Mytube versions up to 1.7.71 contains a vulnerability that allows attackers to bypass IP-based rate limiting on general API endpoints (CVSS 6.5).
Wings for Pterodactyl versions 1.7.0 through 1.11.x fail to respect SQLite's maximum parameter limit when deleting activity log entries, allowing authenticated users to trigger a database error that prevents log cleanup and causes indefinite accumulation of records. This denial of service condition degrades panel performance and availability over time. Public exploit code exists for this vulnerability, and no patch is currently available.
SiYuan knowledge management system versions before 3.5.4 allow authenticated users to copy arbitrary files from the server filesystem into the application workspace due to insufficient path validation in the /api/file/globalCopyFiles endpoint. An attacker with valid credentials can exploit this path traversal vulnerability to read sensitive files and escalate privileges within the application. Public exploit code exists for this medium-severity vulnerability, though a patch is available.
Reflected XSS in SiYuan's /api/icon/getDynamicIcon endpoint allows attackers to inject malicious JavaScript through unescaped SVG content in dynamically generated icon images. An unauthenticated attacker can craft a malicious link that, when clicked by a victim, executes arbitrary scripts in the context of the SiYuan application. Public exploit code exists for versions prior to 3.5.4, which contains the necessary patches.
Online Store Management System versions up to 1.01 contains a vulnerability that allows attackers to command injection (CVSS 7.3).
Mailpit versions before 1.28.3 contain a server-side request forgery vulnerability in the HTML Check feature that allows unauthenticated attackers to trigger arbitrary HTTP requests by crafting malicious CSS links in email messages. The vulnerability exists in the CSS inlining function which automatically downloads external stylesheets without proper validation. Public exploit code exists for this issue, though a patch is available in version 1.28.3 and later.
SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /subject/index.php allows unauthenticated remote attackers to query, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network against vulnerable instances.
PHPGurukul Directory Management System 1.0 contains a SQL injection vulnerability in the search functionality of /index.php that allows unauthenticated remote attackers to manipulate the searchdata parameter and execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch is currently available. The vulnerability impacts confidentiality, integrity, and availability with a CVSS score of 7.3.
Online Frozen Foods Ordering System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).
Improper permission validation in CrawlChat versions prior to 0.0.8 allows unauthenticated Discord guild members to inject malicious content into the bot's knowledge base through the jigsaw emoji feature, enabling attackers to manipulate chatbot responses across all integrations and redirect users to malicious sites. The vulnerability affects the AI/ML platform's ability to maintain knowledge base integrity, as normal users can bypass intended admin-only controls. Public exploit code exists for this issue, though a patch is available.
Filebrowser versions up to 2.55.0 contains a vulnerability that allows attackers to enumerate valid usernames by measuring the response time of the /api/login endpo (CVSS 5.3).
Birkir Prime versions up to 0.4.0.beta.0 are vulnerable to resource exhaustion attacks through the GraphQL Alias Handler endpoint, allowing unauthenticated remote attackers to cause denial of service. Public exploit code is available for this vulnerability, and the project has not yet released a patch despite early notification. The attack requires no user interaction and can be executed over the network with minimal complexity.
Prime versions up to 0.4.0.beta.0 are vulnerable to denial of service attacks through the GraphQL Array Based Query Batch Handler component, which can be exploited remotely without authentication. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification.
Birkir Prime versions up to 0.4.0.beta.0 contain a denial of service vulnerability in the GraphQL Directive Handler that can be exploited remotely without authentication. Public exploit code exists for this vulnerability, and the developers have not released a patch despite early notification. An unauthenticated attacker can leverage this flaw to disrupt service availability.
Remote denial of service in birkir Prime up to version 0.4.0.beta.0 can be triggered through the GraphQL Field Handler endpoint without authentication. Public exploit code exists for this vulnerability, though no patch is currently available from the project maintainers.
A vulnerability was determined in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_downlink_data_notification_ack of the file src/sgwc/s11-handler.c of the component sgwc. [CVSS 5.3 MEDIUM]
Birkir Prime up to version 0.4.0.beta.0 exposes sensitive information through error messages in its GraphQL Directive Handler endpoint (/graphql), allowing unauthenticated remote attackers to extract data. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite being notified.
Birkir Prime up to version 0.4.0.beta.0 exposes sensitive information through its GraphQL API endpoint due to improper access controls, allowing unauthenticated remote attackers to disclose confidential data. Public exploit code for this vulnerability is available, and the vendor has not yet released a patch despite being notified of the issue.
Header injection in Mailpit's SMTP server prior to version 1.28.3 allows unauthenticated remote attackers to inject or modify email headers by embedding carriage return characters in sender and recipient addresses due to insufficient regex validation. Public exploit code exists for this vulnerability, which could enable attackers to manipulate email routing, spoofing, or phishing attacks against users of the email testing tool. The issue is resolved in version 1.28.3 and later.
R Automation Runtime versions up to 6.5 is affected by allocation of resources without limits or throttling (CVSS 6.8).
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. [CVSS 6.5 MEDIUM]
A vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). [CVSS 6.5 MEDIUM]
Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. [CVSS 6.5 MEDIUM]
OpenProject versions prior to 16.6.5 and 17.0.1 fail to properly validate session ownership in the session deletion endpoint, allowing authenticated users to forcibly log out arbitrary other users by iterating through sequential session IDs. An attacker with valid credentials can exploit the predictable session ID scheme via DELETE requests to /my/sessions/:id to terminate other users' sessions without authorization. No patch is currently available, and this vulnerability requires only valid authentication to exploit.
HotCRP is conference review software. [CVSS 6.5 MEDIUM]
Arbitrary code execution in Alchemy CMS before versions 7.4.12 and 8.0.3 stems from unsafe use of Ruby's eval() function on the resource_handler.engine_name parameter in the ResourcesHelper class. An authenticated administrator can manipulate module configurations to inject and execute arbitrary system commands with the privileges of the Ruby process. The vulnerability requires high privileges and careful setup to exploit, but completely bypasses the Ruby sandbox once successful.
SQL injection in Yonyou KSOA 9.0's /kmf/user_popedom.jsp endpoint allows unauthenticated remote attackers to manipulate the folderid parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires no user interaction and can result in unauthorized data access, modification, or system disruption.
SQL injection in Yonyou KSOA 9.0 via the folderid parameter in /kmf/select.jsp allows unauthenticated remote attackers to manipulate database queries and potentially extract or modify sensitive data. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification.
SQL injection in Yonyou KSOA 9.0 via the folderid parameter in /kmf/save_folder.jsp allows unauthenticated remote attackers to manipulate database queries and potentially access, modify, or delete sensitive data. Public exploit code is available for this vulnerability, increasing the risk of active exploitation. No patch is currently available from the vendor.
SQL injection in Yonyou KSOA 9.0 allows unauthenticated remote attackers to manipulate the folderid parameter in /kmf/folder.jsp HTTP requests, potentially leading to unauthorized data access or modification. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response despite early notification.
SQL injection in Yonyou KSOA 9.0 via the folderid parameter in /kmf/edit_folder.jsp allows unauthenticated remote attackers to execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early disclosure notification.
SQL injection in Yonyou KSOA 9.0's /kmc/save_catalog.jsp endpoint allows unauthenticated remote attackers to manipulate the catalogid parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires only network access with no user interaction, enabling potential data exfiltration and unauthorized database modification.
Unauthenticated SQL injection in Yonyou KSOA 9.0 via the ID parameter in the /worksheet/worksadd_plan.jsp endpoint allows remote attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. The attack requires no authentication or user interaction and can be exploited over the network.
SQL injection in Yonyou KSOA 9.0's /worksheet/worksadd.jsp endpoint allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification. The attack requires no user interaction and could enable unauthorized data access, modification, or deletion.
Swift W3C TraceContext and Swift OTel improperly validate malformed HTTP headers, enabling remote attackers to crash affected services through denial-of-service attacks. This vulnerability affects applications using these libraries for distributed tracing and telemetry, particularly HTTP servers processing untrusted network input. No patch is currently available, though versions 1.0.0-beta.5 of Swift W3C TraceContext and 1.0.4 of Swift OTel are expected to address the issue.
Swing Music is a self-hosted music player for local audio files. versions up to 2.1.4 contains a security vulnerability.
OpenProject versions prior to 17.0.1 and 16.6.5 fail to properly validate permissions when displaying group membership information, allowing authenticated users with View Members permission in any project to enumerate all groups and identify their members across the entire system. This breaks the intended access control where group membership visibility should be restricted to users with appropriate permissions in projects where the group is active. The vulnerability requires authenticated access and has no available patch or workaround at this time.
Whisper Money versions before 0.1.5 contain an insecure direct object reference vulnerability that allows authenticated users to modify bank account balances belonging to other users. An attacker with valid credentials can exploit this to manipulate financial data across multiple accounts without authorization. A patch is available in version 0.1.5 and should be applied immediately.
Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site request forgery (csrf) (CVSS 4.3).