GNU Inetutils telnetd through version 2.7 contains a critical authentication bypass that allows remote attackers to gain root access by setting the USER environment variable to '-f root' during TELNET negotiation. With EPSS 75% and KEV listing, this trivially exploitable vulnerability (CVE-2026-24061) has been widely weaponized. Public PoC is available and patches exist.
Cisco Unified Communications Manager and related products contain a code injection vulnerability (CVE-2026-20045) that allows unauthenticated remote attackers to execute arbitrary code. This KEV-listed vulnerability affects the core enterprise voice/video infrastructure including Unified CM, IM&P, Unity Connection, and Webex Calling Dedicated Instance, making it a high-priority threat for organizations dependent on Cisco collaboration tools.
Mini Mouse 9.2.0 remote control application has an RCE vulnerability allowing attackers to execute arbitrary OS commands through the remote control protocol.
Hasura GraphQL 1.3.3 has a remote code execution vulnerability allowing attackers to execute arbitrary shell commands through the GraphQL endpoint.
Tenda AX3 firmware has a third stack-based buffer overflow in formGetIptv, allowing unauthenticated remote code execution through the router's web interface.
Tenda AX3 firmware has a second stack overflow in formSetIptv via the vlanId parameter, allowing remote code execution through the IPTV configuration endpoint.
Tenda AX3 firmware v16.03.12.11 has a stack overflow in formSetIptv via the list parameter, enabling remote attackers to crash the router or execute arbitrary code.
DD-WRT firmware version 45723 has a buffer overflow in the UPnP network discovery service allowing remote attackers to execute code on the router without authentication.
GeoGebra CAS Calculator 6.0.631.0 has a denial of service vulnerability that crashes the application through uncontrolled resource consumption triggered by crafted mathematical expressions.
5ire AI assistant desktop application prior to version 0.10.0 has an output encoding vulnerability that allows malicious AI model responses to execute code through the Electron renderer.
5ire MCP client prior to version 0.10.0 has a code injection vulnerability through MCP tool responses that enables arbitrary code execution on the user's desktop.
Lodash versions up to 4.17.22 is affected by improperly controlled modification of object prototype attributes (prototype pollution) (CVSS 5.3).
OpenPLC v3 contains an authenticated remote code execution vulnerability that allows attackers with valid credentials to inject malicious code through the hardware configuration interface. [CVSS 8.8 HIGH]
Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. [CVSS 8.8 HIGH]
Rockstar Games Launcher 1.0.37.349 contains a privilege escalation vulnerability that allows authenticated users to modify the service executable with weak permissions. [CVSS 8.8 HIGH]
EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse_header()` allows the current buffer length to be set to 7 after a complete header of size 8 has been read. [CVSS 8.3 HIGH]
Digital Crime Report Management System 1.0 contains a critical SQL injection vulnerability affecting multiple login pages that allows unauthenticated attackers to bypass authentication. [CVSS 8.2 HIGH]
Blitar Tourism 1.0 contains an authentication bypass vulnerability that allows attackers to bypass login by injecting SQL code through the username parameter. [CVSS 8.2 HIGH]
PingzapperSvc service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
BRA_Scheduler service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
OkiJaSvc service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
OKI Local Port Manager service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
its Windows service configuration contains a vulnerability that allows attackers to execute arbitrary code (CVSS 7.8).
Realtek Wireless LAN Utility 700.1631 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. [CVSS 7.8 HIGH]
eBeam Device Service contains a vulnerability that allows attackers to potentially execute code with elevated privileges (CVSS 7.8).
GVFS.Service Windows service contains a vulnerability that allows attackers to execute code with elevated privileges (CVSS 7.8).
ScheduleService contains a vulnerability that allows attackers to potentially execute code with elevated system privileges (CVSS 7.8).
GuardTourService contains a vulnerability that allows attackers to potentially execute code with elevated system privileges (CVSS 7.8).
OSAS Traverse Extension 11 contains an unquoted service path vulnerability in the TravExtensionHostSvc service running with LocalSystem privileges. [CVSS 7.8 HIGH]
its Encrypto Service configuration contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
Event Log Explorer 4.9.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. [CVSS 7.8 HIGH]
ac.sharedstore service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
SbieSvc service contains a vulnerability that allows attackers to execute code with elevated privileges (CVSS 7.8).
eBeam Stylus Driver service contains a vulnerability that allows attackers to potentially execute code with elevated privileges (CVSS 7.8).
WPCommandFileService contains a vulnerability that allows attackers to potentially execute code with elevated privileges (CVSS 7.8).
HiPatchService contains a vulnerability that allows attackers to execute code with elevated privileges (CVSS 7.8).
Mini Mouse 9.2.0 contains a path traversal vulnerability that allows remote attackers to access arbitrary system files and directories through crafted HTTP requests. [CVSS 7.5 HIGH]
D151 Firmware versions up to - is affected by missing authentication for critical function (CVSS 7.5).
An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the fs/ggml/gguf.go, function readGGUFV1String reads a string length from untrusted GGUF metadata [CVSS 7.5 HIGH]
An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder [CVSS 7.5 HIGH]
NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that allows administrative users to write files to arbitrary system locations through the emoji upload API. [CVSS 7.5 HIGH]
Tenda AX1803 v1.0.0.1 was discovered to contain a stack overflow in the security_5g parameter of the sub_727F4 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. [CVSS 7.5 HIGH]
Tenda AX1803 v1.0.0.1 was discovered to contain a stack overflow in the security parameter of the sub_72290 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. [CVSS 7.5 HIGH]
Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the time parameter of the sub_60CFC function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. [CVSS 7.5 HIGH]
Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow in the ssid parameter of the form_fast_setting_wifi_set function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. [CVSS 7.5 HIGH]
Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the deviceList parameter of the formSetMacFilterCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. [CVSS 7.5 HIGH]
Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the deviceList parameter of the formSetWifiMacFilterCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. [CVSS 7.5 HIGH]
GeoGebra Graphing Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the application by inputting an oversized buffer. [CVSS 7.5 HIGH]
GeoGebra Classic 5.0.631.0-d contains a denial of service vulnerability in the input field that allows attackers to crash the application by sending oversized buffer content. [CVSS 7.5 HIGH]
ProFTPD 1.3.7a contains a denial of service vulnerability that allows attackers to overwhelm the server by creating multiple simultaneous FTP connections. Attackers can repeatedly establish connections using threading to exhaust server connection limits and block legitimate user access. [CVSS 7.5 HIGH]