Command injection in Apache Continuum (unsupported). EPSS 37.9% indicates active exploitation of this legacy CI/CD system. No patch available — product is end-of-life.
Microsoft Office contains a security feature bypass (CVE-2026-21509, CVSS 7.8) where reliance on untrusted inputs in security decisions allows local attackers to bypass protections designed to prevent execution of malicious content. KEV-listed with EPSS 9.3%, this vulnerability enables attackers to circumvent Office security features like Protected View or macro restrictions through crafted documents.
Access control bypass in SpringBlade v4.5.0 importUser function allows low-privileged users to import sensitive user data and escalate privileges. PoC available.
Sandbox escape in vm2 Node.js sandbox before 3.10.2 via Promise.prototype.then/catch callback sanitization bypass. PoC and patch available.
Unauthenticated attackers can trigger a buffer overflow in Tenda AC23 firmware version 16.03.07.52 through the wpapsk_crypto parameter in /goform/WifiExtraSet, enabling remote code execution with full system compromise. Public exploit code is available and actively used in the wild, yet no patch has been released by the vendor. All AC23 devices running the affected firmware version are at immediate risk of complete takeover.
KiteService Windows service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
PDF Complete 3.5.310.2002 contains an unquoted service path vulnerability in its pdfsvc.exe service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges. [CVSS 7.8 HIGH]
IDT PC Audio 1.0.6499.0 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. [CVSS 7.8 HIGH]
MTAgentService contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
IObit Uninstaller 10 Pro contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. [CVSS 7.8 HIGH]
The gix-date library's TimeBuf component can produce invalid UTF-8 strings that corrupt its internal safety mechanisms, triggering undefined behavior in downstream processing. This local privilege escalation vulnerability affecting gix-date has public exploit code available and can cause application crashes or unexpected behavior when a local attacker supplies malformed input. No patch is currently available to remediate this issue.
Pnpm versions up to 10.28.1 contains a vulnerability that allows attackers to overwriting config files, scripts, or other sensitive files (CVSS 6.5).
Path traversal in pnpm's tarball extraction on Windows allows attackers to write files outside the intended package directory by exploiting incomplete path normalization that fails to block backslash-based traversal sequences. Public exploit code exists for this vulnerability, which affects Windows developers and CI/CD pipelines (GitHub Actions, Azure DevOps) and could result in overwriting sensitive configuration files like .npmrc or build configurations. A patch is available in pnpm version 10.28.1 and later.
Path traversal in pnpm's binary fetcher (versions prior to 10.28.1) allows attackers to write files outside the intended extraction directory through malicious ZIP entries or crafted prefix values, potentially overwriting critical configuration files and scripts on affected systems. All pnpm users installing packages with binary assets are vulnerable, particularly those in CI/CD pipelines or with custom Node.js binary configurations. Public exploit code exists for this medium-severity vulnerability.
pnpm versions prior to 10.28.2 fail to properly constrain symlink resolution when installing file: and git: dependencies, allowing malicious packages to copy sensitive files from the host system into node_modules and leak credentials. This affects developers using local file dependencies and CI/CD pipelines installing git-based packages, with public exploit code available. The vulnerability enables theft of credentials from locations like ~/.ssh/id_rsa and ~/.npmrc by exploiting symlinks to absolute paths outside the package root.
Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. [CVSS 6.4 MEDIUM]
Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. [CVSS 6.4 MEDIUM]
Xeroneit Library Management System 3.1 contains a stored cross-site scripting vulnerability in the Book Category feature that allows administrators to inject malicious scripts. Attackers can insert a payload in the Category Name field to execute arbitrary JavaScript code when the page is loaded. [CVSS 6.4 MEDIUM]
Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. [CVSS 6.4 MEDIUM]
Default credentials in Tenda W30E V2 router firmware through V16.01.0.19. Known default password enables full administrative access.
Missing rate limiting and account lockout on Tenda W30E V2 authentication endpoints. Brute-force attacks are unrestricted.
Operation And Maintenance Security Management System versions up to 3.0.12. contains a security vulnerability (CVSS 7.3).
Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. [CVSS 5.5 MEDIUM]
SQL injection in Online Music Site 1.0's AdminDeleteUser.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker can leverage this to compromise data confidentiality, integrity, and availability.
SQL injection in the login page of code-projects Online Examination System 1.0 allows unauthenticated remote attackers to manipulate the User parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and affects confidentiality, integrity, and availability of the affected system.
pnpm versions before 10.28.2 fail to validate the `directories.bin` field during package processing, allowing malicious packages to use path traversal (e.g., `../../../../tmp`) to escape the package root and chmod 755 files at arbitrary locations on Unix-like systems. Public exploit code exists for this vulnerability. The issue affects Linux, macOS, and Node.js environments but not Windows due to platform-specific protections.
Stored XSS in Shaarli versions before 0.16.0 allows authenticated attackers to inject malicious HTML by crafting tags starting with a double quote character, which breaks out of input tag validation on the homepage. An attacker with login credentials can exploit this to execute arbitrary JavaScript in victims' browsers with the victim's interaction. A patch is available in version 0.16.0 and public exploit code exists.
Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which is then rendered in the reporting view without proper sanitization. [CVSS 5.4 MEDIUM]
XXE (XML External Entity) injection in AssertJ Java testing library from 1.4.0 to before 3.27.7 allows reading arbitrary files when parsing XML assertions. Patch available.
Command injection vulnerability was found in the admin interface component of TP-Link Archer MR600 v5 firmware, allowing authenticated attackers to execute system commands with a limited character length via crafted input in the browser developer console, possibly leading to service disruption or full compromise. [CVSS 8.8 HIGH]
WellChoose's Single Sign-On Portal System contains an OS command injection vulnerability that allows authenticated users to execute arbitrary commands on the affected server. Attackers with valid credentials can exploit this flaw to achieve remote code execution with full system privileges. No patch is currently available for this high-severity vulnerability.
The WellChoose Single Sign-On Portal System contains an OS command injection vulnerability that allows authenticated users to execute arbitrary commands on the affected server. An attacker with valid credentials can bypass input validation to inject malicious OS commands, achieving full system compromise with high impact to confidentiality, integrity, and availability. No patch is currently available for this vulnerability.
The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. [CVSS 8.8 HIGH]
Unauthenticated password modification in Tenda W30E V2 firmware through the maintenance interface allows authenticated users to reset account credentials without password verification, potentially enabling privilege escalation or account takeover on affected devices. The vulnerability affects firmware versions up to V16.01.0.19(5037) and currently lacks an available patch.
Tenda W30E V2 firmware through version 16.01.0.19(5037) allows authenticated users with low privileges to escalate to administrator by exploiting broken authorization in the user management API, enabling password changes for admin accounts without proper access controls. An attacker with any valid user account can bypass web interface restrictions and gain full administrative access to the device. No patch is currently available for this vulnerability.
Missing authentication in the Beetel 777VR1 firmware (versions up to 01.00.09) UART interface allows an attacker with physical access to bypass security controls through a complex exploitation process. Public exploit code exists for this vulnerability, though no patch has been released and the vendor has not responded to disclosure attempts. The attack requires direct device access and significant technical sophistication but could result in complete system compromise.
Improper access controls in the UART interface of Beetel 777VR1 firmware (up to version 01.00.09) allow attackers with physical access to bypass authentication mechanisms, though exploitation requires high technical complexity. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism. [CVSS 8.5 HIGH]
Skipper versions up to 0.24.0 contains a vulnerability that allows attackers to list targets of an ExternalName and allow list via regular expressions (CVSS 8.1).
Arbitrary code execution in SOLIDWORKS eDrawings 2025-2026 via out-of-bounds write when parsing specially crafted EPRT files. An attacker can exploit this vulnerability by distributing a malicious file that executes code with user privileges upon opening. No patch is currently available.
Arbitrary code execution in SOLIDWORKS eDrawings 2025-2026 via heap overflow when parsing malicious EPRT files allows attackers to gain full system compromise upon user interaction. The vulnerability requires local file access and user action to trigger, making it a significant risk for organizations using affected SOLIDWORKS versions. No patch is currently available.
Uncontrolled resource consumption in React Server Components (react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack) allows unauthenticated remote attackers to trigger denial of service through malformed requests to Server Function endpoints, causing server crashes, memory exhaustion, or CPU spikes. Applications using these packages are at risk of availability disruption. No patch is currently available; immediate mitigation and monitoring are recommended.
An issue in continuous.software aangine v.2025.2 allows a remote attacker to obtain sensitive information via the excel-integration-service template download module, integration-persistence-service job listing module, portfolio-item-service data retrieval module endpoints [CVSS 7.5 HIGH]
Shenzhen Tenda W30E V2 firmware through V16.01.0.19(5037) transmits administrative credentials in plaintext over unencrypted HTTP from the maintenance interface, allowing unauthenticated network attackers to intercept and obtain account credentials. Affected devices lack authentication requirements for accessing this interface, making credential theft trivial for anyone on the same network. No patch is currently available for this vulnerability.
BentoML versions prior to 1.4.34 allow path traversal attacks through improperly validated file path fields in bentofile.yaml configurations, enabling attackers to embed arbitrary files from the victim's system into bento archives during the build process. This vulnerability can be exploited to exfiltrate sensitive data such as credentials, SSH keys, and environment variables into supply chain artifacts that may be pushed to registries or deployed in production environments. A patch is available in version 1.4.34.
Out-of-bounds Write vulnerability in Apache Hadoop HDFS native client. This issue affects Apache Hadoop: from 3.2.0 before 3.4.2. [CVSS 7.3 HIGH]
SQL Injection vulnerability in the Structure for Admin authenticated user [CVSS 7.2 HIGH]
The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin [CVSS 7.1 HIGH]
An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate requests and potentially hijack the Owner account. [CVSS 6.8 MEDIUM]
The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks. [CVSS 6.8 MEDIUM]