Command injection in Apache Continuum (unsupported). EPSS 37.9% indicates active exploitation of this legacy CI/CD system. No patch available — product is end-of-life.
Access control bypass in SpringBlade v4.5.0 importUser function allows low-privileged users to import sensitive user data and escalate privileges. PoC available.
Sandbox escape in vm2 Node.js sandbox before 3.10.2 via Promise.prototype.then/catch callback sanitization bypass. PoC and patch available.
Default credentials in Tenda W30E V2 router firmware through V16.01.0.19. Known default password enables full administrative access.
Missing rate limiting and account lockout on Tenda W30E V2 authentication endpoints. Brute-force attacks are unrestricted.
XXE (XML External Entity) injection in AssertJ Java testing library from 1.4.0 to before 3.27.7 allows reading arbitrary files when parsing XML assertions. Patch available.