Fortinet FortiAnalyzer and FortiManager contain a critical authentication bypass vulnerability (CVE-2026-24858, CVSS 9.8) that allows unauthenticated remote attackers to gain administrative access through an alternate authentication path. With EPSS 2.8% but KEV listing confirming active exploitation, this vulnerability threatens the security management infrastructure that organizations rely on to protect their networks.
HUSTOJ online judge has a path traversal vulnerability enabling arbitrary file access on the competition server.
OpenSSL has a critical out-of-bounds write when parsing CMS AuthEnvelopedData/EnvelopedData with malicious AEAD parameters, enabling potential RCE.
n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through crafted workflow expressions.
Path traversal vulnerability in RAGFlow RAG engine version 0.23.1 allows unauthenticated attackers to read arbitrary files from the server filesystem. PoC available, patch available.
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass and unauthorized cluster operations.
Critical access control flaw in Dozzle Docker log viewer allows users restricted by label filters to escape their scope and obtain an interactive root shell on out-of-scope containers. PoC available, patch in v9.0.3.
VestaCP 0.9.8-26 has a session management vulnerability allowing remote attackers to hijack admin sessions through the LoginAs module.
Gila CMS before 2.0.0 has an RFI vulnerability enabling unauthenticated RCE.
Remote code execution and denial of service in GnuPG before 2.5.17 stem from a stack-based buffer overflow in gpg-agent when it processes a crafted CMS (S/MIME) EnvelopedData message containing an oversized wrapped session key during PKDECRYPT --kem=CMS handling. Any user or service decrypting attacker-supplied S/MIME mail with a vulnerable build can be crashed, and the memory corruption may be escalated to arbitrary code execution in the gpg-agent process that custodies private keys. Publicly available exploit code exists, but the issue is not in CISA KEV and EPSS is low (0.20%, 41st percentile), indicating no confirmed widespread exploitation yet.
Computer Book Store v1.0 has file upload in admin_add.php.
Mobile Shop Management System has file upload enabling web shell deployment.
Dirsearch 0.4.1 has CSV injection in scan reports.
Knockpy 4.1.1 has CSV injection in subdomain scan exports.
Mobile Shop Management System has SQL injection in ExLogin.php.
Mobile Shop Management System has SQL injection in insertmessage.php.
Mobile Shop Management System has code injection in ExAddNewUser.php.
Easy CD & DVD Cover Creator 4.13 has a buffer overflow in serial number input.
Server-Side Request Forgery (SSRF) vulnerability in Squidex CMS webhook configuration allows authenticated administrators to make requests to internal services by specifying localhost or internal IP addresses as webhook destinations. PoC available.
Victor Cms versions up to 1.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]
WinAVR version 20100110 contains an insecure permissions vulnerability that allows authenticated users to modify system files and executables. Attackers can leverage the overly permissive access controls to potentially modify critical DLLs and executable files in the WinAVR installation directory. [CVSS 8.8 HIGH]
Testa Online Test Management System 3.4.7 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'q' search parameter. [CVSS 8.2 HIGH]
Phpscript-sgh 0.1.0 contains a time-based blind SQL injection vulnerability in the admin interface that allows attackers to manipulate database queries through the 'id' parameter. [CVSS 8.2 HIGH]
Arbitrary file deletion in ConvertX prior to version 0.17.0 allows authenticated attackers to remove files outside the intended upload directory by exploiting insufficient path validation in the POST /delete endpoint. The vulnerability enables attackers to supply path traversal sequences that bypass directory restrictions, with impact limited only by server process permissions. Public exploit code exists for this HIGH severity flaw, though a patch is available in version 0.17.0.
MobSF versions prior to 4.4.5 are vulnerable to stored XSS through unsanitized rendering of Android manifest attributes in HTML reports, allowing attackers to inject malicious JavaScript by uploading crafted APK files. Public exploit code exists for this vulnerability, and successful exploitation enables session hijacking and account takeover of security analysts using the framework. Upgrade to version 4.4.5 or later to remediate.
its Windows service configuration contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
Quick 'n Easy FTP Service 3.2 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code during service startup. [CVSS 7.8 HIGH]
MotoHelperService.exe service contains a vulnerability that allows attackers to potentially inject malicious code (CVSS 7.8).
PST Service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
Atheros Coex Service Application 8.0.0.255 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path by placing malicious executables in the service path to gain elevated system privileges during service startup. [CVSS 7.8 HIGH]
ElevationService executable contains a vulnerability that allows attackers to potentially inject malicious code (CVSS 7.8).
its service configuration contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
EPSON Status Monitor 3 version 8.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. [CVSS 7.8 HIGH]
Realtek Andrea RT Filters 1.0.64.7 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. [CVSS 7.8 HIGH]
Stack-based buffer overflow in GnuPG's tpm2daemon (versions before 2.5.17) allows a local attacker to corrupt the daemon's stack by sending a crafted PKDECRYPT command targeting TPM-backed RSA or ECC keys, potentially achieving arbitrary code execution in the daemon's context. The flaw affects GnuPG and the bundled Gpg4win distribution and has been patched by upstream and major Linux vendors (Red Hat, SUSE). Publicly available exploit code exists, though the EPSS score is negligible (0.01%) and it is not listed in CISA KEV (no public exploit identified as actively exploited in the wild).
Kyverno versions up to 1.16.3 is affected by allocation of resources without limits or throttling (CVSS 7.7).
Cassandra Web 0.5.0 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating path traversal parameters. [CVSS 7.5 HIGH]
SyncBreeze 10.0.28 contains a denial of service vulnerability in the login endpoint that allows remote attackers to crash the service. Attackers can send an oversized payload in the login request to overwhelm the application and potentially disrupt service availability. [CVSS 7.5 HIGH]
Tapinradio versions up to 2.13.7 is affected by allocation of resources without limits or throttling (CVSS 7.5).
Anythingllm versions up to 1.10.0 contains a vulnerability that allows attackers to complete compromise of the semantic search / retrieval functionality and indirec (CVSS 7.5).
Arbitrary file write in python-multipart prior to 0.0.22 lets remote attackers place uploaded files outside the intended upload directory by supplying a filename that begins with an absolute path (e.g. '/etc/...'). The flaw only manifests in deployments that enable the non-default options UPLOAD_DIR plus UPLOAD_KEEP_FILENAME=True, where os.path.join silently discards the configured directory. Publicly available exploit code exists (Exploit-DB 52543, GHSA-wp53-j4wj-2cfg), though EPSS is very low (0.03%, 7th percentile) and it is not in CISA KEV.
Remote code execution in D-Link DIR-615 firmware through os command injection via the ipaddr parameter in the Web Management Interface allows unauthenticated remote attackers to execute arbitrary commands. The vulnerability affects unsupported firmware versions up to 4.10, and public exploit code is available. No patch has been released by the vendor.
AnythingLLM versions prior to 1.10.0 contain a path traversal vulnerability in the DrupalWiki integration that allows malicious administrators or attackers with admin privileges to write arbitrary files to the server, potentially achieving remote code execution through configuration file overwriting or malicious script injection. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. The attack requires high-level privileges but carries critical risk due to the ability to completely compromise server integrity.
vLLM before version 0.14.1 contains a server-side request forgery vulnerability in the MediaConnector class where inconsistent URL parsing between libraries allows attackers to bypass host restrictions and force the server to make arbitrary requests to internal network resources. Public exploit code exists for this vulnerability, which poses significant risk in containerized environments where a compromised vLLM instance could be leveraged to access restricted internal systems. The vulnerability affects users running vLLM's multimodal features with untrusted input.
LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. [CVSS 7.1 HIGH]
Laravel Nova 3.7.0 contains a denial of service vulnerability that allows authenticated users to crash the application by manipulating the 'range' parameter. Attackers can send simultaneous requests with an extremely high range value to overwhelm and crash the server. [CVSS 6.5 MEDIUM]
Froxlor Server Management Panel 0.10.16 contains a persistent cross-site scripting vulnerability in customer registration input fields. Attackers can inject malicious scripts through username, name, and firstname parameters to execute code when administrators view customer traffic modules. [CVSS 6.4 MEDIUM]
libsoup's improper handling of URL-decoded input in HTTP proxy configurations allows remote attackers to inject CRLF sequences into the Host header, enabling injection of arbitrary HTTP headers or request bodies. Public exploit code exists for this vulnerability, which could allow attackers to manipulate downstream services through compromised proxy requests. Affected applications using libsoup with HTTP proxy functionality are at risk of integrity compromise, though no patch is currently available.
ROOT data analysis framework has an input validation vulnerability in zlib modules enabling code execution through crafted data files.