BeyondTrust Remote Support (RS) and older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability (CVE-2026-1731) that allows unauthenticated attackers to execute OS commands through specially crafted requests. With EPSS 66% and KEV listing with public PoC, this vulnerability is devastating because these products are specifically designed for privileged remote access — compromising them grants attackers access to the most sensitive systems in an organization.
A product has a SQL injection vulnerability enabling unauthenticated database compromise through improperly neutralized SQL commands.
SandboxJS has a second CVSS 10.0 sandbox escape where function return values aren't properly sanitized, allowing code execution outside the sandbox.
SandboxJS has a fourth CVSS 10.0 sandbox escape through Map's safe prototype being used as a gateway to inject arbitrary code.
SandboxJS has a third CVSS 10.0 sandbox escape via Map prototype shadowing that allows complete sandbox bypass.
SandboxJS has a fifth CVSS 10.0 escape via a TOCTOU race condition in sandbox validation, allowing code to slip through during the check-execute gap.
Gogs self-hosted Git service v0.13.3 has a command injection vulnerability enabling remote code execution through crafted repository operations.
IP-COM W30AP wireless access point up to firmware 1.0.0.11 has a buffer overflow that allows remote attackers to execute code or crash the device.
Frigate NVR has a command injection vulnerability (CVSS 9.1) allowing authenticated attackers to execute OS commands on the network video recorder.
html5_snmp 1.11 has multiple SQL injection vulnerabilities allowing attackers to manipulate SNMP monitoring database queries.
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. [CVSS 8.8 HIGH]
Remote code execution in UTT 520W firmware versions up to 1.7.7-180627 through a buffer overflow in the /goform/formPolicyRouteConf endpoint allows authenticated attackers to execute arbitrary commands on affected devices. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. The flaw stems from improper bounds checking in the GroupName parameter handling.
Remote code execution in UTT 520W firmware 1.7.7-180627 allows authenticated attackers to execute arbitrary code via a buffer overflow in the ServerIp parameter of the /goform/formSyslogConf endpoint. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure attempts. The attack requires network access and valid credentials but executes with full system privileges.
Remote code execution in UTT 520W firmware through a buffer overflow in the /goform/formTimeGroupConfig endpoint allows authenticated attackers to achieve complete system compromise via manipulation of the year1 parameter. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification. The high CVSS score of 8.8 reflects the combination of network accessibility, low attack complexity, and full impact on confidentiality, integrity, and availability.
Remote code execution in UTT 520W firmware versions up to 1.7.7-180627 via stack buffer overflow in the /goform/formIpGroupConfig endpoint allows authenticated attackers to achieve complete system compromise. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early disclosure notification. Affected devices are remotely exploitable with no user interaction required.
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an SQL Injection vulnerability exists in the ajax_select.php endpoint when handling the componenti operation. [CVSS 8.8 HIGH]
Enclave versions up to 2.10.1 is affected by loop with unreachable exit condition (infinite loop) (CVSS 8.8).
Remote code execution in Calibre prior to version 9.2.0 through a path traversal flaw in the CHM reader allows local attackers to write arbitrary files with user permissions, enabling payload execution via the Windows Startup folder. Public exploit code exists for this vulnerability. Windows users should upgrade to Calibre 9.2.0 or later to remediate the risk.
Pydantic AI versions 0.0.26 through 1.55.x contain a server-side request forgery vulnerability in URL download functionality that allows remote attackers to make arbitrary HTTP requests to internal network resources when applications process untrusted message history. Public exploit code exists for this vulnerability, which could enable attackers to access internal services or cloud credentials. Applications must upgrade to version 1.56.0 or later to remediate the issue.
Arbitrary file append vulnerability in Qdrant vector database versions 1.9.3 through 1.15.x allows authenticated users with minimal read-only privileges to write to arbitrary files through an unsanitized log file path parameter in the /logger endpoint. Public exploit code exists for this vulnerability, enabling attackers to corrupt system files or inject malicious content with high impact to confidentiality, integrity, and availability. The issue is resolved in version 1.16.0.
Calibre 9.1.0 and earlier contains a path traversal vulnerability in EPUB conversion that allows malicious EPUB files to corrupt or modify arbitrary files writable by the Calibre process. The vulnerability exploits improper handling of CipherReference URIs in encryption metadata, enabling attackers to write outside the intended extraction directory. Public exploit code exists for this high-severity issue, which is patched in version 9.2.0.
SecurosCtrlService contains a vulnerability that allows attackers to potentially execute code with elevated privileges (CVSS 7.8).
Wondershare Application Framework Service 2.4.3.231 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. [CVSS 7.8 HIGH]
BstHdLogRotatorSvc service contains a vulnerability that allows attackers to potentially execute arbitrary code (CVSS 7.8).
DsiWMIService contains a vulnerability that allows attackers to potentially execute code with elevated privileges (CVSS 7.8).
Stack buffer overlap in iccDEV's color profile processing library prior to version 2.3.1.4 enables local attackers with user interaction to achieve arbitrary code execution through malicious ICC color management profiles. The vulnerability exists in the CIccTagMultiProcessElement::Apply() function where SrcPixel and DestPixel buffers overlap, and public exploit code is currently available. A patch has been released in version 2.3.1.4 to address this issue.
JumpStart 0.6.0.0 contains an unquoted service path vulnerability in the jswpbapi service running with LocalSystem privileges. Attackers can exploit the unquoted path containing spaces to inject and execute malicious code with elevated system permissions. [CVSS 7.8 HIGH]
calibre is an e-book manager. [CVSS 7.8 HIGH]
Alps HID Monitor Service 8.1.0.10 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. [CVSS 7.8 HIGH]
Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. [CVSS 7.6 HIGH]
Path traversal in NiceGUI before 3.7.0 allows remote attackers to write arbitrary files outside intended directories by exploiting unsanitized filename metadata in the FileUpload.name property, potentially leading to remote code execution when developers incorporate this value directly into file paths. Public exploit code exists for this vulnerability, affecting applications using common patterns like concatenating user-supplied filenames with upload directories. Developers are only protected if they use fixed paths, generate filenames server-side, or explicitly sanitize user input.
Spree Commerce's guest checkout feature contains an insecure direct object reference (IDOR) flaw that allows unauthenticated attackers to access other customers' personally identifiable information by manipulating address parameters during transaction processing. Public exploit code exists for this vulnerability, which affects all guest checkout flows across multiple Spree versions. Patches are available for versions 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2.
Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. [CVSS 7.4 HIGH]
TheJshen ContentManagementSystem 1.04 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'id' GET parameter. [CVSS 7.1 HIGH]
thejshen Globitek CMS 1.4 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'id' GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to potentially extract or modify database information. [CVSS 7.1 HIGH]
RimbaLinux AhadPOS 1.11 contains a SQL injection vulnerability in the 'alamatCustomer' parameter that allows attackers to manipulate database queries through crafted POST requests. [CVSS 7.1 HIGH]
Syteline Erp versions up to 10.0.8803.16889 is affected by use of hard-coded cryptographic key (CVSS 7.1).
Heap buffer overflow in Vim's tag file resolution allows local attackers with user privileges to corrupt heap memory and crash the application or potentially execute code by supplying a malicious 'helpfile' option value. The vulnerability exists in the get_tagfname() function which fails to validate the length of user-controlled input before copying it into a fixed-size buffer. Public exploit code exists for this issue affecting Vim prior to version 9.1.2132, though a patch is available.
Gogs versions 0.13.3 and earlier are vulnerable to arbitrary file read and write operations through path traversal in the Git hook editing functionality, affecting self-hosted installations. An authenticated attacker with high privileges can exploit this vulnerability to access or modify files outside the intended directory. Public exploit code exists for this vulnerability, and no patch is currently available.
Denial of service in Gogs 0.13.3 and earlier allows authenticated users to crash the application by deleting repository files before synchronization. Public exploit code exists for this vulnerability, affecting self-hosted Git service deployments. A patch is available in versions 0.13.4 and 0.14.0+dev.
SQL injection in OpenSTAManager v2.9.8 and earlier allows authenticated attackers to extract sensitive data through the Prima Nota module's unvalidated id_documenti parameter. Public exploit code exists for this vulnerability, which bypasses input validation on comma-separated values used in SQL IN() clauses to leak information via XPATH error-based techniques. The vulnerability affects PHP-based deployments and currently has no available patch.
Authenticated operators in Sliver C2 framework versions prior to 1.6.11 can read arbitrary files on the server through a path traversal vulnerability in the website content subsystem, potentially exposing sensitive credentials, configurations, and cryptographic keys. Public exploit code exists for this vulnerability. The issue is resolved in version 1.6.11 and later.
OpenSTAManager versions 2.9.8 and earlier are vulnerable to SQL injection in the Payment Schedule module's bulk operations handler, where inadequate input validation on record IDs allows authenticated attackers to execute arbitrary SQL queries and extract sensitive data via error-based techniques. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid user credentials but can expose confidential information from the application database.
OpenSTAManager v2.9.8 and earlier allow authenticated attackers to conduct time-based SQL injection attacks through the global search functionality, enabling extraction of sensitive data from the underlying database. The vulnerability stems from insufficient input validation on the search term parameter used in SQL LIKE clauses across multiple search handlers. Public exploit code exists for this vulnerability, and no patch is currently available.
OpenSTAManager v2.9.8 and earlier allows authenticated remote attackers to extract sensitive data through time-based SQL injection in the article pricing handler due to insufficient input sanitization of the idarticolo parameter. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials can infer database contents through carefully timed SQL queries without requiring user interaction.
OpenSTAManager is an open source management software for technical assistance and invoicing. [CVSS 6.5 MEDIUM]
Millhouse-Project 1.414 contains a persistent cross-site scripting vulnerability in the comment submission functionality that allows attackers to inject malicious scripts. [CVSS 6.4 MEDIUM]
html5_snmp 1.11 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through the 'Remark' parameter in add_router_operation.php. [CVSS 6.1 MEDIUM]
Reflected XSS in TYDAC AG MAP+ 3.4.0 PDF export allows unauthenticated attackers to execute arbitrary JavaScript in victim browsers through malicious URLs, with public exploit code available. An attacker can deliver such links via email or social engineering to compromise user sessions and steal sensitive data. No patch is currently available.
Client-certificate-auth middleware for Node.js versions 0.2.1 and 0.3.0 fails to validate the Host header when redirecting HTTP requests to HTTPS, enabling attackers to craft malicious redirects that direct users to arbitrary domains. Public exploit code exists for this open redirect vulnerability, and no patch is currently available for affected versions.