SandboxJS prior to 0.8.31 has yet another sandbox escape via prototype pollution, the sixth distinct escape technique discovered.
Unauthenticated remote code execution in Zai Shell prior to 9.0.3 via the unprotected P2P terminal sharing feature on port 5757, where attackers can inject arbitrary system commands that execute with user privileges if approved. Public exploit code exists for this vulnerability, and affected systems running --no-ai mode completely bypass safety checks during command execution. Update to version 9.0.3 to remediate.
Buffer overflow in Tenda AC8 firmware version 16.03.33.05 allows authenticated remote attackers to execute arbitrary code via the timeZone parameter in the /goform/fast_setting_wifi_set endpoint. Public exploit code exists for this vulnerability, and no patch is currently available. The high CVSS score of 8.8 reflects the ability to achieve complete system compromise through network access.
Remote code execution in Tenda AC8 firmware 16.03.33.05 allows authenticated attackers to achieve full system compromise through a buffer overflow in the WiFi guest settings function. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access but minimal user interaction, making it a significant risk for exposed devices.
SQL injection in Craft CMS 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 allows authenticated Control Panel users to execute arbitrary SQL queries via the criteria[orderBy] parameter in the element-indexes/get-elements endpoint. The vulnerability stems from insufficient input sanitization in the ORDER BY clause, enabling attackers to manipulate database queries. Public exploit code exists for this high-severity vulnerability, and patches are available in versions 4.16.18 and 5.8.22.
Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictions by injecting multiple slashes into request URLs, enabling unauthorized access to files designated as restricted. The vulnerability exploits a mismatch between the authorization validation logic and filesystem path resolution, affecting users running vulnerable versions. Public exploit code exists for this high-severity issue.
Adminer versions 5.4.1 and earlier suffer from a post-message validation bypass that allows remote attackers to trigger denial of service affecting all users. By sending a crafted POST request with array parameters to the version endpoint, an attacker can cause openssl_verify() to receive malformed input, resulting in a TypeError that crashes the application and returns HTTP 500 errors. Public exploit code exists for this vulnerability; administrators should upgrade to version 5.4.2 immediately.
PowerDocu versions prior to 2.4.0 allow arbitrary .NET object instantiation and code execution through unsafe deserialization of the $type property in JSON files within Flow or App packages. A local attacker with user interaction can exploit this vulnerability to achieve full system compromise. Public exploit code exists for this vulnerability, and no patch is currently available for affected versions.
SumatraPDF 3.5.2 and earlier on Windows allows arbitrary code execution when a user opens a PDF and selects "Show in folder," as the application executes a malicious explorer.exe binary from the same directory without warning. Public exploit code exists for this vulnerability, which affects any user who opens untrusted PDFs and interacts with the file menu option. An attacker can achieve code execution with the privileges of the victim's user account through a simple social engineering attack.
Unauthenticated directory traversal in FileRise prior to version 3.3.0 allows remote attackers to read arbitrary files from the /uploads directory without authentication by directly accessing guessable file paths. Public exploit code exists for this vulnerability, enabling attackers to expose sensitive data and breach user privacy. No patch is currently available.
Unauthenticated message injection in PolarLearn 0-PRERELEASE-16 and earlier allows remote attackers to send persistent messages to arbitrary group chats via the WebSocket API without credentials. Public exploit code exists for this vulnerability, which affects all users of vulnerable versions by enabling spam and potential information manipulation within group communications.
Axios versions up to 0.30.3 is affected by improper check for unusual or exceptional conditions (CVSS 7.5).
Memory exhaustion in Sliver C2 framework prior to version 1.7.0 allows unauthenticated remote attackers to bypass OTP validation in the DNS listener and create unbounded server-side sessions without expiry mechanisms. Public exploit code exists for this vulnerability, enabling attackers to repeatedly allocate sessions and exhaust server memory resources. The DNS C2 listener accepts bootstrap messages without proper authentication even when OTP enforcement is enabled.
SumatraPDF versions 3.5.0 through 3.5.2 fail to validate TLS certificates during software updates and execute installers without signature verification, allowing network attackers to perform man-in-the-middle attacks and inject malicious code. An attacker with any valid TLS certificate can intercept update requests and redirect users to a malicious installer, achieving arbitrary code execution on Windows systems. Public exploit code exists for this vulnerability and no patch is currently available.
Hollo versions prior to 0.6.20 and 0.7.2 improperly expose direct messages and followers-only posts through the ActivityPub outbox endpoint, allowing unauthenticated remote attackers to access sensitive user communications. Public exploit code exists for this authorization bypass vulnerability, enabling attackers to enumerate and retrieve private content intended for restricted audiences. Patched versions 0.6.20 and 0.7.2 are available to remediate the exposure.
Litestar ASGI framework versions before 2.20.0 fail to properly escape regex metacharacters in CORS origin validation, allowing attackers to bypass origin restrictions through crafted malicious origins. This configuration flaw affects cross-origin request filtering and enables unauthorized cross-origin access. Public exploit code exists for this vulnerability.
Craft is a platform for creating digital experiences. [CVSS 7.2 HIGH]
D-Link DIR-823X firmware versions up to 250416 contain an OS command injection vulnerability in the /goform/set_filtering function that allows remote attackers with high privileges to execute arbitrary commands with full system access. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access and administrative credentials but carries high confidentiality, integrity, and availability impact.
Cache poisoning in Litestar before 2.20.0 allows unauthenticated remote attackers to exploit improper Unicode normalization in the FileStore cache backend to create collisions between cache keys, enabling one URL to serve another URL's cached responses. Public exploit code exists for this vulnerability. An attacker can leverage this to serve malicious cached content to users accessing legitimate endpoints.
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. [CVSS 6.5 MEDIUM]
SSRF bypass in Craft CMS 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 allows unauthenticated attackers to access cloud metadata endpoints and internal IP addresses through the saveAsset GraphQL mutation by exploiting Guzzle's automatic redirect handling. The vulnerability bypasses hostname and IP blocklist protections that validate only the initial request URL, enabling attackers to reach sensitive internal resources. Public exploit code exists; patched versions 4.16.18 and 5.8.22 are available.
Craft CMS versions 3.5.0-4.16.17 and 5.0.0-RC1-5.8.21 contain a server-side request forgery vulnerability in the save_images_Asset GraphQL mutation that allows authenticated users to bypass hostname validation and retrieve internal URLs by specifying domains resolving to private IP addresses. By uploading files with non-image extensions like .txt, attackers can bypass downstream validation to access sensitive data including AWS instance metadata credentials from the host system. Public exploit code exists for this vulnerability, though patches are available in versions 4.16.18 and 5.8.22.
Litestar versions before 2.20.0 improperly escape regex metacharacters in the allowed_hosts middleware, allowing attackers to bypass hostname validation by supplying hosts that match the compiled regex pattern but differ from intended literal hostnames. Public exploit code exists for this vulnerability. The flaw affects the ASGI framework's ability to properly restrict incoming requests to authorized hosts.
A device has a stack-based buffer overflow in HTTP SESSION cookie processing allowing unauthenticated remote code execution.
GitLab AI Gateway's Duo Workflow Service has a CVSS 9.9 server-side template injection enabling code execution through the AI workflow system.
A device has a stack-based buffer overflow in cookie parsing (including TRACKID) enabling unauthenticated remote code execution.
FUXA SCADA has yet another authorization bypass — now the seventh critical FUXA vulnerability discovered, enabling unauthenticated access to industrial controls.
FUXA SCADA has an authentication spoofing vulnerability from versions 1.2.8 through 1.2.10 — tenth critical vulnerability.
FUXA SCADA has insecure default configuration with a known JWT secret — eighth critical vulnerability.
PlaciPy placement system 1.0.0 has an improper authorization vulnerability enabling unauthenticated admin access — second of seven critical PlaciPy vulnerabilities.
PlaciPy has an injection vulnerability allowing user input to be processed as commands — sixth critical flaw.
Yokogawa FAST/TOOLS has a second web server vulnerability involving improper cryptographic handling that weakens the security of SCADA communications.
PlaciPy has an incorrect authorization allowing privilege escalation — seventh and final critical vulnerability.
A device stores user credentials using AES-ECB encryption with a hard-coded key, allowing any attacker to decrypt all stored passwords.
Yokogawa FAST/TOOLS SCADA has a vulnerability in its web server component enabling unauthorized access to the industrial control monitoring system.
FUXA SCADA has a path traversal vulnerability — ninth critical vulnerability enabling arbitrary file access on SCADA servers.
An SQL injection vulnerability in a product allows unauthenticated database compromise through unsanitized input.
Yokogawa FAST/TOOLS has a third vulnerability involving improper encoding of output that could enable injection attacks against the SCADA web interface.
SQL injection in code-projects Online Reviewer System 1.0 via the ID parameter in the questions-view.php file allows unauthenticated remote attackers to execute arbitrary SQL queries and potentially access or modify database contents. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at active risk.
SQL injection in the login component of code-projects Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, which affects PHP-based installations of the Online Reviewer System. An attacker can exploit this to extract sensitive data, modify database contents, or potentially gain unauthorized system access.
SQL injection in code-projects Online Reviewer System 1.0 via the difficulty_id parameter in /system/system/admins/assessments/pretest/btn_functions.php allows unauthenticated remote attackers to manipulate database queries and potentially extract sensitive data or modify database contents. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in itsourcecode Event Management System 1.0 via the ID parameter in /admin/manage_user.php allows unauthenticated remote attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available, putting all affected installations at immediate risk.
SQL injection in code-projects Online Music Site 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in AdminEditCategory.php, enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.
Online Music Site versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).
SQL injection in code-projects Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in the user deletion function, potentially leading to unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations vulnerable to active exploitation.
SQL injection in code-projects Online Reviewer System 1.0 via the difficulty_id parameter in /system/system/admins/assessments/pretest/loaddata.php allows remote attackers to execute arbitrary SQL queries without authentication. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could result in unauthorized data access, modification, or deletion within the application database.
SQL injection in code-projects Online Reviewer System 1.0 allows remote attackers to manipulate the test_id parameter in the exam-delete.php file, enabling unauthorized database access and modification without authentication. The vulnerability has public exploit code available and currently lacks a patch, posing an immediate risk to unpatched installations. Affected organizations using this system should prioritize mitigation strategies while awaiting official remediation.
SQL injection in code-projects Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the test_id parameter in the exam-update.php endpoint, enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in the News Portal Project 1.0 administrator login interface allows unauthenticated remote attackers to manipulate the email parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker could exploit this to extract sensitive data, modify database contents, or potentially escalate privileges within the application.
SumatraPDF versions 3.5.2 and earlier are vulnerable to a heap buffer over-read in the MOBI file parser due to incomplete bounds validation in the HuffDic decompressor, allowing attackers to crash the application by opening a malicious .mobi file. Public exploit code exists for this vulnerability. Local user interaction is required to trigger the vulnerability, and while denial of service is the primary impact, the out-of-bounds read could potentially leak sensitive memory contents.