Unauthenticated remote code execution in Zai Shell prior to 9.0.3 via the unprotected P2P terminal sharing feature on port 5757, where attackers can inject arbitrary system commands that execute with user privileges if approved. Public exploit code exists for this vulnerability, and affected systems running --no-ai mode completely bypass safety checks during command execution. Update to version 9.0.3 to remediate.
Buffer overflow in Tenda AC8 firmware version 16.03.33.05 allows authenticated remote attackers to execute arbitrary code via the timeZone parameter in the /goform/fast_setting_wifi_set endpoint. Public exploit code exists for this vulnerability, and no patch is currently available. The high CVSS score of 8.8 reflects the ability to achieve complete system compromise through network access.
Remote code execution in Tenda AC8 firmware 16.03.33.05 allows authenticated attackers to achieve full system compromise through a buffer overflow in the WiFi guest settings function. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access but minimal user interaction, making it a significant risk for exposed devices.
SQL injection in Craft CMS 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 allows authenticated Control Panel users to execute arbitrary SQL queries via the criteria[orderBy] parameter in the element-indexes/get-elements endpoint. The vulnerability stems from insufficient input sanitization in the ORDER BY clause, enabling attackers to manipulate database queries. Public exploit code exists for this high-severity vulnerability, and patches are available in versions 4.16.18 and 5.8.22.
Path normalization bypass in Filebrowser prior to 2.57.1 allows authenticated users to circumvent file access restrictions by injecting multiple slashes into request URLs, enabling unauthorized access to files designated as restricted. The vulnerability exploits a mismatch between the authorization validation logic and filesystem path resolution, affecting users running vulnerable versions. Public exploit code exists for this high-severity issue.
Adminer versions 5.4.1 and earlier suffer from a post-message validation bypass that allows remote attackers to trigger denial of service affecting all users. By sending a crafted POST request with array parameters to the version endpoint, an attacker can cause openssl_verify() to receive malformed input, resulting in a TypeError that crashes the application and returns HTTP 500 errors. Public exploit code exists for this vulnerability; administrators should upgrade to version 5.4.2 immediately.
PowerDocu versions prior to 2.4.0 allow arbitrary .NET object instantiation and code execution through unsafe deserialization of the $type property in JSON files within Flow or App packages. A local attacker with user interaction can exploit this vulnerability to achieve full system compromise. Public exploit code exists for this vulnerability, and no patch is currently available for affected versions.
SumatraPDF 3.5.2 and earlier on Windows allows arbitrary code execution when a user opens a PDF and selects "Show in folder," as the application executes a malicious explorer.exe binary from the same directory without warning. Public exploit code exists for this vulnerability, which affects any user who opens untrusted PDFs and interacts with the file menu option. An attacker can achieve code execution with the privileges of the victim's user account through a simple social engineering attack.
Unauthenticated directory traversal in FileRise prior to version 3.3.0 allows remote attackers to read arbitrary files from the /uploads directory without authentication by directly accessing guessable file paths. Public exploit code exists for this vulnerability, enabling attackers to expose sensitive data and breach user privacy. No patch is currently available.
Unauthenticated message injection in PolarLearn 0-PRERELEASE-16 and earlier allows remote attackers to send persistent messages to arbitrary group chats via the WebSocket API without credentials. Public exploit code exists for this vulnerability, which affects all users of vulnerable versions by enabling spam and potential information manipulation within group communications.
Axios versions up to 0.30.3 is affected by improper check for unusual or exceptional conditions (CVSS 7.5).
Memory exhaustion in Sliver C2 framework prior to version 1.7.0 allows unauthenticated remote attackers to bypass OTP validation in the DNS listener and create unbounded server-side sessions without expiry mechanisms. Public exploit code exists for this vulnerability, enabling attackers to repeatedly allocate sessions and exhaust server memory resources. The DNS C2 listener accepts bootstrap messages without proper authentication even when OTP enforcement is enabled.
SumatraPDF versions 3.5.0 through 3.5.2 fail to validate TLS certificates during software updates and execute installers without signature verification, allowing network attackers to perform man-in-the-middle attacks and inject malicious code. An attacker with any valid TLS certificate can intercept update requests and redirect users to a malicious installer, achieving arbitrary code execution on Windows systems. Public exploit code exists for this vulnerability and no patch is currently available.
Hollo versions prior to 0.6.20 and 0.7.2 improperly expose direct messages and followers-only posts through the ActivityPub outbox endpoint, allowing unauthenticated remote attackers to access sensitive user communications. Public exploit code exists for this authorization bypass vulnerability, enabling attackers to enumerate and retrieve private content intended for restricted audiences. Patched versions 0.6.20 and 0.7.2 are available to remediate the exposure.
Litestar ASGI framework versions before 2.20.0 fail to properly escape regex metacharacters in CORS origin validation, allowing attackers to bypass origin restrictions through crafted malicious origins. This configuration flaw affects cross-origin request filtering and enables unauthorized cross-origin access. Public exploit code exists for this vulnerability.
Craft is a platform for creating digital experiences. [CVSS 7.2 HIGH]
D-Link DIR-823X firmware versions up to 250416 contain an OS command injection vulnerability in the /goform/set_filtering function that allows remote attackers with high privileges to execute arbitrary commands with full system access. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access and administrative credentials but carries high confidentiality, integrity, and availability impact.
Command injection in GitHub Super-linter versions 6.0.0 through 8.3.0 allows attackers to execute arbitrary commands in workflow runner contexts by submitting pull requests with maliciously crafted filenames containing shell command substitution syntax. An attacker exploiting this vulnerability can access sensitive workflow credentials, including GITHUB_TOKEN, depending on permission configurations. The vulnerability affects Super-linter when used as a GitHub Action and has no available patch at this time.
Placipy 1.0.0 fails to implement CSRF protections while permitting credentialed cross-origin requests, allowing unauthenticated attackers to perform unauthorized actions on behalf of logged-in users through malicious websites. An attacker can exploit this vulnerability to modify placement records, access sensitive educational data, or compromise institutional operations without user knowledge. No patch is currently available.
Keycloak's JWT authorization grant flow fails to verify that an Identity Provider is enabled before accepting tokens signed by its key, allowing attackers with a disabled IdP's signing credentials to obtain valid access tokens. This authentication bypass affects organizations that have disabled IdPs due to compromise or offboarding but retain the associated signing keys. An attacker can exploit this to gain unauthorized access to systems relying on Keycloak for authentication.
Craft CMS versions 4.0.0-RC1 to 4.17.0 and 5.0 to 5.9.0 contain a privilege escalation vulnerability in the GraphQL API that allows authenticated users with write access to one asset volume to modify or transfer assets across any other volume, including restricted ones they should not access. The vulnerability stems from insufficient authorization validation in the saveAsset mutation, which verifies permissions against the intended volume but fails to confirm the target asset actually belongs to that volume. An attacker with limited asset write permissions can exploit this to gain unauthorized access to and manipulate sensitive assets in protected volumes.
Birtech Information Technologies Industry and Trade Ltd. Co. Sensaway is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Denial-of-service in FreeRDP's camera redirection (rdpecam) client channel allows a malicious or compromised RDP server to crash connected clients running versions prior to 3.22.0. The capture thread continues sending sample responses through a channel callback that was already freed when the device channel closed, producing a use-after-free in ecam_channel_write. EPSS is low (0.02%), it is not on CISA KEV, and no public exploit identified at time of analysis, but an upstream fix and multiple distro advisories exist.
Zirve Information Technologies Inc. E-Taxpayer Accounting Website is affected by cross-site scripting (xss) (CVSS 8.6).
Remote code execution in the jsonpath npm package (versions <1.2.0) allows unauthenticated attackers to execute arbitrary JavaScript code by injecting malicious JSON Path expressions. The vulnerability stems from unsafe evaluation through the static-eval module, which processes user-supplied JSON Path input without proper sanitization. All query methods (.query, .nodes, .paths, .value, .parent, .apply) are affected. While EPSS scoring indicates relatively low widespread exploitation probability (0.09%, 26th percentile), multiple vendor patches from Red Hat and SUSE confirm the severity, and publicly available exploit code exists (CVSS E:P). This represents critical risk for Node.js applications processing untrusted JSON Path expressions, with potential for both server-side RCE and browser-based XSS depending on execution context.
Crafted delegations or IP fragments can poison cached delegations in Recursor. [CVSS 8.2 HIGH]
In JetBrains PyCharm before 2025.3.2 a DOM-based XSS on Jupyter viewer page was possible [CVSS 8.2 HIGH]
Keycloak's invitation token validation fails to cryptographically verify JWT payload modifications, allowing authenticated attackers to alter organization IDs and email addresses to register into unauthorized organizations. This enables unauthorized access to organizations without proper authentication, affecting any Keycloak deployment using the invitation feature. No patch is currently available.
Arbitrary code execution in vscode-spell-checker prior to v4.5.4 allows attackers to execute malicious Node.js code by placing a crafted .cspell.config.js file in an untrusted workspace, since the extension fails to validate VS Code's workspace-trust state before loading configuration files. An attacker can exploit this by tricking users into opening a malicious workspace, resulting in code execution with the privileges of the extension host process.
GIGABYTE MacroHub improperly executes external applications with elevated privileges, enabling authenticated local users to achieve arbitrary code execution with SYSTEM-level access. This local privilege escalation affects MacroHub users on Windows systems and could allow attackers to fully compromise affected machines. No patch is currently available.
Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools. [CVSS 7.8 HIGH]
Privilege escalation in Cube.js versions 0.27.19 through 1.5.12 allows authenticated attackers to craft specially designed API requests that bypass access controls and gain elevated privileges within the application. This vulnerability affects Cube.js semantic layer deployments and requires only a valid API token to exploit, making it a risk to multi-tenant or role-based access control implementations. No patch is currently available for this HIGH severity issue.
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product does not properly validate URLs. [CVSS 7.5 HIGH]
Insufficient URI validation in CGI endpoints permits unauthenticated attackers to bypass authentication controls through path traversal techniques, enabling direct access to protected administrative functions and configuration files. An attacker can exploit this remotely without credentials to retrieve sensitive data and potentially modify system settings. No patch is currently available for this vulnerability.
Unauthenticated attackers can exploit SQL injection in C&Cm@il by HGiga to execute arbitrary database queries and extract sensitive information without authentication or user interaction. The vulnerability has a high severity rating with a CVSS score of 7.5 and impacts database confidentiality. No patch is currently available for this issue.
Placipy versions up to 1.0.0 is affected by insertion of sensitive information into log file (CVSS 7.5).
FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in the input event handling mechanism where unsynchronized access to cached channel callbacks can be freed or reinitialized by concurrent channel closure operations. An attacker with network access can trigger a denial of service condition by exploiting this race condition. A patch is available in version 3.22.0 and later.
FreeRDP versions prior to 3.22.0 contain a buffer management error in audio format parsing that causes out-of-bounds memory access when processing malformed audio data. An attacker can exploit this vulnerability over the network without authentication to trigger a denial of service condition. A patch is available in FreeRDP 3.22.0 and later.
FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in the URBDRC channel handler where asynchronous bulk transfer completions reference freed memory after channel closure, enabling denial of service attacks. An unauthenticated remote attacker can trigger this condition through malformed RDP protocol messages to crash the FreeRDP service. A patch is available in version 3.22.0 and later.
FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in pointer handling where sdl_Pointer_New and sdl_Pointer_Free both attempt to free the same memory, causing a denial of service condition. An attacker with network access can trigger this memory corruption to crash RDP client instances without authentication. The vulnerability affects all users of vulnerable FreeRDP versions and is resolved in version 3.22.0 and later.
FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in audio format renegotiation that allows unauthenticated attackers to cause denial of service by triggering a crash through audio processing. The vulnerability occurs when the AUDIN format list is freed during renegotiation while the capture thread continues accessing the freed memory, affecting any system running vulnerable FreeRDP instances. A patch is available in version 3.22.0 and later.
FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in the libusb device interface selection code where error handling prematurely frees configuration data that subsequent code attempts to access, causing denial of service. This vulnerability affects systems using FreeRDP for remote desktop protocol operations and can be triggered remotely without authentication or user interaction. A patch is available in version 3.22.0 and later.
FreeRDP versions prior to 3.22.0 are vulnerable to a use-after-free condition where the video_timer component sends notifications after the control channel closes, dereferencing freed memory and causing denial of service. An unauthenticated remote attacker can trigger this crash by manipulating RDP session timing, making the vulnerability exploitable with no user interaction required. A patch is available in FreeRDP 3.22.0 and later.
FreeRDP proxy versions prior to 3.22.0 are vulnerable to denial of service when processing specially crafted RDP server responses that trigger a null pointer dereference in the logon information handler. An unauthenticated attacker controlling a malicious RDP server can crash the FreeRDP proxy by sending a LogonInfoV2 PDU with empty domain or username fields. This vulnerability has been patched in version 3.22.0 and later.
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product supports weak cryptographic algorithms, potentially allowing an attacker to decrypt communications with the web server. [CVSS 7.5 HIGH]
FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in the audio playback subsystem where the RDPSND async thread processes queued audio packets after the channel has been closed and its internal state freed, causing a denial of service. The vulnerability affects systems running vulnerable FreeRDP versions and can be exploited remotely without authentication or user interaction. A patch is available in FreeRDP 3.22.0 and later.
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product supports old SSL/TLS versions, potentially allowing an attacker to decrypt communications with the web server. [CVSS 7.5 HIGH]
Birtech Information Technologies Industry and Trade Ltd. Co. Senseway is affected by improper authentication (CVSS 7.3).
Remote code execution in FUXA prior to 1.2.11 allows authenticated administrators to bypass path traversal protections using nested directory sequences, enabling arbitrary file writes to the server filesystem. An attacker with admin privileges can inject malicious scripts into runtime directories that execute when the server reloads, achieving complete system compromise. Update to version 1.2.11 or later to remediate.