Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthenticated remote attackers to leak stored credential data. KEV-listed with EPSS 43.9%, this vulnerability exposes credentials stored in the endpoint management platform — potentially including service accounts, deployment credentials, and other secrets used to manage the entire endpoint fleet.
MSHTML Framework contains a protection mechanism failure (CVE-2026-21513, CVSS 8.8) allowing remote attackers to bypass security features over a network. KEV-listed, this vulnerability in the legacy HTML rendering engine (still used by many Windows applications and email clients) enables execution of malicious content by circumventing the browser's security sandbox and content restrictions.
Windows Shell contains a protection mechanism failure (CVE-2026-21510, CVSS 8.8) that allows unauthenticated remote attackers to bypass security features over a network. KEV-listed, this vulnerability in the core Windows Shell component enables remote code execution by circumventing security boundaries designed to prevent execution of untrusted content received from the network.
Microsoft Office Word contains a security decision bypass (CVE-2026-21514, CVSS 7.8) through reliance on untrusted inputs, allowing local attackers to bypass protections when opening malicious documents. KEV-listed, this vulnerability enables document-based attacks that circumvent Word's security features designed to protect users from malicious content.
Desktop Window Manager (DWM) in Windows contains a type confusion vulnerability (CVE-2026-21519, CVSS 7.8) that enables authorized local attackers to escalate privileges. KEV-listed, this kernel-level vulnerability in the Windows compositor allows any authenticated user to achieve SYSTEM-level access through exploitation of an incompatible type access in DWM's resource handling.
Windows Remote Desktop contains an improper privilege management vulnerability (CVE-2026-21533, CVSS 7.8) enabling authorized local attackers to escalate to SYSTEM. KEV-listed, this vulnerability in the RDP subsystem is particularly concerning in environments where Remote Desktop is widely used, as it can be chained with RDP session access for complete system compromise.
Windows Remote Access Connection Manager contains a null pointer dereference flaw affecting Windows 10 (versions 1809 and 21h2) and Windows 11 (version 23h2) that has been confirmed as actively exploited. A local attacker can trigger a denial of service condition without requiring authentication or user interaction. No patch is currently available for this vulnerability.
Worklenz is a project management tool. [CVSS 8.8 HIGH]
Denial of service (with limited memory disclosure) in libpng before 1.6.55 lets an attacker supply a specially crafted but spec-valid PNG that, when processed via the png_set_quantize() API, traps the library in an infinite loop reading past the end of an internal heap buffer. Affects any application that links libpng and calls png_set_quantize() without a histogram while the palette holds more than twice the colors the display supports. Publicly available exploit code exists; EPSS is low (0.06%, 19th percentile) and it is not on CISA KEV, so widespread exploitation is not currently indicated.
Unauthenticated attackers can read sensitive configuration files from SiYuan knowledge management systems prior to version 3.5.5 by exploiting case-sensitivity bypass in file access controls on Windows and other case-insensitive filesystems. The /api/file/getFile endpoint fails to properly validate mixed-case path traversal attempts, allowing unauthorized access to protected data. Public exploit code exists for this vulnerability, and no patch is currently available.
Arbitrary PHP code execution in ClipBucket v5 prior to 5.5.3-#40 through a race condition in file upload validation, where files are moved to a web-accessible directory before security checks are performed. An authenticated attacker can exploit the time window between file placement and validation deletion to execute malicious PHP code on the server. Public exploit code exists for this vulnerability.
Stored XSS in Docmost before version 0.25.0 allows authenticated attackers to inject malicious scripts into public share page titles that execute when victims visit shared links, compromising user sessions and data. The vulnerability stems from improper HTML escaping of page titles in meta and title tags, and public exploit code is available. Upgrade to version 0.25.0 or later to remediate.
Remote code execution in D-Link DCS-931L camera firmware through OS command injection in the /goform/setSysAdmin endpoint allows authenticated attackers to execute arbitrary commands on affected devices. Public exploit code exists for this vulnerability, and no patch is available since the product is no longer supported by the vendor.
AutoGPT platform versions before 0.6.32 contain a regular expression denial of service vulnerability in the Code Extraction Block due to overlapping quantifiers that cause catastrophic backtracking when processing whitespace-heavy inputs. Authenticated attackers can exploit this by submitting malicious input with long sequences of spaces to trigger excessive regex processing, causing the service to become unavailable. Public exploit code exists for this vulnerability, and a patch is available in version 0.6.32 and later.
Zed Editor versions prior to 0.219.4 fail to display tool invocation parameters during permission prompts or after execution, allowing attackers with high privileges to execute tools with malicious or unintended parameters without user awareness. Public exploit code exists for this vulnerability. The issue is resolved in version 0.219.4, which adds expandable tool call details for transparency.
Command injection in Catalyst game server management platform. Install scripts in server templates allow injecting OS commands. EPSS 0.29%.
Authentication bypass in Flowring Agentflow workflow system allows unauthenticated remote attackers to exploit specific functions. EPSS 0.63%.
Unauthorized code execution in SAP CRM and SAP S/4HANA Scripting Editor. Authenticated attacker exploits generic function module call to execute unauthorized ABAP code. CVSS 9.9.
Deserialization of untrusted data in Azure SDK allows unauthorized code execution over a network. EPSS 0.32%.
Missing authentication in Flowring Agentflow allows unauthenticated attackers to read, modify, and delete data. Second auth bypass CVE.
Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific prerequisites are met.
SSRF vulnerability in Teknolist Okulistik application allows server-side requests to internal resources.
SQL injection in EverShop e-commerce platform during category update/deletion event handling. Path/request_path values injected unsanitized into SQL. Patch available.
Prototype pollution in CASL Ability authorization library versions 2.4.0 through 6.7.4. Can lead to authorization bypass in applications using CASL for access control.
Kanboard versions prior to 1.2.50 contain a CSRF vulnerability in the ProjectPermissionController that accepts text/plain content instead of enforcing application/json, enabling attackers to modify project user roles through malicious forms. An authenticated admin visiting a malicious website could be tricked into unknowingly changing role assignments, potentially granting unauthorized access to projects. Public exploit code exists for this vulnerability, though a patch is available in version 1.2.50 and later.
Unauthorized Remote Function Call execution in SAP NetWeaver ABAP. Low-privileged users can execute background RFCs without proper authorization checks. CVSS 9.6.
Agentflow versions up to - is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Authenticated attackers can execute arbitrary commands on TP-Link Tapo C260 v1 cameras through command injection in POST parameters during configuration synchronization, potentially achieving complete device compromise. The vulnerability stems from insufficient input validation and affects confidentiality, integrity, and availability with no patch currently available.
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to execute commands via crafted requests. [CVSS 8.8 HIGH]
Docpedia by Flowring contains a SQL injection vulnerability (CWE-89) that allows authenticated users to execute arbitrary database queries with network access. Attackers can exploit this flaw to read, modify, or delete sensitive database contents, with no patch currently available. The vulnerability has a high CVSS score of 8.8 and affects all confidentiality, integrity, and availability of the underlying database.
Dinibh Puzzle Software Solutions Dinibh Patrol Tracking System is affected by authorization bypass through user-controlled key (CVSS 8.8).
Microsoft Defender for Endpoint on Linux contains a code injection vulnerability that enables adjacent network attackers to execute arbitrary code without authentication. The flaw affects multiple platforms and carries high severity (CVSS 8.8) with no patch currently available. An attacker on the local network could achieve complete system compromise through this unauthenticated attack vector.
Ergosis Security Systems Computer Industry and Trade Inc. ZEUS PDKS is affected by sql injection (CVSS 8.8).
GitHub Copilot and Visual Studio Code are vulnerable to command injection attacks that allow unauthenticated attackers to bypass security features over the network through improper neutralization of special command elements. The vulnerability requires user interaction to exploit and could enable attackers to execute arbitrary commands with high impact on confidentiality, integrity, and availability. No patch is currently available for this issue.
Remote code execution in GitHub Copilot and Visual Studio 2022 via command injection allows unauthenticated attackers to execute arbitrary code over the network with user interaction. The vulnerability stems from improper sanitization of special elements in commands, enabling attackers to break out of intended command contexts and inject malicious payloads. No patch is currently available for this high-severity issue affecting both development environments.
Apache HertzBeat versions 1.7.1 through 1.8.0 contain an XPath injection vulnerability that allows authenticated attackers to manipulate XPath queries and potentially extract or modify sensitive data. An attacker with valid credentials can exploit this flaw to bypass access controls and execute arbitrary XPath expressions against the application's XML data stores. Affected users should upgrade to version 1.8.0 immediately as no patch is currently available for earlier versions.
GitHub Copilot is vulnerable to command injection attacks that enable remote code execution without requiring authentication or user interaction beyond a click. An attacker can exploit this network-accessible vulnerability to execute arbitrary commands on affected systems. No patch is currently available for this high-severity vulnerability.
Windows Hyper-V fails to properly enforce access controls, enabling local authenticated users to circumvent security features and gain unauthorized system access. This high-severity flaw affects Windows 10, Windows 11, Windows Server 2022, and Hyper-V implementations, allowing privileged attackers to escalate privileges across system boundaries. No patch is currently available for this vulnerability.
Sap Basis versions up to 700 is affected by improper verification of cryptographic signature (CVSS 8.8).
Sarman Soft Software and Technology Services Industry and Trade Ltd. Co. CMS contains a security vulnerability (CVSS 8.7).
A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0 all versions allows an authenticated admin to execute unauthorized code or commands via specifically crafted configuration. [CVSS 6.7 MEDIUM]
Out-of-bounds write in the firmware for the Intel(R) AMT and Intel(R) Standard Manageability within Ring 3: User Applications may allow a denial of service. Network adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. [CVSS 8.6 HIGH]
Arbitrary code execution with SYSTEM privileges in SINEC NMS User Management Component (all versions prior to V2.15.2.1) stems from improper access controls allowing low-privileged users to modify configuration files and load malicious DLLs. An authenticated attacker can exploit this to achieve complete system compromise. No patch is currently available.
Kanboard versions up to 1.2.50 is affected by authorization bypass through user-controlled key (CVSS 4.3).
Improper input validation for some Server Firmware Update Utility(SysFwUpdt) before version 16.0.12 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. [CVSS 8.2 HIGH]
Private-key information disclosure in the pyca/cryptography Python package (versions <= 46.0.4) arises because public-key loading and construction routines skip prime-order subgroup validation for SECT binary elliptic curves, letting an attacker submit a small-order point that leaks bits of a victim's private key during ECDH or enables signature forgery in ECDSA. Per the CVSS vector exploitation is unauthenticated and network-reachable (PR:N/AV:N) but high-complexity (AC:H), and only the rarely used SECT/binary curves are affected. There is no public exploit identified at time of analysis, EPSS risk is negligible (0.01%), and a fix is available in 46.0.5.
Remote code execution in Azure Local stems from improper certificate validation, enabling unauthenticated attackers to execute arbitrary code over the network without user interaction. This HIGH severity vulnerability (CVSS 8.1) affects Azure and Azure Local deployments, with no patch currently available. Organizations using these products face immediate risk of compromise through network-based attacks exploiting this validation bypass.
Fortios versions up to 7.6.4 contains a vulnerability that allows attackers to an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FS (CVSS 8.1).
Improper input validation in Power BI allows an authorized attacker to execute code over a network. [CVSS 8.0 HIGH]
GitHub Copilot and Visual Studio 2022 contain a command injection vulnerability that allows authenticated users to execute arbitrary commands through improper sanitization of special elements. An attacker with valid credentials can leverage user interaction to escalate privileges and gain elevated access across the network. No patch is currently available for this vulnerability.