Command injection in Catalyst game server management platform. Install scripts in server templates allow injecting OS commands. EPSS 0.29%.
Authentication bypass in Flowring Agentflow workflow system allows unauthenticated remote attackers to exploit specific functions. EPSS 0.63%.
Unauthorized code execution in SAP CRM and SAP S/4HANA Scripting Editor. Authenticated attacker exploits generic function module call to execute unauthorized ABAP code. CVSS 9.9.
Deserialization of untrusted data in Azure SDK allows unauthorized code execution over a network. EPSS 0.32%.
Missing authentication in Flowring Agentflow allows unauthenticated attackers to read, modify, and delete data. Second auth bypass CVE.
Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific prerequisites are met.
SSRF vulnerability in Teknolist Okulistik application allows server-side requests to internal resources.
SQL injection in EverShop e-commerce platform during category update/deletion event handling. Path/request_path values injected unsanitized into SQL. Patch available.
Prototype pollution in CASL Ability authorization library versions 2.4.0 through 6.7.4. Can lead to authorization bypass in applications using CASL for access control.
Unauthorized Remote Function Call execution in SAP NetWeaver ABAP. Low-privileged users can execute background RFCs without proper authorization checks. CVSS 9.6.