Ray dashboard versions 2.53.0 and below lack proper authentication on DELETE endpoints, allowing unauthenticated attackers to terminate Serve instances or remove jobs through DNS rebinding or same-network attacks. Public exploit code exists for this vulnerability, which impacts Ray deployments with dashboards exposed to network access. Administrators should upgrade to Ray 2.54.0 or higher to remediate the availability risk.
SQL injection in the Agri Trading Online Shopping System 1.0 admin panel allows unauthenticated remote attackers to manipulate product parameters and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw affects the HTTP POST request handler in admin/productcontroller.php and enables data exfiltration, modification, and potential denial of service.
Stored XSS in LinkAce 2.4.2 and below allows authenticated users to inject malicious JavaScript through improperly sanitized list descriptions in the Atom feed endpoint, which executes in browsers via native SVG elements without requiring an RSS reader. An attacker can exploit this to perform actions on behalf of victims visiting the feed URL, with public exploit code already available. A patch is available to remediate this cross-site scripting vulnerability affecting the self-hosted link archiving application.
GetSimple CMS allows authenticated users to upload SVG files containing malicious JavaScript through the administrative interface, which executes in browsers when the files are accessed due to insufficient sanitization. Public exploit code exists for this stored XSS vulnerability, and no patch is currently available, leaving all GetSimple CMS versions at risk.
Funadmin versions up to 7.1.0-rc4 contain an information disclosure vulnerability in the password recovery function that allows unauthenticated remote attackers to access sensitive user data. Public exploit code is available for this vulnerability, and the vendor has not released a patch despite early notification. The low CVSS score of 5.3 reflects limited impact, though organizations running affected versions should implement compensating controls until an update is available.
Static Web Server versions up to 2.40.1 contains a vulnerability that allows attackers to identify valid users by exploiting early responses for invalid usernames, enabli (CVSS 5.3).
Arbitrary file upload in GetSimple CMS results from missing CSRF protection on the administrative upload endpoint, allowing an attacker to silently inject files through a malicious webpage visited by an authenticated admin. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker needs only to trick an authenticated user into visiting a crafted page to compromise the application.
OpenShift versions 1.1.2-alpha and below suffer from a race condition in local JSON persistence that allows authenticated local users to corrupt data stores or cause loss of updates across sessions, study materials, quizzes, and authentication records. The vulnerability stems from non-atomic and insufficiently synchronized file operations that can be exploited through concurrent access to the application's local storage. No patch is currently available.
Moodle's TeX formula editor fails to enforce adequate execution time limits when processing mimetex content, enabling authenticated users to craft malicious formulas that exhaust server resources. This resource exhaustion vulnerability can degrade application performance or trigger denial-of-service conditions without requiring user interaction or privilege escalation.
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. [CVSS 6.5 MEDIUM]
When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. [CVSS 6.5 MEDIUM]
Pannellum 2.5.0 through 2.5.6 allows arbitrary JavaScript execution through improperly sanitized hotspot configuration attributes in JSON files, enabling stored XSS attacks against users viewing panorama viewers with malicious configurations. An attacker can craft a malicious config file that executes code automatically upon page load without user interaction, potentially allowing page defacement or credential theft. A patch is available to address this vulnerability.
Stored cross-site scripting in Isso's comment server allows unauthenticated attackers to inject malicious JavaScript through improperly escaped website and comment fields, enabling session hijacking or credential theft when victims interact with affected comments. The vulnerability stems from insufficient HTML escaping that leaves quotes unescaped in href attributes and comment edit endpoints, permitting arbitrary event handler injection. No patch is currently available for Python deployments.
Feathersjs versions 5.0.39 and below contain an open redirect vulnerability in the redirect query parameter that fails to properly validate user-supplied values, enabling attackers to inject authority into URLs and steal access tokens through URL manipulation. An unauthenticated remote attacker can exploit this by crafting a malicious redirect URL that causes the victim's browser to send the access token to an attacker-controlled domain, resulting in account takeover. A patch is available for affected installations.
Vehicle Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).
Werkzeug versions 3.1.5 and below on Windows fail to properly filter reserved device names in the safe_join function when paths contain multiple segments, allowing attackers to craft requests that trigger indefinite hangs by targeting special device names like NUL. Remote attackers can exploit this denial-of-service vulnerability against applications using send_from_directory to serve user-specified files. A patch is available in version 3.1.6.
Information disclosure in Foswiki versions up to 2.1.10 allows unauthenticated remote attackers to access sensitive data through the Changes/Viewfile/Oops component. Public exploit code exists for this vulnerability. Upgrading to version 2.1.11 or later resolves the issue.
Asn1 Ts library versions 11.0.5 and below expose sensitive data through unintended ArrayBuffer leakage during INTEGER decoding operations in BER/DER codec processing. Applications using affected versions could inadvertently disclose memory contents to remote attackers without requiring authentication or user interaction. A patch is available in version 11.0.6 and later.
OpenClaw CLI versions 2026.2.13 and earlier terminate processes based on command-line pattern matching without verifying process ownership, allowing unrelated processes to be killed on shared hosts. An attacker or unprivileged user on a multi-tenant system could leverage this to disrupt services or cause denial of service by triggering process cleanup routines that match their target applications. The vulnerability has been patched in version 2026.2.14.
Feathersjs versions 5.0.39 and below store unencrypted HTTP headers in base64-encoded session cookies, allowing attackers with network access to decode and retrieve sensitive internal infrastructure details such as API keys, service tokens, and internal IP addresses. Authenticated users can exploit this vulnerability in deployments behind reverse proxies or API gateways to gain unauthorized access to sensitive information. A patch is available for affected installations.
Unauthenticated attackers can delete migrated courses in WordPress sites running LearnPress Export Import versions up to 4.1.0 due to missing capability checks in the data deletion function, provided Tutor LMS is also installed. This allows unauthorized data loss with low complexity exploitation requiring network access. No patch is currently available for this medium-severity vulnerability.
Email content leakage in Lettermint Node.js SDK versions 1.5.0 and below allows local authenticated users to intercept sensitive email data when a single client instance sends multiple messages, as email properties are not properly cleared between sends. Applications using transactional email flows with reused client instances risk exposing recipient addresses and message content to unintended parties. The vulnerability has been patched in version 1.5.1.
Openclaw contains a vulnerability that allows attackers to potential unintentional disclosure of local files from the packaging machine int (CVSS 4.4).
Flask versions 3.1.2 and earlier fail to set proper cache headers when the session object is accessed through certain methods like the Python `in` operator, allowing cached responses containing user-specific session data to be served to other users. An attacker can exploit this to access sensitive information from cached responses if the application runs behind a caching proxy that doesn't ignore Set-Cookie headers. This requires the vulnerable application to lack explicit Cache-Control headers and access session data in ways that bypass normal cache-control logic.
Unauthorized Discord moderation actions in OpenClaw versions 2026.2.17 and below allow non-admin users to execute timeouts, kicks, and bans by spoofing sender identity parameters in tool-driven requests. The vulnerability affects deployments where Discord moderation is enabled and the bot has necessary guild permissions, enabling privilege escalation through identity manipulation. A patch is available in version 2026.2.18.
OpenClaw versions 2026.2.17 and earlier fail to enforce payload size limits in the ACP bridge, allowing local clients to trigger denial of service through excessively large prompt inputs that consume system resources. This vulnerability primarily impacts IDE integrations and other local ACP clients that may inadvertently send oversized text blocks. The issue has been patched in version 2026.2.19.