Remote code execution in Vaelsys 4.1.0 allows unauthenticated attackers to execute arbitrary OS commands via malicious xajaxargs parameters sent to the /tree/tree_server.php endpoint. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. This network-accessible flaw poses immediate risk to exposed Vaelsys installations.
Remote code execution in Tosei Online Store Management System 1.01 allows unauthenticated attackers to execute arbitrary OS commands through the DevId parameter in /cgi-bin/monitor.php. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. The attack requires no user interaction and is exploitable over the network.
Improper access control in SourceCodester Student Result Management System 1.0 allows unauthenticated remote attackers to manipulate the SMTP configuration through the update_smtp.php endpoint. Public exploit code exists for this vulnerability, and no patch is currently available. Affected organizations running vulnerable PHP-based installations face potential compromise of email settings and system integrity.
SQL injection in Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the test_id parameter in the student results view functionality, enabling unauthorized database access and potential data modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.
Funadmin versions up to 7.1.0 contains a vulnerability that allows attackers to improper authorization (CVSS 7.3).
Out-of-bounds write in the URL handler of Zaher1307's tiny_web_server allows remote attackers to achieve code execution, information disclosure, or denial of service without authentication. Public exploit code exists for this vulnerability, and the maintainers have not yet released a patch despite early notification. Users of tiny_web_server should implement network segmentation or disable this service until a fix becomes available.
Unauthenticated attackers can manipulate email routing and redirection in The Plus Addons for Elementor plugin for WordPress versions up to 6.4.7 by tampering with the 'email_data' parameter in an AJAX handler that lacks proper cryptographic verification. This allows attackers to trigger unauthorized email relay and redirect users to attacker-controlled sites without authentication. No patch is currently available for this medium-severity vulnerability.
Conditional CAPTCHA WordPre versions up to 4.0.0 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).