Authentication bypass in FUXA SCADA/HMI system 1.2.8 and prior leading to Remote Code Execution. Unauthenticated attackers can execute arbitrary code on industrial control HMI systems. EPSS 0.64% with PoC available.
Persistent authentication token in Tattile ANPR cameras firmware 1.181.5 and prior. Authentication tokens never expire, enabling indefinite session reuse. PoC available.
FastCGI path splitting vulnerability in Caddy before 2.11.1 allows request smuggling or path confusion when proxying to FastCGI backends (PHP-FPM). EPSS 0.19% with PoC available.
Default credentials in Tattile Smart+, Vega, and Basic ANPR camera families firmware 1.181.5 and prior. License plate recognition cameras ship with known default credentials. PoC available.
JIT miscompilation in Firefox WebAssembly before 148. The JIT compiler generates incorrect Wasm code, enabling type confusion. PoC available.
SQL injection in Ormar async ORM for Python versions 0.9.9 through 0.22.0. Aggregate queries pass unsanitized input to SQL, enabling database compromise through the ORM abstraction. PoC and patch available.
TLS error swallowing in Caddy web server before 2.11.1 allows bypassing client certificate authentication. Errors in ClientCAs handling are silenced, potentially accepting invalid client certificates. PoC available.
Host header case sensitivity bypass in Caddy before 2.11.1. Virtual host routing can be bypassed by using alternate casing in the Host header. PoC available.
Case sensitivity bypass in Caddy web server path matching before 2.11.1. HTTP path matchers can be bypassed using alternate casing on case-insensitive filesystems. PoC available.
yt-dlp is a command-line audio/video downloader. [CVSS 8.8 HIGH]
Remote code execution in MindsDB prior to version 25.9.1.1 allows authenticated attackers to bypass file upload restrictions through path traversal in the /api/files endpoint. An attacker can exploit insufficient filename validation to write arbitrary files to any location on the server, achieving command execution. Public exploit code exists for this vulnerability.
Astro web framework versions prior to 9.5.4 contain a server-side request forgery vulnerability in error page handling that allows unauthenticated remote attackers to bypass Host header validation and redirect requests to internal services or cloud metadata endpoints. By manipulating the Host header when accessing prerendered error pages, attackers can read response bodies from internal URLs, cloud metadata services, or localhost resources. Public exploit code exists for this vulnerability, which affects applications using custom error pages without proper Host validation.
Unauthenticated RTSP stream access in multiple Tattile and Vega firmware versions allows remote attackers to view live video and audio feeds without credentials, exposing surveillance data across affected devices. Public exploit code exists for this vulnerability, which impacts Axle Counter, Vega11, Vega53, Vega33, and Anpr Mobile firmware lineups version 1.181.5 and earlier. No patch is currently available for this high-severity issue.
New API LLM gateway versions before 0.10.8-alpha.9 are vulnerable to stored cross-site scripting through the MarkdownRenderer component, which fails to sanitize script tags in model outputs. An authenticated attacker with user interaction can inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. Public exploit code exists for this vulnerability, though a patch is available.
free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 have a NULL Pointer Dereference vulnerability. [CVSS 7.5 HIGH]
Unbounded memory allocation in Fiber v3 (prior to 3.1.0) allows unauthenticated remote attackers to trigger denial of service by sending a malicious fiber_flash cookie that forces deserialization of up to 85GB of memory. All v3 endpoints are vulnerable regardless of flash message usage, and public exploit code exists. No patch is currently available.
X5000R Firmware versions up to 9.1.0cu.2415_b20250515 is affected by uncontrolled resource consumption (CVSS 7.5).
free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. [CVSS 7.5 HIGH]
Actual is a local-first personal finance tool. [CVSS 7.5 HIGH]
Remote attackers can inject control characters into the SUPI parameter of free5GC UDM versions up to 1.4.1, causing URL parsing failures that leak sensitive system error details and enable service fingerprinting. Public exploit code exists for this vulnerability affecting the Nudm_UEAU service across all vulnerable deployments. A patch is available and should be applied immediately, as no application-level workaround exists.
free5GC SMF versions up to 1.4.1 crash when receiving malformed PFCP SessionReportRequest packets on UDP port 8805, allowing unauthenticated remote attackers to cause denial of service. Public exploit code exists for this vulnerability, and no official patch is currently available, requiring organizations to implement network-level mitigations such as ACL restrictions or PFCP message inspection.
free5GC SMF versions up to 1.4.1 crash when processing malformed PFCP SessionReportRequest messages on the UDP/8805 interface, allowing unauthenticated remote attackers to cause denial of service. Public exploit code exists for this vulnerability, and no upstream patch is currently available. Organizations running affected SMF instances should restrict PFCP interface access to trusted UPF nodes and implement network-level filtering of malformed requests.
Fiber web framework versions 2 and 3 are vulnerable to denial of service attacks when processing requests to routes containing more than 30 parameters, enabling remote attackers to crash affected applications without authentication. The vulnerability stems from insufficient validation during route registration and unbounded array writes in request matching logic. Public exploit code exists for this high-severity flaw, though patches are available in Fiber v2.52.12 and v3.1.0.
free5GC SMF versions up to 1.4.1 crash when processing malformed PFCP SessionReportRequest messages on the PFCP interface, allowing unauthenticated remote attackers to cause denial of service via nil pointer dereference. Public exploit code exists for this vulnerability and no upstream patch is currently available. Network operators should restrict PFCP interface access to trusted UPF sources and consider implementing message validation at network boundaries.
Fiber web framework versions 3.0.0 and earlier on Windows contain a path traversal vulnerability that allows remote attackers to bypass static file middleware protections and read arbitrary files from the server. Public exploit code exists for this vulnerability, which affects applications using the vulnerable Fiber versions. The issue has been patched in Fiber v3.1.0.
Path traversal in Linksys MR9600 and MX4200 firmware allows attackers with physical access to mount arbitrary USB drive partitions into the file system, potentially enabling root-level code execution. Public exploit code exists for this vulnerability, and no patch is currently available. Affected versions include MR9600 1.0.4.205530 and MX4200 1.0.13.210200.
Caddy versions prior to 2.11.1 fail to sanitize backslashes in file path matching, allowing attackers to bypass path-based security controls through specially crafted requests. The vulnerability affects systems with specific Caddy configurations and has public exploit code available. Exploitation requires network access with no authentication, resulting in limited information disclosure or modification of restricted resources.
Denial of service in New API's `/api/token/search` endpoint allows authenticated users to exhaust database resources through SQL wildcard injection in unescaped search parameters. An attacker can craft malicious search patterns that trigger expensive queries, causing service unavailability. Public exploit code exists for this medium-severity vulnerability affecting versions prior to 0.10.8-alpha.10.
OpenEXR versions 3.3.0-3.3.6 and 3.4.0-3.4.4 are vulnerable to a heap buffer overflow in file parsing due to improper integer handling when processing malformed EXR files, allowing attackers to trigger a denial of service through memory-mapped streams. Public exploit code exists for this vulnerability. Patched versions 3.3.7 and 3.4.5 are available.
Craft CMS versions 4.5.0 through 4.16.18 and 5.0.0 through 5.8.22 contain an SSRF bypass in GraphQL Asset mutations where IPv6-only hostnames bypass the security blocklist, allowing authenticated users with GraphQL asset editing permissions to perform server-side request forgery attacks. Public exploit code exists for this vulnerability, which is a regression of a previously patched SSRF issue. Authenticated users with appropriate GraphQL schema permissions can exploit this to access internal resources or perform requests to arbitrary IPv6 addresses.
Caddy versions prior to 2.11.1 allow unauthenticated cross-origin requests to the admin API when origin enforcement is disabled, enabling attackers to remotely reconfigure the server through malicious web content loaded in a victim's browser. Public exploit code exists for this vulnerability, which can be leveraged to modify HTTP server behavior and admin listener settings without user knowledge. The vulnerability affects Caddy and TLS implementations, with no patch currently available for affected versions.
DNS rebinding attacks in Craft CMS 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22 allow authenticated attackers to bypass SSRF protections in GraphQL asset mutations by exploiting a Time-of-Check-Time-of-Use race condition between DNS validation and HTTP requests. Attackers with appropriate GraphQL schema permissions can access blocked IP addresses and internal resources that should be restricted. Public exploit code exists for this vulnerability, which represents a bypass of the previous CVE-2025-68437 fix.
OS command injection in InSAT MasterSCADA BUK-TS through MMadmServ web interface. Unauthenticated RCE on SCADA management server. EPSS 1.26%.
Second sandbox escape in Firefox WebRender component. CVSS 10.0 — independent path from CVE-2026-2760 to escape the content process sandbox.
Sandbox escape via IndexedDB in Firefox before 148 and Thunderbird. CVSS 10.0 — the Storage: IndexedDB component allows escaping the content process sandbox.
Sandbox escape via DOM Core & HTML component in Firefox before 148. CVSS 10.0 — fifth sandbox escape in this release.
Sandbox escape via Telemetry component in Firefox external software before 148. CVSS 10.0 — fourth sandbox escape in this release, through the telemetry subsystem.
Sandbox escape via boundary violation in Firefox WebRender graphics component. CVSS 10.0 — allows escaping the content sandbox to execute code with elevated privileges.
Insecure .NET Remoting deserialization in Altec DocLink (Beyond Limits) 4.0.336.0. Exposed TCP endpoints allow unauthenticated remote code execution via .NET Remoting deserialization attacks.
Memory exhaustion denial of service in Astro 9.0.0 through 9.5.3 allows remote attackers to crash server processes by sending oversized POST requests to server action endpoints without size restrictions. The framework buffers entire request bodies into memory with no limits, enabling a single large request to exhaust heap memory on affected deployments. Public exploit code exists for this vulnerability, which is particularly impactful in containerized environments where repeated crashes trigger persistent restart loops.
Sandbox escape in dotCMS Velocity scripting engine (VTools) allows authenticated users to execute arbitrary SQL. CVSS 9.9 with scope change — affects one of the largest Java CMS platforms.
SQL injection in InSAT MasterSCADA BUK-TS through the main web interface. ICS/SCADA system with unauthenticated SQL injection enabling full database compromise.
Command injection in Zyxel EX3510-B0 router UPnP functionality via firmware versions through 5.17. Allows remote code execution through the UPnP service.
PHP function injection in Slican NCP/IPL/IPM/IPU VOIP devices allows unauthenticated remote attackers to execute arbitrary PHP functions. Network telecommunications equipment vulnerability.
Memory safety bugs in Firefox ESR 115.32, ESR 140.7, and Firefox 147. Broader set of memory corruption issues than CVE-2026-2792.
Memory safety bugs in Firefox ESR 140.7 and Firefox 147 with evidence of memory corruption and potential code execution exploitability.
Boundary error in Firefox Audio/Video GMP (Gecko Media Plugins) component before 148. Media plugin processing triggers memory corruption.
Boundary error in Firefox Web Audio component before 148. Crafted audio processing triggers memory corruption.
Undefined behavior in Firefox DOM Core & HTML component before 148. Can lead to memory corruption and potential code execution.
JIT miscompilation causing use-after-free in Firefox JavaScript JIT compiler before 148. JIT bugs are highly exploitable due to their deterministic nature.