Remote code execution in openDCIM 23.04 allows unauthenticated attackers to execute arbitrary OS commands as the web server user by poisoning the 'dot' configuration parameter in the database, then triggering execution via report_network_map.php. Public exploit code exists with a documented SQL injection to command injection attack chain. EPSS score of 0.57% (68th percentile) suggests moderate but not widespread exploitation probability, though the publicly available weaponized exploit significantly elevates real-world risk for exposed instances.
Missing authorization in openDCIM 23.04 (through commit 4467e9c4) lets any authenticated user — regardless of assigned role — reach LDAP configuration handling in install.php and container-install.php, and where REMOTE_USER is trusted without real authentication enforcement the endpoints may be reachable with no credentials at all. Because the same installer path also chains into a SQL injection in the configuration-update routine and a command injection in report_network_map.php (both fixed in the same PR), the broken access control is a stepping stone to full remote code execution. Publicly available exploit code exists (Chocapikk's 'SQLi to RCE' write-up and PoC); EPSS is low at 0.22% (44th percentile) and the CVE is not listed in CISA KEV, so no confirmed active exploitation.
SQL injection in openDCIM 23.04 (up to commit 4467e9c4) lets attackers execute arbitrary SQL through the Config::UpdateParameter routine, which the install.php and container-install.php handlers reach with unsanitized, string-interpolated input. Publicly available exploit code exists (Chocapikk PoC and write-up) demonstrating a chain from SQLi to remote code execution, though it is not listed in CISA KEV and EPSS rates real-world exploitation probability at only 0.04%. Note a data conflict: the CVSS 4.0 vector encodes PR:N (unauthenticated) while the description states an authenticated user is required.
Command injection in TOTOLINK N300RH router firmware 6.1c.1353 via setDiagnosisCfg handler. EPSS 4.0% with PoC available — high exploitation probability for consumer routers.
Critical RCE via OS command injection in WeGIA before 3.6.5. Unauthenticated attackers can execute arbitrary commands on the server. CVSS 10.0 with PoC available.
Authentication bypass via unsafe extract() function in WeGIA before 3.6.5. The extract() call on user-controlled data allows overwriting authentication variables. EPSS 0.7% with PoC available.
Authentication bypass in WeGIA charitable institution management system before 3.6.5. The adicionar_tipo_docs_atendido.php script lacks authentication, allowing unauthorized access. PoC available.
Code injection in OpenStack Vitrage query parser allows authenticated users to execute arbitrary Python code through crafted queries. Affects versions before 12.0.1, 13.0.0, 14.0.0, and 15.0.0. PoC available.
Integer overflow in pillow_heif Python library before 1.3.0 leads to out-of-bounds read when processing HEIF images, potentially causing information disclosure or crashes. PoC and patch available.
Remote code execution in Tenda F453 firmware through a buffer overflow in the P2pListFilter HTTP handler allows authenticated attackers to achieve complete system compromise. Public exploit code exists for this vulnerability, creating immediate risk for deployed devices. No patch is currently available, leaving affected systems vulnerable to exploitation.
Remote code execution in Tenda F453 firmware allows authenticated attackers to achieve complete system compromise through a buffer overflow in the httpd address NAT function. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected devices at immediate risk.
Remote code execution in Tenda F453 firmware through a buffer overflow in the L7Prot HTTP handler allows unauthenticated attackers to achieve full system compromise via a malicious page parameter. Public exploit code exists for this vulnerability, increasing the risk of widespread attacks. No patch is currently available, leaving affected devices vulnerable until firmware updates are released.
Remote code execution in Tenda F453 firmware version 1.0.0.3 allows authenticated attackers to execute arbitrary code via a buffer overflow in the wireless security settings endpoint. The vulnerability exists in the httpd component's formWrlsafeset function and can be triggered through manipulation of the mit_ssid_index parameter. Public exploit code is available and no patch has been released.
Unauthenticated remote attackers can execute arbitrary code on Tenda F453 devices running firmware 1.0.0.3 by exploiting a stack buffer overflow in the DHCP list client function through the httpd service. Public exploit code exists for this vulnerability and no patch is currently available. The attack requires network access but no user interaction, making it trivial to exploit.
PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. [CVSS 8.7 HIGH]
CleverTap Web SDK through version 1.15.2 contains a cross-site scripting vulnerability in its postMessage handler that fails to properly validate message origins, allowing attackers to inject malicious scripts by exploiting subdomain bypass techniques. Public exploit code exists for this vulnerability, and affected applications can be compromised through user interaction. A patch is available to address the insufficient origin validation in the nativeDisplay.js component.
CleverTap Web SDK versions 1.15.2 and earlier contain a DOM-based XSS vulnerability in the Visual Builder module due to improper origin validation of postMessage events, allowing attackers to inject malicious scripts through crafted subdomains. Public exploit code exists for this vulnerability, which affects all users of the affected SDK versions. An attacker can execute arbitrary JavaScript in the context of a victim's browser session to steal sensitive data or perform unauthorized actions.
Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into username and password fields. [CVSS 8.2 HIGH]
Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter. [CVSS 8.2 HIGH]
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the products_id parameter. [CVSS 8.2 HIGH]
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviews_id parameter. [CVSS 8.2 HIGH]
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. [CVSS 8.2 HIGH]
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'val' parameter. [CVSS 8.2 HIGH]
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. [CVSS 8.2 HIGH]
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. [CVSS 8.2 HIGH]
Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' parameter. [CVSS 8.2 HIGH]
Unitree robotics firmware updates can be modified and executed by local attackers due to inadequate encryption of the firmware protection mechanism, allowing arbitrary code execution on affected Go1 and Go2 models. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with physical or local access could tamper with firmware packages to gain complete control over the device.
Gradio versions up to 6.7 contains a vulnerability that allows attackers to read arbitrary files from the file system (CVSS 7.5).
Unauthenticated account creation in phpMyFAQ versions before 4.0.18 allows remote attackers to register unlimited user accounts through the WebAuthn prepare endpoint without authentication, CSRF protection, or captcha validation, even when registration is disabled. Public exploit code exists for this vulnerability. Update to version 4.0.18 or later to remediate.
Inetutils versions up to 2.7 is affected by inclusion of functionality from untrusted control sphere (CVSS 7.4).
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. [CVSS 7.3 HIGH]
OpenEMR versions prior to 8.0.0 allow authenticated portal users to access other patients' protected health information through insecure direct object references (IDOR) in the payment portal, enabling horizontal privilege escalation to view and modify another patient's demographics, invoices, and payment history. The vulnerability stems from accepting patient ID values from user-controlled request parameters instead of validating against the authenticated user's session. Public exploit code exists for this vulnerability.
Cross-site scripting (XSS) in PMD's legacy vbhtml and yahtml report formats allows arbitrary JavaScript execution when HTML reports are opened in a browser, triggered by analyzing malicious source code containing crafted string literals. Public exploit code exists for this vulnerability affecting PMD versions prior to 7.22.0. The impact is limited since these legacy formats are rarely used and the default html format is properly escaped.
Path traversal in Beszel hub's container API endpoints allows authenticated users, including those with read-only roles, to bypass validation and access arbitrary Docker Engine API endpoints on agent hosts through improper URL path construction. This exposure of sensitive infrastructure details affects Beszel versions prior to 0.18.4 and Docker integrations, with public exploit code already available. The vulnerability requires valid authentication but no special privileges, making it exploitable by low-privileged users in multi-tenant environments.
Unauthorized collection manipulation in ClipBucket v5 prior to 5.5.3 #59 allows authenticated attackers to add or remove items from other users' collections due to missing and broken authorization checks in the add and delete item functions. An attacker with valid credentials can exploit this to alter collections they do not own without restriction. Public exploit code exists for this vulnerability, and no patch is currently available.
OpenEMR versions up to 8.0.0 contain a path traversal vulnerability in the fax sending functionality that allows authenticated users to exfiltrate arbitrary files from the server, including database credentials, patient records, and source code. The fax endpoint fails to validate or restrict file paths, enabling attackers to read and transmit sensitive data to attacker-controlled phone numbers. Public exploit code exists for this vulnerability, and a patch is available.
HTTP response header injection in Calibre Content Server prior to version 9.4.0 permits authenticated users to inject arbitrary headers through an unsanitized query parameter, potentially enabling cache poisoning, session fixation, or credential theft attacks. Any authenticated user can exploit this vulnerability directly or via social engineering, affecting all instances with authentication enabled. Public exploit code exists and no patch is currently available.
Authentication bypass in Copeland XWEB Pro HVAC controller version 1.12.1 and prior due to weak cryptographic algorithm. CVSS 10.0 — any unauthenticated attacker can gain full system access to building automation controllers.
Validation bypass in OpenClaw tools.exec.safeBins allows shell command execution through GNU long-option abbreviation. Attackers can abuse the 'sort' binary whitelist entry to execute arbitrary commands via abbreviated flags. CVSS 9.9.
Path traversal in Centreon Open Tickets module allows authenticated attackers to read or write files outside intended directories. CVSS 9.9 with scope change indicates impact beyond the vulnerable component.
Unauthenticated RCE and information disclosure via Local File Inclusion in Johnson Controls Frick Controls. Fifth critical vulnerability in the product line, enabling arbitrary file reads and code execution.
Unauthenticated remote code execution via code injection in Johnson Controls Frick Controls Quantum HD. Fourth critical vulnerability — this one explicitly noted as unauthenticated RCE.
OS command injection in Johnson Controls Frick Controls Quantum HD allows unauthenticated remote attackers to execute arbitrary commands on industrial refrigeration control systems. CVSS 9.8.
Weak session identifier generation in SODOLA SL902-SWTGW124AS network switch firmware allows attackers to predict session tokens and hijack administrative sessions.
Second code injection vulnerability in Johnson Controls Frick Controls Quantum HD. Separate attack vector from CVE-2026-21656, same critical impact on industrial refrigeration control.
Code injection in Johnson Controls Frick Controls Quantum HD allows unauthenticated remote code execution on industrial refrigeration systems. Second critical vulnerability in the Quantum HD product line.
Path traversal vulnerability in Xerox FreeFlow Core allows attackers to access files outside restricted directories, potentially exposing sensitive print job data and system configurations.
Privilege escalation in Listee WordPress theme allows unauthenticated attackers to gain administrator access. All versions up to 1.1.6 affected.
Default credentials in SODOLA SL902-SWTGW124AS network switch firmware allow unauthenticated remote access. Default credentials are publicly known, enabling complete device takeover.
Hardcoded email credentials stored as plaintext in Johnson Controls Frick Controls firmware. Sixth critical vulnerability — exposed credentials could enable account access and lateral movement.