Remote code execution in Statmatic CMS versions prior to 5.73.11 and 6.4.0 allows authenticated users with control panel access and permission to modify Antlers-enabled fields to execute arbitrary code in the application context. An attacker exploiting this vulnerability can fully compromise the application, including stealing sensitive configuration data, modifying or exfiltrating user data, and disrupting availability. A patch is available and exploitation requires authenticated access with specific field configuration permissions.
Heap memory corruption in the OCaml runtime (before 4.14.3 and 5.x before 5.4.1) lets an attacker who can feed crafted Marshal-format data into an application's deserialization path read past buffer bounds and, through a multi-phase chain, achieve code execution. The flaw lives in the readblock() routine of runtime/intern.c, which copies blocks using attacker-controlled lengths without bounds checks. There is no public exploit identified at time of analysis and EPSS is very low (0.04%), but multiple vendors (SUSE, Red Hat) have shipped fixed packages.
A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x...;) in XML documents. [CVSS 7.5 HIGH]
Mobility46.Se's WebSocket API fails to implement authentication rate limiting, enabling remote attackers to launch denial-of-service attacks against charger telemetry systems or conduct brute-force attacks to compromise accounts. The vulnerability requires no authentication or user interaction and affects all network-accessible instances. No patch is currently available.
Ev.Energy's WebSocket API fails to implement rate limiting on authentication attempts, enabling attackers to launch denial-of-service attacks against charger telemetry systems or conduct brute-force credential attacks without restriction. This vulnerability affects all unauthenticated network-based interactions with the affected application and has no available patch at this time.
Ev2go.Io's WebSocket API lacks authentication rate limiting, enabling attackers to launch denial-of-service attacks that disrupt charger telemetry or conduct brute-force attacks to compromise user accounts. The vulnerability affects all users of the platform and currently has no available patch. With a CVSS score of 7.5 and low exploit prevalence, this represents a significant availability and authentication risk requiring immediate mitigation.
Cloudcharge.Se's WebSocket API fails to implement authentication rate limiting, enabling attackers to launch denial-of-service attacks against charger infrastructure or conduct brute-force credential attacks without restriction. The vulnerability affects remote, unauthenticated attackers and could result in service disruption or unauthorized system access. No patch is currently available.
Switchenergy.com's WebSocket API fails to implement rate limiting on authentication attempts, enabling attackers to launch denial-of-service attacks against the platform's charger telemetry infrastructure or execute brute-force credential attacks. This network-accessible vulnerability requires no authentication or user interaction, making it trivial to exploit and potentially exposing the service to sustained availability disruptions or account compromise.
Chargemap.Com's WebSocket API lacks authentication rate limiting, enabling attackers to launch denial-of-service attacks that disrupt charger telemetry or conduct brute-force credential attacks against user accounts. The vulnerability affects all users of the platform and currently has no available patch. With a CVSS score of 7.5 and minimal exploit prerequisites (no authentication or user interaction required), this represents a significant availability risk.
Xerox FreeFlow Core versions through 8.0.7 contain an XML External Entity (XXE) vulnerability that allows unauthenticated remote attackers to conduct Server-Side Request Forgery attacks by submitting malicious XML input. This vulnerability could enable attackers to access internal resources or sensitive data on the affected system. A patch is currently unavailable, though Xerox recommends upgrading to version 8.1.0.
Heap buffer overflow in Crypt::SysRandom::XS before version 0.010 allows denial of service through negative length parameter validation bypass in the random_bytes() function. When negative values are passed to the function, integer wraparound causes incorrect memory allocation and unbounded writes to heap memory, triggering application crashes. Exploitation requires attacker control over the length argument, which in typical usage is hardcoded, limiting practical attack scenarios.
Multiple IpTIME router firmware versions (T5008, AX2004M, AX3000Q, AX6000M) through 15.26.8 contain an authentication bypass vulnerability that exposes sensitive information to unauthenticated remote attackers. An attacker can leverage this flaw to access confidential device data without valid credentials. No patch is currently available for affected devices.
Fluent Forms Pro Add On Pack for WordPress versions up to 6.1.17 fail to verify PayPal Instant Payment Notifications by default, allowing unauthenticated attackers to forge payment confirmations and mark unpaid submissions as paid. An attacker can exploit this to trigger post-payment automation including email delivery, access grants, and digital product distribution without actual payment. The vulnerability affects all installations that have not manually enabled IPN verification and currently lacks a patch.
and deploy AI models using Docker. versions up to 1.0.16 contains a security vulnerability (CVSS 7.5).
Mobility46.Se's WebSocket implementation allows multiple connections to share predictable session identifiers, enabling attackers to intercept and hijack active charging station sessions without authentication. An attacker can impersonate legitimate stations to execute arbitrary backend commands, intercept communications, or launch denial-of-service attacks by flooding the service with valid session requests. No patch is currently available for this vulnerability.
Ev.Energy's WebSocket implementation accepts duplicate session identifiers from multiple endpoints, allowing attackers to hijack active charging station sessions through predictable identifier prediction. An unauthenticated remote attacker can impersonate legitimate stations to intercept commands, authenticate as other users, or disrupt service by flooding the backend with spoofed session requests. No patch is currently available.
Session hijacking in Cloudcharge.Se's WebSocket backend allows remote attackers to impersonate legitimate charging stations by exploiting predictable session identifiers and the acceptance of duplicate connections, enabling command interception and station displacement. An attacker can authenticate as other users or trigger denial-of-service conditions by flooding the backend with valid session requests. No patch is currently available.
Session hijacking in Swtchenergy.Com's WebSocket backend allows remote attackers to impersonate legitimate charging stations and intercept backend commands by exploiting predictable and non-unique session identifiers. An attacker can authenticate as other users, redirect charging station communications, or launch denial-of-service attacks by flooding the backend with valid session requests. No patch is currently available for this vulnerability.
Chargemap.Com's WebSocket backend accepts multiple connections with identical session identifiers, allowing attackers to hijack charging station sessions and intercept backend commands through predictable identifier prediction. An unauthenticated remote attacker can impersonate legitimate charging stations, execute unauthorized operations, or disrupt service availability by flooding the backend with crafted session requests. No patch is currently available.
Session hijacking in Ev2go.Io's WebSocket backend allows remote attackers to impersonate legitimate charging stations and intercept commands due to predictable session identifiers and insufficient endpoint validation. An unauthenticated attacker can establish multiple connections with the same session ID to displace legitimate stations, potentially gaining unauthorized access to charging infrastructure or disrupting service availability. No patch is currently available.
A vulnerability was determined in berry-lang berry up to 1.1.0. The affected element is the function scan_string of the file src/be_lexer.c. [CVSS 3.3 LOW]
A vulnerability has been found in libvips 8.19.0. This issue affects the function vips_extract_band_build of the file libvips/conversion/extract.c. [CVSS 3.3 LOW]
A flaw has been found in libvips 8.19.0. This vulnerability affects the function vips_unpremultiply_build of the file libvips/conversion/unpremultiply.c. [CVSS 3.3 LOW]
Sl902-Swtgw124As Firmware versions up to 200.1.20 contains a vulnerability that allows attackers to change account passwords without verifying the current password (CVSS 7.1).
Authenticated validators in nimiq/core-rs-albatross prior to version 1.2.2 can crash validator nodes by submitting macro block proposals with mismatched body roots that pass verification but cause panics during processing. This vulnerability affects only validator nodes and requires the attacker to be an elected proposer with valid credentials. No patch is currently available, and there is no known workaround.
Statmatic is a Laravel and Git powered content management system (CMS). [CVSS 6.8 MEDIUM]
Unquoted service path handling in IJ Scan Utility versions 1.1.2 through 1.5.0 on Windows allows privileged local attackers to achieve arbitrary code execution by placing a malicious executable in a predictable directory location. An authenticated user with high privileges could exploit this weakness to execute commands with the same permissions as the vulnerable service. No patch is currently available for this issue.
A flaw was found in the Red Hat Ansible Automation Platform Gateway route creation component. This vulnerability allows credential theft via the creation of misleading routes using a double-slash (//) prefix in the gateway_path. [CVSS 6.7 MEDIUM]
A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. [CVSS 6.7 MEDIUM]
A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Stream API. This vulnerability allows exposure of sensitive client credentials and internal infrastructure headers via the test_headers field when an event stream is in test mode. [CVSS 6.7 MEDIUM]
Soliton Systems installers for Securebrowser For Onegate, Secureworkspace, and Securebrowser II fail to set proper file permissions during installation, enabling local authenticated users to execute arbitrary code with SYSTEM privileges. An attacker with user-level access can exploit this misconfiguration to achieve full system compromise. No patch is currently available.
Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. [CVSS 6.5 MEDIUM]
Mobility46.Se charging stations expose authentication credentials through publicly accessible web-based mapping platforms, allowing unauthenticated attackers to obtain sensitive authentication data. This disclosure could enable unauthorized access to charging infrastructure and associated user accounts. No patch is currently available to address this exposure.
Sl902-Swtgw124As Firmware versions up to 200.1.20 is affected by improper restriction of excessive authentication attempts (CVSS 6.5).
The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. [CVSS 6.5 MEDIUM]
Missing authentication checks on Indico's event series management API endpoint allows unauthenticated attackers to view event metadata, delete series, and modify series configurations. The vulnerability affects Indico versions prior to 3.3.11 and has limited impact as it does not grant access to actual event data beyond basic metadata. Upgrade to version 3.3.11 or restrict API endpoint access at the web server level to remediate.
Chargemap.Com exposes charging station authentication credentials through publicly accessible web-based mapping interfaces, allowing unauthenticated attackers to obtain sensitive authentication data. This vulnerability enables attackers to potentially access or manipulate charging station services, affecting users and operators who rely on the platform. No patch is currently available to remediate this exposure.
Ev.Energy charging stations expose authentication credentials through publicly accessible web-based mapping platforms, allowing unauthenticated remote attackers to obtain access identifiers. An attacker with these credentials could potentially intercept or manipulate charging sessions and related data. No patch is currently available for this exposure.
Switchenergy.Com exposes charging station authentication credentials through publicly accessible web-based mapping platforms, allowing unauthenticated attackers to discover and potentially intercept sensitive authentication data. This vulnerability affects users and operators relying on the platform's mapping functionality and could enable unauthorized access to charging infrastructure. No patch is currently available to address this exposure.
Ev2go.Io charging stations expose authentication credentials through publicly accessible web-based mapping platforms, allowing unauthenticated remote attackers to obtain sensitive identification data. This exposure could enable unauthorized access to charging infrastructure or facilitate further attacks against connected systems. No patch is currently available for this vulnerability.
Cloudcharge.Se charging stations expose authentication credentials through publicly accessible web-based mapping platforms, allowing unauthenticated attackers to discover and potentially intercept sensitive station identifiers. This exposure could enable unauthorized access to charging infrastructure or user accounts without requiring authentication bypass techniques. No patch is currently available for this vulnerability.
Statamic CMS versions before 5.73.11 and 6.4.0 expose user email addresses through the user fieldtype data endpoint to authenticated users lacking "view users" permissions, allowing information disclosure. An authenticated attacker with limited privileges can retrieve sensitive email information that should be restricted, potentially enabling targeted attacks or account enumeration.
Seerr prior to version 3.1.0 leaks sensitive third-party API credentials (Pushover, Pushbullet, Telegram) through the GET /api/v1/user/:id endpoint to any authenticated user regardless of privilege level. When combined with CVE-2026-27707 (unauthenticated account creation), an attacker can gain zero-prior-access to extract credentials for all users including administrators. The vulnerability is fixed in version 3.1.0.
Kiteworks versions prior to 9.2.0 contain a DNS rebinding vulnerability that allows authenticated administrators to circumvent SSRF protections and access restricted internal services. An attacker with administrative privileges could exploit this misconfiguration to reach backend systems that should be isolated from external access. No patch is currently available for affected deployments.
HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend. [CVSS 6.5 MEDIUM]
Session cookie forgery in SODOLA SL902-SWTGW124AS firmware through version 200.1.20 stems from the use of cryptographically broken MD5 hashing for session token generation, allowing unauthenticated remote attackers to forge valid session cookies and gain unauthorized device access. The vulnerability requires no user interaction and affects all default configurations, with no patch currently available. MD5's known collision vulnerabilities combined with predictable token generation significantly lower the computational barrier for successful exploitation.
Outdated MAC algorithms in SSH implementations for Mrs1000 and Lms1000 device firmware enable network-positioned attackers to tamper with session data integrity without user interaction. An attacker with network access can manipulate transmitted SSH traffic due to the use of cryptographically weak message authentication codes. No patch is currently available for affected devices.
Weak CBC cipher suite implementations in SSH services across SSH, LMS1000, and MRS1000 devices enable network-positioned attackers to observe or modify encrypted SSH traffic without authentication. The vulnerability requires user interaction and network access but poses a confidentiality risk to sensitive communications. No patch is currently available.
HTTP::Session2 before version 1.12 for Perl generates predictable session identifiers on Windows systems when /dev/urandom is unavailable, falling back to weak randomization using rand() combined with guessable values like PID and epoch time. An attacker could predict valid session IDs to hijack user sessions, as SHA-1 hashing of these weak inputs provides insufficient cryptographic protection. This affects Perl applications using HTTP::Session2 on Windows platforms where secure random sources are not accessible.
authentication configuration in PowerShell Universal versions up to 2026.1.3 is affected by cleartext storage of sensitive information.