File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.
RCE in Qwik JavaScript framework <= 1.19.0 via unsafe deserialization in server$ Runtime. EPSS 13.4% with PoC available.
Unauthenticated token disclosure in OpenEMR before 8.0.0. CVSS 10.0. PoC and patch available.
Path traversal in OpenEMR 7.0.4 disposeDocument() allows file access. PoC available.
Command injection in D-Link DIR-868L via SSDP service. PoC available.
Heap overflow in libbiosig 3.9.2 Intan CLP parsing. PoC available.
Privilege escalation in User Registration & Membership WordPress plugin.
Stack buffer overflow in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWAN_Wizard51. Part of a family of 15+ critical buffer overflows in this router.
Stack buffer overflow in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWAN_Wizard55. Part of a family of 15+ critical buffer overflows in this router.
Stack buffer overflow in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetQoS. Part of a family of 15+ critical buffer overflows in this router.
Stack buffer overflow in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWANType_Wizard5. Part of a family of 15+ critical buffer overflows in this router.
Stack buffer overflow in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetPortTr. Part of a family of 15+ critical buffer overflows in this router.
Stack buffer overflow in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetDomainFilter. Part of a family of 15+ critical buffer overflows in this router.
Buffer overflow in Tenda AC15V1.0 via formSetMacFilterCfg. PoC available.
SQL injection in renren-security before v5.5.0 in BaseServiceImpl.java. PoC available.
Privilege escalation and auth bypass in OpenSTAManager 2.9.8. PoC available.
Information disclosure in OpenEMR 5.0.2 to before 8.0.0 exposes sensitive data. PoC and patch available.
Command injection in Froxlor server admin before 2.3.4 due to typo (== instead of =) disabling input validation entirely. PoC and patch available.
Zip slip to arbitrary file write in Zdir Pro 4.x ZIP extraction API. PoC available.
Out-of-bounds heap write in OpenEXR's CompositeDeepScanLine::readPixels lets a crafted multi-part deep-scanline EXR file corrupt memory when parsed by an application that links the library. Attacker-controlled per-part sample counts are accumulated into 32-bit total_sizes entries that wrap modulo 2^32, yielding an undersized overall_sample_count used to size the composite sample buffer, while decode setup and generic_unpack_deep_pointers in core unpack consume the true (larger) counts and write past the buffer. Publicly available exploit code exists, but EPSS exploitation probability is very low (0.01%, 2nd percentile) and it is not listed in CISA KEV, so no public evidence of active exploitation exists at time of analysis.
Unbounded recursion in Underscore.js versions before 1.13.8 enables denial of service attacks when the _.flatten or _.isEqual functions process deeply nested untrusted data structures. An attacker can trigger stack overflow conditions by supplying specially crafted recursive input, causing affected applications to crash. Public exploit code exists for this vulnerability, and patches are available.
Arbitrary code execution in libbiosig 3.9.2 and Master Branch can be triggered by parsing malicious Nicolet WFT files through a heap buffer overflow in the WFT parsing functionality. An attacker can exploit this vulnerability by supplying a crafted .wft file to execute arbitrary code on affected systems. Public exploit code exists for this vulnerability, though no patch is currently available.
Arbitrary file write in BentoML prior to version 1.4.36 allows local attackers to write files to arbitrary locations on the host system by crafting malicious tar archives containing symlinks that point outside the extraction directory. The vulnerability exists because the safe_extract_tarfile() function fails to validate symlink targets, only validating the symlink path itself, enabling attackers to bypass directory traversal protections. Public exploit code exists for this vulnerability; users should upgrade to version 1.4.36 or later.
Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formGetIptv function and the list parameter, which can cause memory corruption and enable remote code execution. [CVSS 7.5 HIGH]
Joserfc versions 1.6.2 and earlier fail to validate the PBES2 iteration count parameter in JWE tokens, allowing unauthenticated attackers to trigger CPU exhaustion by specifying arbitrarily large values in the p2c header field. An attacker can exploit this resource exhaustion vulnerability to cause denial of service against any system using the library to decrypt JWE tokens. Public exploit code exists for this vulnerability, and a patch is available.
Tranzman versions up to 4.0 is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).
Cohesity TranZman Migration Appliance Release 4.0 Build 14614 was discovered to contain an authenticated command injection vulnerability. [CVSS 7.2 HIGH]
Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot web application API endpoints (including Scheduler and Actions pages). [CVSS 7.2 HIGH]
Tranzman versions up to 4.0 is affected by insufficient verification of data authenticity (CVSS 7.2).
Simple Logistic Hub Parcel\'S Management System versions up to 1.0 is affected by sql injection (CVSS 7.2).
Incorrect access control in the component /opt/SRLtzm/bin/TapeDumper of Cohesity TranZman Migration Appliance Release 4.0 Build 14614 allows attackers to escalate privileges to root and read and write arbitrary files. [CVSS 7.2 HIGH]
An issue in the WiseDelfile64.sys component of WiseCleaner Wise Force Deleter 7.3.2 and earlier allows attackers to delete arbitrary files via a crafted request. [CVSS 7.1 HIGH]
Heap buffer overflow in dr_libs 0.14.4 and earlier allows attackers to corrupt memory by supplying maliciously crafted WAV files to any application using drwav_init_*_with_metadata() functions. The vulnerability exploits inconsistent validation of sample loop counts between processing passes, enabling 36 bytes of attacker-controlled data to overflow heap allocations. Public exploit code exists for this vulnerability.
Command injection in PhialsBasement nmap-mcp-server allows authenticated remote attackers to execute arbitrary system commands through the Nmap CLI Command Handler component due to improper input sanitization in child_process.exec. Public exploit code exists for this vulnerability, and affected users should apply the available patch to remediate the risk.
Reflected cross-site scripting in OpenSTAManager v2.9.8 and earlier allows unauthenticated attackers to inject malicious scripts through unsanitized GET parameters in invoice/order/contract modification interfaces. Public exploit code exists for this vulnerability, affecting all users of the software. An attacker can steal session tokens, perform unauthorized actions, or compromise user browsers when victims interact with crafted malicious links.
An out-of-bounds read vulnerability exists in the ABF parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (5462afb0). A specially crafted .abf file can lead to an information leak. [CVSS 6.1 MEDIUM]
RCE in Apache Ranger <= 2.7.0 via NashornScriptEngineCreator. EPSS 0.42%.
Command injection in Weintek cMT-3072XH2 HMI DHCP activation. EPSS 0.30%.
Auth bypass in All-in-One Microsoft 365 SSO WordPress plugin.
Improper authorization in Google Cloud Build GitHub Trigger allowing unauthenticated build execution. EPSS 0.19%.
Default admin credentials in OpenMQ message broker. Shipped with known default admin password.
Missing authorization in OpenText Filr allows auth bypass via XSRF tokens.
Command execution via reset_pj.cgi in Weintek cMT-3072XH2.
Pickle deserialization RCE in Step-Video-T2V via API endpoints.
Input validation flaw in Devolutions Server error message page enables remote spoofing attacks.
Auth bypass in Weintek cMT-3072XH2 authorization mechanism.
Azure AD auth bypass in Devolutions Server 2025.3.15.0 and earlier.
Insecure password saving enforcement in Devolutions Remote Desktop Manager 2025.3.
Behavioral control bypass in Devolutions Server 2025.3.15 allows authenticated users to exploit delete permissions.
Dify versions prior to 1.11.2 contain a stored cross-site scripting vulnerability in Mermaid diagram rendering due to insecure default security configurations, allowing authenticated attackers with user interaction to inject and execute malicious scripts with cross-site impact. Public exploit code exists for this vulnerability, affecting users and developers of the Dify LLM application development platform. A patch is available in version 1.11.2 and later.