Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available.
Plaintext daemon credentials in IDC SFX2100 routing config files (zebra, bgpd, ospfd, ripd). CVSS 10.0. PoC available.
Path traversal in D-Link DIR-513 verification code processing. PoC available.
Stack buffer overflow in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetEnableWizard. Part of a family of 15+ critical buffer overflows in this router.
Stack buffer overflow in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetMACFilter. Part of a family of 15+ critical buffer overflows in this router.
Stack buffer overflow in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetDDNS. Part of a family of 15+ critical buffer overflows in this router.
Stack buffer overflow in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSchedule. Part of a family of 15+ critical buffer overflows in this router.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
Supply chain attack via LFS object overwrite across repos in Gogs before 0.14.2. PoC and patch available.
Unauthorized file operations in File Browser before fix. PoC and patch available.
Stored XSS in Gogs prior to version 0.14.2 allows authenticated users to execute arbitrary JavaScript in comments and issue descriptions by exploiting the HTML sanitizer's allowance of data: URI schemes. This affects all users viewing malicious content within the same Gogs instance and could enable session hijacking or credential theft. Public exploit code exists for this vulnerability, though a patch is available in version 0.14.2 and later.
ZimaOS 1.5.2-beta3 fails to validate filesystem paths in its API delete endpoint, allowing authenticated users to bypass UI restrictions and remove critical system files and directories. Public exploit code exists for this vulnerability, and the lack of input validation on path parameters enables attackers with API access to potentially render the system unbootable or cause denial of service. No patch is currently available.
Remote denial-of-service in RustDesk Client through 1.4.5 allows network-positioned attackers to disrupt the remote-access agent by manipulating heartbeat synchronization traffic, abusing weak authenticity checks in the hbbs_http/sync.rs heartbeat loop to trigger the stop-service handler. Publicly available exploit code exists, but EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis being tracked as actively exploited (not in CISA KEV).
The setuid bit on the /sbin/ip utility in IDC SFX2100 satellite receiver firmware allows local users to execute privileged operations as root, enabling unauthorized file reads and potential privilege escalation attacks. Public exploit code exists for this vulnerability, and affected users have no available patch. This vulnerability impacts any local user with access to the device.
Sfx2100 Firmware versions up to - is affected by incorrect permission assignment for critical resource (CVSS 7.8).
A stack buffer overflow vulnerability exists in the Wincor Nixdorf wnBios64.sys kernel driver (version 1.2.0.0) in the IOCTL handler for code 0x80102058. [CVSS 7.8 HIGH]
Sfx2100 Satellite Receiver firmware contains multiple SUID root binaries in predictable locations that allow local privilege escalation from the monitor user to root. Public exploit code exists for this vulnerability, enabling any local user with monitor privileges to gain complete system control. A patch is not currently available, leaving affected devices vulnerable to privilege escalation attacks.
Local privilege escalation in IDC SFX2100 firmware affects Linux systems through a SUID binary vulnerable to PATH hijacking, symlink abuse, and shared object hijacking. A local attacker can exploit this to gain root-level privileges, and public exploit code is available. No patch is currently available to address this HIGH severity vulnerability.
Local privilege escalation in IDC SFX2100 Satellite Receiver firmware occurs due to overly permissive file system permissions (0777) on a privileged user's home directory, allowing any local user to read, write, and execute files within it. An attacker with local access can leverage highly privileged processes and binaries in this directory to escalate their privileges on the system. Public exploit code exists for this vulnerability, and no patch is currently available.
OliveTin versions prior to 3000.10.2 are vulnerable to unauthenticated denial of service through the PasswordHash API endpoint, which lacks request throttling or authentication controls and allows attackers to trigger excessive memory allocation via concurrent hashing requests. An attacker can exhaust container memory by sending multiple parallel requests, causing service degradation or complete outage. Public exploit code exists for this vulnerability, and a patch is available in version 3000.10.2 and later.
OliveTin versions prior to 3000.10.3 are vulnerable to unauthenticated denial-of-service attacks when OAuth2 authentication is enabled, allowing remote attackers to crash the application by sending concurrent requests to the login endpoint. The vulnerability stems from unsynchronized access to shared state during OAuth2 processing, triggering a Go runtime panic. Public exploit code exists for this high-severity flaw, which is patched in version 3000.10.3 and later.
OliveTin versions prior to 3000.11.0 suffer from broken access control allowing unauthenticated users to invoke the KillAction RPC endpoint and terminate running shell command executions, bypassing authentication restrictions. Public exploit code exists for this vulnerability, enabling remote denial of service attacks against legitimate administrative actions. The vulnerability affects OliveTin deployments regardless of authentication settings and has been remediated in version 3000.11.0 and later.
Robert Seyfriedsberger ionCube tester plus ioncube-tester-plus is affected by path traversal (CVSS 7.5).
An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0.2.3 to v0.2.14. The vulnerability stems from improper validation and sanitization of URLs supplied in the retrieved_contexts parameter when handling multimodal inputs. [CVSS 7.5 HIGH]
OpenClaw versions before 2026.2.1 fail to properly validate access controls in the Twitch plugin when role restrictions are not configured, allowing unauthenticated remote attackers to trigger agent dispatch through Twitch chat mentions. Public exploit code exists for this vulnerability, enabling attackers to invoke the agent pipeline and potentially cause unintended actions or resource exhaustion. Organizations running affected versions with the Twitch plugin enabled should apply the available patch immediately.
Gogs prior to version 0.14.2 contains a command injection vulnerability in release deletion functionality where improper handling of user-controlled tag names allows git options to be injected into git commands. An authenticated attacker with UI interaction can exploit this to achieve integrity and availability impacts. Public exploit code exists for this vulnerability.
OpenClaw prior to version 2026.2.2 is vulnerable to server-side request forgery through its attachment and media URL processing, allowing unauthenticated remote attackers to make arbitrary HTTP requests to internal resources. Attackers can exploit model-controlled message features to trigger the SSRF and exfiltrate response data as outbound attachments. Public exploit code exists for this vulnerability.
File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public share links, enabling any user with a share link to access and download files from sibling directories beyond the intended shared folder. This authenticated network-based vulnerability affects Golang and Filebrowser and has public exploit code available. The issue is resolved in version 2.61.0 and later.
OpenCode Systems OC Messaging / USSD Gateway OC Release 6.32.2 contains a broken access control vulnerability in the web-based control panel allowing authenticated low-privileged attackers to gain to access to arbitrary SMS messages via a crafted company or tenant identifier parameter. [CVSS 8.1 HIGH]
lxml_html_clean versions prior to 0.4.4 fail to sanitize <base> HTML tags, allowing attackers to inject malicious base tags and redirect relative links to attacker-controlled domains. Public exploit code exists for this vulnerability. The issue affects applications using the default Cleaner configuration and has been remediated in version 0.4.4.
lxml_html_clean versions before 0.4.4 fail to properly sanitize CSS Unicode escape sequences in the _has_sneaky_javascript() method, allowing attackers to bypass filters and inject malicious @import statements or XSS payloads. Public exploit code exists for this vulnerability, which affects applications using the library for HTML sanitization. A patch is available in version 0.4.4 and should be applied immediately to prevent CSS-based injection attacks.
Remote code execution in SeppMail secure email gateway versions 15.0.2.1 and earlier allows unauthenticated attackers to write arbitrary files via path traversal in the Large File Transfer (LFT) feature of the User Web Interface, leading to full system compromise. The flaw carries a maximum CVSS 4.0 score of 10.0 reflecting network-reachable, no-privilege exploitation with scope-changing impact, and was disclosed by InfoGuard Labs alongside CVE-2026-7864, CVE-2026-44127, and CVE-2026-44128. No public exploit identified at time of analysis and EPSS sits at 0.52% (67th percentile), so widespread automated abuse has not yet materialized despite the critical severity.
Remote code execution in NLTK (Natural Language Toolkit) versions ≤3.9.2 allows unauthenticated attackers to execute arbitrary Java bytecode through the StanfordSegmenter module's unvalidated loading of external JAR files. The vulnerability is exploitable via model poisoning, MITM attacks during JAR downloads, or dependency poisoning, with execution occurring automatically at import time. Despite a critical CVSS 10.0 score, EPSS probability of 0.48% (65th percentile) suggests low observed exploitation activity. No CISA KEV listing indicates no confirmed widespread active exploitation, though the vulnerability is publicly documented on huntr.com with technical details available.
Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities.
Gateway authorization bypass in OpenClaw before 2026.2.14. Unsanitized approval fields in node.invoke. Patch available.
Builderall Builderall Builder for WordPress builderall-cheetah-for-wp is affected by code injection (CVSS 9.9).
Unrestricted file upload in Charety (charety) WordPress theme allows uploading web shells for remote code execution.
Unrestricted file upload in Nutrie (nutrie) WordPress theme allows uploading web shells for remote code execution.
Unrestricted file upload in Keenarch (keenarch) WordPress theme allows uploading web shells for remote code execution.
Unrestricted file upload in Lendiz (lendiz) WordPress theme allows uploading web shells for remote code execution.
RCE in Microsoft Devices Pricing Program.
Unauthenticated RCE via file upload in industrial/enterprise application.
The ThemeREX Healer WordPress theme through version 1.0.0 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server through improper handling of file include statements. An attacker can exploit this to access sensitive configuration files, database credentials, and other protected data without authentication. No patch is currently available and exploitation requires no user interaction.
PHP Object Injection in Database for CF7/WPforms/Elementor forms WordPress plugin.
Windows cmd.exe metacharacter injection in OpenClaw before 2026.2.2. Bypass exec whitelist. Patch available.
Insecure embedded zlib in Compress::Raw::Zlib through 2.219 for Perl.
Insecure session ID generation in Plack::Middleware::Session::Simple before 0.05 for Perl. Patch available.
Auth bypass in WeDesignTech Ultimate Booking Addon for WordPress.
Deserialization of untrusted data in Good Energy (goodenergy) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.