2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. [CVSS 6.5 MEDIUM]
Facturation System 1.0 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'mod_id' parameter. [CVSS 7.1 HIGH]
Maitra 1.7.2 contains an sql injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the mailid parameter in outmail and inmail modules. [CVSS 7.1 HIGH]
Galaxy Forces MMORPG 0.5.8 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'type' parameter. [CVSS 7.1 HIGH]
{workspace}/jobs_u/get_log_file/{filename})".
Surreal ToDo 0.6.1.2 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the content parameter. [CVSS 6.2 MEDIUM]
Data Center Audit 2.6.2 contains a cross-site request forgery vulnerability that allows attackers to reset administrator passwords without authentication by submitting crafted POST requests. [CVSS 5.3 MEDIUM]
ABC ERP 0.6.4 contains a cross-site request forgery vulnerability that allows attackers to modify administrator credentials by submitting forged requests to _configurar_perfil.php. [CVSS 5.3 MEDIUM]
eToolz 3.4.8.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying oversized input buffers. Attackers can create a payload file containing 255 bytes of data that triggers a buffer overflow condition when processed by the application. [CVSS 6.2 MEDIUM]
OliveTin prior to version 3000.11.1 fails to enforce view permission checks on dashboard and API endpoints, allowing authenticated users to enumerate action bindings, titles, IDs, icons, and argument metadata despite having restricted access. While command execution remains properly denied, this information disclosure enables attackers to map available actions and their configurations. Public exploit code exists for this medium-severity vulnerability, and a patch is available.
Kimai versions prior to 2.51.0 lack proper customer-level access controls in the invoice API endpoint, allowing any user with the TEAMLEAD role to enumerate and read all invoices across the entire system regardless of customer ownership. Public exploit code exists for this authorization bypass vulnerability, which can lead to unauthorized disclosure of sensitive financial and customer data. A patch is available in version 2.51.0 and should be applied immediately.
Chartbrew versions before 4.8.1 fail to validate chart ownership during modification operations, allowing authenticated users to read, modify, or delete charts from other projects they shouldn't access. An attacker with valid credentials to any project can exploit this authorization bypass to manipulate arbitrary charts across the application. Public exploit code exists for this vulnerability, and no patch is currently available.
Chartbrew versions prior to 4.8.4 allow authenticated users to upload arbitrary files by bypassing file type validation, enabling stored XSS attacks through malicious HTML files served from the uploads directory. An attacker can exploit this to steal authentication tokens stored in localStorage and achieve account takeover. Public exploit code exists for this vulnerability, and no patch is currently available.
CoreDNS versions prior to 1.14.2 allow authenticated attackers to bypass DNS access controls through a Time-of-Check Time-of-Use race condition in the plugin execution chain, where the rewrite plugin processes requests after security plugins like ACL have already validated them. An attacker with network access can exploit this logical flaw to access DNS records that should be restricted by configured access control policies. No patch is currently available for affected deployments.
GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. [CVSS 6.2 MEDIUM]
Reflected cross-site scripting in GroupOffice versions before 6.8.155, 25.0.88, and 26.0.10 allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the Base64-encoded f parameter. The vulnerability exists in the external/index flow where user input is decoded and inserted into inline JavaScript without proper sanitization. Public exploit code exists for this vulnerability.
Reflected XSS in changedetection.io versions prior to 0.54.4 allows unauthenticated remote attackers to inject malicious JavaScript through the /rss/tag/ endpoint via an unescaped tag_uuid parameter, enabling session hijacking or credential theft when victims visit crafted links. The vulnerability requires user interaction to trigger and affects the Flask-based application with public exploit code available. Users should upgrade to version 0.54.4 or later immediately.
Reflected cross-site scripting in GroupOffice installer versions prior to 6.8.155, 25.0.88, and 26.0.10 allows unauthenticated attackers to inject arbitrary scripts through the license parameter in install/license.php. Public exploit code exists for this vulnerability, enabling attackers to execute malicious JavaScript in users' browsers with moderate impact to confidentiality and integrity. The vulnerability requires user interaction and affects the web-accessible installation endpoint.
Missing authorization in Vito server management before 3.20.3. CVSS 9.9.
Unauthenticated file read/write via AppEngine Fileaccess over HTTP.
Auth bypass in Rocket.Chat before 7.8.6+. Multiple versions affected.
Auth bypass in PowerPack for LearnDash WordPress plugin before 1.3.0.
Improper authentication in Acronis Cyber Protect 17.
Auth bypass in Rocket.Chat before 7.10.8+. Second auth bypass CVE.
Path traversal in OpenChatBI before fix. PoC and patch available.
SQL injection in Ghostfolio before 2.244.0 via symbol validation bypass. Patch available.
SQL injection in CocoIndex Doris connector before 0.3.34. Patch available.
Mimekit versions up to 4.15.1 contains a vulnerability that allows attackers to embed \r\n into the SMTP envelope address local-part (when the local-part is a q (CVSS 5.3).
GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. [CVSS 5.5 MEDIUM]
Filesystem access via CROWN REST interface on industrial device. EPSS 0.25%.
OliveTin prior to version 3000.11.1 fails to invalidate server-side sessions upon user logout, allowing attackers with a stolen session cookie to maintain authenticated access even after the legitimate user logs out. The vulnerability persists because browser cookies are cleared while the corresponding server session remains valid for approximately one year by default. Public exploit code exists for this session management bypass.
WebSocket auth bypass — same industrial platform family.
Unauthenticated remote attackers can impersonate electric vehicle charging stations in ePower.ie by connecting to exposed OCPP WebSocket endpoints without credentials. Using any known or guessed charging station identifier, attackers gain full control to issue fraudulent charging commands, manipulate billing data, and corrupt network telemetry sent to backend systems. CISA ICS-CERT published an advisory (ICSA-26-062-07) indicating industrial control system exposure. EPSS score of 0.12% (31st percentile) suggests low automated exploitation probability despite 9.3 CVSS, though the authentication bypass affects critical electric vehicle charging infrastructure.
Unauthenticated remote attackers can impersonate electric vehicle charging stations in Everon's api.everon.io platform via unprotected OCPP WebSocket endpoints. By connecting with a known or discovered station identifier, attackers gain full control to issue OCPP commands as legitimate chargers, manipulate charging session data, escalate privileges within the charging network infrastructure, and corrupt backend telemetry. CISA ICS-CERT reports this vulnerability affecting critical EV charging infrastructure. Despite 9.3 CVSS score indicating critical severity, EPSS score of 0.09% (25th percentile) suggests exploitation requires specialized knowledge of OCPP protocol and charging network architecture rather than mass automated scanning.
OliveTin versions prior to 3000.11.1 contain an authentication bypass in RestartAction that allows authenticated users to execute shell commands beyond their assigned permissions. The vulnerability stems from improper request context handling that causes the system to fall back to guest user privileges, which may have broader access than the authenticated caller. Public exploit code exists for this medium-severity flaw that enables privilege escalation and unauthorized command execution.
Precurio Intranet Portal 2.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by submitting crafted POST requests. [CVSS 4.3 MEDIUM]
OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by crafting malicious POST requests. [CVSS 5.3 MEDIUM]
SSRF in Ghostfolio wealth management before 2.245.0. Patch available.
Easyndexer 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative accounts by submitting forged POST requests. [CVSS 5.3 MEDIUM]
Tina4 Stack 1.0.3 contains a cross-site request forgery vulnerability that allows attackers to modify admin user credentials by submitting forged POST requests to the profile endpoint. [CVSS 5.3 MEDIUM]
Integer overflow in TinyWeb before 2.03.
Second stored XSS in Chamilo LMS before 1.11.34.
Stored XSS in Chamilo LMS before 1.11.34.
Unauthenticated administrators in WWBN AVideo versions before 24.0 can achieve remote code execution by uploading malicious ZIP files through the plugin upload functionality, which extracts files without proper validation into web-accessible directories. This allows attackers to execute arbitrary PHP code on the server with high impact to confidentiality, integrity, and availability. No patch is currently available for affected PHP installations using vulnerable AVideo versions.
Authenticated arbitrary code execution in Chamilo LMS versions prior to 1.11.34 allows low-privileged users to bypass file upload restrictions through MIME-type spoofing and execute malicious commands on the server. The vulnerability stems from insufficient validation of file extensions and improper storage restrictions, enabling attackers to upload and execute arbitrary files. No patch is currently available for affected deployments.
OpenShift versions prior to 1.6.3-alpha contain a path traversal vulnerability in multiple storage helpers that fail to properly validate directory boundaries, allowing authenticated attackers to read, write, or delete arbitrary files on the system. An attacker with valid credentials can exploit insufficient path sanitization to escape the intended base directory and access sensitive data or modify system files. No patch is currently available for affected versions.
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Verison 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform’s social network and internal messaging features. [CVSS 8.8 HIGH]
Arbitrary code execution in TimescaleDB 2.23.0 through 2.25.1 allows local authenticated users to execute malicious functions by shadowing built-in PostgreSQL functions through user-writable schemas in the search_path setting during extension upgrades. An attacker with database access can create malicious functions in writable schemas that are invoked instead of legitimate PostgreSQL functions, resulting in code execution with database privileges. No patch is currently available for affected installations.
Unrestricted authentication requests in the WebSocket API enable attackers to launch denial-of-service attacks against charger telemetry systems or execute brute-force attacks to gain unauthorized access. The vulnerability affects systems relying on this API without rate-limiting controls, and no patch is currently available. An unauthenticated remote attacker can exploit this over the network with minimal complexity to disrupt service availability or compromise system access.
Denial-of-service and credential brute-forcing vulnerabilities in ePower.ie's WebSocket API allow remote unauthenticated attackers to disrupt electric vehicle charger operations or gain unauthorized system access. The API accepts unlimited authentication attempts without rate limiting (CWE-307), enabling attackers to suppress critical charger telemetry, mis-route charging station data, or systematically guess credentials. CISA ICS-CERT has published an advisory (ICSA-26-062-07) indicating industrial control system impact. EPSS score of 0.07% (21st percentile) suggests low automated exploitation probability, and no active exploitation or public POC is identified at time of analysis.