Unauthenticated OS command injection in AVideo before 7.0.
Prototype pollution in oRPC before 1.13.6. PoC and patch available.
Shell command injection in Nuclio serverless framework before 1.15.20. PoC and patch available.
SQL injection in Chartbrew before 4.8.3. PoC available.
Unauthenticated SQL injection in AVideo before 24.0.
Reflected XSS in SiYuan knowledge management before 3.5.9.
Zip Slip in changedetection.io before 0.54.4 via backup restore. PoC and patch available.
Missing authorization in Vito server management before 3.20.3. CVSS 9.9.
Unauthenticated file read/write via AppEngine Fileaccess over HTTP.
Auth bypass in Rocket.Chat before 7.8.6+. Multiple versions affected.
Auth bypass in PowerPack for LearnDash WordPress plugin before 1.3.0.
Improper authentication in Acronis Cyber Protect 17.
Auth bypass in Rocket.Chat before 7.10.8+. Second auth bypass CVE.
Path traversal in OpenChatBI before fix. PoC and patch available.
SQL injection in Ghostfolio before 2.244.0 via symbol validation bypass. Patch available.
SQL injection in CocoIndex Doris connector before 0.3.34. Patch available.
Filesystem access via CROWN REST interface on industrial device. EPSS 0.25%.
WebSocket auth bypass — same industrial platform family.
Unauthenticated remote attackers can impersonate electric vehicle charging stations in ePower.ie by connecting to exposed OCPP WebSocket endpoints without credentials. Using any known or guessed charging station identifier, attackers gain full control to issue fraudulent charging commands, manipulate billing data, and corrupt network telemetry sent to backend systems. CISA ICS-CERT published an advisory (ICSA-26-062-07) indicating industrial control system exposure. EPSS score of 0.12% (31st percentile) suggests low automated exploitation probability despite 9.3 CVSS, though the authentication bypass affects critical electric vehicle charging infrastructure.
Unauthenticated remote attackers can impersonate electric vehicle charging stations in Everon's api.everon.io platform via unprotected OCPP WebSocket endpoints. By connecting with a known or discovered station identifier, attackers gain full control to issue OCPP commands as legitimate chargers, manipulate charging session data, escalate privileges within the charging network infrastructure, and corrupt backend telemetry. CISA ICS-CERT reports this vulnerability affecting critical EV charging infrastructure. Despite 9.3 CVSS score indicating critical severity, EPSS score of 0.09% (25th percentile) suggests exploitation requires specialized knowledge of OCPP protocol and charging network architecture rather than mass automated scanning.
SSRF in Ghostfolio wealth management before 2.245.0. Patch available.
Integer overflow in TinyWeb before 2.03.
Second stored XSS in Chamilo LMS before 1.11.34.
Stored XSS in Chamilo LMS before 1.11.34.