Insufficient authorization checks in WeKnora's tenant management endpoints allow any authenticated user to read, modify, or delete arbitrary tenants, with public exploit code available. Since the application allows open registration, unauthenticated attackers can register an account and exploit this flaw to perform cross-tenant account takeover and data destruction. No patch is currently available for this high-severity vulnerability affecting WeKnora AI/ML framework versions prior to 0.3.2.
Stack overflow in Tenda FH451 firmware's setcfm function allows authenticated remote attackers to achieve complete system compromise through malicious funcname or funcpara1 parameters. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw affects firmware version 1.0.0.9 and enables remote code execution with high impact to confidentiality, integrity, and availability.
Remote code execution in Tenda FH451 firmware via stack-based buffer overflow in the QuickIndex function allows unauthenticated attackers to execute arbitrary code by sending crafted requests with oversized PPPOEPassword parameters. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access and affects firmware version 1.0.0.9 and potentially other versions.
Remote code execution in Tenda FH451 firmware via stack-based buffer overflow in the WAN configuration endpoint allows unauthenticated attackers to achieve full system compromise through malicious wanmode or PPPOEPassword parameters. Public exploit code exists for this vulnerability, and no patch is currently available. Stack Overflow products are also reported as affected.
Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoofing an internal request header, granting access to sensitive administrative functions including API key and credential management. Public exploit code exists for this vulnerability, and an attacker with valid tenant credentials can escalate to administrative privileges without additional authentication. No patch is currently available for affected deployments.
Server-side request forgery in Wallos versions before 4.6.2 allows authenticated attackers to conduct arbitrary network requests through the notification tester functionality. An attacker with user privileges can exploit this to access internal services, retrieve sensitive data, or interact with backend systems on behalf of the server. Public exploit code exists for this vulnerability, though a patch is available in version 4.6.2.
Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).
Arbitrary file overwrite in node-tar before 7.5.10 lets a malicious tar archive write files outside the intended extraction directory on Windows by embedding a hardlink whose target uses a drive-relative path such as 'C:../target.txt'. The flaw triggers during ordinary tar.x() extraction, so any Node.js application that unpacks untrusted archives on Windows is exposed. Publicly available exploit code exists via the GitHub Security Advisory, though EPSS exploitation probability is very low (0.02%) and it is not listed in CISA KEV.
Caddy versions 2.10.0 through 2.11.1 fail to strip client-supplied headers in the forward_auth copy_headers directive, enabling authenticated attackers to inject identity headers and escalate privileges. This authentication bypass vulnerability affects deployments relying on Caddy for request forwarding and has public exploit code available. The vulnerability requires valid authentication credentials but allows complete privilege elevation within affected systems.
Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attributes (CVSS 7.7).
Path traversal in Wallos subscription tracker versions prior to 4.6.2 allows unauthenticated remote attackers to read arbitrary files from the hosting system via a malicious url parameter. Public exploit code exists for this vulnerability, which has a high severity CVSS score of 7.5. The vulnerability is patched in version 4.6.2 and later.
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. [CVSS 7.5 HIGH]
{env.DATABASE_URL} or {file./etc/passwd} into request headers, an unauthenticated attacker can leak sensitive system information. Public exploit code exists for this vulnerability, which is fixed in version 2.11.2.
express-rate-limit versions 8.0.0 through 8.3.0 (excluding patched versions) collapse all IPv4 client traffic into a single rate-limit bucket due to incorrect IPv6 subnet masking of IPv4-mapped addresses, allowing any client to trigger denial of service for all other IPv4 users by exhausting the shared limit. Public exploit code exists for this vulnerability, affecting Node.js applications using the vulnerable middleware versions. Organizations should upgrade to versions 8.0.2, 8.1.1, 8.2.2, or 8.3.0 immediately.
Hostname verification bypass in Apache ZooKeeper's ZKTrustManager allows attackers with a valid certificate trusted by the server to impersonate ZooKeeper nodes by exploiting fallback to reverse DNS validation when IP SAN checks fail. An attacker controlling or spoofing PTR records can intercept and forge communications between ZooKeeper servers and clients, compromising confidentiality and integrity of the cluster. No patch is currently available; mitigation requires upgrading to ZooKeeper 3.8.6 or 3.9.5 or disabling reverse DNS lookup via configuration.
Path traversal in pyLoad versions 0.5.0b3.dev13 through 0.5.0b3.dev96 allows authenticated attackers to manipulate package folder locations through insufficient sanitization of the pack_folder parameter, bypassing directory traversal protections with recursive sequences. An attacker can exploit this to write files outside intended directories, causing data integrity issues and potential denial of service. Public exploit code exists for this vulnerability and no patch is currently available.
The Paid Videochat Turnkey Site - HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to videowhisper_register_form() function not restricting user roles that can be set during registration. This makes it possible for authenticated attackers, with Author-level access and above, to create posts/pages with the registration form and administrator set as the role and subsequently use that form to register an a...
Denial of service in Gravitl Netmaker prior to 1.2.0 allows any remote unauthenticated attacker to terminate the server process by calling the unprotected /api/server/shutdown endpoint, which issues a SIGINT to the running process. Because the service restarts in roughly three seconds, attackers can loop the request to sustain a cyclic outage of the WireGuard-based overlay network. No public exploit identified at time of analysis and EPSS is low (0.04%), but the trivial nature of the request makes opportunistic abuse plausible once exposure is known.
ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]
Netmaker versions prior to 1.5.0 fail to properly validate host JWT tokens during authorization, allowing any attacker with knowledge of target object identifiers to bypass access controls and read, modify, or delete resources across different hosts. The vulnerability affects critical operations including node management, host deletion, and failover configurations, requiring only a valid host token and network access to exploit. Update to version 1.5.0 or later to remediate.
DSA Study Hub stores JWT authentication tokens in unencrypted HTTP cookies, allowing attackers to extract and replay user credentials to gain unauthorized access to accounts. An unauthenticated remote attacker can intercept these tokens through network traffic analysis or client-side inspection to impersonate legitimate users. A patch is available in commit d527fba and should be applied immediately.
ZITADEL versions 4.0.0-rc.1 through 4.7.0 are vulnerable to open redirect attacks through improper validation of the Forwarded and X-Forwarded-Host headers used in password reset links. An attacker can craft a malicious request to redirect users to an attacker-controlled domain when they click password reset confirmation links, enabling credential harvesting or phishing attacks. The vulnerability affects all deployments using affected versions and has been patched in version 4.7.1.
Account takeover in Zitadel versions 4.0.0 through 4.11.1 is possible through improper redirect URI validation in the login V2 interface, allowing attackers with high privileges to compromise user accounts. This cross-site scripting vulnerability affects organizations using the vulnerable Zitadel identity management platform and has been resolved in version 4.12.0.
Unauthenticated remote attackers can download sensitive configuration files from ZikeStor SKS8310-8X network switches (firmware 1.04.B07 and earlier) via an unprotected /switch_config.src endpoint, exposing VLAN settings and IP addressing details without requiring credentials. This HIGH severity vulnerability (CVSS 7.5) affects confidentiality of device configurations and currently has no available patch.
PHP object injection in the JS Archive List WordPress plugin (versions up to 6.1.7) allows authenticated contributors and above to deserialize untrusted data through the shortcode 'included' parameter. While no direct exploitation path exists in the plugin itself, attackers could leverage gadget chains from other installed plugins or themes to achieve arbitrary file deletion, information disclosure, or remote code execution. A patch is not currently available.
ZIP Code Based Content Protection (WordPress plugin) versions up to 1.0.2 is affected by sql injection (CVSS 7.5).
UptimeFlare's configuration management fails to segregate server-only sensitive data from client-side code, causing the workerConfig object containing confidential settings to be exposed in the JavaScript bundle delivered to all website visitors. This information disclosure allows attackers to view sensitive configuration details without authentication. The vulnerability affects UptimeFlare instances prior to commit 377a596 and has been patched.
Cross-site request forgery (CSRF) in Ghost CMS versions 5.101.6 through 6.19.2 permits attackers to reuse one-time codes across different login sessions via the /session/verify endpoint, potentially enabling account takeover through phishing attacks. The vulnerability affects Ghost deployments on Node.js and related platforms, requiring no user authentication but relying on user interaction. A patch is available in Ghost version 6.19.3 and later.
Apache ZooKeeper 3.8.5 and 3.9.4 improperly log sensitive client configuration data at INFO level, allowing unauthenticated remote attackers to extract credentials and other confidential information from application logfiles. The vulnerability affects all platforms and requires no user interaction or special privileges to exploit. No patch is currently available, leaving vulnerable deployments exposed until upgrades to versions 3.8.6 or 3.9.5 are deployed.
dpkg-deb fails to properly validate zstd-compressed .deb archives during decompression, allowing unauthenticated remote attackers to trigger infinite loops that exhaust CPU resources on Debian systems. This denial of service condition affects the package management system without requiring user interaction or elevated privileges. No patch is currently available for this vulnerability.
The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. [CVSS 7.2 HIGH]
Unauthenticated attackers can inject malicious scripts into WordPress sites running the WP App Bar plugin (versions up to 1.5) through the 'app-bar-features' parameter due to missing input validation and authorization checks. When site administrators access the plugin's settings page, the stored payload executes in their browser, enabling credential theft or unauthorized actions. No patch is currently available for this vulnerability.
Arbitrary PHP code execution in the Easy PHP Settings WordPress plugin through versions 1.0.4 allows authenticated administrators to inject malicious code via inadequately sanitized memory limit configuration parameters that bypass quote filtering in wp-config.php. An attacker with administrator privileges can exploit insufficient input validation in the `update_wp_memory_constants()` method to break out of PHP string context and execute arbitrary commands that execute on every page request. No patch is currently available for this high-severity vulnerability.