File path control in Zoom Workplace for Windows Mail feature before 6.6.0.
Sandbox escape via Web Speech in Chrome before 146.0.7680.71. Patch available.
SQL injection in itsourcecode University Management System 1.0 via the Name parameter in /att_add.php enables unauthenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.
Remote attackers can completely bypass authentication on MR-GM5L-S1 and MR-GM5A-L1 devices to arbitrarily modify device configurations. The vulnerability requires no authentication, no user interaction, and low attack complexity (CVSS:4.0 AV:N/AC:L/PR:N/UI:N), scoring 9.3 critical. EPSS exploitation probability is low (0.10%, 28th percentile) with no confirmed active exploitation or public exploit code identified at time of analysis, suggesting limited real-world targeting to date despite the severe access control failure.
embedded SwiFTP FTP server component contains a vulnerability that allows attackers to log in without valid credentials.
Hard-coded credentials in MR-GM5L-S1 and MR-GM5A-L1 enable remote unauthenticated attackers to gain administrative access with critical CVSS 9.3 score. The CWE-798 flaw allows complete system compromise through embedded default credentials that cannot be changed by users. EPSS score of 0.04% (14th percentile) suggests low observed exploitation probability despite the critical severity, though authentication bypass capabilities make this a priority for affected deployments.
SSRF in Plunk email platform before 0.7.0.
OAuth2 bearer token leakage in curl and .NET occurs when HTTP redirects are followed to a second hostname that matches entries in the .netrc configuration file, allowing attackers to obtain valid authentication tokens for unintended hosts. Public exploit code exists for this vulnerability affecting curl and .NET applications that rely on OAuth2 authentication with automatic redirect handling. This medium-severity vulnerability (CVSS 5.3) requires network access but no user interaction, and patches are available from vendors.
Blind SSRF in 2FAuth 2FA manager before 6.1.0.
Command injection in Cloud CLI (Claude Code UI) Git operations before 1.24.0.
Critical vulnerability in Lantronix EDS serial device server (EDS5000/EDS3000PS). Multiple injection and auth bypass vulnerabilities in the management interface.
Auth bypass in Unity Catalog 0.4.0 and earlier.
Default credentials in netbox-docker before 2.5.0.
Shopware versions before 6.6.10.15 and 6.7.8.1 contain an authentication bypass in the app registration flow that allows attackers to hijack the communication channel between a shop and third-party apps by re-registering with a controlled domain without domain ownership verification. An attacker with knowledge of the app secret can redirect app traffic and intercept API credentials intended for legitimate shops. This vulnerability affects all Shopware installations using the legacy app registration mechanism and currently has no available patch.
OpenClaw versions before 2026.2.14 allow authenticated attackers to bypass filesystem restrictions in the apply_patch function through path traversal, enabling arbitrary file write and deletion operations outside the intended workspace. The vulnerability requires an authenticated user but no additional user interaction, and affects systems with apply_patch enabled without sandbox containment. No patch is currently available.
Remote code execution in Craft CMS 5 allows authenticated Control Panel users with basic access (including non-admin roles like Author or Editor) to execute arbitrary code by injecting malicious Twig templates through condition rule parameters. The vulnerability exploits an unsandboxed template rendering function that bypasses all security hardening settings, affecting versions prior to 5.9.9 and 4.17.4. No patch is currently available for this HIGH severity vulnerability.
Authenticated remote attackers can execute arbitrary commands through malformed parameters in AOS-CX CLI commands, achieving remote code execution with high integrity and confidentiality impact. The vulnerability affects low-privileged users on networked systems and requires no user interaction to exploit. No patch is currently available for this command injection flaw.
Royal Addons for Elementor (WordPress plugin) versions up to 1.7.1049. is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Authenticated users in PingPong versions prior to 7.27.2 can access and delete files beyond their authorization scope, potentially exposing or removing private user files and model outputs. An attacker with valid credentials and thread access can exploit improper access controls to retrieve or delete sensitive data belonging to other users. No patch is currently available for this high-severity vulnerability affecting the AI/ML teaching platform.
Arbitrary plugin installation and remote code execution in ExactMetrics WordPress plugin versions 8.6.0-9.0.2 allows authenticated users with report-viewing permissions to bypass administrative capability checks via parameter manipulation. An attacker can exploit an Insecure Direct Object Reference in the onboarding process to install malicious plugins and execute arbitrary code on vulnerable WordPress installations. This vulnerability requires the site administrator to have previously granted non-admin users report access permissions.
OpenClaw version 2026.2.22-2 versions up to 2026.2.23 is affected by incorrect authorization (CVSS 8.8).
Cursor is a code editor built for programming with AI. versions up to 2.0 is affected by os command injection.
Arbitrary OS command execution in Cloud CLI versions prior to 1.24.0 allows authenticated users to inject malicious commands through improperly sanitized git configuration parameters passed to shell execution functions. The /api/user/git-config endpoint fails to properly escape bash metacharacters like backticks and $() substitutions, enabling attackers to execute arbitrary operating system commands with application privileges. No patch is currently available for affected deployments.
Privilege escalation in ExactMetrics WordPress plugin versions 7.1.0-9.0.2 allows authenticated users with the `exactmetrics_save_settings` capability to modify any plugin configuration without restrictions, potentially escalating themselves to administrative access. An attacker could exploit the missing input validation in the `update_settings()` function to grant plugin permissions to arbitrary user roles, including subscribers, effectively bypassing intended access controls. No patch is currently available for this vulnerability.
Out of bounds read in V8 in Google Chrome versions up to 146.0.7680.71 is affected by out-of-bounds read (CVSS 8.8).
Use after free in MediaStream in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Use after free in TextEncoding in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Use after free in Agents in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Insufficient CLI argument validation in Cisco IOS XR Software enables authenticated local attackers to achieve root-level code execution through crafted commands. An attacker with low-privileged account access can exploit this vulnerability to bypass privilege restrictions and execute arbitrary commands on the affected device's underlying operating system. No patch is currently available for this high-severity vulnerability.
Use after free in WebView in Google Chrome on Android versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Heap buffer overflow in Skia in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
Use after free in WebMIDI in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Out of bounds memory access in WebML in Google Chrome versions up to 146.0.7680.71 is affected by out-of-bounds read (CVSS 8.8).
Use after free in WebMCP in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Integer overflow in WebML in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability (CVSS 8.8).
Heap buffer overflow in WebML in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
Heap buffer overflow in WebML in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
OpenEMR versions prior to 8.0.0.1 contain a SQL injection vulnerability in the ajax graphs library that allows authenticated users to execute arbitrary database queries, potentially leading to complete compromise of patient health records and system data. The vulnerability stems from insufficient input validation and requires valid credentials to exploit, but poses a critical risk given the sensitive nature of healthcare data stored in OpenEMR systems. No patch is currently available for affected versions.
WeGIA is a web manager for charitable institutions. versions up to 3.6.6 is affected by sql injection (CVSS 8.8).
SQL injection in Craft CMS ElementSearchController allows authenticated control panel users to execute arbitrary SQL queries and extract complete database contents through the criteria[where] and criteria[orderBy] parameters. The vulnerability exists because a previous SQL injection fix applied to ElementIndexesController was never implemented in this endpoint. An attacker with any control panel user account can exploit this via boolean-based blind injection without requiring administrative privileges.
Cisco IOS XR Software contains a task group mapping flaw in a specific CLI command that allows authenticated local attackers to bypass privilege checks and gain full administrative access to affected devices. An attacker with low-privileged credentials can exploit this misconfiguration to execute unauthorized administrative actions without proper authorization validation. No patch is currently available.
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. An authenticated attacker can inject OS commands into the "tunnel" parameter when killing a tunnel connection. [CVSS 8.8 HIGH]
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The Log Info page allows users to see log files by specifying their names. [CVSS 8.8 HIGH]
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. An authenticated attacker can inject OS commands into the "name" parameter when deleting SSL credentials through the management interface. [CVSS 8.8 HIGH]
Local privilege escalation in Himmelblau prior to versions 3.1.0 and 2.3.8 allows authenticated local users to exploit insecure Kerberos cache file handling in the root-running himmelblaud-tasks daemon through symlink attacks. The vulnerability stems from the removal of PrivateTmp protections, exposing /tmp operations to symlink-based file overwrite and ownership manipulation attacks. An attacker with local access can leverage this flaw to achieve arbitrary file modification and full system compromise.
In Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0, a low-privilege user can replace an executable file during the installation process, which may result in unintended elevation of privileges. [CVSS 8.8 HIGH]
Use after free in Extensions in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Coppermine Photo Gallery in versions 1.6.09 through 1.6.27 is vulnerable to path traversal.
OpenClaw versions2026.2.21-2 versions up to 2026.2.22 is affected by allocation of resources without limits or throttling (CVSS 7.5).
In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application.