Authorization bypass in Argo Workflows (2.9.0 through 4.0.1 and 3.7.x before 3.7.11) lets any user permitted to submit Workflows override admin-defined WorkflowTemplate security controls by attaching a podSpecPatch to their submission. Because podSpecPatch is merged with Workflow-spec precedence and applied to the pod with no security validation, even controllers locked down with templateReferencing: Strict can be circumvented to run arbitrary pod settings such as privileged: true. Publicly available exploit code exists, but EPSS is low (0.04%) and it is not in CISA KEV.
Varient 1.6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user_id parameter. [CVSS 8.2 HIGH]
Hisilicon HiIpcam V100R003 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by exploiting directory listing in the cgi-bin directory. [CVSS 7.5 HIGH]
ARMBot contains an unrestricted file upload vulnerability in upload.php that allows unauthenticated attackers to upload arbitrary files by manipulating the file parameter with path traversal sequences. [CVSS 7.5 HIGH]
GetGo Download Manager 6.2.2.3300 contains a buffer overflow vulnerability that allows remote attackers to cause denial of service by sending HTTP responses with excessively long headers. [CVSS 7.5 HIGH]
eWON Firmware versions 12.2 to 13.0 contain an authentication bypass vulnerability that allows attackers with minimal privileges to retrieve sensitive user data by exploiting the wsdReadForm endpoint. [CVSS 7.5 HIGH]
Easy File Sharing Web Server 7.2 contains a local structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by creating a malicious username. [CVSS 8.4 HIGH]
Comtrend AR-5310 GE31-412SSG-C01_R10.A2pG039u.d24k contains a restricted shell escape vulnerability that allows local users to bypass command restrictions by using the command substitution operator $( ). [CVSS 8.4 HIGH]
Verypdf docPrint Pro 8.0 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized alphanumeric encoded payload in the User Password or Master Password fields. [CVSS 8.4 HIGH]
Unauthenticated attackers can extract sensitive database information from WordPress sites running the Ally plugin (versions up to 4.0.3) through SQL injection in the URL parameter handling of the Remediation module. The vulnerability exists because user input is insufficiently sanitized before being concatenated into SQL queries, allowing time-based blind SQL injection attacks despite URL escaping being applied. No patch is currently available.
Curl's SMB implementation contains a use-after-free vulnerability that causes denial of service when processing consecutive requests to the same host, as the library incorrectly dereferences freed memory on subsequent connections. Public exploit code exists for this vulnerability affecting Curl installations. An attacker can crash Curl-based applications or services by triggering multiple SMB requests, though remote code execution is not possible due to the nature of the memory corruption.
Information disclosure in Argo Workflows before 4.0.2 and 3.7.11 lets any unauthenticated client read WorkflowTemplates and ClusterWorkflowTemplates by sending a bogus 'Authorization: Bearer nothing' token, leaking embedded Secret manifests and other sensitive template content. The CVSS 3.1 base score is 7.5 (confidentiality-only, network, no privileges) and publicly available exploit code exists, though EPSS is very low (0.04%) and it is not in CISA KEV, indicating no confirmed widespread exploitation yet.
IntelBras Telefone IP TIP200 and 200 LITE contain an unauthenticated arbitrary file read vulnerability in the dumpConfigFile function accessible via the cgiServer.exx endpoint. [CVSS 7.5 HIGH]
Shopware versions before 6.6.10.15 and 6.7.8.1 contain an authentication bypass in the app registration flow that allows attackers to hijack the communication channel between a shop and third-party apps by re-registering with a controlled domain without domain ownership verification. An attacker with knowledge of the app secret can redirect app traffic and intercept API credentials intended for legitimate shops. This vulnerability affects all Shopware installations using the legacy app registration mechanism and currently has no available patch.
OpenClaw versions before 2026.2.14 allow authenticated attackers to bypass filesystem restrictions in the apply_patch function through path traversal, enabling arbitrary file write and deletion operations outside the intended workspace. The vulnerability requires an authenticated user but no additional user interaction, and affects systems with apply_patch enabled without sandbox containment. No patch is currently available.
Remote code execution in Craft CMS 5 allows authenticated Control Panel users with basic access (including non-admin roles like Author or Editor) to execute arbitrary code by injecting malicious Twig templates through condition rule parameters. The vulnerability exploits an unsandboxed template rendering function that bypasses all security hardening settings, affecting versions prior to 5.9.9 and 4.17.4. No patch is currently available for this HIGH severity vulnerability.
Authenticated remote attackers can execute arbitrary commands through malformed parameters in AOS-CX CLI commands, achieving remote code execution with high integrity and confidentiality impact. The vulnerability affects low-privileged users on networked systems and requires no user interaction to exploit. No patch is currently available for this command injection flaw.
Royal Addons for Elementor (WordPress plugin) versions up to 1.7.1049. is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Authenticated users in PingPong versions prior to 7.27.2 can access and delete files beyond their authorization scope, potentially exposing or removing private user files and model outputs. An attacker with valid credentials and thread access can exploit improper access controls to retrieve or delete sensitive data belonging to other users. No patch is currently available for this high-severity vulnerability affecting the AI/ML teaching platform.
Arbitrary plugin installation and remote code execution in ExactMetrics WordPress plugin versions 8.6.0-9.0.2 allows authenticated users with report-viewing permissions to bypass administrative capability checks via parameter manipulation. An attacker can exploit an Insecure Direct Object Reference in the onboarding process to install malicious plugins and execute arbitrary code on vulnerable WordPress installations. This vulnerability requires the site administrator to have previously granted non-admin users report access permissions.
OpenClaw version 2026.2.22-2 versions up to 2026.2.23 is affected by incorrect authorization (CVSS 8.8).
Cursor is a code editor built for programming with AI. versions up to 2.0 is affected by os command injection.
Arbitrary OS command execution in Cloud CLI versions prior to 1.24.0 allows authenticated users to inject malicious commands through improperly sanitized git configuration parameters passed to shell execution functions. The /api/user/git-config endpoint fails to properly escape bash metacharacters like backticks and $() substitutions, enabling attackers to execute arbitrary operating system commands with application privileges. No patch is currently available for affected deployments.
Privilege escalation in ExactMetrics WordPress plugin versions 7.1.0-9.0.2 allows authenticated users with the `exactmetrics_save_settings` capability to modify any plugin configuration without restrictions, potentially escalating themselves to administrative access. An attacker could exploit the missing input validation in the `update_settings()` function to grant plugin permissions to arbitrary user roles, including subscribers, effectively bypassing intended access controls. No patch is currently available for this vulnerability.
Out of bounds read in V8 in Google Chrome versions up to 146.0.7680.71 is affected by out-of-bounds read (CVSS 8.8).
Use after free in MediaStream in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Use after free in TextEncoding in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Use after free in Agents in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Insufficient CLI argument validation in Cisco IOS XR Software enables authenticated local attackers to achieve root-level code execution through crafted commands. An attacker with low-privileged account access can exploit this vulnerability to bypass privilege restrictions and execute arbitrary commands on the affected device's underlying operating system. No patch is currently available for this high-severity vulnerability.
Use after free in WebView in Google Chrome on Android versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Heap buffer overflow in Skia in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
Use after free in WebMIDI in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Out of bounds memory access in WebML in Google Chrome versions up to 146.0.7680.71 is affected by out-of-bounds read (CVSS 8.8).
Use after free in WebMCP in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Integer overflow in WebML in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability (CVSS 8.8).
Heap buffer overflow in WebML in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
Heap buffer overflow in WebML in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
OpenEMR versions prior to 8.0.0.1 contain a SQL injection vulnerability in the ajax graphs library that allows authenticated users to execute arbitrary database queries, potentially leading to complete compromise of patient health records and system data. The vulnerability stems from insufficient input validation and requires valid credentials to exploit, but poses a critical risk given the sensitive nature of healthcare data stored in OpenEMR systems. No patch is currently available for affected versions.
WeGIA is a web manager for charitable institutions. versions up to 3.6.6 is affected by sql injection (CVSS 8.8).
SQL injection in Craft CMS ElementSearchController allows authenticated control panel users to execute arbitrary SQL queries and extract complete database contents through the criteria[where] and criteria[orderBy] parameters. The vulnerability exists because a previous SQL injection fix applied to ElementIndexesController was never implemented in this endpoint. An attacker with any control panel user account can exploit this via boolean-based blind injection without requiring administrative privileges.
Cisco IOS XR Software contains a task group mapping flaw in a specific CLI command that allows authenticated local attackers to bypass privilege checks and gain full administrative access to affected devices. An attacker with low-privileged credentials can exploit this misconfiguration to execute unauthorized administrative actions without proper authorization validation. No patch is currently available.
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. An authenticated attacker can inject OS commands into the "tunnel" parameter when killing a tunnel connection. [CVSS 8.8 HIGH]
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The Log Info page allows users to see log files by specifying their names. [CVSS 8.8 HIGH]
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. An authenticated attacker can inject OS commands into the "name" parameter when deleting SSL credentials through the management interface. [CVSS 8.8 HIGH]
Local privilege escalation in Himmelblau prior to versions 3.1.0 and 2.3.8 allows authenticated local users to exploit insecure Kerberos cache file handling in the root-running himmelblaud-tasks daemon through symlink attacks. The vulnerability stems from the removal of PrivateTmp protections, exposing /tmp operations to symlink-based file overwrite and ownership manipulation attacks. An attacker with local access can leverage this flaw to achieve arbitrary file modification and full system compromise.
In Microsoft DirectX End-User Runtime Web Installer 9.29.1974.0, a low-privilege user can replace an executable file during the installation process, which may result in unintended elevation of privileges. [CVSS 8.8 HIGH]
Use after free in Extensions in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 8.8).
Coppermine Photo Gallery in versions 1.6.09 through 1.6.27 is vulnerable to path traversal.
OpenClaw versions2026.2.21-2 versions up to 2026.2.22 is affected by allocation of resources without limits or throttling (CVSS 7.5).
In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application.