create_function() sandbox bypass via unsanitized args passed to Function constructor. PoC available.
Command injection RCE in claude-hovercraft tool. EPSS 1.3%.
SandboxJS sandbox escape before 0.8.34 via Function access through arrays. CVSS 10.0.
SQL injection in OneUptime telemetry API before 10.0.23.
Prototype pollution in Apollo Federation before multiple versions.
Arbitrary file upload in Pix for WooCommerce WordPress plugin.
Stack overflow in HMS Networks Ewon Flexy/Cosy+ firmware.
OOB write in GNU inetutils telnetd through 2.7 via LINEMODE SLC handler.
XSS in AnythingLLM 1.11.1 and earlier.
Heap buffer overflow in FreeRDP's NSCodec surface-bits handler (versions prior to 3.24.0) lets a malicious or compromised RDP server corrupt heap memory on connecting clients. The gdi_surface_bits() path passes server-supplied bmp.width and bmp.height into nsc_process_message() without validating them against the actual desktop dimensions, and because the attacker also controls the decoded pixel data, the out-of-bounds write can overwrite adjacent heap allocations with attacker-chosen bytes - a potential path to remote code execution. EPSS is low (0.04%, 13th percentile) and there is no public exploit identified at time of analysis.
SSRF in Centrifugo real-time messaging before 6.7.0.
Path traversal via dagRunId in DAG execution endpoints.
RCE via code injection in Modal Dialog WordPress plugin.
Weak encryption in HMS Networks Ewon Flexy/Cosy+ firmware.