Critical command injection vulnerability in Wavlink WL-WN579A3 wireless router firmware version 220323, allowing unauthenticated remote attackers to execute arbitrary commands via the SetName/GuestWifi functions in /cgi-bin/wireless.cgi. A public proof-of-concept exploit is available, and while a vendor patch exists, the vulnerability has not yet been added to CISA's KEV catalog despite its high severity (CVSS 9.8).
This issue affects Apache Spark: before 3.5.7 and 4.0.1.
A cross-site scripting vulnerability in comment hypertext handling that allows attackers to inject malicious scripts (CVSS 6.4) that allows attackers. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
The STM32 USB device driver in Zephyr contains a logic error that can trigger an infinite loop, allowing a local attacker with user-level privileges to cause a denial of service by halting system responsiveness. No patch is currently available for this medium-severity defect that affects the USB subsystem's operational stability.
The Thim Kit for Elementor plugin for WordPress versions up to 1.3.7 allows unauthenticated attackers to access private and draft LearnPress course content through an improperly secured REST API endpoint that accepts arbitrary post status parameters. The vulnerability stems from missing input validation on the 'thim-ekit/archive-course/get-courses' endpoint, enabling information disclosure to any remote attacker without authentication or user interaction. No patch is currently available for this medium-severity flaw affecting WordPress installations using the vulnerable plugin.
The NEX-Forms Ultimate Forms Plugin for WordPress contains a missing capability check vulnerability in the deactivate_license() function, allowing authenticated attackers with Subscriber-level privileges to deactivate the plugin license without proper authorization. This authorization bypass affects all versions up to and including 9.1.9 and has a CVSS score of 4.3 (Low severity), indicating limited direct impact but meaningful privilege escalation concerns for multi-user WordPress installations.
Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.