Critical command injection vulnerability in Wavlink WL-WN578W2 wireless routers (firmware version 221110) that allows unauthenticated remote attackers to execute arbitrary commands via specially crafted POST requests to multiple functions in the wireless.cgi script. A public proof-of-concept exploit is available on GitHub, and the vendor has released a patch, making this a high-priority issue for immediate remediation despite no current KEV listing.
Critical OS command injection vulnerability in Topsec TopACM 3.0's web management interface that allows unauthenticated remote attackers to execute arbitrary system commands. A public proof-of-concept exploit is available, and the vulnerability has a CVSS score of 9.8, though no active exploitation has been confirmed in CISA's KEV catalog. The vendor has not responded to disclosure attempts, leaving systems unpatched.
Critical stack-based buffer overflow vulnerability in the D-Link DIR-816 router (firmware version 1.10CNB05) that allows remote attackers to execute arbitrary code without authentication. A public proof-of-concept exploit is available, and the vulnerability affects end-of-life products no longer supported by D-Link, making this a high-risk issue for organizations still using these devices.
A privilege escalation vulnerability in Wowza Streaming Engine 4.5.0 allows authenticated read-only users to elevate their privileges to administrator level by manipulating POST parameters (accessLevel='admin', advUser='true'/'on') sent to the user edit endpoint. A public exploit is available on exploit-db, though the vulnerability has not been added to CISA's KEV catalog, suggesting limited real-world exploitation despite the high CVSS score of 8.8.
An improper access control vulnerability in Serviio PRO 1.8's Configuration REST API allows unauthenticated remote attackers to change the mediabrowser login password without any authentication. Multiple public proof-of-concept exploits are available on Exploit-DB and PacketStorm, making this vulnerability trivially exploitable. The vulnerability affects Serviio PRO versions 1.6.1 through 1.8.0.0 PRO and represents a complete authentication bypass allowing full account takeover.
An information disclosure vulnerability in Serviio PRO 1.8 and earlier versions allows unauthenticated remote attackers to retrieve sensitive configuration data through the Configuration REST API due to missing authentication controls. Multiple public exploits are available, with proof-of-concept code published on Exploit-DB and PacketStorm, making this vulnerability easily exploitable by attackers with no special privileges or user interaction required.
Privilege escalation vulnerability in ZKTeco ZKAccess Professional 3.5.3 (Build 0005) where authenticated users can modify executable files due to insecure permissions, allowing them to replace binaries with malicious code and gain elevated privileges. Multiple public exploits are available (exploit-db, PacketStorm) making this a high-risk vulnerability for organizations using this access control software, despite no current KEV listing or EPSS data.
Persistent cross-site scripting (XSS) vulnerability affecting Qool CMS 2.0, allowing unauthenticated attackers to inject malicious JavaScript through multiple administrative POST parameters that execute in administrator browsers. A public proof-of-concept exploit is available on Exploit-DB, though no active exploitation is reported (not in KEV), and the CVSS score appears inflated given the actual attack requirements.
Serviio PRO 1.8 and earlier versions contain an unquoted service path vulnerability combined with insecure directory permissions that allows local authenticated users to escalate privileges to SYSTEM level. A public exploit is available, making this vulnerability easily exploitable by any authenticated user on the system. With a CVSS score of 7.8 and multiple proof-of-concept exploits published, this represents a significant risk for organizations running affected versions.
Multiple time-based blind SQL injection vulnerabilities in RealtyScript 4.0.2 allow unauthenticated remote attackers to extract database information by injecting malicious SQL queries with time-delay payloads. Attackers can infer database contents character by character based on response timing differences. A public proof-of-concept exploit is available on Exploit-DB, significantly increasing the risk of exploitation.
SQL injection vulnerabilities in RealtyScript 4.0.2 allow unauthenticated remote attackers to manipulate database queries through vulnerable parameters in admin panel files (/admin/users.php and /admin/mailer.php). Attackers can extract sensitive database information using time-based blind SQL injection or cause denial of service. A public proof-of-concept exploit is available on Exploit-DB, though the vulnerability is not currently in CISA's KEV catalog.
Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability where authenticated users can gain SYSTEM-level access by replacing service executables due to overly permissive file permissions that grant the Everyone group full control. A public proof-of-concept exploit is available, making this vulnerability easily exploitable by any authenticated local user to completely compromise the system.
Remote code execution in D-Link DIR-619L 2.06B01 results from a stack-based buffer overflow in the formSchedule function when the curTime parameter is manipulated via the /goform/formSchedule endpoint. An authenticated remote attacker can exploit this vulnerability to achieve full system compromise, and public exploit code is currently available. This vulnerability affects only end-of-life devices that no longer receive security updates.
Remote code execution via stack-based buffer overflow in Belkin F9K1122 router firmware allows authenticated attackers to achieve complete system compromise through the /goform/formReboot endpoint. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The high CVSS score of 8.8 reflects the severity of unauthenticated remote exploitation potential in networked deployments.
Stack-based buffer overflow vulnerability in TRENDnet TEW-632BRP firmware version 1.010B32, specifically in the ping_response.cgi file's HTTP POST request handler. An authenticated attacker with high privileges can exploit this vulnerability remotely to achieve code execution with high impact to confidentiality, integrity, and availability. A public proof-of-concept exploit is available on GitHub, though the vulnerability is not listed in CISA KEV and no EPSS score is provided.
A stored cross-site scripting (XSS) vulnerability exists in RealtyScript 4.0.2's admin locations interface, allowing unauthenticated attackers to inject malicious JavaScript through the location_name parameter. Successful exploitation enables arbitrary code execution in administrator browsers when they view compromised location entries. A public proof-of-concept exploit is available on Exploit-DB, though no active exploitation has been reported (not in CISA KEV).
Stored cross-site scripting (XSS) vulnerability in Next Click Ventures RealtyScript 4.0.2 that allows attackers to upload malicious JavaScript files through unsanitized file uploads in admin/tools.php. With a publicly available proof-of-concept exploit and a CVSS score of 7.2, attackers can execute JavaScript in the context of other users' browsers without authentication, though the vulnerability is not listed in CISA KEV and has no EPSS score indicating limited real-world exploitation.
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by injecting malicious input through the --container parameter when deploying models to SageMaker. The vulnerability affects MLflow installations in development environments, CI/CD pipelines, and cloud deployments, with a CVSS score of 7.5 indicating high severity. No active exploitation or KEV listing is reported, and no EPSS data is available to assess real-world exploitation likelihood.
Heap-based buffer overflow vulnerability in the DnsServer component of Tuya's arduino-TuyaOpen library (versions before 1.2.1) that allows attackers on the same LAN to execute arbitrary code on IoT/embedded devices by sending malicious DNS responses. With a CVSS score of 8.8 and tags indicating RCE capability, this represents a significant risk for connected embedded devices, though no active exploitation (not in KEV) or public PoC has been identified.
Single-byte buffer overflow vulnerability in the WiFiMulti component of arduino-TuyaOpen (versions before 1.2.1) that allows remote code execution when IoT devices connect to attacker-controlled WiFi access points. This affects Tuya's Arduino library used in smart home devices, with a CVSS score of 8.4, though the local attack vector (AV:L) suggests physical proximity is required despite the remote exploitation capability described.
CVE-2026-28521 is an out-of-bounds memory read vulnerability in the TuyaIoT component of arduino-TuyaOpen library versions prior to 1.2.1, affecting IoT devices using Tuya's cloud platform. An attacker who compromises or controls the Tuya cloud service can send malformed DP (data point) events to trigger memory disclosure or denial-of-service conditions. While rated CVSS 7.7, the exploitation requires local access according to the vector, creating some contradiction with the cloud-based attack scenario described.
CVE-2026-1947 is an Insecure Direct Object Reference vulnerability in NEX-Forms WordPress plugin (versions ≤9.1.9) that allows unauthenticated remote attackers to overwrite arbitrary form entries without any authentication. The vulnerability has a CVSS score of 7.5 and while not currently in KEV or having public POCs, it represents a significant data integrity risk for WordPress sites using this forms plugin.
Arduino-TuyaOpen before version 1.2.1 contains a null pointer dereference vulnerability in its WiFiUDP component that allows unauthenticated attackers on the same local network to trigger a denial-of-service condition by flooding the device with malicious UDP packets. The vulnerability causes memory exhaustion leading to application crashes; while not actively exploited in the wild (KEV status unknown from provided data), the local network attack vector and high availability impact (CVSS 6.5) warrant prompt patching for affected IoT deployments.
Information disclosure and denial-of-service in GNU Binutils' BFD linker (ld) arises from an out-of-bounds heap read when parsing malformed XCOFF object files. A local attacker who convinces a user to link or otherwise process a specially crafted XCOFF file can leak adjacent heap memory (CWE-125) or crash the linking process. Tracked by Red Hat across RHEL 6 through 10 and OpenShift 4; no public exploit is identified and EPSS exploitation probability is negligible (0.01%, 2nd percentile).
Out-of-bounds heap read in the BFD linker (ld) component of GNU Binutils allows information disclosure or an application-level crash when a victim is induced to process a crafted XCOFF object file. Affected across Red Hat Enterprise Linux 6 through 10 (and OpenShift Container Platform 4), exploitation requires user interaction and local file processing - there is no public exploit identified at time of analysis, and the EPSS probability is negligible (0.01%, 2nd percentile).