Authlib's implementation of the JWE RSA1_5 key management algorithm contains a padding oracle vulnerability that leaks decryption failures through timing and exception patterns, allowing attackers to decrypt sensitive data without the private key. The library disabled the constant-time protections provided by the underlying cryptography library and raises exceptions before tag validation completes, creating a reliable side-channel. Public exploit code exists for this vulnerability affecting Authlib users in Python and related Oracle products.
Server-side request forgery in Vanna AI versions up to 2.0.2 allows unauthenticated remote attackers to manipulate the update_sql and run_sql endpoints in the Flask component. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
An unrestricted file upload vulnerability exists in the Tiandy Easy7 Integrated Management Platform version 7.17.0, specifically in the /rest/file/uploadLedImage endpoint. This vulnerability allows remote attackers without authentication to upload arbitrary files, potentially leading to remote code execution. A proof-of-concept exploit has been publicly released and the vendor has not responded to disclosure attempts, leaving this vulnerability unpatched and actively exploitable.
An unrestricted file upload vulnerability exists in Technologies Integrated Management Platform version 7.17.0 that allows remote attackers to upload malicious files without authentication through the /SetWebpagePic.jsp endpoint by manipulating the targetPath/Suffix parameters. A public proof-of-concept exploit is available, though the vulnerability is not currently in CISA's Known Exploited Vulnerabilities catalog, making this a confirmed exploitable vulnerability with demonstrated attack code that could lead to unauthorized file uploads and potential remote code execution.
An unrestricted file upload vulnerability exists in the glowxq-oj online judge system that allows remote attackers without authentication to upload malicious files through the SysFileController Upload function. A proof-of-concept exploit is publicly available, and while not currently in CISA's KEV catalog, the vulnerability poses moderate risk with a CVSS score of 7.3 and publicly disclosed exploitation code.
Server-side request forgery in Glowxq OJ's test case upload functionality (ProblemCaseController.java) allows unauthenticated remote attackers to make arbitrary network requests from the affected server. Public exploit code is available and the vulnerability remains unpatched, with the vendor unresponsive to disclosure attempts.
SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate parameters in the enrollment module via the txtsearch, deptname, or name arguments. Public exploit code exists for this vulnerability, which enables attackers to read, modify, or delete database contents. No patch is currently available.
SQL injection in Free Hotel Reservation System 1.0 allows unauthenticated remote attackers to manipulate the Home parameter in /hotel/admin/mod_reports/index.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems running the vulnerable PHP application are at immediate risk of data theft and database compromise.
SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate the user_email parameter in /sms/login.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling attackers to read, modify, or delete sensitive enrollment data without authentication. No patch is currently available.
SQL injection in itsourcecode Payroll Management System 1.0 via the ID parameter in /manage_employee.php allows unauthenticated remote attackers to execute arbitrary SQL queries and access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available. Organizations running this system should implement network-level protections and consider upgrading to a patched version once released.
SQL injection in Tiandy Integrated Management Platform 7.17.0 via the /rest/user/getAuthorityByUserId endpoint allows unauthenticated remote attackers to manipulate the userId parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. Successful exploitation could enable unauthorized data access, modification, or system disruption.
SQL injection in Vanna AI's BigQuery integration (versions up to 2.0.2) allows unauthenticated remote attackers to manipulate the remove_training_data function through unsanitized ID parameters. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. Successful exploitation enables attackers to read, modify, or delete database contents with limited impact on confidentiality, integrity, and availability.
Modern Events Calendar versions up to 7.29.0 contain an access control vulnerability that allows unauthenticated remote attackers to modify data through improperly configured authorization checks. This vulnerability enables attackers to perform unauthorized actions without authentication, affecting all installations of the affected versions. No patch is currently available, requiring organizations to implement alternative mitigation strategies.
A cross-site request forgery (CSRF) vulnerability exists in Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 that allows authenticated attackers to execute arbitrary system commands without additional validation. An attacker can craft a malicious webpage that, when visited by a logged-in router administrator, triggers unauthorized administrative actions with full router privileges. While the CVSS score of 4.3 is moderate and no active exploitation has been widely reported, the ability to achieve command execution on network infrastructure devices represents a meaningful risk to affected deployments.
libexpat before version 2.7.5 contains a NULL pointer dereference vulnerability in the setContext function that occurs when the library retries operations following an out-of-memory condition. This flaw affects all users of vulnerable libexpat versions and can result in application crashes leading to denial of service. While the CVSS score of 2.9 is low and exploitation requires specific local conditions and high complexity, this vulnerability represents a stability risk for XML parsing operations in memory-constrained or stressed environments.
libexpat before version 2.7.5 contains an infinite loop vulnerability triggered during DTD (Document Type Definition) parsing, allowing local attackers to cause a denial of service condition. The vulnerability affects all applications and libraries that depend on libexpat for XML parsing, with a CVSS score of 4.0 reflecting limited severity due to local-only attack vector and availability impact. While the CVSS base score is moderate, the infinite loop condition presents a real denial of service risk for services that parse untrusted XML documents containing malicious DTD content.
libexpat before version 2.7.5 contains a NULL pointer dereference vulnerability triggered by malformed XML containing empty external parameter entity content, resulting in denial of service through application crashes. The vulnerability affects all versions of libexpat prior to 2.7.5 across multiple platforms and applications that embed this XML parsing library. An attacker with local access can craft a malicious XML document to crash any application using vulnerable libexpat, though the impact is limited to availability (CVSS 4.0) with no code execution or data compromise possible.
A URL redirection vulnerability in Samsung Account allows remote attackers to potentially steal user access tokens through malicious redirect chains. The vulnerability affects Samsung Account versions prior to 15.5.01.1 and requires user interaction to exploit. While not currently in CISA's Known Exploited Vulnerabilities catalog, the issue has a moderate CVSS score of 7.0 and could lead to account takeover if successfully exploited.
An Insecure Direct Object Reference (IDOR) vulnerability exists in Campus Educativa at the endpoint '/archivos/usuarios/[ID]/[username]/thumb_AAxAA.jpg' that allows unauthenticated attackers to enumerate and download profile photographs of all users by manipulating URL parameters. Successful exploitation enables mass collection of user photos for identity impersonation, social engineering, facial recognition-based identity linking across platforms, and doxxing attacks. With a CVSS score of 6.9 and no authentication required, this vulnerability poses a moderate-to-significant risk to user privacy and security.
Raytha CMS contains a user enumeration vulnerability in its password reset functionality where differing error messages reveal whether a login exists in the system, enabling attackers to build valid user lists for targeted brute force attacks. This vulnerability affects Raytha CMS versions prior to 1.5.0. The moderate CVSS score of 6.9 reflects the information disclosure risk, though real-world impact depends on how attackers chain this enumeration with other attacks.
Raytha CMS lacks brute force protection mechanisms, allowing attackers to conduct unlimited automated login attempts without triggering account lockout, rate limiting, or multi-factor authentication challenges. Versions prior to 1.4.6 are affected, and an attacker can systematically enumerate valid usernames and crack passwords through high-volume credential stuffing attacks. The vulnerability represents a significant authentication bypass risk that could lead to unauthorized administrative access depending on password strength and user enumeration feasibility.
Smart Switch versions prior to 3.7.69.15 contain an improper authentication vulnerability that allows adjacent network attackers to trigger denial of service conditions without requiring user privileges or interaction. The vulnerability has a CVSS score of 6.9 with medium-to-high availability impact, making it a notable threat in local network environments where Smart Switch is deployed.
Raytha CMS contains a Cross-Site Request Forgery (CSRF) vulnerability across multiple endpoints that fails to enforce token verification on POST requests. An authenticated user can be tricked into visiting a malicious website crafted by an attacker, which automatically submits unauthorized requests (such as data deletion) to the Raytha CMS application without requiring explicit user confirmation. This vulnerability affects Raytha CMS versions prior to 1.4.6 and has a CVSS score of 6.9 with medium real-world exploitability.
The BucketsController endpoint in this plugin suffers from an information disclosure vulnerability where unauthenticated attackers possessing a valid CSRF token can enumerate the list of accessible buckets. This exposure allows reconnaissance of cloud storage resources available to the plugin without requiring authentication. Update to version 2.2.5 to resolve this issue.
CVE-2026-29516 is a security vulnerability (CVSS 4.9) that allows authenticated attackers. Remediation should follow standard vulnerability management procedures.
SiYuan Note contains an unrestricted path traversal vulnerability in the POST /api/import/importStdMd endpoint that allows authenticated administrators to recursively import arbitrary files from the host filesystem into the workspace database without any validation or blocklisting. Affected versions of SiYuan (pkg:go/github.com_siyuan-note_siyuan) allow admin users to permanently store sensitive files such as /proc/, /etc/, /run/secrets/, and other system directories as searchable note content, making them accessible to other workspace users including those with limited privileges. A proof-of-concept has been published demonstrating import of /proc/1/ and /run/secrets/, and when chained with separate SQL injection vulnerabilities in the renderSprig template function, non-admin users can retrieve imported secrets without additional privileges.
Administrative users of Docker and PostgreSQL deployments can exploit an incomplete path validation in the `POST /api/file/globalCopyFiles` endpoint to copy sensitive files like container environment variables and Docker secrets from restricted locations (`/proc/`, `/run/secrets/`) into the workspace, where they become readable via standard file APIs. The vulnerability stems from reliance on a blocklist-based validation mechanism that fails to prevent access to these critical system paths. Since no patch is currently available, organizations should restrict administrative access to the affected API endpoint until an update is released.
An unauthenticated Server-Side Request Forgery (SSRF) and Local File Read vulnerability exists in the Admidio SSO metadata fetch endpoint, which accepts arbitrary URLs via GET parameter and passes them directly to file_get_contents() after validating only with PHP's FILTER_VALIDATE_URL-a format checker that does not block dangerous URI schemes. An authenticated administrator can exploit this to read arbitrary local files (including database credentials from config.php), probe internal network services, or fetch cloud instance metadata (such as AWS IAM credentials from 169.254.169.254). A proof-of-concept demonstrating all attack vectors has been published; CVSS 6.8 reflects high confidentiality impact but is mitigated by the requirement for administrator privileges.
AWS API MCP Server versions 0.2.14 through 1.3.9 contain an improper path protection flaw in the no-access and workdir features that allows local attackers to bypass file access restrictions and read arbitrary files accessible to the MCP client application. An attacker with local access and user interaction can exploit this vulnerability to expose sensitive local file contents. Users should upgrade to version 1.3.9 or later to remediate this issue.
This vulnerability in Mattermost allows unauthenticated attackers to achieve remote code execution and exfiltrate sensitive credentials through malicious plugin installation on CI test instances that retain default admin credentials. Affected versions include Mattermost 10.11.x through 10.11.10, 11.2.x through 11.2.2, and 11.3.0, with the core issue stemming from insufficient access controls on plugin installation combined with default credential exposure. An attacker can upload a malicious plugin after modifying the import directory to gain full system compromise and access AWS and SMTP credentials stored in configuration files.
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application at the endpoint 'vets.wakyma.com/centro/equipo/empleado' that allows authenticated users to inject NoSQL commands and enumerate sensitive employee data. The vulnerability has a CVSS 4.0 score of 7.1 (High) with network attack vector requiring low privileges. No proof-of-concept code, EPSS data, or KEV listing information is currently available for this vulnerability.
Path traversal in the resourcePatchHandler allows authenticated users with Create or Rename permissions to bypass access control rules by injecting path traversal sequences (`..\`) into PATCH requests, since validation occurs before path normalization. An attacker can exploit this to copy or rename files to restricted directories that should be protected by administrator-configured deny rules. No patch is currently available.
In Forgejo through 13.0.3, the attachment component allows a denial of service by uploading a multi-gigabyte file attachment (e.g., to be associated with an issue or a release).
OpenHarmony versions 5.0.3 and earlier contain an information disclosure vulnerability caused by use of uninitialized resources, allowing local attackers to leak sensitive case-sensitive data. The vulnerability affects OpenHarmony deployments across all product lines up to v5.0.3.x (per EUVD-2025-208673). An attacker with local access and standard user privileges can read uninitialized memory regions to obtain confidential information without requiring user interaction, though there is no indication of active exploitation in public KEV databases at this time.
This vulnerability allows arbitrary code execution in OpenHarmony pre-installed applications through improper handling of incompatible types, enabling local attackers to escalate privileges and execute arbitrary code within the context of trusted system applications. Affected versions include OpenHarmony v5.0.3 through v5.1.0.x, impacting the core application framework across the OpenHarmony ecosystem. While the CVSS score of 6.3 reflects moderate severity, the vulnerability requires local access and high attack complexity, limiting real-world exploitability to restricted scenarios as noted by the vendor.
LeafKit's HTML escaping mechanism fails to properly sanitize arrays and dictionaries when rendered via templates, enabling cross-site scripting (XSS) attacks where untrusted data is output unescaped. Applications using LeafKit templates to display user-controlled collections are vulnerable to arbitrary JavaScript execution in user browsers. A patch is available to address this vulnerability.
Cross Site scripting vulnerability (XSS) in NetBox 4.3.5 "comment" field on object forms.
Chamilo LMS versions 1.11.34 and prior contain a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page where the keyword parameter is echoed directly into an HTML href attribute without encoding or sanitization. An attacker can inject arbitrary JavaScript by breaking out of the attribute context using a ">" payload, enabling session hijacking, credential theft, or malware distribution to any user who clicks a malicious link. The vulnerability is triggered when pagination controls render for datasets exceeding 20 items, and a patch is available in version 1.11.36.
CVE-2026-3644 is a security vulnerability (CVSS 6.0). Remediation should follow standard vulnerability management procedures.
A buffer overflow vulnerability (CVSS 6.0). Remediation should follow standard vulnerability management procedures.
LAPSWebUI before version 2.4 by Truesec improperly caches LAPS (Local Administrator Password Solution) passwords in browser storage, allowing a local attacker with user-level access to retrieve plaintext or weakly protected admin credentials from the browser cache. An attacker who gains access to a workstation where an administrator has used LAPSWebUI can escalate privileges to local administrator by exploiting this caching behavior. While the CVSS score is moderate at 6.0, the practical impact is high because successful exploitation directly enables privilege escalation to administrative access.
LAPSWebUI before version 2.4 contains a non-functional logout mechanism that allows an authenticated local attacker to obtain elevated privileges through disclosure of cached local administrator passwords. An attacker with existing workstation access and low privileges can exploit this flaw to escalate to local admin by recovering credentials that should have been cleared upon session termination. The vulnerability carries a CVSS v4.0 score of 6.0 (Medium) with local attack vector and requires prior login plus user interaction, though the confidentiality impact on sensitive credentials is marked as high.
Insufficient Session Expiration in Truesec's LAPSWebUI before version 2.4 allows local attackers with user-level privileges to obtain local administrator passwords through inadequate session management controls. An attacker with physical or logical access to a workstation can exploit this vulnerability to escalate privileges and disclose sensitive credentials, potentially compromising domain administration. This vulnerability represents a practical privilege escalation risk in environments relying on LAPS (Local Administrator Password Solution) for credential management.
The Glances system monitoring application accepts arbitrary HTTP Host headers on its REST API and WebUI endpoints, enabling DNS rebinding attacks that bypass browser same-origin policy and expose sensitive system data. While the MCP endpoint was recently hardened with host validation, the main FastAPI application for REST/WebUI/token routes lacks equivalent TrustedHostMiddleware protection, allowing attackers to rebind attacker-controlled domains to the victim's local Glances instance and read API responses as same-origin content. A proof-of-concept is code-validated through source inspection, and a patch is available in version 4.5.2 and later.
Galaxy Store versions prior to 4.6.03.8 contain a path traversal vulnerability that enables local attackers to create files with Galaxy Store privileges. This could allow an attacker with local access to escalate their capabilities by writing malicious files in unintended locations. No patch is currently available for this issue.
Galaxy Store prior to version 4.6.03.8 contains an improper cryptographic signature verification vulnerability that allows a local attacker to install arbitrary applications without proper authorization. An attacker with physical or local access to a device can bypass the signature validation mechanism, enabling installation of malicious or unauthorized apps. While the CVSS score of 5.9 is moderate, the integrity impact is high, making this a meaningful threat to device security and app ecosystem integrity.
Mattermost versions 11.3.0 and earlier, 11.2.2 and earlier, and 10.11.10 and earlier contain an array length handling vulnerability in the calls plugin that allows unauthenticated remote attackers to trigger out-of-memory (OOM) errors and crash the server by sending maliciously crafted msgpack frames over websocket connections. With a CVSS score of 5.8 and network-based attack vector requiring no privileges or user interaction, this denial-of-service vulnerability poses a moderate but easily exploitable availability risk to any exposed Mattermost deployment.
Remote code execution in Bedrock AgentCore Starter Toolkit versions before v0.1.13 allows unauthenticated attackers to inject malicious code during the build process by exploiting missing S3 ownership verification, affecting only users who built the toolkit after September 24, 2025. An attacker can achieve arbitrary code execution within the AgentCore Runtime environment. Users must upgrade to version v0.1.13 to remediate this vulnerability, as no patch is currently available for earlier versions.
HCL AION contains inadequate auditing and logging mechanisms that fail to properly track certain user actions, reducing the traceability of user activities and potentially compromising monitoring, accountability, and incident investigation capabilities. The vulnerability affects AION 2.0 and is classified as an Information Disclosure issue with a CVSS score of 5.8. An attacker with local access and low privileges could exploit this to perform actions without adequate logging, hindering forensic analysis and compliance audit trails.
Admidio's profile membership management function fails to validate CSRF tokens on the save_membership action, allowing an attacker to forge requests that modify membership start and end dates for any member of roles led by the victim. While other membership-related actions (stop_membership, remove_former_membership) include CSRF protection, save_membership was omitted from validation, enabling silent privilege escalation or access revocation through cross-site request forgery. A proof-of-concept exists demonstrating immediate exploitation by embedding a form on an external page.