A critical path traversal vulnerability exists in the UniFi Network Application that allows unauthenticated remote attackers to access arbitrary files on the underlying system and manipulate them to gain account access. This vulnerability affects Ubiquiti's UniFi Network Application with a maximum CVSS score of 10.0, indicating critical severity with network-based exploitation requiring no user interaction or privileges. The vulnerability was reported through HackerOne, suggesting responsible disclosure, though current exploitation status in the wild is not confirmed.
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrary files anywhere on the host system, leading to remote code execution. The vulnerability affects Langflow version 1.7.3 and earlier, where the multipart upload filename bypasses security checks due to missing boundary containment in the LocalStorageService layer. A proof-of-concept exploit is publicly available demonstrating successful arbitrary file write outside the intended user directory.
BMC FootPrints ITSM contains a critical deserialization vulnerability in ASP.NET VIEWSTATE handling that allows authenticated attackers to execute arbitrary code remotely. Versions 20.20.02 through 20.24.01.001 are affected, and attackers with valid credentials can fully compromise the application by injecting malicious serialized objects. Security researchers from watchTowr have published detailed analysis of this vulnerability, significantly increasing exploitation risk.
An unauthenticated SQL injection vulnerability in AVideo allows remote attackers to execute arbitrary SQL queries through the doNotShowCats parameter in the getAllCategories() method. The vulnerability bypasses quote-stripping sanitization using backslash escape techniques, enabling attackers to extract sensitive data including user credentials, modify database contents, or potentially achieve remote code execution. No active exploitation has been reported in KEV, but proof-of-concept exploitation details are publicly available in the GitHub advisory.
BMC FootPrints ITSM contains an authentication bypass vulnerability allowing unauthenticated remote attackers to access restricted REST API endpoints and servlets without proper authorization. Affected versions range from 20.20.02 through 20.24.01.001, enabling attackers to invoke restricted functionality, access application data, and modify system resources. A public proof-of-concept exploit has been published by watchTowr Labs demonstrating pre-authentication remote code execution chains, significantly elevating the real-world risk.
Azure Cloud Shell contains a server-side request forgery vulnerability that allows unauthenticated remote attackers to escalate privileges without user interaction. The vulnerability affects Microsoft products and has a critical CVSS score of 10.0, though no patch is currently available. Attackers can leverage network access to achieve privilege elevation across system boundaries.
Authentication bypass in Smallstep Step CA (GitHub certificates package) allows remote unauthenticated attackers to completely circumvent authentication controls and gain high-level unauthorized access to certificate authority operations. Affects all versions before 0.30.0. Vendor has released patch version 0.30.0 with full vulnerability details embargoed until March 30, 2026. Despite maximum CVSS 10.0 severity, current EPSS score of 0.01% suggests no widespread exploitation activity detected, though limited public disclosure may suppress scanning/exploitation until full details release.
Microsoft 365 Copilot's Business Chat contains a server-side request forgery vulnerability that allows authenticated users to escalate privileges across network boundaries. An attacker with valid credentials can exploit this flaw to access or manipulate resources beyond their intended authorization level. No patch is currently available, making this a significant risk for organizations using the affected service.
Remote code execution in wgcloud version 2.3.7 and earlier allows unauthenticated attackers to execute arbitrary code through the test connection function. The vulnerability carries a critical CVSS score of 9.8 with network-based exploitation requiring no privileges or user interaction. No public exploit has been identified at time of analysis, though the EPSS score of 0.29% (52nd percentile) indicates low predicted exploitation probability despite the critical severity rating.
ThimPress BuilderPress, a WordPress plugin, contains a Local File Inclusion vulnerability through improper filename control in PHP include/require statements that allows unauthenticated remote attackers to read arbitrary files from the server. All versions through 2.0.1 are affected. With a CVSS score of 9.8 (Critical) and no authentication required, this represents a severe vulnerability allowing unauthorized information disclosure, though EPSS and KEV status data are not provided in the intelligence sources.
A critical command injection vulnerability exists in Microsoft Bing Images that allows unauthenticated remote attackers to execute arbitrary commands on affected systems. The vulnerability stems from improper neutralization of special characters in user-supplied input, enabling attackers to inject and execute system commands without any user interaction or authentication. With a CVSS score of 9.8 and requiring no special privileges or user interaction, this represents a severe risk to any exposed Bing Images deployments.
A critical OS command injection vulnerability exists in Microsoft Bing Images that allows remote attackers to execute arbitrary commands without authentication. The vulnerability enables complete system compromise with high impact to confidentiality, integrity, and availability. With a CVSS score of 9.8 and requiring no user interaction, this represents a severe risk to any systems running vulnerable versions of Bing Images.
OS command injection in the CWMP client (/ftl/bin/cwmp) of Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote attackers controlling the ACS endpoint to execute arbitrary commands as root via a crafted...
Remote code execution in OpenWrt's mDNS daemon (versions before 24.10.6 and 25.12.1) allows unauthenticated attackers to overflow a 46-byte stack buffer by sending malformed IPv6 PTR queries over multicast DNS on UDP port 5353. The vulnerability stems from insufficient validation of domain name length before copying to a fixed-size buffer, enabling arbitrary code execution on affected embedded devices. No patch is currently available.
Use of a deterministic credential generation algorithm in /ftl/bin/calc_f2 in Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote attackers to derive valid administrative/root credentials from the...
A remote code execution vulnerability in DedeCMS v.5.7.118 and (CVSS 9.8) that allows a remote attacker. Critical severity with potential for significant impact on affected systems.
Use of a hard-coded AES-256-CBC key in the configuration backup/restore implementation of Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote authenticated users to decrypt, modify, and re-encrypt...
A sandbox network isolation bypass vulnerability in OpenClaw allows trusted operators to escape container network boundaries and join other containers' network namespaces. OpenClaw versions before 2026.2.24 are affected, enabling attackers who have operator privileges to configure the docker.network parameter with 'container:<id>' values to reach services in target container namespaces and bypass network segmentation controls. The vulnerability has a critical CVSS score of 9.8 but requires trusted operator access, and there is no evidence of active exploitation in KEV or high EPSS probability.
A deserialization of untrusted data vulnerability in the Themeton Finag WordPress theme allows remote attackers to inject malicious PHP objects without authentication. This affects all versions of Finag through 1.5.0. The vulnerability carries a critical CVSS score of 9.8 due to network-based exploitation requiring no privileges or user interaction, enabling attackers to achieve complete compromise of confidentiality, integrity, and availability.
A critical PHP object injection vulnerability exists in the Zuut WordPress theme due to insecure deserialization of untrusted data. The vulnerability affects all versions of Zuut through 1.4.2 and allows unauthenticated remote attackers to execute arbitrary PHP code, potentially leading to complete site compromise. With a CVSS score of 9.8, this vulnerability requires no privileges or user interaction and can be exploited over the network with low complexity.
An incorrect privilege assignment vulnerability exists in the WooCommerce Wholesale Lead Capture plugin for WordPress, allowing unauthenticated attackers to escalate privileges on affected sites. All versions through 2.0.3.1 of the plugin developed by Rymera Web Co Pty Ltd. are vulnerable. With a CVSS score of 9.8 (Critical) and network-based exploitation requiring no privileges or user interaction, this represents a severe security risk for WordPress sites using this plugin.
Remote code execution in OpenWrt mdns daemon (versions before 24.10.6 and 25.12.1) allows unauthenticated attackers to crash the service or execute arbitrary code by sending specially crafted DNS PTR queries to UDP port 5353, exploiting a stack buffer overflow in the parse_question function. The vulnerability occurs when domain names are expanded and copied without bounds checking, with non-printable characters inflating the payload beyond the fixed 256-byte buffer. No patch is currently available for affected embedded device deployments.
Authenticated file read vulnerability in PHP and Docker deployments allows users to exfiltrate arbitrary files from the server by exploiting insufficient path validation in the video upload endpoint, which copies attacker-specified local files to publicly accessible storage. An authenticated attacker can leverage this to read sensitive files from broad server directories including application roots, cache, and temporary locations. No patch is currently available, and the vulnerability carries a 10% exploit prediction score.
A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, where malicious email content is stored unsanitized and executed when email notifications are sent to agents. An unauthenticated attacker can exploit this by simply sending a specially crafted email that executes malicious scripts when viewed by support staff in their email clients, potentially leading to session hijacking, credential theft, and account takeover. The vulnerability has a critical CVSS score of 9.3 due to its ease of exploitation and broad impact across all notification recipients.
Blind SQL injection in Profile Builder Pro WordPress plugin versions up to 3.13.9 allows remote unauthenticated attackers to extract database contents and cause service degradation. The vulnerability exploits improper input sanitization in SQL queries, enabling attackers to manipulate database commands without authentication. CVSS score of 9.3 (Critical) reflects network-accessible attack surface with no authentication barrier, though EPSS score of 0.03% (8th percentile) indicates minimal observed exploitation attempts. Patchstack database confirms vulnerability details; no CISA KEV listing indicates no confirmed active exploitation at time of analysis.
BMC FootPrints ITSM contains a blind server-side request forgery (SSRF) vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Affected versions range from 20.20.02 through 20.24.01.001, and attackers can exploit insufficient validation of externally supplied resource references to interact with internal services or cause resource exhaustion impacting availability. The vulnerability carries a CVSS score of 4.3 with low complexity and low attack vector, requiring only authentication; no active exploitation in the wild has been confirmed, but the disclosure references suggest potential chaining with pre-authentication RCE vectors documented by security researchers.
A blind server-side request forgery (SSRF) vulnerability exists in the searchWeb API component of BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001, allowing authenticated attackers to cause the server to initiate arbitrary outbound requests through improper URL validation. Attackers can exploit this to perform internal network scanning or interact with internal services, potentially impacting system availability and confidentiality. A publicly available proof-of-concept exists, and vendor patches are available.
A critical authentication bypass vulnerability in OPEXUS eComplaint and eCASE applications allows unauthenticated attackers to take over any user account by exploiting improper exposure of password reset verification codes in HTTP responses. The vulnerability affects all versions before 10.1.0.0 and enables attackers who know a user's email address to reset passwords and security questions without any verification, granting full account access. With a CVSS score of 9.8 and requiring no authentication or user interaction, this represents a severe risk to organizations using these complaint and case management systems.
JWT algorithm confusion in MinIO's OpenID Connect authentication enables attackers with knowledge of the OIDC ClientSecret to forge identity tokens and obtain S3 credentials with unrestricted IAM policies, including administrative access. Affected users can have their identities impersonated and their data accessed, modified, or deleted with 100% attack success rate. The vulnerability impacts MinIO deployments across Docker, Apple, and Microsoft platforms, with no patch currently available.
A critical remote code execution vulnerability in SuiteCRM versions 7.15.0 and 8.9.2 allows authenticated administrators to execute arbitrary system commands through a bypass of previous security patches. This vulnerability circumvents the ModuleScanner.php security controls by exploiting improper PHP token parsing that resets security checks when encountering single-character tokens, enabling attackers to hide dangerous function calls. The vulnerability represents a direct bypass of the previously patched CVE-2024-49774 and has been assigned a CVSS score of 9.1.
Command injection in OpenEMR's backup functionality (versions prior to 8.0.0.2) allows authenticated high-privilege users to execute arbitrary commands on the underlying system due to insufficient input validation. The CVSS 9.1 critical rating reflects the potential for complete system compromise, though exploitation requires valid administrative credentials. No patch is currently available for affected versions.
A Server-Side Request Forgery (SSRF) vulnerability in AVideo's Live plugin allows unauthenticated remote attackers to scan internal networks, access cloud metadata services, and bypass authentication mechanisms when the plugin is deployed in standalone mode. The vulnerability exists because user-controlled input is directly used to construct URLs for server-side requests without validation, enabling attackers to proxy requests through the vulnerable server and potentially chain this with command execution. With a CVSS score of 9.1 and requiring no authentication or user interaction, this represents a critical security risk for affected deployments.
The Mobile App Editor WordPress plugin contains an unrestricted file upload vulnerability that allows authenticated administrators to upload malicious web shells to the web server. This affects all versions through 1.3.1 and carries a critical CVSS score of 9.1 due to the potential for complete system compromise with changed scope. While requiring high privileges (administrator access), successful exploitation enables full server control including data theft, integrity compromise, and service disruption.
Spring Security fails to properly write HTTP response headers in servlet applications across multiple versions (5.7.0-5.7.21, 5.8.0-5.8.23, 6.3.0-6.3.14, 6.4.0-6.4.14, 6.5.0-6.5.8, 7.0.0-7.0.3), allowing attackers to bypass security controls that rely on these headers such as HSTS, X-Frame-Options, or CSP policies. This header omission could enable various attacks including clickjacking, man-in-the-middle attacks, or other exploits depending on which protections are intended. No patch is currently available for this critical vulnerability.
The CustomizeUser plugin in PHP and Python allows attackers to bypass channel-level access control by exploiting improper password validation in the setPassword.json.php endpoint. An administrator-level attacker can set any user's channel password to zero due to type coercion of non-numeric characters, enabling trivial authentication bypass for any visitor. No patch is currently available for this critical vulnerability.
An unrestricted file upload vulnerability exists in the Woocommerce Wholesale Lead Capture plugin for WordPress, allowing remote attackers to upload and execute malicious files without authentication. The vulnerability affects all versions through 2.0.3.1 of the plugin developed by Rymera Web Co Pty Ltd. With a CVSS score of 9.0 (Critical), this vulnerability enables attackers to achieve complete system compromise through arbitrary file upload, though the attack complexity is rated as high.
Misconfigured CORS headers in this web application permit cross-origin requests from any domain, enabling attackers to craft malicious webpages that perform unauthorized actions or exfiltrate sensitive data from victims' browsers when they visit attacker-controlled sites. Although the application is typically deployed on trusted local networks, the vulnerability can be exploited remotely by leveraging victim browsers as intermediaries without requiring direct network access. An attacker can silently harvest credentials, session tokens, or other sensitive information through transparent cross-site requests made on page load.
Remote code execution in SQLBot 1.5.0 and below allows authenticated users to inject malicious prompts through unsanitized terminology uploads, enabling attackers to manipulate the LLM into generating arbitrary PostgreSQL commands executed with database privileges. The vulnerability stems from missing permission checks on the Excel upload API combined with inadequate semantic isolation when injecting user-controlled data into the system prompt. An attacker can exploit this to achieve code execution on the database or application server running as the postgres user.
Prototype pollution in the flatted npm library (versions <= 3.4.1) lets an attacker who controls input to the parse() function leak a live reference to Array.prototype into the returned object, so any later write to that property poisons the global prototype chain. The flaw stems from parse() using attacker-supplied JSON string values such as "__proto__" as raw array index keys without numeric validation. Publicly available exploit code exists (a three-line proof of concept in the GitHub Security Advisory), though EPSS is only 0.01% (2nd percentile) and it is not in CISA KEV.
Claude Code, an AI coding assistant, contains an authentication bypass vulnerability where malicious repositories can silently skip the workspace trust confirmation dialog by setting permissions.defaultMode to bypassPermissions in a committed .claude/settings.json file. This affects users of the @anthropic-ai/claude-code npm package who open untrusted repositories. An attacker can place users into a permissive execution mode without explicit consent, enabling tool execution without the user seeing trust prompts, though no evidence of active exploitation or public proof-of-concept is currently available.
A symlink traversal vulnerability in OpenClaw allows authenticated attackers to read and write arbitrary files on the host system through the agents.files.get and agents.files.set methods. The vulnerability affects OpenClaw versions prior to 2026.2.25 and can lead to remote code execution through strategic file overwrites. With a high CVSS score of 8.8 and an RCE tag, this represents a critical security risk for organizations using affected versions.
Unauthenticated remote code execution in catalog parsing allows attackers to execute arbitrary commands on the host system by embedding shell() syntax in malicious catalog YAML files accessed by users. The vulnerability exploits automatic expansion of parameter default values during catalog source loading without proper sanitization. No patch is currently available, and exploitation requires only user interaction to load a compromised catalog.
WishList Member X, a WordPress membership plugin, contains a deserialization of untrusted data vulnerability that allows authenticated attackers with low-level privileges to perform PHP object injection attacks. This affects all versions up to and including 3.29.0. The vulnerability has a CVSS score of 8.8, indicating high severity with potential for complete compromise of confidentiality, integrity, and availability. There is no indication of active exploitation in KEV data, but the vulnerability has been publicly disclosed by Patchstack.
A configuration injection vulnerability in Kubernetes ingress-nginx controller allows authenticated attackers to inject arbitrary nginx configuration through specially crafted Ingress annotations, leading to remote code execution with controller privileges and exposure of all cluster Secrets. The vulnerability has a high CVSS score of 8.8 and affects the ingress-nginx controller's annotation parsing mechanism. No active exploitation (not in KEV) or public POC has been reported, though the attack requires only low privileges and network access.
SQL injection in SuiteCRM versions prior to 7.15.1 and 8.9.3 allows authenticated users to execute arbitrary SQL queries through improper input validation in the EmailUIAjax module's retrieve() function. An attacker with valid credentials can exploit this vulnerability to read, modify, or delete sensitive database records without restrictions. The vulnerability requires authentication but has no patch currently available.
Authenticated attackers can execute arbitrary SQL queries in Devome GRR v4.5.0 through injection vulnerabilities in the referer and user-agent parameters within include/session.inc.php, enabling full database compromise including data exfiltration, modification, and potential remote code execution. The vulnerability carries a CVSS score of 8.8 (High) with low attack complexity requiring only low-level privileges and no user interaction. EPSS probability of exploitation is extremely low at 0.01% (2nd percentile), and no public exploit identified at time of analysis beyond technical disclosure and audit documentation.
Unauthorized information disclosure in Discourse discussion platform versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows unauthenticated attackers to view restricted post titles and excerpts through inadequate permission validation on user action API endpoints. The vulnerability affects all deployments running vulnerable versions, with no available workarounds until patching to the fixed releases.
A stored cross-site scripting vulnerability in OpenEMR's patient portal payment flow allows authenticated patient users to inject malicious JavaScript that executes when staff members review payment submissions. The vulnerability affects OpenEMR versions prior to 8.0.0.2 and enables attackers to compromise staff accounts, potentially accessing sensitive medical records and administrative functions. No evidence of active exploitation exists, and no KEV listing or public POC has been identified.
Path traversal in Apple and Kubernetes DAG management APIs allows authenticated attackers to access arbitrary files outside the intended directory by injecting URL-encoded forward slashes into file name parameters on GET, DELETE, RENAME, and EXECUTE endpoints. The vulnerability affects systems where a previous patch (CVE-2026-27598) only secured the CREATE endpoint while leaving other API functions unprotected. An attacker with valid credentials can read, modify, or execute unintended DAG files on the affected system.
A sensitive information exposure vulnerability exists in Microsoft Azure Data Factory that allows unauthorized remote attackers to access and disclose confidential data over the network without authentication. The vulnerability has a high CVSS score of 8.6 due to its network-based attack vector requiring no privileges or user interaction, with scope change indicating potential impact beyond the vulnerable component. No active exploitation has been reported and no proof-of-concept is currently available.