Xerte Online Toolkits 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability allowing remote code execution with a CVSS score of 9.8. The template import functionality at /website_code/php/import/import.php lacks authentication checks, enabling attackers to upload ZIP archives containing malicious PHP files that are extracted to web-accessible directories. This is a critical severity issue with network-based attack vector requiring no privileges or user interaction, and a proof-of-concept has been published by VulnCheck.
A critical authentication bypass and command injection vulnerability chain in AVideo's CloneSite plugin allows completely unauthenticated remote attackers to achieve full system compromise. The vulnerability affects AVideo installations with the CloneSite plugin enabled, allowing attackers to steal clone authentication keys, dump the entire database including MD5-hashed admin credentials, crack those credentials trivially, and finally execute arbitrary system commands via an rsync command injection. A detailed proof-of-concept demonstrating the complete attack chain is publicly available in the GitHub security advisory, making this an immediate exploitation risk.
The Kali Forms plugin for WordPress contains a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code on the server. All versions up to and including 2.4.9 are affected, including the popular 'Kali Forms - Contact Form & Drag-and-Drop Builder' plugin by WPChill. The vulnerability carries a critical CVSS score of 9.8 due to its network-based attack vector, low complexity, and lack of required authentication or user interaction.
A critical authentication bypass vulnerability in Oracle Identity Manager and Oracle Web Services Manager allows remote attackers to completely compromise affected systems without any credentials. The vulnerability resides in the REST WebServices and Web Services Security components, affecting versions 12.2.1.4.0 and 14.1.2.1.0 of both products. With a CVSS score of 9.8 and no authentication required, this represents a severe risk to identity management infrastructure, though no current KEV listing or public POC has been documented in available sources.
Precurio Intranet Portal 4.4 contains a CSRF vulnerability that allows attackers to trick authenticated users into uploading malicious files to the server, potentially leading to remote code execution with web server privileges. A public exploit is available via PacketStorm (file ID 215644), significantly lowering the barrier for exploitation. The vulnerability carries a CVSS score of 8.8 with network-based attack vector requiring only user interaction.
libfuse versions 3.18.0 through 3.18.1 contain a use-after-free vulnerability in the io_uring subsystem that allows local attackers to crash FUSE filesystem processes or execute arbitrary code when thread creation fails under resource constraints. The flaw occurs when io_uring initialization fails (e.g., due to cgroup limits), leaving a dangling pointer in session state that is dereferenced during shutdown. Public exploit code exists for this vulnerability, and no patch is currently available.
An unauthenticated directory traversal vulnerability exists in Siyuan kernel's /appearance/ endpoint, allowing remote attackers to read arbitrary files accessible to the server process without authentication. The vulnerability affects the Go-based Siyuan note-taking application (github.com/siyuan-note/siyuan/kernel) and has been assigned a CVSS score of 7.5 (High). A working proof-of-concept exploit is publicly available demonstrating successful file retrieval via crafted URLs containing path traversal sequences, and a patch has been released by the vendor.
{flow_id}/{file_name} endpoint, while all other file operation endpoints properly implement these security controls. A proof-of-concept exploit exists demonstrating that any attacker with knowledge of a flow UUID and filename can retrieve sensitive image data without credentials, posing a critical risk in multi-tenant deployments where cross-tenant data leakage can occur.
Path traversal in Langflow's /profile_pictures endpoint allows unauthenticated remote attackers to read the application's secret_key through directory traversal in the folder_name parameter. Since the secret_key is used for JWT authentication, attackers can forge valid tokens to gain unauthorized system access. Public exploit code exists for this vulnerability and no patch is currently available.
Remote code execution in D-Link DIR-513 1.10 via stack-based buffer overflow in the /goform/formEasySetPassword endpoint allows unauthenticated attackers to achieve full system compromise through a malicious curTime parameter. Public exploit code exists for this vulnerability, and affected devices are no longer receiving security updates from the vendor. An attacker with network access can execute arbitrary code with high privileges without user interaction.
Stack-based buffer overflow in Tenda A18 Pro MAC filtering configuration allows remote authenticated attackers to achieve full system compromise through manipulation of the deviceList parameter. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw impacts the /goform/setMacFilterCfg endpoint with a CVSS score of 8.8.
Remote code execution in Tenda A18 Pro firmware 02.03.02.28 allows authenticated attackers to achieve full system compromise through stack-based buffer overflow in the QoS configuration function. Public exploit code exists for this vulnerability and no patch is currently available, leaving deployed devices at immediate risk.
Stack-based buffer overflow in Tenda A18 Pro firmware version 02.03.02.28 allows remote attackers with low privileges to achieve complete system compromise through manipulation of the SetIpMacBind function arguments. Public exploit code exists for this vulnerability, and no patch is currently available. An authenticated attacker can execute arbitrary code remotely without user interaction, affecting confidentiality, integrity, and availability of affected devices.
Stack-based buffer overflow in Tenda A18 Pro firmware version 02.03.02.28 enables authenticated remote attackers to achieve code execution with high privileges through the setSchedWifi function. Public exploit code is available for this vulnerability, and no patch has been released, leaving affected devices exposed to active exploitation. An attacker with network access and valid credentials can trigger the overflow to compromise system integrity and confidentiality.
Stack-based buffer overflow in Tenda A18 Pro firmware version 02.03.02.28 allows authenticated remote attackers to achieve complete system compromise through the /goform/fast_setting_wifi_set endpoint. Public exploit code is available and actively being weaponized against this unpatched vulnerability. Attackers with network access and valid credentials can execute arbitrary code with full system privileges.
Remote code execution in UTT HiPER 1250GW firmware versions up to 3.2.7 allows authenticated attackers to overflow a buffer in the /goform/setSysAdm function via a malicious GroupName parameter. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials can achieve complete system compromise including code execution, data theft, and denial of service.
Unauthenticated attackers can trigger a buffer overflow in UTT HiPER 1200GW firmware versions up to 2.5.3-170306 via the /goform/websHostFilter endpoint, enabling remote code execution with full system compromise. Public exploit code is available and there is currently no patch, leaving affected devices at immediate risk. The vulnerability requires only network access and valid credentials to exploit, making it readily actionable for threat actors.
CTEK Chargeportal's OCPP WebSocket endpoints accept unauthenticated connections, allowing remote attackers to impersonate charging stations by connecting with known or discovered station identifiers and issuing fraudulent OCPP commands to the backend infrastructure. This authentication bypass enables complete control over charging operations, data manipulation, and privilege escalation across the charging network. CISA ICS-CERT issued advisory ICSA-26-078-06 for this industrial control system vulnerability. EPSS score of 0.13% (33rd percentile) indicates relatively low predicted exploitation likelihood despite critical CVSS 9.3 severity, though SSVC assessment confirms the vulnerability is fully automatable with total technical impact.
Unauthenticated access to OCPP WebSocket endpoints allows remote attackers to impersonate legitimate charging stations and execute arbitrary commands against electric vehicle charging infrastructure without credentials. An attacker can connect using a known station identifier to manipulate charging operations, alter backend data, and escalate privileges across the charging network. No patch is currently available for this critical vulnerability affecting EV charging systems.
This vulnerability affects Automated Logic's WebCTRL Premium Server, which transmits BACnet protocol data in cleartext without encryption. An attacker positioned on the network can sniff sensitive service information including File Start Position, File Data, and proprietary PLC update formats using tools like Wireshark, enabling both information disclosure and potential integrity attacks through modification of intercepted traffic. With a CVSS score of 9.1 (Critical) and network-based attack vector requiring no privileges or user interaction, this represents a significant exposure for building automation systems.
Missing rate limiting in CTEK Chargeportal's WebSocket API enables remote attackers to launch denial-of-service attacks against electric vehicle charging infrastructure telemetry or conduct brute-force authentication attacks. All versions of Chargeportal are affected. CISA ICS-CERT has issued an advisory (ICSA-26-078-06), indicating focus on critical infrastructure risk. EPSS exploitation probability is low (0.08%, 23rd percentile), and no active exploitation or public exploit is confirmed. SSVC assessment indicates the vulnerability is automatable but has no confirmed exploitation, suggesting moderate real-world urgency despite the high CVSS 8.7 score.
Unlimited authentication attempts against the eParking.fi WebSocket API enable network-based denial-of-service attacks that suppress or mis-route electric vehicle charger telemetry, and enable credential brute-forcing to gain unauthorized system access. Reported by ICS-CERT, affecting all versions of the charging management platform. EPSS score of 0.07% (22nd percentile) suggests low widespread exploitation probability, though SSVC marks it as automatable with partial technical impact. No active exploitation confirmed (not in CISA KEV), but CVSS 8.7 with AV:N/PR:N/AC:L indicates trivial remote exploitation against unauthenticated endpoints.
Ory Oathkeeper, an identity and access proxy, contains an authorization bypass vulnerability via HTTP path traversal that allows attackers to access protected resources without authentication. The vulnerability affects Ory Oathkeeper installations where the software uses un-normalized paths for rule matching, enabling requests like '/public/../admin/secrets' to bypass authentication requirements. With a CVSS score of 10.0 (Critical) and network-based exploitation requiring no privileges or user interaction, this represents a severe authentication bypass, though no current EPSS score or KEV listing indicates limited evidence of active exploitation at this time.
SiYuan personal knowledge management system versions 3.6.0 and below contain a path traversal vulnerability that allows authenticated attackers to exfiltrate arbitrary readable files from the system. An attacker with low-level privileges can exploit the /api/lute/html2BlockDOM endpoint to copy sensitive files to the workspace assets directory via malicious file:// links in pasted HTML, then retrieve them through the authenticated GET /assets/ endpoint. This is a critical vulnerability with a CVSS score of 9.9 due to its potential for high confidentiality impact and scope change, though no active exploitation (KEV) or public proof-of-concept has been documented.
OpenClaw contains an authorization bypass vulnerability in its WebSocket connection handling that allows authenticated users with low-privilege shared-token or password credentials to falsely declare elevated administrative scopes without proper server-side validation. Attackers with basic authentication can escalate privileges to operator.admin level and execute administrative gateway operations. With a CVSS score of 9.9 (Critical) and low attack complexity, this represents a severe privilege escalation risk, though no KEV listing or EPSS data is currently available to confirm active exploitation.
An unauthenticated server-side request forgery (SSRF) vulnerability exists in AVideo's Live plugin test.php endpoint that allows remote attackers to force the server to send HTTP requests to arbitrary URLs. The vulnerability affects AVideo installations with the Live plugin enabled and can be exploited to probe internal network services, access cloud metadata endpoints, and retrieve content from internal HTTP resources. A proof-of-concept has been published demonstrating localhost service enumeration, and the vulnerability requires no authentication or user interaction to exploit.
A critical OS command injection vulnerability exists in Totolink WA300 router firmware version 5.2cu.7112_B20190227, specifically in the recvUpgradeNewFw function within /cgi-bin/cstecgi.cgi. An unauthenticated remote attacker can exploit this flaw to execute arbitrary operating system commands on the affected device. A public proof-of-concept exploit has been released on GitHub, significantly lowering the barrier to exploitation and increasing real-world risk.
The Aimogen Pro plugin for WordPress contains an arbitrary function call vulnerability allowing unauthenticated attackers to execute privileged WordPress functions without authorization. All versions up to and including 2.7.5 are affected, enabling attackers to modify critical site settings such as changing the default user registration role to administrator, then registering as an admin to gain full site control. This is a critical authentication bypass with privilege escalation rated 9.8 CVSS, though no active exploitation (KEV) or public proof-of-concept has been reported at this time.
Heap overflow in PJSIP 2.16 and earlier DNS parser allows unauthenticated remote attackers to achieve code execution with no user interaction required. The vulnerability affects only applications explicitly configured with a built-in nameserver; users relying on OS resolvers or external resolver implementations are unaffected. No patch is currently available, but mitigation is possible by disabling DNS resolution or switching to an external resolver.
SysAK v2.0 and before is vulnerable to command execution via aaa;cat /etc/passwd. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WebCTRL Premium Server contains a port binding vulnerability that allows an attacker with local access to bind to the same network port used by the WebCTRL service. This enables the attacker to send malicious packets and impersonate the legitimate WebCTRL service without injecting code into the application, potentially compromising confidentiality and integrity of building automation system communications. The vulnerability affects Automated Logic's WebCTRL Premium Server and has been disclosed by ICS-CERT, though no KEV listing or public POC is currently documented.
An OS command injection vulnerability exists in the D-Link DIR-820LW router firmware version 2.03, specifically in the ssdpcgi_main function of the SSDP component. The vulnerability allows remote, unauthenticated attackers to execute arbitrary operating system commands via manipulation of the HTTP_ST environment variable. A proof-of-concept exploit has been publicly disclosed on GitHub, making this an immediate concern for organizations using affected devices.
A stored Cross-site Scripting (XSS) vulnerability exists in the Anchorr Discord bot's web dashboard User Mapping dropdown that allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in an administrator's browser. This can be chained with an unauthenticated API endpoint (/api/config) to exfiltrate all stored credentials including Discord tokens, Jellyfin API keys, Jellyseerr API keys, JWT secrets, webhook secrets, and bcrypt password hashes. The vulnerability affects Anchorr versions 1.4.1 and below, with a critical CVSS score of 9.6 indicating network-based exploitation with low complexity and no authentication required.
GPU shader compiler memory corruption via malicious shader code allows remote code execution when the compiler runs with elevated privileges, affecting multiple platforms through crafted switch statements that trigger out-of-bounds writes. An attacker can exploit this vulnerability by delivering specially-crafted GPU shader code through a web page, potentially gaining system-level control on vulnerable devices. No patch is currently available for this critical vulnerability.
WebCTRL Premium Server systems contain an authentication bypass vulnerability arising from BACnet protocol's inherent lack of network layer authentication, compounded by WebCTRL's failure to implement additional validation. An attacker with network access can spoof BACnet packets targeting either the WebCTRL server or associated AutomatedLogic controllers, which will process the spoofed packets as legitimate traffic. This vulnerability has a CVSS score of 7.5 with high integrity impact and is disclosed through ICS-CERT advisory ICSA-26-078-08.
SQL injection in PbootCMS versions up to 3.2.12 allows unauthenticated remote attackers to manipulate the Username parameter in the Member Login function, potentially enabling unauthorized database access and data manipulation. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in eosphoros-ai db-gpt versions up to 0.7.5 allows unauthenticated remote attackers to manipulate the /api/v1/editor/ endpoint and execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. This vulnerability impacts confidentiality, integrity, and availability of affected systems.
libfuse versions 3.18.0 through 3.18.1 contain a NULL pointer dereference and memory leak vulnerability in the fuse_uring_init_queue function that affects only the io_uring transport implementation. A local user with low privileges can trigger this vulnerability to crash the FUSE daemon or exhaust system resources through repeated exploitation. A proof-of-concept has been confirmed with AddressSanitizer and LeakSanitizer, demonstrating both the NULL dereference condition and memory leak when numa_alloc_local or fuse_uring_register_queue fail.
QVR Pro contains a missing authentication vulnerability (CWE-306) that allows remote attackers to access critical functions without proper credential validation, potentially gaining unauthorized system access. All versions prior to QVR Pro 2.7.4.14 are affected. This authentication bypass vulnerability enables unauthenticated remote exploitation of a surveillance management platform, representing a direct threat to organizations relying on QVR Pro for video recording and system administration.
SiYuan personal knowledge management system contains a cross-site scripting (XSS) vulnerability in versions 3.6.0 and below. An unauthenticated attacker can exploit the /api/icon/getDynamicIcon endpoint by crafting a malicious URL that bypasses SVG sanitization filters, allowing arbitrary JavaScript execution when a victim clicks an injected link within the rendered SVG. The CVSS score of 9.3 indicates critical severity, though exploitation requires user interaction (clicking a malicious link) and the attack complexity is low.
WeGIA, a web manager for charitable institutions, contains a Reflected Cross-Site Scripting (XSS) vulnerability in the listar_memorandos_ativos.php endpoint affecting versions 3.6.6 and below. An attacker can inject arbitrary JavaScript or HTML into the sccd GET parameter, which is reflected without sanitization when the msg parameter equals 'success', enabling session hijacking, credential theft, and malicious actions in the context of victim users. The vulnerability has a critical CVSS score of 9.3 with changed scope, indicating potential impact beyond the vulnerable component.
WeGIA, a web manager for charitable institutions, contains an authenticated SQL injection vulnerability in versions 3.6.5 and below via the id_producto parameter in the restaurar_produto.php endpoint. An authenticated attacker can execute arbitrary SQL commands to fully compromise the database, extracting sensitive donor information, beneficiary records, and administrative credentials. No evidence of active exploitation (not in CISA KEV) is currently available, though proof-of-concept details are publicly disclosed in the GitHub security advisory.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in WeGIA, a web manager for charitable institutions. Versions 3.6.6 and below are affected through the novo_memorandoo.php endpoint, where an attacker can inject arbitrary JavaScript via the sccs GET parameter without sanitization. This allows execution of malicious scripts in victims' browsers when they click a crafted link, with a critical CVSS score of 9.3 due to cross-site scripting scope and high confidentiality and integrity impact.
AVideo, a video-sharing platform, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 8.0 affecting the public thumbnail endpoints getImage.php and getImageMP4.php. Unauthenticated attackers can exploit insufficient URL validation to force the server to make requests to internal network resources including cloud metadata endpoints (AWS EC2 169.254.169.254), localhost, and private IP ranges. The vulnerability has a CVSS 4.0 score of 9.3 with network attack vector requiring no privileges or user interaction, though there is no evidence of active exploitation or public proof-of-concept at this time.
Admidio versions 5.0.0 through 5.0.6 contain a critical authorization bypass vulnerability in the documents and files module that allows unauthorized deletion of folders and files. When the module is configured in public mode, unauthenticated attackers can permanently destroy the entire document library via simple HTTP GET requests without CSRF protection. The vulnerability combines missing authorization checks (CWE-862) with CSRF weaknesses, resulting in a CVSS score of 9.1 (Critical) with network-based attack vector requiring no privileges or user interaction.
MinIO AIStor's Security Token Service (STS) AssumeRoleWithLDAPIdentity endpoint contains two combined vulnerabilities that enable LDAP credential brute-forcing: distinguishable error messages allowing username enumeration (CWE-204) and missing rate limiting (CWE-307). All MinIO deployments through the final open-source release with LDAP authentication enabled are affected. Unauthenticated network attackers can enumerate valid LDAP usernames, perform unlimited password guessing attacks, and obtain temporary AWS-style STS credentials granting full access to victim users' S3 buckets and objects.
A critical arbitrary method execution vulnerability affects Graphiti's JSONAPI write functionality, allowing attackers to invoke any public method on underlying model instances, classes, or associations through crafted JSONAPI payloads. Applications using Graphiti (a Ruby gem for building JSON:API compliant APIs) that expose write endpoints to untrusted users are affected, particularly versions prior to 1.10.2. The vulnerability scores CVSS 9.1 (Critical) with network-based exploitation requiring no authentication or user interaction, enabling both high integrity and availability impacts.
A second-order XSS vulnerability exists in Textpattern CMS version 4.9.0 where user-supplied input (such as category parameters) is improperly sanitized and lacks contextual XML escaping in Atom feed XML elements like <id> and <link href>. While the payload does not execute directly in raw XML contexts within modern browsers, it becomes exploitable when feed readers, admin dashboards, or CMS aggregators consume the feed and insert its content into the DOM using unsafe methods like innerHTML, resulting in arbitrary JavaScript execution in a trusted context. A public proof-of-concept exploit is available, making this an active threat to administrators and users consuming feeds from vulnerable Textpattern instances.
A stored cross-site scripting (XSS) vulnerability in Anchorr Discord bot versions 1.4.1 and below allows authenticated Jellyseerr users to execute arbitrary JavaScript in admin browser sessions. The XSS payload can exfiltrate the full application configuration including session tokens and API keys for integrated services (Jellyfin, Jellyseerr, Discord), enabling complete account takeover across all connected platforms without requiring admin credentials. This vulnerability is tagged as XSS in ENISA's database (EUVD-2026-13503) with a CVSS score of 9.0, though no EPSS score, KEV listing, or public POC availability is reported in the provided data.
A session management vulnerability exists in the WebSocket backend of IGL Technologies' eparking.fi platform that allows multiple endpoints to connect using the same charging station identifier. An unauthenticated remote attacker can hijack legitimate charging station sessions by connecting with predictable session identifiers, enabling them to intercept backend commands, authenticate as other users, or cause denial-of-service by overwhelming the backend with concurrent session requests. This vulnerability affects operational technology (OT) infrastructure and has been disclosed by CISA ICS-CERT.