A critical OS command injection vulnerability exists in Totolink WA300 router firmware version 5.2cu.7112_B20190227, specifically in the recvUpgradeNewFw function within /cgi-bin/cstecgi.cgi. An unauthenticated remote attacker can exploit this flaw to execute arbitrary operating system commands on the affected device. A public proof-of-concept exploit has been released on GitHub, significantly lowering the barrier to exploitation and increasing real-world risk.
An OS command injection vulnerability exists in the D-Link DIR-820LW router firmware version 2.03, specifically in the ssdpcgi_main function of the SSDP component. The vulnerability allows remote, unauthenticated attackers to execute arbitrary operating system commands via manipulation of the HTTP_ST environment variable. A proof-of-concept exploit has been publicly disclosed on GitHub, making this an immediate concern for organizations using affected devices.
SQL injection in PbootCMS versions up to 3.2.12 allows unauthenticated remote attackers to manipulate the Username parameter in the Member Login function, potentially enabling unauthorized database access and data manipulation. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in eosphoros-ai db-gpt versions up to 0.7.5 allows unauthenticated remote attackers to manipulate the /api/v1/editor/ endpoint and execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. This vulnerability impacts confidentiality, integrity, and availability of affected systems.
libfuse versions 3.18.0 through 3.18.1 contain a NULL pointer dereference and memory leak vulnerability in the fuse_uring_init_queue function that affects only the io_uring transport implementation. A local user with low privileges can trigger this vulnerability to crash the FUSE daemon or exhaust system resources through repeated exploitation. A proof-of-concept has been confirmed with AddressSanitizer and LeakSanitizer, demonstrating both the NULL dereference condition and memory leak when numa_alloc_local or fuse_uring_register_queue fail.
A second-order XSS vulnerability exists in Textpattern CMS version 4.9.0 where user-supplied input (such as category parameters) is improperly sanitized and lacks contextual XML escaping in Atom feed XML elements like <id> and <link href>. While the payload does not execute directly in raw XML contexts within modern browsers, it becomes exploitable when feed readers, admin dashboards, or CMS aggregators consume the feed and insert its content into the DOM using unsafe methods like innerHTML, resulting in arbitrary JavaScript execution in a trusted context. A public proof-of-concept exploit is available, making this an active threat to administrators and users consuming feeds from vulnerable Textpattern instances.
A session management vulnerability exists in the WebSocket backend of IGL Technologies' eparking.fi platform that allows multiple endpoints to connect using the same charging station identifier. An unauthenticated remote attacker can hijack legitimate charging station sessions by connecting with predictable session identifiers, enabling them to intercept backend commands, authenticate as other users, or cause denial-of-service by overwhelming the backend with concurrent session requests. This vulnerability affects operational technology (OT) infrastructure and has been disclosed by CISA ICS-CERT.
A session management vulnerability in CTEK ChargePortal's WebSocket backend allows attackers to hijack charging station sessions by connecting with the same predictable session identifier used by legitimate stations. This enables authentication bypass, interception of backend commands intended for legitimate charging stations, and denial-of-service through session flooding. The vulnerability affects CTEK ChargePortal with a CVSS score of 7.3 and is documented in ICS-CERT advisory ICSA-26-078-06, though no active exploitation (KEV) or public POC has been reported.
Authentication identifiers for electric vehicle charging stations are publicly exposed through web-based mapping platforms, allowing unauthenticated network-based access to sensitive authentication data. The vulnerability affects CTEK ChargePortal and enables attackers to obtain charging station credentials without requiring any privileges or user interaction. This information disclosure can lead to unauthorized access to charging infrastructure and potential manipulation of charging sessions.
A web-based mapping platform exposes charging station authentication identifiers publicly, allowing unauthenticated network-based attackers to access sensitive credential information without any user interaction required. The vulnerability affects IGL Technologies eparking.fi application and enables attackers to obtain authentication material that could be leveraged for unauthorized access to charging infrastructure. There is no indication of active exploitation in the wild or public proof-of-concept code, but the vulnerability represents a direct exposure of authentication secrets (CWE-522) with moderate real-world impact.
QuNetSwitch contains hard-coded credentials that allow remote attackers to bypass authentication and gain unauthorized access to affected systems. This vulnerability affects QuNetSwitch versions prior to 2.0.5.0906, where credentials are embedded in the application code rather than properly managed through secure credential storage mechanisms. Remote attackers can exploit this weakness without requiring valid user credentials, leading to complete compromise of the network switch management interface.
A Path Traversal vulnerability exists in the ilGhera Carta Docente for WooCommerce plugin for WordPress (versions up to and including 1.5.0) that allows authenticated administrators to delete arbitrary files on the server through insufficient validation of the 'cert' parameter in the 'wccd-delete-certificate' AJAX action. An attacker with administrator privileges can exploit this to delete critical files such as wp-config.php, leading to site takeover and potential remote code execution. The vulnerability has been documented by Wordfence security researchers and affects all versions from release through 1.5.0, with a patch available in version 1.5.1 and later.
The tar-rs library versions 0.4.44 and below contain a symlink-following vulnerability in the unpack_dir function that allows attackers to modify permissions on arbitrary directories outside the extraction root. An attacker can craft a malicious tarball containing a symlink entry followed by a directory entry with the same name; when unpacked, the library follows the symlink and applies chmod to the target directory rather than validating it resides within the extraction root. This vulnerability has a CVSS score of 5.1 with network accessibility and low attack complexity, making it exploitable by remote attackers without privileges or special user interaction beyond accepting a crafted archive.
The Kubernetes NFS CSI Driver fails to properly validate the subDir parameter in volume identifiers, allowing privileged users to inject path traversal sequences that bypass intended directory restrictions. Attackers with PersistentVolume creation privileges can craft malicious volume identifiers to access and modify arbitrary directories on the NFS server during cleanup operations. No patch is currently available for this medium-severity vulnerability affecting Kubernetes environments.
Halloy, a Rust-based IRC application, contains a path traversal vulnerability in its DCC (Direct Client-to-Client) receive functionality that fails to sanitize filenames from incoming DCC SEND requests prior to commit 0f77b2cfc5f822517a256ea5a4b94bad8bfe38b6. Remote IRC users can exploit this vulnerability to write files outside the configured save directory using path traversal sequences like ../../.ssh/authorized_keys, potentially allowing arbitrary file placement on the victim's system with zero user interaction if auto-accept is enabled. The vulnerability has been patched and is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
A non-terminating loop denial-of-service vulnerability exists in tinytag version 2.2.0, a Python library for reading audio file metadata. An attacker can supply a malicious MP3 file containing a crafted ID3v2 SYLT (synchronized lyrics) frame that causes the parsing operation to enter an infinite loop, consuming CPU resources until the worker process is terminated. The vulnerability affects server-side deployments that automatically parse user-supplied files, and has been patched in version 2.2.1.
Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain an authorization bypass vulnerability in the user actions endpoint that allows authenticated users to access other users' private activity data. An attacker with valid login credentials can enumerate and view private user actions without proper permission checks, resulting in information disclosure. This is a moderate-severity issue with a CVSS score of 5.3 that requires authentication to exploit but has no known active exploitation or public proof-of-concept at this time.
An unbounded image decoding and resizing vulnerability in Vikunja's task attachment preview generation allows authenticated attackers to exhaust server CPU and memory by uploading highly compressed but extremely large-dimension images. The vulnerability affects Vikunja API versions with task attachments enabled, and a proof-of-concept script demonstrates that a 10,000×10,000 PNG (~284 KB on disk) can expand to ~100M pixels in memory during decode, causing significant latency and potential denial of service. Multiple concurrent preview requests across different attachments can degrade or crash the service, with a CVSS score of 7.5 indicating high availability impact.
An authorization bypass vulnerability exists in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, where non-staff users with elevated group membership can access deleted posts belonging to any user through an overly permissive authorization check on the deleted posts index endpoint. This is a CWE-863 (Incorrect Authorization) vulnerability that allows unauthorized information disclosure of deleted content. No public exploit or active exploitation in the wild has been reported, but patches are available and no workarounds exist.
SuiteCRM prior to version 8.9.3 contains an authenticated information disclosure vulnerability in an API endpoint that allows any authenticated user to retrieve sensitive user data including password hashes, usernames, and MFA configurations of other users. This enables attackers with valid credentials to enumerate and potentially crack administrative user passwords, escalating privileges within the CRM system. The vulnerability requires authentication but no additional user interaction, making it a practical attack vector for insider threats or compromised low-privilege accounts.
Uptime Kuma versions 1.23.0 through 2.2.0 contain an incomplete Server-Side Template Injection (SSTI) vulnerability in the LiquidJS templating engine that allows authenticated attackers to read arbitrary files from the server. A prior fix (GHSA-vffh-c9pq-4crh) attempted to restrict file path access through three mitigation options (root, relativeReference, dynamicPartials), but this fix only blocks quoted paths; attackers can bypass the mitigation by using unquoted absolute paths like /etc/passwd that successfully resolve through the require.resolve() fallback mechanism in liquid.node.js. The vulnerability requires low privileges (authenticated access) but can result in high confidentiality impact, making it a notable information disclosure risk for self-hosted monitoring deployments.
SuiteCRM versions prior to 8.9.3 contain an access control bypass in the RecordHandler::getRecord() method that allows authenticated users to retrieve any record from the system without proper ACL view permission checks. An attacker with valid credentials can enumerate and read sensitive customer data, financial records, or other confidential information across all modules by directly calling the vulnerable method. The vulnerability has a CVSS score of 6.5 (medium-high) and is information disclosure in nature with no active exploitation reports or public proof-of-concept available at this time.
Ory Oathkeeper improperly trusts the X-Forwarded-Proto header regardless of the serve.proxy.trust_forwarded_headers configuration setting, allowing attackers to bypass protocol-based access controls. This affects deployments of pkg:go/github.com_ory_oathkeeper where distinct HTTP and HTTPS rules are configured, enabling an attacker to craft requests with spoofed X-Forwarded-Proto headers to trigger unintended authorization rules. A vendor patch is available and exploitation requires specific preconditions (protocol-differentiated rules and ability to trigger one rule but not the other), limiting real-world impact despite the CVSS 6.5 score.
Command injection in QuNetSwitch allows authenticated remote attackers to execute arbitrary commands on affected systems with high impact to confidentiality and integrity. The vulnerability requires valid user credentials to exploit but poses significant risk to systems running versions prior to 2.0.5.0906. No patch is currently available for this CVSS 6.3 medium-severity issue.
File Thinghie version 2.5.7 contains a Reflected Cross-Site Scripting (XSS) vulnerability in the 'dir' GET parameter that allows attackers to execute arbitrary JavaScript code in users' browsers. An attacker can craft a malicious URL containing JavaScript payload in the 'dir' parameter and trick users into clicking it, resulting in session hijacking, credential theft, or malware distribution. While CVSS and EPSS scores are not available, proof-of-concept code exists in public repositories, indicating the vulnerability is well-documented and likely exploitable.
File Thingie version 2.5.7 contains a Stored Cross-Site Scripting (XSS) vulnerability in its file upload functionality where attackers can craft malicious filenames to execute arbitrary JavaScript in users' browsers. An attacker with the ability to upload files to a File Thingie instance can inject JavaScript payloads via filename manipulation, affecting any user who views the uploaded file list or file details. While no CVSS score, EPSS probability, or KEV inclusion status is currently available, proof-of-concept code has been published on GitHub, indicating the vulnerability is publicly disclosed and likely exploitable.
Greenshot versions 1.3.312 and earlier contain an untrusted executable search path vulnerability (CWE-426) that allows local attackers with high privileges to achieve arbitrary code execution by hijacking the explorer.exe binary launch. When a user double-clicks the Greenshot tray icon to open the screenshot directory, the application launches explorer.exe using a relative path rather than an absolute path, enabling an attacker to plant a malicious executable in a prioritized search location. This vulnerability had no patch available at the time of publication and represents a real privilege escalation and code execution risk requiring immediate user action.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Contact List plugin for WordPress (versions up to 3.0.18) where the '_cl_map_iframe' parameter fails to properly sanitize and escape Google Maps iframe custom fields, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that executes in the browsers of users viewing affected pages. The vulnerability stems from insufficient input validation in the saveCustomFields() function and missing output escaping in the front-end rendering, creating a persistent XSS condition with a CVSS score of 6.4 and low-to-moderate exploitation probability given the authentication requirement.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Autoptimize WordPress plugin through version 3.1.14, caused by insufficient input sanitization in the ao_metabox_save() function and missing output escaping when rendering the 'ao_post_preload' meta value into HTML link tags. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes whenever users access pages with the Image optimization or Lazy-load images settings enabled, potentially affecting all users of compromised sites. The vulnerability has been patched and proof-of-concept code is available in the referenced GitHub commit.
This is a Stored Cross-Site Scripting (XSS) vulnerability in the Scoreboard for HTML5 Games Lite WordPress plugin affecting all versions up to and including 1.2. The vulnerability exists in the sfhg_shortcode() function, which insufficiently validates HTML attributes added to iframe elements, allowing authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript that executes when users view affected pages. The vulnerability has a CVSS score of 6.4 with medium real-world risk, as it requires authenticated access but affects stored content with site-wide impact.
ChurchCRM versions prior to 7.0.2 contain a stored cross-site scripting (XSS) vulnerability in the system settings module where administrative users can inject unescaped JavaScript payloads into JSON-type system settings fields. Any administrator who subsequently views the system settings page will execute the attacker's malicious script, potentially allowing credential theft, session hijacking, or lateral movement within the church organization's administrative infrastructure. The vulnerability has been patched in version 7.0.2, and no evidence of active exploitation in the wild has been reported, though the attack requires only high-level privileges (admin access) and basic user interaction (viewing settings).
The Autoptimize WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the lazy-loading image processing function that allows authenticated attackers with Contributor-level access to inject arbitrary web scripts into pages. The flaw exists in all versions up to and including 3.1.14 and stems from an overly permissive regular expression that fails to properly validate image tag attributes, enabling attackers to craft malicious image tags that break HTML structure and promote attribute values into executable code. This vulnerability carries a moderate CVSS score of 6.4 and requires user interaction for stored XSS payloads to execute when pages are accessed.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Image Alt Text Manager plugin for WordPress (all versions up to 1.8.2) due to insufficient input sanitization and output escaping when dynamically generating image alt and title attributes via DOM parser. Authenticated attackers with Author-level access or higher can inject arbitrary JavaScript through post titles, which executes when other users visit affected pages. With a CVSS score of 6.4 and confirmed reporting by Wordfence, this vulnerability affects SEO-focused WordPress installations relying on this plugin for bulk alt text management.
An information disclosure vulnerability in Parse Server's LiveQuery functionality allows attackers to infer the values of protected fields by monitoring whether update events are generated when those fields change, effectively creating a binary oracle that reveals field modifications despite the field values themselves being stripped from event payloads. The vulnerability affects Parse Server npm package across multiple versions, and while no public exploit code or active exploitation has been documented, the attack requires only standard subscription capabilities without elevated privileges. The vendor has released patches that validate the watch parameter against protected fields at subscription time, mirroring existing where clause protections.
This is a deserialization of untrusted data vulnerability (PHP Object Injection) in the TotalContest Lite WordPress plugin that allows authenticated attackers with high-level privileges to inject arbitrary PHP objects. The vulnerability affects all versions through 2.9.1 of the TotalContest Lite plugin from TotalSuite. With a CVSS score of 7.2, successful exploitation can lead to high impact on confidentiality, integrity, and availability of the affected system.
A cross-site scripting (XSS) vulnerability exists in QuFTP Service that allows authenticated remote attackers with administrator credentials to bypass security mechanisms and read application data. The vulnerability affects multiple versions of QuFTP Service across different release branches (1.4.x, 1.5.x, and 1.6.x prior to specified patch versions). While no CVSS score, EPSS probability, or KEV status is currently available, the requirement for administrator-level access significantly constrains real-world exploitation risk.
The iTracker360 WordPress plugin (versions up to 2.2.0) contains a combined Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) vulnerability in its settings form submission handler. An unauthenticated attacker can craft a malicious link or webpage that, when clicked by an administrator, injects arbitrary JavaScript code into the plugin's stored settings due to missing nonce verification and insufficient input sanitization/output escaping. This vulnerability is classified as medium severity (CVSS 6.1) and poses a real risk to WordPress sites using this plugin, as exploitation requires only user interaction and network access with no special privileges.
A reflected cross-site scripting (XSS) vulnerability exists in the Zimbra Collaboration Suite (ZCS) Classic Webmail REST interface (/h/rest) affecting versions 10.0 and 10.1, allowing unauthenticated attackers to inject malicious JavaScript via crafted URLs. When a victim accesses the malicious link, the injected script executes within the Zimbra webmail application context, enabling the attacker to perform unauthorized actions on behalf of the victim such as reading emails, modifying settings, or sending messages. No CVSS score, EPSS probability, or public exploit code availability data is currently documented in the available intelligence sources, though the vulnerability is documented in the Zimbra Releases 10.1.16 security fixes, indicating a patch has been made available.
A stored cross-site scripting (XSS) vulnerability exists in Zimbra Collaboration Server (ZCS) versions 10.0 and 10.1 within the Briefcase feature, caused by insufficient sanitization of uploaded file types. When an attacker crafts a malicious file and shares it via the Briefcase public sharing mechanism, the embedded JavaScript executes in the victim's browser session context when the file is opened, enabling arbitrary script execution, session hijacking, credential theft, and unauthorized actions on behalf of the victim. No CVSS score, EPSS data, or active KEV status is currently available, though the attack vector is network-based with low complexity and requires user interaction (file opening).
DooTask v1.6.27 contains a Stored or Reflected Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> endpoint via the projectDesc input field, allowing an attacker to inject malicious JavaScript that executes in the context of other users' browsers. An authenticated or unauthenticated attacker can exploit this to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. A proof-of-concept has been publicly disclosed on GitHub, increasing the likelihood of active exploitation.
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the error_description parameter of Gainsight Assist, allowing unauthenticated attackers to inject malicious JavaScript payloads that execute in victims' browsers. The vulnerability is particularly dangerous because attackers can bypass the application's Web Application Firewall (WAF) using Safari-specific event handlers such as onpagereveal, which are not typically filtered by standard XSS protections. While the CVSS score of 6.1 indicates moderate severity with limited direct impact (integrity and availability degradation rather than confidentiality breach), the attack requires minimal technical complexity and no special privileges, making it exploitable by any attacker who can craft a malicious URL and socially engineer a victim into clicking it.
AVideo contains a reflected cross-site scripting (XSS) vulnerability in the password unlock functionality where the unlockPassword request parameter is directly reflected into HTML input tag attributes without output encoding. The vulnerability affects AVideo (pkg:composer/wwbn_avideo) and can be exploited by any unauthenticated attacker to execute arbitrary JavaScript in the victim's browser with no user interaction beyond clicking a crafted link, potentially leading to session hijacking, account takeover, or credential theft. A proof-of-concept has been published and the vulnerability is documented in the official GitHub advisory.
An authenticated user with restricted RBAC permissions on specific key ranges in etcd can use nested transactions to completely bypass key-level authorization controls and access the entire etcd data store. This affects etcd versions 3.4.x before 3.4.42, 3.5.x before 3.5.28, and 3.6.x before 3.6.9. While Kubernetes deployments are typically protected because Kubernetes handles authentication and authorization at the API server layer rather than relying on etcd's built-in controls, direct etcd deployments with RBAC restrictions are at significant risk.
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Vasilis Triantafyllou Special Box for Content allows DOM-Based XSS. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Spring Framework applications using Java scripting engines (JRuby, Jython) for template views in Spring MVC or Spring WebFlux can leak sensitive file contents from outside intended directories through path traversal. Affected versions include 7.0.0-7.0.5, 6.2.0-6.2.16, 6.1.0-6.1.25, and 5.3.0-5.3.46, with no patch currently available. An unauthenticated remote attacker can read arbitrary files on the system with confidentiality impact.
Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain an access control bypass vulnerability where attackers can grant invites to private message topics even after losing direct access to those conversations. This authentication bypass (CWE-863) allows unauthorized lateral privilege escalation within discussion communities. No public exploit code has been widely reported, but the vulnerability is patched across multiple release branches, indicating vendor awareness of active exploitation risk.
Jexactyl, a game management panel and billing system, contains a stored DOM-based cross-site scripting (XSS) vulnerability in its template rendering engine where server-side objects are injected into client-side JavaScript without proper escaping. The vulnerability affects versions after commit 025e8dbb0daaa04054276bda814d922cf4af58da and before the patched commit e28edb204e80efab628d1241198ea4f079779cfd, allowing authenticated attackers with high privileges to inject malicious payloads through attacker-controlled fields such as usernames or display names that execute arbitrary JavaScript in the browsers of all users viewing the affected page. The CVSS score of 5.8 reflects local attack vector requirements and high privilege prerequisites, though the stored nature of the XSS and lack of user interaction requirements for viewing the malicious content represent meaningful security risk for multi-user deployments.
Heap-based buffer overflow in GPAC MP4Box's XML parsing function allows local attackers to corrupt memory and potentially crash the application or achieve code execution by crafting malicious NHML files with specially formatted BitSequence elements. The vulnerability affects systems processing untrusted multimedia files and remains unpatched as of this advisory. Exploitation requires user interaction to open a malicious file.
Arbitrary command execution in QuNetSwitch can be achieved by local attackers with administrator privileges due to insufficient input validation in command processing. This vulnerability affects QuNetSwitch versions prior to 2.0.5.0906, allowing authenticated high-privilege users to bypass security controls and execute system commands. No patch is currently available for affected versions.
A time-based one-time password (TOTP) reuse vulnerability exists in Vikunja's authentication implementation where a valid TOTP code can be used multiple times within its 30-second validity window, allowing an attacker who captures or obtains a valid code to authenticate as a targeted user. This affects all users who have enabled two-factor authentication (2FA) on Vikunja instances, and while the CVSS score of 5.7 reflects moderate severity, the vulnerability undermines a critical layer of the defense-in-depth authentication model. A proof-of-concept demonstrating the reuse attack has been publicly disclosed.