A Denial-of-Service vulnerability exists in the httpd component of TP-Link TD-W8961N v4.0 routers, caused by improper input sanitization (CWE-20) that allows attackers to craft malicious requests triggering httpd service crashes. The vulnerability enables service interruption and network unavailability for affected users. Although no CVSS score or EPSS metric is publicly available, a vendor patch is already available, indicating acknowledgment of the issue's severity and exploitability.
WWBN AVideo, an open source video platform, contains a SQL injection vulnerability in the Subscribe::save() method that allows authenticated attackers to execute arbitrary SQL queries. Versions up to and including 26.0 are affected, with the vulnerability stemming from unsanitized user input from the $_POST['user_id'] parameter being concatenated directly into INSERT queries. An attacker with low-level authentication can extract sensitive data including password hashes, API keys, and encryption salts from the database, representing a significant information disclosure risk.
Xenstored on Ubuntu and Debian crashes when a guest VM submits a Xenstore command with an illegal node path "/local/domain/", causing a denial of service to that hypervisor component. An unprivileged guest can trigger this crash via a forced assert() statement, or if the service is built without debugging symbols, cause xenstored to consume excessive CPU resources while becoming unresponsive to further requests. No patch is currently available for this vulnerability.
An unauthenticated credential disclosure vulnerability exists in the /goform/ate endpoint of Nexxt Solutions Nebula 300+ firmware (including Tenda F3 v2.0 rebranded variants) through version 12.01.01.37, allowing adjacent network attackers to retrieve the Base64-encoded administrator password without authentication. The recovered credentials enable full device authentication and privilege escalation, facilitating further compromise when combined with other firmware weaknesses. No active KEV listing or public POC availability is currently documented, though the CVSS 6.5 score reflects the significant confidentiality impact despite network-adjacency requirement.
OpenClaw 2026.1.21 through 2026.2.18 contains a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism. Local authenticated users with low privileges can execute arbitrary commands when spawn failures trigger shell fallback with cmd.exe, exploiting workflow-controlled parameters. A patch is available from the vendor, and while no KEV or EPSS data indicates active exploitation at this time, the vulnerability has a CVSS score of 7.0 (High).
Improper authentication in the two-factor authentication verification function of Kalcaddle Kodbox 1.64 allows remote attackers to bypass login controls with high complexity exploitation. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Affected users should implement network-level access controls while awaiting a vendor update.
Kalcaddle Kodbox 1.64 contains a cryptographic key hardcoding vulnerability in the Site-level API key Handler component (shareSafeGroup function in shareOut.class.php), where manipulation of the 'sk' parameter exploits the use of a hard-coded cryptographic key. This allows unauthenticated remote attackers to disclose sensitive information with low complexity, though the attack itself requires high complexity execution. A public proof-of-concept is available, and the vendor has not responded to early disclosure.
cgltf versions 1.15 and earlier are vulnerable to integer overflow in sparse accessor validation that enables local attackers to craft malicious glTF/GLB files triggering heap buffer over-reads. Exploitation causes denial of service through application crashes and may leak sensitive memory contents. No patch is currently available for this high-severity vulnerability (CVSS 8.4).
A Server-Side Request Forgery (SSRF) vulnerability exists in the external page migration feature of the Page Management Plugin (Connect CMS), allowing authenticated attackers with page management screen access to make the server perform requests to internal destinations and disclose sensitive information. The vulnerability affects Connect CMS versions 1.x through 1.41.0 and 2.x through 2.41.0, with patches available in versions 1.41.1 and 2.41.1 respectively. With a CVSS score of 6.8 and moderate attack complexity requiring high privileges, this represents a real but bounded risk primarily to organizations running older plugin versions with administrative users who may be compromised or malicious.
This vulnerability in Roadiz's DownloadedFile::fromUrl() method allows authenticated users with ROLE_ACCESS_DOCUMENTS to read arbitrary files from the server via PHP stream wrapper abuse, specifically by injecting file:// URIs into media import workflows. An attacker can extract sensitive files including .env configuration files, database credentials, and system files, achieving complete confidentiality compromise of the application and potentially the underlying infrastructure. A proof-of-concept exists demonstrating exploitation through malicious Podcast RSS feeds, and a patch is available from the vendor.
The Nexxt Solutions Nebula 300+ wireless router stores sensitive administrative credentials and WiFi pre-shared keys in plaintext within exported configuration backup files, enabling information disclosure through CWE-256 (Plaintext Storage of Password). This vulnerability affects firmware versions through 12.01.01.37 and allows an attacker who gains access to a backup file to immediately obtain full administrative and wireless network access without requiring cryptographic attacks. No CVSS score, EPSS data, or active KEV designation is currently available, but the plaintext credential exposure represents a critical risk for any environment relying on configuration backups.
OpenClaw before version 2026.3.2 contains a semantic drift vulnerability in the node system.run approval hardening mechanism that allows attackers to manipulate wrapper command arguments (argv) to execute unintended local scripts. An attacker with local access, low privileges, and the ability to influence wrapper argv and place malicious files in the approved working directory can achieve arbitrary script execution by exploiting argv rewriting that bypasses the intended approved command enforcement. A patch is available from the vendor, and this vulnerability affects all OpenClaw versions prior to 2026.3.2.
The ReviewX plugin for WordPress contains an improper authorization vulnerability in the userAccessibility() function that allows unauthenticated attackers to bypass authentication checks and access protected REST API endpoints. Affected versions through 2.2.10 permit unauthorized extraction and modification of user data and plugin configuration, posing a direct threat to WooCommerce installations relying on this review management solution. With a CVSS score of 6.5 and network-based attack vector requiring no user interaction or privileges, this vulnerability presents a moderate-to-significant risk for any WordPress site using the affected plugin.
An Insecure Direct Object Reference (IDOR) vulnerability in Blinko versions prior to 1.8.4 allows authenticated attackers to leak the superadmin token through the user.detail endpoint by manipulating user identifiers. This authentication bypass vulnerability has a CVSS score of 6.0 and affects the Blinko AI-powered note-taking application. A patch is available in version 1.8.4, and proof-of-concept information is available via the official GitHub security advisory.
An Insecure Direct Object Reference (IDOR) vulnerability exists in New API versions prior to 0.11.4-alpha.2, a large language model gateway and AI asset management system. Authenticated users can bypass authorization checks on the video proxy endpoint (GET /v1/videos/:task_id/content) to access video content belonging to other users and cause the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The vulnerability stems from a single unguarded function call that queries tasks by task_id alone without validating user ownership, contrasting sharply with all other task-lookup functions in the codebase that properly enforce ownership checks.
The Quiz and Survey Master (QSM) WordPress plugin versions up to 10.3.5 contains a SQL injection vulnerability in the 'merged_question' parameter that allows authenticated attackers with Contributor-level access or higher to extract sensitive database information. The vulnerability exists because the plugin uses sanitize_text_field() which does not prevent SQL metacharacters from being injected into an SQL IN() clause, and the resulting query is not properly parameterized using $wpdb->prepare() or integer casting. With a CVSS score of 6.5 and network-based attack vector requiring only low privileges, this represents a moderate but real threat to WordPress installations using this plugin.
Blinko versions 1.8.3 and earlier allow authenticated users to write arbitrary files to the filesystem through an unvalidated fileName parameter, exploiting a path traversal weakness. The vulnerability requires only basic user authentication and can be leveraged to place malicious files anywhere on the server, potentially leading to remote code execution or system compromise. No patch is currently available.
Blinko, an AI-powered card note-taking application, contains an authenticated arbitrary file write vulnerability in the saveAdditionalDevFile function that allows attackers to write files to arbitrary locations on the system via path traversal. This vulnerability affects all versions prior to 1.8.4 and requires authentication to exploit. An attacker with valid credentials can abuse this flaw to overwrite critical application files, inject malicious code, or achieve remote code execution depending on file permissions and system configuration.
The Sina Extension for Elementor plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Fancy Text Widget and Countdown Widget that allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript into pages through insufficiently sanitized DOM attributes. When users visit pages containing the malicious widgets, the injected scripts execute in their browsers, potentially compromising session tokens, stealing sensitive data, or performing unauthorized actions on behalf of the victim. The vulnerability affects all versions up to and including 3.7.0, with a CVSS score of 6.4 indicating medium severity, though the impact is amplified by the stored nature of the XSS and the broad audience of WordPress sites using this popular page builder extension.
Synology OpenClaw versions prior to 2026.2.24 contain an authorization bypass in the synology-chat channel plugin where misconfigured allowlist policies with empty user IDs fail to enforce access controls. Authenticated attackers with Synology sender privileges can exploit this flaw to send unauthorized messages through downstream agents and tools. A patch is available.
OpenClaw before version 2026.2.22 contains an authorization bypass vulnerability in allowlist mode that allows attackers with high privileges to approve benign wrapped system.run commands and subsequently execute arbitrary commands without requiring additional approval on gateway and node-host execution flows. This vulnerability exploits allow-always persistence at the wrapper level to broaden trust boundaries beyond the initial approval scope. The vulnerability has a CVSS score of 6.4 with high impact on confidentiality, integrity, and availability, though exploitation requires high privilege level and user interaction.
A SSRF vulnerability (CVSS 6.3) that allows an attacker. Remediation should follow standard vulnerability management procedures.
HybridAuth versions up to 3.12.2 contain an improper certificate validation vulnerability in the SSL Handler component (src/HttpClient/Curl.php) where manipulation of curlOptions arguments bypasses SSL/TLS certificate verification. This affects any application using HybridAuth for authentication, allowing attackers to conduct man-in-the-middle attacks against remote authentication flows. While the CVSS score is relatively low (3.7) due to high attack complexity and lack of confidentiality impact, the integrity compromise from certificate validation bypass presents a real threat to authentication security in vulnerable deployments.
XnSoft NConvert version 7.230 contains a stack buffer overflow vulnerability triggered by specially crafted TIFF files, allowing an attacker to overwrite stack memory and potentially execute arbitrary code or cause denial of service. The vulnerability affects the image conversion functionality of NConvert, a widely-used command-line image conversion tool. A proof-of-concept exploit has been documented on GitHub (PassMoon/Nconvert_Vul), indicating public awareness and potential active exploitation risk.
XnSoft NConvert version 7.230 contains a Use-After-Free vulnerability triggered by processing specially crafted TIFF files, which can lead to information disclosure and potential code execution. The vulnerability affects NConvert image conversion software and has been publicly documented with proof-of-concept code available on GitHub. An attacker can exploit this by providing a malicious TIFF file to an NConvert user or service, potentially causing a crash or unauthorized memory access.
Server-side request forgery in Kodbox 1.64's fileGet endpoint allows authenticated attackers to manipulate the path parameter in the PathDriverUrl function, enabling arbitrary outbound requests from the affected server. Public exploit code exists for this vulnerability, and no patch is currently available. The impact is limited to users with valid credentials, though successful exploitation could facilitate further network reconnaissance or attacks against internal systems.
An unrestricted file upload vulnerability exists in CodePhiliaX Chat2DB versions up to 0.3.7 in the JDBC Driver Upload functionality, allowing authenticated attackers to upload arbitrary files to the server. The vulnerability affects the JdbcDriverController.java component and has a CVSS score of 6.3 (medium severity) with a public proof-of-concept exploit available, though the vendor has not responded to disclosure attempts.
A stored cross-site scripting (XSS) vulnerability in the component /admin/search-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection in SourceCodester Simple E-learning System 1.0's user profile update functionality allows authenticated remote attackers to manipulate the firstName parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read or modify sensitive database information. No patch is currently available.
SQL injection in SourceCodester Simple E-learning System 1.0 allows authenticated attackers to manipulate the post_id parameter in the delete_post.php endpoint, enabling unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the searchtxt parameter in /view_product.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in SourceCodester Sales and Inventory System 1.0 allows remote authenticated attackers to manipulate the searchtxt parameter in /view_payments.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed with low complexity over the network.
SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_customers.php endpoint where the searchtxt parameter is insufficiently sanitized, allowing authenticated attackers to execute arbitrary SQL queries and manipulate database contents. The vulnerability requires valid credentials but can be exploited remotely over the network, and public exploit code is available. No patch is currently available for this vulnerability.
SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_category.php endpoint's searchtxt parameter that allows authenticated attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and there is currently no available patch. The attack requires valid credentials but can be executed remotely over the network.
SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in /update_supplier.php allows authenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in the Stream Proxy Query Handler component of wvp-GB28181-pro up to version 2.7.4 allows authenticated remote attackers to execute arbitrary SQL queries and potentially read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available. The affected Java application processes unsanitized input in the selectAll function without proper parameterized queries.
SQL injection in Erupt's MCP Tool Interface allows authenticated attackers to manipulate database queries through the EruptDataQuery component, potentially exposing or modifying sensitive data. The vulnerability affects Java-based Erupt deployments version 1.13.3 and has public exploit code available. No patch is currently available from the vendor, who has not responded to disclosure efforts.
SafeBuffer's string formatting operator (%) in Ruby fails to preserve HTML safety flags when processing untrusted input, allowing attackers to inject malicious scripts that bypass ERB auto-escaping protections. An attacker can exploit this by providing crafted arguments to the % operator on a mutated SafeBuffer, causing the resulting string to be incorrectly marked as safe and potentially leading to cross-site scripting (XSS) attacks. A patch is available for affected applications.
A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x where the customer.pl endpoint improperly handles the OTRSCustomerInterface parameter, allowing attackers to inject and execute arbitrary JavaScript in the context of victim browsers. This affects Znuny ITSM versions in the 6.5.x release line, and a proof-of-concept exploit has been publicly disclosed on GitHub, indicating active awareness and potential exploitation capability in the threat landscape.
A specially crafted XCOFF object file can trigger an out-of-bounds memory read in the GNU Binutils BFD library due to improper validation of relocation type values. This affects Red Hat Enterprise Linux versions 6 through 10 and Red Hat OpenShift Container Platform 4, potentially allowing local attackers with user interaction to crash affected tools or disclose sensitive memory contents. While not currently listed in CISA KEV as actively exploited, the vulnerability is tracked across Red Hat, Sourceware, and Bugzilla with upstream references indicating visibility and likely patch development.
Fastify versions 5.8.2 and earlier contain a header spoofing vulnerability in the trustProxy implementation where the request.protocol and request.host getters incorrectly trust X-Forwarded-Proto and X-Forwarded-Host headers even from untrusted connections when a restrictive trust function is configured. An attacker who can connect directly to a Fastify instance (bypassing the intended proxy) can spoof protocol and host values, potentially bypassing HTTPS enforcement, manipulating secure cookie behavior, and defeating CSRF origin checks. This vulnerability affects applications relying on these headers for security decisions and has a CVSS score of 6.1 with adjacent attack vector and high complexity, indicating moderate real-world exploitability.
OpenClaw before version 2026.3.2 contains a symlink traversal vulnerability in the stageSandboxMedia function that allows local attackers with limited privileges to overwrite arbitrary files outside the intended sandbox workspace. By exploiting unvalidated destination paths in media/inbound write operations, an attacker can follow symlinks to modify host files beyond sandbox boundaries, resulting in integrity compromise and potential system availability impact. A patch is available from the vendor.
The fileThumb endpoint in Kodbox 1.64 contains an OS command injection vulnerability in the checkBin function that allows authenticated remote attackers to execute arbitrary commands with the privileges of the web server process. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. An attacker with high-level privileges can leverage this to achieve remote code execution on affected systems.
A stored or reflected cross-site scripting (XSS) vulnerability exists in projectworlds Lawyer Management System version 1.0, specifically in the /lawyers.php file where the first_Name parameter is inadequately sanitized. An authenticated attacker can inject malicious JavaScript that executes in the context of other users' browsers, potentially stealing session tokens or performing unauthorized actions. A public proof-of-concept exploit is available, and exploitation requires only low complexity with user interaction (UI:R), though the attack vector is network-accessible and does not require high privileges.
jsrsasign versions before 11.1.1 contain a division by zero vulnerability in RSA public-key operations caused by improper parsing of JWK moduli that decode to zero. An attacker can supply a malicious JWK to force RSA verify and encryption operations to produce deterministic zero outputs while suppressing invalid key errors, leading to cryptographic bypass and information disclosure. A proof-of-concept exists and the vulnerability has moderate real-world risk due to its low attack complexity and local attack vector.
A stored cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0 affecting the /admin/update_s6.php file, where the sname parameter fails to properly sanitize user input. An authenticated attacker with high privileges can inject malicious JavaScript that executes in the context of other users' browsers, potentially compromising admin accounts or exfiltrating sensitive exam data. A public proof-of-concept is available on GitHub, and while the CVSS score is low at 2.4, the vulnerability requires high privileges and user interaction to exploit, limiting real-world impact.
A cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, specifically in the /admin/update_s3.php file where the 'sname' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious scripts through this parameter to perform actions in the context of other users' browsers. A public proof-of-concept is available, making this vulnerability actively exploitable despite its low CVSS score of 2.4.
A Stored Cross-Site Scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0 affecting the /admin/update_s4.php endpoint, where the 'sname' parameter is not properly sanitized before output. An authenticated attacker with high privileges can inject malicious JavaScript that executes in the context of other users' browsers, potentially leading to session hijacking, credential theft, or administrative action abuse. A public proof-of-concept exploit is available, increasing real-world risk despite the low CVSS score of 2.4.
A Stored or Reflected Cross-Site Scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, specifically in the /admin/update_s5.php file where the 'sname' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious JavaScript code through this parameter, which will execute in the context of other users' browsers when they interact with the affected page. A public proof-of-concept exploit is available on GitHub, and the vulnerability has a low CVSS score of 2.4 due to high privilege requirements and user interaction dependency, but the public disclosure increases practical exploitation likelihood.
A stored cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, affecting the /admin/update_s2.php endpoint where the 'sname' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious JavaScript that executes in the browser of other users who view the affected page, potentially leading to session hijacking, credential theft, or administrative action manipulation. A public proof-of-concept exploit is available on GitHub, and the vulnerability carries a low CVSS score of 2.4 due to requiring high privileges and user interaction, but the published exploit status indicates active reconnaissance and potential targeted exploitation.