Luminance Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Pixel Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Blob Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the key entry mechanism. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Liquid Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Paint Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the key entry mechanism. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Tree Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in SourceCodester E-Commerce Site 1.0 through the Search parameter in /products.php enables unauthenticated remote attackers to read, modify, and delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available, putting all installations at immediate risk.
SQL injection in the Free Hotel Reservation System 1.0 admin panel allows unauthenticated remote attackers to manipulate the account_id parameter and execute arbitrary SQL queries with potential for data theft, modification, and system disruption. Public exploit code exists for this vulnerability, and no patch is currently available.
SQL injection in Simple Laundry System 1.0's /checklogin.php parameter handler allows unauthenticated remote attackers to manipulate the Username field and execute arbitrary database queries. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available, leaving affected PHP installations vulnerable to data theft and unauthorized access.
SQL injection in Simple Laundry System 1.0's /checkupdatestatus.php parameter handler allows unauthenticated remote attackers to manipulate the serviceId argument and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available, creating immediate risk for affected deployments.
SQL injection in Simple Laundry System 1.0 through the serviceId parameter in /viewdetail.php allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can exploit this to read or modify sensitive database information.
SQL injection in Erupt up to version 1.13.3 allows unauthenticated remote attackers to execute arbitrary SQL queries through the sort.field parameter in the HQL query builder. Public exploit code exists for this vulnerability, and no patch is currently available. Affected Java applications using vulnerable versions of Erupt are at risk of data exfiltration and manipulation.
A publicly accessible endpoint in Blinko prior to version 1.8.4 discloses sensitive user information including usernames, roles, and account creation dates without requiring authentication, allowing unauthenticated attackers to enumerate all user accounts. This information disclosure vulnerability (CWE-200) affects Blinko versions below 1.8.4 and has been patched in the latest release. The vulnerability is remotely exploitable over the network with minimal attack complexity and no privilege requirements, making it a significant privacy and enumeration risk for deployed instances.
The trx_addons WordPress plugin before version 2.38.5 contains an arbitrary file upload vulnerability in an AJAX action that fails to properly validate file types, allowing unauthenticated attackers to upload malicious files. This vulnerability represents an incomplete remediation of the previously disclosed CVE-2024-13448, meaning the original patch was insufficient. A public proof-of-concept exploit is available, and the vulnerability can lead to remote code execution or information disclosure depending on server configuration and file placement.
Blinko versions 1.8.3 and earlier contain a path traversal vulnerability in the plugin file server endpoint that fails to validate whether requested file paths remain within the plugins directory, enabling unauthenticated remote attackers to read arbitrary files. The vulnerability has a CVSS score of 5.3 and currently lacks a publicly available patch.
MailEnable versions prior to 10.55 contain a reflected cross-site scripting (XSS) vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser without requiring authentication or special privileges. The vulnerability exists in the FreeBusy.aspx form where the StartDate parameter is not properly sanitized before being embedded into dynamically generated JavaScript, enabling attackers to inject malicious code through a crafted URL. A public proof-of-concept exploit is available, and a patch has been released by the vendor, making this a moderate-to-high priority issue for organizations running affected versions.
MailEnable versions prior to 10.55 contain a reflected cross-site scripting (XS) vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser without requiring authentication or special privileges. The vulnerability exists in the FreeBusy.aspx form where the Attendees parameter is not properly sanitized before being embedded into dynamically generated JavaScript, enabling attackers to craft malicious URLs that compromise user sessions and steal sensitive data. A public proof-of-concept exploit is available, increasing the practical risk to deployed MailEnable installations.
MailEnable versions prior to 10.55 contain a reflected cross-site scripting (XSS) vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL targeting the ManageShares.aspx form. The SelectedIndex parameter is not properly sanitized before being embedded into dynamically generated JavaScript, enabling attackers to inject and execute malicious code. A publicly available proof-of-concept exploit exists, and a patch has been released by the vendor.
Census CSWeb 8.0.1 contains a stored cross-site scripting (XSS) vulnerability in user-supplied fields that allows authenticated attackers to inject and persist malicious JavaScript code, which executes when victims access affected pages in their browsers. The vulnerability affects CSWeb versions prior to 8.1.0 alpha, and a public proof-of-concept exploit is available on GitHub, increasing real-world exploitation risk. While the CVSS score of 4.6 reflects moderate severity, the combination of authenticated access requirement, user interaction dependency, and published exploit code suggests this poses a meaningful but contained threat to Census CSWeb deployments.
cgltf versions 1.15 and earlier are vulnerable to integer overflow in sparse accessor validation that enables local attackers to craft malicious glTF/GLB files triggering heap buffer over-reads. Exploitation causes denial of service through application crashes and may leak sensitive memory contents. No patch is currently available for this high-severity vulnerability (CVSS 8.4).
A Server-Side Request Forgery (SSRF) vulnerability exists in the external page migration feature of the Page Management Plugin (Connect CMS), allowing authenticated attackers with page management screen access to make the server perform requests to internal destinations and disclose sensitive information. The vulnerability affects Connect CMS versions 1.x through 1.41.0 and 2.x through 2.41.0, with patches available in versions 1.41.1 and 2.41.1 respectively. With a CVSS score of 6.8 and moderate attack complexity requiring high privileges, this represents a real but bounded risk primarily to organizations running older plugin versions with administrative users who may be compromised or malicious.
This vulnerability in Roadiz's DownloadedFile::fromUrl() method allows authenticated users with ROLE_ACCESS_DOCUMENTS to read arbitrary files from the server via PHP stream wrapper abuse, specifically by injecting file:// URIs into media import workflows. An attacker can extract sensitive files including .env configuration files, database credentials, and system files, achieving complete confidentiality compromise of the application and potentially the underlying infrastructure. A proof-of-concept exists demonstrating exploitation through malicious Podcast RSS feeds, and a patch is available from the vendor.
The Nexxt Solutions Nebula 300+ wireless router stores sensitive administrative credentials and WiFi pre-shared keys in plaintext within exported configuration backup files, enabling information disclosure through CWE-256 (Plaintext Storage of Password). This vulnerability affects firmware versions through 12.01.01.37 and allows an attacker who gains access to a backup file to immediately obtain full administrative and wireless network access without requiring cryptographic attacks. No CVSS score, EPSS data, or active KEV designation is currently available, but the plaintext credential exposure represents a critical risk for any environment relying on configuration backups.
OpenClaw before version 2026.3.2 contains a semantic drift vulnerability in the node system.run approval hardening mechanism that allows attackers to manipulate wrapper command arguments (argv) to execute unintended local scripts. An attacker with local access, low privileges, and the ability to influence wrapper argv and place malicious files in the approved working directory can achieve arbitrary script execution by exploiting argv rewriting that bypasses the intended approved command enforcement. A patch is available from the vendor, and this vulnerability affects all OpenClaw versions prior to 2026.3.2.
The ReviewX plugin for WordPress contains an improper authorization vulnerability in the userAccessibility() function that allows unauthenticated attackers to bypass authentication checks and access protected REST API endpoints. Affected versions through 2.2.10 permit unauthorized extraction and modification of user data and plugin configuration, posing a direct threat to WooCommerce installations relying on this review management solution. With a CVSS score of 6.5 and network-based attack vector requiring no user interaction or privileges, this vulnerability presents a moderate-to-significant risk for any WordPress site using the affected plugin.
An Insecure Direct Object Reference (IDOR) vulnerability in Blinko versions prior to 1.8.4 allows authenticated attackers to leak the superadmin token through the user.detail endpoint by manipulating user identifiers. This authentication bypass vulnerability has a CVSS score of 6.0 and affects the Blinko AI-powered note-taking application. A patch is available in version 1.8.4, and proof-of-concept information is available via the official GitHub security advisory.
An Insecure Direct Object Reference (IDOR) vulnerability exists in New API versions prior to 0.11.4-alpha.2, a large language model gateway and AI asset management system. Authenticated users can bypass authorization checks on the video proxy endpoint (GET /v1/videos/:task_id/content) to access video content belonging to other users and cause the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The vulnerability stems from a single unguarded function call that queries tasks by task_id alone without validating user ownership, contrasting sharply with all other task-lookup functions in the codebase that properly enforce ownership checks.
The Quiz and Survey Master (QSM) WordPress plugin versions up to 10.3.5 contains a SQL injection vulnerability in the 'merged_question' parameter that allows authenticated attackers with Contributor-level access or higher to extract sensitive database information. The vulnerability exists because the plugin uses sanitize_text_field() which does not prevent SQL metacharacters from being injected into an SQL IN() clause, and the resulting query is not properly parameterized using $wpdb->prepare() or integer casting. With a CVSS score of 6.5 and network-based attack vector requiring only low privileges, this represents a moderate but real threat to WordPress installations using this plugin.
Blinko versions 1.8.3 and earlier allow authenticated users to write arbitrary files to the filesystem through an unvalidated fileName parameter, exploiting a path traversal weakness. The vulnerability requires only basic user authentication and can be leveraged to place malicious files anywhere on the server, potentially leading to remote code execution or system compromise. No patch is currently available.
Blinko, an AI-powered card note-taking application, contains an authenticated arbitrary file write vulnerability in the saveAdditionalDevFile function that allows attackers to write files to arbitrary locations on the system via path traversal. This vulnerability affects all versions prior to 1.8.4 and requires authentication to exploit. An attacker with valid credentials can abuse this flaw to overwrite critical application files, inject malicious code, or achieve remote code execution depending on file permissions and system configuration.
The Sina Extension for Elementor plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Fancy Text Widget and Countdown Widget that allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript into pages through insufficiently sanitized DOM attributes. When users visit pages containing the malicious widgets, the injected scripts execute in their browsers, potentially compromising session tokens, stealing sensitive data, or performing unauthorized actions on behalf of the victim. The vulnerability affects all versions up to and including 3.7.0, with a CVSS score of 6.4 indicating medium severity, though the impact is amplified by the stored nature of the XSS and the broad audience of WordPress sites using this popular page builder extension.
Synology OpenClaw versions prior to 2026.2.24 contain an authorization bypass in the synology-chat channel plugin where misconfigured allowlist policies with empty user IDs fail to enforce access controls. Authenticated attackers with Synology sender privileges can exploit this flaw to send unauthorized messages through downstream agents and tools. A patch is available.
OpenClaw before version 2026.2.22 contains an authorization bypass vulnerability in allowlist mode that allows attackers with high privileges to approve benign wrapped system.run commands and subsequently execute arbitrary commands without requiring additional approval on gateway and node-host execution flows. This vulnerability exploits allow-always persistence at the wrapper level to broaden trust boundaries beyond the initial approval scope. The vulnerability has a CVSS score of 6.4 with high impact on confidentiality, integrity, and availability, though exploitation requires high privilege level and user interaction.
A SSRF vulnerability (CVSS 6.3) that allows an attacker. Remediation should follow standard vulnerability management procedures.
HybridAuth versions up to 3.12.2 contain an improper certificate validation vulnerability in the SSL Handler component (src/HttpClient/Curl.php) where manipulation of curlOptions arguments bypasses SSL/TLS certificate verification. This affects any application using HybridAuth for authentication, allowing attackers to conduct man-in-the-middle attacks against remote authentication flows. While the CVSS score is relatively low (3.7) due to high attack complexity and lack of confidentiality impact, the integrity compromise from certificate validation bypass presents a real threat to authentication security in vulnerable deployments.
XnSoft NConvert version 7.230 contains a Use-After-Free vulnerability triggered by processing specially crafted TIFF files, which can lead to information disclosure and potential code execution. The vulnerability affects NConvert image conversion software and has been publicly documented with proof-of-concept code available on GitHub. An attacker can exploit this by providing a malicious TIFF file to an NConvert user or service, potentially causing a crash or unauthorized memory access.
XnSoft NConvert version 7.230 contains a stack buffer overflow vulnerability triggered by specially crafted TIFF files, allowing an attacker to overwrite stack memory and potentially execute arbitrary code or cause denial of service. The vulnerability affects the image conversion functionality of NConvert, a widely-used command-line image conversion tool. A proof-of-concept exploit has been documented on GitHub (PassMoon/Nconvert_Vul), indicating public awareness and potential active exploitation risk.
A stored cross-site scripting (XSS) vulnerability in the component /admin/search-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SafeBuffer's string formatting operator (%) in Ruby fails to preserve HTML safety flags when processing untrusted input, allowing attackers to inject malicious scripts that bypass ERB auto-escaping protections. An attacker can exploit this by providing crafted arguments to the % operator on a mutated SafeBuffer, causing the resulting string to be incorrectly marked as safe and potentially leading to cross-site scripting (XSS) attacks. A patch is available for affected applications.
A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x where the customer.pl endpoint improperly handles the OTRSCustomerInterface parameter, allowing attackers to inject and execute arbitrary JavaScript in the context of victim browsers. This affects Znuny ITSM versions in the 6.5.x release line, and a proof-of-concept exploit has been publicly disclosed on GitHub, indicating active awareness and potential exploitation capability in the threat landscape.
A specially crafted XCOFF object file can trigger an out-of-bounds memory read in the GNU Binutils BFD library due to improper validation of relocation type values. This affects Red Hat Enterprise Linux versions 6 through 10 and Red Hat OpenShift Container Platform 4, potentially allowing local attackers with user interaction to crash affected tools or disclose sensitive memory contents. While not currently listed in CISA KEV as actively exploited, the vulnerability is tracked across Red Hat, Sourceware, and Bugzilla with upstream references indicating visibility and likely patch development.
Fastify versions 5.8.2 and earlier contain a header spoofing vulnerability in the trustProxy implementation where the request.protocol and request.host getters incorrectly trust X-Forwarded-Proto and X-Forwarded-Host headers even from untrusted connections when a restrictive trust function is configured. An attacker who can connect directly to a Fastify instance (bypassing the intended proxy) can spoof protocol and host values, potentially bypassing HTTPS enforcement, manipulating secure cookie behavior, and defeating CSRF origin checks. This vulnerability affects applications relying on these headers for security decisions and has a CVSS score of 6.1 with adjacent attack vector and high complexity, indicating moderate real-world exploitability.
OpenClaw before version 2026.3.2 contains a symlink traversal vulnerability in the stageSandboxMedia function that allows local attackers with limited privileges to overwrite arbitrary files outside the intended sandbox workspace. By exploiting unvalidated destination paths in media/inbound write operations, an attacker can follow symlinks to modify host files beyond sandbox boundaries, resulting in integrity compromise and potential system availability impact. A patch is available from the vendor.
OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn slash-command that allows authorized sandboxed users to initialize host-side ACP runtime and bypass sandbox restrictions. An attacker with low privileges and sandboxed chat access can invoke the vulnerable command to cross from isolated chat context into unrestricted host-side ACP session initialization when ACP is enabled, potentially escalating their capabilities beyond intended boundaries. The vulnerability has been assigned a CVSS score of 5.3 (medium severity) with a published patch available from the vendor.
OpenClaw versions 2026.2.26 through 2026.3.0 contain a current working directory (CWD) injection vulnerability in the Windows wrapper resolution mechanism for .cmd and .bat files, allowing attackers with local access to manipulate CWD and achieve command execution with integrity compromise. An attacker with local privileges can alter the working directory to inject malicious wrapper scripts that execute instead of legitimate ones, bypassing command execution controls. The vulnerability requires local access and moderate complexity but enables high-integrity impact; no active KEV or widespread exploitation has been reported, but proof-of-concept details are documented in vendor security advisories.
OpenClaw before version 2026.2.22 contains a critical allowlist bypass vulnerability in the system.run function that allows authenticated local attackers to execute arbitrary commands by circumventing security controls. An attacker with local access and low privileges can inject shell line-continuation sequences and command substitution syntax within double quotes to fold malicious payloads into executable subcommands, effectively bypassing the intended command allowlist. This vulnerability enables privilege escalation and arbitrary code execution on affected systems.
OpenClaw before version 2026.3.2 contains a race condition vulnerability in its ZIP extraction functionality that allows local attackers with limited privileges to write arbitrary files outside the intended extraction directory. The vulnerability exploits a time-of-check-time-of-use (TOCTOU) gap in src/infra/archive.ts where an attacker can rebind parent directory symlinks between path validation and file write operations, enabling directory traversal and potential code execution. A patch is available from the vendor, and this vulnerability requires local access with user-level privileges to exploit, making it a moderate-severity concern for systems where untrusted users can extract archives.
OpenClaw before version 2026.2.22 contains an allowlist bypass vulnerability in its system.run exec analysis functionality that fails to properly unwrap environment variable and shell-dispatch wrapper chains. Attackers with local access and limited privileges can exploit this to route command execution through wrapper binaries such as env or bash, allowing them to smuggle payloads past the intended allowlist restrictions. This vulnerability enables privilege escalation and integrity compromise on affected systems.
The Sprig Plugin for Craft CMS contains an information disclosure vulnerability that allows authenticated admin users and those with explicit Sprig Playground access to expose sensitive configuration data including security keys and credentials, as well as invoke the hashData() signing function. Affected versions include 2.0.0 through 2.15.1 and 3.0.0 through 3.15.1, with patches released in versions 2.15.2 and 3.15.2 that disable the Sprig Playground by default when devMode is disabled. This is not currently tracked as an actively exploited vulnerability in public KEV databases, though proof-of-concept code may exist in the referenced GitHub security advisory and commits.
systemd (PID 1) contains a denial-of-service vulnerability triggered by malformed IPC API calls from unprivileged users that causes the service manager to assert and freeze. On versions v249 and earlier, the same vulnerability manifests as stack buffer overwriting with attacker-controlled data, potentially enabling code execution; versions v250 and newer include a safety check that converts this to a non-exploitable assertion failure. The vulnerability affects systemd versions v239 through v259 (with patched versions 260-rc1, 259.2, 258.5, and 257.11 available), impacting all Linux distributions using affected systemd builds including multiple Ubuntu releases tracked at medium priority.