phpFileManager 1.7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the action, fm_current_dir, and filename parameters. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WinMPG Video Convert 9.3.5 and older versions contain a buffer overflow vulnerability in the registration dialog that allows local attackers to crash the application by supplying oversized input. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WinAVI iPod/3GP/MP4/PSP Converter 4.4.2 contains a denial of service vulnerability that allows local attackers to crash the application by processing malformed AVI files. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A Server-Side Request Forgery (SSRF) vulnerability exists in DefaultFuction Jeson-Customer-Relationship-Management-System affecting versions up to commit 1b4679c4d06b90d31dd521c2b000bfdec5a36e00. The vulnerability resides in the /api/System.php file where the 'url' parameter can be manipulated to force the server to make arbitrary requests. A publicly disclosed proof-of-concept exploit is available on GitHub, and patches have been released by the vendor.
SourceCodester Patients Waiting Area Queue Management System 1.0 contains an improper authorization flaw in the ValidateToken function of the Patient Check-In Module that allows unauthenticated remote attackers to bypass access controls. Public exploit code is available for this vulnerability, and no patch has been released. The attack requires no user interaction and could enable unauthorized access to patient check-in functionality.
SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate the Name parameter in /sms/user/index.php?view=add, potentially enabling unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, increasing risk of active exploitation. No patch is currently available.
SourceCodester Online Admission System 1.0 contains a SQL injection vulnerability in the /programmes.php file's program parameter that allows unauthenticated remote attackers to execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch is currently available. The flaw enables attackers to potentially read, modify, or delete sensitive admission system data.
SQL injection in SourceCodester Online Library Management System 1.0 allows unauthenticated remote attackers to manipulate the searchField parameter in /home.php, enabling data exfiltration, modification, and potential service disruption. Public exploit code exists for this vulnerability, and no patch is currently available.
Unauthenticated guests can access Config Sync updater endpoints to retrieve signed state data and execute privileged state-changing actions such as YAML regeneration and application without authentication. This vulnerability in ConfigSyncController stems from insufficient access controls on the base updater interface, allowing attackers to reuse captured signed data in subsequent requests to modify system configuration. A patch is available to address this authentication bypass.
An unauthenticated remote code execution vulnerability exists in Zabbix's Frontend 'validate' action that permits blind instantiation of arbitrary PHP classes without authentication. The vulnerability affects Zabbix products across multiple versions as indicated by the CPE wildcard notation, and while the immediate impact appears limited by environment-specific constraints, successful exploitation could lead to information disclosure or arbitrary code execution depending on available PHP classes in the deployment context. No CVSS score, EPSS data, or KEV status is currently published, but the attack vector is unauthenticated and likely has low complexity, suggesting meaningful real-world risk.
LibVNCServer versions 0.9.15 and earlier contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows malicious VNC servers to disclose sensitive information or crash client applications. The vulnerability affects any application linking against the vulnerable LibVNCServer library, with exploitation requiring a malicious VNC server that manipulates subrectangle header counts to trigger improper bounds checking in the HandleUltraZipBPP() function. A patch is available from the vendor (commit 009008e), and no active exploitation or public proof-of-concept has been reported as of the intelligence sources reviewed.
Vikunja prior to version 2.2.1 contains an authorization bypass vulnerability in the DELETE /api/v1/projects/:project/shares/:share endpoint that fails to verify link share ownership. An attacker with administrative access to any project can delete link shares from arbitrary other projects by combining their own project ID with a target share ID, effectively allowing cross-project share manipulation. This is a privilege escalation and denial-of-service vector affecting self-hosted Vikunja deployments where multiple projects exist.
Mod_gnutls versions prior to 0.13.0 fail to validate the Extended Key Usage (EKU) extension during client certificate verification, allowing an attacker with a valid certificate issued for a different purpose to improperly authenticate for TLS client certificate-based access. Only Apache HTTPD servers configured to use client certificate authentication (via GnuTLSClientVerify settings other than 'ignore') are affected. The vulnerability enables unauthorized information disclosure through certificate misuse, with a CVSS score of 6.8 reflecting high confidentiality impact but requiring non-trivial attack complexity.
NVIDIA SNAP-4 Container contains a buffer size calculation vulnerability in its configuration interface that allows an authenticated attacker on the same virtualized environment to trigger a denial of service condition. An attacker with local VM access and low-level privileges can send specially crafted configuration payloads that cause incorrect buffer size calculations, resulting in crashes of the SNAP storage service and loss of storage availability to the host. There is currently no evidence of active exploitation or public proof-of-concept code, and the SSVC framework indicates no known exploitation has occurred, though the vulnerability is automatable in principle.
NVIDIA SNAP-4 Container contains a use-of-out-of-range pointer offset vulnerability in the VIRTIO-BLK component that allows a malicious guest VM to trigger memory corruption and denial of service. The vulnerability affects NVIDIA SNAP-4 Container across all versions as indicated by the CPE string. A successful exploit results in denial of service to the DPA (Data Processing Appliance) and impacts storage availability to other VMs, though no code execution or information disclosure is possible. There is no evidence of active exploitation in the wild (KEV status indicates none), and the CVSS score of 6.8 reflects moderate severity with high availability impact but limited exploitability due to requiring adjacent network access and user privileges.
A command injection vulnerability (CVSS 6.7). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
sbt on Windows is vulnerable to command injection through unvalidated URI fragments in VCS dependency declarations. When resolving git, mercurial, or subversion repositories, sbt passes user-controlled branch, tag, or revision parameters directly to cmd.exe without sanitization, allowing attackers to inject arbitrary Windows commands via special characters like &, |, and ; that cmd /c interprets as command separators. An attacker who controls a dependency URI in a project's build.sbt file can execute arbitrary commands with the privileges of the user running sbt. A proof-of-concept exists demonstrating execution of calc.exe, and patches are available from the vendor for sbt versions 1.12.7 and later.
The Vikunja Desktop Electron wrapper enables Node.js integration in the renderer process without proper context isolation or sandboxing, allowing any cross-site scripting vulnerability in the web frontend to escalate directly to remote code execution on the victim's machine. Vikunja versions 0.21.0 through 2.1.x are affected, as confirmed by CPE cpe:2.3:a:go-vikunja:vikunja. An attacker exploiting an XSS flaw gains full access to Node.js APIs and the underlying operating system, making this a critical privilege escalation from web-based XSS to system-level RCE.
Vikunja Desktop (Electron wrapper) versions 0.21.0 through 2.1.x contain a critical remote code execution vulnerability caused by enabled Node.js integration combined with missing navigation controls. An attacker who is a legitimate user on a shared Vikunja instance can inject a malicious hyperlink into user-generated content (task descriptions, comments, project descriptions) that, when clicked by a victim using Vikunja Desktop, causes arbitrary code execution with the victim's OS user privileges. A proof-of-concept demonstrating command execution via a simple HTML link has been documented, and the vulnerability affects all Desktop users on affected versions.
The @astrojs/vercel serverless adapter in Astro versions prior to 10.0.2 contains an unauthenticated path traversal vulnerability that allows attackers to bypass platform-level security restrictions by manipulating the x-astro-path header and x_astro_path query parameter. Any remote attacker without authentication can rewrite internal request paths to access restricted endpoints such as /admin/*, with the attack preserving the original HTTP method and request body, enabling POST, PUT, and DELETE operations against protected resources. The vulnerability has been patched in version 10.0.2, and proof-of-concept code is available via the referenced GitHub security advisory and pull request.
GoDoxy versions prior to 0.27.5 contain a path traversal vulnerability in the `/api/v1/file/content` API endpoint that allows authenticated attackers to read and write arbitrary files outside the intended `config/` directory. An attacker with valid credentials can exploit this vulnerability to access sensitive files including TLS private keys, OAuth refresh tokens, and system certificates by manipulating the `filename` query parameter with `../` sequences. A proof-of-concept has been published demonstrating successful extraction of private keys, and the vulnerability carries a CVSS 6.5 score with active patch availability.
The Product Filter for WooCommerce by WBW plugin for WordPress (versions up to 3.1.2) contains a critical authentication bypass vulnerability that allows unauthenticated attackers to permanently delete all filter configurations by truncating the wp_wpf_filters database table. The vulnerability stems from the plugin's MVC framework registering unauthenticated AJAX handlers without capability checks, combined with a magic method that forwards calls to the model layer and a permission check that defaults to true. An attacker can exploit this with a single crafted AJAX request, resulting in complete data loss and service disruption for WooCommerce installations using this plugin.
ConcreteCMS version 9.4.7 contains a memory exhaustion vulnerability in the File Manager's download functionality that allows authenticated attackers to trigger a Denial of Service condition. The vulnerability exists in the 'download' method of 'concrete/controllers/backend/file.php', where improper memory management during zip archive creation using ZipArchive::addFromString combined with file_get_contents loads entire file contents into PHP memory without streaming or size validation. An attacker with valid authentication credentials can exploit this by requesting bulk downloads of large files, exhausting available PHP memory and causing the PHP-FPM process to crash with a SIGSEGV signal, rendering the web application unavailable with HTTP 500 errors.
Vikunja prior to version 2.2.1 exposes webhook BasicAuth credentials in plaintext through the GET /api/v1/projects/:project/webhooks API endpoint to any user with read access to a project. While HMAC secrets are properly masked, the BasicAuth username and password fields added in a later migration lack equivalent protection, allowing read-only collaborators to steal credentials intended for authenticating webhook requests to external systems. This is a confirmed information disclosure vulnerability with a CVSS 6.5 score reflecting moderate real-world risk due to the requirement for authenticated project access.
Wallos, an open-source self-hostable subscription tracker, contains an authentication bypass vulnerability in its password reset mechanism where reset tokens never expire. Versions prior to 4.7.2 are affected, allowing attackers who intercept a password reset link to use it indefinitely days, weeks, or months after generation. An attacker exploiting this vulnerability can gain unauthorized account access and potentially modify subscription data, though the CVSS score of 6.5 reflects moderate real-world risk due to the required interception precondition.
The LearnDash LMS plugin for WordPress contains a blind time-based SQL injection vulnerability in the 'filters[orderby_order]' parameter of the 'learndash_propanel_template' AJAX action, affecting all versions up to and including 5.0.3. Authenticated attackers with Contributor-level access or higher can exploit insufficient input escaping and lack of prepared statements to extract sensitive database information through time-based SQL injection techniques. While the CVSS score of 6.5 reflects medium severity with high confidentiality impact, the requirement for authentication and low network complexity means this poses a real but contained risk, particularly in multi-user WordPress environments where contributor accounts are common.
Vikunja prior to version 2.2.1 suffers from an information disclosure vulnerability where the API returns full task object details in the `related_tasks` field without validating the requesting user's read permissions on the related tasks' projects. An authenticated attacker can exploit cross-project task relationships to enumerate sensitive task metadata (titles, descriptions, due dates, priorities, completion percentages, project IDs) from projects they have no access to, achieving a high-confidence information disclosure with CVSS 6.5 and no active exploitation reported in known exploit databases.
An access control list (ACL) bypass vulnerability exists in NATS.io nats-server that allows authenticated MQTT clients to bypass subject-based authorization controls. Affected versions include all nats-server releases before v2.12.6 and v2.11.15. When ACLs are configured to restrict access to message subjects, these controls are not enforced within the $MQTT.> namespace, enabling low-privileged MQTT users to publish or subscribe to subjects they should not have access to.
A spoofing vulnerability exists in Mozilla Thunderbird that affects versions below 149 and below 140.9, allowing attackers to spoof email sources or identities. This vulnerability is classified as an information disclosure issue that could compromise email authentication and user trust. While specific CVSS and EPSS metrics are unavailable, the vulnerability warrants prompt patching as Mozilla has issued security advisories indicating active remediation efforts.
SQL injection in the password reset function of ESICLivre v0.2.2 and earlier allows unauthenticated attackers to extract sensitive data by manipulating the cpfcnpj parameter. The vulnerability requires no user interaction and can be exploited remotely over the network, though no patch is currently available.
NATS-Server versions prior to 2.11.15 and 2.12.5 contain an authentication bypass vulnerability in the MQTT client interface that allows attackers to hijack sessions and messages through malicious MQTT Client ID manipulation. The vulnerability affects all versions of nats-server using the affected version ranges and has a CVSS score of 6.5 (medium-high severity) due to the combination of high confidentiality impact and low availability impact. No known public exploits or active exploitation in the wild has been confirmed, but the authentication bypass nature (CWE-287) and patch availability indicate this is a practical, exploitable issue that requires immediate attention for organizations running affected versions.
An information disclosure vulnerability exists in albfan miraclecast before version 1.0 that allows unauthenticated attackers on an adjacent network to access sensitive information. The vulnerability affects miraclecast across all versions prior to v1.0 via an unspecified mechanism (CWE-noinfo). While the CVSS score is 6.5 (medium-high), the attack vector is adjacent network (AV:A) rather than network-wide, and no active exploitation in the wild or known public proof-of-concept has been reported at this time.
Solidtime prior to version 0.11.6 contains an authorization bypass vulnerability in its project detail endpoint that allows any authenticated employee to access private projects they are not members of by directly querying the GET /api/v1/organizations/{org}/projects/{project} endpoint with a project UUID. The vulnerability stems from inconsistent authorization scope application between the index() and show() methods, enabling confidentiality breach of sensitive project data. A security patch is available in version 0.11.6 and the vulnerability has been disclosed via GitHub Security Advisory GHSA-354j-rx28-jjxm.
A spoofing vulnerability exists in Firefox's Privacy: Anti-Tracking component that allows attackers to deceive users or bypass security mechanisms through fraudulent representation. Firefox versions prior to 149 are affected. While specific exploit details are limited in available intelligence, the spoofing nature suggests attackers could impersonate legitimate content or services, potentially leading to credential theft, phishing success, or privacy compromise. No CVSS score, EPSS data, or confirmed KEV status is currently available, limiting real-time risk quantification.
The Vikunja Desktop Electron application fails to validate or allowlist URI schemes before passing URLs from window.open() calls to shell.openExternal(), allowing attackers to invoke arbitrary local applications, open files, or trigger custom protocol handlers. Vikunja versions 0.21.0 through 2.1.x are affected, with the vulnerability patched in version 2.2.0. An attacker who can inject links with target="_blank" into user-generated content can exploit this to execute malicious actions on the victim's operating system without user awareness or explicit consent.
Vikunja versions prior to 2.2.1 contain a Server-Side Request Forgery (SSRF) vulnerability in the avatar image download functionality that fails to implement proper protections when fetching user profile pictures from OpenID Connect provider URLs. An authenticated attacker can exploit this by controlling their OIDC profile picture URL to force the Vikunja server to make arbitrary HTTP GET requests to internal networks or cloud metadata endpoints, potentially disclosing sensitive information. The vulnerability has a CVSS score of 6.4 (medium severity) and is patched in version 2.2.1.
Vikunja prior to version 2.2.1 contains a Server-Side Request Forgery (SSRF) vulnerability in its migration helper functions that lack HTTP request validation. An authenticated attacker can exploit this by triggering a Todoist or Trello migration, which causes the Vikunja server to fetch arbitrary URLs specified in attachment metadata from third-party APIs, potentially exposing internal network resources and returning their contents as task attachments. The vulnerability requires low privilege (authenticated user) and carries a CVSS score of 6.4 with moderate confidentiality and availability impact across network boundaries.
NATS-server versions prior to v2.12.6 or v2.11.15 are vulnerable to authentication bypass through spoofed Nats-Request-Info headers in leafnode connections. An attacker with low privileges and network access can craft malicious messages with forged identity claims that propagate through untrusted leafnode connections, allowing clients that rely on this header for trust decisions to be deceived about message origins. This affects downstream NATS clients making security decisions based on the header, potentially compromising confidentiality and integrity of message-based applications.
NATS-server versions prior to v2.12.6 or v2.11.15 contain an authentication bypass vulnerability where the Nats-Request-Info message header, intended to guarantee request identity, is not fully stripped from inbound client messages. An attacker with valid credentials to any regular client interface can spoof their identity to downstream services that rely on this header for authorization decisions, potentially leading to unauthorized access or impersonation. While no confirmed active exploitation or public proof-of-concept is documented, the low attack complexity and low privilege requirements (any authenticated user) combined with the CVSS 6.4 score indicate moderate real-world risk, particularly in environments where message header-based identity verification is critical.
A Use After Free (UAF) vulnerability exists in No-Chicken Echo-Mate prior to version V250329, allowing an attacker with high privileges to cause memory corruption that may lead to information disclosure, data integrity violations, or denial of service. The vulnerability is classified as CWE-416 and carries a CVSS score of 6.4; a security patch is available from the vendor via GitHub pull request.
LibVNCServer versions 0.9.15 and earlier contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpd.c that allow remote attackers to cause denial of service by sending specially crafted HTTP requests. The vulnerability affects systems with both httpd and proxy features enabled, and while no CVSS score or EPSS data is currently available, the presence of a public patch and vendor advisory indicates this is a recognized security issue requiring prompt attention.
NGINX Plus and NGINX Open Source contain an improper handling vulnerability in the ngx_mail_smtp_module that allows DNS response injection through malformed CRLF sequences. An attacker controlling a DNS server can inject arbitrary headers into SMTP upstream requests, potentially manipulating mail routing and message content. With a CVSS score of 3.7 and low attack complexity, this represents an integrity issue rather than a critical exploitability threat, though it requires network-level DNS control.
HCL Traveler contains a weak default HTTP header validation vulnerability (CWE-346) that allows authenticated attackers to bypass additional authentication checks and gain unauthorized access to sensitive functionality. The vulnerability affects HCL Traveler across multiple versions and requires only network access and valid credentials to exploit. While the CVSS score is moderate (6.3) and no active exploitation in the wild has been documented in KEV databases, the authentication bypass nature of this issue presents a real risk to organizations relying on Traveler for secure communications.
PinchTab versions 0.8.3 through 0.8.5 contain a security-policy bypass that allows arbitrary JavaScript execution through the POST /wait endpoint's fn mode, even when the security.allowEvaluate setting is explicitly disabled. While the /evaluate endpoint correctly enforces the allowEvaluate guard, the /wait endpoint fails to apply the same policy check before evaluating caller-supplied JavaScript expressions, enabling authenticated users with an API token to execute arbitrary code in browser tab contexts despite the operator's intention to disable JavaScript evaluation. A proof-of-concept demonstrating this bypass has been published by the vendor, showing that side effects can be introduced in page state and confirmed through subsequent requests.
The Zabbix Agent 2 Docker plugin contains an argument injection vulnerability in the 'docker.container_info' parameter handler that fails to properly sanitize user-supplied input before forwarding requests to the Docker daemon. An authenticated attacker who can invoke Agent 2 can exploit this flaw to read arbitrary files from running Docker containers by injecting malicious parameters through the Docker archive API, potentially exposing sensitive application data, credentials, and configuration files. While no CVSS score or EPSS data is currently available, and no indication of active exploitation in the wild has been reported, this represents a direct path to container escape and lateral movement for attackers with agent-level access.
iCMS v8.0.0 contains a Stored or Reflected Cross-Site Scripting (XSS) vulnerability in the User Management component's index.html file, where the regip and loginip parameters fail to properly sanitize user input before rendering in the HTML response. Remote attackers can exploit this vulnerability without authentication to execute arbitrary JavaScript in the context of victim browsers, potentially leading to session hijacking, credential theft, or malware distribution. A proof-of-concept has been publicly disclosed by the researcher, increasing real-world exploitation risk.
This is a Stored or Reflected Cross-Site Scripting (XSS) vulnerability (CWE-79) in Android-ImageMagick7 versions before 7.1.2-11 that allows attackers to inject malicious scripts through crafted image inputs or related user-controlled data. Attackers with network access and no authentication required can exploit this vulnerability to execute arbitrary JavaScript in the context of affected applications, leading to session hijacking, credential theft, or malware distribution. The vulnerability has a CVSS score of 6.1 (Medium) with cross-site scope, and a patch is available from the vendor, though no confirmed active exploitation in KEV or public proof-of-concept code has been widely documented.
A resource exhaustion vulnerability exists in Undertow where remote attackers can send HTTP GET requests with multipart/form-data content to trigger premature parsing and disk storage of request data, leading to Denial of Service when applications use parameter retrieval methods like getParameterMap(). The vulnerability affects multiple Red Hat products including Enterprise Linux 8, 9, and 10, JBoss Enterprise Application Platform 7 and 8, Red Hat Fuse 7, and several Apache Camel variants. An attacker with network access and no authentication can exhaust server disk resources with moderate attack complexity, causing service unavailability.
Astro web framework versions prior to 10.0.0 contain an unbounded JSON parsing vulnerability in the Server Islands POST handler that allows unauthenticated remote attackers to exhaust server memory and cause denial of service. The vulnerability affects all Astro SSR applications using the Node standalone adapter, regardless of whether Server Islands functionality is actually used, because the request body is parsed before route validation occurs. An attacker can craft a payload containing many small JSON objects to achieve approximately 15x memory amplification, crashing the process with a single malicious request.
This vulnerability in NVIDIA's B300 MCU (specifically the CX8 MCU component) allows privileged attackers with network access to modify unsupported hardware registries, potentially causing denial of service and data tampering. The flaw affects HGX and DGX B300 systems and requires high privileges and non-trivial attack complexity to exploit, though no public exploit code or active exploitation has been reported at this time. SSVC assessment indicates the vulnerability presents partial technical impact with no known automated exploitation capability.