OpenBiz Cubi Lite 3.0.8 contains a SQL injection vulnerability in the login form that allows unauthenticated attackers to manipulate database queries through the username parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Library CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Wecodex Hotel CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows unauthenticated attackers to bypass authentication by injecting SQL code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Shipping System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in qdPM 9.1 timeReport endpoint enables remote unauthenticated attackers to extract database contents via crafted filter_by parameters in POST requests. Public exploit code exists (Exploit-DB 45767), and CISA SSVC framework confirms proof-of-concept availability with automatable exploitation. Despite 8.8 CVSS severity, EPSS risk probability remains low at 0.07% (21st percentile), suggesting limited observed exploitation activity. Attackers can retrieve sensitive project management data including credentials, user information, and business records without authentication.
ASP.NET jVideo Kit 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the 'query' parameter in the search functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Online Store System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Wecodex Restaurant CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the username parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Remote code execution in FreeBSD kernel's RPCSEC_GSS implementation (kgssapi.ko) and userspace RPC servers (librpcgss_sec) allows low-privileged authenticated attackers to execute arbitrary code via crafted network packets. Affects FreeBSD 13.5, 14.3, 14.4, and 15.0 branches. Publicly available exploit code exists (GitHub/Gist), though EPSS probability remains low (0.05%, 16th percentile) and CISA has not listed this in KEV, suggesting limited observed exploitation despite high CVSS 8.8 score and total technical impact per SSVC framework.
KomSeo Cart 1.3 contains an SQL injection vulnerability that allows attackers to inject SQL commands through the 'my_item_search' parameter in edit.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SAT CFDI 3.3 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the 'id' parameter in the signIn endpoint. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files including system configurations, environment files, and SSH private keys by bypassing media parsing validation functions. The vulnerability stems from incomplete path validation in isLikelyLocalPath() and isValidMedia() functions, with an allowBareFilename bypass permitting sandbox escape. Vendor-released patch available in commit 4797bbc (CVSS 8.7, no public exploit identified at time of analysis).
River Past CamDo 3.7.6 contains a structured exception handler (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PassFab Excel Password Recovery 8.3.1 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious payload in. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PassFab RAR Password Recovery 9.3.2 contains a structured exception handler (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious payload. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PDF Explorer 1.5.66.2 contains a structured exception handler (SEH) overflow vulnerability that allows local attackers to execute arbitrary code by overwriting SEH records with malicious data. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Nsauditor 3.0.28.0 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying malicious input to the DNS Lookup tool. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Boxoft wav-wma Converter 1.0 contains a local buffer overflow vulnerability in structured exception handling that allows attackers to execute arbitrary code by crafting malicious WAV files. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Allok Video Splitter 3.1.1217 contains a buffer overflow vulnerability that allows local attackers to cause a denial of service or execute arbitrary code by supplying an oversized string in the. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A critical OS command injection vulnerability exists in the Diagnostic Tool Interface of Netcore Power 15AX routers up to firmware version 3.0.0.6938. An authenticated attacker with low-level privileges can remotely execute arbitrary operating system commands by manipulating the IpAddr parameter in the setTools function of /bin/netis.cgi. A public proof-of-concept exploit has been released on GitHub, significantly increasing the risk of active exploitation, though the vendor has not responded to disclosure attempts.
Remote authenticated attackers can execute arbitrary code on Tenda AC5 routers (firmware version 15.03.06.47) by exploiting a stack-based buffer overflow in the WPS configuration handler. The vulnerability resides in the formWifiWpsOOB function handling POST requests to /goform/WifiWpsOOB, where insufficient validation of the 'index' parameter allows memory corruption. A publicly available exploit code exists (CVSS 8.8, EPSS data not provided), enabling authenticated attackers with low-privilege access to achieve complete device compromise with high impact on confidentiality, integrity, and availability.
Stack-based buffer overflow in Tenda AC5 router firmware version 15.03.06.47 enables remote authenticated attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The vulnerability resides in the formSetCfm function's handling of the funcpara1 parameter in POST requests to /goform/setcfm. A publicly available exploit exists with proof-of-concept code disclosed through VulDB and documented in detailed technical write-ups, significantly lowering the barrier to exploitation for threat actors targeting vulnerable devices.
Remote attackers with low-level credentials can execute arbitrary code on Tenda AC5 wireless routers running firmware version 15.03.06.47 by exploiting a stack-based buffer overflow in the formQuickIndex function via a crafted PPPOEPassword parameter in POST requests to /goform/QuickIndex. Publicly available exploit code exists, including detailed proof-of-concept documentation published on Notion, elevating immediate risk for devices exposed to authenticated network users. The CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability with network-based attack vector and low complexity.
Remote attackers with low-level authentication can achieve full system compromise on Tenda AC5 routers running firmware version 15.03.06.47 by exploiting a stack-based buffer overflow in the addressNat POST request handler. The fromAddressNat function fails to validate the 'page' parameter, enabling memory corruption that leads to high confidentiality, integrity, and availability impact (CVSS 8.8). Publicly available exploit code exists, significantly lowering the barrier to exploitation.
Buffer overflow in UTT HiPER 1250GW firmware versions up to 3.2.7-210907-180535 allows authenticated remote attackers to achieve code execution through a malformed GroupName parameter in the DNS filter configuration handler. Public exploit code exists for this vulnerability and no patch is currently available. Affected organizations should restrict network access to administrative interfaces until remediation is possible.
Remote attackers can exploit a stack-based buffer overflow in the /cgi-bin/nas.cgi endpoint of Wavlink WL-NU516U1 by manipulating the Content-Length parameter to achieve unauthenticated remote code execution. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. Authentication is required to trigger the flaw, limiting exposure to authenticated users or those with network access to the device.
Online Quiz Maker 1.0 contains SQL injection vulnerabilities in the catid and usern parameters that allow authenticated attackers to execute arbitrary SQL commands. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
School Management System CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows attackers to bypass authentication by injecting SQL code through the username. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Malformed DICOM files with non-standard VR types trigger uncontrolled memory allocation in Grassroots DICOM (GDCM) library, enabling remote denial-of-service attacks without authentication. CISA ICS-CERT issued an ICSMA advisory (26-083-01) highlighting impacts to medical imaging systems that rely on GDCM for DICOM parsing. The vulnerability allows heap exhaustion from a single malicious file read operation, with CVSS 7.5 (High severity, network-accessible, no privileges required). No public exploit identified at time of analysis.
Out-of-bounds write vulnerabilities in Siemens CPCI85 Central Processing/Communication and SICORE Base system (versions below V26.10) allow unauthenticated remote attackers to crash critical industrial control system services through maliciously crafted XML requests, resulting in denial-of-service conditions. CISA's SSVC framework marks this as automatable with partial technical impact, though no public exploit has been identified at time of analysis. The CVSS 4.0 score of 8.7 reflects high availability impact (VA:H) with network accessibility requiring no authentication (PR:N).
Remote denial-of-service in Siemens CPCI85 Central Processing/Communication and RTUM85 RTU Base (versions below V26.10) allows adjacent network attackers to exhaust system resources via high-volume requests, forcing device reset or reboot to restore parameterization functionality. No public exploit identified at time of analysis. CVSS 7.1 (High) with adjacent network access vector and no privileges required indicates moderate real-world risk for industrial environments where these RTU and control processing devices operate.
Squid proxy versions prior to 7.5 contain use-after-free and premature resource release vulnerabilities in ICP (Internet Cache Protocol) traffic handling that enable reliable, repeatable denial of service attacks. Remote attackers can exploit these memory safety bugs to crash the Squid service by sending specially crafted ICP packets, affecting deployments that have explicitly enabled ICP support via non-zero icp_port configuration. While no CVSS score or EPSS value is currently published, the vulnerability is confirmed by vendor advisory and includes a public patch commit, indicating moderate to high real-world risk for affected deployments.
DOM-based Cross-Site Scripting in Ory Polis (formerly BoxyHQ Jackson) SAML-to-OAuth bridge allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via crafted callbackUrl parameters. Versions prior to 26.2.0 are affected, with vendor-released patch available in version 26.2.0. No public exploit identified at time of analysis. CVSS score of 8.8 reflects network-based attack vector with low complexity requiring only user interaction, though SSVC framework rates technical impact as partial with no observed exploitation and non-automatable attack pattern.
Authentication bypass in Incus webui (versions prior to 6.23.0) permits local or remote attackers to gain unauthorized access to the system container and virtual machine manager via an improperly validated authentication token. The vulnerability allows attackers who can reach the temporary localhost web server to escalate privileges to the level of the user running 'incus webui', enabling control over containers, virtual machines, and potentially underlying system resources. CVSS score of 8.8 (High) reflects network attack vector with low complexity requiring user interaction; no public exploit identified at time of analysis.
Remote code execution vulnerability in EVerest electric vehicle charging software stack allows adjacent network attackers to execute arbitrary code by sending malformed SLAC protocol frames. EVerest-core versions prior to 2026.02.0 are affected due to a stack buffer overflow in HomeplugMessage::setup_payload that trusts an attacker-controlled length parameter in release builds. SSVC analysis indicates proof-of-concept exploit code exists, though the vulnerability is not automatable and requires adjacent network access (CVSS 8.8, AV:A).
The Amelia Booking plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in versions up to and including 9.1.2 that allows authenticated attackers with customer-level permissions to bypass authorization controls and modify user passwords, including administrator accounts, potentially leading to complete site takeover. This vulnerability affects the pro version of the plugin available on CodeCanyon and carries a CVSS score of 8.8 (HIGH). No evidence of active exploitation (KEV) or public proof-of-concept is currently documented, but the vulnerability has been publicly disclosed by Wordfence.
The Masteriyo LMS plugin for WordPress contains a critical privilege escalation vulnerability that allows authenticated users with Student-level access or higher to elevate their privileges to administrator level. All versions up to and including 2.1.6 are affected. The vulnerability is exploitable over the network with low attack complexity and requires no user interaction, resulting in a critical CVSS score of 9.8, though the CVSS vector indicates no authentication required (PR:N) which conflicts with the description stating Student-level access is needed.
Vienna Assistant 1.2.542 on macOS allows local privilege escalation through an unauthenticated XPC service endpoint that accepts connections from any process. The vulnerable VSL privileged helper service exposes functions to write arbitrary files to any location and execute arbitrary binaries with any arguments, enabling a low-privileged local user to gain root access. A proof-of-concept exploit exists per SSVC assessment, with an EPSS score of 0.02% indicating low observed exploitation probability in the wild.
Unauthenticated remote code execution as root is possible in thingino-firmware through the WiFi captive portal CGI script due to command injection in query and POST parameter parsing. Attackers on the adjacent network (AV:A) can inject arbitrary commands through unsanitized HTTP parameter names, enabling full device takeover including root password reset and SSH key manipulation for persistent access. No public exploit is identified at time of analysis, though VulnCheck has published an advisory detailing the vulnerability mechanics.
Netty HTTP/2 servers can be rendered unresponsive by remote attackers flooding CONTINUATION frames with zero-byte payloads, bypassing existing header size limits and exhausting CPU resources. The affected package is io.netty:netty-codec-http2 (tracked via GitHub Security Advisory GHSA-w9fj-cfpg-grvv). Authentication requirements are not confirmed from available data. No public exploit identified at time of analysis, though the technical details provided in the advisory enable straightforward reproduction. The low bandwidth requirement for this CPU-based denial of service makes it highly practical for disrupting services at scale.
Small HTTP Server 3.06.36 contains an unquoted service path vulnerability (CWE-428) allowing local authenticated attackers to execute arbitrary code with elevated privileges by placing malicious executables in higher-priority directories. Despite a CVSS 4.0 score of 8.7, real-world risk is significantly lower with only 0.02% EPSS probability (4th percentile) and no public exploit identified at time of analysis. INCIBE has reported this vulnerability with patches available from the vendor.
ClearanceKit 4.1 and earlier for macOS allows local authenticated users to completely bypass configured file access policies via seven unmonitored file operation event types. The opfilter Endpoint Security extension only intercepted ES_EVENT_TYPE_AUTH_OPEN events, enabling processes to perform rename, unlink, and five other file operations without policy enforcement or denial logging. Version 4.2 branch contains the fix via commit a3d1733. No public exploit identified at time of analysis, but exploitation requires only local access with low privileges (CVSS PR:L) and no special complexity.
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Web management interface of ASUS router models that allows an unauthenticated attacker to perform actions with the privileges of an authenticated administrator, potentially including arbitrary system command execution. The vulnerability affects ASUS router products across multiple versions due to insufficient CSRF token validation in the web interface. While no CVSS score or EPSS data is currently available, the ability to execute system commands on a network-critical device represents a critical severity threat.
RATOC RAID Monitoring Manager for Windows contains an insecure directory permissions vulnerability when the installation folder is customized to a non-default location. The installer fails to properly set access control lists (ACLs) on custom installation directories, allowing non-administrative users to modify folder contents and execute arbitrary code with SYSTEM privileges. With a CVSS 4.0 score of 8.5, this represents a high-severity local privilege escalation vulnerability affecting Windows systems where this RAID management software is installed.
TigerVNC x0vncserver versions prior to 1.16.2 expose screen contents to unauthorized local users through incorrect file permissions in Image.cxx, enabling information disclosure, screen manipulation, or denial of service. The vulnerability has CVSS 8.5 (High) with local attack vector requiring no privileges or user interaction, and scope change indicating potential impact beyond the vulnerable component. No public exploit identified at time of analysis, though technical details are available via GitHub commit and mailing list disclosure.
Small HTTP Server 3.06.36 allows local attackers with low privileges to execute arbitrary code through an unquoted service path vulnerability in the http.exe service executable. By placing a malicious executable in a higher-priority directory along the unquoted path 'C:\Program Files (x86)\shttps_mg\http.exe service', attackers can achieve full system compromise with high confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, and CISA SSVC framework indicates no current exploitation, though technical impact is rated as total.
Stack-based buffer overflow in EVerest EV charging software allows unauthenticated local attackers to execute arbitrary code via overly long CAN interface names during initialization. The vulnerability (CWE-121) affects everest-core versions prior to 2026.02.0 with CVSS 8.4 (High severity). Proof-of-concept exploit code exists according to SSVC assessment, and the flaw triggers before privilege checks, enabling attack with no user privileges required. The vulnerability is tracked as EUVD-2026-16199 by ENISA.
RATOC RAID Monitoring Manager for Windows contains a DLL hijacking vulnerability in its installer that loads DLLs from the current directory without proper path validation. If an attacker can place a malicious DLL in the directory where a user runs the installer, arbitrary code can be executed with administrator privileges. The vulnerability has a CVSS score of 8.4 with local attack vector requiring user interaction, and has been publicly disclosed through JPCERT coordination with vendor advisory available.
Local authenticated attackers can bypass file access policies in ClearanceKit (macOS system extension) versions prior to 4.2.4 by using specific file operation event types (ES_EVENT_TYPE_AUTH_EXCHANGEDATA and ES_EVENT_TYPE_AUTH_CLONE) that were not intercepted by the opfilter enforcement mechanism. This policy bypass allows unauthorized file access, modification, and data exfiltration despite configured access controls. EPSS exploitation probability is minimal (0.01%, 2nd percentile) and no active exploitation or public POC has been identified. Patch available in version 4.2.4 via commit 6181c4a, requiring system extension reactivation.