Open-Xchange Dovecot Pro contains an LDAP filter injection vulnerability in its authentication module that allows remote unauthenticated attackers to inject arbitrary LDAP filters when the auth_username_chars configuration parameter is left empty, potentially enabling authentication bypass and reconnaissance of LDAP directory structures. The vulnerability carries a low CVSS score of 3.7 due to high attack complexity requirements, and no public exploit code has been identified at the time of analysis.
Denial of service in Open5GS 2.7.6 via malformed CCA (Credit-Control-Answer) messages in the SMF (Session Management Function) component allows remote attackers to crash the service without authentication. The vulnerability affects the smf_gx_cca_cb, smf_gy_cca_cb, and smf_s6b functions in the CCA Message Handler, with publicly available exploit code demonstrating the attack despite high complexity requirements. CVSS 6.3 reflects the availability impact and remote attack vector, though exploitation requires crafted network conditions.
Page-Replica endpoint /sitemap improperly validates the url parameter in the sitemap.fetch function, enabling server-side request forgery (SSRF) attacks by authenticated users. An attacker with login credentials can craft malicious requests to make the vulnerable server fetch arbitrary internal or external resources, potentially exposing sensitive data or facilitating lateral movement. The vulnerability affects all versions up to commit e4a7f52e75093ee318b4d5a9a9db6751050d2ad0 under the product's rolling release model, with publicly available exploit code and an EPSS score indicating elevated exploitation probability, though the vendor has not responded to early disclosure.
HTML injection in wandb OpenUI up to version 1.0 allows remote unauthenticated attackers to inject arbitrary HTML via manipulation of the ID argument in the create_share and get_share functions in backend/openui/server.py. The attack requires user interaction and has a publicly available exploit. CVSS score is 5.3 (moderate) with EPSS indicating limited practical exploitation probability. The vendor has not responded to disclosure attempts.
SQL injection in code-projects Social Networking Site 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in delete_photos.php, potentially enabling unauthorized data access, modification, or deletion. The vulnerability affects an unknown function in the Endpoint component and has publicly available exploit code, increasing the likelihood of active abuse despite the moderate CVSS 5.3 score.
SQL injection in itsourcecode Free Hotel Reservation System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /admin/mod_room/index.php?view=edit, leading to unauthorized database query execution. The vulnerability requires valid admin credentials (CVSS PR:L) but has publicly available exploit code and represents a moderate information disclosure and integrity risk (CVSS 5.3 with limited confidentiality, integrity, and availability impact). Active exploitation status is not confirmed via CISA KEV, but proof-of-concept code is documented in public repositories.
SQL injection in mingSoft MCMS 5.5.0 allows authenticated remote attackers to manipulate the Web Content List Endpoint (ContentAction.java) and execute arbitrary database queries, potentially leading to unauthorized data disclosure, modification, or deletion. The vulnerability requires low-privilege authentication (CVSS PR:L) and has publicly available exploit code disclosed on GitHub, making it an active threat to deployed MCMS instances.
Cross-site request forgery (CSRF) in SourceCodester Note Taking App up to version 1.0 allows remote attackers to perform unauthorized actions via crafted requests, exploiting lack of CSRF token validation. The vulnerability requires user interaction (clicking a malicious link) but carries no authentication barrier. Publicly available exploit code exists, elevating practical risk despite the moderate CVSS score of 4.3.
Cross-site request forgery (CSRF) in SourceCodester Diary App 1.0 allows unauthenticated remote attackers to manipulate an unknown function within diary.php, potentially leading to unauthorized state-changing actions. The vulnerability has a moderate CVSS score of 5.3 with user interaction required, and publicly available exploit code exists, though active exploitation status is unconfirmed. An attacker could craft malicious web pages to trick users into performing unwanted actions within the application.
Code injection in HuggingFace smolagents 1.25.0.dev0 allows remote attackers without authentication to execute arbitrary code through incomplete remediation of CVE-2025-9959 in the local Python executor component. The vulnerability affects the evaluate_augassign, evaluate_call, and evaluate_with functions in src/smolagents/local_python_executor.py, with publicly available exploit code and active public disclosure despite lack of vendor response.
Server-side request forgery in letta-ai letta 0.16.4 allows authenticated remote attackers to manipulate ImageContent parameters in the _convert_message_create_to_message function within the file URL handler, enabling arbitrary HTTP requests to internal or external systems. Letta versions up to and including 0.16.4 are affected. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications, leaving affected deployments without an official patch at time of analysis.
Stored cross-site scripting (XSS) in code-projects Social Networking Site 1.0 allows authenticated remote attackers to inject malicious scripts via the content parameter in the Alert Handler component (/home.php), requiring user interaction to trigger. The vulnerability carries a CVSS score of 5.1 (medium) with publicly available exploit code, though no confirmed active exploitation in the wild has been reported. Affected users can have their sessions hijacked or credentials stolen if they interact with malicious alerts crafted by authenticated attackers.
Stored cross-site scripting (XSS) in code-projects Online Reviewer System up to version 1.0 allows authenticated users with high privileges to inject malicious scripts via the Description parameter in /system/system/students/assessments/databank/btn_functions.php, which are then executed in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and has publicly available exploit code, but poses minimal real-world risk given the high privilege requirement (PR:H) and low impact severity (CVSS 2.4).
Stored cross-site scripting (XSS) in code-projects Exam Form Submission 1.0 allows authenticated remote attackers to inject malicious scripts via the sname parameter in /admin/update_s7.php, potentially compromising administrator sessions and enabling unauthorized actions. Publicly available exploit code exists for this vulnerability, though it requires high-privilege authentication to trigger. The CVSS 2.4 score reflects limited impact (information integrity only) and the requirement for authenticated access and user interaction, but the public availability of working exploit code elevates practical risk.
OpenBMB XAgent 1.0.0 allows authenticated remote attackers to bypass authorization controls via manipulation of the interaction_id argument in the WebSocket ReplayServer endpoint (XAgentServer/application/websockets/replayer.py), enabling unauthorized access to replay functionality. The vulnerability requires low privileges and is difficult to exploit due to high attack complexity, but publicly available exploit code exists. No vendor patch has been released despite early disclosure notification.
Open WebUI versions prior to 0.8.6 allow authenticated users to read other users' private memories through an insufficiently restricted API endpoint at `/api/v1/retrieval/query/collection`, exposing sensitive user data stored within the self-hosted AI platform. The vulnerability requires valid authentication credentials and carries a CVSS score of 3.1 with low attack complexity, indicating limited real-world exploitability despite the information disclosure impact. No public exploit code or active exploitation has been confirmed at the time of analysis.
The FLIP login page in versions 0.1.1 and prior lacks rate limiting and CAPTCHA protection, enabling unauthenticated remote attackers to conduct brute-force and credential-stuffing attacks against user accounts. The vulnerability affects the Federated Learning and Interoperability Platform, an open-source medical imaging AI training system where users are typically external to host organizations, amplifying the risk of credential reuse. While the CVSS score is low (2.7), the attack vector is network-based, requires no authentication or interaction, and directly enables unauthorized account access with potential integrity impact.
Stored cross-site scripting (XSS) in SourceCodester Online Quiz System up to version 1.0 allows authenticated remote attackers to inject malicious scripts via the quiz_question parameter in endpoint/add-question.php, affecting users who view the injected quiz content. The vulnerability has CVSS 5.1 (low-to-moderate severity), requires user interaction to trigger, and public exploit code is available. An attacker with quiz management privileges can compromise quiz participants through JavaScript execution in their browsers.
OpenBMB XAgent 1.0.0 exposes sensitive API credentials in log files through improper handling of the api_key argument in the FunctionHandler.handle_tool_call function, allowing remote authenticated attackers with high privileges to disclose confidential information. The vulnerability is classified as information disclosure (CWE-200) with a CVSS score of 5.1 and has publicly available exploit code; however, the vendor has not responded to early disclosure notification.
DNS name constraint validation bypass in cryptography library versions prior to 46.0.6 allows peer names to bypass X.509 name constraint checks during certificate validation. The vulnerability arises because name constraints were applied only to Subject Alternative Names (SANs) in child certificates but not to the peer name presented during validation, permitting a certificate for bar.example.com to validate against a wildcard leaf certificate (*.example.com) even when an excluded subtree constraint for bar.example.com existed in the parent certificate. Exploitation requires an uncommon X.509 topology not typically present in the Web PKI, and no public exploit code or active exploitation has been identified.
GlobaLeaks whistleblowing platform versions prior to 5.0.89 contain insufficient input validation in the /api/support endpoint, permitting attackers to inject arbitrary URLs into support request emails sent to administrators. This can facilitate phishing attacks, credential harvesting, or social engineering by making malicious links appear to originate from legitimate support communications. Remote attackers without authentication can exploit this vulnerability to craft convincing fraudulent messages to site administrators.