Prompt injection in 1millionbot Millie chatbot allows remote attackers to bypass chat restrictions using Boolean logic techniques, enabling retrieval of prohibited information and execution of unintended tasks including potential abuse of OpenAI API keys. The vulnerability exploits insufficient input validation in the LLM's containment mechanisms, permitting attackers to reformulate queries in ways that trigger affirmative responses ('true') that then execute injected instructions outside the chatbot's intended scope.
Symlink-based path traversal in ONNX Python library allows local attackers to read arbitrary files on the host system when loading maliciously crafted ONNX models with external data. Affected users who load untrusted ONNX models from compressed archives or external sources may inadvertently expose sensitive files (/etc/passwd, environment variables via /proc/1/environ, etc.). Publicly available exploit code exists with a detailed proof-of-concept demonstrating the vulnerability. No EPSS score or CISA KEV listing available at time of analysis, suggesting exploitation is not yet widespread.
Arbitrary code execution in baserCMS versions before 5.2.3 allows authenticated administrators to achieve remote code execution via malicious PHP files embedded in backup restore archives. The vulnerability exploits unsafe file inclusion during ZIP extraction in the restore function, where uploaded PHP files are executed via require_once without filename validation. No public exploit identified at time of analysis, though EPSS score of 0.00043 (0.043%) and CVSS 8.7 indicate moderate theoretical risk mitigated by high privilege requirements (PR:H).
Stored cross-site scripting in Dassault Systèmes DELMIA Factory Resource Manager (R2023x through R2025x) allows authenticated attackers to inject malicious scripts that execute in victims' browser sessions with changed scope impact. CVSS 8.7 severity reflects the scope change (S:C) enabling attacks beyond the vulnerable component's privileges. No public exploit code identified and not listed in CISA KEV at time of analysis, though the low attack complexity (AC:L) indicates straightforward exploitation once authenticated access is obtained.
Stored Cross-Site Scripting (XSS) in Dassault Systèmes ENOVIA Collaborative Industry Innovator's Document Management module enables authenticated attackers to inject malicious scripts that execute in other users' browser sessions across 3DEXPERIENCE releases R2023x through R2025x. With CVSS 8.7 (High severity) and scope change (S:C), successful exploitation allows session hijacking, credential theft, and persistent compromise of users accessing manipulated documents. EPSS data not available; no public exploit identified at time of analysis, though the low attack complexity (AC:L) makes exploitation straightforward once an attacker gains low-privilege access (PR:L).
Telegram bot token exposure in OpenClaw's media download error handling allows unauthenticated remote attackers to harvest sensitive API credentials through information disclosure. Versions prior to 2026.3.13 embed complete Telegram file URLs containing bot tokens in MediaFetchError exceptions, leaking credentials to application logs and error surfaces. With EPSS data unavailable and no CISA KEV listing, no public exploit identified at time of analysis, though the vulnerability requires minimal technical sophistication to exploit given the network-accessible attack vector and low complexity (CVSS:3.1/AV:N/AC:L/PR:N).
Stored cross-site scripting (XSS) in SiYuan personal knowledge management system versions prior to 3.6.2 escalates to remote code execution in the Electron desktop client. Attackers craft malicious .sy.zip import files containing HTML entities mixed with raw special characters that bypass server-side attribute escaping, injecting event handlers into imported notes. When victims open the compromised note in the Electron client, injected JavaScript executes with full Node/Electron API access, enabling arbitrary code execution. CVSS 8.6 (High) with local attack vector requiring user interaction; no public exploit identified at time of analysis.
Remote code execution in OpenClaw (versions prior to 2026.3.12) enables attackers to execute arbitrary malicious code when users open compromised repositories. The vulnerability stems from automatic plugin loading from .OpenClaw/extensions/ directories without trust verification, allowing attackers to embed malicious workspace plugins in cloned Git repositories. CVSS 9.8 (Critical) reflects network-based exploitation requiring no authentication or user interaction. No public exploit identified at time of analysis, though the attack mechanism is straightforward for social engineering scenarios targeting developers.
Stored cross-site scripting (XSS) in Checkmk 2.5.0 beta versions before 2.5.0b2 allows authenticated users with host or service creation permissions to inject malicious JavaScript that executes in the browsers of other users when they perform searches via the Unified Search feature, potentially enabling session hijacking, credential theft, or administrative account compromise.
WebSocket session fixation in OpenClaw before version 2026.3.28 enables attackers to maintain unauthorized access after credential revocation. The vulnerability permits unauthenticated remote attackers (CVSS PR:N) to exploit persistent WebSocket connections that fail to terminate when device tokens are revoked, resulting in high confidentiality impact. No public exploit identified at time of analysis, though the attack vector is network-accessible with low complexity. EPSS data not available; affects OpenClaw deployments with WebSocket-based device communication.
Arbitrary file overwrite in UXGROUP LLC Voice Recorder v10.0 allows remote attackers to overwrite critical internal files through the file import mechanism, enabling arbitrary code execution or sensitive information exposure. No CVSS score, EPSS data, or KEV status was available at analysis time; exploitation likelihood cannot be quantified from standard metrics, but the presence of publicly documented vulnerability research suggests active security scrutiny.
Privilege escalation in OpenText Operations Agent versions 12.29 and earlier on Windows allows local attackers to execute arbitrary code by placing malicious executables in specific writeable directories, which the agent subsequently executes with elevated privileges. The vulnerability requires local access and specific conditions to be present but does not require prior authentication to the agent itself. No public exploit code has been identified, and there is no confirmation of active exploitation at time of analysis.
Privilege escalation in OpenClaw versions prior to 2026.3.28 enables unauthenticated remote attackers to approve node pairings with unauthorized elevated scopes, bypassing authorization controls through missing callerScopes validation in the node pairing approval mechanism. This vulnerability (CWE-863: Incorrect Authorization) allows attackers to extend privileges onto paired nodes beyond their intended authorization level. CVSS 9.8 Critical with network-accessible attack vector requiring no authentication or user interaction. No public exploit identified at time of analysis, with EPSS data not available for this recent CVE.
Stored cross-site scripting (XSS) in Checkmk 2.5.0 beta allows authenticated users with pending change permissions to inject malicious JavaScript into the Pending Changes sidebar, executing in the browsers of other users who view that sidebar. This vulnerability affects the beta release 2.5.0 before version 2.5.0b2 and requires existing user authentication with specific permissions to exploit.
Arbitrary file overwrite in My Location Travel Timeline v11.80 by Squareapps LLC permits attackers to overwrite critical internal files through the file import process, resulting in arbitrary code execution or information disclosure. Attack vector and complexity details are not confirmed from available CVSS data, and active exploitation status is unconfirmed.
Arbitrary file overwrite in PDF Reader App TA/UTAX Mobile Print v3.7.2.251001 allows remote attackers to overwrite critical internal files during the file import process, potentially leading to remote code execution or unauthorized information exposure. The vulnerability affects a mobile print utility with demonstrated proof-of-concept documentation available on GitHub, though CVSS scoring and formal vendor patch status remain unavailable at time of analysis.
Arbitrary file overwrite in InTouch Contacts & Caller ID APP v6.38.1 allows remote attackers to overwrite critical internal files through the file import process, enabling arbitrary code execution or sensitive information exposure. Affected versions are limited to 6.38.1; no CVSS score, EPSS, or active exploitation status (KEV) is available at this time, though the vulnerability chain to RCE presents material risk.
Command injection in Cato Networks Socket (versions prior to 25) enables authenticated administrators with web interface access to execute arbitrary commands as root on the underlying system. The vulnerability requires high-level privileges (CVSS PR:H) but offers complete system compromise once accessed, with network-based attack vector and low complexity. No public exploit identified at time of analysis, though the command injection class (CWE-78) is well-understood and straightforward to weaponize once administrative credentials are obtained.
Authorization bypass in scitokens-cpp library (all versions prior to 1.4.1) allows authenticated attackers to escape path-based scope restrictions via parent-directory traversal in token scope claims. The library incorrectly normalizes '..' components instead of rejecting them, enabling privilege escalation to access resources outside intended directories. EPSS data not provided, but the vulnerability is network-exploitable with low attack complexity (CVSS 8.3). No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the fix commit is publicly documented.
NVIDIA Jetson system initialization flaw allows authenticated remote attackers to exploit insecure default machine IDs, enabling cross-device information disclosure of encrypted data and tampering. Affects JetPack on Xavier and Orin series devices. CVSS 8.3 (High) with network attack vector and low complexity. EPSS data not available; no confirmed active exploitation (CISA KEV status not present). The vulnerability enables attackers with low-level privileges to compromise multiple devices sharing identical default machine identifiers, undermining cryptographic protections and system integrity across the device fleet.
FastMCP OAuthProxy allows authentication bypass through a Confused Deputy attack, enabling attackers to hijack victim OAuth sessions and gain unauthorized access to MCP servers. When victims who previously authorized a legitimate MCP client are tricked into opening a malicious authorization URL, the OAuthProxy fails to validate browser-bound consent, redirecting valid authorization codes to attacker-controlled clients. This affects the GitHubProvider integration and potentially all OAuth providers that skip consent prompts for previously authorized applications. No public exploit identified at time of analysis, though detailed reproduction steps are publicly documented in the GitHub security advisory.
GraphQL query complexity validator in Parse Server allows remote denial-of-service via crafted queries with binary fan-out fragment spreads, blocking the Node.js event loop for seconds with a single unauthenticated request. Parse Server versions prior to 8.6.68 and 9.7.0-alpha.12 are affected when requestComplexity.graphQLDepth or requestComplexity.graphQLFields options are enabled. EPSS data not provided; no public exploit identified at time of analysis. CVSS 8.2 (High) reflects network-accessible attack with low complexity requiring no privileges, causing high availability impact.
Parse Server versions prior to 8.6.71 and 9.7.1-alpha.1 allow HTTP Range requests to bypass the afterFind trigger and its validators when downloading files from streaming-capable storage adapters like GridFS, enabling unauthorized access to protected files that should be restricted by authentication or authorization logic. This authentication bypass affects all deployments using affected versions with file protection policies enforced via afterFind triggers.
File Browser's self-registration mechanism grants arbitrary shell command execution to unauthenticated attackers when administrators enable signup alongside server-side execution. The signupHandler inherits Execute permissions and Commands lists from default user templates but only strips Admin privileges, allowing newly registered users to immediately execute arbitrary commands via WebSocket with the process's full privileges. Vendor patch available. EPSS data not provided, but the specific configuration requirement (signup + enableExec + Execute in defaults) significantly narrows the attack surface despite the network-accessible, unauthenticated attack vector (CVSS 8.1 High). No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis beyond the detailed proof-of-concept in the advisory.
Path traversal in SciTokens library (all versions before 1.9.7) allows authenticated attackers to bypass directory access restrictions and access unauthorized files. Attackers can inject dot-dot-slash sequences (..) into JWT scope claims to escape intended authorization boundaries due to improper path normalization during enforcement checks. CVSS 8.1 (High) with network attack vector and low complexity. EPSS data not available; no confirmed active exploitation (CISA KEV) identified at time of analysis, though publicly available exploit code exists via GitHub advisory and commit references.
Weak pseudo-random number generation in Cloudreve enables JWT forgery and complete account takeover on instances initialized before v4.10.0. Attackers can brute-force the PRNG seed (achievable in under 3 hours on consumer hardware) by obtaining administrator creation timestamps via public APIs and validating against known hashids, then forge valid JWTs for any user including administrators. No public exploit confirmed at time of analysis, though detailed attack methodology is disclosed. CVSS 8.1 (High) reflects network-accessible privilege escalation despite high attack complexity requiring cryptographic brute-forcing.
Authorization bypass in SciTokens C++ library (versions prior to 1.4.1) allows authenticated attackers to access unauthorized filesystem paths via flawed scope validation. The library's path-prefix matching does not enforce path-segment boundaries, enabling a token scoped to '/data/project1' to incorrectly authorize access to '/data/project10' or '/data/project1-backup'. CVSS 8.1 (High) reflects the significant confidentiality and integrity impact, though exploitation requires low-privilege authenticated access (PR:L). No public exploit identified at time of analysis, with EPSS data not available for recent CVE. Vendor-released patch available in version 1.4.1.
Authorization bypass in SciTokens library (versions prior to 1.9.6) allows authenticated users with valid tokens scoped to specific paths to access unintended sibling paths through flawed prefix-matching validation logic. An attacker with a token for '/john' can access '/johnathan' or '/johnny' due to incorrect string prefix validation in the Enforcer component, enabling unauthorized data access and modification (CVSS 8.1, High integrity/confidentiality impact). No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit with valid credentials (EPSS data not provided, CVSS complexity rated Low).
Sereal::Encoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.
Sereal::Decoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.
Cross-site request forgery in WWBN AVideo 26.0 and earlier enables remote attackers to reconfigure critical plugin settings through forged requests targeting admin/save.json.php. The endpoint lacks CSRF token validation while the application sets SameSite=None cookies, allowing attackers to manipulate payment processors, authentication providers, and cloud storage credentials by tricking authenticated administrators into visiting malicious pages. No vendor-released patch identified at time of analysis. EPSS data unavailable; not listed in CISA KEV; no public exploit identified at time of analysis, though exploitation requires only standard CSRF techniques.
Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrary commands when models are served with enable_mlserver=True. Unsanitized model_uri parameters embedded in bash -c commands enable shell metacharacter exploitation (command substitution via $() or backticks). With CVSS 9.6 (Critical) and adjacent network attack vector, this poses significant risk in multi-tenant MLOps environments where lower-privileged users can control model URIs served by higher-privileged services. No public exploit code identified at time of analysis, with EPSS data not yet available for this recent CVE.
Local privilege escalation via hardcoded build path in vcpkg's OpenSSL binaries affects Windows users of the C/C++ package manager prior to version 3.6.1#3. The vulnerability allows authenticated local attackers with low privileges to achieve high confidentiality, integrity, and availability impact (CVSS 7.8) by exploiting the hardcoded openssldir path that references the original build machine. Upstream fix available (PR #50518, commit 5111afd); patched version 3.6.1#3 released. No public exploit identified at time of analysis, with EPSS data not available for this recent CVE.
Deserialization of untrusted data in NVIDIA BioNeMo Framework enables local attackers to execute arbitrary code, cause denial of service, disclose sensitive information, or tamper with data when users open malicious files. CVSS 7.8 (High) reflects local attack vector requiring user interaction. EPSS data not available; no public exploit identified at time of analysis. Affects NVIDIA BioNeMo Framework, a platform for AI-driven drug discovery and biomolecular research.
InfCode's terminal auto-execution module fails to properly validate PowerShell commands due to an ineffective blacklist and lack of semantic parsing, allowing attackers to bypass command filtering through syntax obfuscation. When a user imports a specially crafted file into the IDE, the Agent executes arbitrary PowerShell commands without user confirmation, leading to remote code execution or sensitive data exfiltration. No public exploit code or active exploitation has been confirmed at time of analysis.
Heap overflow in MuPDF 1.27.0 PDF parser enables arbitrary code execution when victims open maliciously crafted PDF files. Integer overflow in pdf_load_image_imp function allows heap-based buffer overflow through crafted PDF image objects. Upstream fix committed (a26f0142e7) but packaged release version unconfirmed. EPSS probability low (0.02%, 4th percentile) indicates theoretical risk without active exploitation campaigns. Requires local file access and user interaction (opening malicious PDF), limiting remote attack scenarios but viable for phishing/watering hole attacks.
Nhost CLI MCP server before version 1.41.0 allows cross-origin requests without authentication when explicitly configured to listen on a network port, enabling malicious websites to invoke privileged tools using developer credentials. The vulnerability requires two explicit non-default configuration steps and does not affect the default configuration, significantly limiting real-world exposure.
Server-Side Request Forgery (SSRF) in FastGPT's Model Context Protocol (MCP) tools endpoints allows authenticated attackers to probe internal networks, access cloud metadata services (e.g., AWS/GCP instance credentials), and interact with backend databases like MongoDB and Redis. Affects FastGPT versions prior to 4.14.9.5. The vulnerability has CVSS 7.7 (High) with scope change indicating potential lateral movement to other system components. EPSS data not available; no confirmed active exploitation (not in CISA KEV). Public exploit code exists via GitHub security advisory GHSA-x9vj-5m4j-9mfv with technical details and proof-of-concept guidance.
Memory corruption leading to arbitrary code execution affects AWS C Event Stream library versions before 0.6.0 when clients process malicious event-stream messages from attacker-controlled servers. The out-of-bounds write vulnerability in the streaming decoder requires high attack complexity and user interaction (CVSS:3.1/AV:N/AC:H/PR:N/UI:R), but grants complete control over confidentiality, integrity, and availability if successfully exploited. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026-dated CVE. Vendor-released patch version 0.6.0 addresses the issue.
Directory traversal in agentic-context-engine up to version 0.7.1 enables arbitrary file writes through the checkpoint_dir parameter in OfflineACE.run, exploiting inadequate path normalization in the save_to_file method. Unauthenticated attackers can overwrite arbitrary files within the application process's permissions scope, potentially achieving code execution, privilege escalation, or application compromise depending on deployment context and file system layout.
Stored XSS in File Browser's EPUB preview function (versions ≤v2.62.1) allows authenticated attackers to steal JWT tokens and escalate privileges by uploading malicious EPUB files. The vulnerability arises from passing allowScriptedContent:true to the epub.js library combined with an ineffective iframe sandbox (allow-scripts + allow-same-origin), enabling JavaScript in crafted EPUBs to access parent frame localStorage. CVSS 7.6 (AV:N/AC:L/PR:L/UI:R/S:C). No public exploit identified at time of analysis beyond the detailed PoC in the advisory. EPSS data not available. Vendor-released patch available per GitHub advisory. Low-privilege users with file upload permissions can weaponize this to compromise administrator sessions.
Command injection in NVIDIA Jetson Linux initrd allows physical attackers to execute arbitrary code with elevated privileges across Jetson Xavier, Orin, and Thor series devices. An attacker with physical access can inject malicious command-line arguments during boot without authentication (CVSS:3.1/AV:P/AC:L/PR:N), leading to complete system compromise including root-level code execution, denial of service, and data exfiltration. EPSS data not available; no public exploit identified at time of analysis, though the low attack complexity (AC:L) and physical-only requirement (AV:P) suggest exploitation is straightforward for adversaries with device access.
Server-Side Request Forgery in InvoiceShelf 2.x allows authenticated administrators to exfiltrate internal network data via malicious HTML in estimate PDF generation. The vulnerability stems from unsanitized user input passed to the Dompdf rendering library, enabling arbitrary HTTP requests from the server. Exploitable through PDF preview and customer view endpoints without requiring email functionality. Patched in version 2.2.0. CVSS 7.6 reflects high confidentiality impact with scope change (C:H/S:C), requiring high privileges (PR:H) but low attack complexity over network vector. No confirmed active exploitation (not in CISA KEV), but the technical barrier is low for authenticated attackers with administrative access.
Server-Side Request Forgery in InvoiceShelf prior to version 2.2.0 allows authenticated high-privilege users to force the server to make arbitrary HTTP requests through the invoice PDF generation module. Attackers can inject malicious HTML into the invoice Notes field, which Dompdf processes without sanitization, fetching remote resources and potentially accessing internal network services or exfiltrating data via out-of-band channels. EPSS data not available; no public exploit identified at time of analysis. The CVSS score of 7.6 reflects high confidentiality impact with scope change, indicating potential for significant internal network reconnaissance.
Server-Side Request Forgery in InvoiceShelf's PDF payment receipt generation allows authenticated high-privilege users to make arbitrary HTTP requests from the server through unsanitized HTML injection in payment Notes fields. The vulnerability affects InvoiceShelf versions prior to 2.2.0, leveraging the Dompdf library's resource fetching behavior to pivot attacks against internal network resources or exfiltrate data via DNS/HTTP channels. CVSS 7.6 reflects network-accessible attack with low complexity but high privileges required and cross-scope impact. No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE. Vendor-released patch available in version 2.2.0 per GitHub security advisory.
Heap-based buffer overflow in gdk-pixbuf's JPEG image loader enables remote denial of service through malformed JPEG images without user interaction. The vulnerability triggers during automated image processing operations like thumbnail generation across Red Hat Enterprise Linux 6 through 10, allowing unauthenticated network attackers to crash applications that process JPEG images. EPSS score of 0.09% (25th percentile) suggests low observed exploitation activity, consistent with SSVC assessment showing no active exploitation despite the vulnerability being fully automatable.
Unauthenticated attackers can remotely terminate any active live stream in WWBN AVideo 26.0 and prior by sending crafted POST requests to the on_publish_done.php endpoint in the Live plugin. The vulnerability combines two weaknesses: an unauthenticated stats.json.php endpoint that exposes active stream keys, and the on_publish_done.php RTMP callback handler that processes stream termination requests without authentication or authorization checks. This enables complete denial-of-service against all platform live streaming functionality. CVSS 7.5 (High) with network attack vector, low complexity, and no privileges required. No vendor-released patch identified at time of analysis; EPSS data not available.
Unauthenticated remote access to restricted documents in Admidio 5.0.0-5.0.7 Docker deployments allows disclosure of role-protected files. The Docker image's Apache configuration disables .htaccess processing (AllowOverride None), bypassing intended access controls on uploaded documents. Attackers can directly retrieve files via HTTP without authentication using paths disclosed in upload response JSON. CVSS 7.5 (High) with network-based attack vector and no authentication required. No public exploit identified at time of analysis, though exploitation is straightforward given the configuration flaw.
PAGI::Middleware::Session::Store::Cookie through version 0.001003 generates cryptographically weak initialization vectors (IVs) for session cookie encryption by falling back to Perl's built-in rand() function when /dev/urandom is unavailable, particularly affecting Windows systems. This predictable IV generation enables attackers to decrypt and tamper with session data stored in cookies, compromising session confidentiality and integrity. No active exploitation has been confirmed, but the vulnerability affects all deployments on systems lacking /dev/urandom access.
JWT token forgery in appsup-dart/jose library (versions prior to 0.3.5+1) enables remote attackers to bypass authentication by embedding attacker-controlled public keys in JOSE headers. The library incorrectly accepts header-supplied 'jwk' parameters as trusted verification keys without validating they exist in the application's trusted keystore, allowing unauthenticated attackers to sign arbitrary tokens with their own key pairs. EPSS data not available; no public exploit identified at time of analysis, though exploitation requires only standard JWT manipulation tools.