OpenClaw versions prior to commit 8aceaf5 allow authenticated remote attackers to bypass shell-bleed protection validation by crafting complex command forms such as piped execution, command substitution, or subshell invocation, enabling execution of arbitrary script content that should be blocked. The vulnerability affects the validateScriptFileForShellBleed() parser, which fails to recognize obfuscated command structures; no public exploit code has been identified at time of analysis, though a vendor patch is available.
Denial of service in Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 allows unauthenticated remote attackers to consume disproportionate CPU, memory, I/O, and bandwidth by supplying many small overlapping byte ranges in HTTP Range headers, bypassing the existing CVE-2024-26141 fix that only validates total byte coverage. The vulnerability affects Rack's file-serving paths that process multipart byte range responses, enabling attackers to degrade service availability with minimal request complexity.
Denial of service in Rack::Utils.select_best_encoding allows unauthenticated remote attackers to consume disproportionate CPU resources via a crafted Accept-Encoding header containing multiple wildcard entries, affecting Rack versions prior to 2.2.23, 3.1.21, and 3.2.6. The vulnerability exploits quadratic time complexity in the encoding selection algorithm used by Rack::Deflater middleware, enabling a single HTTP request to trigger sustained CPU exhaustion and application unavailability.
User enumeration in osTicket v1.18.2's password reset endpoint (/pwreset.php) enables remote attackers to discover valid usernames through response analysis, facilitating targeted account compromise attempts. No CVSS score, CISA KEV status, or confirmed patch information is available; exploitation likelihood depends on whether timing or behavioral differences between valid and invalid usernames can be reliably detected without authentication.
Keycloak's SingleUseObjectProvider lacks proper type and namespace isolation, allowing unauthenticated remote attackers with user interaction to delete arbitrary single-use entries and replay consumed action tokens such as password reset links, leading to account compromise. The vulnerability requires user interaction (UI:R) and high attack complexity (AC:H), resulting in a CVSS score of 5.3. No public exploit code or active exploitation has been confirmed at time of analysis.
Rack::Static fails to apply security-relevant response headers to URL-encoded variants of static file paths, allowing attackers to bypass header-based security controls by requesting percent-encoded forms of protected resources. This affects Rack versions prior to 2.2.23, 3.1.21, and 3.2.6, and is particularly dangerous in deployments relying on Rack::Static to enforce Content-Security-Policy, X-Frame-Options, or similar protective headers on static content. No public exploit code or active exploitation has been confirmed at time of analysis.
Unauthenticated remote attackers can access configuration files containing database credentials in MB Connect Line mbconnect24 and mymbconnect24 products, resulting in disclosure of sensitive authentication material. Although CVSS rates this as 5.3 (low severity confidentiality impact), the practical risk is limited because the disclosed credentials cannot be directly exploited to compromise additional systems-no exposed endpoint exists to leverage them. No public exploit code or active exploitation has been identified at the time of analysis.
Rack web server interface versions prior to 2.2.23, 3.1.21, and 3.2.6 fail to properly escape regex metacharacters when constructing directory path filtering expressions, causing the Rack::Directory component to expose full filesystem paths in HTML directory listings. An unauthenticated remote attacker can retrieve sensitive path information by requesting directory listings when the configured root path contains regex special characters such as +, *, or ., achieving low-confidentiality impact with CVSS 5.3. No public exploit code or active exploitation has been confirmed at time of analysis.
SEPPmail Secure Email Gateway before version 15.0.3 allows unauthenticated attackers to inject arbitrary HTML into notification emails about new CA certificates, enabling stored cross-site scripting (XSS) attacks against email recipients. An attacker with the ability to trigger CA certificate notifications can craft malicious HTML payloads that execute when recipients view the notification email, potentially leading to credential theft, malware distribution, or further compromise of email infrastructure. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the remark parameter in the VPN authentication user management interface (/manage/vpnauthentication/user/). The injected payload persists in the database and executes when other authenticated users access the affected page, enabling session hijacking, credential theft, or lateral privilege escalation within the firewall management console.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the remark parameter in the /manage/password/web/ endpoint. The injected payload is persistently stored and executes when other authenticated users access the affected page, enabling session hijacking, credential theft, or lateral movement within the firewall management interface. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaScript via the remark parameter in the IPSec management interface (/manage/ipsec/), which persists and executes when other users access the affected page. This requires user interaction (page view) and only affects session integrity and information disclosure within the administrative interface. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaScript via the remark parameter in the DNS local domains management interface (/manage/dnsmasq/localdomains/). The injected payload persists in the application and executes when other authenticated users access the affected page, enabling session hijacking, credential theft, or malware distribution within the firewall management environment. No public exploit code or active exploitation has been reported.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the ADDRESS BCC parameter in /cgi-bin/smtprouting.cgi, with the payload executed when other users view the affected page. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), limiting real-world impact to internal threat actors with valid credentials, though successful exploitation could compromise session integrity and user data within the firewall management interface.
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the domain parameter in the /manage/smtpscan/domainrouting/ endpoint, with execution when other authenticated users view the page. The vulnerability requires user interaction (page view) and authenticated access, resulting in a CVSS score of 5.1 with scope change and integrity impact to other users' sessions. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting in Endian Firewall versions 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the DOMAIN parameter in /cgi-bin/smtpdomains.cgi, which is executed when other users view the affected page. The vulnerability requires user interaction and authenticated access but can impact session security and administrative controls. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting in Endian Firewall version 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the group parameter in /cgi-bin/proxygroup.cgi, with the malicious payload persisting and executing when other users access the affected page. CVSS score of 5.1 reflects moderate severity with limited scope of impact; exploitation requires prior authentication and user interaction but can affect confidentiality and integrity within the application context. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the user parameter in /cgi-bin/proxyuser.cgi, which is then executed when other users view the affected page. This requires user interaction (page view) but enables session hijacking, credential theft, or administrative action abuse within the firewall's web interface. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the mimetypes parameter in /cgi-bin/proxypolicy.cgi, which is executed when other users access the affected page. CVSS 5.1 reflects moderate impact; exploitation requires prior authentication and user interaction, limiting real-world severity despite the persistent nature of stored XSS. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the remark parameter in /cgi-bin/xtaccess.cgi, which is executed when other users view the affected page. The vulnerability requires valid user credentials and user interaction but can compromise session tokens and sensitive data of administrators and other firewall users. No public exploit code or active exploitation has been confirmed at this time.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and earlier allows authenticated attackers to inject arbitrary JavaScript via the remark parameter in /cgi-bin/vpnfw.cgi, which persists and executes when other users access the affected page. CVSS 5.1 reflects low immediate confidentiality/integrity impact but user interaction requirement; the vulnerability requires authenticated access (PR:L), limiting blast radius compared to unauthenticated XSS.
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaScript via the remark parameter in /cgi-bin/zonefw.cgi, which persists and executes when other administrators or users access the affected configuration page. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), limiting immediate risk but enabling account compromise and lateral movement within firewall administrative interfaces.
Endian Firewall 3.3.25 and earlier allows authenticated users to store arbitrary JavaScript in the remark parameter of /cgi-bin/outgoingfw.cgi, which executes when other users view the affected page. This stored cross-site scripting (XSS) vulnerability requires valid login credentials but can compromise session tokens, steal administrative actions, or perform lateral attacks within the firewall management interface. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and earlier allows authenticated attackers to inject arbitrary JavaScript through the remark parameter in /cgi-bin/incoming.cgi, which is then executed when other users access the affected page. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), resulting in a CVSS 5.1 score with limited scope impact; no public exploit code or active exploitation has been confirmed.
Stored XSS in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaScript via the remark parameter in /cgi-bin/snat.cgi, which persists and executes when other administrators or users access the affected page. The vulnerability requires low-privilege authentication and user interaction (page view), limiting immediate impact but creating persistent data integrity and session hijacking risks within the appliance administrative interface.
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated users to inject malicious JavaScript via the remark parameter in /cgi-bin/dnat.cgi, which persists and executes when other administrators or users access the affected page. This requires valid login credentials but can compromise the integrity and confidentiality of management sessions for other users.
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the dscp parameter in the QoS rules management interface (/manage/qos/rules/). When other authenticated users view the affected configuration page, the injected script executes in their browser context, enabling session hijacking, credential theft, or lateral movement within the firewall management console. EPSS risk is elevated at moderate severity (CVSS 5.1), and no public exploit code or active exploitation has been confirmed.
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the name parameter in the QoS classes management interface (/manage/qos/classes/), which is executed when other users access the affected page. The vulnerability requires user interaction and authentication, resulting in a CVSS 5.1 score with limited scope of impact; no public exploit code or active exploitation has been confirmed.
Stored cross-site scripting (XSS) in Endian Firewall version 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the remark user ham spam parameter in /cgi-bin/salearn.cgi. The injected payload is stored and executed in the browsers of other users who view the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed; real-world risk is limited by the authentication requirement and user interaction dependency.
Endian Firewall 3.3.25 and earlier contains stored cross-site scripting (XSS) in the DHCP fixed leases management interface, where the remark parameter fails to sanitize user input. An authenticated attacker can inject malicious JavaScript into the remark field at /manage/dhcp/fixed_leases/ that persists in the application and executes in the browsers of other administrators viewing the same page, enabling session hijacking, credential theft, or unauthorized configuration changes. No public exploit code or active exploitation has been confirmed; however, the vulnerability requires only low-privilege authentication and normal user interaction to trigger.
Stored cross-site scripting in Endian Firewall 3.3.25 and earlier allows authenticated attackers to inject arbitrary JavaScript via the NAME parameter in /cgi-bin/uplinkeditor.cgi, which is executed when other users access the affected page. The vulnerability requires user interaction (UI:P) and low privileges (PR:L), limiting immediate automated exploitation but enabling account compromise and lateral privilege escalation within authenticated user populations. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject arbitrary JavaScript via the remark parameter in the /manage/dnsmasq/hosts/ endpoint. The injected payload is stored server-side and executed in the browsers of any user who subsequently views the affected page, enabling session hijacking, credential theft, or malware distribution. CVSS 5.1 reflects the moderate impact and requirement for user interaction; no public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting in Endian Firewall 3.3.25 and prior allows authenticated attackers to inject malicious JavaScript via the remark parameter in /cgi-bin/routing.cgi, which persists and executes when other users access the affected page. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), limiting its immediate blast radius, but enables session hijacking, credential theft, or administrative impersonation within the firewall management interface.
Szafir SDK Web browser addon allows unauthenticated attackers to launch the SzafirHost application with arbitrary arguments by crafting malicious websites that spoof the HTTP origin via the document_base_url parameter. When a victim visits an attacker's site and confirms application execution (or has previously selected 'remember' for a spoofed origin), the application runs in the attacker's context, potentially downloading malicious files and libraries without further user interaction. The vulnerability was resolved in version 0.0.17.4. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting (XSS) in Endian Firewall 3.3.25 and earlier allows authenticated attackers to inject arbitrary JavaScript via the new_cert_name parameter in the /manage/ca/certificate/ endpoint. The injected payload is stored and executed when other users access the affected page, enabling session hijacking, credential theft, or malware distribution within the firewall management interface. No public exploit code or active exploitation has been confirmed at the time of this analysis.
Stored cross-site scripting in Endian Firewall 3.3.25 and earlier allows authenticated attackers to inject arbitrary JavaScript via the REMARK parameter in /cgi-bin/openvpnclient.cgi, with the payload persisted and executed when other users access the affected page. CVSS 5.1 reflects low immediate impact due to user interaction requirement and limited scope, but the stored nature increases attack persistence; no public exploit code or CISA KEV confirmation identified at time of analysis.
SEPPmail Secure Email Gateway before version 15.0.3 allows remote attackers to read encrypted email contents intended for other users by crafting specially malformed email addresses that exploit LDAP injection in the recipient validation process. This information disclosure vulnerability affects all versions prior to 15.0.3 and requires only network access to send a specially crafted email, making it a practical attack vector against organizations using vulnerable SEPPmail deployments.
Out-of-bounds read in NanoMQ MQTT Broker webhook processing allows remote attackers with high privileges to trigger denial of service by sending malformed JSON payloads. Prior to version 0.24.10, the hook_work_cb() function in webhook_inproc.c passes unsanitized binary message buffers directly to cJSON_Parse(), which reads past buffer boundaries when payloads lack null terminators. The vulnerability is reliably exploitable when JSON payload length is a power-of-two >=1024 bytes, bypassing nng's allocation padding protection. No public exploit code or active exploitation has been identified.
Host header validation bypass in Rack 3.0.0.beta1-3.1.20 and 3.2.0-3.2.5 allows unauthenticated remote attackers to poison Host headers by injecting RFC-noncompliant characters (/, ?, #, @) that pass the AUTHORITY regex but are accepted by req.host, req.url, and req.base_url. Applications relying on naive prefix or suffix matching for host validation, link generation, or origin checks can be bypassed, enabling host header poisoning attacks. No public exploit code or active exploitation has been confirmed at the time of analysis.
Rack versions 3.2.0 through 3.2.5 fail to properly unfold folded multipart headers containing obs-fold sequences, preserving embedded CRLF characters in parsed parameter values like filename and name. This allows unauthenticated remote attackers with high request complexity to inject HTTP response headers or split responses when applications reuse these parsed values, leading to potential session hijacking, cache poisoning, or credential theft. The vulnerability carries a moderate CVSS score of
HTTP response desynchronization in Rack web server framework versions prior to 2.2.23, 3.1.21, and 3.2.6 allows remote attackers to cause Content-Length header mismatches by requesting non-existent paths with percent-encoded UTF-8 characters. The vulnerability stems from Rack::Files#fail using String#size instead of String#bytesize when setting Content-Length, causing declared header values to be smaller than actual bytes transmitted, potentially leading to response framing errors and information disclosure in deployments sensitive to Content-Length validation. No public exploit code or confirmed active exploitation identified at time of analysis.
Rack::Utils.forwarded_values in Rack 3.0.0.beta1 through 3.1.20 and 3.2.0 through 3.2.5 misparses RFC 7239 Forwarded headers by splitting on semicolons before processing quoted strings, allowing attackers to inject or smuggle host, proto, for, or by parameters when an upstream proxy or WAF interprets the same header differently. The vulnerability affects request routing and protocol detection logic, enabling potential cache poisoning, host header injection, or protocol confusion attacks in architectures where intermediaries validate quoted Forwarded values inconsistently. No public exploit code or active exploitation has been confirmed at the time of analysis.
OpenSSH before version 10.3 mishandles the authorized_keys principals option when a principals list is combined with a Certificate Authority that uses certain comma character patterns, allowing authenticated local or remote users to disclose sensitive authorization information or manipulate authentication decisions. This vulnerability affects all OpenSSH versions prior to 10.3p1 and requires authenticated access (PR:L) with non-trivial attack complexity (AC:H), resulting in partial confidentiality and integrity impact. No public exploit code or active exploitation has been identified at time of analysis.
HCL BigFix Platform allows local attackers to bypass authentication and access sensitive application areas without credentials, affecting confidentiality of data. The vulnerability requires local access but no privileges or user interaction, and is classified as a moderate-risk authentication bypass (CVSS 4.0) with limited technical complexity. Patches are available through HCL vendor advisories.