Unauthenticated remote code execution affects Progress ShareFile Storage Zones Controller versions up to 5.12.3 via unauthorized access to restricted configuration pages. Attackers can modify system configuration remotely without authentication, leading to complete system compromise. Publicly available exploit code exists (watchTowr Labs GitHub). EPSS score of 0.41% suggests relatively low observed exploitation despite critical CVSS 9.8 rating and POC availability. Vendor patch released per ShareFile security advisory.
Remote code execution in Progress ShareFile Storage Zones Controller versions up to 5.12.3 allows high-privileged authenticated users to upload and execute malicious files on the server. The CVSS 9.1 score reflects scope change and total system compromise. Publicly available exploit code exists (confirmed by Italian CERT), though EPSS probability remains low at 0.19% and no active exploitation is confirmed by CISA KEV. Real-world risk depends heavily on authentication controls and privileged account management in ShareFile deployments.
Unauthenticated remote attackers can trigger complete database overwrites, server-side file reads, and SSRF attacks against Dgraph graph database servers (v24.x, v25.x prior to v25.3.1) via the admin API's restoreTenant mutation. The mutation bypasses all authentication middleware due to missing authorization configuration, allowing attackers to provide arbitrary backup source URLs (including file:// schemes for local filesystem access), S3/MinIO credentials, Vault configuration paths, and encry
Remote Code Execution in Group-Office enterprise CRM via insecure deserialization allows authenticated attackers to write arbitrary files and execute code on the server. Affects all versions prior to 6.8.156, 25.0.90, and 26.0.12 across multiple product branches. CVSS 9.9 (Critical) with network-based attack vector requiring only low-privileged authentication. No public exploit identified at time of analysis, though the technical details in the GitHub Security Advisory provide sufficient impleme
SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via the =n operator. Affects all versions prior to 17.2.3. Attack complexity is low with no user interaction required, enabling authenticated users to escalate privileges, modify data integrity, and potentially compromise availability across scope boundaries. Vendor-released patch confirms fix in version 17.2.3. EPSS score of 0.04% (13th percentile) indicates low probability of mass exploitation, though the CVSS 9.9 critical rating reflects severe potential impact in targeted scenarios. No CISA KEV listing or public exploit code identified at time of analysis.
Percona PMM (Percona Monitoring and Management) versions prior to 3.7 allow authenticated users with pmm-admin privileges to execute arbitrary operating system commands by exploiting excessive database superuser privileges through the 'Add data source' feature. This privilege escalation vulnerability enables container/system breakout from database context to shell access. EPSS score is low (0.04%, 13th percentile) indicating minimal observed exploitation activity, and CISA SSVC assessment confirms no active exploitation with non-automatable attack characteristics, though technical impact is rated total.
JWT signature verification bypass in ConvoyPanel 3.9.0-beta through 4.5.0 allows unauthenticated remote attackers to forge authentication tokens and impersonate any user account. The JWTService::decode() method validates only time-based claims while ignoring cryptographic signatures, enabling complete authentication bypass in the SSO flow by crafting tokens with arbitrary user_uuid values. CVSS 9.8 (Critical) with network attack vector, low complexity, and no privileges required. No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward to exploit given the technical details in the GitHub advisory.
Mbed TLS versions 2.19.0 through 3.6.5 and 4.0.0 allow remote code execution through memory corruption when attackers modify serialized SSL context or session structures. The vulnerability stems from insufficient validation of deserialized data, enabling arbitrary code execution on systems using affected versions. CISA KEV status and active exploitation data not confirmed in provided intelligence.
Supply chain compromise of @usebruno/cli (Bruno API testing tool) deployed a cross-platform Remote Access Trojan via malicious axios dependency versions 1.14.1 and 0.30.4 on npm during a 3-hour window (00:21-03:30 UTC, March 31, 2026). Unauthenticated remote attackers gained full system compromise including credential exfiltration and persistent RAT installation on affected developer workstations. No public exploit code required as the malicious payload executed automatically via npm postinstall
Unauthenticated privilege escalation in SignalK Server (versions prior to 2.24.0-beta.4) allows remote attackers to inject administrator roles via the /enableSecurity endpoint, granting full administrative control without credentials. Attackers can modify vessel routing data, alter server configurations, and access all restricted endpoints. No public exploit identified at time of analysis, but the critical CVSS 9.4 score reflects the trivial exploit complexity (AV:N/AC:L/PR:N) and high confidentiality/integrity impact to marine vessel control systems.
Remote code execution in Agno prior to version 2.3.24 allows attackers to execute arbitrary Python code by manipulating the field_type parameter in FunctionCall objects, which is passed unsafely to eval(). The vulnerability affects all versions before 2.3.24 and requires network access to influence the field_type value, enabling complete system compromise through code injection in the model execution component.
Hirschmann HiEOS devices contain an authentication bypass vulnerability in the HTTP(S) management module that allows unauthenticated remote attackers to gain administrative access by sending. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.
Unauthenticated remote code execution in OneUptime monitoring platform (versions < 10.0.42) allows attackers to trigger arbitrary workflow execution with controlled input data via exposed Worker service ManualAPI endpoints. The vulnerability enables JavaScript code execution, notification system abuse, and data manipulation without any authentication requirement. CVSS 9.2 (Critical) with network attack vector and low complexity; no public exploit identified at time of analysis, though the authentication bypass combined with RCE capability presents immediate risk to exposed instances.
Authentication bypass in OneUptime notification API endpoints allows unauthenticated remote attackers to manipulate Twilio account resources via missing authorization middleware. Affects all versions prior to 10.0.42. Attackers can purchase phone numbers on victim Twilio accounts and delete configured alerting numbers by exploiting unprotected /notification/ endpoints, using leaked projectId values from public Status Page APIs. No public exploit identified at time of analysis, though attack complexity is rated high (CVSS AC:H) and proof-of-concept details are available in the GitHub security advisory.
Remote denial-of-service in Belden Hirschmann HiOS Switch Platform allows unauthenticated attackers to reboot switches via crafted HTTP GET requests to the web interface. Affects versions 9.1.00-9.4.05 and 10.0.00-10.3.01. Exploitation requires no authentication (PR:N) and low complexity (AC:L), enabling trivial service disruption of network infrastructure. CVSS 9.2 (critical) reflects high availability impact on both vulnerable component and subsequent systems. No public exploit identified at time of analysis, though the attack vector is straightforward HTTP-based.
Arbitrary file write in Fireshare <1.5.3 allows unauthenticated remote attackers to upload malicious files to any writable server path via path traversal in the /api/uploadChunked/public endpoint's checkSum parameter. This represents an incomplete fix for CVE-2026-33645, where remediation was applied only to the authenticated endpoint while leaving the public variant exploitable. SSVC confirms publicly available exploit code exists and the vulnerability is automatable with partial technical impact. CVSS 9.1 (Critical) reflects network-accessible, low-complexity exploitation requiring no authentication or user interaction, enabling both integrity and availability compromise.
SQL injection in MB Connect Line's mbCONNECT24 and mymbCONNECT24 platforms allows unauthenticated remote attackers to execute arbitrary SQL commands via the setinfo endpoint, potentially destroying database integrity and causing complete service disruption. The vulnerability stems from insufficient input validation in SQL UPDATE operations. With CVSS 9.1 (Critical), CVSS vector PR:N confirms no authentication required, and attack complexity is low (AC:L), making this trivially exploitable. No public exploit identified at time of analysis, though the technical details disclosed in CERT@VDE advisory provide sufficient information for rapid weaponization.
Unauthenticated access to notification and phone management endpoints in OneUptime <10.0.42 allows remote attackers to abuse SMS, voice call, email, and WhatsApp messaging services and purchase phone numbers without authentication. The CVSS 9.1 (Critical) rating reflects network-accessible attack vector with no authentication required (PR:N) and low complexity (AC:L), enabling immediate abuse of platform communication services and potential financial fraud. Vendor-released patch available in version 10.0.42. No public exploit identified at time of analysis, though EPSS risk assessment would likely be elevated given the simplicity of exploitation and clear abuse potential.
JWT algorithm confusion in fast-jwt npm package allows remote attackers to forge authentication tokens with arbitrary claims by exploiting incomplete CVE-2023-48223 remediation. The vulnerability (CVSS 9.1 Critical) affects applications using RS256 with public keys containing leading whitespace-a common scenario in database-stored keys, YAML configurations, and environment variables. Attackers possessing the RSA public key (inherently public information) can craft HS256 tokens accepted as valid