Stack-based buffer overflow in Trendnet TEW-657BRM 1.00.1 wireless router allows authenticated remote attackers to achieve code execution via the update_pcdb function in /setup.cgi by manipulating the mac_pc_dba parameter. This vulnerability affects a product discontinued since June 2011 (14+ years end-of-life) with no vendor support or patches available. Publicly available exploit code exists, elevating immediate risk for organizations still operating legacy deployments. CVSS 7.4 with low attack complexity and proof-of-concept availability make this a practical exploitation target despite requiring low-privilege authentication.
Stack-based buffer overflow in Trendnet TEW-657BRM router firmware 1.00.1 allows authenticated remote attackers to achieve arbitrary code execution via the mac_pc_dba parameter in /setup.cgi's add_apcdb function. The product was discontinued in 2011 and receives no vendor support. A public exploit exists on GitHub, significantly lowering the barrier for exploitation against unpatched devices still deployed in production environments.
Remote code execution in Spam Protect for Contact Form 7 WordPress plugin before version 1.2.10 allows authenticated users with editor-level privileges to achieve arbitrary code execution by crafting malicious headers that are logged to a PHP file. The vulnerability is publicly exploitable with proof-of-concept code available, making it a critical risk for WordPress installations using affected plugin versions.
Arbitrary SQL execution in OpenSTAManager's database conflict resolution module allows authenticated attackers with access to the Aggiornamenti (Updates) feature to execute unrestricted SQL commands. Affecting versions prior to 2.10.2, attackers can submit JSON arrays of SQL statements that execute directly against the MySQL database with foreign key checks disabled, enabling complete database compromise including data exfiltration, modification, deletion, and schema manipulation. No public exploit identified at time of analysis, though EPSS data not available; authentication requirement (PR:L) and low attack complexity (AC:L) indicate straightforward exploitation for internal threats or compromised accounts.
Memory corruption in macOS Sequoia's image processing subsystem allows unauthenticated remote attackers to potentially execute arbitrary code when a user opens a specially crafted image file. Apple has patched this buffer overflow vulnerability in macOS 15.6. With a CVSS score of 8.8 and requiring only user interaction, this represents a significant attack surface for social engineering campaigns. EPSS data not available, but no public exploit or active exploitation confirmed at time of analysis. The SSVC framework rates this as total technical impact, reinforcing the criticality of applying the vendor patch.
Memory corruption in macOS Sequoia image processing allows remote attackers to achieve arbitrary code execution via maliciously crafted images requiring user interaction. Affects macOS Sequoia versions prior to 15.6, with CVSS 8.8 (High) severity due to potential for complete system compromise. EPSS data unavailable; no public exploit identified at time of analysis. Apple addressed the vulnerability through improved memory handling in macOS 15.6 (released June 2025). Attack requires victim to process a weaponized image file, making social engineering or malicious websites likely delivery vectors.
Memory corruption vulnerability in Apple iOS, iPadOS, and macOS allows local attackers to achieve denial of service or potentially arbitrary code execution through malicious file processing. The vulnerability affects iOS and iPadOS versions below 18.6 and macOS Sequoia below 15.6, and has been patched in iOS 18.6, iPadOS 18.6, and macOS Sequoia 15.6. No public exploit identified at time of analysis, and CVSS severity is not numerically specified by Apple, though the buffer overflow classification and file processing attack vector indicate moderate to high real-world risk for users who encounter malicious content.
Local privilege escalation in HCL BigFix Platform on Windows allows authenticated users with low privileges to access cryptographic private keys due to overly permissive file system permissions, potentially enabling complete system compromise with cross-scope impact. Authentication required (PR:L). No public exploit identified at time of analysis, though the attack is rated low complexity and fully automated. CVSS 8.8 severity driven by scope change and complete confidentiality/integrity/availability impact.
Remote command execution in Endian Firewall Community Edition 3.3.25 and earlier allows authenticated users to inject arbitrary OS commands through the DATE parameter in /cgi-bin/logs_smtp.cgi. The vulnerability stems from incomplete regular expression validation enabling Perl open() injection. With CVSS 8.7 severity and a low attack complexity (AC:L), this represents a critical post-authentication compromise vector. No public exploit identified at time of analysis, though the technical details disclosed by VulnCheck provide sufficient information for exploit development by threat actors with valid credentials.
Remote code execution in Endian Firewall versions ≤3.3.25 allows authenticated users with low privileges to execute arbitrary operating system commands through command injection in the logs_openvpn.cgi DATE parameter. The vulnerability stems from inadequate input validation in a Perl open() call, enabling attackers to break out of intended file path operations. CVSS 8.7 reflects the severe impact (complete system compromise) despite requiring authentication. EPSS and KEV data not provided; no public exploit identified at time of analysis, though the technical details disclosed suggest exploitation development is straightforward for authenticated attackers.
Remote code execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers with low-level privileges to execute arbitrary OS commands via command injection in the DATE parameter of /cgi-bin/logs_log.cgi. The vulnerability stems from incomplete regular expression validation in Perl open() file path handling. No public exploit identified at time of analysis, though CVSS 8.7 severity reflects high potential impact across confidentiality, integrity, and availability. EPSS data not provided; exploitation requires network access with low-privilege authentication but no user interaction.
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated attackers to execute arbitrary OS commands with firewall appliance privileges via command injection in the DATE parameter of /cgi-bin/logs_ids.cgi. The vulnerability stems from incomplete regular expression validation before passing user input to Perl's open() function. CVSS score of 8.7 reflects network-accessible attack with low complexity requiring only low-privilege authentication. No CISA KEV listing or public exploit code identified at time of analysis, though VulnCheck public disclosure increases weaponization risk for organizations using this legacy firewall appliance.
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject arbitrary OS commands through the DATE parameter in /cgi-bin/logs_firewall.cgi. The vulnerability stems from inadequate regular expression validation that fails to prevent command injection in Perl open() calls. Authentication is required (PR:L), but once accessed, attackers gain high-impact control over confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the technical details disclosed by VulnCheck provide sufficient information for weaponization. EPSS data not available for this recent CVE.
Remote command execution in Endian Firewall 3.3.25 and earlier allows authenticated users with low privileges to inject arbitrary OS commands through the DATE parameter in /cgi-bin/logs_clamav.cgi. The vulnerability stems from incomplete input validation before passing user-controlled data to Perl's open() function, enabling command injection. With CVSS 8.7 (High severity) and network-based exploitation requiring only low-privilege authentication, this represents a significant post-authentication attack surface. No public exploit identified at time of analysis, though the technical details provided enable reproduction.
Remote command execution in Endian Firewall Community ≤3.3.25 allows authenticated users to inject OS commands through the DATE parameter in /cgi-bin/logs_proxy.cgi due to incomplete input validation in Perl open() calls. Attack requires only low-privilege authentication (CVSS PR:L) with network access and no user interaction. No public exploit identified at time of analysis, though the technical details disclosed by VulnCheck provide a clear exploitation path for threat actors.
TP-Link Tapo C520WS v2.6 contains an authentication bypass in its HTTP-based DS configuration service that allows unauthenticated attackers to execute privileged device configuration actions by appending authentication-exempt parameters to requests. The vulnerability stems from inconsistent JSON request parsing and authorization logic, enabling unauthorized modification of device state without requiring valid credentials. No public exploit code has been identified at time of analysis, and a vendor-released patch is available.
Unauthenticated authentication bypass in Bulwark Webmail versions prior to 1.4.10 allows remote attackers to access and modify user settings without credentials. The vulnerability stems from flawed verifyIdentity() logic that returns true when session cookies are absent, enabling unauthorized manipulation of the /api/settings endpoint through arbitrary header injection. CVSS 8.7 (High) with attack vector network, low complexity, and no privileges required. No public exploit identified at time of analysis, though the authentication bypass mechanism is technically straightforward. Vendor-released patch: version 1.4.10.
Remote code execution in Hytale Modding Wiki version 1.2.0 and earlier allows authenticated users to upload malicious PHP files through a MIME type validation bypass. The quickUpload() endpoint performs independent validation of file content (via MIME type) and filename extension, enabling attackers to craft files with benign content signatures but executable .php extensions. Uploaded files are stored in a publicly accessible location, allowing direct URL access for server-side code execution. EPSS data unavailable; publicly available exploit code exists per SSVC assessment. No vendor-released patch identified at time of analysis.
Denial of service in gleam-wisp wisp 0.2.0 through 2.2.1 allows unauthenticated remote attackers to exhaust server memory or disk by sending arbitrarily large multipart form submissions that bypass configured size limits. The multipart_body and multipart_headers parsing functions fail to properly decrement resource quotas for chunks lacking multipart boundaries, enabling attackers to accumulate unbounded data in a single HTTP request. Patch available as of version 2.2.2.
Progress Flowmon versions prior to 12.5.8 allow authenticated low-privileged users to execute arbitrary commands on the server by crafting malicious requests during the report generation process. The vulnerability stems from improper input validation in the report generation functionality, enabling command injection attacks. While no CVSS score or public exploit code has been disclosed at time of analysis, the direct path to remote code execution via an authenticated user represents a significant risk to Flowmon deployments.
Bulwark Webmail prior to version 1.4.10 exposes user plaintext passwords through its session API endpoint, allowing network-positioned attackers to harvest credentials from browser logs, local caches, and network proxies. The /api/auth/session endpoint returns authentication credentials in JSON responses without encryption, creating an information disclosure vulnerability (CWE-312: Cleartext Storage of Sensitive Information). No public exploit identified at time of analysis, though exploitation requires only network access with no authentication (CVSS vector AV:N/AC:L/PR:N), making this a straightforward attack for adversaries monitoring network traffic or accessing browser storage.
Cryptographic verification bypass in SzafirHost (e-signature client software) allows remote attackers to deliver and execute malicious native libraries (DLL/SO/JNILIB/DYLIB) without authentication. While JAR files are hash- and signature-verified during auto-update, native libraries downloaded into the user's /temp folder skip all integrity checks, enabling code execution in the context of the web page initiating the download. Fixed in version 1.1.0. No public exploit identified at time of analysis, though attack complexity is low (CVSS AC:L) and requires no user interaction (UI:N), suggesting straightforward exploitation against users running vulnerable versions.
Sandbox escape in macOS Sequoia prior to 15.6 allows local applications with low privileges to break containment via symlink manipulation, potentially accessing restricted system resources and user data. Apple resolved this via improved symlink handling in macOS 15.6. CVSS score of 8.7 reflects high confidentiality and integrity impact with scope change. No public exploit identified at time of analysis, though SSVC framework indicates partial technical impact with no current exploitation evidence.
Hirschmann EagleSDV contains a denial-of-service vulnerability that causes the device to crash during session establishment when using TLS 1.0 or TLS 1.1. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
HiSecOS web server contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to the administrator role by sending specially. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Hirschmann Industrial IT products contain a heap overflow vulnerability in the HiLCOS web interface that allows unauthenticated remote attackers to trigger a denial-of-service condition by sending. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Server-side request forgery in Postiz AI social media scheduling tool (versions < 2.21.3) allows unauthenticated remote attackers to read internal network resources and cloud metadata endpoints through the /public/stream proxy endpoint. The vulnerability bypasses trivial .mp4 validation via query parameters or URL fragments, enabling unauthorized access to internal services without authentication. No public exploit identified at time of analysis, but CVSS 8.6 reflects high confidentiality impact with network-level attack vector and low complexity. EPSS data not available, but the combination of no authentication requirement and cloud metadata access risk makes this a priority for organizations running Postiz in cloud environments.
Stored cross-site scripting (XSS) in Hoppscotch versions prior to 2026.3.0 enables remote attackers to execute arbitrary JavaScript in victim browsers without authentication, potentially escalating to cross-site request forgery (CSRF) attacks against authenticated users. CVSS 8.5 (High) reflects network accessibility with low complexity but user interaction required. No public exploit identified at time of analysis, though the attack surface is well-understood for stored XSS vectors in API development tools where malicious payloads persist in shared workspaces or collections.
Progress Flowmon 12.x and 13.0.x contain a cross-site scripting (XSS) vulnerability allowing authenticated attackers to execute malicious JavaScript in administrator sessions via crafted links. Affected versions: Flowmon 12.x prior to 12.5.8 and 13.x prior to 13.0.6. CVSS 8.5 (High) reflects network-based delivery with low complexity requiring privileged access and user interaction. EPSS score of 0.05% (15th percentile) indicates minimal observed exploitation activity. No active exploitation confirmed (not in CISA KEV); SSVC designates exploitation status as 'none' with non-automatable attack requiring user interaction for total technical impact. Vendor Progress Software released patches addressing the XSS flaw.
Open redirect in Hoppscotch API development platform prior to version 2026.3.0 enables token exfiltration leading to complete account takeover. Attackers can craft malicious URLs that redirect authenticated users to attacker-controlled domains, stealing authentication tokens in transit. The vulnerability requires no authentication and minimal attack complexity (CVSS:4.0 AV:N/AC:L/PR:N), though user interaction is required (UI:A). No public exploit code or active exploitation confirmed at time of analysis, though the attack pattern is well-understood for CWE-601 vulnerabilities.
HiSecOS web server contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to the administrator role by sending specially. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Server-side request forgery (SSRF) in Postiz social media scheduling tool versions prior to 2.21.3 allows authenticated API users to fetch arbitrary URLs by exploiting the POST /public/v1/upload-from-url endpoint, which performs server-side URL fetching via axios without SSRF protections and relies solely on a bypassable file extension check. Attackers can retrieve internal network resources, cloud metadata, and internal service data, with responses captured and returned to the attacker. Vendor-released patch available in version 2.21.3.
A permissions issue was addressed with additional restrictions. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
Arbitrary file movement in MW WP Form plugin for WordPress (all versions ≤5.1.0) allows unauthenticated remote attackers to relocate server files and achieve remote code execution by moving critical files like wp-config.php. Exploitation requires a form with file upload capability and database inquiry storage enabled. CVSS 8.1 with network attack vector and high attack complexity. EPSS data not provided; no public exploit or CISA KEV status identified at time of analysis, though Wordfence threat intelligence has documented the vulnerability with source code references.
Authentication bypass in OneUptime SAML SSO implementation allows authenticated attackers to impersonate arbitrary users by exploiting XML signature verification logic flaws. Affected versions prior to 10.0.42 decouple signature validation from identity extraction, enabling XML injection attacks where an unsigned assertion with attacker-controlled identity precedes a legitimately signed assertion. EPSS and exploitation signals indicate publicly available exploit code exists with moderate technical complexity (CVSS AC:L, PR:L). No confirmed active exploitation (not in CISA KEV).
Privilege-escalation exposure in OpenSSH before 10.3 (fixed in 10.3p1) where scp, when run by root using the legacy SCP protocol flag -O and without -p (preserve mode), may write a downloaded file with setuid or setgid bits set, contrary to user expectation. A malicious or compromised SSH server (or a man-in-the-middle on the transfer) could thereby cause an attacker-controlled binary to land on disk as a setuid/setgid-root executable, enabling local privilege escalation when it is later run. There is no public exploit identified at time of analysis, EPSS is very low (0.04%), and CISA SSVC rates exploitation as 'none' though technical impact as 'total'.
Authenticated users with uma_protection role in Red Hat Keycloak can bypass User-Managed Access policy validation to gain unauthorized access to victim-owned resources. The vulnerability (confirmed actively exploited - CISA KEV) enables attackers to inject arbitrary resource identifiers during policy creation, obtaining Requesting Party Tokens for resources they do not own. With CVSS 8.1 (High), network-accessible attack vector, and low complexity, this represents a significant access control bypass in enterprise identity management deployments. EPSS data and public exploit status not confirmed from available data.
Argument/command injection in OpenSSH before 10.3 lets shell metacharacters embedded in an untrusted username trigger command execution on the SSH-client host. It affects deployments that both feed an attacker-influenced username to the ssh command line and use a non-default ssh_config where %-token expansion (e.g. in ProxyCommand/LocalCommand) is enabled. There is no public exploit identified at time of analysis, EPSS is negligible (0.01%), and it is not in CISA KEV; a fixed release (10.3/10.3p1) is available.
Local privilege escalation via command injection in TECNO Pova7 Pro 5G AssistFeedbackService allows unprivileged Android applications to execute arbitrary code with system privileges. The vulnerability affects all TECNO Pova7 Pro 5G firmware versions and requires local app installation but no user interaction or special permissions beyond app execution capability. No public exploit code or active exploitation has been confirmed at time of analysis.
SEPPmail Secure Email Gateway before version 15.0.3 allows attackers to bypass subject sanitization and forge security tags by exploiting Unicode lookalike characters, enabling email spoofing and phishing attacks that evade gateway security controls. This vulnerability affects all versions prior to 15.0.3, impacts organizations relying on SEPPmail for email security, and requires immediate patching. No public exploit code has been identified at the time of analysis.
SEPPmail Secure Email Gateway before version 15.0.3 fails to properly authenticate inner messages within S/MIME-encrypted MIME entities, permitting attackers to manipulate trusted email headers and potentially forge message authenticity. This vulnerability affects the cryptographic validation layer of the gateway, enabling header injection attacks that could deceive users about message origin or content integrity. No CVSS score, EPSS data, or active exploitation confirmation is available in current intelligence.
Account takeover in SEPPmail Secure Email Gateway versions before 15.0.3 allows unauthenticated attackers to reset victim account passwords by abusing GINA account initialization functionality, enabling full mailbox compromise without requiring legitimate credentials or administrative access.
Use-after-free in Linux kernel clsact qdisc initialization and destruction rollback allows local denial of service or potential information disclosure when qdisc replacement fails midway during tcf_block_get_ext() operations. The vulnerability stems from asymmetric initialization and cleanup paths where egress_entry references from a previous clsact instance remain valid during failure scenarios, leading to double-free or use-after-free conditions. Affected Linux kernel versions across all distributions that include the clsact traffic control qdisc require patching.
Use-after-free in Linux kernel netfilter BPF hook memory management allows local attackers to read sensitive kernel memory via concurrent nfnetlink_hooks dumping operations. The vulnerability arises from premature memory release in hook structures before RCU readers complete their access, enabling information disclosure through netlink interface. No active exploitation confirmed, but the KASAN report demonstrates reliable reproducer availability.
Use-after-free vulnerability in Linux kernel futex handling allows local attackers to read freed memory via race condition between futex_key_to_node_opt() and vma_replace_policy(). When mbind() concurrently replaces virtual memory area policies, __futex_key_to_node() may dereference a freed mempolicy structure, enabling information disclosure of kernel memory. The vulnerability requires local access and precise timing but poses memory safety risk in multi-threaded applications using futex operations alongside memory policy changes.
SEPPmail Secure Email Gateway before version 15.0.3 allows remote attackers to bypass subject line sanitization controls and forge authentication tags such as [signed OK], enabling email spoofing attacks that could deceive recipients into trusting fraudulent or malicious messages. The vulnerability affects all versions prior to 15.0.3 and has been publicly disclosed by NCSC.ch; no public exploit code or active exploitation has been independently confirmed at time of analysis.
SEPPmail Secure Email Gateway before version 15.0.3 allows remote attackers to inject malicious certificates into S/MIME signatures, enabling them to substitute attacker-controlled certificates for future encryption communications with victims. An attacker can exploit this by crafting a specially-formed signed email that embeds unauthorized certificates, which the gateway may then use for subsequent encrypted messages to the targeted recipient, resulting in compromise of encryption confidentiality. No public exploit code or active CISA KEV listing is currently confirmed, but the vulnerability was reported by Swiss national security authority NCSC.ch.
This issue was addressed through improved state management. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
A permissions issue was addressed with additional restrictions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
The issue was addressed with improved checks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.