Stack-based buffer overflow in Cesanta Mongoose mDNS Record Handler (versions up to 7.20) allows remote attackers to trigger memory corruption via malformed mDNS record data in the handle_mdns_record function. The vulnerability requires high attack complexity and network-level access but results in limited confidentiality, integrity, and availability impact. Publicly available exploit code exists; vendor released patched version 7.21 with immediate availability.
Information disclosure in Newgen OmniDocs up to version 12.0.00 allows remote attackers without authentication to extract sensitive data by manipulating the connectionDetails parameter in the /omnidocs/GetWebApiConfiguration endpoint. The vulnerability has a CVSS score of 6.3 with high attack complexity, and publicly available exploit code exists; however, no confirmed active exploitation has been reported. The vendor did not respond to early disclosure notification.
Command injection in efforthye fast-filesystem-mcp up to version 3.5.1 allows authenticated remote attackers to execute arbitrary system commands via the handleGetDiskUsage function in src/index.ts. The vulnerability has a CVSS score of 6.3 (medium) with publicly available exploit code and no vendor patch released despite early notification through issue tracking. Exploitation requires valid authentication credentials but carries low attack complexity.
Remote authenticated command injection in TrendNet TEW-657BRM 1.00.1 allows manipulation of the policy_name parameter in /setup.cgi vpn_connect function to achieve operating system command execution with limited impact. The affected router has been end-of-life since June 2011 and is no longer supported by the vendor; however, publicly available exploit code exists and the vulnerability demonstrates real command injection capability despite the legacy product status.
OS command injection in Trendnet TEW-657BRM 1.00.1 ping_test function allows authenticated remote attackers to execute arbitrary commands via manipulation of the c4_IPAddr parameter in /setup.cgi. Publicly available exploit code exists. The device has been end-of-life since June 2011 and is no longer supported by the vendor, making patching infeasible for affected users.
Remote code execution via OS command injection in TrendNet TEW-657BRM 1.00.1 allows authenticated attackers to execute arbitrary commands through the pcdb_list parameter in /setup.cgi. The affected device has been end-of-life since June 2011 with no vendor support; publicly available exploit code exists but real-world impact is limited to legacy, unsupported hardware.
OS command injection in TrendNet TEW-657BRM 1.00.1 router allows authenticated remote attackers to execute arbitrary commands via manipulation of the wl_enrolee_pin parameter in the /setup.cgi add_wps_client function. The vendor discontinued this product in June 2011 and provides no support; publicly available exploit code exists but real-world risk is minimal given the product's 14+ year obsolescence and the authentication requirement.
SQL injection in shsuishang modulithshop allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the sidx/sort parameter in the ProductItemDao Interface listItem function, potentially leading to unauthorized data access, modification, or denial of service. The vulnerability affects the rolling-release product across an unspecified version range; publicly available exploit code exists. CVSS 6.3 with exploitation probability noted (E:P), and a patch is available via upstream commit 42bcb9463425d1be906c3b290cf29885eb5a2324.
Out-of-bounds write in Nothings stb library up to version 1.22 allows remote attackers to corrupt memory and potentially execute code by crafting malicious Vorbis audio files that trigger improper bounds checking in the start_decoder function. Publicly available exploit code exists for this vulnerability, which affects all applications statically linking vulnerable stb_vorbis.c code. The vendor has not responded to disclosure attempts, leaving deployed instances without an official patch.
Resource exhaustion in Nothings stb library versions up to 1.22 allows unauthenticated remote attackers to cause denial of service through the setup_free function in stb_vorbis.c when processing malformed audio data. The vulnerability has publicly available exploit code and a low CVSS score of 4.3 reflecting limited impact, but represents a real availability risk in applications embedding this widely-used header-only graphics and audio library.
Out-of-bounds write in LibRaw's JPEG DHT parser (HuffTable::initval function) allows unauthenticated remote attackers to trigger a denial of service via malformed JPEG image files. LibRaw versions up to 0.22.0 are affected; publicly available exploit code exists. CVSS 4.3 (low severity) reflects denial-of-service impact only, with low attack complexity and no authentication required. Vendor-released patch available in version 0.22.1.
Reflected cross-site scripting (XSS) in itsourcecode Payroll Management System up to version 1.0 allows remote attackers to inject malicious scripts via the 'page' parameter in /navbar.php. The vulnerability requires user interaction (UI:R per CVSS vector) but carries a low CVSS score of 4.3 due to limited confidentiality impact. Publicly available exploit code exists, increasing real-world risk despite the moderate base score.
Cross-Origin Resource Sharing (CORS) misconfiguration in vanna-ai vanna up to version 2.0.2 allows authenticated remote attackers to establish permissive cross-domain policies with untrusted domains, leading to information disclosure. The vulnerability affects the FastAPI/Flask Server component and has publicly available exploit code; however, the vendor has not responded to early disclosure attempts. With a CVSS score of 5.3 and confirmed public exploit availability, this represents a moderate-risk authentication-gated information exposure issue.
Command injection in Tenda G103 1.0.0.5 setting handler allows high-privilege remote attackers to execute arbitrary commands via manipulation of multiple GPON authentication parameters (authLoid, authLoidPassword, authPassword, authSerialNo, authType, oltType, usVlanId, usVlanPriority) in the gpon.lua component. Publicly available exploit code exists, though the CVSS:3.1/AV:N/AC:L/PR:H vector indicates attacks require high administrative privileges and deliver limited impact (confidentiality, integrity, availability each L). This is a realistic but constrained threat: exploitation requires authenticated admin-level access to a device already on the network.
Path traversal in OpenCart 4.1.0.3 Extension Installer Page allows high-privileged remote attackers to manipulate the installer.php file and traverse the filesystem, potentially accessing or modifying sensitive files outside the intended directory. The vulnerability has publicly available exploit code and affects the extension installation mechanism; vendor has not responded to early disclosure attempts, leaving installations unpatched.
Server-side request forgery (SSRF) in Dataease SQLBot up to version 1.6.0 allows high-privileged remote attackers to manipulate the 'address' argument in the Elasticsearch Handler component (get_es_data_by_http function), enabling unauthorized HTTP requests to internal or external systems. The vulnerability has publicly available exploit code and vendor-released patch version 1.7.0 addresses the issue.
Stored cross-site scripting (XSS) in Krayin Laravel-CRM up to version 2.2 allows authenticated users with low privileges to inject malicious scripts via the composeMail function in the Activities/Notes Module, which are then executed when other users view the content. The vulnerability requires user interaction (UI:P) but has confirmed publicly available exploit code and a vendor-released patch (commit 73ed28d466bf14787fdb86a120c656a4af270153), making it a moderate priority for deployments where multiple users interact with notes and mail features.
Stored cross-site scripting (XSS) in SourceCodester Simple Customer Relationship Management System 1.0 allows authenticated remote attackers to inject malicious scripts via the Description parameter in the /create-ticket.php Create Ticket component. The vulnerability requires user interaction (UI:R) to trigger payload execution and has limited impact (integrity only, no confidentiality or availability loss), but publicly available exploit code exists and the issue has been publicly disclosed.
Stored cross-site scripting (XSS) in Xiaopi Panel 1.0.0 via the param argument in /demo.php allows authenticated remote attackers to inject malicious scripts that execute in users' browsers. The vulnerability affects the WAF Firewall component, has publicly available exploit code, and carries a low CVSS score (3.5) due to requirement for user interaction and limited impact scope, though the vendor has not responded to disclosure.
Server-side request forgery (SSRF) in priyankark a11y-mcp up to version 1.0.5 allows local authenticated attackers to perform arbitrary outbound requests via the A11yServer function in src/index.js, potentially enabling access to internal services or exfiltration of sensitive data. The vulnerability requires local access and user approval (as the tool operates as a local stdio MCP server with no network exposure), and publicly available exploit code exists. Vendor has released patched version 1.0.6 with commit e3e11c9e8482bd06b82fd9fced67be4856f0dffc.
Hard-coded cryptographic keys in Shinrays Games Goods Triple App up to version 1.200 allow local authenticated users to decrypt sensitive data by manipulating AES_IV and AES_PASSWORD parameters in the jRwTX.java component. The vulnerability requires local access and elevated privileges but has low complexity once exploited; publicly available exploit code exists and the vendor has not responded to disclosure attempts.
Rack's multipart form data parser uses a greedy regular expression that selects the last boundary parameter from a Content-Type header instead of the first, allowing request smuggling when upstream proxies or WAFs interpret the first boundary. This mismatch enables attackers to bypass upstream inspection by crafting multipart requests with duplicate boundary declarations, causing Rack to parse a different body structure than the intermediary validated. Affected versions are Rack prior to 2.2.23, 3.1.21, and 3.2.6; patches are available for all three release branches.
Type confusion in macOS memory handling allows local attackers to cause unexpected app termination through crafted user interaction, affecting macOS Sequoia before 15.6, Sonoma before 14.7.7, and Ventura before 13.7.7. With a CVSS score of 3.3 and SSVC exploitation status of 'none', this represents a low-severity local denial-of-service condition requiring user interaction; no public exploit code or active exploitation has been identified.
OpenSSH before 10.3 incorrectly interprets ECDSA algorithm specifications in PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms configuration options, allowing authenticated users to authenticate using unintended ECDSA variants. The vulnerability requires authenticated network access and high attack complexity, resulting in a low CVSS score of 3.1 with integrity impact but no confidentiality or availability loss. No public exploit code or active exploitation has been documented.
Type confusion in Free5GC 4.2.0's aper component allows remote attackers to trigger memory corruption and information disclosure with high attack complexity and without authentication. The vulnerability stems from improper type handling in ASN.1 parsing and has publicly available exploit code, though active exploitation at scale has not been confirmed. CVSS 6.3 with availability impact and exploit proof-of-concept disclosure warrant timely patching.
Authorization bypass in Cesanta Mongoose up to version 7.20 allows remote, unauthenticated attackers to bypass TLS certificate signature verification in the P-384 public key handler (mg_tls_verify_cert_signature function in mongoose.c), potentially enabling man-in-the-middle attacks or unauthorized access. The attack is highly complex (CVSS AC:H) but publicly disclosed exploit code exists, with vendor-released patch available in version 7.21.
OpenSSH before 10.3 fails to confirm connection multiplexing in proxy-mode sessions, allowing local attackers with user interaction to bypass intended access controls and potentially manipulate multiplexed connections. The vulnerability affects OpenSSH versions prior to 10.3p1 and requires local access with user interaction (UI:R) on the affected system; while the CVSS score is low (2.5) and integrity impact is limited, the omission of confirmation mechanisms in proxy-mode multiplexing creates a logic flaw that could enable unauthorized session hijacking or redirection in multi-user environments.
Remote authenticated OS command injection in TrendNet TEW-657BRM 1.00.1 router via the vpn_drop function in /setup.cgi allows low-privileged attackers to execute arbitrary commands with limited impact on system confidentiality, integrity, and availability. The vendor confirmed the product reached end-of-life on June 23, 2011, and will not provide support or patches. Public exploit code exists, but this vulnerability affects only discontinued hardware no longer receiving vendor maintenance.
Signal K Server prior to version 2.24.0 permits low-privileged authenticated users to bypass prototype boundary filtering via a malformed `from` field, enabling arbitrary read access to internal functions and properties in the global prototype object. This confidentiality breach violates data isolation within the Signal K application and allows attackers to extract sensitive internal state they should not access. The vulnerability requires prior authentication and has been patched in version 2.24.0.
Command injection in Tenda G103 1.0.0.5 allows high-privileged remote attackers to execute arbitrary commands via the lanIp parameter in the action_set_system_settings function of system.lua. The vulnerability requires administrative credentials (PR:H) but has publicly available exploit code and impacts system confidentiality, integrity, and availability. CVSS score 5.1 reflects the elevated privilege requirement despite network-based attack vector.
Out-of-bounds read in Nothings stb library (stb_truetype.h) up to version 1.26 allows remote attackers to trigger memory access violations via malformed TTF font files, resulting in information disclosure. The vulnerability affects the stbtt__buf_get8 function in the TTF file handler and requires user interaction to exploit. Publicly available exploit code exists, though the vendor has not responded to disclosure notifications. CVSS 5.3 with EPSS probability of exploitation (E:P) indicates moderate real-world risk.
Path traversal in Textpattern XML-RPC handler allows authenticated remote attackers to write arbitrary files via the file.name parameter in mt_uploadImage function, enabling potential code execution or sensitive file overwrite. Affects Textpattern up to version 4.9.1, with publicly available exploit code and vendor confirmation of the issue pending fix in an upcoming release.
Buffer overflow in XZ Utils lzma_index_decoder() allows memory corruption when processing Index records with no data entries prior to version 5.8.3. Unauthenticated remote attackers can trigger a heap overflow via crafted compressed data, potentially causing denial of service or memory corruption. The vulnerability has a low CVSS score (1.7) due to attack time requirement and limited impact scope, with no confirmed active exploitation at time of analysis.