Remote code execution in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6 allows unauthenticated attackers to execute arbitrary code via crafted network requests. The vulnerability stems from improper access control (CWE-284) and requires no user interaction or privileges (CVSS PR:N). With a CVSS score of 9.1 (Critical) and low attack complexity, this represents a severe exposure for organizations using affected FortiClientEMS versions. The CVSS temporal metrics indicate functional exploit code exists (E:F) with an official fix available (RL:O), making this a high-priority patching target despite no confirmed active exploitation (not present in CISA KEV).
Snews CMS 1.7 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files including PHP executables to the snews_files directory. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
NICO-FTP 3.0.1.19 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by sending crafted FTP commands. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Wikipedia 12.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting oversized input through the search functionality. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Microsoft VPN Browser+ 1.1.0.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting oversized input through the search. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Microsoft 7 Tik 1.0.1.0 contains a denial of service vulnerability that allows attackers to crash the application by submitting excessively long input strings to the search functionality. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
10-Strike LANState 8.8 contains a local buffer overflow vulnerability in structured exception handling that allows local attackers to execute arbitrary code by crafting malicious LSM map files. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Snes9K 0.0.9z contains a buffer overflow vulnerability in the Netplay Socket Port Number field that allows local attackers to trigger a structured exception handler (SEH) overwrite. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Netgate AMITI Antivirus build 23.0.305 contains an unquoted service path vulnerability in the AmitiAvSrv and AmitiAntivirusHealth services that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
NETGATE Registry Cleaner build 16.0.205 contains an unquoted service path vulnerability in the NGRegClnSrv service that allows local attackers to escalate privileges by exploiting the service binary. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
sheed AntiVirus 2.3 contains an unquoted service path vulnerability in the ShavProt service that allows local attackers to escalate privileges by exploiting the service binary path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Hotspot Shield 6.0.3 contains an unquoted service path vulnerability in the hshld service binary that allows local attackers to escalate privileges by injecting malicious executables. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
IObit Malware Fighter 4.3.1 contains an unquoted service path vulnerability in the IMFservice and LiveUpdateSvc services that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Spy Emergency build 23.0.205 contains an unquoted service path vulnerability in the SpyEmrgHealth and SpyEmrgSrv services that allows local attackers to escalate privileges by inserting malicious. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
IObit Advanced SystemCare 10.0.2 contains an unquoted service path vulnerability in the AdvancedSystemCareService10 service that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Insecure Direct Object Reference in WCFM Frontend Manager for WooCommerce (versions ≤6.7.25) allows authenticated vendors to manipulate arbitrary orders and delete any WordPress posts, products, or pages beyond their ownership scope. Exploitation requires only vendor-level credentials (PR:L) with no user interaction, enabling privilege escalation through unauthorized access to store-wide content. EPSS data not available; no public exploit identified at time of analysis, though the vulnerability's straightforward IDOR nature increases weaponization risk once details are public.
Redaxo CMS 5.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by tricking authenticated administrators into visiting. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Snews CMS 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials without authentication by crafting malicious HTML forms. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
NetSchedScan 1.0 contains a buffer overflow vulnerability in the scan Hostname/IP field that allows local attackers to crash the application by supplying an oversized input string. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Termite 3.4 contains a buffer overflow vulnerability in the User interface language settings field that allows local attackers to cause a denial of service by supplying an excessively long string. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
FTP Voyager 16.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by injecting oversized buffer data into the site profile IP field. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Microsoft Eco Search 1.0.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string to the search functionality. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Microsoft FastTube 1.0.1.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string to the search functionality. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Microsoft One Search 1.1.0.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting excessively long input strings to the search functionality. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Microsoft Watchr 1.1.0.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string to the search functionality. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Microsoft Smart VPN 1.1.3.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input through the search interface. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Microsoft VSCO 1.1.1.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string through the search functionality. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Server-Side Request Forgery (SSRF) in pyload-ng allows authenticated users with ADD permission to access internal network resources and cloud metadata endpoints by exploiting unchecked HTTP redirect handling. The vulnerability bypasses CVE-2026-33992 mitigations through redirect chains-pycurl follows up to 10 redirects automatically without validating destination IPs against the SSRF filter. Attackers can retrieve AWS/GCP/Azure instance metadata (including IAM credentials) and probe internal services. While exploitation requires authentication (reducing severity from the Critical unauthenticated CVE-2026-33992), a public proof-of-concept demonstrates the attack and no vendor-released patch has been identified at time of analysis.
Nodcms contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious forms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
MyBB Last User's Threads in Profile Plugin 1.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by crafting thread subjects with script tags. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
MyBB My Arcade Plugin 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through arcade game score comments. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
MyBB Downloads Plugin 2.0.3 contains a persistent cross-site scripting vulnerability that allows regular members to inject malicious scripts through the download title field. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
MyBB Like Plugin 3.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating posts or threads with unvalidated subject content. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Remote code execution in pyLoad download manager allows authenticated non-admin users with SETTINGS permission to execute arbitrary system commands via the AntiVirus plugin configuration. The vulnerability stems from incomplete enforcement of admin-only security controls: while core configuration options like reconnect scripts and SSL certificates require admin privileges, plugin configuration lacks this protection. Attackers can modify the AntiVirus plugin's executable path (avfile) parameter, which is directly passed to subprocess.Popen() without validation, achieving command execution when file downloads complete. CVSS 8.8 reflects network-accessible attack with low complexity requiring only low-privilege authentication. No active exploitation confirmed (not in CISA KEV), but detailed proof-of-concept exists in the GitHub security advisory.
Arbitrary file deletion in wpForo Forum WordPress plugin versions ≤2.4.16 allows authenticated attackers with subscriber-level privileges to delete any file on the server by embedding path traversal sequences in forum post content and subsequently deleting the post. CVSS 8.8 (High) with network-based attack vector requiring low-complexity exploitation. No public exploit identified at time of analysis, though EPSS data unavailable. Patched in version 2.4.17 per WordPress plugin repository changeset.
Regular Expression Denial of Service (ReDoS) in @hapi/content npm package versions through 6.0.0 allows unauthenticated remote attackers to crash Node.js processes via a single HTTP request containing maliciously crafted Content-Type or Content-Disposition header values. Three regular expressions used for header parsing contain catastrophic backtracking patterns that can consume unbounded CPU resources. Vendor-released patch available via GitHub (PR #38). No public exploit code identified at time of analysis, though the attack vector is straightforward for any attacker with HTTP request capabilities.
Path traversal in Coder code-marketplace ≤ v2.4.1 allows authenticated users to write arbitrary files outside the extension directory during VSIX extraction. The ExtractZip function passes unsanitized zip entry names containing '..' sequences to filepath.Join, which resolves parent directory references without confining output to the intended base path. Attackers can inject malicious cron jobs, SSH keys, or overwrite binaries depending on process privileges. Fixed in v2.4.2. No active exploitation confirmed (not in CISA KEV); publicly available exploit code exists.
OAuth authorization flow interception in Directus enables attackers to steal victims' identity provider access tokens through cross-origin window manipulation. This authentication bypass vulnerability (CVSS 8.7) affects the Directus npm package due to missing Cross-Origin-Opener-Policy headers on SSO login pages, allowing malicious sites to redirect OAuth flows to attacker-controlled clients. No public exploit identified at time of analysis, though EPSS data unavailable. Attack complexity rated HIGH due to requirement for victim interaction with attacker-controlled origin during authentication flow.
Arbitrary Android intent execution in mobile-mcp npm package (versions <0.0.50) allows remote attackers to trigger USSD codes, phone calls, SMS drafting, and content provider access through unvalidated URL schemes passed to adb shell commands. Attack vector exploits AI agent prompt injection: malicious documents can instruct connected AI systems to execute dangerous intents on paired Android devices. CVSS 8.3 (Network/Low complexity/No privileges/User interaction required). Publicly available exploit code exists. Vendor-released patch available (version 0.0.50+).
Memory exhaustion in libp2p-rendezvous allows unauthenticated attackers to cause denial-of-service via unbounded pagination cookie storage. Remote attackers can repeatedly send protocol-compliant DISCOVER requests to force unlimited HashMap growth without authentication or rate limiting. No public exploit identified at time of analysis, though proof-of-concept exists in maintainer-controlled fork. EPSS data not available for this newly-assigned CVE; CVSS 8.2 reflects high availability impact with low attack complexity.
Directus CMS aggregate query functions bypass field-level concealment controls, exposing static API tokens and TOTP secrets from the directus_users table to any authenticated user with read access. Attackers can extract credentials for all accounts via min/max operations combined with groupBy clauses, enabling account takeover and two-factor authentication bypass. CVSS 8.1 (High) reflects network-accessible attack requiring only low-privilege authentication. No public exploit code or CISA KEV listing identified at time of analysis, though the attack vector is clearly documented in the GitHub security advisory.
Server-Side Request Forgery (SSRF) in Directus headless CMS allows authenticated attackers (or unauthenticated users with public file-import permissions) to bypass IP address deny-list protections and access internal network resources. Attackers exploit IPv4-Mapped IPv6 address notation (e.g., ::ffff:127.0.0.1) to circumvent validation logic, enabling unauthorized requests to localhost services, internal databases, caches, APIs, and cloud instance metadata endpoints (AWS/GCP/Azure IMDS). With CVSS 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) indicating low attack complexity, network accessibility, and scope change with high confidentiality impact, this represents a significant risk for data exfiltration from cloud environments and internal infrastructure. No public exploit identified at time of analysis, though the technical details in the advisory provide clear exploitation guidance.
Server-Side Request Forgery in pyLoad-ng allows authenticated users with ADD permissions to read local files via file:// protocol, access internal network services, and exfiltrate cloud metadata. The parse_urls API endpoint fetches arbitrary URLs without protocol validation, enabling attackers to read /etc/passwd, configuration files, SQLite databases, and AWS/GCP metadata endpoints at 169.254.169.254. Error-based responses create a file existence oracle. Multi-protocol support (file://, gopher://, dict://) escalates impact beyond standard HTTP SSRF. CVSS 7.7 reflects network attack vector, low complexity, and scope change with high confidentiality impact. No public exploit code identified at time of analysis, though detailed proof-of-concept included in advisory demonstrates exploitation via curl commands against Docker deployments.
Arbitrary code execution in pyload-ng via pickle deserialization allows non-admin users with SETTINGS and ADD permissions to write malicious session files and trigger unauthenticated RCE. Attackers redirect the download directory to Flask's session store (/tmp/pyLoad/flask), plant a crafted pickle payload as a predictable session filename, then trigger deserialization by sending any HTTP request with the corresponding session cookie. This bypasses CVE-2026-33509 fix controls because storage_folder was not added to ADMIN_ONLY_OPTIONS. No public exploit identified at time of analysis, though detailed proof-of-concept methodology is documented in the advisory. EPSS data not available for this recent CVE.
Hardcoded database credentials in Text to Speech for WP (AI Voices by Mementor) WordPress plugin versions ≤1.9.8 expose the vendor's external telemetry MySQL server to unauthorized write access by unauthenticated remote attackers. The credentials are embedded in the Mementor_TTS_Remote_Telemetry class and can be extracted via static analysis or HTTP request inspection. EPSS data not provided, but the unauthenticated network vector (CVSS:3.1/AV:N/AC:L/PR:N) and public disclosure via Wordfence ind
Unbounded namespace registration in libp2p-rendezvous allows remote unauthenticated attackers to trigger out-of-memory conditions on rendezvous servers. The Rust implementation accepts unlimited unique namespace registrations per peer with 72-hour TTLs, enabling resource exhaustion via repeated REGISTER messages. Confirmed publicly available exploit code exists. CVSS 7.5 (High) reflects network accessibility and lack of authentication barriers, while the straightforward attack vector (simple loop of registration requests) presents immediate risk to public rendezvous nodes critical for peer discovery in libp2p networks.
Prototype pollution in defu npm package (≤6.1.4) allows remote attackers to override application logic by injecting __proto__ keys through unsanitized user input. The vulnerability enables authentication bypass and arbitrary property injection when applications merge untrusted JSON, database records, or configuration data using defu(). CVSS 7.5 (High) with network-accessible, low-complexity exploitation requiring no authentication. No active exploitation confirmed (not in CISA KEV), but public proof-of-concept exists in the GitHub advisory demonstrating admin privilege escalation.
LightRAG's JWT authentication can be bypassed via a hardcoded default secret 'lightrag-jwt-default-secret' when TOKEN_SECRET is not configured. Unauthenticated attackers can forge valid tokens to access protected API endpoints in installations running v1.4.10 with AUTH_ACCOUNTS enabled but TOKEN_SECRET unset. CVSS 7.5 (High) reflects network-accessible confidentiality breach with no authentication required. No public exploit identified at time of analysis, though the hardcoded secret is publicly documented in the vulnerability disclosure. EPSS data not available for this CVE.
Stored cross-site scripting (XSS) in the Widgets for Social Photo Feed WordPress plugin (versions ≤1.7.9) allows unauthenticated remote attackers to inject malicious scripts via unsanitized 'feed_data' parameter keys, achieving persistent code execution in victim browsers with scope change impact. The vulnerability stems from insufficient input validation on widget configuration data. CVSS 7.2 reflects network-accessible, low-complexity exploitation requiring no privileges or user interaction, w
Stored Cross-Site Scripting in Visitor Traffic Real Time Statistics WordPress plugin (≤8.4) allows unauthenticated remote attackers to inject malicious JavaScript via the 'page_title' parameter that executes when administrators view the Traffic by Title section. No public exploit identified at time of analysis, though CVSS 7.2 (High) severity reflects the unauthenticated attack vector and cross-site scripting scope. Upstream fix available (PR/commit); released patched version not independently confirmed based on provided Trac changeset reference.