Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code within the browser's sandbox through a crafted HTML page exploiting an inappropriate implementation in the V8 JavaScript engine. User interaction is required (visiting a malicious webpage). No public exploit identified at time of analysis, with EPSS exploitation probability at 0.04% (11th percentile), indicating low observed attacker interest despite high CVSS severity.
Remote code execution in Google Chrome's V8 JavaScript engine (versions prior to 147.0.7727.55) allows unauthenticated remote attackers to execute arbitrary code within the sandbox by exploiting a use-after-free memory corruption vulnerability through a malicious HTML page. User interaction (visiting a crafted website) is required. No public exploit identified at time of analysis, with EPSS probability at 4% (11th percentile), indicating relatively low immediate exploitation risk despite high CVSS severity.
Integer overflow in Google Chrome's media handling (versions prior to 147.0.7727.55) enables remote attackers to trigger heap corruption through specially crafted video files, achieving potential arbitrary code execution with high confidentiality, integrity, and availability impact. Attack requires user interaction to open malicious media content. Exploitation is unauthenticated (network-accessible). No public exploit identified at time of analysis. Classified as low severity by Chromium project despite CVSS 8.8 rating.
Integer overflow in Google Chrome's Media component enables remote heap corruption through malicious video files. Affects Chrome versions prior to 147.0.7727.55 on all desktop platforms. Unauthenticated attackers can achieve arbitrary code execution, data theft, or denial of service by convincing users to open specially crafted video content. CVSS 8.8 severity reflects network-based attack requiring user interaction. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%).
Integer overflow in Google Chrome's Media component allows remote attackers to trigger heap corruption via specially crafted video files. Affects Chrome versions prior to 147.0.7727.55. Attack requires user interaction (opening malicious video file) but no authentication. Successful exploitation enables arbitrary code execution with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis. Chromium project rates severity as Low despite CVSS 8.8 score.
Arbitrary code execution in Google Chrome for macOS versions prior to 147.0.7727.55 occurs via heap buffer overflow in the ANGLE graphics layer when processing malicious HTML pages. Remote attackers can achieve full compromise of confidentiality, integrity, and availability within Chrome's sandbox by exploiting this CWE-122 heap overflow with low attack complexity and no authentication. EPSS probability is low (0.03%, 10th percentile) with no public exploit identified at time of analysis, indicating limited observed exploitation activity despite the high CVSS score of 8.8.
Remote code execution in Google Chrome prior to 147.0.7727.55 allows unauthenticated remote attackers to execute arbitrary code within the browser sandbox via a crafted HTML page exploiting a use-after-free vulnerability in the WebRTC component. The attack requires user interaction (visiting a malicious page). EPSS probability is low (0.03%, 10th percentile), and no public exploit or active exploitation (KEV) has been identified at time of analysis. Vendor-released patch available in Chrome 147.0.7727.55.
Integer overflow in Google Chrome's WebRTC component (versions prior to 147.0.7727.55) enables remote attackers to trigger out-of-bounds memory writes through specially crafted HTML pages. Exploitation requires user interaction (visiting malicious page) but no authentication, potentially allowing arbitrary code execution, data corruption, or information disclosure. Vendor-assigned security severity: Low; CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Integer overflow in Google Chrome's WebML component (versions prior to 147.0.7727.55) enables remote attackers to trigger heap corruption via malicious HTML pages, requiring only user interaction to visit a crafted website. The vendor-assigned severity is Critical, though EPSS indicates only 0.03% probability of exploitation in the wild (9th percentile), and no public exploit identified at time of analysis. Patch available in Chrome 147.0.7727.55 and later.
Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code by exploiting a heap buffer overflow in the WebML component through specially crafted HTML pages. The vulnerability requires user interaction (visiting a malicious page) but presents critical risk with high impact to confidentiality, integrity, and availability. EPSS score of 0.03% (9th percentile) indicates low probability of imminent exploitation in the wild, with no public exploit identified at time of analysis and no CISA KEV listing confirming active exploitation.
Cross-Site Request Forgery (CSRF) in Product Feed PRO for WooCommerce by AdTribes versions 13.4.6 through 13.5.2.1 allows unauthenticated attackers to manipulate critical feed management functions by tricking authenticated WordPress administrators into executing malicious requests. Exploitation enables attackers to trigger feed migrations, clear custom-attribute caches, modify feed file URLs, alter legacy filter settings, and delete feed posts without proper authorization. EPSS exploitation probability data not available; no confirmed active exploitation (not in CISA KEV) identified at time of analysis. Wordfence reported this vulnerability with patches available via WordPress plugin repository.
Type confusion vulnerability in Google Chrome CSS engine (versions prior to 147.0.7727.55) enables heap corruption through malicious extensions. Attacker must convince user to install crafted Chrome extension, then exploit triggers memory corruption allowing high-severity impacts: arbitrary code execution, information disclosure, and denial of service. CVSS 8.8 rating reflects unauthenticated network vector requiring only user interaction. No public exploit identified at time of analysis. Chromium project classifies severity as Low despite critical CVSS score, indicating successful exploitation barriers beyond user interaction.
Heap corruption via malicious Chrome extension exploits use-after-free flaw in V8 JavaScript engine, affecting Chrome versions prior to 147.0.7727.55. Attacker must convince user to install a crafted extension to achieve potential remote code execution with high confidentiality, integrity, and availability impact. EPSS score of 0.01% (1st percentile) indicates minimal observed exploitation activity; no CISA KEV listing or public exploit code identified at time of analysis. Despite high CVSS 8.8
CSRF vulnerability in SpicePress WordPress theme versions ≤2.3.2.5 enables unauthenticated attackers to upload web shells via arbitrary plugin installation, achieving remote code execution. Successful exploitation requires user interaction (victim must click malicious link while authenticated). No public exploit identified at time of analysis. CVSS 8.8 score reflects network-accessible, low-complexity attack with high impact to confidentiality, integrity, and availability.
Build-time remote code execution in Go toolchain (cmd/go) versions before 1.25.9 and 1.26.0-1.26.1 allows network attackers to execute arbitrary code during compilation by supplying malicious SWIG files with specially crafted filenames containing 'cgo'. User interaction required (developer must build the malicious package). No public exploit identified at time of analysis. EPSS score of 0.01% (1st percentile) indicates very low observed exploitation probability despite high CVSS 8.8 rating.
Unauthenticated remote information disclosure in Zammad helpdesk system versions before 7.0.1 and 6.5.4 allows attackers to access sensitive internal entity data through exposed getting started endpoint. The vulnerability bypasses authentication controls, enabling unauthorized access to confidential system information post-setup. Attack vector is network-based with low complexity requiring no user interaction. No public exploit identified at time of analysis. CVSS 8.7 reflects high confidentiality impact.
Unbounded zlib decompression in dfir-unfurl versions through 20250810 enables unauthenticated remote attackers to exhaust server memory via crafted compressed payloads submitted to the /json/visjs endpoint. Attackers can submit highly compressed data that expands to gigabytes when decompressed, crashing the service through resource exhaustion. The vulnerability affects the parse_compressed.py module and requires no authentication. No public exploit identified at time of analysis.
Reflected cross-site scripting in Gravity Forms plugin for WordPress versions up to 2.9.30 allows unauthenticated attackers to inject arbitrary web scripts via the form_ids parameter in the gform_get_config AJAX action. The vulnerability exploits improper JSON encoding combined with HTML content-type headers and publicly reusable nonces; attackers can craft malicious links that, when clicked by users, execute injected scripts on vulnerable pages. No active exploitation confirmed; CVSS 4.7 reflects moderate risk constrained by required user interaction and limited scope.
Remote code execution in Zammad 7.0.0 allows authenticated administrators with high-level privileges to inject malicious server-side templates through AI Agent configuration parameters, leading to arbitrary code execution on the helpdesk server. Exploitation requires administrative access to control type_enrichment_data settings and user interaction. Vendor-released patch version 7.0.1 is available. EPSS score of 0.04% indicates low exploitation probability in the wild; no public exploit identified at time of analysis.
SQL injection in MATCHA INVOICE 2.6.6 and earlier allows authenticated users with low-level privileges to extract or modify database contents via network access. With CVSS 8.8 (High severity), low attack complexity, and no user interaction required, authenticated attackers can achieve full confidentiality, integrity, and availability impact on the application database. No public exploit identified at time of analysis, with EPSS data not available for this recently disclosed vulnerability.
Reflected cross-site scripting and arbitrary markdown file download in LORIS help_editor module affects versions prior to 27.0.3 and 28.0.1. Improper input sanitization allows authenticated attackers with low privileges to execute malicious scripts in victim browsers (requiring user interaction) and exfiltrate markdown files from the server. Attack requires network access and social engineering to trick users into following crafted links. No public exploit identified at time of analysis.
Memory corruption in Amazon Firecracker's virtio PCI transport (versions 1.13.0-1.14.3, 1.15.0) enables guest root users to crash the host VMM process or achieve host code execution through malicious virtio queue register modifications post-device activation. Affects x86_64 and aarch64 architectures. While exploitation requires guest root privileges and high attack complexity (CVSS AC:H, PR:H), successful compromise breaches VM isolation boundaries with high impact to host confidentiality, integrity, and availability (CVSS 8.7). No public exploit identified at time of analysis; vendor-released patches available in versions 1.14.4 and 1.15.1.
Privilege escalation in XWiki Platform 17.x allows users with script rights to execute arbitrary Python code via an improperly protected scripting API, bypassing Velocity sandbox protections and gaining full system access. This affects XWiki Platform oldcore and legacy-oldcore components prior to versions 17.4.8 and 17.10.1. While requiring existing script-level privileges, the vulnerability enables complete compromise of confidentiality, integrity, and availability. Vendor-released patch available; no public exploit identified at time of analysis.
OS command injection in TP-Link Archer AX53 v1.0 dnsmasq module allows authenticated adjacent attackers to execute arbitrary code through maliciously crafted configuration files. Successful exploitation enables device configuration modification, sensitive data access, and complete system compromise. Affects TP-Link Archer AX53 v1.0 firmware versions prior to 1.7.1 Build 20260213. Requires high-privilege adjacent network access (CVSS:4.0 AV:A/PR:H). No public exploit identified at time of analysis.
OS command injection in TP-Link Archer AX53 v1.0 OpenVPN module allows authenticated adjacent attackers to execute arbitrary system commands through maliciously crafted configuration files. Exploitation requires high-privilege adjacency access but enables complete device compromise including configuration modification, credential disclosure, and persistent backdoor installation. Affects AX53 v1.0 firmware prior to 1.7.1 Build 20260213. No public exploit identified at time of analysis.
Stored cross-site scripting in AIL Framework <6.8 allows authenticated high-privilege attackers to inject malicious JavaScript through the modal item preview function. When processing item content exceeding 800 characters, the application returns attacker-controlled content without explicit text/plain content-type headers, enabling browser interpretation as HTML. Successful exploitation executes arbitrary JavaScript in victim browsers viewing crafted items, compromising confidentiality and integrity across system and user contexts. No public exploit identified at time of analysis.
Server-Side Request Forgery in n8n-mcp (npm package) versions ≤2.47.3 allows authenticated attackers with valid AUTH_TOKEN to force the server to issue HTTP requests to arbitrary URLs via manipulated multi-tenant HTTP headers (x-n8n-url, x-n8n-key). Response bodies are reflected through JSON-RPC, enabling unauthorized access to cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Oracle, Alibaba), internal network services, and any host reachable by the server process. Multi-tenant HTTP deployments with shared or multiple AUTH_TOKENs are at highest risk. No public exploit identified at time of analysis.
OS command injection in parseusbs <1.9 enables arbitrary code execution on forensic examiner systems through maliciously crafted .lnk filenames. The parseUSBs.py module passes LNK file paths unsanitized into os.popen() shell commands, allowing attackers to embed shell metacharacters in filenames that execute during USB artifact parsing. Exploitation requires no authentication (PR:N) but necessitates user interaction (UI:P) when the examiner processes USB artifacts containing weaponized .lnk files. No public exploit identified at time of analysis.
Blind SQL injection in NSquared Simply Schedule Appointments WordPress plugin versions ≤1.6.9.27 allows authenticated attackers with low-privilege access to extract sensitive database contents and potentially trigger denial-of-service conditions. The vulnerability stems from improper neutralization of SQL special elements in user-controlled input. Network-accessible exploitation requires valid credentials but no user interaction. CVSS 8.5 severity reflects high confidentiality impact with scope change, enabling cross-boundary data access. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%, 6th percentile).
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Chill Download Monitor download-monitor allows Blind SQL Injection.This issue affects Download Monitor: from n/a through <= 5.1.8.
Improper access control in GitLab CE/EE 16.9.6-18.10.2 enables authenticated attackers to invoke unauthorized server-side methods via websocket connections, achieving high-severity information disclosure with changed scope. Affects continuous integration/deployment platforms running vulnerable GitLab instances. Exploitation requires low-privilege authentication but no user interaction, enabling lateral information access across security boundaries.
Command injection in Unix-like Artifacts Collector (UAC) pre-3.3.0-rc1 enables arbitrary code execution through unsanitized placeholder substitution in the _run_command() pipeline. Attackers inject shell metacharacters via %line%, %user%, or %user_home% placeholders processed by foreach iterators and system file parsers, exploiting direct eval() execution without input validation. Exploitation requires local access with user interaction but no authentication, executing commands at UAC process privilege level. No public exploit identified at time of analysis.
DLL and shared-library hijacking in ufrisk MemProcFS versions prior to 5.17 enables local arbitrary code execution through six distinct attack surfaces. Unsafe library-loading patterns-including unqualified LoadLibraryU and dlopen calls for vmmpyc, libMSCompression, and plugin DLLs-allow attackers to plant malicious libraries in the working directory or manipulate LD_LIBRARY_PATH. Exploitation requires user interaction (CVSS UI:P) but no authentication (PR:N), achieving high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.
Local code execution in IBM Security Verify Access 10.0-10.0.9.1 and 11.0-11.0.2 (both container and non-container deployments) allows unauthenticated local attackers to execute malicious scripts from outside the application's control sphere. This CWE-829 inclusion of functionality from untrusted control sphere vulnerability achieves container escape (scope change to C in CVSS vector), enabling high confidentiality impact and limited integrity/availability impact. No public exploit or active exploitation confirmed at time of analysis, though the low attack complexity (AC:L) and lack of required privileges (PR:N) make this readily exploitable by local users.
OS command injection in parseusbs (versions prior to 1.9) allows local attackers to execute arbitrary commands through unsanitized volume path arguments passed to the -v flag. The vulnerability stems from passing user-controlled input directly to os.popen() with shell=True during volume enumeration via ls command, enabling shell metacharacter injection. Exploitation requires user interaction to execute parseusbs with a malicious -v argument. No public exploit identified at time of analysis, though proof-of-concept exists in commit history.
Privilege escalation in Juniper Networks Junos OS allows high-privileged local attackers to gain root access on Linux-based line cards running Junos OS Evolved. Missing authentication in critical command processing functions enables authenticated administrators with elevated privileges to bypass access controls and execute commands as root on affected hardware modules including MPC7-11, LC2101/2103, LC480/4800/9600, MX304 built-in FPC, MX-SPC3, SRX5K-SPC3, EX9200-40XS, and PTX-series line cards. No public exploit identified at time of analysis.
Sensitive information disclosure in IBM Tivoli Netcool Impact versions 7.1.0.0 through 7.1.0.37 allows local attackers with no authentication required to extract credentials and configuration secrets from application log files. With CVSS 8.4 and High impact to confidentiality, integrity, and availability, the CWE-532 flaw enables privilege escalation through exposed secrets. No public exploit identified at time of analysis, with EPSS data unavailable, though the low attack complexity (AC:L) suggests straightforward exploitation once local access is obtained.
Path traversal in ALEAPP (Android Logs Events And Protobuf Parser) 3.4.0 and earlier enables arbitrary file writes outside the report directory through malicious NQ_Vault.py artifact parser database entries. Attackers embedding traversal sequences (e.g., ../../../target.bin) in file_name_from database values can overwrite system executables or configuration files, achieving local code execution. Exploitation requires user interaction to process a crafted Android database artifact. CVSS:4.0 base score 8.4 (High). No public exploit identified at time of analysis.
Path traversal in The Sleuth Kit (tsk_recover) through version 4.14.0 allows local attackers to write files outside intended recovery directories via malicious filesystem images. Crafted filenames with ../ sequences in processed disk images can overwrite arbitrary files, enabling potential code execution through shell configuration or cron file manipulation. Exploitation requires user interaction (processing attacker-supplied filesystem image). No public exploit identified at time of analysis.
Authentication bypass in InvenTree open source inventory management system allows any authenticated user to generate API tokens for arbitrary users, including administrators, enabling complete account takeover. Affected versions 0.16.0 through 1.2.6 permit low-privileged users to forge API credentials by manipulating the user field in POST requests to /api/user/tokens/. Resulting tokens provide full API access from any network location without requiring victim interaction. No public exploit identified at time of analysis.
Server-side request forgery in Zammad webhook implementation allows authenticated administrators to retrieve confidential cloud provider metadata by exploiting insufficient validation of loopback and link-local addresses. Affects versions before 7.0.1 and 6.5.4. Attackers with privileged access can configure malicious webhook URLs targeting internal infrastructure endpoints, bypassing intended URL scheme restrictions. No public exploit identified at time of analysis. CVSS 8.3 reflects high confidentiality and availability impacts on vulnerable and subsequent systems.
Unauthenticated access to kcp root shard cache server exposes cluster topology, RBAC policies, and API configurations to network-reachable attackers. The cache server at /services/cache/* bypasses authentication and authorization middleware, allowing any attacker with network access to the root shard (CVSS:3.1/AV:N/AC:L/PR:N) to read replicated resources including ClusterRoles, LogicalClusters, Shards, APIExports, and admission control policies. A secondary race condition permits temporary privi
Path traversal via symlink in LiquidJS npm package allows authenticated template contributors to read arbitrary filesystem content outside configured template roots. The vulnerability affects applications where untrusted users can influence template directories (uploaded themes, extracted archives, repository-controlled templates). LiquidJS validates template paths using string-based directory containment checks but fails to resolve canonical filesystem paths before file access, enabling symlinks placed within allowed partials/layouts directories to reference external files. Publicly available exploit code exists. No EPSS score available, but impact is limited to information disclosure in specific deployment scenarios requiring attacker filesystem access.
Command injection in CoolerControl daemon (coolercontrold) versions prior to 4.0.0 allows high-privileged local attackers to escalate privileges to root by embedding malicious bash commands in alert configuration names. The vulnerability enables authenticated administrators to execute arbitrary system commands with root privileges through the alert management interface. EPSS score of 0.05% (17th percentile) indicates low current exploitation probability, with no active exploitation confirmed and CISA SSVC assessment marking exploitation status as 'none' and automatable as 'no'.
Certificate validation bypass in Go's crypto/x509 library (versions 1.26.0-1.26.1) allows remote attackers to circumvent DNS name constraints through case-sensitivity mismatches in wildcard Subject Alternative Names. Attackers with certificates from trusted CAs can bypass intended domain restrictions and impersonate constrained subdomains, achieving unauthorized confidentiality access with limited integrity impact. Vendor-released patch available (Go 1.26.2). EPSS score is 0.01% (percentile 0%), indicating very low observed exploitation probability. No public exploit code or CISA KEV listing identified at time of analysis.
Remote code execution in Elastic Logstash versions 8.0.0 through 8.19.13 allows unauthenticated network attackers to write arbitrary files and execute code via malicious compressed archives. The vulnerability exploits improper path validation in archive extraction utilities, enabling attackers who compromise or control update endpoints to deliver path traversal payloads. When automatic pipeline reloading is enabled, arbitrary file writes escalate to full RCE with Logstash process privileges. CVSS 8.1 (High) with network vector but high attack complexity. EPSS data and KEV status not provided; no public exploit confirmed at time of analysis, though the technical details disclosed increase weaponization risk for environments with exposed update mechanisms.
Arbitrary file manipulation in MW WP Form plugin (WordPress) versions ≤5.1.1 allows unauthenticated attackers to move sensitive server files into web-accessible directories, enabling remote code execution. The vulnerability stems from insufficient validation of upload field keys in generate_user_file_dirpath(), exploiting WordPress's path_join() behavior with absolute paths. Attackers inject malicious keys via mwf_upload_files[] POST parameter to relocate critical files like wp-config.php. Exploitation requires forms with enabled file upload fields and 'Saving inquiry data in database' option. No public exploit identified at time of analysis.
Out-of-bounds memory write in Google Chrome's WebML component (versions prior to 147.0.7727.55) allows remote attackers to corrupt memory via malicious HTML pages, enabling potential code execution or denial of service. Exploitation requires user interaction to visit a crafted webpage. CVSS 8.1 severity reflects unauthenticated network-based attack with high integrity and availability impact. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.04%).
Out-of-bounds read in Google Chrome's Blink rendering engine (versions prior to 147.0.7727.55) allows remote attackers to disclose sensitive memory contents and trigger denial-of-service via malicious HTML pages. Despite an 8.1 CVSS score, this is rated Chromium security severity 'Low', requires user interaction (visiting a crafted page), has minimal real-world exploitation probability (EPSS 0.03%, 10th percentile), and is not actively exploited (no KEV listing). Vendor-released patch available in Chrome 147.0.7727.55.
Out-of-bounds memory read in Google Chrome's media subsystem (versions prior to 147.0.7727.55) enables remote attackers to disclose sensitive information and trigger denial-of-service conditions via malicious video files. Exploitation requires user interaction (opening/playing crafted video content). Attack vector is network-based with low complexity and no authentication required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.03%, 10th percentile).