OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the 'mode' parameter in the setWiFiAclRules function (/cgi-bin/cstecgi.cgi). Publicly available exploit code exists. Attackers can achieve complete device compromise with high impact to confidentiality, integrity, and availability of the router. No authentication required for exploitation (CVSS PR:N).
Remote OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated attackers to execute arbitrary system commands via the wifiOff parameter in the setWiFiBasicCfg function of /cgi-bin/cstecgi.cgi. This vulnerability enables complete device compromise with high impact to confidentiality, integrity, and availability. Publicly available exploit code exists. No CISA KEV listing identified at time of analysis.
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via crafted sambaEnabled parameter in setStorageCfg function of /cgi-bin/cstecgi.cgi CGI handler. Publicly available exploit code exists. Network-reachable attack vector requires no user interaction, enabling full system compromise of affected routers.
OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the wanIdx parameter in the setDmzCfg function within /cgi-bin/cstecgi.cgi. CVSS 8.9 (Critical) with attack complexity low, no privileges required, and no user interaction. Publicly available exploit code exists. Exploitation enables complete compromise of device confidentiality, integrity, and availability with total technical impact.
OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 enables unauthenticated remote attackers to execute arbitrary system commands via crafted addrPrefixLen parameter in setIpv6LanCfg function of /cgi-bin/cstecgi.cgi CGI handler. CVSS 9.8 critical severity reflects network-accessible attack vector requiring no privileges or user interaction, with complete confidentiality, integrity, and availability impact. Publicly available exploit code exists.
Unauthenticated remote OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 enables complete system compromise via the setIptvCfg function in /cgi-bin/cstecgi.cgi. Attackers inject malicious commands through the igmpVer parameter without authentication, achieving arbitrary code execution with router privileges. CVSS 9.8 (Critical). Publicly available exploit code exists. No authentication, network-accessible attack vector with low complexity allows immediate weaponization for botnet recruitment, credential theft, or lateral network movement.
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the 'enable' parameter in setUPnPCfg function within /cgi-bin/cstecgi.cgi. Publicly available exploit code exists. No vendor-released patch identified at time of analysis. CVSS 8.9 (Critical) reflects network-accessible attack requiring no user interaction.
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the pptpPassThru parameter in setVpnPassCfg function of /cgi-bin/cstecgi.cgi. Exploitation requires no user interaction and achieves full system compromise (confidentiality, integrity, availability). Publicly available exploit code exists. Attack vector is network-accessible without authentication (CVSS 8.9 Critical).
OS command injection in Totolink A7100RU router 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the 'merge' parameter in setWiFiEasyCfg function within /cgi-bin/cstecgi.cgi. CVSS 9.8 critical severity. Publicly available exploit code exists. Attack requires no authentication or user interaction, enabling complete system compromise including data exfiltration, configuration tampering, and denial of service.
WordPress adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Padding oracle attack in Apache Tomcat EncryptInterceptor leaks encrypted session data confidentiality across versions 7.0.100-7.0.109, 8.5.38-8.5.100, 9.0.13-9.0.115, 10.0.0-M1-10.1.52, and 11.0.0-M1-11.0.18 when default configuration is deployed. Unauthenticated remote attackers exploit oracle responses to decrypt sensitive information without authentication (CVSS:3.1 AV:N/AC:L/PR:N). CWE-209 (information exposure through error messages) enables cryptographic side-channel extraction. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%).
Encryption bypass in Apache Tomcat 11.0.20, 10.1.53, and 9.0.116 allows unauthenticated remote attackers to circumvent the EncryptInterceptor component, exposing sensitive data in cleartext. The vulnerability stems from an incomplete fix for CVE-2026-29146, enabling network-accessible adversaries to access confidential information without authentication. CVSS 7.5 (High severity) reflects network-based exploitation with low complexity and high confidentiality impact. No public exploit identified at time of analysis; low observed exploitation activity (EPSS <1%).
Stack-based buffer overflow in Tenda F451 wireless router firmware 1.0.0.7 allows authenticated remote attackers to execute arbitrary code via crafted page parameter to fromRouteStatic function in /goform/RouteStatic endpoint. Attack requires low-privilege authenticated access to web management interface with no user interaction. Publicly available exploit code exists. Exploitation yields complete compromise of router confidentiality, integrity, and availability.
Stack-based buffer overflow in Tenda AC15 router firmware 15.03.05.18 websGetVar function allows authenticated remote attackers to execute arbitrary code with high impact to confidentiality, integrity, and availability. The vulnerability resides in /goform/SysToolChangePwd endpoint where manipulation of oldPwd, newPwd, or cfmPwd parameters triggers memory corruption. Publicly available exploit code exists. Exploitation requires low-privilege authenticated access but no user interaction, making it readily exploitable once credentials are obtained.
Buffer overflow in D-Link DIR-605L 2.13B01 wireless router enables remote authenticated attackers to achieve arbitrary code execution via crafted POST requests to /goform/formAdvNetwork endpoint. Exploitation manipulates the curTime parameter in the formAdvNetwork function, triggering memory corruption. This end-of-life device receives no vendor support; publicly available exploit code exists. Affected hardware presents elevated risk in legacy network environments where administrative credentials may be compromised.
Buffer overflow in D-Link DIR-605L 2.13B01 wireless router enables remote authenticated attackers to execute arbitrary code via the formAdvFirewall function in POST request handler. Exploitation occurs through manipulation of the curTime parameter in /goform/formAdvFirewall endpoint. Publicly available exploit code exists. This end-of-life product receives no vendor security support, requiring immediate device replacement for affected deployments.
Buffer overflow in D-Link DIR-605L 2.13B01 router allows authenticated remote attackers to achieve code execution through malicious curTime parameter in formVirtualServ function via POST request to /goform/formVirtualServ endpoint. Affects end-of-life product with no vendor support. Publicly available exploit code exists. Attack requires low-privilege authentication but no user interaction, enabling remote compromise of device confidentiality and integrity.
OS command injection in D-Link DIR-882 router (firmware 1.01B02) allows authenticated remote attackers to execute arbitrary system commands via malicious IPAddress parameter to prog.cgi HNAP1 SetNetworkSettings handler. Requires high privileges (PR:H) but achieves full system compromise (CVSS 7.3). Publicly available exploit code exists. Product discontinued; vendor no longer provides security updates.
Unauthenticated remote attackers can manipulate Modbus register inputs in GPL Odorizers GPL750 industrial control systems (XL4, XL4 Prime, XL7, XL7 Prime variants across versions 1.0-20.0), causing incorrect odorant injection volumes into natural gas distribution pipelines. Authentication bypass (CWE-306) via network-accessible Modbus interface permits direct register value tampering without credential validation, enabling safety-critical process manipulation. No public exploit identified at time of analysis.
LDAP injection in MISP (Malware Information Sharing Platform) versions prior to 2.5.36 enables unauthenticated attackers to bypass authentication and execute unauthorized LDAP queries. The vulnerability exists in ApacheAuthenticate.php when administrators configure apacheEnv to use user-controlled server variables instead of REMOTE_USER in proxy deployments. Attackers manipulate unsanitized username values to inject special characters into LDAP search filters, potentially gaining unauthorized access to the threat intelligence platform. No public exploit identified at time of analysis.
Missing authorization bypass in Vertex Addons for Elementor (WordPress plugin, all versions ≤1.6.4) allows authenticated attackers with Subscriber-level privileges to install and activate arbitrary WordPress plugins. The activate_required_plugins() function checks current_user_can('install_plugins') capability but fails to halt execution on denial, permitting installation/activation to proceed before error response is sent. CVSS 8.8 (High) reflects authenticated (PR:L) network attack enabling high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.
Unauthorized access to directories in Hydrosystem Control System versions prior to 9.8.5 allows unauthenticated remote attackers to read arbitrary files and execute PHP scripts directly against the connected database. Missing authorization enforcement on specific directories enables direct file access and code execution without authentication, creating critical exposure for database manipulation and data exfiltration. No public exploit identified at time of analysis.
CSRF vulnerability in phpBB 3.3.15 allows remote attackers to execute arbitrary code by exploiting the login function and authentication mechanism. Despite a CVSS score of 8.8, the EPSS probability is very low (0.04%, 12th percentile), indicating minimal observed exploitation activity. No active exploitation confirmed (not in CISA KEV). A proof-of-concept is publicly available via GitHub Gist. The CVE description contains conflicting data: it states 'local attacker' while CVSS vector shows AV:N (network attack vector) and requires user interaction (UI:R), suggesting social engineering rather than local access.
Arbitrary PHP code execution in Kiamo customer engagement platform (pre-8.4) allows authenticated administrative users to run commands on the underlying server. The vulnerability exploits a code injection weakness (CWE-94) via network-accessible interfaces with low complexity. No public exploit identified at time of analysis, with EPSS indicating 2% (5th percentile) exploitation probability. Detailed technical write-up published by security researcher at Hackvens confirms exploitability through administrative access.
DLL injection in GatewayGeo MapServer for Windows version 5 enables authenticated local attackers to escalate privileges to SYSTEM level through crafted executable placement. The vulnerability exploits insecure library loading paths, allowing low-privileged users to inject malicious DLLs that execute with elevated permissions. Publicly available exploit code exists. Affects Windows deployments only; CVSS 8.8 reflects local attack vector requiring low privileges but achieving full system compromise across security boundaries.
Privilege escalation in OpenClaw before 2026.3.22 enables authenticated attackers with operator.pairing approver role to escalate privileges to operator.admin through insufficient scope validation in the device.pair.approve method. Exploitation allows approval of device requests with broader operator scopes than the approver legitimately holds, ultimately enabling remote code execution on Node infrastructure. Affects OpenClaw deployments where role-based access control enforces operator privilege hierarchies. No public exploit identified at time of analysis.
Authenticated Standard Registry users can execute arbitrary Node.js code in Hashgraph Guardian ≤3.5.0 through unsandboxed JavaScript evaluation in the Custom Logic policy block worker, enabling credential theft and privilege escalation. The vulnerability allows importing native Node.js modules to read container filesystem contents, extract RSA private keys and JWT signing secrets from environment variables, and forge administrator authentication tokens. Despite low EPSS (0.12%) indicating minimal widespread exploitation probability, the authenticated RCE path to total system compromise warrants immediate patching for deployments using Custom Logic policy features.
Remote denial-of-service in Juniper Networks Junos OS (SRX/MX Series) allows unauthenticated attackers to crash IPsec daemons via malformed ISAKMP packets. Exploiting the improper input validation (CWE-1286) in kmd/iked IPsec library causes process restart, preventing new VPN security association establishment. Repeated attacks create sustained inability to establish VPN connections, severely degrading network connectivity for affected enterprise firewalls and routing platforms. No public exploit identified at time of analysis.
NTLM credential theft in SiYuan personal knowledge management system (prior to 3.6.4) allows remote attackers to capture Windows user password hashes without authentication or user interaction. Misconfigured Mermaid.js rendering with securityLevel:loose permits unsanitized <img> tags within SVG foreignObject blocks. Protocol-relative URLs in malicious Mermaid diagrams trigger automatic SMB authentication on Windows, transmitting NTLMv2 hashes to attacker-controlled servers when victims open compromised notes. Electron client processes the SVG via innerHTML without secondary sanitization, enabling SSRF to UNC paths.
Privilege escalation in OpenClaw Control UI enables unauthenticated attackers to claim arbitrary privileged scopes without device identity verification. By exploiting the trusted-proxy mechanism's device-less allow path, attackers bypass authentication requirements and maintain elevated permissions across sessions. Affects OpenClaw versions prior to 2026.3.22. Attackers with low-privilege access can escalate to high-impact confidentiality and integrity compromise. No public exploit identified at time of analysis.
Denial of service in Juniper Networks Junos OS on SRX Series allows unauthenticated remote attackers to crash srxpfe process via malformed ICMPv6 packets during NAT64 translation. Repeated exploitation sustains DoS by forcing continuous process restarts. Affects wide range of Junos OS versions from 21.2 through 25.2 on SRX hardware. Vulnerability limited to ICMPv6 traffic; IPv4 and standard IPv6 cannot trigger. No public exploit identified at time of analysis.
Authorization bypass in OpenPLC_V3 REST API allows authenticated low-privilege users to delete administrator accounts or create new admin-level accounts. The API validates JWT token presence but fails to enforce role-based access control, enabling any user with basic authentication to escalate privileges to full administrator access or remove existing administrators by manipulating user ID parameters. This affects all versions of OpenPLC_V3. No public exploit identified at time of analysis.
Memory leak in Juniper Networks Junos OS jdhcpd daemon enables adjacent unauthenticated attackers to crash DHCP services on MX Series routers. Each DHCPv6 subscriber logout in PPPoE or VLAN configurations with active/bulk lease query leaks memory, eventually exhausting resources and triggering jdhcpd crash. Service remains unavailable until process restart completes. Affects all Junos OS versions before 22.4R3-S1, 23.2 versions before 23.2R2, and 23.4 versions before 23.4R2. No public exploit identified at time of analysis.
SQL injection in Hydrosystem Control System versions before 9.8.5 allows authenticated attackers to execute arbitrary SQL commands via unprotected input parameters across multiple scripts. Exploitation requires low-privilege authentication but no user interaction, enabling attackers to compromise database confidentiality and integrity with potential for full database control. No public exploit identified at time of analysis.
Remote code execution in Rapid7 Velociraptor server (primarily Linux) allows authenticated clients to write malicious messages to privileged internal queues via improper queue name validation. Affected versions prior to 0.76.2 (including 0.75.6, 0.74.6, and 0.76.1) are vulnerable to queue injection attacks from rogue authenticated clients. EPSS score of 0.20% (42nd percentile) suggests low broad exploitation probability, though SSVC framework indicates total technical impact despite no confirmed active exploitation. Vendor patch released as version 0.76.2.
Privilege escalation in OpenClaw (versions prior to 2026.3.25) enables authenticated local attackers to silently elevate permissions from operator.read to operator.admin during shared-auth reconnection events, achieving remote code execution on affected nodes. The vulnerability exploits auto-approval of scope-upgrade requests in local reconnection flows, requiring low-privilege local access (PR:L) with no user interaction. No public exploit identified at time of analysis. Vendor-released patch available via commit 81ebc7e0344fd19c85778e883bad45e2da972229.
Authenticated file overwrite vulnerability in Directus < 11.17.0 allows low-privileged users to corrupt arbitrary files by manipulating the filename_disk parameter in PATCH /files/{id} requests. Attackers can overwrite other users' file content and forge metadata fields (e.g., uploaded_by) to hide evidence of tampering. Requires authenticated access (PR:L). Scope change (S:C) indicates potential cross-tenant impact. No public exploit identified at time of analysis.
Local privilege escalation in Juniper Networks Junos OS Evolved on PTX Series routers allows authenticated users with low privileges to gain high-privileged direct access to Flexible PIC Concentrators (FPCs), enabling potential full compromise of affected line cards. Impacts PTX10004, PTX10008, PTX10016 with JNP10K-LC1201 or JNP10K-LC1202 line cards across multiple firmware branches. Missing authentication on critical FPC management functions permits unauthorized privilege elevation. No public exploit identified at time of analysis.
Local privilege escalation in Juniper Networks Junos OS and Junos OS Evolved allows low-privileged authenticated users to execute arbitrary code with root privileges. When unsigned Python operation scripts are enabled in device configuration, attackers can inject and execute malicious op scripts under root-equivalent context, achieving complete system compromise. Affects all Junos OS versions before 22.4R3-S7 and multiple branches through 24.4, plus corresponding Junos OS Evolved releases. No public exploit identified at time of analysis. CVSS 8.5 (High) with local attack vector requiring low privileges and no user interaction.
Command injection in Juniper Networks Junos OS and Junos OS Evolved CLI processing allows high-privileged local attackers to execute arbitrary shell commands as root through crafted 'set system' arguments, enabling complete system compromise. Affects all versions before multiple fixed releases across both operating systems. Authentication required (high-privileged local access). No public exploit identified at time of analysis.
Command injection in Juniper Networks Support Insights Virtual Lightweight Collector (JSI vLWC) CLI enables local high-privileged attackers to escalate privileges to root. Inadequate input validation in the CLI menu permits shell command injection, with injected commands executing at root level. All JSI vLWC versions before 3.0.94 affected. CVSS 8.4 (High severity, local vector). Requires high-level existing privileges (PR:H). No public exploit identified at time of analysis.
Environment variable injection in PraisonAI deploy.py (versions prior to 4.5.128) allows authenticated local attackers to inject arbitrary environment variables into Google Cloud Run services during deployment. The vulnerability stems from improper validation of comma-separated gcloud CLI arguments, enabling attackers to manipulate openai_model, openai_key, or openai_base parameters with embedded commas, causing gcloud to parse injected content as additional KEY=VALUE pairs. This grants high-level access to confidential service configuration and permits unauthorized modifications. No public exploit identified at time of analysis.
Helm 4.0.0 through 4.1.3 silently installs Kubernetes plugins without cryptographic provenance verification even when signature verification is explicitly required, allowing local attackers to deliver malicious plugins that execute with Helm's privileges during installation. The flaw (CWE-636: Not Failing Securely) enables supply chain attacks where unsigned or tampered plugins bypass security controls intended to validate plugin integrity. Fixed in Helm 4.1.4. EPSS score is 2nd percentile (0.01% exploitation probability), no active exploitation confirmed, SSVC assessment indicates total technical impact but non-automatable exploitation requiring user interaction.
Path traversal in Helm 4.0.0-4.1.3 allows local attackers to write arbitrary files during plugin installation or update by embedding '/../' sequences in the plugin.yaml version field, achieving high integrity impact across system and vulnerable component scopes. EPSS score is 2nd percentile (0.01%) with no active exploitation or public POC identified, suggesting low immediate risk despite 8.4 CVSS score. Vendor patch released in version 4.1.4.
Heap buffer overflow in wolfSSL DTLS 1.3 ACK message handler allows unauthenticated remote attackers to achieve integrity and availability impacts via crafted network packets. The vulnerability triggers memory corruption during ACK message processing in DTLS 1.3 sessions, enabling potential arbitrary code execution or denial of service. No public exploit identified at time of analysis, though low observed exploitation activity noted.
OpenClaw's Plivo V2 signature verification implementation allows remote attackers to bypass replay protection and forge authenticated requests by manipulating URL query parameters. The flaw affects OpenClaw versions before 2026.3.23 and stems from deriving replay protection keys from the full URL including query strings rather than the canonical base URL, enabling attackers to create new valid request signatures by modifying only query parameters on previously signed requests. With 8% EPSS percentile and high attack complexity (AC:H), this represents moderate real-world risk despite the 8.3 CVSS score. Public proof-of-concept commits demonstrate the vulnerability, though no active exploitation is confirmed.
Certificate chain validation bypass in Juniper Junos OS J-Web on SRX Series enables person-in-the-middle attackers to intercept Security Director cloud communications, exposing credentials and sensitive data. All SRX devices connecting to SD cloud fail to properly verify server certificates, allowing interception of authentication material and configuration data. Affects Junos OS versions across all branches prior to 22.4R3-S9, 23.2R2-S6, 23.4R2-S7, 24.2R2-S3, 24.4R2-S2, and 25.2R1-S2/25.2R2. No public exploit identified at time of analysis. Network-positioned attacker with high complexity required (CVSS AC:H).
LDAP filter injection in OPNsense firewall allows unauthenticated attackers to enumerate valid LDAP usernames and bypass group membership restrictions via the WebGUI login page. Affects OPNsense versions prior to 26.1.6. The vulnerability stems from failure to escape user-supplied input before insertion into LDAP search filters, enabling metacharacter injection. Attackers can authenticate as any LDAP user with known credentials, circumventing Extended Query group membership controls. No public exploit identified at time of analysis.
Timestamp manipulation in Nimiq Core Rust implementation (nimiq-blockchain 1.3.0 and earlier) allows authenticated block-producing validators to set arbitrarily future block timestamps, bypassing validation constraints and directly inflating the blockchain's monetary supply beyond the intended emission schedule through compromised Policy::supply_at() and batch_delay() reward calculations. The vulnerability exploits absent upper-bound wall-clock validation in non-skip and skip block timestamp verification logic, enabling integrity compromise of the blockchain's economic model. No public exploit identified at time of analysis.
Signature verification bypass in BSV Ruby SDK versions 0.3.1 through 0.8.1 allows authenticated attackers to forge blockchain identity certificates. The WalletClient#acquire_certificate method persists certificates without validating certifier signatures in both 'direct' acquisition (where attackers supply all fields including forged signatures) and 'issuance' protocols (where malicious certifier endpoints inject invalid signatures). Forged certificates appear authentic to list_certificates and prove_certificate operations, enabling impersonation attacks. CVSS 8.1 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible exploitation requiring low-privilege authentication. No public exploit identified at time of analysis.