OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the User parameter in setVpnAccountCfg function at /cgi-bin/cstecgi.cgi endpoint. CVSS 9.8 critical severity with publicly available exploit code documented on GitHub. No authentication, low complexity, network-accessible attack vector enables full system compromise with high confidentiality, integrity, and availability impact.
Remote unauthenticated OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 enables complete system compromise. Attackers exploit the setPptpServerCfg function in /cgi-bin/cstecgi.cgi CGI handler by injecting malicious commands through the 'enable' parameter. CVSS 9.8 critical severity reflects network-accessible attack requiring no privileges or user interaction. Publicly available exploit code exists, significantly lowering exploitation barrier for remote attackers seeking router takeover, data exfiltration, or network pivoting.
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 enables unauthenticated remote attackers to execute arbitrary system commands via the 'enable' parameter in the setUrlFilterRules function of /cgi-bin/cstecgi.cgi. Exploitation requires no user interaction, granting complete device compromise with potential for lateral network movement. Publicly available exploit code exists (GitHub POC). CVSS 9.8 severity reflects network-accessible attack vector with no privilege requirements.
Remote OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated attackers to execute arbitrary system commands. The vulnerability resides in the setPortalConfWeChat function within /cgi-bin/cstecgi.cgi, exploitable by manipulating the 'enable' parameter. CVSS 9.8 severity reflects network-accessible attack vector requiring no authentication or user interaction, with full system compromise potential. Publicly available exploit code exists, significantly lowering exploitation barrier for remote attackers targeting vulnerable router deployments.
Remote unauthenticated OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows arbitrary command execution via the setSyslogCfg function in /cgi-bin/cstecgi.cgi. Attackers exploit the 'enable' parameter without authentication to achieve full system compromise. CVSS 9.8 critical severity reflects network accessibility, no complexity barriers, and complete confidentiality/integrity/availability impact. Publicly available exploit code exists, significantly lowering attack barrier for opportunistic scanning campaigns targeting consumer routers.
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the admpass parameter in setLoginPasswordCfg function of /cgi-bin/cstecgi.cgi. Network-accessible with no user interaction required. Publicly available exploit code exists. CVSS 9.8 critical severity reflects complete system compromise potential.
OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the tty_server parameter in the setAdvancedInfoShow function of /cgi-bin/cstecgi.cgi. CVSS 9.8 critical severity reflects network-accessible exploitation requiring no authentication or user interaction. Publicly available exploit code exists. Attackers can achieve full system compromise including data exfiltration, configuration tampering, and denial of service against affected routers.
OS command injection in Totolink A7100RU 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via malicious lan_info parameter to setMiniuiHomeInfoShow function in /cgi-bin/cstecgi.cgi. CVSS 9.8 critical severity with network attack vector requiring no privileges or user interaction. Publicly available exploit code exists. Complete compromise of confidentiality, integrity, and availability achievable through CGI handler manipulation.
Remote OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 via unauthenticated manipulation of telnet_enabled parameter in setTelnetCfg function. Critical CVSS 9.8 score reflects network-accessible attack requiring no authentication or user interaction, enabling full system compromise. Publicly available exploit code exists. Impacts router confidentiality, integrity, and availability with potential for complete device takeover and lateral network movement.
Unauthenticated OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows remote attackers to execute arbitrary system commands via the wifiOff parameter in the setWiFiGuestCfg function of /cgi-bin/cstecgi.cgi. CVSS 9.8 critical severity with network-accessible attack vector requiring no authentication or user interaction. Publicly available exploit code exists. Successful exploitation enables complete device compromise with high impact to confidentiality, integrity, and availability.
Remote code execution in BerriAI LiteLLM (all versions through 2026-04-08) enables authenticated attackers to execute arbitrary code by exploiting bytecode rewriting functionality at the /guardrails/test_custom_code endpoint. The vulnerability requires low-privilege authentication (PR:L) but permits complete system compromise with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Privilege escalation in CouchCMS allows authenticated Admin-level users to create SuperAdmin accounts by manipulating the f_k_levels_list parameter during user creation requests. Attackers modify the parameter value from 4 to 10 in HTTP POST bodies to bypass authorization controls and gain unrestricted application access. This authenticated attack (PR:H) enables lateral privilege movement from Admin to SuperAdmin, circumventing intended role hierarchy enforcement. Publicly available exploit code exists, lowering exploitation barrier for actors with existing Admin credentials.
Stack-based buffer overflow in Tenda AC9 router firmware 15.03.02.13 enables authenticated remote attackers to execute arbitrary code or crash the device. The vulnerability resides in the decodePwd function within /goform/WizardHandle POST request handler, triggered by manipulating the WANS parameter. Attack requires low-privilege authentication but no user interaction. CVSS 8.8 (High) reflects potential for complete system compromise. Publicly available exploit code exists; no confirmed active exploitation (CISA KEV).
Stack-based buffer overflow in Tenda AC9 router firmware 15.03.02.13 allows authenticated remote attackers to execute arbitrary code via crafted PPPOEPassword parameter to formQuickIndex endpoint. Attack requires low-privilege credentials but no user interaction, enabling complete device compromise. Publicly available exploit code exists. CVSS 8.8 reflects network-accessible attack path with high impact to confidentiality, integrity, and availability.
Buffer overflow in D-Link DIR-513 firmware 1.10 formAdvanceSetup function enables authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability resides in POST request handling at /goform/formAdvanceSetup endpoint, where insufficient input validation of the 'webpage' parameter triggers memory corruption. Publicly available exploit code exists. This router model is end-of-life with no vendor support.
Buffer overflow in D-Link DIR-513 1.10 POST request handler allows authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The formSetRoute function improperly validates the curTime parameter, enabling memory corruption attacks. Publicly available exploit code exists. This vulnerability affects end-of-life hardware no longer supported by D-Link, leaving no vendor remediation pathway.
Buffer overflow in D-Link DIR-513 1.10 formSetPassword function allows authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. Exploitation occurs through POST request manipulation of the curTime parameter in /goform/formSetPassword endpoint. This end-of-life product receives no vendor support, and publicly available exploit code exists. Attack requires low-privilege authentication (CVSS PR:L) but no user interaction, enabling straightforward remote exploitation once credentials are obtained.
Server-side request forgery in Arcane Docker management interface versions prior to 1.17.3 allows unauthenticated remote attackers to conduct SSRF attacks via the /api/templates/fetch endpoint. Attackers can supply arbitrary URLs through the url parameter, causing the server to perform HTTP GET requests without URL scheme or host validation, with responses returned directly to the caller. This enables reconnaissance of internal network resources, access to cloud metadata endpoints, and potential interaction with internal services from the server's network context. No public exploit identified at time of analysis.
Remote code execution in YML for Yandex Market WordPress plugin versions before 5.0.26 allows unauthenticated remote attackers to execute arbitrary code through the feed generation process. The vulnerability has a CVSS score of 6.5 and publicly available exploit code exists. Exploitation requires only network access with no user interaction, making it relatively straightforward to weaponize despite the low EPSS score (0.09%), suggesting limited real-world exploitation activity at the time of analysis.
Unauthenticated attackers can rename arbitrary wishlists on WordPress sites running YITH WooCommerce Wishlist before version 4.13.0 due to insufficient ownership validation in the save_title() AJAX handler. The vulnerability exploits a publicly exposed nonce in the wishlist page source, allowing attackers to modify wishlist names for any user without authentication. While the CVSS score of 6.5 reflects moderate integrity and confidentiality impact, the EPSS score of 0.02% (percentile 6%) and low real-world exploitation probability suggest this is a niche risk affecting only sites using this specific plugin, though publicly available exploit code exists.
Kubernetes Service Account token disclosure in the odh-dashboard component of Red Hat OpenShift AI (RHOAI) lets an authenticated low-privileged user retrieve SA tokens via an exposed NodeJS endpoint, then reuse them to reach Kubernetes resources beyond the dashboard's intended scope. Rated CVSS 9.9 with a changed scope, the flaw effectively converts limited dashboard access into broad cluster access. There is no public exploit identified at time of analysis and EPSS is very low (0.06%), but a vendor patch is already available via Red Hat errata.
Authorization bypass in Canonical Juju Controller facade allows authenticated users to extract bootstrap cloud credentials via CloudSpec API. Affects Juju 2.9.0-2.9.56 and 3.6.0-3.6.20. Low-privileged authenticated attackers can escalate privileges by accessing sensitive cloud provider credentials, enabling lateral movement to infrastructure resources. Network-accessible with low complexity (CVSS 9.9 Critical). No public exploit identified at time of analysis. Patch available in versions 2.9.57 and 3.6.21.
Unauthenticated path traversal in FalkorDB Browser 1.9.3 file upload API enables remote attackers to write arbitrary files to the server filesystem and execute code without authentication. Attack vector is network-accessible with low complexity, requiring no user interaction. CVSS 9.8 critical severity reflects complete compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.09%, 25th percentile).
Prototype pollution in the LangSmith JavaScript/TypeScript SDK (npm 'langsmith', versions <= 0.5.17) lets an attacker who controls object keys passed to the createAnonymizer() API pollute Object.prototype for the entire Node.js process. The internally vendored lodash set() utility guards only the __proto__ key and misses the constructor.prototype traversal path, so a crafted key like 'constructor.prototype.polluted' bypasses the fix. Publicly available exploit code exists (SSVC 'poc' plus regression tests in the fix PR), but EPSS is only 0.04% with no evidence of active exploitation; notably the vendor GHSA rates this Medium (~CVSS 5.6), conflicting sharply with the NVD 9.8.
Hardcoded debug credentials in BMC Control-M/MFT 9.0.20-9.0.22 enable unauthenticated remote attackers to access the MFT API debug interface with full system privileges. The vulnerability (CWE-798) stems from cleartext default credentials embedded in the application package, providing complete confidentiality, integrity, and availability compromise (CVSS 9.8). No public exploit identified at time of analysis, with EPSS score of 0.02% indicating low observed exploitation activity despite critical severity rating.
Buffer overflow in owntone-server commit 2ca10d9 allows unauthenticated remote attackers to achieve code execution or denial of service with critical CVSS 9.8 severity. The vulnerability stems from inadequate recursive input validation (CWE-120), enabling network-accessible exploitation without user interaction. No public exploit identified at time of analysis, though proof-of-concept details exist in GitHub issue #1873. EPSS score of 0.02% (5th percentile) suggests low observed exploitation probability despite maximum theoretical severity.
SQL injection in itsourcecode Online Student Enrollment System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'coursename' parameter in newCourse.php, potentially enabling complete database compromise, authentication bypass, and server-side code execution. Despite a critical 9.8 CVSS score, EPSS indicates only 0.01% exploitation probability (2nd percentile), suggesting minimal observed attacker interest. Publicly available exploit code exists (GitHub POC), but no CISA KEV listing confirms active exploitation.
SQL injection in SourceCodester Engineers Online Portal v1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands through the new_password parameter in update_password.php, enabling complete database compromise, authentication bypass, and potential server takeover. Despite a critical CVSS score of 9.8, EPSS indicates only 0.01% exploitation probability (2nd percentile), and no public exploit identified at time of analysis beyond technical documentation. The vulnerable PHP application lacks input validation on password update functionality, a common weakness in legacy web portals.
SQL injection in itsourcecode Online Student Enrollment System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the 'subjcode' parameter in assignInstructorSubjects.php, potentially enabling complete database compromise, authentication bypass, and data exfiltration. CVSS 9.8 (Critical) reflects network-accessible exploitation requiring no privileges or user interaction. EPSS score of 0.01% (2nd percentile) indicates minimal observed exploitation activity, though publicly available exploit code exists via GitHub repository documentation. No vendor-released patch identified at time of analysis.
SQL injection in itsourcecode Online Student Enrollment System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands through the 'subjcode' parameter in scheduleSubList.php, achieving full database compromise with potential for complete system control. CVSS 9.8 (Critical) reflects network-accessible exploitation requiring no privileges or user interaction. EPSS score of 0.01% (2nd percentile) indicates minimal observed exploitation activity, and no CISA KEV listing exists, suggesting limited real-world targeting despite the theoretical severity. Public proof-of-concept documentation exists on GitHub, lowering the technical barrier for exploitation.
SQL injection in PHP-MYSQL-User-Login-System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the username parameter at login.php, potentially enabling complete database compromise, authentication bypass, and unauthorized administrative access. Publicly available exploit code exists (GitHub POC). Despite a critical CVSS score of 9.8, EPSS exploitation probability is extremely low (0.01%, 2nd percentile), and no confirmed active exploitation (not in CISA KEV). The low real-world exploitation signal suggests limited deployment or attacker interest in this specific application.
SQL injection in itsourcecode Online Student Enrollment System v1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via unsanitized classId parameter in instructorClasses.php. Despite critical CVSS 9.8 rating, EPSS score of 0.01% (2nd percentile) indicates minimal observed exploitation activity. Public proof-of-concept documentation exists on GitHub, lowering exploitation barrier for opportunistic attackers targeting educational institutions using this enrollment platform.
Stored cross-site scripting in parisneo/lollms versions prior to 2.2.0 enables unauthenticated attackers to inject malicious JavaScript through unsanitized social post content in the create_post function. Injected scripts execute in victims' browsers when viewing the Home Feed, enabling account takeover, session hijacking, and wormable propagation across the platform. The CVSS vector indicates network-accessible exploitation requiring user interaction, with scope change allowing cross-domain impact. No public exploit identified at time of analysis, but low attack complexity increases weaponization risk.
NASM up to version 3.02rc5 contains a heap use-after-free vulnerability in response file (-@) processing that allows remote attackers without authentication to cause data corruption or denial of service. The vulnerability arises from a dangling pointer stored in the global depend_file variable that is dereferenced after the response-file buffer has been freed. A proof-of-concept exploit exists, and CISA's SSVC framework rates this as automatable with partial technical impact, indicating moderate real-world risk despite the relatively modest CVSS score of 6.5.
Path traversal in Tenda i6 router firmware 1.0.0.7(2204) allows unauthenticated remote attackers to read, write, or delete arbitrary files via malicious HTTP requests to the R7WebsSecurityHandlerfunction component. CVSS 7.3 (High) reflects network-accessible exploitation without authentication. Publicly available exploit code exists, documented in a GitHub repository demonstrating attack vectors. Affects Tenda i6 wireless router deployments running vulnerable firmware version.
Path traversal in zhayujie chatgpt-on-wechat CowAgent up to version 2.0.4 allows unauthenticated remote attackers to read arbitrary files via the filename parameter in the API Memory Content Endpoint (agent/memory/service.py). The vulnerability has a publicly available exploit, carries a moderate CVSS score of 5.3 reflecting limited confidentiality impact, and has been patched by the vendor in version 2.0.5 with patch commit 174ee0cafc9e8e9d97a23c305418251485b8aa89.
SQL injection in code-projects Vehicle Showroom Management System 1.0 via the BRANCH_ID parameter in /util/RegisterCustomerFunction.php allows unauthenticated remote attackers to manipulate database queries with low complexity, affecting data confidentiality and integrity. Publicly available exploit code exists, increasing real-world exploitation risk despite the moderate CVSS 6.9 score.
A vulnerability was determined in code-projects Vehicle Showroom Management System 1.0. This affects an unknown function of the file /util/AddVehicleFunction.php. This manipulation of the argument BRANCH_ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
A vulnerability was found in code-projects Vehicle Showroom Management System 1.0. The impacted element is an unknown function of the file /util/VehicleDetailsFunction.php. The manipulation of the argument VEHICLE_ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.
SQL injection in code-projects Simple IT Discussion Forum 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the Category parameter in /add-category-function.php. Attackers can read, modify, or delete database contents without authentication. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack vector with low complexity and no user interaction required. Impacts confidentiality, integrity, and availability at low levels.
SQL injection in Simple IT Discussion Forum 1.0 by code-projects allows unauthenticated remote attackers to execute arbitrary SQL commands via the cat_id parameter in /delete-category.php, enabling unauthorized data access, modification, or deletion. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack surface with low complexity and no authentication requirement, permitting compromise of confidentiality, integrity, and availability.
Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite through malicious .praison archive bundles. The cmd_unpack function in recipe CLI performs unvalidated tar extraction, allowing attackers to embed ../ path sequences that escape the intended extraction directory. Unauthenticated attackers can distribute weaponized bundles that, when unpacked by victims via 'praisonai recipe unpack' command, overwrite critical system files with attacker-controlled content. No public exploit identified at time of analysis.
Unauthenticated password reset takeover in Chamilo LMS 1.11.x (prior to 1.11.38) and 2.0.0-RC versions (prior to RC.3) allows remote attackers to hijack arbitrary user accounts by computing deterministic reset tokens. The vulnerability stems from insecure token generation using sha1($email) without randomization, expiration, or rate limiting. Attackers knowing a target's email address can directly calculate valid password reset tokens and change account credentials without prior authentication, enabling full account takeover with high confidentiality and integrity impact. No public exploit identified at time of analysis.
Critical authorization bypass in goshs (Go-based HTTP server) versions prior to 2.0.0-beta.4 allows unauthenticated attackers to upload, delete, and modify files in directories protected by .goshs ACL configurations. Attackers can execute state-changing operations (PUT uploads, POST /upload, directory creation via ?mkdir, file deletion via ?delete) without credentials, bypassing documented per-folder authentication mechanisms. Deleting the .goshs file itself removes authentication policies, enabling unrestricted access to previously protected content. Affects confidentiality, integrity, and availability of protected resources. No public exploit identified at time of analysis.
Authentication bypass in Ajenti admin panel versions prior to 0.112 allows unauthenticated remote attackers to completely circumvent password authentication when two-factor authentication (2FA) is enabled. Attackers can gain full administrative access to the Ajenti server management interface without valid credentials, compromising confidentiality and integrity of managed systems. No public exploit identified at time of analysis.
Arbitrary file write vulnerability in Chamilo LMS versions before 1.11.38 allows unauthenticated remote attackers to modify existing files or create new files with system-level permissions through a chained attack exploiting the main/install/ directory. Attackers can bypass PHP execution restrictions when the installation directory remains accessible post-deployment, enabling complete system compromise where filesystem permissions permit. This vulnerability affects portals that have not removed the main/install/ directory after initial setup. No public exploit identified at time of analysis.
GeoNode 4.0 before 4.4.5 and 5.0 before 5.0.2 contains a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to probe internal networks, including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by submitting a crafted WMS service URL during form validation. The vulnerability exploits insufficient URL validation without private IP filtering or allowlist enforcement. No public exploit code has been identified at the time of analysis.
OS command injection in Chamilo LMS 1.x (prior to 1.11.38) and 2.0.0-RC.x (prior to RC.3) allows authenticated teacher-role users to execute arbitrary system commands via unsanitized file path parameters. The move() function in fileManage.lib.php concatenates user-controlled move_to POST values directly into exec() shell commands without proper escaping. Any authenticated user can exploit this by creating a course (enabled by default), uploading a directory with shell metacharacters via Course Backup Import, then moving a document to trigger command execution as www-data. No public exploit identified at time of analysis.
Path traversal (Zip Slip) in gramps-web-api media archive import allows authenticated owner-privileged users to write arbitrary files outside intended directories via malicious ZIP archives. Exploitation requires owner-level access and enables cross-tree data corruption in multi-tree SQLite deployments or config file overwrite in volume-mounted configurations. Postgres+S3 deployments limit impact to ephemeral container storage. No public exploit identified at time of analysis.
Remote code execution in Chamilo LMS versions prior to 2.0.0-RC.3 allows authenticated attackers with administrative privileges to inject and execute arbitrary PHP code via platform configuration settings. The PlatformConfigurationController::decodeSettingArray() method unsafely uses eval() to parse database-stored settings, executing injected code when any user-including unauthenticated visitors-accesses the /platform-config/list endpoint. Exploitation requires low-privilege authentication (PR:L) but delivers full system compromise with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.