SQL injection in BMC Control-M/MFT 9.0.20-9.0.22 debug API enables authenticated attackers to execute arbitrary SQL queries, leading to file system access and potential remote code execution. CVSS 8.8 reflects network-accessible, low-complexity exploitation requiring low-privilege authentication. EPSS score of 0.04% (13th percentile) indicates minimal current exploitation probability, and no public exploit identified at time of analysis. Patch PAAFP-9-0-22-025 addresses the vulnerability.
Man-in-the-middle attackers can truncate AES-GCM authentication tags in wolfSSL's PKCS7 AuthEnvelopedData processing from 16 bytes to 1 byte, degrading cryptographic integrity verification from 2⁻¹²⁸ to 2⁻⁸ probability. Affects wolfSSL versions through 5.9.0 due to missing lower bounds validation in wc_PKCS7_DecodeAuthEnvelopedData(). Unauthenticated network-based attack enables high-severity integrity bypass without user interaction. No public exploit identified at time of analysis.
Privilege escalation in OpenClaw gateway-authenticated plugin HTTP routes allows authenticated attackers to bypass scope restrictions and gain operator.admin privileges. The vulnerability affects OpenClaw versions prior to 2026.3.25, enabling low-privileged authenticated users to perform unauthorized administrative actions through improperly minted runtime scopes. Exploitation requires network access and low-level authentication but no user interaction. No public exploit identified at time of analysis.
Privilege escalation in OpenClaw versions prior to 2026.3.25 allows authenticated low-privilege operators to bypass pairing requirements during backend reconnection, self-requesting elevated scopes to gain operator.admin privileges. Attackers with existing operator credentials exploit improper scope validation (CWE-648) to escalate from limited operator access to full administrative control over the OpenClaw system. Exploitation requires network access and low-privilege authentication (CVSS:3.1 PR:L), enabling high-impact compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Unauthenticated root access in Egate Atom 3x Projector enables complete device compromise via exposed Android Debug Bridge service on local network. Attacker on same network segment can execute arbitrary commands with full system privileges without credentials due to missing authentication controls and network exposure of ADB service. No public exploit identified at time of analysis. Critical impact includes data exfiltration, malware installation, and persistent backdoor deployment.
Remote code execution in OpenClaw Android application (versions before 2026.3.22) allows unauthenticated attackers to execute arbitrary code through an unvalidated WebView JavascriptInterface. Attackers craft malicious web pages that invoke the exposed canvas bridge, executing instructions within the application's Android context when users interact with untrusted content. The vulnerability requires user interaction but no authentication, enabling high-severity compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Arbitrary code execution in PraisonAI multi-agent system (<4.5.128) via Python sandbox escape. Incomplete AST attribute filtering allows type.__getattribute__ trampoline to bypass restrictions on __subclasses__, __globals__, and __bases__, enabling untrusted agent code to break containment. Attack requires local access and user interaction to execute malicious code. No public exploit identified at time of analysis.
Certificate chain validation bypass in wolfSSL's OpenSSL compatibility layer allows authenticated network attackers to forge arbitrary certificates. Attackers possessing any legitimate leaf certificate from a trusted CA can craft fraudulent certificates for any subject name with arbitrary keys, bypassing signature verification when an untrusted CA:FALSE intermediate is inserted. Affects nginx and haproxy integrations using wolfSSL's OpenSSL compatibility API; native wolfSSL TLS handshake (ProcessPeerCerts) not vulnerable. No public exploit identified at time of analysis.
DLL hijacking in JPCERT's Emocheck malware detection tool allows local code execution when malicious DLL placed in application directory. Unauthenticated attacker with local access can achieve arbitrary code execution at user privilege level by exploiting insecure library loading (CWE-427). User must invoke Emocheck executable with crafted DLL present. No public exploit identified at time of analysis. CVSS 7.8 indicates high severity requiring user interaction and local access.
Arbitrary code execution in OpenClaw versions prior to 2026.3.24 enables local attackers to execute malicious code during npm package installation by crafting a malicious .npmrc file that overrides the git executable. When npm install runs in the staged package directory with git dependencies, the attacker-controlled .npmrc configuration triggers execution of arbitrary programs specified by the attacker. Exploitation requires user interaction to install the malicious plugin or hook locally. No public exploit identified at time of analysis.
Path traversal in Chamilo LMS main/exercise/savescores.php enables authenticated attackers to delete arbitrary files on the server. Vulnerable versions prior to 1.11.38 fail to sanitize the 'test' parameter from $_REQUEST, allowing directory traversal sequences to escape intended paths and target critical system or application files. Attackers with low-level authenticated access can exploit this remotely without user interaction, resulting in high integrity and availability impact through targeted file deletion.
Privilege escalation in Vikunja API (v2.2.2 and prior) allows authenticated users with Write permission on a shared project to escalate to Admin by reparenting the project under their own hierarchy. The vulnerability exploits insufficient authorization checks in project reparenting (CanWrite instead of IsAdmin), causing the recursive permission CTE to grant Admin rights. Attackers can then delete projects, remove user access, and manage sharing settings. Publicly available exploit code exists.
Path traversal in Saltcorn's mobile sync endpoints enables remote unauthenticated attackers to write arbitrary JSON files and create directories anywhere on the server filesystem, plus read directory listings and JSON file contents. Affects all versions before 1.4.5, 1.5.0-beta.0 through 1.5.4, and 1.6.0-alpha.0 through 1.6.0-beta.3. Publicly available exploit code exists (SSVC: POC status), with EPSS probability of 0.08% (23rd percentile) indicating low widespread exploitation likelihood despite the critical impact. The vulnerability enables direct filesystem manipulation without authentication, though confidentiality impact is rated low (CVSS C:L) as only JSON files and directory listings are readable.
Integer overflow in wolfSSL CMAC implementation (versions ≤5.9.0) enables zero-effort cryptographic forgery. The wc_CmacUpdate function uses a 32-bit counter (totalSz) that wraps to zero after processing 4 GiB of data, erroneously discarding live CBC-MAC chain state. Attackers can forge CMAC authentication tags by crafting messages with identical suffixes beyond the 4 GiB boundary, undermining message authentication integrity in unauthenticated network contexts. No public exploit identified at time of analysis.
Server-side request forgery in Postiz (gitroomhq postiz-app) versions prior to 2.21.5 allows unauthenticated remote attackers to access internal network resources and exfiltrate sensitive data via the /api/public/stream endpoint. The vulnerability exploits inadequate redirect validation: attackers supply public HTTPS URLs that pass initial validation but redirect server requests to private internal hosts, bypassing security controls. High confidentiality impact with potential service disruption. No public exploit identified at time of analysis.
Request body size limit bypass in SvelteKit adapter-node allows unauthenticated attackers to submit oversized payloads, causing denial of service through resource exhaustion. Affects SvelteKit versions prior to 2.57.1 running adapter-node. Exploitation requires specific timing conditions (CVSS AT:P). Platform-level and WAF body size limits remain effective. No public exploit identified at time of analysis. Vulnerability exploits CWE-770 resource allocation flaw where BODY_SIZE_LIMIT enforcement fails under race conditions or specific request patterns.
Local file inclusion in CactusThemes VideoPro WordPress theme through version 2.3.8.1 allows unauthenticated remote attackers to read arbitrary files on the server via improper filename control in PHP include/require statements. Exploitation requires high attack complexity but no user interaction. EPSS score indicates low observed exploitation activity; no public exploit identified at time of analysis.
Unauthorized deletion of attribute view definitions in SiYuan note-taking application allows authenticated publish-service readers to permanently destroy arbitrary workspace data. Attackers with low-privilege publish credentials can extract attribute view IDs from published content markup (exposed as data-av-id attributes) and invoke the /api/av/removeUnusedAttributeView endpoint to delete corresponding JSON definition files. The endpoint lacks proper authorization controls, accepting RoleReader tokens despite performing destructive write operations. Successful exploitation corrupts database views, breaks local workspace rendering, and causes operational disruption requiring manual restoration.
Authenticated arbitrary file overwrite in Perfmatters WordPress plugin ≤2.5.9 allows low-privileged attackers (Subscriber-level and above) to corrupt critical server files via path traversal. The PMCS::action_handler() method processes bulk activate/deactivate actions without authorization checks or nonce verification, passing unsanitized $_GET['snippets'][] values through Snippet::activate()/deactivate() to file_put_contents(). Attackers can overwrite files like .htaccess or index.php with fixed PHP docblock content, causing denial of service. Exploitation requires authenticated access with minimal privileges. No public exploit identified at time of analysis.
A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user's PIN code due to insecure storage. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Stack-based buffer overflow in musl libc 0.7.10 through 1.2.6 allows local attackers with high complexity requirements to corrupt memory during qsort operations on exceptionally large arrays (exceeding ~7 million elements on 32-bit systems, corresponding to the 32nd Leonardo number). Exploitation requires sorting arrays approaching billion-element scale on 64-bit platforms. Vulnerability stems from incorrect double-word primitive implementation in smoothsort algorithm. Successful exploitation enables arbitrary code execution with scope change, impacting confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Server-Side Request Forgery in Chartbrew versions prior to 4.8.5 allows authenticated users to create API data connections with arbitrary URLs, enabling attacks against internal networks and cloud metadata endpoints. The vulnerability stems from unvalidated URL fetching via request-promise library, permitting attackers to probe internal infrastructure, access cloud instance metadata (AWS, Azure, GCP), and potentially retrieve sensitive credentials or configuration data. No public exploit identified at time of analysis. CVSS 7.8 with network attack vector and no authentication requirement in subsequent chain exploitation.
Arbitrary code execution occurs in PraisonAI (all versions prior to 4.5.128) when a malicious tools.py file exists in the working directory. The framework automatically imports and executes this file during startup without validation or user consent, enabling unauthenticated local attackers to execute arbitrary Python code by placing a weaponized tools.py in directories accessed by users or CI/CD pipelines. User interaction is required (running praisonai command). No public exploit identified at time of analysis.
Local privilege escalation in Acronis True Image for macOS enables authenticated low-privileged users to gain elevated system privileges through improper environment variable handling. Affects Acronis True Image OEM (macOS) versions prior to build 42571 and Acronis True Image (macOS) prior to build 42902. Attackers with existing local access can achieve complete system compromise (high confidentiality, integrity, and availability impact). No public exploit identified at time of analysis. Exploitation requires low attack complexity with no user interaction.
Local privilege escalation in Samsung MagicINFO 9 Server versions prior to 21.1091.1 enables authenticated low-privileged users to escalate to high privileges through incorrect default file/directory permissions. Attackers with local access can obtain complete system control, compromising confidentiality, integrity, and availability. Attack requires local access and low-level authentication but no user interaction. No public exploit identified at time of analysis.
Remote code execution in OpenClaw versions prior to 2026.3.22 allows authenticated attackers to bypass shared host environment policy via inconsistent environment variable sanitization. Attackers exploit validation inconsistencies by supplying malformed or blocked override keys that evade filtering mechanisms, enabling arbitrary code execution with unauthorized environment variable configurations. Vulnerability requires low-privilege authentication and high attack complexity. No public exploit identified at time of analysis.
Path traversal vulnerability in Quarkus OpenAPI Generator (Quarkiverse) versions prior to 2.16.0 and 2.15.0-lts allows unauthenticated remote attackers to write arbitrary files outside intended directories via malicious ZIP archives. The ApicurioCodegenWrapper.java unzip() method fails to validate file paths during extraction, enabling path traversal sequences (../../) to bypass output directory restrictions and achieve arbitrary file write with high integrity impact. No public exploit identified at time of analysis. Affects Java-based Quarkus extensions for REST client and server stub generation.
Allowlist bypass in OpenClaw before 2026.3.22 permits authenticated attackers to execute arbitrary commands by wrapping disallowed executables with /usr/bin/time. The vulnerability exploits incomplete validation in system.run approvals, which fail to detect time wrapper prefixes, allowing reuse of approval state for inner prohibited commands. Remote exploitation requires low-privilege authentication (PR:L) with network access, enabling full system compromise through command injection. No public exploit identified at time of analysis.
Server-Side Request Forgery in Chamilo LMS Social Wall feature enables authenticated attackers to force the server to make arbitrary HTTP requests to internal resources. The read_url_with_open_graph endpoint accepts user-controlled URLs via social_wall_new_msg_main POST parameter without validating internal versus external targets, allowing internal port scanning, access to cloud instance metadata (AWS/GCP/Azure), and reconnaissance of private network services. Affects Chamilo LMS versions before 1.11.38 and 2.0.0-RC.3. Attack requires low-privilege authenticated access; no public exploit identified at time of analysis.
Path traversal in patrickhener goshs SFTP rename operation enables authenticated attackers to write files outside the configured root directory. Versions 1.0.7 through 2.0.0-beta.3 fail to sanitize destination paths in SFTP rename commands, allowing low-privileged users to overwrite arbitrary filesystem locations with network access. High integrity impact with scope change indicates potential host compromise. No public exploit identified at time of analysis.
Cross-tenant authorization bypass in Chartbrew versions prior to 4.9.0 allows authenticated attackers to exfiltrate sensitive project data from other tenants. The vulnerability exists in the template generation endpoint (GET /team/:team_id/template/generate/:project_id), where unawaited promise execution and missing tenant validation enable attackers with valid template-generation permissions in their own team to access chart configurations, database connection details, and query structures from victim teams' projects. No public exploit identified at time of analysis. CVSS 7.7 reflects high confidentiality impact with scope change due to cross-tenant boundary violation.
Signature verification bypass in wolfSSL's ECCSI implementation allows adjacent network attackers to forge cryptographic signatures for any message and identity without authentication. The wc_VerifyEccsiHash function fails to validate that signature scalars r and s fall within the required mathematical range [1, q-1], enabling attackers with knowledge of public constants to craft universally-valid forged signatures. This defeats the cryptographic integrity guarantees of ECCSI-signed data, particularly affecting JWT authentication systems and identity-based cryptographic protocols. No public exploit identified at time of analysis.
ChaCha20-Poly1305 AEAD decryption in wolfSSL's EVP layer bypasses authentication tag verification, allowing unauthenticated adjacent attackers to inject arbitrary ciphertext that is decrypted and returned as plaintext without cryptographic validation. Affects wolfSSL versions prior to 5.9.1. Applications using EVP API for ChaCha20-Poly1305 decryption receive potentially malicious plaintext, enabling man-in-the-middle attacks that compromise confidentiality and integrity of encrypted communications. No public exploit identified at time of analysis, low observed exploitation activity (EPSS <1%).
Remote code execution in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allows authenticated teachers to upload PHP webshells through the exercise sound upload function by spoofing Content-Type headers to audio/mpeg. Uploaded malicious files retain their .php extensions and execute in web-accessible directories with web server privileges (www-data). Attack requires low-privilege teacher account but no user interaction. No public exploit identified at time of analysis.
Unauthenticated attackers can overwrite billing profile data (name, email, phone, address) for any WordPress user with an incomplete manual order in Tutor LMS plugin versions ≤3.9.7. The pay_incomplete_order() function accepts attacker-controlled order_id parameters without identity verification, writing billing fields directly to the order owner's profile. Exploitation is simplified by predictable Tutor nonce exposure on public pages, enabling targeted profile manipulation via crafted POST requests with enumerated order IDs. No public exploit or active exploitation confirmed at time of analysis.
Local file inclusion in Case Themes Case Theme User WordPress plugin (versions prior to 1.0.4) enables unauthenticated remote attackers to include arbitrary local files via PHP require/include statements. Successful exploitation requires high attack complexity and user interaction, but grants full compromise of confidentiality, integrity, and availability. Attackers may read sensitive configuration files, execute malicious code if file upload exists, or escalate to remote code execution through log poisoning techniques. No public exploit identified at time of analysis.
Stack-based buffer overflow in NASM's disasm() function enables unauthenticated denial-of-service when processing malicious assembly input. Attacker-controlled disassembly formatting triggers out-of-bounds write when string length exceeds buffer capacity, causing application crash. Affects NASM assembler version 3.02rc5. Publicly available exploit code exists. CVSS 7.5 (High) reflects network-accessible attack vector requiring no privileges or user interaction, with availability impact only.
Session fixation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 enables unauthenticated remote attackers to hijack user sessions via main/lp/aicc_hacp.php. User-controlled request parameters directly manipulate PHP session IDs before application bootstrap, allowing attackers to force victims into attacker-controlled sessions. Successful exploitation grants high-severity access to confidential data and platform integrity. No public exploit identified at time of analysis.
SSL bundle configuration bypass in VMware Spring Cloud Gateway 4.2.0 allows unaneticated remote attackers to compromise integrity through forced fallback to default SSL settings. When administrators configure custom SSL bundles via spring.ssl.bundle property, the framework silently ignores this configuration and applies insecure defaults instead, enabling man-in-the-middle attacks against intended encrypted communications. Affects Spring Cloud Gateway 4.2.0 with no public exploit identified at time of analysis.
IPv6 address validation bypass in Net::CIDR::Lite for Perl (versions <0.23) allows remote attackers to circumvent IP access control lists without authentication. The _pack_ipv6() function fails to validate that uncompressed IPv6 addresses contain exactly 8 hexadecimal groups, accepting malformed inputs like 'abcd' or '1:2:3' and producing incorrect packed representations. This causes find() and bin_find() methods to incorrectly match addresses against CIDR ranges, enabling ACL bypass. Exploitati
Predictable API key generation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allows unauthenticated remote attackers to brute-force valid REST API keys. The md5-based generation algorithm uses a flawed random seed (rand(10000,10000) always returns 10000), reducing the keyspace to md5(timestamp + user_id*5 - 10000). Attackers with knowledge of target usernames and approximate key creation timestamps can enumerate valid API keys through offline computation, enabling unauthorized access to REST API endpoints and confidential data exposure. No public exploit identified at time of analysis.
BMC Control-M/MFT 9.0.20-9.0.22 exposes API identifiers and secret values to unauthenticated remote attackers via an API management endpoint, enabling unauthorized invocation of privileged API operations. The CVSS vector (AV:N/AC:L/PR:N) confirms network-accessible, low-complexity exploitation requiring no authentication. Despite a 7.5 CVSS score, EPSS probability is minimal (0.03%, 8th percentile), and no public exploit or active exploitation (non-KEV) is identified at time of analysis.
Out-of-memory denial of service in Apache ActiveMQ allows unauthenticated remote attackers to exhaust broker memory via rapid TLSv1.3 KeyUpdate requests. Affects ActiveMQ Client, Broker, and All distributions versions <5.19.4 and 6.0.0-6.2.3 when NIO SSL transports are used. Vulnerability arises from improper handling of TLSv1.3 handshake KeyUpdate messages, enabling clients to trigger unbounded memory allocation in the SSL engine. No public exploit identified at time of analysis. CVSS 7.5 (AV:N/AC:L/PR:N) indicates network-accessible, low-complexity attack requiring no authentication.
Stack-based buffer overflow in Tenda F451 router (version 1.0.0.7) enables authenticated remote attackers to execute arbitrary code via malformed 'page' parameter in fromP2pListFilter function at /goform/P2pListFilter endpoint. Publicly available exploit code exists. Attack requires low-privilege authentication (PR:L) but no user interaction, yielding high confidentiality, integrity, and availability impact on vulnerable device.
Stack-based buffer overflow in Tenda F451 wireless router firmware 1.0.0.7 allows authenticated remote attackers to execute arbitrary code or crash the device via crafted GO parameter to the formWrlExtraSet function in /goform/WrlExtraSet endpoint. The vulnerability permits complete compromise of device confidentiality and integrity. Publicly available exploit code exists. Attack requires low-privilege authenticated access to the web management interface.
Stack-based buffer overflow in Tenda F451 router firmware version 1.0.0.7 allows authenticated remote attackers to execute arbitrary code or cause denial of service via crafted 'page' parameter in the fromSafeEmailFilter function at /goform/SafeEmailFilter endpoint. Publicly available exploit code exists. Attack requires low-privilege authentication but no user interaction, enabling complete compromise of device confidentiality, integrity, and availability.
Authentication bypass in Vikunja task management platform allows unauthenticated attackers to circumvent two-factor authentication when OIDC email-based user matching is enabled. The OIDC callback handler issues complete JWT tokens without validating TOTP enrollment status, enabling full account access to users with configured TOTP protection when matched through OIDC email fallback. Affects versions prior to 2.3.0. No public exploit identified at time of analysis.
Insufficient access control in OpenClaw Gateway agent allows authenticated attackers with operator.write permission to reset admin sessions without operator.admin authorization. By invoking /reset or /new endpoints with explicit sessionKey parameters, attackers bypass privilege requirements and terminate arbitrary administrative sessions, achieving high-impact session hijacking. Affects OpenClaw versions prior to 2026.3.23. No public exploit identified at time of analysis.
Incorrect authorization in OpenClaw pre-2026.3.24 allows authenticated users with operator.write access to browser.request capability to invoke POST /reset-profile endpoint, bypassing privilege restrictions to terminate running browsers, sever Playwright connections, and relocate profile directories to system Trash. Exploitation requires low-privilege authentication (CVSS PR:L) but achieves high integrity and availability impact through unauthorized state mutation and service disruption across intended security boundaries. No public exploit identified at time of analysis.
Remote code execution in Chamilo LMS versions prior to 1.11.38 allows authenticated users (including low-privilege students) to upload and execute arbitrary PHP code through the BigUpload endpoint. Attackers exploit insufficient file extension filtering by uploading .pht files containing malicious code, which Apache servers with default .pht handlers execute as PHP. The vulnerability enables authenticated attackers to achieve full server compromise through unrestricted arbitrary file write capabilities. No public exploit identified at time of analysis.