Server-side request forgery (SSRF) in OpenClaw's assertPublicHostname handler (src/agents/tools/web-fetch.ts) allows remote attackers to craft requests that bypass hostname validation and reach internal or restricted systems. Affected versions up to 2026.1.26 are vulnerable; the attack requires high complexity but publicly available exploit code exists. Vendor-released patch version 2026.1.29 (commit b623557a2ec7e271bda003eb3ac33fbb2e218505) resolves the issue.
Improper authorization in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to bypass access controls in the SysAnnouncementController component, potentially leading to unauthorized data modification and disclosure. The vulnerability has a CVSS score of 6.3 (medium severity) and carries an EPSS severity rating reflecting real-world exploitability; publicly available exploit code exists and the vendor has confirmed the issue with a patch expected in an upcoming release.
Reflected cross-site scripting (XSS) in code-projects Vehicle Showroom Management System 1.0 allows remote attackers to inject malicious scripts via the BRANCH_ID parameter in /BranchManagement/ServiceAndSalesReport.php. The vulnerability requires user interaction (UI:P) but no authentication, with publicly available exploit code disclosed. CVSS 5.3 reflects moderate severity with integrity impact limited to confidentiality of user sessions rather than data modification.
Reflected cross-site scripting (XSS) in code-projects Vehicle Showroom Management System 1.0 allows remote unauthenticated attackers to inject malicious scripts via the BRANCH_ID parameter in /BranchManagement/ProfitAndLossReport.php, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability, and while the CVSS score of 5.3 is moderate, the low integrity impact combined with user interaction requirement limits practical risk, though XSS vulnerabilities remain routinely exploitable in real-world scenarios.
Reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to inject arbitrary JavaScript via the serviceId parameter in /checkcheckout.php, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability, and the low CVSS score of 4.3 reflects the need for user click-through and limited scope (integrity impact only), though the attack vector is network-accessible and requires no special privileges or authentication.
Information disclosure in code-projects Online Library Management System 1.0 allows unauthenticated remote attackers to access sensitive data from SQL database backup files via the /sql/library.sql component, requiring user interaction (clicking a link or similar action). The vulnerability has a publicly available exploit and carries a CVSS score of 4.3 with an exploit proof-of-concept (E:P) rating, making it a low-to-moderate priority issue with confirmed public discoverability but limited real-world attack surface due to interaction requirements.
SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to manipulate the fname parameter in /updatedetailsfromstudent.php to execute arbitrary SQL queries, achieving limited confidentiality and integrity impact. The vulnerability has publicly available exploit code and a CVSS score of 5.3, representing a moderate risk requiring authentication to exploit.
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the toolname parameter in /del1.php, potentially compromising data confidentiality, integrity, and availability. Publicly available exploit code exists, and the vulnerability has been assigned CVSS 6.3 with confirmed exploitability indicators (E:P rating).
SQL injection in CodeAstro Online Classroom allows authenticated remote attackers to execute arbitrary SQL queries via the Q1 parameter in /OnlineClassroom/takeassessment2.php, enabling data exfiltration and modification with CVSS 6.3 severity; publicly available exploit code exists and the vulnerability affects all versions of the product.
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the equipname parameter in /del.php, enabling data exfiltration, modification, and potential denial of service. Publicly available exploit code exists, and the vulnerability carries a CVSS score of 6.3 with confirmed exploitation potential (E:P rating).
SQL injection in code-projects Patient Record Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /edit_hpatient.php, leading to unauthorized data access, modification, and potential denial of service. Publicly available exploit code exists (CVSS 6.3, attack vector network, low complexity, requires valid credentials). This is not confirmed as actively exploited by CISA but poses immediate risk given public POC availability and low exploitation complexity.
SQL injection in code-projects Patient Record Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the hem_id parameter in /hematology_print.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has a CVSS score of 6.3 (medium) with publicly available exploit code, though no CISA KEV confirmation indicates active widespread exploitation at time of analysis.
Stored cross-site scripting (XSS) in code-projects Simple IT Discussion Forum 1.0 allows authenticated remote attackers with administrative privileges to inject malicious scripts via the fname parameter in /admin/user.php, affecting user interactions through reflected XSS. The vulnerability has a CVSS score of 2.4 but carries a public exploit, though the low CVSS reflects the requirement for high-privilege authentication and user interaction to trigger the payload.
TREK collaborative travel planner versions before 2.7.2 serve uploaded user photos without authentication, allowing unauthenticated remote attackers to enumerate and access private photo collections through direct URL access. The vulnerability is restricted to information disclosure with low impact due to attack complexity constraints, though it exposes sensitive travel-related imagery that users expect to be private.
Step CA versions 0.24.0 through 0.30.0-rc2 suffer a denial-of-service vulnerability where an attacker can trigger an index out-of-bounds panic by sending a crafted TPM attestation key certificate with an empty Extended Key Usage extension during device-attest-01 ACME challenges. The vulnerability affects only deployments that have explicitly configured TPM device attestation; organizations using Step CA for standard certificate management are unaffected. While the CVSS score is low (3.7), the attack is unauthenticated and remotely triggerable, potentially causing service disruption in vulnerable configurations.
phpseclib's SSH2 packet authentication uses PHP's non-constant-time != operator to compare HMACs, enabling timing-based information disclosure attacks on SSH sessions. The vulnerability affects phpseclib versions prior to 1.0.28, 2.0.53, and 3.0.51. An unauthenticated remote attacker can exploit variable-time comparison behavior to infer valid HMAC values through precise timing measurements, potentially compromising the confidentiality of SSH communications. No public exploit code or active exploitation has been confirmed, but this is a cryptographic timing vulnerability with proven scalability via benchmarking.
OpenStack Keystone 14 through 29.x allows authenticated users with restricted application credentials to create EC2 credentials that inherit the parent user's full S3 permissions, bypassing role restrictions. This privilege escalation affects only deployments combining restricted application credentials with the EC2/S3 compatibility API (swift3/s3api), and requires valid authentication credentials and moderate attack complexity to exploit.
systemd-journald in systemd 259 allows local attackers to send ANSI escape sequences to terminals of arbitrary users via the logger utility when ForwardToWall=yes is enabled, enabling terminal manipulation and information disclosure attacks with low CVSS impact but realistic local access requirements.
Integer underflow in wolfSSL's ASN.1 certificate parser allows remote attackers to trigger information disclosure and potential memory access violations when processing malformed X.509 certificates with oversized Subject Alternative Name extensions. The vulnerability affects wolfSSL versions up to 5.9.0 but only impacts systems using the non-default original ASN.1 parsing implementation; no public exploit code or active exploitation has been identified at time of analysis.
OpenClaw before version 2026.3.22 allows policy bypass through unvalidated queued node actions, enabling attackers to execute unauthorized commands by exploiting stale allowlists or policy declarations that persist after policy changes. The vulnerability requires network access and high attack complexity but no authentication, resulting in integrity impact without exposing confidentiality or availability. No public exploit code or active exploitation has been confirmed.