Remote code execution in YML for Yandex Market WordPress plugin versions before 5.0.26 allows unauthenticated remote attackers to execute arbitrary code through the feed generation process. The vulnerability has a CVSS score of 6.5 and publicly available exploit code exists. Exploitation requires only network access with no user interaction, making it relatively straightforward to weaponize despite the low EPSS score (0.09%), suggesting limited real-world exploitation activity at the time of analysis.
Unauthenticated attackers can rename arbitrary wishlists on WordPress sites running YITH WooCommerce Wishlist before version 4.13.0 due to insufficient ownership validation in the save_title() AJAX handler. The vulnerability exploits a publicly exposed nonce in the wishlist page source, allowing attackers to modify wishlist names for any user without authentication. While the CVSS score of 6.5 reflects moderate integrity and confidentiality impact, the EPSS score of 0.02% (percentile 6%) and low real-world exploitation probability suggest this is a niche risk affecting only sites using this specific plugin, though publicly available exploit code exists.
Path traversal in Tenda i6 router firmware 1.0.0.7(2204) allows unauthenticated remote attackers to read, write, or delete arbitrary files via malicious HTTP requests to the R7WebsSecurityHandlerfunction component. CVSS 7.3 (High) reflects network-accessible exploitation without authentication. Publicly available exploit code exists, documented in a GitHub repository demonstrating attack vectors. Affects Tenda i6 wireless router deployments running vulnerable firmware version.
Path traversal in zhayujie chatgpt-on-wechat CowAgent up to version 2.0.4 allows unauthenticated remote attackers to read arbitrary files via the filename parameter in the API Memory Content Endpoint (agent/memory/service.py). The vulnerability has a publicly available exploit, carries a moderate CVSS score of 5.3 reflecting limited confidentiality impact, and has been patched by the vendor in version 2.0.5 with patch commit 174ee0cafc9e8e9d97a23c305418251485b8aa89.
SQL injection in code-projects Vehicle Showroom Management System 1.0 via the BRANCH_ID parameter in /util/RegisterCustomerFunction.php allows unauthenticated remote attackers to manipulate database queries with low complexity, affecting data confidentiality and integrity. Publicly available exploit code exists, increasing real-world exploitation risk despite the moderate CVSS 6.9 score.
A vulnerability was determined in code-projects Vehicle Showroom Management System 1.0. This affects an unknown function of the file /util/AddVehicleFunction.php. This manipulation of the argument BRANCH_ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
A vulnerability was found in code-projects Vehicle Showroom Management System 1.0. The impacted element is an unknown function of the file /util/VehicleDetailsFunction.php. The manipulation of the argument VEHICLE_ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.
SQL injection in code-projects Simple IT Discussion Forum 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the Category parameter in /add-category-function.php. Attackers can read, modify, or delete database contents without authentication. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack vector with low complexity and no user interaction required. Impacts confidentiality, integrity, and availability at low levels.
SQL injection in Simple IT Discussion Forum 1.0 by code-projects allows unauthenticated remote attackers to execute arbitrary SQL commands via the cat_id parameter in /delete-category.php, enabling unauthorized data access, modification, or deletion. Publicly available exploit code exists. CVSS 7.3 (High) reflects network-accessible attack surface with low complexity and no authentication requirement, permitting compromise of confidentiality, integrity, and availability.
GeoNode 4.0 before 4.4.5 and 5.0 before 5.0.2 contains a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to probe internal networks, including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by submitting a crafted WMS service URL during form validation. The vulnerability exploits insufficient URL validation without private IP filtering or allowlist enforcement. No public exploit code has been identified at the time of analysis.
Apache Log4j Core 2.21.0 through 2.25.3 allows remote log injection via CRLF sequences in Rfc5424Layout due to undocumented renaming of security-relevant configuration attributes (newLineEscape and useTlsMessageFormat). Attackers can inject malicious log entries or downgrade TLS-framed syslog to unframed TCP, compromising log integrity for stream-based syslog services. SyslogAppender users are not affected. CVSS 6.9 indicates medium-to-high severity; EPSS and exploitation signals not available at time of analysis.
Apache Log4j Core's XmlLayout in versions up to 2.25.3 fails to sanitize XML-forbidden characters, producing malformed XML output when log messages or MDC values contain such characters. The impact varies by StAX implementation: JRE's built-in StAX silently writes invalid XML that conforming parsers reject, potentially causing downstream log-processing systems to drop records; alternative StAX implementations like Woodstox throw exceptions during logging calls, preventing event delivery to the intended appender. No public exploit code or active exploitation has been identified; this is a data integrity and log availability issue rather than a confidentiality or authentication bypass. Patch version 2.25.4 is available from Apache.
Log4j1XmlLayout in Apache Log4j 1-to-Log4j 2 bridge fails to escape XML 1.0-forbidden characters, causing malformed XML output that conforming XML parsers reject with fatal errors. This impacts downstream log processing systems that may drop or fail to index affected log records, affecting organizations using either Log4j1XmlLayout directly in Log4j Core 2 configurations or the deprecated Log4j 1 compatibility layer with XMLLayout. While no active exploitation has been confirmed, the vulnerability has a notable EPSS score and affects information disclosure integrity. Vendor-released patch version 2.25.4 is available.
Remote authentication bypass in Ajenti prior to version 0.112 allows unauthenticated network attackers to circumvent two-factor authentication during a brief post-authentication window with high attack complexity. The vulnerability affects the core authentication mechanism in ajenti.plugin.core and permits attackers to gain high-confidence access to protected resources; the vendor released patched version 0.112 to resolve this issue.
OpenClaw before version 2026.3.25 contains an authentication bypass vulnerability in the raw card send surface that allows unauthenticated remote attackers to send malformed card commands, bypassing DM pairing restrictions and reaching callback handlers without proper authorization. This enables unpaired recipients to mint legacy callback payloads, resulting in integrity compromise of the messaging protocol. No public exploit code or active exploitation has been confirmed, but the low attack complexity and network accessibility make this a practical vulnerability.
Memory exhaustion in pypdf library allows remote attackers to cause denial of service by crafting malicious PDF files with specially crafted XMP metadata that triggers excessive memory consumption during parsing. Affected versions prior to pypdf 6.10.0 are vulnerable; vendor-released patch is available. No active exploitation confirmed, but the attack requires only a crafted PDF file and no special privileges.
OpenClaw before version 2026.3.24 allows unauthenticated remote denial of service via the Feishu webhook handler, which accepts request bodies up to 1MB with a 30-second timeout before verifying the request signature. An attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests, blocking legitimate webhook deliveries and degrading service availability. This is an incomplete remediation of the earlier CVE-2026-32011.
OpenClaw before 2026.3.25 allows remote attackers to bypass Telegram direct message pairing requirements and mutate session state through weaker callback-only authorization mechanisms. An unauthenticated attacker can craft malicious Telegram callback queries in direct messages to modify session state without satisfying the normal DM pairing security controls, resulting in unauthorized state modification with CVSS 5.3 (medium severity).
OpenClaw before version 2026.3.22 suffers from an authorization bypass in its interactive callback dispatch mechanism that permits unauthenticated remote attackers to execute action handlers without sender allowlist validation. The vulnerability exploits a race condition or timing gap where callbacks are processed before security checks complete, enabling unauthorized state modification and availability impact. No public exploit code or active exploitation has been confirmed at time of analysis, but the low attack complexity and lack of authentication requirements make this a practical threat to exposed OpenClaw deployments.
OpenClaw before version 2026.3.22 allows authenticated remote attackers to spoof tool identities through rawInput parameters, bypassing ACP permission resolution and suppressing dangerous-tool prompting via identity hint conflicts between rawInput and metadata. This authentication bypass with high integrity impact affects all versions prior to the fixed release, enabling attackers to circumvent security restrictions intended to prevent execution of dangerous operations.
OpenClaw before version 2026.3.25 allows unauthenticated remote attackers to bypass sender allowlist checks in Microsoft Teams feedback invoke endpoints, enabling unauthorized recording of session feedback. The vulnerability exploits improper authorization logic in feedback processing, granting attackers the ability to trigger feedback recording or reflection operations that should be restricted to authorized senders. No public exploit code has been identified at the time of analysis.
OpenClaw before version 2026.3.25 allows unauthenticated remote attackers to bypass direct message policy controls by sending verification notices to users outside configured allowed peer lists. The vulnerability stems from insufficient access validation checks applied to verification notice transmission, enabling attackers to contact users who have restricted direct messaging policies in place. CVSS score of 5.3 reflects moderate integrity impact with low attack complexity and no authentication requirements.
OpenClaw before version 2026.3.24 permits authenticated local attackers to trigger improper process termination via the !stop chat command, which uses an unpatched killProcessTree function that sends SIGKILL without graceful SIGTERM shutdown. This incomplete fix for CVE-2026-27486 enables attackers to corrupt data, leak resources, and skip security-sensitive cleanup operations, resulting in integrity compromise and denial of service.
Remote code execution affects Axios HTTP client library versions prior to 1.15.0 via gadget chain escalation of prototype pollution vulnerabilities in third-party dependencies. Unauthenticated network attackers can exploit this chaining mechanism to achieve full remote code execution or cloud compromise through AWS IMDSv2 bypass. Critical severity (CVSS 10.0) with scope change indicates containment boundary violation. No public exploit identified at time of analysis.
ClearanceKit for macOS prior to version 5.0.4-beta-1f46165 fails to validate destination paths in dual-path file operations (rename, link, copyfile, exchangedata, clone), allowing authenticated local processes to bypass file-access protection and place or replace files in protected directories. The vulnerability affects all versions before 5.0.4-beta-1f46165 and has been patched; no public exploit code or active exploitation has been identified at the time of analysis.
Improperly restricted file permissions on Rapid7 Insight Agent installer certificate files on Windows systems allow locally authenticated standard users to read the agent's private key (client.key), enabling identity material disclosure and potential lateral movement or agent impersonation. CVSS 6.8 (CVSS:4.0 LOCAL/LOW complexity, PR:L) reflects local authentication requirement; CISA KEV status not confirmed. Rapid7 released patched version 4.1.0.2 addressing this permission misconfiguration.
Local privilege escalation in systemd 259 before 260 allows authenticated local users to gain root-level access via varlink communication to systemd-machined, exploiting improper namespace isolation. The vulnerability requires low privileges, high attack complexity, and user interaction, affecting the systemd init system across Linux distributions. No public exploit code or active exploitation has been confirmed at time of analysis.
Denial of service in Vikunja via algorithmic complexity attack in the addRepeatIntervalToTime function allows authenticated users to exhaust server CPU and database connections by creating repeating tasks with 1-second intervals and dates far in the past (e.g., 1900), triggering billions of loop iterations that hang requests for 60+ seconds and exhaust the default 100-connection pool. CVSS 6.5 with authenticated attack vector; confirmed patched in v2.3.0.
Tandoor Recipes versions prior to 2.6.5 suffer from a denial-of-service vulnerability in the recipe import functionality that allows authenticated users to crash the application server or severely degrade performance by uploading a specially crafted ZIP bomb file. The vulnerability affects recipe management and meal planning features accessible to authenticated users and has been patched in version 2.6.5.
Vikunja prior to version 2.3.0 fails to validate link share permissions against server state during JWT authentication, allowing attackers with revoked or downgraded JWT tokens to maintain the original access level for up to 72 hours. This affects self-hosted task management deployments where link shares are used for collaboration, enabling unauthorized information disclosure and modification of shared projects even after a project owner explicitly revokes or restricts access.
Chamilo LMS versions prior to 2.0.0-RC.3 allow authenticated students and lower-privileged users to enumerate all platform users and extract sensitive personal information (email addresses, phone numbers, role assignments) through an unauthenticated API endpoint (GET /api/users), enabling reconnaissance of administrator accounts and organizational structure. The vulnerability affects any installation with user accounts below administrative level and is fixed in version 2.0.0-RC.3.
Chamilo LMS REST API endpoint get_user_info_from_username fails to authorize requests, exposing personal information (email, names, user ID, active status) to any authenticated user regardless of role prior to version 1.11.38. An attacker with valid login credentials, including a student account, can enumerate and retrieve sensitive user data for any account in the system.
A files or directories accessible to external parties vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access files within the installation directory via a local. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Net::CIDR::Lite before version 0.23 for Perl incorrectly handles RFC 4291 IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) by including an extra sentinel byte during packing, resulting in 18-byte instead of 17-byte representations. This misalignment causes the find() and bin_find() functions to return incorrect matching results during IP address lookup operations, enabling attackers to bypass IP-based access control lists by crafting addresses that fall outside intended CIDR ranges. No active exploitation has been identified, but the low EPSS score (0.02%) masks the authentication bypass tag, suggesting limited real-world triggering conditions despite the 6.5 CVSS score.
Insecure Direct Object Reference in Chamilo LMS REST API stats endpoint allows authenticated low-privilege users to read unauthorized access to any user's learning progress, certificates, and gradebook scores across all courses prior to version 2.0.0-RC.3. The vulnerability requires only valid user credentials (accessible to students with ROLE_USER) and network access, enabling horizontal privilege escalation without administrative intervention or system compromise. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting (XSS) in AddFunc Head & Footer Code plugin for WordPress versions up to 2.3 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via custom post meta fields that execute when administrators preview or view posts. The vulnerability exists because the plugin outputs user-supplied code from `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code` meta values without sanitization or escaping, and fails to restrict meta key access via WordPress `register_meta()` authentication callbacks despite restricting its own admin interface. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored Cross-Site Scripting (XSS) in the Webling WordPress plugin versions up to 3.9.0 allows authenticated attackers with Subscriber-level access to inject malicious scripts into forms and memberlists that execute when administrators view the admin interface. The vulnerability stems from insufficient input sanitization and output escaping in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions, combined with missing capability checks. No public exploit code or active exploitation has been reported at time of analysis.
Local root code execution in systemd's udev subsystem before version 260 allows attackers with physical access to craft malicious hardware devices that exploit unsanitized kernel output, achieving privilege escalation from local user context to root. The attack requires physical device insertion but no user interaction; CVSS 6.4 reflects the physical attack vector constraint, though successful exploitation grants complete system compromise. No public exploit code or active exploitation has been confirmed at time of analysis.
Escape-to-host vulnerability in systemd nspawn (versions 233-259) allows local privileged users to break container isolation via a crafted optional config file, enabling arbitrary code execution on the host system. CVSS 6.4 reflects high integrity and confidentiality impact but requires high privilege and difficult attack conditions. No public exploit code or active exploitation has been confirmed at the time of analysis.
Apache Log4cxx XMLLayout before version 1.7.0 fails to sanitize XML-forbidden characters in log messages, NDC (Nested Diagnostic Context), and MDC (Mapped Diagnostic Context) properties, producing malformed XML that conforming parsers reject with fatal errors. Attackers who can influence logged data can exploit this to suppress individual log records, degrading audit trails and impairing detection of malicious activity. The vulnerability affects all versions prior to 1.7.0 across multiple distri
Apache Log4net versions before 3.3.0 fail to sanitize XML 1.0-forbidden characters in MDC property keys and values, as well as identity fields, causing serialization exceptions that silently drop log events when XmlLayout or XmlLayoutSchemaLog4J are in use. An attacker who can influence these fields can suppress individual audit log records, impairing detection of malicious activity. No public exploit code or active exploitation has been confirmed; patch is available from the vendor.
Apache Log4j JsonTemplateLayout versions up to 2.25.3 generate invalid JSON when logging non-finite floating-point values (NaN, Infinity, -Infinity), violating RFC 8259 and causing downstream log processing systems to fail indexing or reject records. An unauthenticated remote attacker can trigger this by controlling floating-point values in MapMessages logged by vulnerable applications, resulting in data loss or processing failures in log aggregation pipelines. Vendor-released patch: version 2.25.4.
Man-in-the-middle attacks are possible in Apache Log4j Core through 2.25.3 when SMTP, Socket, or Syslog appenders use TLS with the verifyHostName attribute configured in the <Ssl> element, because the attribute was silently ignored despite being available since version 2.12.0. This is a regression from an incomplete fix to CVE-2025-68161 that only addressed hostname verification via system property. An attacker with a certificate from a trusted CA can intercept TLS connections. Apache has released patched version 2.25.4 to correct this issue.
OpenClaw before version 2026.3.22 contains an authentication bypass vulnerability in X-Forwarded-For header processing when trustedProxies is configured, allowing unauthenticated remote attackers to spoof loopback client addresses and bypass canvas authentication and rate-limiting protections. The vulnerability exploits improper validation of forwarding headers to masquerade as local loopback connections, with a CVSS score of 6.5 reflecting moderate confidentiality and integrity impact but no direct availability impact.
Temporal's frontend gRPC server fails to enforce authentication and authorization on the StreamWorkflowReplicationMessages endpoint, allowing unauthenticated network attackers to establish replication streams and potentially exfiltrate workflow data when replication targets are configured. The vulnerability affects Temporal versions prior to 1.28.4, 1.29.6, and 1.30.4; Temporal Cloud deployments are unaffected. While exploitation requires knowledge of cluster configuration and correctly configured replication targets, the authentication bypass on a network-accessible service combined with a moderate CVSS score (6.3) reflects the practical risk of unauthorized data access in multi-tenant or sensitive workflow environments.
Heap use-after-free in wolfSSL's TLS 1.3 post-quantum cryptography hybrid KeyShare processing allows unauthenticated remote attackers to corrupt heap memory and potentially disclose information. The vulnerability occurs when TLSX_KeyShare_ProcessPqcHybridClient() error handling prematurely frees a KyberKey object in src/tls.c, and the caller's subsequent TLSX_KeyShare_FreeAll() invocation writes zero bytes to already-freed memory. CVSS 6.3 reflects low integrity and availability impact; exploitation requires precise network timing (AT:P). No public exploit identified at time of analysis, but the underlying use-after-free pattern is a known attack vector in memory-unsafe code.
SvelteKit versions prior to 2.57.1 are vulnerable to denial of service when the redirect() function is called from the handle server hook with HTTP header-invalid characters in the location parameter. An unauthenticated remote attacker can trigger an unhandled TypeError by supplying unsanitized user input to the redirect location, potentially causing application crashes on certain platforms. The vulnerability is fixed in version 2.57.1.
OpenClaw before version 2026.3.22 allows unauthenticated remote attackers to bypass access control denials by exploiting improper handling of empty allowlists during settings reconciliation, silently restoring previously revoked permissions. The vulnerability treats explicitly empty allowlists as unset rather than as explicit deny-all configurations, enabling attackers to undo intended access revocations without authentication. With a CVSS score of 6.5 and network-accessible attack vector, this represents a moderate-severity logic flaw affecting access control enforcement.
Denial of service in systemd 260 allows local unprivileged users to crash the systemd daemon by triggering an assert via IPC API calls containing arrays or maps with null elements. The vulnerability affects systemd versions 260 through 260, with no public exploit code identified at time of analysis. EPSS score of 6.2 reflects moderate real-world risk due to local-only attack vector and non-privileged requirements.
Reflected cross-site scripting (XSS) in Altenar Sportsbook Software Platform (SB2) v.2.0 allows remote attackers to inject malicious scripts via URL parameters, enabling information disclosure and potential arbitrary code execution when users interact with crafted links. The vulnerability requires user interaction (click a malicious link) but affects all users regardless of authentication status, with EPSS score of 0.06% indicating very low real-world exploitation probability despite the moderate CVSS rating of 6.1. No confirmed active exploitation or public proof-of-concept code availability has been documented.