Remote code execution in Google Agent Development Kit (ADK) versions 1.7.0-1.28.0 and 2.0.0a1 allows unauthenticated remote attackers to execute arbitrary code on ADK server instances via combined code injection and missing authentication flaws. Affects Python OSS deployments, Cloud Run, and GKE environments. CVSS 9.3 critical severity with proof-of-concept code available (CVSS:4.0 E:P). No CISA KEV listing indicates no confirmed widespread exploitation at time of analysis, though the authentication bypass combined with RCE presents extreme risk for exposed instances.
Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary operating system commands via the admpass parameter in the setPasswordCfg function of /cgi-bin/cstecgi.cgi. Public exploit code exists (CVSS 8.9, EPSS 0.89% / 76th percentile, SSVC: POC/automatable/total impact). Not listed in CISA KEV; real-world exploitation status unconfirmed beyond POC publication.
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the Comment parameter in the setIpQosRules function exposed through /cgi-bin/cstecgi.cgi. CVSS 8.9 (Critical) with network attack vector, low complexity, and no privileges required. Publicly available exploit code exists (GitHub POC published), significantly lowering the exploitation barrier for opportunistic attackers targeting vulnerable devices.
OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute arbitrary system commands via the pppoeServiceName parameter in the setWanCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (GitHub POC), enabling trivial remote compromise with high impact on confidentiality, integrity, and availability. CVSS 8.9 (Critical) with network attack vector, low complexity, and no authentication required. SOHO router vulnerabilities like this are commonly targeted for botnet recruitment and lateral network movement.
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands with router privileges via crafted wizard parameters to the setWizardCfg CGI function. Publicly available exploit code exists (GitHub POC), significantly lowering the barrier to exploitation. The CVSS 4.0 score of 8.9 reflects network-accessible attack vector with no authentication or user interaction required, enabling full compromise of router confidentiality, integrity, and availability.
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via crafted FileName parameter to the UploadFirmwareFile function in /cgi-bin/cstecgi.cgi. CVSS 9.8 (Critical) with network attack vector, no privileges required, and complete system compromise possible. Publicly available exploit code exists (GitHub POC). No vendor-released patch identified at time of analysis. EPSS data not provided, but combination of critical CVSS, unauthenticated remote vector, and public exploit indicates high real-world exploitation risk.
OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the FileName parameter in UploadOpenVpnCert function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (POC on GitHub), enabling trivial exploitation with no authentication required. CVSS 9.8 (Critical) reflects network-based attack vector with low complexity and no privileges needed. No vendor-released patch identified at time of analysis.
OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands with router privileges via a crafted MAC address parameter to the setAccessDeviceCfg function in /cgi-bin/cstecgi.cgi. CVSS 9.8 (Critical) with publicly available exploit code on GitHub. No authentication, low complexity, network-exploitable. EPSS and KEV data not available, but public POC significantly lowers exploitation barrier for opportunistic attacks against internet-exposed router management interfaces.
Unbounded GZIP decompression in Pillow's FITS image parser enables remote denial-of-service via crafted image files. Pillow versions 10.3.0 through 12.1.x process FITS images without limiting decompression output, allowing attackers to trigger out-of-memory crashes or severe performance degradation through maliciously compressed images. Vendor-released patch available in Pillow 12.2.0. No active exploitation confirmed (not in CISA KEV), but the attack vector is trivial for any application accept
SQL injection in Product Filter for WooCommerce by WBW plugin versions below 3.1.3 allows unauthenticated remote attackers to extract sensitive database contents including user credentials, customer data, and order information. The vulnerability requires no authentication (CVSS PR:N) and has low attack complexity with publicly available exploit code. EPSS data not available, but the combination of unauthenticated access, public POC, and WordPress's large attack surface creates substantial real-world risk for unpatched WooCommerce installations.
Remote code execution in LibreNMS network monitoring platform (versions prior to 26.3.0) allows authenticated administrators to execute arbitrary commands on the underlying web server by manipulating Binary Locations configuration settings combined with the Netcommand feature. This authenticated attack requires administrative privileges but has publicly available exploit code, enabling straightforward weaponization. CVSS 8.5 severity reflects high confidentiality and integrity impact with network-based attack vector and low complexity.
Stack-based buffer overflow in Totolink A3002MU router firmware B20211125.1046 allows authenticated remote attackers to execute arbitrary code via crafted 'wan-url' parameter in /boafrm/formWlanSetup endpoint. Publicly available exploit code exists (PoC on GitHub). EPSS score of 0.08% (23rd percentile) indicates low observed exploitation probability despite public exploit, likely due to authentication requirement (PR:L) and narrow attack surface of legacy consumer router product.
Stack-based buffer overflow in TOTOLINK A7000R router (firmware ≤9.1.0u.6115) allows authenticated remote attackers to achieve complete system compromise via the setWiFiEasyGuestCfg CGI function. The vulnerability exists in /cgi-bin/cstecgi.cgi where unsanitized input to the ssid5g parameter triggers memory corruption, enabling arbitrary code execution with device privileges. Publicly available exploit code exists, significantly lowering the barrier to exploitation for authenticated attackers on the network.
Buffer overflow in Totolink A800R router firmware 4.1.2cu.5137_B20200730 allows authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability resides in the setAppEasyWizardConfig function within /lib/cste_modules/app.so, triggered by malicious input to the apcliSsid parameter. Public exploit code is available on GitHub (CVSS 7.4, CVSS:4.0). Authentication is required (PR:L), but attack complexity is low (AC:L)
Stack-based buffer overflow in Tenda F456 1.0.0.5 router's formwebtypelibrary function allows authenticated remote attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The vulnerability resides in /goform/webtypelibrary endpoint via manipulation of the 'menufacturer' or 'Go' parameters. Public exploit code exists on GitHub (EPSS 0.05%, 14th percentile), indicating low likelihood of mass exploitation but confirmed weaponization capability. No vendor patch identified at time of analysis.
Stack-based buffer overflow in Tenda F456 router firmware 1.0.0.5 allows authenticated remote attackers to achieve complete device compromise via crafted input to the 'page' parameter in the fromqossetting QoS configuration handler. Publicly available exploit code exists (GitHub POC), CVSS 7.4 (High), EPSS 0.05% (low exploitation probability). Not actively exploited per CISA KEV. This is a classic IoT router vulnerability affecting the web management interface at /goform/qossetting, requiring valid authentication credentials but enabling full device takeover once authenticated.
Stack-based buffer overflow in Tenda F456 router firmware v1.0.0.5 allows authenticated remote attackers to achieve code execution with high integrity and availability impact via crafted 'page' parameter to the /goform/NatStaticSetting endpoint's fromNatStaticSetting function. Public exploit code exists (EPSS 0.05%, 14th percentile), indicating low observed exploitation probability despite proof-of-concept availability. No active exploitation confirmed via CISA KEV at time of analysis.
Stack-based buffer overflow in Tenda F456 router firmware version 1.0.0.5 allows authenticated remote attackers to achieve complete system compromise via crafted input to the wireless security settings handler. Public exploit code is available, but EPSS exploitation probability remains very low (0.05%, 14th percentile), and no active exploitation has been reported. The vulnerability requires authenticated access to the router's administrative interface, limiting opportunistic exploitation.
Stack-based buffer overflow in Tenda F456 router firmware 1.0.0.5 allows authenticated remote attackers to execute arbitrary code via the /goform/exeCommand endpoint. The vulnerability has a publicly available proof-of-concept exploit and affects the fromexeCommand function through manipulation of the cmdinput parameter. EPSS probability is low (0.05%, 14th percentile), indicating minimal observed exploitation activity despite POC availability. Not listed in CISA KEV, confirming no widespread active exploitation detected.
Buffer overflow in UTT HiPER 1200GW router versions up to 2.5.3-170306 enables remote authenticated attackers to execute arbitrary code with high privileges via malformed NatBind parameters to the /goform/formNatStaticMap endpoint. Publicly available exploit code exists (GitHub POC published), significantly lowering exploitation barrier. EPSS data not available, but combination of network attack vector, low complexity (CVSS AC:L), and public POC indicates elevated real-world exploitation risk for internet-facing devices with weak credential protection.
SQL injection in Form Maker by 10Web WordPress plugin before version 1.15.38 allows unauthenticated remote attackers to read sensitive data via improper SQL query preparation when the MySQL Mapping feature is enabled. The attack requires high complexity to exploit but has high confidentiality impact, affecting all WordPress sites running the vulnerable plugin with this feature active. Public exploit code is available, though EPSS scoring (0.02%) suggests real-world exploitation remains limited despite the presence of proof-of-concept.
The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4. This is due to insufficient validation of user-supplied URLs passed via the 'redirect_to_on_logout' GET parameter before redirecting users. The `redirect_to_on_logout` GET parameter is passed directly to WordPress's `wp_redirect()` function instead of the domain-restricted `wp_safe_redirect()`. While `esc_url_raw()` is applied to sanitize malformed URLs, it does not restrict the redirect destination to the local domain, allowing an attacker to craft a specially formed link that redirects users to potentially malicious external URLs after logout, which could be used to facilitate phishing attacks.
Out-of-bounds heap write in Huawei HarmonyOS WEB module allows unauthenticated remote attackers to execute arbitrary code and exfiltrate sensitive data with no user interaction required. CVSS v4.0 score of 10.0 (Critical) reflects network-based exploitation with low complexity requiring no privileges or user interaction. No public exploit identified at time of analysis. The vulnerability achieves complete compromise of confidentiality, integrity, and availability across both vulnerable and subsequent system scopes.
Remote code execution in Totolink N300RH firmware 6.1c.1353_B20190305 allows unauthenticated network attackers to execute arbitrary OS commands via command injection in the FileName parameter of the setUpgradeUboot function in upgrade.so. Publicly available exploit code exists for this vulnerability, which carries a CVSS 6.9 score reflecting network-accessible attack vector with low complexity and no authentication requirements.
Path traversal in UniFi Play PowerAmp (≤1.0.35) and Audio Port (≤1.0.24) firmware allows unauthenticated remote attackers to write arbitrary files for remote code execution. CVSS 9.8 critical severity reflects network-accessible attack requiring no authentication or user interaction. EPSS score of 0.11% (30th percentile) suggests low immediate exploitation probability despite critical rating. No public exploit identified at time of analysis. Reported via HackerOne bug bounty, vendor patches avai
Critical command injection in Ubiquiti UniFi Play PowerAmp and Audio Port allows remote unauthenticated attackers to execute arbitrary commands with network access to the device management interface. Affects PowerAmp versions ≤1.0.35 and Audio Port versions ≤1.0.24. CVSS 9.8 critical severity reflects network-accessible attack with no authentication barriers. EPSS score of 0.08% (24th percentile) suggests low immediate exploitation probability despite critical scoring. Vendor-released patches av
Server-side request forgery in the Foxit PDF Services API (cloud offering) lets a remote attacker supply a crafted URL that the backend fetches, coercing the server into making requests to attacker-chosen internal or external destinations. Because the service processes documents and URLs on behalf of clients, this can be abused to reach cloud metadata endpoints, internal-only services, and network zones normally shielded from the public internet, potentially disclosing credentials or sensitive data. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 8th percentile), consistent with CISA SSVC scoring exploitation as 'none'.
Missing login rate-limiting in HCL DevOps Velocity (all versions before 5.1.7) lets remote attackers submit unlimited authentication attempts past the intended failed-login threshold, enabling automated brute-force and credential-stuffing against user accounts. Reported by HCL and fixed in 5.1.7, with no public exploit identified at time of analysis; EPSS is very low (0.02%) and CISA SSVC records exploitation as none and technical impact as only partial, contrasting sharply with the vendor's 9.8 CVSS.
Use-after-free or race condition in Linux kernel netfilter connection tracking can lead to remote code execution, privilege escalation, or memory corruption. The vulnerability affects the nf_conntrack_expect module where unsafe access to helper names occurs without holding a reference to the master conntrack structure. Despite a critical CVSS score of 9.8 (network-accessible, no authentication required), EPSS exploitation probability is very low (0.02%, 7th percentile), and no active exploitation or public POC has been identified. Vendor patches are available for kernel versions 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0.
Brute-force authentication bypass in Totara LMS versions 19.1.5 and earlier allows unauthenticated remote attackers to compromise user accounts via credential stuffing. The vulnerability chains login page manipulation with missing rate-limiting controls, enabling automated password guessing attacks. With CVSS 9.8 (critical) severity but only 0.02% EPSS probability (5th percentile), this represents a high-severity design flaw with currently low observed exploitation activity. A proof-of-concept exploit exists on GitHub (saykino/CVE-2026-31282), lowering the barrier for attack automation, though no confirmed active exploitation (CISA KEV) has been reported.
Totara LMS versions up to 19.1.5 allow unauthenticated remote attackers to conduct email bombing attacks by abusing the forgot password API endpoint, which lacks rate limiting on target email addresses. With a CVSS score of 9.8, the vulnerability enables complete compromise of confidentiality, integrity, and availability. Despite the critical score, EPSS estimates only 0.02% exploitation probability (5th percentile), and no active exploitation is confirmed (not in CISA KEV). A public proof-of-concept exists on GitHub, demonstrating the abuse technique.
An issue in the <code>pickle</code> protocol of Pyro v3.x allows attackers to execute arbitrary code via supplying a crafted pickled string message.
Remote unauthenticated attackers can enable SSH and gain complete system control on Ubiquiti UniFi Play PowerAmp (≤1.0.35) and UniFi Play Audio Port (≤1.0.24) devices via improper access control. The vulnerability bypasses authentication mechanisms, allowing network-accessible adversaries to modify system configurations with critical impact across confidentiality, integrity, and availability (CVSS 9.8). No public exploit identified at time of analysis, with low EPSS probability (0.01%, 3rd percentile) suggesting limited observed exploitation attempts despite the critical severity rating.
A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Remote file and directory information exposure in code-projects Simple ChatBox 1.0 allows unauthenticated attackers to disclose sensitive file paths and directory structures via manipulation of the SimpleChatbox_PHP endpoint. The vulnerability affects the chatbox.sql component and has publicly available exploit code; attackers can enumerate filesystem information without authentication or user interaction, creating risk for reconnaissance and secondary attack planning.
A security flaw has been discovered in PHPGurukul Daily Expense Tracking System 1.1. Affected is an unknown function of the file /register.php. The manipulation of the argument email results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Username parameter in /ajax.php?action=login. The vulnerability enables low-complexity attacks requiring no user interaction, with publicly available exploit code (EPSS probability data not provided, not listed in CISA KEV). Attackers can compromise confidentiality, integrity, and availability of the pharmacy inventory database without authentication.
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /ajax.php?action=delete_sales, with publicly available exploit code and evidence of active proof-of-concept publication.
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /ajax.php?action=chk_prod_availability, enabling unauthorized data access and modification. The vulnerability has a publicly available exploit and carries a CVSS score of 6.9 with confirmed proof-of-concept code available on GitHub.
SQL injection in code-projects Simple Content Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /web/index.php and execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. Publicly available exploit code exists and the vulnerability carries a CVSS 6.9 score reflecting moderate confidentiality, integrity, and availability impact across the network-accessible endpoint.
SQL injection in code-projects Simple Content Management System 1.0 allows unauthenticated remote attackers to manipulate the User parameter in /web/admin/login.php, enabling database query manipulation with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, increasing real-world attack likelihood despite the moderate CVSS score of 6.9.
SQL injection in code-projects Faculty Management System 1.0 via the ID parameter in /subject-print.php allows unauthenticated remote attackers to execute arbitrary SQL queries and exfiltrate or modify database contents with low confidentiality and integrity impact. Publicly available exploit code exists, creating immediate operational risk for organizations running this system.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the VEHICLE_ID parameter in /util/UpdateVehicleFunction.php, achieving confidentiality and integrity compromise. Publicly available exploit code exists and the vulnerability carries a CVSS 6.9 score with confirmed exploitability (E:P rating).
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter in /util/Login_check.php, leading to unauthorized data access or modification. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk despite its low-to-moderate CVSS score of 6.9.
SQL injection in Lost and Found Thing Management 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the cata parameter in /addcat.php. The vulnerability has CVSS 6.9 (network-accessible, low complexity) and publicly available exploit code exists, making it a practical attack vector for data exfiltration and manipulation in this PHP-based application.
SQL injection in code-projects Lost and Found Thing Management 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the cat parameter in /catageory.php, enabling data exfiltration and potential database manipulation. The vulnerability has a publicly available exploit and carries a CVSS score of 6.9 with confirmed low impact to confidentiality, integrity, and availability. Active exploitation status has not been confirmed at time of analysis, but the accessible nature of the vulnerability and public exploit availability elevate operational risk.
SQL injection in code-projects Simple ChatBox up to version 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via manipulation of the msg parameter in the /chatbox/insert.php endpoint, leading to confidentiality and integrity compromise. The vulnerability has a CVSS score of 6.9 and publicly available exploit code exists, increasing real-world risk despite the moderate base score.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL queries via the STAFF_ID parameter in /util/StaffDetailsFunction.php, enabling unauthorized database access with limited confidentiality and integrity impact. Public exploit code is available, and the vulnerability has a CVSS score of 6.9 with confirmed exploitability.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to read, modify, or delete database contents via the STAFF_ID parameter in /util/StaffAddingFunction.php. CVSS score of 7.3 (High) reflects network-accessible attack requiring no privileges or user interaction. Publicly available exploit code exists (GitHub POC), significantly lowering exploitation barrier, though no active exploitation confirmed via CISA KEV at time of analysis.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database records via the CUSTOMER_ID parameter in /util/PaymentStatusFunction.php. CVSS 7.3 (High) with low attack complexity and no authentication required. Publicly available exploit code exists (GitHub POC published), significantly lowering the barrier to exploitation. No vendor-released patch identified at time of analysis, creating an urgent risk for exposed deployments.