Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary operating system commands via the admpass parameter in the setPasswordCfg function of /cgi-bin/cstecgi.cgi. Public exploit code exists (CVSS 8.9, EPSS 0.89% / 76th percentile, SSVC: POC/automatable/total impact). Not listed in CISA KEV; real-world exploitation status unconfirmed beyond POC publication.
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the Comment parameter in the setIpQosRules function exposed through /cgi-bin/cstecgi.cgi. CVSS 8.9 (Critical) with network attack vector, low complexity, and no privileges required. Publicly available exploit code exists (GitHub POC published), significantly lowering the exploitation barrier for opportunistic attackers targeting vulnerable devices.
OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute arbitrary system commands via the pppoeServiceName parameter in the setWanCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (GitHub POC), enabling trivial remote compromise with high impact on confidentiality, integrity, and availability. CVSS 8.9 (Critical) with network attack vector, low complexity, and no authentication required. SOHO router vulnerabilities like this are commonly targeted for botnet recruitment and lateral network movement.
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands with router privileges via crafted wizard parameters to the setWizardCfg CGI function. Publicly available exploit code exists (GitHub POC), significantly lowering the barrier to exploitation. The CVSS 4.0 score of 8.9 reflects network-accessible attack vector with no authentication or user interaction required, enabling full compromise of router confidentiality, integrity, and availability.
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via crafted FileName parameter to the UploadFirmwareFile function in /cgi-bin/cstecgi.cgi. CVSS 9.8 (Critical) with network attack vector, no privileges required, and complete system compromise possible. Publicly available exploit code exists (GitHub POC). No vendor-released patch identified at time of analysis. EPSS data not provided, but combination of critical CVSS, unauthenticated remote vector, and public exploit indicates high real-world exploitation risk.
OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the FileName parameter in UploadOpenVpnCert function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (POC on GitHub), enabling trivial exploitation with no authentication required. CVSS 9.8 (Critical) reflects network-based attack vector with low complexity and no privileges needed. No vendor-released patch identified at time of analysis.
OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands with router privileges via a crafted MAC address parameter to the setAccessDeviceCfg function in /cgi-bin/cstecgi.cgi. CVSS 9.8 (Critical) with publicly available exploit code on GitHub. No authentication, low complexity, network-exploitable. EPSS and KEV data not available, but public POC significantly lowers exploitation barrier for opportunistic attacks against internet-exposed router management interfaces.
Unbounded GZIP decompression in Pillow's FITS image parser enables remote denial-of-service via crafted image files. Pillow versions 10.3.0 through 12.1.x process FITS images without limiting decompression output, allowing attackers to trigger out-of-memory crashes or severe performance degradation through maliciously compressed images. Vendor-released patch available in Pillow 12.2.0. No active exploitation confirmed (not in CISA KEV), but the attack vector is trivial for any application accept
SQL injection in Product Filter for WooCommerce by WBW plugin versions below 3.1.3 allows unauthenticated remote attackers to extract sensitive database contents including user credentials, customer data, and order information. The vulnerability requires no authentication (CVSS PR:N) and has low attack complexity with publicly available exploit code. EPSS data not available, but the combination of unauthenticated access, public POC, and WordPress's large attack surface creates substantial real-world risk for unpatched WooCommerce installations.
Remote code execution in LibreNMS network monitoring platform (versions prior to 26.3.0) allows authenticated administrators to execute arbitrary commands on the underlying web server by manipulating Binary Locations configuration settings combined with the Netcommand feature. This authenticated attack requires administrative privileges but has publicly available exploit code, enabling straightforward weaponization. CVSS 8.5 severity reflects high confidentiality and integrity impact with network-based attack vector and low complexity.
Stack-based buffer overflow in Totolink A3002MU router firmware B20211125.1046 allows authenticated remote attackers to execute arbitrary code via crafted 'wan-url' parameter in /boafrm/formWlanSetup endpoint. Publicly available exploit code exists (PoC on GitHub). EPSS score of 0.08% (23rd percentile) indicates low observed exploitation probability despite public exploit, likely due to authentication requirement (PR:L) and narrow attack surface of legacy consumer router product.
Stack-based buffer overflow in TOTOLINK A7000R router (firmware ≤9.1.0u.6115) allows authenticated remote attackers to achieve complete system compromise via the setWiFiEasyGuestCfg CGI function. The vulnerability exists in /cgi-bin/cstecgi.cgi where unsanitized input to the ssid5g parameter triggers memory corruption, enabling arbitrary code execution with device privileges. Publicly available exploit code exists, significantly lowering the barrier to exploitation for authenticated attackers on the network.
Buffer overflow in Totolink A800R router firmware 4.1.2cu.5137_B20200730 allows authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability resides in the setAppEasyWizardConfig function within /lib/cste_modules/app.so, triggered by malicious input to the apcliSsid parameter. Public exploit code is available on GitHub (CVSS 7.4, CVSS:4.0). Authentication is required (PR:L), but attack complexity is low (AC:L)
Stack-based buffer overflow in Tenda F456 1.0.0.5 router's formwebtypelibrary function allows authenticated remote attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The vulnerability resides in /goform/webtypelibrary endpoint via manipulation of the 'menufacturer' or 'Go' parameters. Public exploit code exists on GitHub (EPSS 0.05%, 14th percentile), indicating low likelihood of mass exploitation but confirmed weaponization capability. No vendor patch identified at time of analysis.
Stack-based buffer overflow in Tenda F456 router firmware 1.0.0.5 allows authenticated remote attackers to achieve complete device compromise via crafted input to the 'page' parameter in the fromqossetting QoS configuration handler. Publicly available exploit code exists (GitHub POC), CVSS 7.4 (High), EPSS 0.05% (low exploitation probability). Not actively exploited per CISA KEV. This is a classic IoT router vulnerability affecting the web management interface at /goform/qossetting, requiring valid authentication credentials but enabling full device takeover once authenticated.
Stack-based buffer overflow in Tenda F456 router firmware v1.0.0.5 allows authenticated remote attackers to achieve code execution with high integrity and availability impact via crafted 'page' parameter to the /goform/NatStaticSetting endpoint's fromNatStaticSetting function. Public exploit code exists (EPSS 0.05%, 14th percentile), indicating low observed exploitation probability despite proof-of-concept availability. No active exploitation confirmed via CISA KEV at time of analysis.
Stack-based buffer overflow in Tenda F456 router firmware version 1.0.0.5 allows authenticated remote attackers to achieve complete system compromise via crafted input to the wireless security settings handler. Public exploit code is available, but EPSS exploitation probability remains very low (0.05%, 14th percentile), and no active exploitation has been reported. The vulnerability requires authenticated access to the router's administrative interface, limiting opportunistic exploitation.
Stack-based buffer overflow in Tenda F456 router firmware 1.0.0.5 allows authenticated remote attackers to execute arbitrary code via the /goform/exeCommand endpoint. The vulnerability has a publicly available proof-of-concept exploit and affects the fromexeCommand function through manipulation of the cmdinput parameter. EPSS probability is low (0.05%, 14th percentile), indicating minimal observed exploitation activity despite POC availability. Not listed in CISA KEV, confirming no widespread active exploitation detected.
Buffer overflow in UTT HiPER 1200GW router versions up to 2.5.3-170306 enables remote authenticated attackers to execute arbitrary code with high privileges via malformed NatBind parameters to the /goform/formNatStaticMap endpoint. Publicly available exploit code exists (GitHub POC published), significantly lowering exploitation barrier. EPSS data not available, but combination of network attack vector, low complexity (CVSS AC:L), and public POC indicates elevated real-world exploitation risk for internet-facing devices with weak credential protection.
Denial-of-service in ABB industrial control system products (AC800M, Symphony Plus SD/MR, S+ Operations) allows attackers on adjacent IEC 61850 networks to crash communication modules via malformed protocol packets. The vulnerability affects critical infrastructure PLCs and SCADA systems widely deployed in power substations and industrial automation. CVSS 7.1 (High) but low EPSS (0.02%) indicates limited attacker interest to date. No public exploit identified at time of analysis, and CISA SSVC a
Remote code execution in Apache Storm before 2.8.6 allows authenticated users with topology submission rights to execute arbitrary code on Nimbus and Worker JVMs via crafted serialized objects in Kerberos TGT credentials. The vulnerability exploits unsafe deserialization in the Nimbus Thrift API (CWE-502) with CVSS 8.8. No active exploitation confirmed (EPSS 0.30%, SSVC exploitation status: none), but the low attack complexity and network attack vector make this a critical patch priority for Storm deployments with authenticated users.
OS command injection in Pandora FMS versions 777 through 800 allows authenticated remote attackers to execute arbitrary system commands via the Network Report functionality. The vulnerability stems from improper input sanitization of special elements used in OS commands. With CVSS 8.7 (HIGH) severity and network-accessible attack vector requiring only low privileges, this poses significant risk to monitoring infrastructure despite no confirmed active exploitation (not in CISA KEV) or public exploit code at time of analysis.
Remote code execution in Apache Airflow 3.1.x allows authenticated DAG Authors to execute arbitrary code in the webserver context through crafted XCom payloads exploiting insecure deserialization (CWE-502). Affects Apache Airflow versions 3.1.8 through <3.2.0. Despite CVSS 8.8, vendor rates severity as Low due to DAG Authors being highly trusted roles. No public exploit identified at time of analysis, with EPSS exploitation probability at 0.07% (21st percentile), indicating minimal real-world risk. Vendor-released patch: Apache Airflow 3.2.0.
Shell command injection in NSA Emissary's Executrix.getCommand() allows authenticated users with place configuration authorship to achieve arbitrary OS command execution when any payload is processed. The framework constructs /bin/sh -c commands by directly substituting IN_FILE_ENDING and OUT_FILE_ENDING configuration values into temporary file paths without escaping or validation, despite implementing input sanitization for similar parameters (placeName). Vendor-released patch available (commit 1faf33f). CVSS 8.8 (high) reflects local attack vector requiring low privileges, but scope change to C indicates container/JVM breakout potential. No CISA KEV listing or public exploit identified at time of analysis, though detailed proof-of-concept exists in advisory including Docker-based reproduction and unit test.
The `/registercrd` endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses `subprocess.Popen()` with `shell=True` parameter to execute shell commands, and the user-supplied `chartName` parameter is directly concatenated into the command string without any sanitization or validation. An attacker can inject arbitrary shell commands by crafting a malicious `chartName` parameter value.
In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page.
OS command injection in Pandora FMS versions 777 through 800 allows authenticated remote attackers to execute arbitrary system commands via the WebServerModuleDebug component. With low attack complexity and no user interaction required, attackers with low-level privileges can achieve high confidentiality and integrity impact on the vulnerable system, plus limited impact on connected systems (CVSS 8.7). No public exploit identified at time of analysis, though the vulnerability has medium remediation effort according to CVSS 4.0 metadata.
Remote code execution in Pachno 1.0.6 allows authenticated users to upload and execute PHP5 scripts via the /uploadfile endpoint due to ineffective extension filtering. The vulnerability bypasses file type restrictions, enabling attackers to place executable code in web-accessible directories. With a low attack complexity (AC:L) and requiring only low-level authentication (PR:L), this is exploitable by any user with basic credentials. EPSS probability is relatively low (0.10%, 27th percentile), and no active exploitation is confirmed via CISA KEV status, though the attack technique is well-understood and documented in public advisories.
Stored cross-site scripting in Note Mark note-taking application allows authenticated users to execute arbitrary JavaScript in victims' browsers by uploading HTML/SVG files as note assets. The vulnerability affects the Go backend's asset delivery mechanism (github.com/enchant97/note-mark), which serves uploaded files inline without setting Content-Type headers or X-Content-Type-Options: nosniff, enabling browser MIME-sniffing attacks. Attackers with low-privilege accounts can create malicious asset URLs that, when opened by victims, execute scripts with full access to authenticated API endpoints, private notes, and user data. CVSS 8.7 (High) reflects the changed scope impact where one user's malicious upload affects other users' security context. Vendor-released patch available in v0.19.2.
SQL injection in Craft Commerce 5.0.0-5.5.4 allows authenticated control panel users to extract arbitrary database contents via ProductQuery::hasVariant and VariantQuery::hasProduct parameters that bypass prior sanitization fixes. Attackers can retrieve security keys to forge admin sessions and escalate privileges. Fixed in version 5.6.0. EPSS 0.03% (8th percentile) indicates low observed exploitation probability; no public exploit identified at time of analysis.
SQL injection in Pandora FMS versions 777 through 800 enables authenticated remote attackers to execute arbitrary SQL commands via specially crafted custom field inputs, potentially exposing sensitive monitoring data, modifying database contents, or compromising the underlying infrastructure management system. The vulnerability requires low-privilege authentication (PR:L) but has high confidentiality and integrity impact across the monitoring platform. No public exploit code or active exploitation confirmed at time of analysis, though the straightforward attack complexity (AC:L) and network accessibility (AV:N) elevate real-world risk for internet-exposed Pandora FMS instances.
SQL injection in Pandora FMS module search functionality allows authenticated attackers to extract, modify, or delete database contents across versions 777 through 800. Attackers with low-level privileges can execute arbitrary SQL commands through improperly sanitized search parameters, leading to high confidentiality and integrity impact. No confirmed active exploitation (CISA KEV) at time of analysis, though the straightforward attack vector (network-accessible, low complexity, authenticated) and limited scope suggest moderate real-world risk for exposed instances.
Remote code execution in Pandora FMS versions 777 through 800 enables authenticated administrators to upload malicious files and execute arbitrary code on the server. The vulnerability stems from inadequate file type validation during upload operations, allowing attackers with high-privilege credentials to bypass security controls. With a CVSS 4.0 score of 8.6 and attack complexity rated as low, this represents a significant risk for organizations using affected versions, though exploitation requires prior administrative access to the monitoring platform.
Unauthorized access to configuration endpoints in Pandora FMS versions 777 through 800 exposes sensitive system information to low-privileged authenticated users. The missing authorization control (CWE-276) allows privilege escalation where authenticated users can access configuration data they should not have permissions to view, potentially revealing credentials, internal architecture details, and security settings. With CVSS 8.4 (High) and low attack complexity, this vulnerability poses significant risk in multi-tenant or role-separated Pandora FMS deployments. No public exploit identified at time of analysis, though the straightforward attack vector (network-accessible, low complexity, requires only basic authentication) makes exploitation highly feasible.
Stack-based buffer overflow in Dynabook Bluetooth ACPI drivers (tosrfec.sys, drfec.sys) allows local administrators to execute arbitrary code by manipulating specific registry values. This CVSS 8.4 vulnerability requires high privileges (administrative access) but enables complete system compromise with low attack complexity. No public exploit identified at time of analysis, though the attack surface is limited to users who already possess elevated credentials.
Heap use-after-free in Nitro PDF Pro 14.41.1.4 for Windows allows local code execution via malicious PDF containing crafted JavaScript calling this.mailDoc(). The vulnerability stems from premature deallocation of an XID object whose freed pointer is passed to wcscmp() and other functions, where attacker-controlled strings in the freed heap region can manipulate program flow. CVSS 8.4 (AV:L/PR:N) indicates local attack vector requiring no privileges or user interaction. EPSS 0.01% suggests low immediate exploitation probability; no public exploit identified at time of analysis.
LDAP injection in maddy mail server versions before 0.9.3 allows remote unauthenticated attackers to extract sensitive directory attributes and spoof user identities. The auth.ldap module fails to escape user-supplied usernames before interpolating them into LDAP search filters and DN strings, despite having the ldap.EscapeFilter() function available. Attackers can exploit this via SMTP AUTH PLAIN or IMAP LOGIN interfaces to perform boolean-based blind injection attacks that extract password hashes, email addresses, group memberships, and other LDAP attributes character-by-character. While CVSS rates this 8.2 (High) for network-accessible unauthenticated exploitation with high confidentiality impact, no active exploitation (KEV) or weaponized POC has been identified at time of analysis. EPSS data not available for this recent CVE.
Heap buffer overflow in jq command-line JSON processor (all versions through 1.8.1) allows remote unauthenticated attackers to crash processes or potentially achieve code execution via crafted queries producing strings exceeding 2^31 bytes. Integer overflow in jvp_string_append() and jvp_string_copy_replace_bad() functions causes undersized buffer allocation followed by heap corruption. Publicly available exploit code exists (SSVC: POC). EPSS score of 0.04% (12th percentile) suggests low observe
Command injection in simple-git npm package versions ≤3.28.0 enables arbitrary code execution via crafted Git options. Attackers who control Git command options can bypass the allowUnsafePack safety restriction using malformed variations of the -u flag (e.g., -vu, -4u, --u) to execute shell commands on Linux systems. This vulnerability stems from an incomplete fix for CVE-2022-25860, with proof-of-concept code publicly available demonstrating file creation via touch command. EPSS data not provid
Integer overflow in Samsung Escargot JavaScript engine allows remote attackers to trigger buffer overflows without authentication via network-delivered crafted JavaScript code. Affects commit 97e8115ab and prior versions. No public exploit identified at time of analysis, though upstream fix available (PR/commit); released patched version not independently confirmed. With CVSS 8.1 (High) and network attack vector requiring high complexity, this represents significant risk for devices and applications embedding the Escargot engine, particularly Samsung smart TV and appliance platforms.
HTML Injection in Totara LMS through version 19.1.5 allows authenticated users with low privileges to inject malicious HTML/JavaScript into messages sent to all application users, enabling session hijacking and arbitrary command execution in victims' browsers. A publicly available exploit exists (GitHub POC referenced), though no confirmed active exploitation (not in CISA KEV). EPSS score of 0.02% indicates very low observed exploitation probability despite the CVSS 8.0 rating, suggesting limited attacker interest or opportunity in real-world environments.
Arbitrary code execution in Keras 3.13.0 occurs because the TFSMLayer class unconditionally loads attacker-supplied TensorFlow SavedModels while deserializing a .keras model, even with safe_mode=True engaged. Any user who loads a malicious model triggers attacker-controlled code at inference time under their own privileges, defeating the protection safe_mode is supposed to provide. The flaw (CWE-502) has publicly available exploit code via huntr but is not in CISA KEV; EPSS is very low at 0.06% (19th percentile), consistent with the local, user-interaction-dependent attack path.
Use-after-free in Linux kernel bonding driver allows local authenticated attackers with low privileges to trigger memory corruption via race condition during concurrent slave device operations. The vulnerability (CVSS 7.8, EPSS 0.02%) affects the bond_xmit_broadcast() function where concurrent slave enslave/release operations can mutate the slave list during RCU-protected iteration, causing the original skb to be double-consumed and double-freed. Vendor patches are available for kernel versions 6.18.22, 6.19.12, and 7.0. No public exploit or active exploitation confirmed at time of analysis.
Remote code execution via SQL injection in Craft Commerce 4.x (4.0.0-4.10.2) and 5.x (5.0.0-5.5.4) allows authenticated control panel users to write PHP webshells through a four-step exploitation chain. Attack exploits unsanitized TotalRevenue widget settings interpolated into SQL, PDO multi-statement support, and unsafe PHP deserialization in yii2-queue to instantiate a GuzzleHttp FileCookieJar gadget chain. Complete exploitation requires only three HTTP requests and low-privileged authenticati
Permission bypass in Huawei HarmonyOS and EMUI LBS (Location-Based Services) module enables highly-privileged local attackers with user interaction to achieve full compromise across security contexts (confidentiality, integrity, availability impact). CVSS 7.7 HIGH severity. No public exploit identified at time of analysis. Attack requires local access, high privileges (administrator/root), user interaction, but succeeds with low complexity once prerequisites met. Scope change (S:C) indicates container escape or privilege boundary violation beyond the vulnerable component.
OS command injection in Pandora FMS versions 777 through 800 enables high-privileged remote attackers to execute arbitrary operating system commands through the Event Response execution functionality. While requiring administrative credentials (PR:H), successful exploitation grants extensive system access with high confidentiality and integrity impact. No public exploit identified at time of analysis, though the specific attack vector through Event Response features provides a clear exploitation pathway for authenticated administrators or compromised admin accounts.
Nimiq core-rs-albatross validators prior to version 1.3.0 can be remotely crashed via malformed Tendermint proposals. An unauthenticated network attacker exploits an off-by-one bounds check error (using > instead of >=) to trigger an out-of-bounds index panic before signature verification occurs. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and EPSS 0.04%, this represents a straightforward denial-of-service vector against Proof-of-Stake validators in the Nimiq blockchain network, though no public exploit
Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though Airflow's intentions and security model of Airflow did not suggest different assumptions. The overall security model [1], workload isolation [2], and JWT authentication details [3] are now described in more detail. Users concerned with role isolation and following the Airflow security model of Airflow are advised to upgrade to Airflow 3.2, where several security improvements have been implemented. They should also read and follow the relevant documents to make sure that their deployment is secure enough. It also clarifies that the Deployment Manager is ultimately responsible for securing your Airflow deployment. This had also been communicated via Airflow 3.2.0 Blog announcement [4]. [1] Security Model: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [2] Workload isolation: https://airflow.apache.org/docs/apache-airflow/stable/security/workload.html [3] JWT Token authentication: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [4] Airflow 3.2.0 Blog announcement: https://airflow.apache.org/blog/airflow-3.2.0/ Users are recommended to upgrade to version 3.2.0, which fixes this issue.
Stack exhaustion in ImageMagick's XML tree parser allows remote unauthenticated attackers to trigger denial-of-service conditions by submitting specially crafted XML files with deeply nested structures. Affects all versions below 6.9.13-44 and 7.1.2-19 across multiple platforms including the Magick.NET wrapper. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability, though the network-accessible attack vector (AV:N) and lack of authentication requirements (PR:N) present theoretical risk for internet-facing deployments processing untrusted XML input.
Heap buffer overflow in FFmpeg 8.0.1's av_bprint_finalize() function enables remote denial-of-service attacks through maliciously crafted media files. Exploitation requires no authentication (CVSS AV:N/AC:L/PR:N/UI:N), making this accessible to any network-based attacker who can deliver manipulated input to vulnerable FFmpeg instances. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis. While CVSS rates this 7.5 HIGH due to availability impact, real-world risk is primarily limited to public-facing media processing services.