Remote code execution in Google Agent Development Kit (ADK) versions 1.7.0-1.28.0 and 2.0.0a1 allows unauthenticated remote attackers to execute arbitrary code on ADK server instances via combined code injection and missing authentication flaws. Affects Python OSS deployments, Cloud Run, and GKE environments. CVSS 9.3 critical severity with proof-of-concept code available (CVSS:4.0 E:P). No CISA KEV listing indicates no confirmed widespread exploitation at time of analysis, though the authentication bypass combined with RCE presents extreme risk for exposed instances.
Out-of-bounds heap write in Huawei HarmonyOS WEB module allows unauthenticated remote attackers to execute arbitrary code and exfiltrate sensitive data with no user interaction required. CVSS v4.0 score of 10.0 (Critical) reflects network-based exploitation with low complexity requiring no privileges or user interaction. No public exploit identified at time of analysis. The vulnerability achieves complete compromise of confidentiality, integrity, and availability across both vulnerable and subsequent system scopes.
Path traversal in UniFi Play PowerAmp (≤1.0.35) and Audio Port (≤1.0.24) firmware allows unauthenticated remote attackers to write arbitrary files for remote code execution. CVSS 9.8 critical severity reflects network-accessible attack requiring no authentication or user interaction. EPSS score of 0.11% (30th percentile) suggests low immediate exploitation probability despite critical rating. No public exploit identified at time of analysis. Reported via HackerOne bug bounty, vendor patches avai
Critical command injection in Ubiquiti UniFi Play PowerAmp and Audio Port allows remote unauthenticated attackers to execute arbitrary commands with network access to the device management interface. Affects PowerAmp versions ≤1.0.35 and Audio Port versions ≤1.0.24. CVSS 9.8 critical severity reflects network-accessible attack with no authentication barriers. EPSS score of 0.08% (24th percentile) suggests low immediate exploitation probability despite critical scoring. Vendor-released patches av
Server-side request forgery in the Foxit PDF Services API (cloud offering) lets a remote attacker supply a crafted URL that the backend fetches, coercing the server into making requests to attacker-chosen internal or external destinations. Because the service processes documents and URLs on behalf of clients, this can be abused to reach cloud metadata endpoints, internal-only services, and network zones normally shielded from the public internet, potentially disclosing credentials or sensitive data. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 8th percentile), consistent with CISA SSVC scoring exploitation as 'none'.
Missing login rate-limiting in HCL DevOps Velocity (all versions before 5.1.7) lets remote attackers submit unlimited authentication attempts past the intended failed-login threshold, enabling automated brute-force and credential-stuffing against user accounts. Reported by HCL and fixed in 5.1.7, with no public exploit identified at time of analysis; EPSS is very low (0.02%) and CISA SSVC records exploitation as none and technical impact as only partial, contrasting sharply with the vendor's 9.8 CVSS.
Use-after-free or race condition in Linux kernel netfilter connection tracking can lead to remote code execution, privilege escalation, or memory corruption. The vulnerability affects the nf_conntrack_expect module where unsafe access to helper names occurs without holding a reference to the master conntrack structure. Despite a critical CVSS score of 9.8 (network-accessible, no authentication required), EPSS exploitation probability is very low (0.02%, 7th percentile), and no active exploitation or public POC has been identified. Vendor patches are available for kernel versions 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0.
Totara LMS versions up to 19.1.5 allow unauthenticated remote attackers to conduct email bombing attacks by abusing the forgot password API endpoint, which lacks rate limiting on target email addresses. With a CVSS score of 9.8, the vulnerability enables complete compromise of confidentiality, integrity, and availability. Despite the critical score, EPSS estimates only 0.02% exploitation probability (5th percentile), and no active exploitation is confirmed (not in CISA KEV). A public proof-of-concept exists on GitHub, demonstrating the abuse technique.
Brute-force authentication bypass in Totara LMS versions 19.1.5 and earlier allows unauthenticated remote attackers to compromise user accounts via credential stuffing. The vulnerability chains login page manipulation with missing rate-limiting controls, enabling automated password guessing attacks. With CVSS 9.8 (critical) severity but only 0.02% EPSS probability (5th percentile), this represents a high-severity design flaw with currently low observed exploitation activity. A proof-of-concept exploit exists on GitHub (saykino/CVE-2026-31282), lowering the barrier for attack automation, though no confirmed active exploitation (CISA KEV) has been reported.
An issue in the <code>pickle</code> protocol of Pyro v3.x allows attackers to execute arbitrary code via supplying a crafted pickled string message.
Remote unauthenticated attackers can enable SSH and gain complete system control on Ubiquiti UniFi Play PowerAmp (≤1.0.35) and UniFi Play Audio Port (≤1.0.24) devices via improper access control. The vulnerability bypasses authentication mechanisms, allowing network-accessible adversaries to modify system configurations with critical impact across confidentiality, integrity, and availability (CVSS 9.8). No public exploit identified at time of analysis, with low EPSS probability (0.01%, 3rd percentile) suggesting limited observed exploitation attempts despite the critical severity rating.
Remote code execution in Pachno 1.0.6 allows unauthenticated attackers to achieve arbitrary code execution by exploiting unsafe deserialization of PHP objects. Attackers write malicious serialized payloads to world-writable cache files with predictable names, which are automatically unserialized during framework bootstrap before authentication occurs. EPSS indicates 0.14% probability of exploitation (33rd percentile), no active exploitation confirmed per CISA KEV, and SSVC classifies this as automatable with total technical impact.
Stored code execution in Decidim's user name field allows authenticated attackers with low privileges to inject malicious code that executes in victims' browsers when they view comment pages, enabling account takeover and data theft across trust boundaries. The vulnerability affects the decidim-core RubyGem component. Patches are available in versions 0.30.5 and 0.31.1. No public exploit identified at time of analysis, though the attack vector is relatively straightforward for authenticated users.
XML External Entity (XXE) injection in Pachno 1.0.6's TextParser helper allows remote unauthenticated attackers to read arbitrary files from the server. The vulnerability is triggered through malicious XML entities embedded in wiki table syntax and inline tags within issue descriptions, comments, or wiki articles, exploiting unsafe simplexml_load_string() calls without LIBXML_NONET protections. With CVSS 9.3 and EPSS 0.04% (14th percentile), this represents a high-severity but low-probability threat. No active exploitation (CISA KEV) or public exploit code has been identified at time of analysis.
CPython decompression modules (lzma, bz2, gzip) allow memory corruption via use-after-free when decompressor instances are reused after MemoryError exceptions under memory pressure. Affects all CPython versions before 3.15.0. Exploitation requires network-accessible Python service that decompresses attacker-controlled data, operates under memory constraints, and reuses decompressor objects across multiple operations-a narrow but realistic scenario in containerized environments or resource-limited systems. No active exploitation confirmed (EPSS 0.05%, not in CISA KEV). Patch available via CPython 3.15.0.
Weak session ID generation in Solstice::Session for Perl (all versions through 1440) enables session prediction and hijacking attacks by unauthenticated remote attackers. The vulnerability stems from cryptographically weak entropy sources (MD5 with predictable epoch time, stringified hash references, 16-bit rand() seeding, and limited process IDs), allowing attackers to forge valid session tokens and impersonate legitimate users. EPSS score of 0.02% (4th percentile) indicates low observed exploi