Remote code execution in openITCOCKPIT Community Edition (versions prior to 5.5.2) allows authenticated users with host management permissions to execute arbitrary OS commands on the monitoring backend via command injection in host address fields. The vulnerability stems from unsanitized user input being expanded into Nagios/Icinga monitoring command templates and executed via shell, enabling full system compromise. CVSS score of 8.8 reflects network-accessible attack with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed CVE.
Integer size truncation in Windows Advanced Rasterization Platform (WARP) enables unauthenticated remote attackers to achieve code execution with elevated privileges across Windows 10, 11, and Server editions by persuading users to interact with malicious content. Microsoft has released security updates addressing this vulnerability across all supported Windows versions. No public exploit identified at time of analysis, though the unauthenticated remote attack vector (CVSS AV:N/PR:N) combined wi
Remote code execution in Microsoft Remote Desktop Client for Windows allows unauthenticated network attackers to execute arbitrary code by delivering a malicious connection file or server response, requiring user interaction. This use-after-free vulnerability (CWE-416) affects Windows 10 (versions 1607-22H2), Windows 11 (22H3-26H1), Windows Server (2012-2025), and standalone Remote Desktop client versions below 2.0.1070.0. With CVSS 8.8 (network-accessible, no authentication required, low comple
OS command injection in Chamilo LMS prior to 2.0.0-RC.3 allows authenticated attackers to execute arbitrary system commands via session poisoning of the course ID parameter. Attackers with low-privilege accounts can manipulate the $_SESSION['_cid'] variable to inject shell metacharacters into shell_exec() calls in the gradebook certificate export functionality, achieving full system compromise. CVSS 8.8 (High) with network attack vector and low complexity. No public exploit identified at time of analysis, though technical details are disclosed in the GitHub advisory. EPSS data not available for this recent CVE.
Authentication bypass in Microsoft PowerShell 7.4 (versions prior to 7.4.14) and 7.5 (versions prior to 7.5.5) allows local attackers to bypass security features through improper input validation. The vulnerability requires user interaction but no authentication (PR:N), enabling attackers to achieve high impact across confidentiality, integrity, and availability. Microsoft has released patches addressing this security feature bypass. EPSS data not available; no confirmed active exploitation (CISA KEV) identified at time of analysis.
Local code execution in Microsoft Office Word via use-after-free memory corruption affects Microsoft 365 Apps for Enterprise and Office LTSC 2024. Unauthenticated attackers can achieve full system compromise (confidentiality, integrity, availability) by inducing users to open specially crafted Word documents, triggering memory reuse vulnerabilities during document parsing. Vendor patch available via Microsoft Security Response Center. No public exploit identified at time of analysis, though CVSS 7.8 indicates high severity when user interaction occurs.
Windows Shell security feature bypass enables unauthenticated remote attackers to defeat protection mechanisms across all supported Windows client and server versions (Windows 10 1607 through Windows 11 26H1, Server 2012 through Server 2025) via network-based attack requiring user interaction. The CVSS 8.8 rating reflects complete compromise potential (high confidentiality, integrity, and availability impact) despite low attack complexity. Microsoft has released patches addressing this authentic
SQL injection in Fortinet FortiDDoS-F 7.2.1-7.2.2 allows authenticated remote attackers to execute unauthorized code or commands with high impact to confidentiality, integrity, and availability. The vulnerability resides in the web management interface and requires low attack complexity with no user interaction. No public exploit identified at time of analysis, with EPSS data not yet available for this recently disclosed CVE.
Local privilege escalation in Azure Monitor Agent versions prior to 1.35.9 enables authenticated users to gain elevated system privileges through improper input validation flaws. The vulnerability requires low attack complexity and no user interaction, allowing low-privileged attackers with local access to achieve complete system compromise (high confidentiality, integrity, and availability impact). EPSS data not available; no public exploit identified at time of analysis; SSVC framework indicates total technical impact but no active exploitation and non-automatable exploitation vector.
Windows Kernel double free vulnerability enables local privilege escalation across Windows 10, 11, and Server editions when exploited by authenticated users with low-level privileges. The CWE-415 flaw affects all currently supported Windows versions from legacy Windows Server 2012 R2 through the latest Windows 11 26H1 and Windows Server 2025 builds. With CVSS 7.8 (AV:L/AC:L/PR:L), the vulnerability requires only local access and low-privilege authentication, making it valuable for second-stage a
Heap-based buffer overflow in the Windows Kernel enables local privilege escalation to SYSTEM on Windows 10 (versions 1607 through 22H2), Windows 11 (versions 22H3 through 26H1), and Windows Server (2012 through 2025). Authenticated local attackers with low privileges can exploit this memory corruption vulnerability to gain complete system control. Microsoft has released patches addressing 21 affected product versions. No public exploit identified at time of analysis, though the local attack vec
Local privilege escalation in the Windows Kernel via double free vulnerability enables low-privileged authenticated users to gain SYSTEM-level access across Windows 11 (versions 22H3 through 26H1) and Windows Server 2022/2025. The vulnerability requires local access and low privileges (PR:L) but presents low attack complexity (AC:L) with no user interaction required. Vendor-released patches are available for all affected versions. No public exploit identified at time of analysis, though the straightforward attack complexity and severe impact make this a priority for patching in enterprise environments.
Use-after-free memory corruption in Microsoft PowerPoint (versions 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise) enables local code execution when users open malicious files. An attacker with no privileges can achieve full system compromise (high confidentiality, integrity, and availability impact) by convincing a user to open a crafted PowerPoint document. Vendor patch available via Microsoft Security Response Center. No public exploit code or confirmed active exploitation (CISA KEV) identified at time of analysis, though CVSS 7.8 rating reflects high severity for local attack scenarios.
Microsoft Excel use-after-free vulnerability (CWE-416) enables arbitrary code execution when a user opens a specially crafted Excel file. Affects Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC 2021/2024 (Windows and Mac), and Office Online Server. CVSS 7.8 (High) requires local access and user interaction but no authentication. No public exploit identified at time of analysis. Microsoft released patches addressing all affected product lines per MSRC update guide.
Use-after-free vulnerability in Microsoft Office Excel enables local code execution when users open maliciously crafted Excel files. Affects all major Office versions including Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC 2021/2024 (Windows and Mac), and Office Online Server. Attack requires no authentication (PR:N) but demands user interaction (opening a weaponized document). CVSS 7.8 (High) reflects significant impact potential (code execution with high confidentiali
Use-after-free memory corruption in Microsoft Excel across Office 2016-2024 and Microsoft 365 enables local code execution when a user opens a malicious spreadsheet. Attackers must craft a weaponized Excel file and trick users into opening it, after which arbitrary code runs with the victim's privileges. No authentication is required, though user interaction is necessary. Exploitation probability remains moderate (CVSS 7.8) with no confirmed active exploitation (no CISA KEV listing) and no publi
Use-after-free memory corruption in Microsoft Office Word enables local code execution with high privileges when victims open malicious documents. Affects Microsoft 365 Apps for Enterprise and Office LTSC 2021/2024 for Windows and Mac (versions below 16.108.26041219 for Mac; click-to-run editions require latest security updates). CVSS 7.8 reflects local attack vector requiring user interaction, but exploitation grants complete system compromise (confidentiality, integrity, availability all rated High). No public exploit identified at time of analysis, though use-after-free vulnerabilities are well-understood exploitation primitives. Vendor-released patch available through Microsoft security updates.
Microsoft Excel memory corruption via use-after-free enables arbitrary code execution when victims open malicious spreadsheet files. This vulnerability affects all major Office deployments including Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, and Office LTSC 2021/2024 for both Windows and macOS, as well as Office Online Server. Attackers require user interaction to open a crafted file, but no authentication is needed (CVSS PR:N), making this exploitable through phishing or file-sharing attacks. Vendor patches are available through Microsoft Security Response Center. No public exploit or active exploitation confirmed at time of analysis, though the straightforward attack vector (local file + user click) and high impact (code execution with full system privileges) warrant prompt patching.
Microsoft Management Console privilege escalation affects all supported Windows versions (10, 11, Server 2012-2025) via improper access control, allowing authenticated local users to gain SYSTEM-level privileges. CVSS 7.8 (High) reflects significant impact with low attack complexity requiring only low-level user credentials. Vendor-released patches available across all affected platforms through Microsoft's May 2025 update cycle. No public exploit identified at time of analysis, though the authe
Local privilege escalation in Windows Push Notifications service affects Windows 10 21H2/22H2, Windows 11 22H3-26H1, and Windows Server 2022/2025 via race condition vulnerability. Authenticated low-privilege attackers can gain SYSTEM-level privileges through improper synchronization during concurrent operations (CWE-362). CVSS 7.8 (High) with high attack complexity (AC:H) and scope change (S:C). No public exploit identified at time of analysis. Microsoft released patches in January 2026 security
Command injection in Composer's Perforce integration allows remote code execution when installing packages from malicious repositories. The vulnerability exists in versions before 2.2.27 and 2.9.6, affecting all users who install dependencies from source (--prefer-source or dev versions) regardless of whether Perforce is installed. Attackers can inject shell commands through crafted source references or connection parameters in package metadata served by compromised Composer repositories. CVSS 8.8 (High) with network attack vector, low complexity, and no authentication required (though user interaction is needed). No confirmed active exploitation (CISA KEV), but publicly available exploit code exists per GitHub advisory disclosure.
Windows Installer privilege escalation via improper permission handling enables authenticated local users to gain SYSTEM-level access across all supported Windows 10, 11, and Server platforms (2012-2025). The vulnerability (CWE-280: Improper Handling of Insufficient Privileges) requires low-privilege local access but offers complete system compromise with low attack complexity. CVSS 7.8 High severity reflects full confidentiality, integrity, and availability impact. Vendor-released patches are a
{id} endpoint to assign themselves ROLE_ADMIN privileges, bypassing intended access controls. The vulnerability stems from inadequate authorization checks that verify only record ownership without restricting modification of security-critical fields. With CVSS 8.8 (High) and low attack complexity requiring only basic authentication, this represents a critical access control failure in educational platforms. No public exploit code or active exploitation (CISA KEV) identified at time of analysis, though the straightforward attack vector makes exploitation trivial for malicious insiders.
Local privilege escalation in Windows Push Notifications service affects Windows 10 (1809-22H2), Windows 11 (22H3-26H1), and Windows Server 2019-2025 via race condition in shared resource synchronization. Low-privileged authenticated users can exploit timing vulnerabilities in notification handling to elevate to SYSTEM-level privileges with high confidentiality, integrity, and availability impact (scope change to other security contexts). CVSS 7.8 (high complexity, local vector). Vendor-released
Privilege escalation in Windows Push Notifications service affects all supported Windows 10, 11, and Server versions through a race condition that allows low-privileged authenticated users to gain SYSTEM-level access. The vulnerability (CWE-362) stems from improper synchronization when multiple threads access shared resources in the notification subsystem. Attack complexity is high (AC:H), requiring precise timing to win the race, but successful exploitation grants complete system compromise wit
Privilege escalation in Windows Push Notifications service across Windows 10, 11, and Server versions (1809 through 26H1) allows low-privileged local attackers to gain SYSTEM-level access via race condition exploitation. The vulnerability stems from improper synchronization when multiple threads access shared resources in the notification framework, enabling scope escape from user context to elevated privileges. Vendor-released patches are available for all affected versions. No public exploit i
Authenticated attackers can reset arbitrary user passwords in Webkul Krayin CRM v2.2.x through a Broken Object-Level Authorization (BOLA) vulnerability in the /Settings/UserController.php endpoint, enabling full account takeover of any user account. The attack requires low-privilege authentication (PR:L) and is exploitable remotely with low complexity (AV:N/AC:L), presenting an 8.8 CVSS severity with high impact to confidentiality, integrity, and availability. EPSS data not available; no CISA KEV listing identified; publicly available exploit code exists per researcher disclosure.
Windows Hello authentication bypass on Server 2016-2025 allows unauthenticated remote attackers to circumvent biometric/PIN security mechanisms over a network despite high attack complexity. CVSS 8.7 (Critical) with scope change indicates potential lateral movement from compromised Hello authentication into broader Windows security context. Vendor-released patches available for all affected versions (builds 10.0.14393.9060, 10.0.17763.8644, 10.0.20348.5020, 10.0.25398.2274, 10.0.26100.32690). No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis, though VulDB tracking suggests security community awareness.
Unauthenticated attackers with network access to the free5GC UDR service's 5G Service Based Interface can create or overwrite Traffic Influence Subscriptions due to missing return statement after path validation. The vulnerability affects free5GC UDR versions prior to the patch (commit in GHSA-jgq2-qv8v-5cmj), allowing arbitrary subscription injection with attacker-controlled notification URIs and SUPI values while receiving misleading 404 responses. Public exploit code exists in the form of a d
Unauthenticated information disclosure in free5GC UDR service allows remote attackers to retrieve sensitive Traffic Influence Subscription data through improper path validation. Due to a missing return statement after sending HTTP 404 responses, attackers can read subscription records containing subscriber IMSIs, network slice identifiers, and callback URIs without authentication by supplying arbitrary path values. EPSS score of 0.06% suggests low widespread exploitation probability, though the vulnerability requires only network access to the 5G Service Based Interface with no authentication or user interaction (CVSS:4.0 AV:N/AC:L/PR:N/UI:N). Publicly available exploit code exists in the original disclosure.
Unauthenticated deletion of Traffic Influence Subscriptions in free5GC UDR service (GitHub package free5gc/udr) allows remote attackers to disrupt 5G policy notification workflows by exploiting a missing return statement after path validation. The vulnerability affects any free5GC deployment where the 5G Service Based Interface (SBI) is network-accessible to untrusted parties. Public exploit code exists demonstrating deletion via crafted DELETE requests to invalid API paths. EPSS score of 0.06% (19th percentile) suggests low widespread exploitation probability, though the attack requires only network access and no authentication (AV:N/PR:N), making it trivially exploitable in misconfigured deployments.
SINEC NMS versions prior to V4.0 SP3 allow authenticated remote attackers to reset any user account password due to improper authorization validation (CWE-639). An attacker with low-privilege credentials can escalate to administrative access by resetting privileged user passwords, enabling complete system compromise with high impact to confidentiality, integrity, and availability (CVSS 8.8). No public exploit code identified at time of analysis, though the network attack vector (AV:N) and low complexity (AC:L) increase exploitation feasibility for authenticated attackers.
Authenticated SFTP users in goshs (a Go-based HTTP/SFTP file server) can read and write files outside the configured SFTP root directory via a path validation bypass. The vulnerability affects the SFTP subsystem in goshs beta.4 and earlier v2.x versions, exploiting a flawed string-prefix check that treats sibling directories (e.g., /tmp/goshsroot_evil) as valid when the configured root is /tmp/goshsroot. Public exploit code exists with video demonstrations showing complete jail escape, allowing authenticated attackers to list directories, download sensitive files, create arbitrary directories, and upload malicious content outside the intended boundary. Fix released in goshs v2.0.0 per vendor advisory GHSA-5h6h-7rc9-3824.
Cross-site scripting (XSS) in Adobe Connect versions 12.10 and earlier, including the 2025.3 release line, enables privilege escalation when low-privileged authenticated users trick victims into visiting malicious URLs. The changed scope (CVSS S:C) indicates the vulnerability can affect resources beyond the vulnerable application's security context. EPSS data not available; no evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis. Requires user interaction (UI:R) but has low attack complexity (AC:L) and network-based attack vector (AV:N), making social engineering campaigns feasible.
Privilege escalation in Siemens RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) versions prior to V5.8 allows authenticated User Administrators to escalate their own privileges through improper group administration controls. Authenticated attackers with low-privilege User Administrator credentials can exploit flawed group membership logic to grant themselves unrestricted access to any device group at any access level, achieving full administrative control over critical industrial infrastructure. CVSS 8.8 (High) reflects network-accessible attack vector with low complexity and no user interaction required. No public exploit identified at time of analysis, though the attack path is straightforward for authenticated insiders.
Path traversal in Adobe ColdFusion 2023.18, 2025.6 and earlier enables unauthenticated remote attackers to read arbitrary files from the server file system without user interaction. The vulnerability carries a CVSS score of 8.6 (High) due to network accessibility, low complexity, and scope change, allowing access to sensitive files and directories beyond intended boundaries. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the lack of authentication requirements and low attack complexity suggest elevated risk for publicly accessible ColdFusion instances.
Prototype pollution in Adobe Acrobat Reader allows arbitrary code execution when victims open malicious PDF files. Affects Acrobat Reader versions through 26.001.21411, 24.001.30360, and 24.001.30362. Attack requires local file access with user interaction (CVSS AV:L/UI:R) but achieves scope change and full CIA impact (S:C/C:H/I:H/A:H), yielding CVSS 8.6. No public exploit identified at time of analysis. Vendor advisory available from Adobe (APSB26-44). EPSS data not provided; exploitation status limited to user-interaction-dependent local attack vector.
Unauthenticated Server-Side Request Forgery (SSRF) in Chamilo LMS versions prior to 2.0.0-RC.3 allows remote attackers to access internal network services and cloud metadata endpoints via unfiltered package-url parameter in the PENS plugin. Attackers can steal AWS IAM credentials from 169.254.169.254, probe internal infrastructure, and trigger state-changing operations on internal services without requiring authentication. CVSS 8.6 (High) with Changed Scope reflects the ability to pivot from the LMS to other internal systems. No public exploit identified at time of analysis, though the attack vector is straightforward requiring only HTTP requests to the exposed endpoint.
Jellyfin media server versions before 10.11.7 allow authenticated users to escalate privileges to administrator through a chained exploit involving M3U tuner SSRF, local file read, and database exfiltration. Any authenticated user can exploit this because the EnableLiveTvManagement permission defaults to enabled. The attack chain enables reading the Jellyfin database to extract admin session tokens, achieving full administrative control. CVSS 8.6 (High) reflects network-accessible attack requiring only low-privilege authentication. No active exploitation (CISA KEV) confirmed, but public disclosure via GitHub Security Advisory indicates exploit details are known.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier via DLL hijacking/search path manipulation allows local attackers to run malicious code in user context without interaction. CVSS 8.6 severity stems from changed scope and high confidentiality/integrity/availability impact despite local attack vector. No public exploit identified at time of analysis. EPSS data not available for this recent CVE. Vendor patch released per Adobe Security Bulletin APSB26-36.
Denial of service via stack buffer overflow in .NET (versions 8.0, 9.0, 10.0) and Visual Studio 2022 (versions 17.12, 17.14) allows unauthenticated remote attackers to crash affected applications over the network. The vulnerability has a CVSS score of 7.5 (High) with low attack complexity and no privileges required. Vendor-released patches are available from Microsoft (MSRC). No public exploit identified at time of analysis, and the issue is not confirmed actively exploited.
Denial of service in Microsoft .NET Framework 3.5 through 4.8.1 allows unauthenticated remote attackers to crash applications via race condition exploitation over a network. The vulnerability stems from improper synchronization when multiple threads access shared resources concurrently (CWE-755). Affected versions span .NET Framework 3.5, 4.6.2, 4.7.x, 4.8, and 4.8.1 across multiple component combinations. Microsoft has released patches addressing the flaw. No public exploit code or active explo
Information disclosure in Microsoft .NET 8.0, 9.0, 10.0, and Visual Studio 2022 allows unauthenticated remote attackers to access sensitive data through improper neutralization of special elements. This spoofing vulnerability (CWE-138) enables attackers to bypass authentication mechanisms and extract high-confidentiality information over the network with low attack complexity. No active exploitation confirmed (not in CISA KEV), but the network-accessible, no-authentication-required attack profile presents immediate risk for internet-facing .NET applications. Vendor patches available for all affected versions.
Server-Side Request Forgery in Webkul Krayin CRM 2.2.x enables authenticated users to scan internal network resources and access sensitive information through the webhook creation endpoint. Attackers with low-privilege accounts can send crafted POST requests to /settings/webhooks/create, forcing the server to make requests to arbitrary internal URLs. With CVSS 8.5 (High) and scope change to other components, this allows reconnaissance of internal infrastructure, access to cloud metadata endpoints, and potential lateral movement. EPSS data not available; no public exploit identified at time of analysis, though technical details are published in security advisory.
Information disclosure in Pure Storage FlashBlade allows high-privileged network attackers to access sensitive data through log files. Affects FlashBlade versions 4.0.0-4.4.8, 4.5.0-4.5.13, and 4.6.0-4.6.3. The vulnerability (CWE-532: insertion of sensitive information into log file) has a CVSS 4.0 score of 8.5, indicating high confidentiality impact with scope change, but requires high privileges. No public exploit or active exploitation confirmed at time of analysis. EPSS data not yet available for this recently disclosed CVE.
Local privilege escalation in Microsoft Graphics Component across Windows 11 24H2/25H2/26H1 and Server 2025 enables unauthenticated local attackers to execute arbitrary code with high integrity via heap-based buffer overflow exploitation. CVSS 8.4 (High) reflects low attack complexity and no user interaction requirement, though local access is necessary. EPSS data unavailable; no CISA KEV listing or public exploit identified at time of analysis, but the low complexity (AC:L) and no-auth requirement (PR:N) make this highly attractive for post-compromise escalation.
Arbitrary code execution in Adobe ColdFusion 2023.18, 2025.6 and earlier allows authenticated attackers with high privileges to execute malicious code through improper input validation. Exploitation requires user interaction (victim opening a malicious file). EPSS data not available; no confirmed active exploitation (not in CISA KEV). CVSS 8.4 reflects high impact across confidentiality, integrity, and availability with scope change, though real-world risk is constrained by requiring both elevated privileges and user interaction.
Local privilege escalation in Microsoft Windows Brokering File System allows unprivileged attackers with physical or local access to gain SYSTEM-level privileges through a race condition vulnerability. The flaw affects all supported Windows 10, Windows 11, and Windows Server versions from 2016 through 2025. Despite an 8.4 CVSS score indicating high severity, real-world risk is moderate: EPSS score of 0.04% (12th percentile) suggests low exploitation likelihood, SSVC framework confirms no active exploitation, and the local attack vector limits exposure to scenarios where attackers already have local access. Vendor-released patches are available for all affected versions.
Local privilege escalation in Windows COM across Windows 10 (1809, 21H2, 22H2), Windows 11 (22H3-26H1), and Windows Server (2019-2025) allows unauthenticated attackers with local access to achieve full system compromise (high confidentiality, integrity, and availability impact) by exploiting acceptance of untrusted data alongside trusted data. CVSS 8.4 reflects the severe impact of complete privilege escalation despite requiring local access. Vendor-released patch available with specific build n
Arbitrary Python code execution in PraisonAI ≤4.5.138 occurs when malicious tools.py files are automatically imported from the current working directory without validation. Attackers placing a crafted tools.py in shared projects, cloned repositories, or writable workspaces achieve immediate code execution with full process privileges upon PraisonAI startup. EPSS data not available, but the local attack vector (AV:L) requiring no privileges (PR:N) or user interaction (UI:N) enables exploitation through supply chain and workspace poisoning attacks. No public exploit identified at time of analysis, though the vulnerability is trivial to exploit given the straightforward code injection mechanism.