Out-of-bounds read in xrdp RDP server versions ≤0.10.5 allows remote unauthenticated attackers to crash the service or disclose process memory by sending a malformed Confirm Active PDU during RDP capability negotiation. Attack complexity is low but requires user interaction. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis. Vendor-released patch available in version 0.10.6 per GitHub security advisory GHSA-rvh9-9wm3-28c7.
Dell PowerProtect Data Domain appliances log sensitive credentials when retention lock is enabled, allowing low-privileged remote attackers to harvest authentication data from log files. Affects DD OS 8.0-8.5 and LTS2025 8.3.1.0-8.3.1.10. Exploitation requires existing low-privileged access plus user interaction from a high-privileged administrator to authorize subsequent authentication attempts. EPSS score of 0.01% and SSVC assessment (non-automatable, partial impact) indicate low probability of widespread exploitation. Vendor patch available per Dell DSA-2026-060.
Path traversal in Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (versions ≤1.3.9.6) allows unauthenticated remote attackers to read arbitrary files within wp-content/ directory and exfiltrate them via email attachments. The plugin accepts client-supplied mfile[] POST parameters without server-side validation, directly converting user-controlled filenames to filesystem paths. CVSS 7.5 (High) reflects network attack vector with no authentication required. SSVC marks this as automatable with partial technical impact. No active exploitation confirmed (SSVC: exploitation=none), but the attack complexity is low and requires no user interaction, making this a realistic pre-authentication data exposure risk for sites using this plugin.
Firebird database server crashes via crafted slice packet exploiting zero-length SDL descriptor validation flaw. Remote unauthenticated attackers can trigger division-by-zero errors in the sdl_desc() function to cause denial of service against Firebird versions prior to 5.0.4, 4.0.7, and 3.0.14. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation with no authentication required. EPSS data not available; no public exploit identified at time of analysis, though technical details in GitHub advisory may facilitate reproduction.
Remote denial-of-service in Firebird Database Server versions prior to 5.0.4, 4.0.7, and 3.0.14 allows unauthenticated network attackers to crash the server via crafted XDR-encoded op_response packets. The xdr_status_vector() function fails to handle isc_arg_cstring status vector types during packet decoding, triggering immediate server termination. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and CWE-228 (Improper Handling of Syntactically Invalid Structure), this represents a high-severity availability risk for internet-exposed Firebird instances. No active exploitation confirmed, but exploit development is trivial given the low attack complexity.
Buffer overflow in Firebird RDBMS allows remote unauthenticated attackers to crash database servers via malformed slice packets. Affects Firebird versions prior to 5.0.4, 4.0.7, and 3.0.14 across all three maintained major release branches. The xdr_datum() deserialization function fails to validate cstring lengths against slice descriptor bounds during packet processing, enabling heap buffer overflow. CVSS 7.5 (High) with network attack vector and no authentication required. EPSS data not available, no KEV listing identified, but public vendor advisory and tagged releases confirm the issue and provide specific fix versions.
Remote unauthenticated denial of service in Firebird SQL database server versions prior to 6.0.0/5.0.4/4.0.7/3.0.14 allows attackers to crash the database by sending a malformed op_slice network packet that triggers a null pointer dereference in the SDL_info() function. Attack requires only network access to the database port with no authentication (CVSS AV:N/AC:L/PR:N). No public exploit code identified at time of analysis, and EPSS data not available for this recent CVE. Fixed versions released by vendor across all maintained branches.
Stored Cross-Site Scripting in WeGIA 'Member Registration' function allows remote attackers to inject malicious JavaScript through the 'Member Name' field, achieving persistent code execution in victim browsers without authentication. The payload executes whenever users navigate to affected pages, enabling session hijacking, credential theft, or administrative action execution. Version 3.6.10 provides a vendor-released patch. No public exploit identified at time of analysis, though exploitation is straightforward given the unauthenticated attack vector (CVSS AV:N/PR:N).
Path traversal in Unlimited Elements for Elementor (WordPress plugin ≤2.0.6) enables authenticated attackers with Author-level privileges to read arbitrary files from the web server via crafted URLs in the Repeater JSON/CSV URL parameter. The vulnerability chains multiple sanitization failures in URLtoRelative(), urlToPath(), and cleanPath() functions, allowing traversal sequences like ../../../../etc/passwd to bypass domain-stripping logic and access sensitive files including wp-config.php. CVSS 7.5 indicates high confidentiality impact. EPSS and KEV data not provided; no public exploit confirmed at time of analysis. Wordfence reports the issue with detailed code references to vulnerable functions in versions through 2.0.6.
HashiCorp Vault unauthenticated denial-of-service vulnerability allows remote attackers to block critical administrative operations by monopolizing the single operation slot for root token generation and rekey workflows. Affects all Vault Community and Enterprise versions prior to 2.0.0. No active exploitation confirmed (EPSS 3rd percentile), but attack is trivially automatable per CISA SSVC framework. HashiCorp released patches in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.
Server-Side Request Forgery (SSRF) in Craftql PHP library versions 1.3.7 and earlier enables remote attackers to force the server to make unintended requests, potentially leading to arbitrary code execution. The vulnerability resides in the GetAssetsFieldSchema.php listener component. No active exploitation is confirmed (not in CISA KEV), but a proof-of-concept repository with detailed exploitation documentation exists on GitHub. Despite the CVSS 7.5 rating, the extremely low EPSS score (0.01%, 0th percentile) indicates minimal real-world exploitation activity observed to date. The description claims RCE capability, but the CVSS vector shows only confidentiality impact (C:H/I:N/A:N), suggesting the SSRF may enable information disclosure that could chain into RCE rather than direct code execution - verification with vendor advisories needed.
Out-of-bounds write in dnsmasq's DHCP split-relay handler allows remote unauthenticated denial of service via crafted BOOTREPLY packets. Affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4 when dnsmasq runs with the --dhcp-split-relay option enabled. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation, but real-world risk is mitigated by the non-default configuration requirement. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though CWE-787 (out-of-bounds write) primitives are well-understood by attackers.
Anviz CX7 Firmware allows unauthenticated remote retrieval of the most recently captured test photo, exposing sensitive operational imagery without requiring authentication or user interaction. Network-accessible instances are at immediate risk of information disclosure; the vulnerability affects all versions of Anviz CX7 Firmware. No public exploit code or active KEV listing identified at time of analysis, but the trivial exploitation requirements (network access, no authentication, no complexity) combined with CISA ICS advisory issuance (ICSA-26-106-03) indicate material risk in operational technology environments.
Unauthenticated remote attackers can access debug configuration endpoints on Anviz CX2 Lite and CX7 devices without credentials, exposing SSH and RTTY status information that facilitates reconnaissance. The vulnerability exists in network-accessible endpoints that return sensitive debug data, affecting both device models across all firmware versions.
Unauthenticated remote attackers can capture photos using the front-facing camera on Anviz CX7 devices via a direct POST request, exposing visual information about the physical deployment environment without authentication. The vulnerability affects all versions of Anviz CX7 Firmware and is tracked in CISA industrial control systems advisories, indicating deployment in operational technology environments. With a CVSS score of 5.3 (network-accessible, no authentication required, low complexity), this represents a confidentiality breach suitable for reconnaissance or social engineering in sensitive facilities.
Local privilege escalation in Imagination Technologies Graphics DDK allows low-privileged users to modify read-only GPU memory and files through improper system call handling. Affects DDK versions 1.17 through 25.3 RTM across multiple release branches. Attack requires local access and low-level privileges but no user interaction (CVSS: 7.3). EPSS data not available; no active exploitation confirmed (SSVC: none); no public POC identified at time of analysis. Vulnerability stems from insufficient validation of GPU memory reservation protections, enabling authenticated local users to bypass kernel-enforced memory access controls.
Stored Cross-Site Scripting in WP Statistics plugin (≤14.16.4) allows unauthenticated attackers to inject malicious JavaScript into admin dashboard analytics pages. The vulnerability stems from unsafe handling of utm_source URL parameters that persist into database-backed charts, executing when administrators view Referrals Overview or Social Media pages. With CVSS 7.2 and network vector requiring no authentication, this represents elevated risk for WordPress sites using this analytics plugin, though no active exploitation confirmed at time of analysis.
Command injection in Dell PowerProtect Data Domain DD OS versions 7.7.1.0-8.5 (Feature), 8.3.1.0-8.3.1.20 (LTS2025), and 7.13.1.0-7.13.1.50 (LTS2024) enables authenticated administrators with remote access to execute arbitrary commands as root. Dell DSA-2026-060 confirms patches in DD OS 8.6.0.0, 8.3.1.30, and 7.13.1.50. EPSS score of 0.05% (15th percentile) suggests low widespread exploitation risk despite network attack vector; no public exploit identified, CVSS 7.2 reflects high-privilege requirement limiting attack surface to compromised admin accounts or insider threats.
Improper certificate validation in Dell PowerProtect Data Domain DD OS 7.7.1.0-8.5, 8.3.1.0-8.3.1.20 (LTS2025), and 7.13.1.0-7.13.1.60 (LTS2024) allows authenticated administrators with remote access to escalate privileges through certificate-based login exploitation. CVSS 7.2 (High) reflects network-based attack with low complexity, though requiring high-privilege credentials (PR:H). EPSS score of 0.02% (6th percentile) indicates very low probability of near-term exploitation. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis.
Sandbox escape in JetBrains YouTrack before 2025.3.131383 allows high-privileged users to execute arbitrary code on the server. The vulnerability affects all YouTrack versions prior to 2025.3.131383 and is classified as both an authentication bypass and server-side template injection (SSTI). EPSS scoring indicates 0% exploitation probability with no evidence of active exploitation or public POCs. Despite a CVSS score of 7.2, the requirement for high-level administrative privileges significantly constrains real-world attack surface to insider threats or compromised admin accounts.
Integer underflow in miniupnpd's SOAPAction header parser triggers out-of-bounds memory reads, enabling adjacent network attackers to crash UPnP-enabled routers or leak sensitive memory contents without authentication. Affects miniupnpd versions prior to 2.3.10. Vendor patch available via commit a0ee71e9fa66. CVSS 7.1 with adjacent network vector (AV:A) indicates attackers must be on the same local network segment as the vulnerable device. No active exploitation confirmed in CISA KEV at time of analysis.
Path traversal in ByteDance DeerFlow's bootstrap-mode custom-agent creation allows authenticated remote attackers to write arbitrary files outside intended directories. Affected versions prior to commit 2176b2b fail to validate agent names, enabling directory traversal sequences (../) or absolute paths to bypass containment controls. Successful exploitation achieves arbitrary file write subject to application process permissions, enabling configuration tampering, code injection, or denial of service. Vendor patch available via GitHub commit 2176b2b. EPSS data unavailable; not currently listed in CISA KEV. Publicly available exploit code exists (GitHub PR #2274 demonstrates vulnerability).
CSRF protection bypass in PAC4J authentication library allows remote attackers to forge state-changing requests without victim consent by exploiting hash collisions in Java's String.hashCode() function. Affects PAC4J 5.x before 5.7.10 and 6.x before 6.4.1, requiring victim interaction (visiting malicious site). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). CERT-PL disclosed the vulnerability with vendor patches now available.
DNN (DotNetNuke) 10.0.0 through 10.2.1 installations use an identical Host GUID across all new deployments, enabling attackers to impersonate the host administrator account and gain unauthorized access to sensitive CMS functionality. This affects only fresh installations-upgrades from 9.x retain unique identifiers. The vulnerability requires network access to exploit but no authentication or user interaction, and is patched in version 10.2.2.
Open redirect vulnerability in next-intl middleware prior to version 4.9.1 allows remote attackers to craft malicious URLs that bypass path handling validation when `localePrefix: 'as-needed'` is configured, redirecting users to arbitrary hosts via scheme-relative URLs or control characters that the WHATWG URL parser strips. Unauthenticated attackers can exploit this through social engineering (phishing links) to redirect users from trusted application URLs to attacker-controlled domains. Patch available in next-intl@4.9.1.
GREENmod before 2.8.33 allows remote code execution and server-side request forgery via incorrectly configured named pipes that accept unauthenticated XML or JSON file uploads, processing them with service-level privileges on Windows systems. An attacker on the network can abuse this to trigger SSRF attacks against SMB or WebDAV targets accessible to the service account, potentially compromising internal Windows infrastructure without authentication.
Anviz CX7 Firmware allows authenticated administrators to upload malicious CSV files that exploit path traversal (CWE-23) to overwrite system files such as /etc/shadow, enabling unauthorized SSH access when combined with debug setting modifications. The vulnerability requires high-privilege authentication but poses significant risk in environments where administrative accounts are compromised or untrusted administrators have access.
Improper neutralization of argument delimiters in AWS EFS CSI Driver before v3.0.1 allows remote authenticated users with PersistentVolume creation permissions to inject arbitrary mount options via comma injection, potentially leading to privilege escalation or unauthorized data access within Kubernetes clusters using EFS storage. The vulnerability requires high privileges (PersistentVolume admin role) but can be exploited remotely over the network with low complexity. Vendor-released patch v3.0.1 is available.
Denial of service in graphql-go versions 15.31.4 and below allows remote unauthenticated attackers to trigger excessive CPU consumption during GraphQL query validation by submitting queries with thousands of repeated identical fields, exploiting O(n²) complexity in the OverlappingFieldsCanBeMerged validation rule. The vulnerability bypasses existing QueryDepth and QueryComplexity mitigations. Vendor-released patch: version 15.31.5.
Stored XSS in WeGIA versions prior to 3.6.10 allows authenticated high-privilege users to inject malicious JavaScript via the Destinatário field, with payloads persisted and executed when other users view the dispatch page. The vulnerability requires administrative or high-privilege authentication but impacts confidentiality of all users accessing affected pages. No public exploit code or active exploitation has been reported.
Stored XSS in WeGIA patient management system (versions before 3.6.10) allows authenticated high-privilege users to inject malicious JavaScript via the patient name field, with execution occurring when patient records are subsequently viewed. The vulnerability affects all instances of WeGIA prior to version 3.6.10, where the fix has been released. Exploitation requires administrative or high-privilege account access but can compromise confidentiality and session integrity of users viewing affected patient records.
Command injection in Dell PowerProtect Data Domain allows high-privileged local attackers to execute arbitrary commands and gain root-level access across Feature Release versions 7.7.1.0-8.5, LTS2025 versions 8.3.1.0-8.3.1.20, and LTS2024 versions 7.13.1.0-7.13.1.50. The vulnerability requires local access and elevated privileges (PR:H), limiting exploitation scope to authenticated administrative users with shell or console access. No public exploit or active exploitation has been identified at the time of analysis.
Dell PowerProtect Data Domain versions 7.7.1.0 through 8.7.0.0 and specific LTS releases (8.3.1.0-8.3.1.20, 7.13.1.0-7.13.1.60) contain an OS command injection vulnerability (CWE-78) that allows high-privileged local attackers to execute arbitrary commands with root privileges. The vulnerability stems from improper neutralization of special elements in OS commands, with a CVSS score of 6.7 reflecting high confidentiality, integrity, and availability impact but constrained by local access and high privilege requirements.
Dell PowerProtect Data Domain versions 7.7.1.0 through 8.7.0.0, LTS2025 releases 8.3.1.0-8.3.1.20, and LTS2024 releases 7.13.1.0-7.13.1.60 allow local high-privileged attackers to execute arbitrary OS commands with root privileges via improper neutralization of special elements in command construction (OS command injection). No public exploit code or active exploitation has been identified at the time of analysis, but the vulnerability affects critical backup and disaster recovery infrastructure with direct root access potential.
Dell PowerProtect Data Domain versions 7.7.1.0-8.7.0.0, LTS2025 8.3.1.0-8.3.1.20, and LTS2024 7.13.1.0-7.13.1.60 allow OS command injection via improper neutralization of special elements in OS commands. A high-privileged local attacker can execute arbitrary commands with root privileges by exploiting this vulnerability, enabling complete system compromise.
Dell PowerProtect Data Domain versions 7.7.1.0-8.7.0.0, LTS2025 8.3.1.0-8.3.1.20, and LTS2024 7.13.1.0-7.13.1.60 are vulnerable to argument injection in command processing, allowing high-privileged local attackers to execute arbitrary commands as root. Exploitation requires administrative-level access and local system presence, limiting real-world exposure to insider threats or post-compromise scenarios. No public exploit code or active exploitation has been identified at the time of analysis.
Bypass of Windows Driver Signature Enforcement in Veeam Backup and Replication 12.x and Software Appliance 13.x allows local administrators to load unsigned kernel drivers, potentially enabling persistent kernel-level compromise. The vulnerability requires high-level administrative privileges and is not actively exploited in the wild; however, EPSS scoring (0.01%) suggests this is a low-probability exploitation target despite the high CVSS score, indicating the attack scenario is constrained by strict privilege and configuration requirements.
Dell PowerProtect Data Domain versions 8.4 through 8.5 contain an improper authentication vulnerability allowing high-privileged remote attackers to bypass authentication and gain unauthorized access to the system. CVSS 6.6 (high complexity, high privileges required) reflects the need for elevated attacker credentials but significant confidentiality, integrity, and availability impact. No public exploit code or active exploitation has been identified at time of analysis.
Dell PowerProtect Data Domain versions 8.4 through 8.5 contain an improper authentication vulnerability (CWE-287) allowing high-privileged remote attackers to bypass authentication controls and gain unauthorized access to protected systems. The vulnerability requires high privilege level and high attack complexity but enables confidentiality, integrity, and availability impact if successfully exploited. No active exploitation in CISA KEV confirmed at time of analysis.
OpenFGA 0.1.4 through 1.13.1 discloses preshared API authentication keys in plaintext HTML responses from the unauthenticated /playground endpoint when configured with preshared-key authentication. Remote attackers on accessible networks can retrieve credentials without authentication, compromising authorization service security. The vulnerability requires non-default configuration (preshared auth enabled, playground accessible beyond localhost), limiting but not eliminating real-world risk.
Time-based blind SQL injection in MasterStudy LMS WordPress plugin up to version 3.7.25 allows authenticated subscribers and above to extract sensitive database information including user credentials and session tokens via unquoted ORDER BY clause injection in the /lms/stm-lms/order/items REST API endpoint. The vulnerability stems from a custom Query builder that concatenates user-supplied sort parameters containing parentheses directly into SQL ORDER BY clauses without proper quoting, bypassing the plugin's use of esc_sql(). CVSS score of 6.5 reflects network-accessible exploitation requiring low privilege (subscriber-level) authentication and no user interaction.
WP Statistics plugin for WordPress versions up to 14.16.4 fail to enforce capability checks on multiple AJAX endpoints, allowing authenticated Subscriber-level users to access sensitive analytics data, retrieve and modify privacy audit status, and dismiss administrative notices. The vulnerability stems from reliance on nonce verification alone without role-based access control, affecting all installations with the plugin active and at least one authenticated user account. No public exploit code or active exploitation has been confirmed at time of analysis.
SQL injection in Tutor LMS plugin for WordPress through version 3.9.8 allows authenticated Admin-level attackers to extract sensitive database information by injecting malicious SQL via the 'date' parameter, which is insufficiently escaped before being interpolated into a SQL fragment passed to $wpdb->prepare(). The vulnerability requires Admin authentication and does not permit data modification or denial of service. CVSS 6.5 reflects confidentiality impact; exploitation is limited to high-privilege authenticated users.
wpForo Forum plugin for WordPress allows authenticated Subscriber-level attackers to modify arbitrary forum posts via variable extraction abuse and weak nonce validation. Attackers exploit the `extract($args, EXTR_OVERWRITE)` function in the `edit()` method to bypass permission checks, enabling unauthorized modification of post titles, bodies, names, and emails across all forum visibility levels including private forums and admin/moderator posts. A hardcoded nonce shared across all forum templates allows any user viewing any forum page to obtain a valid nonce, making exploitation trivial for authenticated users.
Stored Cross-Site Scripting in WeGIA versions prior to 3.6.10 allows authenticated users to inject malicious JavaScript into the Intercorrências notification page, which executes when other users access that page, enabling session hijacking and account takeover. The vulnerability requires user authentication to inject the payload but affects all subsequent viewers of the notification page without additional user interaction. Patch version 3.6.10 resolves the issue.
Stored Cross-Site Scripting in Royal Addons for Elementor plugin versions up to 1.7.1056 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the Instagram Feed widget's 'instagram_follow_text' setting, executing malicious scripts whenever users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the widget configuration handler. CVSS 6.4 reflects the moderate severity (network-accessible, no user interaction required from victims, but limited scope to stored XSS with low confidentiality and integrity impact). No public exploit code or active exploitation has been confirmed at time of analysis.
Stored XSS in Pz-LinkCard WordPress plugin (all versions through 2.5.8.1) allows Contributor-level authenticated users to inject malicious scripts via the 'blogcard' shortcode attributes due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed at time of analysis.
Heap-based buffer overflow in xrdp 0.10.5 and earlier allows unauthenticated remote attackers to cause denial of service or memory corruption when the domain_user_separator configuration directive is explicitly enabled in xrdp.ini. An attacker sends a crafted RDP logon request with an excessively long username and domain name combination that overflows an internal buffer, corrupting adjacent memory regions. The vulnerability requires non-default configuration (domain_user_separator must be uncommented) and affects only systems with this setting enabled. Vendor-released patch: version 0.10.6.
Authenticated remote command execution in xrdp through version 0.10.5 allows users to execute arbitrary shell commands on the RDP server via an unsanitized AlternateShell parameter during session initialization. When AllowAlternateShell is enabled (the default configuration), xrdp passes client-supplied shell commands directly to /bin/sh -c without sanitization, bypassing normal session constraints. An authenticated RDP user can exploit this to run arbitrary commands in the context of their login session before the window manager starts, with no public exploit code identified at time of analysis.
Dell PowerProtect Data Domain DD OS versions 8.4 through 8.5 fail to enforce rate limiting on authentication attempts, allowing high-privileged remote attackers to conduct brute-force attacks against administrative credentials without account lockout or delays. This authentication bypass vulnerability enables unauthorized access to backup infrastructure systems that manage critical data protection workflows, with CVSS 6.2 reflecting the requirement for already-elevated privileges and high attack complexity.