Dell PowerProtect Data Domain DD OS versions 8.4-8.5 contain a session fixation vulnerability allowing high-privileged remote attackers to hijack authenticated sessions and gain unauthorized access without requiring user interaction. CVSS 6.2 reflects the high-complexity attack surface (AC:H) offset by elevated attacker privileges (PR:H) and direct confidentiality/integrity impact; no public exploit or active exploitation has been identified at time of analysis.
Sparx Enterprise Architect client stores and transmits OAuth2 client secrets in plaintext, allowing local attackers to extract credentials and impersonate the application to obtain unauthorized access tokens. The vulnerability affects at least version 16.1.1627 and potentially earlier versions; local file system access is required to retrieve the exposed secrets, but once obtained, an attacker can perform remote authentication without additional privileges. NCSC-FI reported this vulnerability and it is tracked as EUVD-2025-209512; exploitation likelihood is elevated due to the ease of credential extraction from local storage.
Path traversal in Qihui jtbc5 CMS 5.0.3.6 allows authenticated remote attackers to read arbitrary files via a manipulated path parameter in /dev/code/common/diplomat/manage.php. The vulnerability has a published exploit and affects the Code Endpoint component; the vendor has not responded to early disclosure. With CVSS 4.3 and EPSS probability marked as Proof-of-Concept, this represents a moderate confidentiality risk limited to authenticated users.
SQL injection in QueryMine SMS admin/editcourse.php parameter handler allows authenticated remote attackers to query or modify the database via a crafted ID parameter, with publicly available exploit code demonstrating the vulnerability. The affected product uses rolling releases with no versioning available, and the vendor has not responded to disclosure attempts. CVSS 5.3 reflects limited scope impact under authenticated access (PR:L), but real-world risk depends on network exposure of the administrative interface.
Path traversal in prasathmani TinyFileManager up to version 2.6 allows authenticated remote attackers to manipulate the file[] POST parameter in /filemanager.php to read, modify, or delete arbitrary files on the server outside the intended directory scope. CVSS 5.4 reflects the authenticated requirement and lack of confidentiality impact, though integrity and availability are compromised. Public exploit code exists and the vendor has not responded to disclosure, leaving users dependent on manual patching or upgrading.
Server-side request forgery (SSRF) in TinyFileManager file upload handler (versions up to 2.6) allows authenticated remote attackers to manipulate the uploadurl parameter and forge requests to arbitrary servers. The vulnerability affects the /filemanager.php?p=&ajax=true&type=upload endpoint and has publicly available exploit code; the vendor has not responded to disclosure attempts.
Unrestricted file upload vulnerability in QueryMine SMS admin panel allows authenticated remote attackers to upload arbitrary files via the image parameter in admin/addteacher.php, potentially enabling remote code execution. Affects all versions up to commit 7ab5a9ea196209611134525ffc18de25c57d9593. Public exploit code exists and the vendor has not responded to disclosure attempts.
Integer overflow in Firebird database versions prior to 5.0.4, 4.0.7, and 3.0.14 allows authenticated users with INSERT privileges to trigger a denial of service via a malformed Batch Parameter Block that overflows the totalLength value in ClumpletReader::getClumpletSize(), causing infinite loop conditions on the server.
Cross-site scripting (XSS) in lukevella Rallly up to version 4.7.4 allows authenticated users to inject malicious scripts via the redirectTo parameter in the reset password form, affecting the stored XSS vector with user interaction required. The vulnerability has public exploit code available and is mitigated by upgrading to version 4.8.0 or later. Real-world risk is limited by the requirement for authenticated access and user interaction, but the publicly available exploit increases attack feasibility.
Stored cross-site scripting (XSS) in Classroom Bookings up to version 2.17.0 allows authenticated users to inject malicious scripts via the displayname parameter in the User Display Name Handler component, resulting in arbitrary script execution in other users' browsers. The vulnerability requires user interaction (victim must view the affected page) and authenticated access, limiting immediate risk, but publicly available exploit code and vendor confirmation of the issue increase real-world threat. Upgrading to version 2.17.1 resolves the vulnerability.
Dell PowerProtect Data Domain contains a reflected cross-site scripting (XSS) vulnerability affecting DD OS Feature Release versions 7.7.1.0-8.5, LTS2025 versions 8.3.1.0-8.3.1.20, and LTS2024 versions 7.13.1.0-7.13.1.50. A high-privileged remote attacker can inject malicious scripts into the web interface via crafted requests; if a victim administrator views the malicious link, the script executes in their browser context, potentially leading to credential theft, session hijacking, or unauthorized administrative actions. CVSS 5.9 reflects the requirement for high privileges and user interaction, though the wide version range and network accessibility indicate broad exposure across deployed instances.
Heap-based buffer overflow in libvips up to version 8.18.2 via the deprecated im_minpos_vec function in libvips/deprecated/vips7compat.c allows authenticated local attackers to trigger memory corruption through manipulation of the argument n, with publicly available exploit code confirmed and vendor commitment to remove the deprecated code in libvips 8.19.
Command execution in JetBrains Junie before version 252.549.29 allows local attackers to execute arbitrary commands by crafting malicious project files, requiring user interaction to open the file. The vulnerability affects all Junie versions prior to the patched release and exploits unsafe handling of project file content without proper sanitization.
STProcessMonitor 11.11.4.0 driver in Safetica Application suite allows local privileged users to send crafted IOCTL requests (0xB822200C) that terminate processes protected by third-party security implementations due to insufficient caller validation in the kernel-mode driver handler. This enables denial of service attacks against critical services without requiring user interaction. Publicly available exploit code exists, and the vulnerability is tracked in CISA's LOLDrivers database as a legitimate-but-abused Windows driver.
Authentication bypass in Auth0 Next.js SDK versions 4.12.0 through 4.17.1 allows authenticated users with UI interaction to access sensitive endpoints through improper proxy cache lookups during concurrent nonce retry operations. The vulnerability specifically affects deployments using the proxy handler with DPoP (Demonstration of Proof-of-Possession) enabled, potentially exposing confidential user information via /me/* and /my-org/* endpoints. Vendor-released patch: version 4.18.0.
Claude Code prior to version 2.1.75 on Windows allows low-privileged local users to execute arbitrary code by placing a malicious configuration file in an unprotected shared directory (C:\ProgramData\ClaudeCode\managed-settings.json). The vulnerability exploits the default writability of ProgramData to non-administrative users and the absence of directory ownership validation, enabling privilege escalation or lateral impact when a victim user subsequently launches the application. This requires local system access and user interaction (launching Claude Code), limiting real-world impact to shared multi-user systems.
LatePoint WordPress plugin versions up to 5.3.2 expose a public, unauthenticated endpoint (OsStripeConnectController::create_payment_intent_for_transaction) that allows sequential enumeration of invoice IDs and unauthorized creation of transaction intent records containing sensitive financial data, customer identifiers, and Stripe payment secrets. Unauthenticated remote attackers can exploit this Insecure Direct Object Reference (IDOR) vulnerability to leak confidential payment information and Stripe Connect tokens without authentication or user interaction. No active exploitation has been confirmed at the time of analysis.
Quiz And Survey Master plugin for WordPress (versions up to 11.1.0) allows unauthenticated attackers to execute arbitrary WordPress shortcodes via user-submitted quiz answers. User inputs are sanitized with sanitize_text_field() and htmlspecialchars(), which strip HTML tags but fail to remove shortcode brackets [ and ]. When quiz results are displayed, the plugin executes do_shortcode() on the entire results page including user answers, enabling injection of shortcodes like [qsm_result id=X] to access unauthorized quiz submissions. This is a direct information disclosure vulnerability masked by RCE tagging; confirmed CVSS 5.3 (Integrity impact) indicates data tampering/unauthorized access rather than code execution.
Log injection vulnerability in Red Hat Ansible Automation Platform 2 MCP server allows unauthenticated remote attackers to inject control characters and ANSI escape sequences via the `toolsetroute` parameter, enabling log forgery and obscuring legitimate audit trails to facilitate social engineering attacks that trick operators into executing malicious commands or accessing attacker-controlled URLs. CVSS 5.3 (medium) reflects the integrity impact on logs without direct confidentiality or availability impact; exploitation requires no authentication, credentials, or user interaction. No public exploit code or active exploitation has been identified at time of analysis.
Kubio page builder plugin for WordPress allows authenticated attackers with Contributor-level access to upload arbitrary files from external URLs by bypassing capability checks in the REST API post creation handler. The kubio_rest_pre_insert_import_assets() function automatically imports remote files referenced in block attributes without verifying the user possesses the upload_files capability, violating WordPress's normal media upload restrictions. Affected versions are up to and including 2.7.2; no public exploit code has been identified at the time of analysis.
Tutor LMS plugin for WordPress versions up to 3.9.8 allow authenticated attackers to manipulate course content structure (detach lessons, move lessons between topics, reorder content) without proper authorization checks when the 'content_parent' parameter is omitted from requests to the tutor_update_course_content_order() function. Although the CVSS score of 5.3 reflects the absence of confidentiality impact, the vulnerability enables course instructors or subscribers to disrupt course integrity across the entire site despite lacking content management permissions, with no public exploit code confirmed but patch available in version 3.9.9.
Server-side request forgery (SSRF) in HashiCorp Vault's PKI engine ACME validation allows unauthenticated remote attackers to send http-01 and tls-alpn-01 challenge requests to local network targets by controlling DNS responses, potentially disclosing sensitive information from internal services. The vulnerability affects Vault Community Edition before 2.0.0 and Vault Enterprise before 1.19.16, 1.20.10, or 1.21.5. HashiCorp has released patched versions; no public exploit code has been identified at the time of analysis.
CubeCart administrative users can exploit a path traversal vulnerability prior to version 6.6.0 to read files from higher-level directories on the server, bypassing intended directory access restrictions. The vulnerability requires administrative privileges and affects CubeCart installations below 6.6.0. No active exploitation or public proof-of-concept has been identified; the low CVSS score (2.7) reflects the requirement for elevated privileges, making this a post-compromise lateral movement vector rather than an initial access risk.
SQL injection in CubeCart prior to 6.6.0 allows remote unauthenticated attackers to execute arbitrary SQL statements through a request requiring user interaction, affecting the e-commerce platform's database integrity and confidentiality. The vulnerability has a CVSS score of 6.3 with network-accessible attack vector and low complexity, though exploitation requires user engagement (UI:R) which moderates real-world risk. No public exploit code or active exploitation in CISA KEV has been confirmed at time of analysis.
JetBackup plugin for WordPress versions up to 3.1.19.8 allows authenticated administrators to delete arbitrary directories via path traversal in the file upload handler. The vulnerability stems from insufficient input validation on the fileName parameter, which is sanitized using sanitize_text_field() but still permits path traversal sequences like '../'. When combined with the recursive directory deletion logic in the cleanup routine, attackers can traverse outside the intended upload directory and delete critical WordPress directories such as wp-content/plugins, completely disabling all plugins and severely disrupting the WordPress installation.
SQL injection in Form Maker by 10Web WordPress plugin (versions ≤1.15.40) allows authenticated administrators to extract sensitive database information via unsanitized parameters (ip_search, startdate, enddate, username_search, useremail_search) in the Submissions display function. The vulnerability stems from the validate_data() method stripping WordPress's magic quotes protection and get_labels_parameters() concatenating user input directly into SQL queries without prepared statements. A CSRF vector exists because the vulnerable display task lacks nonce verification, enabling attackers to trick administrators into triggering the injection via a crafted link. Exploitation requires Administrator-level privileges but can be chained with CSRF for unauthorized triggering.
DOMSanitizer before version 1.0.10 fails to sanitize CSS content within SVG <style> elements, allowing attackers to inject url() references and @import rules that trigger unauthorized HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered in a browser. This affects PHP applications using the vulnerable library to sanitize user-supplied SVG content, enabling information disclosure through request metadata and potential CSRF attacks. The vulnerability requires user interaction (rendering the SVG) but affects all downstream users of the sanitized content due to scope change (C:L, S:C).
Stored Cross-Site Scripting in VideoZen WordPress plugin versions up to 1.0.1 allows authenticated administrators to inject arbitrary JavaScript into plugin settings that executes for all users accessing the settings page. The 'lang' POST parameter in the videozen_conf() function is stored without sanitization and output without escaping, enabling privilege-abusing admins to compromise any WordPress installation running the vulnerable plugin. No public exploit code or active exploitation has been identified at time of analysis.
Authenticated attackers with subscriber-level WordPress access can bypass capability checks in the Canto plugin (versions up to 3.1.1) via unprotected AJAX endpoints to arbitrarily modify or delete critical plugin options controlling cron scheduling and disable scheduled update tasks. The vulnerability requires a logged-in user but accepts any authenticated account regardless of intended permissions, allowing privilege escalation of low-level accounts to perform administrative functions without authorization. No active exploitation confirmed; patch status not yet identified.
Dell PowerProtect Data Domain (DD OS) versions 7.7.1.0-8.5, 8.3.1.0-8.3.1.20 (LTS2025), and 7.13.1.0-7.13.1.50 (LTS2024) leak sensitive information to low-privileged remote attackers. An authenticated user with minimal privileges can access confidential data without authorization, resulting in information disclosure with a CVSS score of 4.3. No active exploitation reported, but the low attack complexity and remote network vector make this a practical vulnerability for attackers within administrative networks.
DNN (DotNetNuke) Platform versions 6.0.0 through 10.2.1 allow authenticated users to bypass authorization controls in the friends feature and force acceptance of friend requests on behalf of other users, resulting in unauthorized relationship modifications. The vulnerability requires valid user credentials (PR:L) and affects the integrity of user social graphs without exposing sensitive data. No public exploit code or active exploitation has been confirmed; vendors have released patched version 10.2.2.
Cross-Site Request Forgery (CSRF) in the cms-fuer-motorrad-werkstaetten WordPress plugin version 1.0.0 and earlier allows unauthenticated attackers to delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, and supplier catalogs by tricking logged-in users into clicking a malicious link. Eight AJAX handlers lack nonce validation and capability checks, enabling direct data destruction without authentication or authorization verification. User interaction is required (UI:R), limiting the attack to social engineering scenarios rather than direct network exploitation.
Reflected cross-site scripting (XSS) in Stirling-PDF versions before 2.0.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by uploading a file with a malicious filename containing script code. The vulnerability affects multiple file upload endpoints that render user-supplied filenames directly into HTML via unsafe DOM manipulation methods without sanitization. Attack requires user interaction (victim must upload the crafted file), limiting real-world impact. No public exploit code or active exploitation has been identified at time of analysis.
mcp-neo4j-cypher before version 0.6.0 allows authenticated users to bypass read-only mode enforcement via APOC CALL procedures, enabling unauthorized write operations and server-side request forgery against Neo4j databases. The vulnerability requires login credentials and attacker preparation (CVSS AT:P), limiting real-world risk to insider threats or compromised accounts with legitimate access to the MCP server.