DLL hijacking in MobaXterm Home Edition ≤26.1 allows local attackers with low privileges to execute arbitrary code by planting a malicious msimg32.dll in an uncontrolled search path location. Exploitation is complex (CVSS AC:H) but a public POC exists. Mobatek released version 26.2 to address the issue. EPSS data not provided, not listed in CISA KEV, suggesting limited active exploitation despite public proof-of-concept availability.
The Hotel Booking Management System by arnobt78 (up to commit f8922d0e0f6ac1cc761974c7616f44c2bbc04bea) exposes sensitive information through an unauthenticated network request to the /api/health/detailed endpoint, allowing remote attackers to disclose system details without authentication or user interaction. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts.
SQL injection in QueryMine SMS admin/deletecourse.php allows remote unauthenticated attackers to read, modify, or delete database records via the ID parameter in GET requests. Affects all versions up to commit 7ab5a9ea196209611134525ffc18de25c57d9593. Public exploit code exists (GitHub POC available). EPSS data not available. Not listed in CISA KEV. Vendor non-responsive to disclosure. CVSS 7.3 with network attack vector and no authentication required indicates moderate-high severity, but real-world risk depends on deployment exposure of admin interface.
Anviz CX2 Lite and CX7 devices transmit administrative sessions over unencrypted HTTP, allowing on-path attackers to intercept and steal credentials and session tokens without authentication or user interaction beyond the legitimate admin connecting to the device. This breaks confidentiality of administrative access, enabling complete device compromise. CVSS 6.5 reflects the high confidentiality impact but lack of authentication barrier; exploitation is straightforward given network access to the device.
Anviz CX7 Firmware allows unauthenticated remote retrieval of the most recently captured test photo, exposing sensitive operational imagery without requiring authentication or user interaction. Network-accessible instances are at immediate risk of information disclosure; the vulnerability affects all versions of Anviz CX7 Firmware. No public exploit code or active KEV listing identified at time of analysis, but the trivial exploitation requirements (network access, no authentication, no complexity) combined with CISA ICS advisory issuance (ICSA-26-106-03) indicate material risk in operational technology environments.
Unauthenticated remote attackers can access debug configuration endpoints on Anviz CX2 Lite and CX7 devices without credentials, exposing SSH and RTTY status information that facilitates reconnaissance. The vulnerability exists in network-accessible endpoints that return sensitive debug data, affecting both device models across all firmware versions.
Unauthenticated remote attackers can capture photos using the front-facing camera on Anviz CX7 devices via a direct POST request, exposing visual information about the physical deployment environment without authentication. The vulnerability affects all versions of Anviz CX7 Firmware and is tracked in CISA industrial control systems advisories, indicating deployment in operational technology environments. With a CVSS score of 5.3 (network-accessible, no authentication required, low complexity), this represents a confidentiality breach suitable for reconnaissance or social engineering in sensitive facilities.
DNN (DotNetNuke) 10.0.0 through 10.2.1 installations use an identical Host GUID across all new deployments, enabling attackers to impersonate the host administrator account and gain unauthorized access to sensitive CMS functionality. This affects only fresh installations-upgrades from 9.x retain unique identifiers. The vulnerability requires network access to exploit but no authentication or user interaction, and is patched in version 10.2.2.
Open redirect vulnerability in next-intl middleware prior to version 4.9.1 allows remote attackers to craft malicious URLs that bypass path handling validation when `localePrefix: 'as-needed'` is configured, redirecting users to arbitrary hosts via scheme-relative URLs or control characters that the WHATWG URL parser strips. Unauthenticated attackers can exploit this through social engineering (phishing links) to redirect users from trusted application URLs to attacker-controlled domains. Patch available in next-intl@4.9.1.
GREENmod before 2.8.33 allows remote code execution and server-side request forgery via incorrectly configured named pipes that accept unauthenticated XML or JSON file uploads, processing them with service-level privileges on Windows systems. An attacker on the network can abuse this to trigger SSRF attacks against SMB or WebDAV targets accessible to the service account, potentially compromising internal Windows infrastructure without authentication.
Anviz CX7 Firmware allows authenticated administrators to upload malicious CSV files that exploit path traversal (CWE-23) to overwrite system files such as /etc/shadow, enabling unauthorized SSH access when combined with debug setting modifications. The vulnerability requires high-privilege authentication but poses significant risk in environments where administrative accounts are compromised or untrusted administrators have access.
Improper neutralization of argument delimiters in AWS EFS CSI Driver before v3.0.1 allows remote authenticated users with PersistentVolume creation permissions to inject arbitrary mount options via comma injection, potentially leading to privilege escalation or unauthorized data access within Kubernetes clusters using EFS storage. The vulnerability requires high privileges (PersistentVolume admin role) but can be exploited remotely over the network with low complexity. Vendor-released patch v3.0.1 is available.
Denial of service in graphql-go versions 15.31.4 and below allows remote unauthenticated attackers to trigger excessive CPU consumption during GraphQL query validation by submitting queries with thousands of repeated identical fields, exploiting O(n²) complexity in the OverlappingFieldsCanBeMerged validation rule. The vulnerability bypasses existing QueryDepth and QueryComplexity mitigations. Vendor-released patch: version 15.31.5.
Stored XSS in WeGIA versions prior to 3.6.10 allows authenticated high-privilege users to inject malicious JavaScript via the Destinatário field, with payloads persisted and executed when other users view the dispatch page. The vulnerability requires administrative or high-privilege authentication but impacts confidentiality of all users accessing affected pages. No public exploit code or active exploitation has been reported.
Stored XSS in WeGIA patient management system (versions before 3.6.10) allows authenticated high-privilege users to inject malicious JavaScript via the patient name field, with execution occurring when patient records are subsequently viewed. The vulnerability affects all instances of WeGIA prior to version 3.6.10, where the fix has been released. Exploitation requires administrative or high-privilege account access but can compromise confidentiality and session integrity of users viewing affected patient records.
Command injection in Dell PowerProtect Data Domain allows high-privileged local attackers to execute arbitrary commands and gain root-level access across Feature Release versions 7.7.1.0-8.5, LTS2025 versions 8.3.1.0-8.3.1.20, and LTS2024 versions 7.13.1.0-7.13.1.50. The vulnerability requires local access and elevated privileges (PR:H), limiting exploitation scope to authenticated administrative users with shell or console access. No public exploit or active exploitation has been identified at the time of analysis.
Dell PowerProtect Data Domain versions 7.7.1.0 through 8.7.0.0 and specific LTS releases (8.3.1.0-8.3.1.20, 7.13.1.0-7.13.1.60) contain an OS command injection vulnerability (CWE-78) that allows high-privileged local attackers to execute arbitrary commands with root privileges. The vulnerability stems from improper neutralization of special elements in OS commands, with a CVSS score of 6.7 reflecting high confidentiality, integrity, and availability impact but constrained by local access and high privilege requirements.
Dell PowerProtect Data Domain versions 7.7.1.0 through 8.7.0.0, LTS2025 releases 8.3.1.0-8.3.1.20, and LTS2024 releases 7.13.1.0-7.13.1.60 allow local high-privileged attackers to execute arbitrary OS commands with root privileges via improper neutralization of special elements in command construction (OS command injection). No public exploit code or active exploitation has been identified at the time of analysis, but the vulnerability affects critical backup and disaster recovery infrastructure with direct root access potential.
Dell PowerProtect Data Domain versions 7.7.1.0-8.7.0.0, LTS2025 8.3.1.0-8.3.1.20, and LTS2024 7.13.1.0-7.13.1.60 allow OS command injection via improper neutralization of special elements in OS commands. A high-privileged local attacker can execute arbitrary commands with root privileges by exploiting this vulnerability, enabling complete system compromise.
Dell PowerProtect Data Domain versions 7.7.1.0-8.7.0.0, LTS2025 8.3.1.0-8.3.1.20, and LTS2024 7.13.1.0-7.13.1.60 are vulnerable to argument injection in command processing, allowing high-privileged local attackers to execute arbitrary commands as root. Exploitation requires administrative-level access and local system presence, limiting real-world exposure to insider threats or post-compromise scenarios. No public exploit code or active exploitation has been identified at the time of analysis.
Bypass of Windows Driver Signature Enforcement in Veeam Backup and Replication 12.x and Software Appliance 13.x allows local administrators to load unsigned kernel drivers, potentially enabling persistent kernel-level compromise. The vulnerability requires high-level administrative privileges and is not actively exploited in the wild; however, EPSS scoring (0.01%) suggests this is a low-probability exploitation target despite the high CVSS score, indicating the attack scenario is constrained by strict privilege and configuration requirements.
Dell PowerProtect Data Domain versions 8.4 through 8.5 contain an improper authentication vulnerability allowing high-privileged remote attackers to bypass authentication and gain unauthorized access to the system. CVSS 6.6 (high complexity, high privileges required) reflects the need for elevated attacker credentials but significant confidentiality, integrity, and availability impact. No public exploit code or active exploitation has been identified at time of analysis.
Dell PowerProtect Data Domain versions 8.4 through 8.5 contain an improper authentication vulnerability (CWE-287) allowing high-privileged remote attackers to bypass authentication controls and gain unauthorized access to protected systems. The vulnerability requires high privilege level and high attack complexity but enables confidentiality, integrity, and availability impact if successfully exploited. No active exploitation in CISA KEV confirmed at time of analysis.
OpenFGA 0.1.4 through 1.13.1 discloses preshared API authentication keys in plaintext HTML responses from the unauthenticated /playground endpoint when configured with preshared-key authentication. Remote attackers on accessible networks can retrieve credentials without authentication, compromising authorization service security. The vulnerability requires non-default configuration (preshared auth enabled, playground accessible beyond localhost), limiting but not eliminating real-world risk.
Time-based blind SQL injection in MasterStudy LMS WordPress plugin up to version 3.7.25 allows authenticated subscribers and above to extract sensitive database information including user credentials and session tokens via unquoted ORDER BY clause injection in the /lms/stm-lms/order/items REST API endpoint. The vulnerability stems from a custom Query builder that concatenates user-supplied sort parameters containing parentheses directly into SQL ORDER BY clauses without proper quoting, bypassing the plugin's use of esc_sql(). CVSS score of 6.5 reflects network-accessible exploitation requiring low privilege (subscriber-level) authentication and no user interaction.
WP Statistics plugin for WordPress versions up to 14.16.4 fail to enforce capability checks on multiple AJAX endpoints, allowing authenticated Subscriber-level users to access sensitive analytics data, retrieve and modify privacy audit status, and dismiss administrative notices. The vulnerability stems from reliance on nonce verification alone without role-based access control, affecting all installations with the plugin active and at least one authenticated user account. No public exploit code or active exploitation has been confirmed at time of analysis.
SQL injection in Tutor LMS plugin for WordPress through version 3.9.8 allows authenticated Admin-level attackers to extract sensitive database information by injecting malicious SQL via the 'date' parameter, which is insufficiently escaped before being interpolated into a SQL fragment passed to $wpdb->prepare(). The vulnerability requires Admin authentication and does not permit data modification or denial of service. CVSS 6.5 reflects confidentiality impact; exploitation is limited to high-privilege authenticated users.
wpForo Forum plugin for WordPress allows authenticated Subscriber-level attackers to modify arbitrary forum posts via variable extraction abuse and weak nonce validation. Attackers exploit the `extract($args, EXTR_OVERWRITE)` function in the `edit()` method to bypass permission checks, enabling unauthorized modification of post titles, bodies, names, and emails across all forum visibility levels including private forums and admin/moderator posts. A hardcoded nonce shared across all forum templates allows any user viewing any forum page to obtain a valid nonce, making exploitation trivial for authenticated users.
Stored Cross-Site Scripting in WeGIA versions prior to 3.6.10 allows authenticated users to inject malicious JavaScript into the Intercorrências notification page, which executes when other users access that page, enabling session hijacking and account takeover. The vulnerability requires user authentication to inject the payload but affects all subsequent viewers of the notification page without additional user interaction. Patch version 3.6.10 resolves the issue.
Stored Cross-Site Scripting in Royal Addons for Elementor plugin versions up to 1.7.1056 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the Instagram Feed widget's 'instagram_follow_text' setting, executing malicious scripts whenever users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the widget configuration handler. CVSS 6.4 reflects the moderate severity (network-accessible, no user interaction required from victims, but limited scope to stored XSS with low confidentiality and integrity impact). No public exploit code or active exploitation has been confirmed at time of analysis.
Stored XSS in Pz-LinkCard WordPress plugin (all versions through 2.5.8.1) allows Contributor-level authenticated users to inject malicious scripts via the 'blogcard' shortcode attributes due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed at time of analysis.
Heap-based buffer overflow in xrdp 0.10.5 and earlier allows unauthenticated remote attackers to cause denial of service or memory corruption when the domain_user_separator configuration directive is explicitly enabled in xrdp.ini. An attacker sends a crafted RDP logon request with an excessively long username and domain name combination that overflows an internal buffer, corrupting adjacent memory regions. The vulnerability requires non-default configuration (domain_user_separator must be uncommented) and affects only systems with this setting enabled. Vendor-released patch: version 0.10.6.
Authenticated remote command execution in xrdp through version 0.10.5 allows users to execute arbitrary shell commands on the RDP server via an unsanitized AlternateShell parameter during session initialization. When AllowAlternateShell is enabled (the default configuration), xrdp passes client-supplied shell commands directly to /bin/sh -c without sanitization, bypassing normal session constraints. An authenticated RDP user can exploit this to run arbitrary commands in the context of their login session before the window manager starts, with no public exploit code identified at time of analysis.
Dell PowerProtect Data Domain DD OS versions 8.4 through 8.5 fail to enforce rate limiting on authentication attempts, allowing high-privileged remote attackers to conduct brute-force attacks against administrative credentials without account lockout or delays. This authentication bypass vulnerability enables unauthorized access to backup infrastructure systems that manage critical data protection workflows, with CVSS 6.2 reflecting the requirement for already-elevated privileges and high attack complexity.
Dell PowerProtect Data Domain DD OS versions 8.4-8.5 contain a session fixation vulnerability allowing high-privileged remote attackers to hijack authenticated sessions and gain unauthorized access without requiring user interaction. CVSS 6.2 reflects the high-complexity attack surface (AC:H) offset by elevated attacker privileges (PR:H) and direct confidentiality/integrity impact; no public exploit or active exploitation has been identified at time of analysis.
Sparx Enterprise Architect client stores and transmits OAuth2 client secrets in plaintext, allowing local attackers to extract credentials and impersonate the application to obtain unauthorized access tokens. The vulnerability affects at least version 16.1.1627 and potentially earlier versions; local file system access is required to retrieve the exposed secrets, but once obtained, an attacker can perform remote authentication without additional privileges. NCSC-FI reported this vulnerability and it is tracked as EUVD-2025-209512; exploitation likelihood is elevated due to the ease of credential extraction from local storage.
Integer overflow in Firebird database versions prior to 5.0.4, 4.0.7, and 3.0.14 allows authenticated users with INSERT privileges to trigger a denial of service via a malformed Batch Parameter Block that overflows the totalLength value in ClumpletReader::getClumpletSize(), causing infinite loop conditions on the server.
Dell PowerProtect Data Domain contains a reflected cross-site scripting (XSS) vulnerability affecting DD OS Feature Release versions 7.7.1.0-8.5, LTS2025 versions 8.3.1.0-8.3.1.20, and LTS2024 versions 7.13.1.0-7.13.1.50. A high-privileged remote attacker can inject malicious scripts into the web interface via crafted requests; if a victim administrator views the malicious link, the script executes in their browser context, potentially leading to credential theft, session hijacking, or unauthorized administrative actions. CVSS 5.9 reflects the requirement for high privileges and user interaction, though the wide version range and network accessibility indicate broad exposure across deployed instances.
Command execution in JetBrains Junie before version 252.549.29 allows local attackers to execute arbitrary commands by crafting malicious project files, requiring user interaction to open the file. The vulnerability affects all Junie versions prior to the patched release and exploits unsafe handling of project file content without proper sanitization.
STProcessMonitor 11.11.4.0 driver in Safetica Application suite allows local privileged users to send crafted IOCTL requests (0xB822200C) that terminate processes protected by third-party security implementations due to insufficient caller validation in the kernel-mode driver handler. This enables denial of service attacks against critical services without requiring user interaction. Publicly available exploit code exists, and the vulnerability is tracked in CISA's LOLDrivers database as a legitimate-but-abused Windows driver.
Authentication bypass in Auth0 Next.js SDK versions 4.12.0 through 4.17.1 allows authenticated users with UI interaction to access sensitive endpoints through improper proxy cache lookups during concurrent nonce retry operations. The vulnerability specifically affects deployments using the proxy handler with DPoP (Demonstration of Proof-of-Possession) enabled, potentially exposing confidential user information via /me/* and /my-org/* endpoints. Vendor-released patch: version 4.18.0.
Claude Code prior to version 2.1.75 on Windows allows low-privileged local users to execute arbitrary code by placing a malicious configuration file in an unprotected shared directory (C:\ProgramData\ClaudeCode\managed-settings.json). The vulnerability exploits the default writability of ProgramData to non-administrative users and the absence of directory ownership validation, enabling privilege escalation or lateral impact when a victim user subsequently launches the application. This requires local system access and user interaction (launching Claude Code), limiting real-world impact to shared multi-user systems.
LatePoint WordPress plugin versions up to 5.3.2 expose a public, unauthenticated endpoint (OsStripeConnectController::create_payment_intent_for_transaction) that allows sequential enumeration of invoice IDs and unauthorized creation of transaction intent records containing sensitive financial data, customer identifiers, and Stripe payment secrets. Unauthenticated remote attackers can exploit this Insecure Direct Object Reference (IDOR) vulnerability to leak confidential payment information and Stripe Connect tokens without authentication or user interaction. No active exploitation has been confirmed at the time of analysis.
Quiz And Survey Master plugin for WordPress (versions up to 11.1.0) allows unauthenticated attackers to execute arbitrary WordPress shortcodes via user-submitted quiz answers. User inputs are sanitized with sanitize_text_field() and htmlspecialchars(), which strip HTML tags but fail to remove shortcode brackets [ and ]. When quiz results are displayed, the plugin executes do_shortcode() on the entire results page including user answers, enabling injection of shortcodes like [qsm_result id=X] to access unauthorized quiz submissions. This is a direct information disclosure vulnerability masked by RCE tagging; confirmed CVSS 5.3 (Integrity impact) indicates data tampering/unauthorized access rather than code execution.
Log injection vulnerability in Red Hat Ansible Automation Platform 2 MCP server allows unauthenticated remote attackers to inject control characters and ANSI escape sequences via the `toolsetroute` parameter, enabling log forgery and obscuring legitimate audit trails to facilitate social engineering attacks that trick operators into executing malicious commands or accessing attacker-controlled URLs. CVSS 5.3 (medium) reflects the integrity impact on logs without direct confidentiality or availability impact; exploitation requires no authentication, credentials, or user interaction. No public exploit code or active exploitation has been identified at time of analysis.
Kubio page builder plugin for WordPress allows authenticated attackers with Contributor-level access to upload arbitrary files from external URLs by bypassing capability checks in the REST API post creation handler. The kubio_rest_pre_insert_import_assets() function automatically imports remote files referenced in block attributes without verifying the user possesses the upload_files capability, violating WordPress's normal media upload restrictions. Affected versions are up to and including 2.7.2; no public exploit code has been identified at the time of analysis.
Tutor LMS plugin for WordPress versions up to 3.9.8 allow authenticated attackers to manipulate course content structure (detach lessons, move lessons between topics, reorder content) without proper authorization checks when the 'content_parent' parameter is omitted from requests to the tutor_update_course_content_order() function. Although the CVSS score of 5.3 reflects the absence of confidentiality impact, the vulnerability enables course instructors or subscribers to disrupt course integrity across the entire site despite lacking content management permissions, with no public exploit code confirmed but patch available in version 3.9.9.
Server-side request forgery (SSRF) in HashiCorp Vault's PKI engine ACME validation allows unauthenticated remote attackers to send http-01 and tls-alpn-01 challenge requests to local network targets by controlling DNS responses, potentially disclosing sensitive information from internal services. The vulnerability affects Vault Community Edition before 2.0.0 and Vault Enterprise before 1.19.16, 1.20.10, or 1.21.5. HashiCorp has released patched versions; no public exploit code has been identified at the time of analysis.
CubeCart administrative users can exploit a path traversal vulnerability prior to version 6.6.0 to read files from higher-level directories on the server, bypassing intended directory access restrictions. The vulnerability requires administrative privileges and affects CubeCart installations below 6.6.0. No active exploitation or public proof-of-concept has been identified; the low CVSS score (2.7) reflects the requirement for elevated privileges, making this a post-compromise lateral movement vector rather than an initial access risk.
SQL injection in CubeCart prior to 6.6.0 allows remote unauthenticated attackers to execute arbitrary SQL statements through a request requiring user interaction, affecting the e-commerce platform's database integrity and confidentiality. The vulnerability has a CVSS score of 6.3 with network-accessible attack vector and low complexity, though exploitation requires user engagement (UI:R) which moderates real-world risk. No public exploit code or active exploitation in CISA KEV has been confirmed at time of analysis.