DjangoBlog up to version 2.1.0.0 contains an authentication bypass vulnerability in the blog/views.py Clean Endpoint that allows remote unauthenticated attackers to trigger cache purge or data manipulation operations. The vulnerability has a CVSS score of 6.5 (medium severity) with network-accessible attack vector and low complexity; publicly available exploit code exists, and the vendor has not responded to early disclosure.
Path traversal in kodcloud KodExplorer 4.52 and earlier allows unauthenticated remote attackers to access unauthorized files via the public share handler's path parameter. The vulnerability has publicly available exploit code (EPSS data not provided, not listed in CISA KEV). The vendor did not respond to responsible disclosure, leaving all versions through 4.52 unpatched at time of analysis.
Remote unauthenticated access to vector database configurations in TransformerOptimus SuperAGI ≤0.0.14 allows attackers to retrieve, modify, or disrupt stored embeddings via the /vector_dbs endpoint. Missing authentication (CWE-306) in the get_vector_db_details function enables unauthorized manipulation of AI agent knowledge bases with CVSS 7.3. Publicly available exploit code exists (Proof-of-Concept published on GitHub Gist), but no active exploitation confirmed via CISA KEV. EPSS data not provided. Vendor unresponsive to early disclosure per VulDB report.
Missing authentication in DjangoBlog 2.1.0.0 and prior allows remote unauthenticated attackers to inject GPS tracking data via the owntracks/views.py logtracks endpoint. Publicly available exploit code exists (GitHub POC). CVSS 7.3 with full network attack vector (AV:N/AC:L/PR:N/UI:N). EPSS and KEV status not provided, but POC availability indicates medium-to-high exploitation risk for internet-facing DjangoBlog instances with OwnTracks integration enabled. Vendor non-responsive to disclosure.
Hard-coded Amap API key exposure in DjangoBlog allows remote attackers to abuse geolocation services without authentication. DjangoBlog versions up to 2.1.0.0 embed a fixed cryptographic key in owntracks/views.py for Amap API calls, enabling unauthorized API usage with low confidentiality, integrity, and availability impact. Publicly available exploit code exists (POC=YES). EPSS data not provided. Not listed in CISA KEV. Vendor unresponsive to disclosure.
Hard-coded credentials in osuuu LightPicture versions up to 1.2.2 allow unauthenticated remote attackers to bypass authentication via the /public/install/lp.sql file at the API upload endpoint. The vulnerability enables unauthorized access with confidentiality, integrity, and availability impacts. A public exploit exists (CVSS:3.1 E:P), significantly lowering the attack barrier. The vendor was notified but has not responded or issued patches.
SQL injection in dameng100 muucmf 1.9.5.20260309 allows remote unauthenticated attackers to compromise database confidentiality, integrity, and availability via the 'keyword' parameter in /index/Search/index.html. Public exploit code is available (thinhneee.github.io), increasing immediate exploitation risk. EPSS and KEV data not available, but CVSS 7.3 with network attack vector (AV:N), low complexity (AC:L), and no authentication required (PR:N) indicate high accessibility. Vendor (dameng100) has not responded to disclosure, suggesting no official patch timeline.
Improper authentication in kodcloud KodExplorer versions up to 4.52 allows unauthenticated remote attackers to bypass access controls via the fileGet endpoint. The vulnerability resides in the fileGet function within /app/controller/share.class.php, exploitable by manipulating the fileUrl parameter. With CVSS 7.3 and network attack vector requiring no privileges or user interaction, this enables unauthorized file access and potential data manipulation. EPSS score unavailable; no CISA KEV listing indicates no confirmed widespread exploitation. Vendor non-responsive to disclosure attempts.
Stored cross-site scripting (XSS) in EMC - Easily Embed Calendly Scheduling Features WordPress plugin versions 4.4 and earlier allows authenticated contributors and above to inject arbitrary JavaScript into pages via insufficiently sanitized shortcode attributes, executing malicious scripts whenever site visitors access the affected pages. No public exploit code or active exploitation has been confirmed at analysis time.
Stored cross-site scripting (XSS) in Wavlink WL-WN579A3 wireless router allows remote unauthenticated attackers to inject malicious scripts via the Hostname parameter in /cgi-bin/login.cgi, affecting all firmware versions prior to 2026-03-10. The vulnerability requires user interaction (UI:R) to trigger payload execution in a victim's browser, limiting direct remote code execution but enabling credential theft, session hijacking, or malware distribution. A vendor patch was released promptly after responsible disclosure.