Remote code execution in silex technology SD-330AC and AMC Manager allows unauthenticated network attackers to execute arbitrary code via heap-based buffer overflow when processing redirect URLs. CVSS 9.3 critical severity with attack vector AV:N/AC:L/PR:N/UI:N indicates trivial exploitation against internet-facing devices. No public exploit identified at time of analysis, though JPCERT coordination suggests vendor-confirmed vulnerability. EPSS data not available; real-world risk depends on internet exposure of affected silex wireless bridge and management software installations.
Remote code execution in Spinnaker's clouddriver component allows authenticated attackers to execute arbitrary commands on clouddriver pods via gitrepo artifact processing. Affects all versions prior to patched releases 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2. The vulnerability enables credential theft, file manipulation, and resource injection with minimal complexity (CVSS 9.9, AV:N/AC:L/PR:L). EPSS data not available; no public exploit or active exploitation confirmed at time of analysis, but the attack simplicity and multi-cloud CD platform context create high risk for supply chain compromise in containerized environments.
Remote code execution in Spinnaker's Echo service (all versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2) allows authenticated attackers with low privileges to execute arbitrary system commands and access files through unrestricted Spring Expression Language (SPeL) injection in artifact processing. Unlike Spinnaker's Orca service which implemented SPeL sandbox restrictions, Echo permits full JVM class access, enabling attackers to invoke arbitrary Java classes for deep system compromise. The CVSS 9.9 score reflects network attack vector with low complexity, scope change to impact other components, and complete CIA triad compromise. EPSS and KEV data not available - exploitation status unknown but patches are available from Spinnaker project.
Privilege escalation in Doorman API gateway v0.1.0 and v1.0.2 allows authenticated users to elevate their role to high-privileged (non-admin) accounts by directly editing the 'role' field via the /platform/user/{username} endpoint. The vulnerability stems from missing authorization checks on self-service user updates - any valid login credential is sufficient to escalate privileges to roles like 'manager' or 'developer'. CVSS 9.9 (Critical) reflects the Changed scope and broad compromise potential. SSVC indicates proof-of-concept code exists but exploitation requires human interaction (not automatable), suggesting targeted rather than mass-exploitation risk. No CISA KEV listing at time of analysis.
Remote code execution in SGLang 0.5.9's /v1/rerank endpoint allows unauthenticated attackers to execute arbitrary code by loading specially crafted model files with malicious Jinja2 templates. The vulnerability stems from unsandboxed rendering of tokenizer.chat_template fields, enabling template injection attacks. Publicly available exploit code exists (GitHub POC by Stuub). With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and SSVC ratings of automatable with total technical impact, this represents critical risk for exposed SGLang deployments handling untrusted model files.
OpenXiangShan NEMU emulator's RISC-V Hypervisor extension implementation allows VS-mode guest writes to the sie (supervisor interrupt-enable) CSR to corrupt machine-level mie state, breaking privilege isolation between virtualization layers. Fixed in commit 55295c4 per GitHub PR #938. Despite CVSS 9.8 Critical rating with network attack vector (AV:N), the EPSS score of 0.03% (9th percentile) indicates extremely low observed exploitation probability, and the vulnerability specifically affects RISC-V emulator environments rather than typical network-accessible services. No CISA KEV listing or public exploit identified at time of analysis, suggesting this is a theoretical high-severity issue in specialized research/development contexts rather than an imminent widespread threat.
Heap buffer overflow in glibc scanf functions versions 2.7 through 2.43 allows remote unauthenticated attackers to execute arbitrary code by providing malicious input to applications using %mc format specifiers with width >1024. CVSS 9.8 indicates critical network-accessible impact, but EPSS score of 0.02% (5th percentile) suggests minimal real-world exploitation activity at time of analysis. No CISA KEV listing confirms this as a theoretical risk requiring specific application usage patterns rather than widespread active exploitation. Successful exploitation depends on target applications parsing attacker-controlled input through affected scanf family functions with specific format string configurations.
NEMU contains an implementation flaw in its RISC-V Hypervisor CSR handling where henvcfg[7:4] (CBIE/CBCFE/CBZE-related fields) is incorrectly masked/updated based on menvcfg[7:4], so a machine-mode write to menvcfg can implicitly modify the hypervisor's environment configuration. This can lead to incorrect enforcement of virtualization configuration and may cause unexpected traps or denial of service when executing cache-block management instructions in virtualized contexts (V=1).
Remote code execution in ASUSTOR ADM (ASUSTOR Data Master) operating system versions 4.1.0-4.3.3.RR42 and 5.0.0-5.1.2.REO1 allows authenticated administrators to inject arbitrary OS commands via the PPTP VPN Clients web interface. The command injection (CWE-78) bypasses the restricted web environment, enabling full system compromise. Attack complexity is low (AC:L) with network attack vector (AV:N), and CVSS 9.4 reflects critical impact across confidentiality, integrity, and availability. No active exploitation or public POC confirmed at time of analysis, though EPSS probability data not available.
SQL injection in Apartment Visitors Management System V1.1's login form allows remote unauthenticated attackers to bypass authentication and extract database contents via the username parameter. The vulnerability scores 9.4 CVSS with network attack vector and low complexity. Public exploit code exists (SSVC confirms POC status), making this immediately exploitable. EPSS data unavailable, but SSVC framework rates it as automatable with partial technical impact, indicating high practical risk for internet-exposed installations.
Remote code execution with container escape in Flowsint OSINT tool allows unauthenticated attackers to execute arbitrary OS commands as root on the host machine. The vulnerability exploits shell metacharacter injection in the 'org_to_asn' transformer when processing organization nodes in OSINT sketches. With CVSS 9.3 (CVSS 4.0), network attack vector, low complexity, and no authentication required, this represents critical risk to any internet-exposed Flowsint instance. Upstream fix committed (b52cbbb904c) removes vulnerable code, but no tagged release version confirmed yet. CVSS vector indicates proof-of-concept exploit exists (E:P).
SQL Injection in Digiwin EasyFlow .NET enables unauthenticated remote attackers to execute arbitrary SQL commands against the application database, allowing full compromise of data confidentiality, integrity, and availability. Taiwan CERT (TWCERT) publicly disclosed this critical vulnerability with CVSS 9.3 scoring, indicating network-accessible exploitation requiring no authentication or user interaction. No CISA KEV listing identified at time of analysis, suggesting either limited deployment scope or recent disclosure. EPSS data not provided, but CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation if product is internet-facing.
Critical SQL injection in Digiwin EasyFlow .NET allows unauthenticated remote attackers to execute arbitrary SQL commands against the application database. With maximum CVSS 4.0 score of 9.3 and network-accessible attack vector requiring no privileges or user interaction, this vulnerability enables complete database compromise. Taiwan CERT reported this issue, indicating regional targeting or discovery. No active exploitation confirmed in CISA KEV at time of analysis, but the combination of trivial exploitation conditions and catastrophic impact warrants immediate priority.
Remote code execution in Vvveb CMS v1.0.8 allows authenticated administrators to execute arbitrary system commands as www-data via a two-stage file upload attack. Attackers exploit a logic flaw in the media management file rename handler that fails to block .php and .htaccess extensions, enabling MIME type manipulation followed by PHP code execution. VulnCheck published an advisory and GitHub commit 6fb8eaa confirms upstream fix. No EPSS data available; no active exploitation confirmed at time of analysis.
Remote code execution in Vvveb CMS versions prior to 1.0.8.1 allows unauthenticated attackers to inject arbitrary PHP code through the installation endpoint's subdir parameter, which is written directly into env.php without sanitization. The vulnerability enables complete system compromise as the web server user with no authentication required. Publicly available patch exists (version 1.0.8.1) with detailed fix commit reference.
Apache Kafka 4.1.0 and 4.1.1 accept forged JWT tokens without signature validation, allowing remote unauthenticated attackers to authenticate as any user and gain unauthorized access to Kafka resources. The default SASL/OAUTHBEARER validator (DefaultJwtValidator) fails to verify token signatures, issuers, or audiences, enabling complete authentication bypass. CVSS 9.1 (Critical) with network vector and no privileges required. SSVC indicates the vulnerability is automatable with partial technical impact. No active exploitation confirmed at time of analysis, but the attack requires minimal sophistication and could be scripted trivially given the token acceptance behavior.
Buffer overflow in glibc's obsolete NIS authentication function allows remote attackers to compromise integrity and availability via spoofed UDP responses. Affects all glibc versions through 2.43, but exploitation requires the target application to actively use the deprecated nis_local_principal function (obsolete since glibc 2.26). EPSS score of 0.02% (5th percentile) indicates low real-world exploitation probability, consistent with the narrow attack surface of legacy NIS deployments. No active exploitation or public exploit code identified at time of analysis.
Account takeover in OpenAEV cyber adversary simulation platform (versions 1.0.0 through 2.0.12) allows remote unauthenticated attackers to reset any user's password via non-expiring 8-digit reset tokens. By mass-generating tokens (which never expire) and brute-forcing the small token space, attackers can reliably compromise administrator accounts within minutes, leading to full platform compromise including modification of payloads executed on all agent-deployed hosts. EPSS data not provided; no CISA KEV listing identified at time of analysis. Vendor-released patch available in version 2.0.13.