Server-Side Request Forgery (SSRF) in InternLM LMDeploy's vision-language module allows remote unauthenticated attackers to access cloud metadata services, internal networks, and sensitive resources through unvalidated URL fetching in the load_image() function. Affects all versions prior to 0.12.3. EPSS score not available; no public exploit identified at time of analysis. Patch released in version 0.12.3.
Buffer overflow in Tenda F451 router firmware 1.0.0.7_cn_svn7958 allows authenticated remote attackers to achieve complete compromise via the SafeClientFilter function. The httpd service improperly validates 'menufacturer' and 'Go' parameters, enabling memory corruption that leads to code execution with firmware-level privileges. A public exploit (GitHub PoC) exists, but no CISA KEV listing indicates exploitation remains proof-of-concept rather than widespread. EPSS data unavailable; CVSS 7.4 reflects network attack vector with low complexity, though low-privilege authentication is required.
Buffer overflow in Tenda F451 router (version 1.0.0.7_cn_svn7958) allows authenticated remote attackers to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability. The vulnerability exists in the httpd component's webExcptypemanFilter function, exploitable via malicious 'page' parameter input to /goform/webExcptypemanFilter. Public exploit code is available on GitHub (CVSS 7.4, CWE-120). EPSS data not provided, not listed in CISA KEV. This targets a specific legacy Chinese firmware version of a consumer-grade router with known end-of-life support issues.
Remote buffer overflow in Tenda F451 router (version 1.0.0.7_cn_svn7958) allows authenticated attackers to achieve arbitrary code execution via crafted DHCP server configuration requests. The vulnerability exists in the httpd service's /goform/GstDhcpSetSer endpoint, exploitable by manipulating the 'dips' parameter. Public exploit code is available on GitHub, significantly lowering exploitation barriers for authenticated attackers with network access to the router's management interface.
Stack-based buffer overflow in silex technology's SD-330AC (Ver.1.42 and earlier) and AMC Manager (Ver.5.0.2 and earlier) enables authenticated remote attackers to execute arbitrary code on the device via maliciously crafted redirect URLs. Reported by JPCERT with vendor advisories published, though EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV), and SSVC assessment marks exploitation status as 'none' despite the critical nature of remote code execution capability.
SD-330AC wireless LAN modules and AMC Manager devices from silex technology allow unauthenticated remote attackers to modify device configuration using null-string passwords when devices remain in factory-default state. CVSS:4.0 8.7 (High Vector, High Integrity Impact) rates this as high severity due to network-based attack vector with no authentication required (AV:N/PR:N/UI:N). EPSS probability remains low at 0.03% (8th percentile), suggesting limited observed exploitation attempts. No active exploitation confirmed at time of analysis per available intelligence. Vulnerability class CWE-1188 (insecure default initialization) represents common industrial IoT security gap where devices ship with unsafe out-of-box configurations.
Weak cryptographic implementation in Silex Technology SD-330AC wireless LAN adapters (v1.42 and earlier) and AMC Manager software (v5.0.2 and earlier) allows network-positioned attackers to intercept and decrypt network traffic through man-in-the-middle attacks. The vulnerability stems from use of broken or risky cryptographic algorithms (CWE-327), enabling confidentiality breach of transmitted data. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, and CISA SSVC framework classifies this as non-exploited with non-automatable attacks requiring attacker positioning. No public exploit code or active exploitation reported at time of analysis.
Authentication bypass in silex technology SD-330AC (≤1.42) and AMC Manager (≤5.0.2) allows remote attackers to gain unauthorized access by sending specially crafted packets that exploit residual sensitive data in memory. Attacker can log in without valid credentials due to improper clearance of authentication tokens or session data between requests. EPSS score of 0.03% (7th percentile) indicates low observed exploitation probability. JPCERT/CC reported this vulnerability, and vendor advisory confirms patches are available. Requires user interaction (CVSS 4.0 UI:P), limiting automated exploitation.
Missing authentication in Dell PowerProtect Data Domain 7.7.1.0-8.6 and LTS releases allows remote unauthenticated attackers to execute arbitrary commands with root privileges when combined with user interaction. Affects enterprise backup appliances across multiple release branches including LTS2025 (8.3.1.0-8.3.1.20) and LTS2024 (7.13.1.0-7.13.1.60). CVSS 8.8 with network vector but requires user interaction (UI:R), reducing immediate automation risk. No EPSS or KEV data available at time of analysis, indicating vulnerability is newly disclosed. Dell security advisory DSA-2026-060 confirms patch availability.
Privilege escalation in OpenXiangShan NEMU allows authenticated local attackers to bypass state-enable isolation controls when Smstateen extension is enabled. Clearing mstateen0.ENVCFG fails to properly restrict access to henvcfg and senvcfg Control and Status Registers (CSRs), enabling less-privileged code to read or write privileged configuration registers without triggering required exceptions. This undermines virtualization boundaries and multi-privilege isolation in RISC-V processor emulation environments. EPSS exploitation probability is low (0.02%, 4th percentile), no active exploitation confirmed, and publicly available exploit code exists via GitHub issue #690.
Privilege escalation in Vvveb CMS versions prior to 1.0.8.1 allows authenticated low-privileged users to inject role_id=1 into profile save requests, escalating to Super Administrator and enabling plugin upload for remote code execution. Vendor patch available in version 1.0.8.1. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. EPSS data not provided; KEV status unknown. Public disclosure via VulnCheck advisory with commit-level fix details increases likelihood of exploitation attempts.
OS command injection in TeamT5 ThreatSonar Anti-Ransomware ≤4.0.0 allows authenticated remote attackers with shell access to escalate privileges to root. Despite the high CVSS score (8.7), exploitation requires legitimate shell access and low-privilege authentication, limiting attack surface to environments where ransomware protection agents are accessible to compromised accounts. EPSS probability is low (0.12%, 32nd percentile), and no active exploitation or public POC has been identified. Taiwan CERT published advisories, suggesting regional deployment significance.
Remote code execution in OpenMage Magento LTS versions before 20.17.0 allows authenticated attackers to upload executable PHP files through product custom options by bypassing an incomplete file extension blocklist. The vulnerability exists because the upload filter only blocks `.php` and `.exe` extensions, permitting alternative PHP-executable extensions like `.phtml`, `.phar`, `.php3-.php7`, and `.pht`. Uploaded files land in the publicly accessible `media/custom_options/quote/` directory, enabling code execution on servers without explicit script execution restrictions. No active exploitation confirmed (not in CISA KEV), but public disclosure via GitHub Security Advisory increases exploitation likelihood. EPSS data not provided.
Remote code execution in Vvveb CMS 1.0.8 allows authenticated attackers with low privileges to upload PHP webshells disguised with .phtml extensions, bypassing file type restrictions to achieve full server compromise. The vulnerability stems from inadequate file upload validation in the media handler, enabling malicious files in publicly accessible directories. Upstream fix available via GitHub commit; EPSS data unavailable, no CISA KEV listing at time of analysis.
Heap buffer overflow in KissFFT library (all versions before commit 8a8e66e) enables remote code execution when applications process attacker-controlled FFT dimensions. Integer overflow in kiss_fftndr_alloc() causes malloc() to allocate undersized buffers, allowing heap memory corruption during multidimensional FFT operations. CVSS 8.8 (network vector, no authentication, user interaction required). EPSS and KEV data not provided; no public exploit confirmed at time of analysis. Upstream fix available via GitHub commit, but released patched version number not independently confirmed.
Remote code execution in ASUSTOR ADM (4.1.0-4.3.3.RR42 and 5.0.0-5.1.2.REO1) allows authenticated high-privilege attackers to execute arbitrary code via stack-based buffer overflow in VPN client components. The vulnerability combines unbounded sscanf() calls with format string weaknesses (printf with user-controlled data), exploitable due to absent PIE and stack canary protections. EPSS exploitation probability is low (0.23%, 46th percentile) with no public exploit code identified at time of analysis, suggesting limited real-world targeting despite high CVSS score.
Disabled user accounts in Nginx UI versions before 2.3.4 retain full API access through previously issued JWT tokens for the entire token lifetime, allowing attackers with stolen credentials to maintain persistent access and create new accounts even after administrative remediation attempts. This authentication bypass enables continued confidentiality and integrity compromise of Nginx configurations despite account lockout. Reported by GitHub security advisories; no evidence of active exploitation (not in CISA KEV), but the token-reuse mechanism makes exploitation straightforward for attackers who have already obtained credentials.
Local privilege escalation in SKYSEA Client View (≤21.200.07j) and SKYMEC IT Manager (≤2024.005.10a) allows low-privileged users to execute arbitrary code with administrative privileges by exploiting insecure installation folder permissions. Attackers can write malicious files into the product directory, achieving full system compromise. EPSS score of 0.01% (2nd percentile) indicates low likelihood of widespread exploitation despite CVSS 8.5 severity. No active exploitation confirmed; CISA SSVC assessment marks exploitation status as 'none' and automatable as 'no', suggesting targeted attack potential rather than mass exploitation risk.
OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' permissions to execute arbitrary commands via malicious WAF rule file uploads. The attacker exploits unsanitized input during the file upload process in the web UI. With CVSS 8.4 and scope change to 'Changed', successful exploitation enables complete system compromise beyond the vulnerable component. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis. EPSS data not available for risk assessment.
Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allows authenticated administrators with 'VS Administration' privileges to execute arbitrary operating system commands on the appliance via unsanitized input to the 'aclcontrol' API command. CVSS 8.4 reflects high-privilege requirement but scope change indicates container escape or cross-boundary impact. EPSS data not provided. No public exploit identified at time of analysis. Vendor-released patch: version 7.2.63.0 for all affected products per Progress advisory.
OS command injection in Progress LoadMaster, MOVEit WAF, ECS Connections Manager, and Object Scale Connection Manager API allows authenticated attackers with 'All' permissions to execute arbitrary commands on appliances via unsanitized input in the 'killsession' API endpoint. CVSS 8.4 (High) reflects adjacent network access vector and high privileges requirement, limiting exploitation to administrators or compromised admin accounts. CISA SSVC assessment indicates no active exploitation, non-automatable attack, but total technical impact. EPSS data not provided, but privilege requirements significantly reduce real-world attack surface compared to unauthenticated RCE vulnerabilities.
Command injection in Progress LoadMaster and related ADC products allows authenticated attackers with Geo Administration permissions to execute arbitrary OS commands on appliances via the unsanitized 'addcountry' API parameter. Affects LoadMaster, ECS Connections Manager, MOVEit WAF, and Object Scale Connection Manager versions prior to 7.2.63.0. EPSS data unavailable; not listed in CISA KEV. CVSS 8.4 reflects high impact (complete system compromise) but requires adjacent network access and high-privilege authentication, significantly constraining real-world exploitation scenarios. Vendor has released patches addressing all affected products.
Server-Side Request Forgery in Vvveb CMS versions prior to 1.0.8.1 allows authenticated backend users to read arbitrary local files via file:// URLs or probe internal network services via http:// URLs through the oEmbedProxy action's unvalidated url parameter. The vulnerability (CWE-918) enables information disclosure from the web server's filesystem and internal network reconnaissance. Patch available in version 1.0.8.1. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.
SQL injection in Apartment Visitors Management System v1.1 allows unauthenticated remote attackers to extract sensitive database contents via the contactno parameter on the password reset page. The vulnerability bypasses authentication controls through crafted input during password recovery operations. EPSS and KEV data not available, but SSVC framework indicates proof-of-concept exists and the vulnerability is automatable with partial technical impact. The CVSS score of 8.2 reflects high confidentiality impact with network-accessible attack surface requiring no user interaction.
Arbitrary file deletion in wpForo Forum plugin versions ≤3.0.5 allows authenticated attackers with subscriber-level privileges to delete critical WordPress files including wp-config.php, enabling remote code execution. The vulnerability chains two flaws: unvalidated file paths in custom profile fields and insufficient path sanitization before file deletion. Exploitation requires the wpForo User Custom Fields addon with at least one file-type custom field configured. CVSS 8.1 (High) with network attack vector, low complexity, and low privilege requirements. EPSS data and active exploitation status not available in current intelligence.
Remote code execution in OpenMage Magento LTS versions prior to 20.17.0 allows unauthenticated attackers to execute arbitrary code by uploading malicious phar archives disguised as images and triggering PHP deserialization via phar:// stream wrappers. The attack requires high complexity (AC:H) to exploit successfully. EPSS data not available, but exploitation requires specific conditions around file upload and path manipulation. Vendor patch available in version 20.17.0, confirmed by GitHub security advisory GHSA-fg79-cr9c-7369.
Path traversal in Everest Forms (WordPress plugin) allows unauthenticated attackers to read and delete arbitrary files on the server through malicious form submissions containing crafted old_files parameters. Vulnerable versions ≤3.4.4 use regex-based path resolution without canonicalization, enabling attackers to traverse directories, exfiltrate wp-config.php via email attachments (exposing database credentials and authentication salts), and trigger automatic deletion of targeted files post-email. CVSS 8.1 (AV:N/AC:H) reflects the remote vector with high attack complexity. EPSS and KEV status not provided; proof-of-concept details available in Wordfence advisory and plugin source code references.
Privileged CSR manipulation in XiangShan RISC-V processor core (commit aecf601e80, 2024-11-19) allows local attackers with M-mode access to corrupt processor status registers by exploiting improper handling of WPRI (Write Preserve, Read Ignore) fields in menvcfg operations. Carefully crafted csrrs instructions targeting menvcfg unexpectedly set reserved bits in xstatus to 1, violating RISC-V specification requirements that WPRI fields remain unchanged during CSR operations. Upstream fix committed (5e3dd63) but released version not confirmed. EPSS score 5th percentile indicates low real-world exploitation probability despite theoretical high impact, with no active exploitation or public POC identified.
Local privilege escalation in DeepCool DeepCreative software version 1.2.7 and earlier allows unauthenticated attackers to execute arbitrary code with elevated privileges through malicious file processing. The vulnerability stems from insecure permission configuration (CWE-277) requiring user interaction to open a crafted file. Public exploit research exists on GitHub (uncle-hash repository), though CISA has not confirmed active exploitation. CVSS 7.8 indicates high severity, but EPSS data unavailable; SSVC framework rates technical impact as total with no confirmed exploitation and non-automatable attack path.
LDAP injection in Roxy-WI web management interface (all versions through 8.2.8.2) allows complete authentication bypass when LDAP authentication is enabled. Unauthenticated remote attackers can inject LDAP filter metacharacters into the username field to manipulate directory queries and access the application without valid credentials. Proof-of-concept code exists (CVSS:4.0 E:P). No vendor patch available at time of publication, affecting production deployments managing Haproxy, Nginx, Apache, and Keepalived infrastructure.
Heap buffer overflow in NanoMQ MQTT Broker's REST API allows remote unauthenticated attackers to trigger denial of service via crafted HTTP requests. The off-by-one error in uri_param_parse function (CWE-122) affects all versions prior to 0.24.11. CVSS 7.7 (High) with network attack vector, low complexity, and no authentication required. Proof-of-concept exploit exists (CVSS E:P), though no CISA KEV listing indicates limited observed exploitation. Vendor patch available in version 0.24.11 with upstream fix committed (GitHub 69a97b3).
Unauthenticated access to meeting transcripts in Vexa transcription-collector service versions before 0.10.0-260419-1910 allows remote attackers to retrieve sensitive business conversations, credentials, and personally identifiable information. The service exposes an internal endpoint without authentication, enabling enumeration of meeting IDs and bulk extraction of confidential data. No public exploit identified at time of analysis, but exploitation requires only standard HTTP requests with no special conditions (CVSS AV:N/AC:L/PR:N/UI:N).
Path traversal in Junrar library versions prior to 7.5.10 allows remote attackers to write arbitrary files into sibling directories by extracting a crafted RAR archive, enabling unauthorized file creation and potential code injection. The vulnerability requires high attack complexity (AC:H) but no authentication or user interaction, affecting any Java application using vulnerable Junrar versions to process untrusted RAR files. Vendor-released patch: version 7.5.10.
Out-of-bounds read in GNU C Library (glibc) versions 2.1.1 through 2.43 during wide character pushback operations can cause application crashes and potential information disclosure. The ungetwc() function incorrectly operates on the regular character buffer instead of the wide-stream buffer due to an implementation bug in _IO_wdefault_pbackfail, leading to reads before allocated memory regions. While CVSS rates this 7.5 High with network vector, EPSS exploitation probability is extremely low (0.02%, 5th percentile), reflecting the highly specialized conditions required: applications must use ungetwc() with character encodings having single-byte/multi-byte overlaps (not standard Unicode sets). No active exploitation confirmed (not in CISA KEV), no public exploit code identified at time of analysis.
NEMU (OpenXiangShan/NEMU) before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector (RVV) decoder. The decoder does not correctly validate the funct3 field when decoding vsetvli/vsetivli/vsetvl, allowing certain invalid OP-V instruction encodings to be misinterpreted and executed as vset* configuration instructions rather than raising an illegal-instruction exception. This can be exploited by providing crafted RISC-V binaries to cause incorrect trap behavior, architectural state corruption/divergence, and potential denial of service in systems that rely on NEMU for correct execution or sandboxing.
SQL Injection in Apartment Visitors Management System v1.1 allows unauthenticated remote attackers to extract sensitive user data via the forgot-password.php email parameter. The vulnerability requires no authentication (PR:N), no user interaction (UI:N), and has low attack complexity (AC:L), enabling trivial exploitation against any internet-facing installation. EPSS data unavailable; not listed in CISA KEV. GitHub repository references suggest proof-of-concept code may exist, increasing immediate exploitation risk for the small but vulnerable user base of this PHP-based application.
Path traversal in TeamT5 ThreatSonar Anti-Ransomware versions ≤4.0.0 allows authenticated remote attackers with web access to delete arbitrary system files, potentially disabling security protections or causing system instability. With CVSS 7.2 (High Integrity and Availability impact), this poses significant risk to security infrastructure despite requiring authentication. EPSS score of 0.31% suggests low immediate exploitation likelihood, and CISA SSVC classifies it as non-automatable with total technical impact but no confirmed exploitation.
OS command injection in Dell PowerProtect Data Domain allows authenticated administrative users with network access to execute arbitrary commands with root privileges. Affects multiple release branches (7.7.1.0-8.6, LTS2025 8.3.1.0-8.3.1.20, LTS2024 7.13.1.0-7.13.1.60). Dell released patches across all affected branches (8.6.1.10, 7.13.1.70, 8.3.1.30). EPSS data unavailable; no KEV listing or public exploit identified at time of analysis. While CVSS 7.2 reflects high impact, exploitation requires pre-existing high-privilege administrative credentials, significantly limiting real-world attack surface to insider threats or credential compromise scenarios.
OS command injection in Dell PowerProtect Data Domain versions 7.7.1.0-8.6, LTS2025 8.3.1.0-8.3.1.20, and LTS2024 7.13.1.0-7.13.1.60 allows high-privileged remote attackers to execute arbitrary commands as root. Network-accessible exploitation requires existing administrative credentials but minimal attack complexity (CVSS:3.1/AV:N/AC:L/PR:H). No active exploitation confirmed (not in CISA KEV). Vendor patch available per DSA-2026-060, addressing CWE-78 command injection weakness in multiple product streams including LTS releases.
OS command injection in Dell PowerProtect Data Domain allows remote high-privileged attackers to execute arbitrary commands on DD OS versions 7.7.1.0-8.5, LTS2025 8.3.1.0-8.3.1.10, and LTS2024 7.13.1.0-7.13.1.40. Dell published DSA-2026-060 addressing this CWE-78 flaw with CVSS 7.2 (high impact on confidentiality, integrity, availability). No public exploit identified at time of analysis. Post-authentication requirement (PR:H) reduces immediate risk for environments with strong privileged access controls, but network attack vector (AV:N) enables remote exploitation once administrative credentials are obtained.
Arbitrary command execution with root privileges in Dell PowerProtect Data Domain versions 8.5 through 8.6 allows high-privileged remote attackers to escalate from administrative access to full system control via improper input validation. Dell has released patches (versions 2.7.9 with DD OS 8.3.1.30, and 8.6.1.10+) per DSA-2026-060. EPSS data not available, not listed in CISA KEV, suggesting targeted risk rather than widespread exploitation. The network attack vector (AV:N) combined with high privilege requirement (PR:H) indicates this is an admin-to-root escalation vulnerability rather than initial access.
Root-level command injection in Dell PowerProtect Data Domain versions 7.7.1.0-8.6, 8.3.1.0-8.3.1.20 (LTS2025), and 7.13.1.0-7.13.1.60 (LTS2024) allows high-privileged remote attackers to execute arbitrary commands as root through improper input validation. Vendor patch available via DSA-2026-060. EPSS and KEV data not provided; CVSS 7.2 reflects high impact but requires existing high-level authentication, limiting real-world exploitation to scenarios where admin credentials are already compromised or insider threats exist.
Control-flow disruption in XiangShan open-source RISC-V processor allows local authenticated attackers to trigger denial of service through malformed CSR operations that fail to properly invoke trap handlers. Affected commits from November 2024 contain improper exception handling in the NewCSR subsystem that can leave the processor core in a hung state when targeting non-existent CSR addresses. GitHub issue #3959 and pull request #3966 document the flaw and proposed fix. EPSS score of 0.02% (5th percentile) indicates very low predicted exploitation probability. No public exploit code identified and not listed in CISA KEV, suggesting primarily theoretical risk limited to specialized RISC-V development environments.
Unencrypted client-server communications in ConnectWise Automate Solution Center expose sensitive data to network interception in all versions before 2026.4. Remote authenticated attackers with network access can capture Solution Center traffic containing potentially high-value confidential information (CVSS:3.1 C:H). No active exploitation confirmed at time of analysis. EPSS data unavailable for this recent CVE.
Out-of-bounds read in the Linux kernel's X.509 certificate parser allows local unprivileged users to trigger memory corruption or denial of service by submitting a specially crafted certificate via the keyrings(7) API. The flaw exists in the handling of empty Basic Constraints or Key Usage extensions, where the first byte is dereferenced before the length check. A proof-of-concept was responsibly disclosed by the reporter, though no public exploit is identified at time of analysis and EPSS rates the exploitation probability as very low (0.01%).