Memory corruption in Linux kernel's algif_aead cryptographic interface allows local authenticated users to achieve arbitrary kernel memory read/write, leading to privilege escalation to root. The vulnerability stems from improper handling of in-place operations introduced in commit 72548b093ee3, affecting kernel versions from 4.14 through 6.19.x. Multiple public exploit codes exist including proof-of-concept demonstrations from security researchers, with EPSS score of 0.01% indicating currently low widespread exploitation likelihood despite POC availability.
Remote code execution in Xerte Online Toolkits 3.15 and earlier allows unauthenticated attackers to upload and execute arbitrary PHP code by chaining an incomplete file extension filter bypass (.php4 extension) with authentication bypass and path traversal vulnerabilities in the elFinder connector endpoint. Attackers can achieve complete server compromise by uploading malicious PHP files, renaming them with the .php4 extension to evade filtering, and executing operating system commands. Vendor-released patches available via three GitHub commits (02661be, 17e4f94, 507d55c). No public exploit code or active exploitation confirmed at time of analysis, though the attack chain is straightforward for skilled attackers.
Unauthenticated attackers can execute remote code and read arbitrary files in Xerte Online Toolkits 3.15 and earlier via a missing authentication flaw in the elFinder connector endpoint. The vulnerability stems from a logic error where HTTP redirects for unauthenticated requests fail to terminate PHP execution, allowing full server-side processing of file operations. Attackers can create directories, upload files, rename, duplicate, overwrite, and delete files in project media directories without authentication. When chained with path traversal and extension blocklist bypasses, this enables complete system compromise. VulnCheck identified the flaw, and vendor patches are available via three GitHub commits addressing versions 3.13.0 through 3.15.0.
Path traversal in Xerte Online Toolkits' elFinder connector allows authenticated attackers to move files to arbitrary filesystem locations, enabling application file overwrites, stored XSS, or chained remote code execution. Affects versions 3.15 and earlier through unsanitized rename operations at /editor/elfinder/php/connector.php. Vendor patches available via GitHub commits 02661be, 507d55c, and 17e4f94. CVSS 7.1 with low attack complexity and low privileges required. No public exploitation confirmed (SSVC: exploitation=none), but attack is not automatable per CISA framework.
Xerte Online Toolkits versions 3.15 and earlier expose the server-side filesystem root path through an unauthenticated GET request to the /setup page, allowing remote attackers to retrieve sensitive path information rendered in HTML responses. This information disclosure enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php, potentially leading to unauthorized file access or further system compromise.
ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
ELBA5 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Template injection combined with AngularJS 1.5.2 sandbox escape primitives in Beghelli Sicuro24 SicuroWeb enables arbitrary JavaScript execution in operator browsers, leading to session hijacking and persistent compromise. Network-adjacent attackers can exploit this via MITM on plaintext HTTP deployments requiring only passive user interaction. Publicly available POC exists (CVE-2026-22191 exploit chain documented by BoffSec Services and kmkz), confirming weaponization risk. CVSS 9.3 reflects adjacent-network access requirement (AV:A), but SSVC indicates total technical impact with POC-confirmed exploitation status.
Remote code execution via unauthenticated command injection in rclone's remote control API allows network attackers to execute arbitrary commands on the host system through a single HTTP request. The vulnerability affects rclone deployments with the RC API enabled (--rc or rclone rcd) that are network-accessible and lack global HTTP authentication. An attacker exploits the unprotected operations/fsinfo endpoint by crafting a WebDAV backend definition with a malicious bearer_token_command parameter, which executes during backend initialization. Confirmed exploitable on master branch (commit bf55d5e6) and release v1.73.4 with public proof-of-concept available. CVSS 9.2 reflects critical severity with network attack vector and no authentication required, though exploitation requires specific deployment configuration (AT:P). No CISA KEV listing or EPSS data available at time of analysis.
Authentication bypass in rclone's remote control (RC) API allows network attackers to disable authorization checks via unauthenticated configuration mutation, enabling full administrative access to RC endpoints. The `options/set` endpoint lacks authentication requirements and permits setting `rc.NoAuth=true`, which disables protection for all RC methods marked `AuthRequired: true`. Affects rclone v1.45 onward when RC is network-accessible without HTTP authentication. No CISA KEV listing or public exploit code identified at time of analysis, though GitHub security advisory provides detailed proof-of-concept reproduction steps. CVSS 9.2 reflects critical severity with network vector and no authentication required, though CVSS:4.0 AT:P (Attack Requirements: Present) indicates specific deployment prerequisites limit automatic exploitation.
Path traversal in EspoCRM's formula scripting engine allows authenticated administrators to achieve arbitrary file read/write on the web server by manipulating attachment sourceId fields. The vulnerability chains unsanitized user input with filesystem operations, enabling admins to overwrite or access files anywhere within PHP's open_basedir restriction. Publicly available exploit code exists. Vendor-released patch version 9.3.4 addresses this critical issue. Despite the 9.1 CVSS score and Changed scope indicating potential container escape or cross-tenant impact, EPSS data was not provided to assess real-world exploitation likelihood.
Local privilege escalation in PackageKit 1.0.2-1.3.4 allows unprivileged Linux users to install arbitrary RPM packages as root without authentication via TOCTOU race condition on transaction flags. The vulnerability exploits three synchronized bugs in the transaction state machine: unconditional flag overwrite, silent state-transition rejection that leaves corrupted flags, and late flag validation at dispatch time. Actively exploited in targeted attacks according to vendor advisory. CVSS 8.8 with scope change reflects full system compromise from low-privileged account. Patched in version 1.3.5.
LanSpy 2.0.1.159 contains a local buffer overflow vulnerability that allows attackers to overwrite the instruction pointer by supplying oversized input to the scan field. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
LanSpy 2.0.1.159 contains a local buffer overflow vulnerability in the scan section that allows local attackers to execute arbitrary code by exploiting structured exception handling mechanisms. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Iperius Backup 5.8.1 contains a local buffer overflow vulnerability in the structured exception handling (SEH) mechanism that allows local attackers to execute arbitrary code by supplying a malicious. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MAGIX Music Editor 3.1 contains a buffer overflow vulnerability in the FreeDB Proxy Options dialog that allows local attackers to execute arbitrary code by exploiting structured exception handling. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Terminal Services Manager 3.1 contains a stack-based buffer overflow vulnerability in the computer names field that allows local attackers to execute arbitrary code by triggering structured exception. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Command injection in radare2 PDB parser (versions before 6.1.4) enables arbitrary OS command execution when users analyze malicious PDB files. Publicly available exploit code exists. Attackers craft PDB files with newline characters in symbol names to inject radare2 commands during flag renaming operations, which then execute OS commands via radare2's shell operator when victims run the 'idp' command. CVSS 8.4 reflects local attack vector requiring user interaction, though EPSS data not available. Patch released in version 6.1.4 with detailed technical disclosure at blog.calif.io showing 0-day discovery process.
SQL injection in NocoBase's @nocobase/database package allows authenticated users with record-creation privileges to execute arbitrary SQL queries and extract database credentials. The vulnerability exists in the queryParentSQL() function, which constructs recursive Common Table Expression (CTE) queries using string concatenation instead of parameterized queries when processing tree collections with string primary keys. An attacker can inject malicious SQL by creating records with crafted primary key values, triggering the vulnerability when recursive eager loading occurs. Successful exploitation leads to full database compromise, with confirmed extraction of administrator credentials (emails and password hashes) in testing against PostgreSQL. On databases where the service account has elevated privileges, attackers can achieve operating system command execution via PostgreSQL's COPY...TO PROGRAM feature. Vendor patch available via GitHub PR #9133.
Cross-Site Request Forgery (CSRF) in GitLab CE/EE allows remote unauthenticated attackers to execute GraphQL mutations as authenticated victims through crafted web pages. Affects all versions from 17.0 through 18.11.0, with publicly available exploit code (HackerOne report 3627285). Despite high CVSS 8.1, exploitation requires user interaction (phishing/social engineering) and is not automatable per CISA SSVC framework. No evidence of active exploitation in CISA KEV at time of analysis. Vendor patches released: 18.9.6, 18.10.4, and 18.11.1.
Cross-site scripting vulnerability in GitLab's Storybook development environment allows remote unauthenticated attackers to steal access tokens via crafted user interaction. Affects GitLab CE/EE versions 16.1.0 through 18.9.5, 18.10 through 18.10.3, and 18.11.0. Publicly available exploit code exists (HackerOne report 3574642), though CISA SSVC indicates no confirmed active exploitation at time of analysis. CVSS 8.0 reflects high confidentiality and integrity impact with scope change, but CVSS vector AC:H (high complexity) and UI:R (user interaction required) indicate exploitation requires targeted social engineering rather than automated mass exploitation.
Cross-site scripting (XSS) in GitLab CE/EE versions 18.10.0-18.10.3 and 18.11.0 enables unauthenticated attackers to execute arbitrary JavaScript in victim browser sessions via improper path validation. GitLab disclosed this vulnerability with publicly available exploit code (HackerOne report 3572231), though CISA SSVC indicates no active exploitation confirmed at time of analysis. CVSS 8.0 reflects the changed scope (S:C) allowing impact beyond the vulnerable component, though High attack complexity (AC:H) and required user interaction (UI:R) limit ease of exploitation. Patched in versions 18.10.4 and 18.11.1.
SQL injection in NocoBase plugin-collection-sql allows authenticated users with collection management permissions to bypass validation controls and execute arbitrary SQL queries. The checkSQL() function blocks dangerous keywords on collection creation and execution but is completely absent from the update endpoint, enabling attackers to create benign SQL collections then modify them with malicious queries to exfiltrate sensitive data including user credentials. Vendor patch available via GitHub PR #9134 and commit 851aee5. CVSS 7.2 reflects high privileges required (PR:H), but real-world impact is severe for environments where collection managers are not fully trusted administrators.
Path traversal in EspoCRM admin template management allows authenticated administrators to read, create, overwrite, or delete arbitrary files on the server filesystem. The vulnerability affects all versions prior to 9.3.4 and stems from unsanitized `name` and `scope` parameters in template path construction. Publicly available exploit code exists (GitHub security advisory GHSA-44c3-xjfp-3jrh), though no CISA KEV listing or confirmed active exploitation. CVSS 7.2 reflects high impact across confidentiality, integrity, and availability, but exploitation requires high-privilege (admin) access, significantly limiting real-world exposure to insider threats or compromised admin credentials.
Textpad 8.1.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long buffer string through the Run command interface. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
UltraISO 9.7.1.3519 contains a local buffer overflow vulnerability in the Output FileName field of the Make CD/DVD Image dialog that allows attackers to overwrite SEH and SE handler records. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Angry IP Scanner 3.5.3 contains a buffer overflow vulnerability in the preferences dialog that allows local attackers to crash the application by supplying an excessively large string. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Angry IP Scanner for Linux 3.5.3 contains a denial of service vulnerability that allows local attackers to crash the application by supplying malformed input to the port selection field. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial of service in GitLab CE/EE versions 12.3 through 18.11.0 allows authenticated users to trigger excessive resource consumption during issue import operations due to improper input validation on user-supplied data. The vulnerability affects all minor versions from 12.3 onwards until patched versions 18.9.6, 18.10.4, and 18.11.1. Publicly available exploit code exists, and CISA SSVC assessment indicates the vulnerability is exploitable but not automatable at scale.
Authenticated users can trigger denial of service in GitLab CE/EE versions 10.6 through 18.11.0 by sending crafted requests to the discussions endpoint that exhaust server resources. The vulnerability requires valid authentication credentials and affects all affected versions across the 10.6, 18.9, 18.10, and 18.11 release branches. Publicly available exploit code exists; CISA has not yet listed this in the Known Exploited Vulnerabilities catalog, but active exploitation likelihood is moderate given public POC availability and the low complexity of resource exhaustion attacks.
Authenticated users can trigger denial of service in GitLab by overwhelming system resources through the GraphQL API due to insufficient resource allocation limits. Affected versions span from 12.4 through 18.11.0 across three release branches. Publicly available exploit code exists, though active exploitation has not been confirmed in CISA KEV. CVSS 6.5 reflects moderate severity with high availability impact but requires valid authentication.
Denial of service in GitLab CE/EE affects authenticated users who can trigger resource exhaustion when retrieving notes under specific conditions, causing service unavailability. Versions 9.2 through 18.9.5, 18.10.0 through 18.10.3, and 18.11.0 are vulnerable. An authenticated attacker with standard user privileges can exploit this remotely without user interaction via crafted note retrieval requests. A publicly available exploit exists, and patches have been released by GitLab.
Complete authentication bypass in openvpn-auth-oauth2 plugin mode (v1.26.3-1.27.2) grants VPN access to unauthenticated clients. Legacy OpenVPN clients lacking WebAuth/SSO support bypass OIDC authentication entirely and gain full network access due to incorrect plugin return codes. Only the experimental shared-library plugin deployment is affected; the default management-interface mode is not vulnerable. Vendor patch released in v1.27.3 with confirmed fix commits. No active exploitation reported, but trivial to exploit with standard Linux openvpn CLI against vulnerable deployments.
In the Linux kernel, the following vulnerability has been resolved: ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len() After this commit (e2b76ab8b5c9 "ksmbd: add support for read compound"), response buffer management was changed to use dynamic iov array. In the new design, smb2_calc_max_out_buf_len() expects the second argument (hdr2_len) to be the offset of ->Buffer field in the response structure, not a hardcoded magic number. Fix the remaining call sites to use the correct offsetof() value.
Authorization bypass in Sendmachine for WordPress plugin (versions ≤1.0.20) allows unauthenticated remote attackers to overwrite SMTP configuration settings without authentication. Attackers can redirect all outbound emails from WordPress sites - including password reset tokens and sensitive communications - to attacker-controlled servers, enabling credential theft and account takeover. CVSS 9.8 (Critical) reflects network attack vector with no authentication or user interaction required. No active exploitation confirmed at time of analysis, though the straightforward attack path (single HTTP request to exposed admin function) makes this a high-priority remediation target for sites using this plugin.
Use-after-free in Linux kernel ICSSG PRU Ethernet driver allows remote code execution with CVSS 9.8 scoring. Affects TI ICSSG network driver in kernels 6.15 through 7.0 (patched in 6.19.11 and 7.0). The flaw causes CPPI descriptors to be freed before timestamp processing completes on every received packet, creating a exploitable memory corruption condition. Despite critical CVSS scoring, EPSS probability is very low (0.02%, 5th percentile) and no active exploitation or public POC has been identified. The network attack vector (AV:N) combined with zero-day timing suggests this may be scored for worst-case remote exploitation scenario, but actual exploitability via network packets requires deeper investigation of ICSSG hardware context and packet processing pipeline.
Use-after-free vulnerability in Linux kernel iomap subsystem allows memory corruption when filesystem block size differs from I/O granularity. The flaw occurs during buffered read operations when ctx->cur_folio is accessed after ownership transfers to the I/O helper, potentially leading to data corruption, information disclosure, or system crashes. Affects Linux kernel 6.19.x series. CVSS 9.8 critical severity, but EPSS exploitation probability is very low (0.02%, 5th percentile). Vendor patches available via mainline kernel commits. No active exploitation or public POC identified at time of analysis.
Use-after-free and NULL pointer dereference vulnerabilities in Linux kernel's ksmbd SMB server allow remote unauthenticated attackers to achieve arbitrary code execution, information disclosure, or denial of service. The flaws occur during oplock (opportunistic lock) publication when error handling frees memory still referenced by concurrent readers, and when global lease lists are accessed before critical pointers are initialized. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), this represents a critical remote attack surface, though EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation activity. Vendor patches are available across affected kernel versions 6.6.130-6.19.9.
Use-after-free and descriptor management error in Linux kernel's Intel IDXD DMA engine driver allows NULL pointer dereferences, double completion, or descriptor leaks. The llist_abort_desc() function completes the wrong descriptor object due to a loop cursor bug introduced in commit aa8d18becc0c. Patches released for kernel 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS exploitation probability is very low (0.02%, 5th percentile), and no active exploitation or public exploit code identified. Despite CVSS 9.8 critical rating with network vector, the actual attack surface requires local access to DMA engine subsystems, making the CVSS vector likely inaccurate or context-dependent.
Privilege escalation in Augmentt 1.0 allows authenticated low-privilege users to manipulate HTTP parameters and gain super administrator access, exposing all tenant data and configurations to unauthorized modification. CVSS 9.6 critical severity with scope change indicates cross-tenant impact potential. Public proof-of-concept code exists on GitHub (PENGUINSECQ repository). SSVC framework rates this as proof-of-concept exploitation with partial technical impact, not automatable due to authentication requirement.
Integer truncation in Nimiq core-rs-albatross's skip block proof verification allows authenticated validators to forge consensus quorum with insufficient signatures. Prior to v1.3.0, attackers exploit usize-to-u16 casting during BitSet iteration by inserting indices spaced at 65536 intervals - these inflate the quorum count via len() but collapse onto identical u16 slots during BLS signature aggregation, enabling a single malicious validator to masquerade as 2f+1 signers and pass verification. CVSS 9.6 (Critical) reflects network vector with low complexity and changed scope impacting integrity and availability of the Proof-of-Stake consensus. No EPSS or KEV data available; vendor-released patch confirmed in v1.3.0 via GitHub advisory and commit d020590.
Remote code execution in ci4ms content management system allows authenticated backend users with theme creation permissions to write arbitrary PHP files via Zip Slip path traversal. A working proof-of-concept demonstrates uploading a malicious theme archive containing path-traversal entries (../../public/shell.php) that bypass extraction directory boundaries, placing executable code under the web root. Vendor-released patch available in version 0.31.5.0. No CISA KEV listing or EPSS data available, but publicly disclosed PoC significantly lowers exploitation barrier for attackers with valid credentials.
Remote code execution in ci4ms (CodeIgniter 4 Management System) versions prior to 0.31.5.0 allows authenticated backend users with backup creation permissions to write PHP webshells to the public web root via Zip Slip path traversal during backup restoration. The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code exists. CVSS 9.4 (Critical) aligns with the real-world risk, as exploitation requires only low-privilege authentication and the affected route is exempt from CSRF protection, enabling drive-by attacks against logged-in administrators. Vendor-released patch version 0.31.5.0 addresses the flaw by implementing path validation during ZIP extraction.
Denial of service in Linux kernel ext4 filesystem allows remote attackers to trigger infinite loops and system hangs (143+ second inode lock blocking) via crafted mkdir/mknod operations. The vulnerability stems from incomplete cleanup when extent insertion fails - ext4_ext_map_blocks() reclaims physical blocks without deleting stale extent tree entries, causing reuse of blocks already allocated to xattrs. This triggers infinite loops in ext4_xattr_block_set() that hold inode locks indefinitely. With CVSS 9.4 (AV:N/AC:L/PR:N/UI:N) but EPSS only 0.02% (percentile 7), the network attack vector rating appears inconsistent with typical local filesystem exploitation. Patches available across stable kernel branches 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and mainline 7.0. No active exploitation confirmed (not in CISA KEV), but tagged for denial-of-service impact.
SQL injection in Jellystat versions prior to 1.1.10 escalates to remote code execution on the PostgreSQL database host. Authenticated attackers can inject arbitrary SQL via multiple API endpoints (`/api/getUserDetails`, `/api/getLibrary`), initially exfiltrating sensitive credentials from the `app_config` table (including Jellystat admin credentials and Jellyfin API keys). Because the application uses node-postgres simple query protocol allowing stacked queries, attackers can leverage PostgreSQL's `COPY ... TO PROGRAM` to achieve command execution on the database server. The project's default docker-compose.yml deploys PostgreSQL with superuser privileges, removing any privilege barriers to RCE. Vendor patch released in version 1.1.10 (GitHub commit 735fe7c confirmed). No active exploitation confirmed by CISA KEV, but publicly available exploit code exists given the detailed technical disclosure in GitHub Security Advisory GHSA-fj7c-2p5q-g56m.
Remote code execution and full account takeover in CI4MS (CodeIgniter 4 CMS/ERP) allows authenticated high-privilege users to escalate to superadmin and compromise all accounts via stored DOM XSS in backup module filename fields. Attackers craft malicious SQL backup files containing hidden JavaScript payloads that execute when administrators view backup listings. Vendor-released patch available in version 0.31.5.0, addressing XSS via output escaping in DataTables rendering. No CISA KEV listing or public POC identified at time of analysis, but CVSS 9.1 Critical reflects scope change and multi-stage exploitation potential.
Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript code through the Forum Name field in dashboard. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authorization bypass in Create DB Tables WordPress plugin allows any authenticated user, including Subscribers, to execute arbitrary database operations including DROP TABLE commands against critical WordPress core tables. Wordfence reported this vulnerability affecting all versions through 1.2.1, where admin_post hooks lack both capability checks and nonce verification. Attackers with minimal Subscriber-level credentials can destroy entire WordPress installations by deleting wp_users, wp_options, or other core tables. CVSS vector indicates network-based attack (AV:N) with no authentication required (PR:N), though the description confirms authentication IS required at Subscriber level - this discrepancy suggests the CVSS vector may be incorrectly scored. No active exploitation confirmed via CISA KEV at time of analysis, but the vulnerability is trivially exploitable given the code is publicly viewable in WordPress plugin repository.
Beghelli SicuroWeb (Sicuro24) lacks Content Security Policy enforcement, permitting unrestricted loading of external JavaScript from attacker-controlled origins. When combined with template injection and sandbox escape flaws in the same application, this missing security header removes browser-enforced protections that would otherwise prevent external script execution, enabling attackers to inject arbitrary remote payloads into operator sessions. Publicly available exploit code exists, and SSVC analysis confirms exploitability is achievable but not automatable, with partial technical impact.