NO_PROXY protection bypass in Axios HTTP client (versions 1.0.0-1.15.0 and ≤0.31.0) lets an attacker who controls a request's target URL route loopback-bound traffic through an attacker-configured proxy by using any address in the 127.0.0.0/8 range other than 127.0.0.1 (e.g. 127.0.0.2, 127.1.2.3). This is an incomplete fix for CVE-2025-62718: the patch hardcoded only localhost, 127.0.0.1, and ::1 as loopback, ignoring RFC 1122's full /8 loopback block. Publicly available exploit code exists, but no public active exploitation is identified and EPSS is low (0.03%); it is fixed in 1.15.1 and 0.31.1.
Unauthenticated attackers can steal admin tokens from Dgraph Alpha v25.3.2 and earlier via the exposed /debug/vars endpoint, enabling complete authentication bypass to administrative functions. The vulnerability exists because Dgraph incompletely fixed a previous cmdline exposure issue-blocking only /debug/pprof/cmdline while still serving Go's expvar handler at /debug/vars, which publishes the full command-line arguments including --security token= flags. Attackers can retrieve the token remotely without authentication (CVSS AV:N/PR:N) and replay it in X-Dgraph-AuthToken headers to access admin-only endpoints. Vendor patch released in v25.3.3 per GitHub advisory GHSA-vvf7-6rmr-m29q. No public exploit identified at time of analysis, but detailed proof-of-concept steps are published in the advisory.
Remote code execution in BridgeHead FileStore pre-24A via Apache Axis2 default credentials allows unauthenticated attackers to deploy malicious web services and execute arbitrary OS commands. The vulnerability exploits exposed Axis2 admin console with unchanged default credentials, enabling full system compromise over the network with no authentication required. Publicly available exploit code exists (GitHub Gist), and CVSS 9.8 reflects critical risk with network vector, low complexity, and no privileges required. EPSS data not provided but exploitation prerequisites are minimal given default credential exposure.
JSON response tampering in the Axios HTTP client (versions 1.0.0 up to but not including 1.15.2) lets an attacker who can already pollute Object.prototype in a Node.js or browser application escalate that primitive into surgical, invisible rewriting of every parsed JSON API response, enabling privilege escalation, balance manipulation, and authorization bypass. The default transformResponse passes a prototype-inherited parseReviver to JSON.parse, so a planted Object.prototype.parseReviver runs against every key-value pair of every response. Publicly available exploit code exists (a PoC gist), though EPSS is very low (0.03%, 8th percentile) and the issue is not in CISA KEV.
CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API endpoints that allows unauthenticated remote attackers to write arbitrary data to the database by sending requests to the /api/ai-scanner/status-webhook and /api/ai-scanner/callback endpoints. Attackers can exploit the lack of authentication checks to cause denial of service through storage exhaustion, corrupt scan history records, and pollute database fields with malicious data.
Remote code execution in Apache ActiveMQ 5.x (before 5.19.6) and 6.x (before 6.2.5) allows authenticated attackers to bypass prior security fixes (CVE-2026-34197) by injecting malicious Spring XML configurations through HTTP Discovery transport connectors via Jolokia. Attackers leverage a VM transport loophole to invoke arbitrary bean factory methods like Runtime.exec() during Spring context initialization. EPSS score is low (0.06%, 19th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting limited widespread targeting despite high CVSS 8.8 score. Exploitation requires authenticated Jolokia access and presence of activemq-http module on classpath.
Arbitrary file write in Kata Containers v3.4.0 to v3.28.0 allows untrusted hosts to overwrite binaries and exfiltrate data from guest workloads, including those in confidential VMs (CVMs). The vulnerability stems from inadequate validation in the CopyFile policy, permitting host-initiated writes to arbitrary paths inside guest images. This enables binary replacement for code execution or data theft across the trust boundary. Patched in v3.29.0. EPSS data not available; no active exploitation confirmed at time of analysis.
Buffer overwrite vulnerability in uuid JavaScript library versions prior to 14.0.0 enables remote attackers to corrupt memory and potentially disclose sensitive information through out-of-range writes when applications use v3, v5, or v6 UUID generation functions with caller-provided output buffers. The library fails to validate buffer boundaries, allowing partial writes beyond allocated memory regions. Vendor patch available in version 14.0.0 per GitHub security advisory GHSA-w5hq-g745-h8pq. No confirmed active exploitation (not in CISA KEV), and CVSS 4.0 Environmental Score suggests exploitation status is unproven (E:U).
In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: fix use-after-free on disconnect In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed() is called and no file handles are open, the card and embedded chip are freed synchronously. The subsequent chip->card = NULL write then hits freed slab memory. Call trace: usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline] usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182 usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458 ... hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953 Fix by moving the card lifecycle out of usb6fire_chip_abort() and into usb6fire_chip_disconnect(). The card pointer is saved in a local before any teardown, snd_card_disconnect() is called first to prevent new opens, URBs are aborted while chip is still valid, and snd_card_free_when_closed() is called last so chip is never accessed after the card may be freed.
Prototype pollution in Axios HTTP client versions before 1.15.1 and 0.31.1 enables silent interception and modification of all JSON responses or complete HTTP transport hijacking when the JavaScript Object.prototype has been polluted by a co-dependency. This vulnerability requires a separate prototype pollution source within the same Node.js process but requires no authentication once that precondition exists. An attacker can then access credentials, headers, and request bodies across the application. EPSS data not available; no public exploit identified at time of analysis.
Remote unauthenticated attackers can bypass authentication and access sensitive configuration endpoints in SenseLive X3050's web management interface. The vulnerability enables complete device compromise without credentials due to improper access control enforcement (CWE-288). Reported by ICS-CERT and published in CISA advisory ICSA-26-111-12, this affects operational technology environments where the X3050 is deployed. With CVSS 9.3 (Critical) and network attack vector requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), this presents immediate risk to internet-exposed or network-accessible devices.
Unauthenticated remote attackers can retrieve and replace firmware on SenseLive X3050 industrial control devices via the remote management service, which performs no authentication, authorization, or integrity validation. This allows complete device takeover by uploading malicious firmware images. CISA has published an ICS advisory (ICSA-26-111-12), indicating industrial/OT sector relevance, though no CISA KEV listing or public exploit code has been identified at time of analysis.
SenseLive X3050's embedded management service grants full administrative control to unauthenticated remote attackers. The CVSS 4.0 score of 9.3 with network attack vector (AV:N), low complexity (AC:L), and no required privileges (PR:N) confirms this allows complete device compromise from any network-reachable host. CISA ICS Advisory ICSA-26-111-12 documents this vulnerability affecting industrial control system components, indicating potential operational technology (OT) environments are exposed. No authentication or authorization mechanisms protect the management interface, allowing arbitrary configuration changes, operational mode manipulation, and device state control through vendor or compatible clients.
Denial of service in Axios HTTP client before versions 1.15.1 and 0.31.1 allows remote unauthenticated attackers to crash Node.js processes by sending requests with deeply nested object structures that trigger unbounded recursion in the toFormData function. The vulnerability affects both browser and Node.js environments but is exploitable in server-side Node.js deployments where attacker-controlled data is passed to toFormData without depth validation.
Unauthenticated network discovery in SenseLive X3050 management ecosystem exposes device presence, identifiers, and management interfaces to attackers on the same network segment. The vendor's management protocol fails to authenticate discovery functions (CWE-306), allowing rapid enumeration of all deployed X3050 units without credentials. CISA ICS-CERT has issued an advisory (ICSA-26-111-12), indicating awareness in industrial control system environments. CVSS 8.7 reflects high confidentiality impact from network-based, low-complexity attacks requiring no privileges or user interaction.
Prototype pollution in Axios library versions prior to 1.15.1 and 0.31.1 allows remote attackers to suppress HTTP error responses via pollution of Object.prototype.validateStatus, causing authentication failures and server errors to be silently treated as successful responses. The vulnerability requires high attack complexity (prototype pollution gadget chain) but enables complete bypass of application-level authentication and error handling without user interaction.
Cross-Site Request Forgery in SenseLive X3050's web management interface enables authenticated attackers to force victims into executing unauthorized configuration changes and potentially disruptive operations. A remote attacker with low privileges can craft malicious web pages that, when visited by an authenticated administrator, trigger state-changing requests without the victim's knowledge, leading to high integrity and availability impact on the device. CISA ICS-CERT has issued an advisory (ICSA-26-111-12) for this industrial control system component, indicating coordination with the vendor and awareness within the critical infrastructure community.
Privilege escalation in Azure IoT Central enables authenticated attackers to gain unauthorized access to sensitive information and elevate their permissions across tenant boundaries. An attacker with low-privilege credentials can exploit exposed sensitive data over the network to compromise confidentiality, integrity, and availability of other tenant resources. Microsoft has published security guidance, but no independent confirmation of patch availability exists at time of analysis.
Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.
Remote code execution in electerm's npm install script allows unauthenticated attackers to execute arbitrary system commands on Linux systems during package installation. The install.js script unsafely concatenates attacker-controlled version strings from the project's update server directly into an 'rm -rf' command, enabling command injection. This critically affects users installing electerm via 'npm install -g electerm' on Linux, as a compromised update server or man-in-the-middle attacker could inject malicious commands during the installation process. The vulnerability has been patched in commit 59708b38c8, and the fixed version is already published to npm.
Remote code execution in Delta Electronics AS320T allows unauthenticated network attackers to exploit an unchecked buffer overflow in filename processing to execute arbitrary code with high impact to confidentiality, integrity, and availability. The CVSS 9.8 critical score reflects network-accessible attack surface with no authentication or user interaction required. No EPSS or KEV data available at time of analysis, but vendor advisory confirms multiple related vulnerabilities affecting the same product line.
Remote unauthenticated attackers can trigger denial of service in Delta Electronics AS320T industrial automation devices by invoking an undocumented subfunction. The vulnerability allows network-accessible exploitation without credentials against default configurations, potentially disrupting critical industrial control operations. Delta Electronics confirmed the flaw in PCSA-2026-00006, grouped with three other CVEs affecting the same product line.
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in __inet_lookup_established The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register(). However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently. This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established. Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.
In the Linux kernel, the following vulnerability has been resolved: seg6: separate dst_cache for input and output paths in seg6 lwtunnel The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own lookup. Fix this by splitting the cache into cache_input and cache_output, so each path maintains its own cached dst independently.
In the Linux kernel, the following vulnerability has been resolved: batman-adv: reject oversized global TT response buffers batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc(). The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocation is too small and batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object before the later packet-size check runs. Fix this by rejecting TT responses whose TVLV value length cannot fit in the 16-bit TVLV payload length field.
Use-after-free in Linux kernel batman-adv (B.A.T.M.A.N. Advanced mesh networking) allows remote network attackers to trigger memory corruption and potentially execute arbitrary code. The batadv_bla_add_claim() function can prematurely drop a gateway reference while readers still access the pointer, causing netlink dump and claim-check paths to dereference freed memory. Despite CVSS 9.8 critical rating, exploitation probability is low (EPSS 2%, 7th percentile), no active exploitation confirmed, and patches available across kernel stable branches 6.1.169, 6.6.135, 6.12.82, 6.18.23, 6.19.13, and mainline 7.0.
Integer underflow in Linux kernel stmmac network driver allows kernel memory disclosure and potential corruption via crafted network packets. The flaw occurs in chain mode jumbo frame handling when packets have small linear data but large total length from page fragments, causing buffer offset calculations to wrap to ~0xFFFFxxxx. This triggers massive loop iterations that DMA-map arbitrary kernel memory to the network hardware. On typical stmmac deployments (IOMMU-less embedded SoCs), attackers can remotely read kernel memory contents and potentially corrupt memory through hardware DMA operations. EPSS exploitation probability is low (0.02%) with no confirmed active exploitation, but CVSS 9.8 reflects the theoretical remote unauthenticated attack surface. Vendor patches available across all supported stable kernel branches (5.10.253, 5.15.203, 6.1.169, 6.6.135, 6.12.82, 6.18.23, 6.19.13, 7.0).
Remote code execution in Delta Electronics AS320T industrial automation server allows unauthenticated network attackers to trigger memory corruption via malformed GET/PUT requests to the web service. The incorrect buffer size calculation (CWE-131) enables stack-based overflow attacks against network-exposed management interfaces. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicating trivial exploitation conditions and CRITICAL severity, this vulnerability represents an immediate risk to industrial control systems deploying this Delta OT product, though no public exploit or active exploitation confirmed at time of analysis.
Unauthenticated remote attackers can exploit a cryptographic validation bypass in the Linux kernel's RxRPC rxkad authentication handler to potentially execute arbitrary code or cause denial of service. The rxkad_decrypt_ticket() function fails to verify that RXKAD response ticket decryption succeeded before parsing the buffer contents, allowing malformed RESPONSE packets with non-block-aligned ticket lengths to drive the ticket parser with attacker-controlled ciphertext bytes. Despite the critical 9.8 CVSS score indicating network-exploitable attack with high impact across confidentiality, integrity, and availability, EPSS exploitation probability is low (0.02%, 5th percentile) and no active exploitation or public POC has been identified. Patches are available across multiple stable kernel versions (6.6.135, 6.12.82, 6.18.23, 6.19.13, 7.0).
Heap buffer overflow in Linux kernel USB/IP client allows malicious USB/IP servers to execute arbitrary code with kernel privileges via crafted RET_SUBMIT responses. A rogue server can specify a larger number_of_packets value than originally submitted, causing out-of-bounds writes when processing isochronous USB transfers. Patched in kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS score of 0.02% (5th percentile) suggests low probability of widespread exploitation despite CVSS 9.8 criticality, indicating this is primarily a risk in environments using USB/IP with untrusted servers rather than a general internet-facing threat.
Use-after-free in Linux kernel memory management allows remote code execution when the folio_unmap_invalidate() function incorrectly accesses freed mapping structures. Kernel versions between 1da177e4c3f4 and patches 6.19.14/7.0.1 are affected. Exploitation probability is low (EPSS 2%, percentile 5%), with no confirmed active exploitation or public POC at time of analysis. Despite the critical CVSS 9.8 score indicating network-based unauthenticated attack, the description suggests this is a kernel memory corruption bug requiring local kernel code paths to trigger, not direct remote network exploitation - CVSS vector conflicts with technical nature and should be validated against vendor guidance.
Integer overflow in Linux kernel's rxrpc rxgk_verify_response() function allows remote unauthenticated attackers to bypass length validation checks and potentially achieve arbitrary code execution. The vulnerability exists in the rxrpc protocol implementation where token_len rounding occurs before validation, enabling buffer overflow conditions. With CVSS 9.8 (critical severity) and network attack vector requiring no authentication, this represents a significant exposure despite low EPSS score (0.02%, 4th percentile), suggesting limited real-world exploitation observed to date. Vendor patches are available across multiple stable kernel versions (6.18.23, 6.19.13, 7.0).
Double-free memory corruption in the Linux kernel SMB client (smbd) allows remote unauthenticated attackers to achieve arbitrary code execution, confidentiality breach, and denial of service. The vulnerability occurs when smbd_free_send_io() is erroneously called twice after smbd_send_batch_flush() operations, creating use-after-free conditions. Exploitation probability is low (EPSS 0.02%, 4th percentile) with no confirmed active exploitation or public POC, but the critical CVSS 9.8 score reflects the severe potential impact if network-accessible SMB client operations are triggered. Vendor patches available for kernel versions 6.18.24, 6.19.14, and 7.0.1.
A double-free vulnerability in the Linux kernel's SMB Direct (RDMA transport) server implementation allows remote unauthenticated attackers to trigger memory corruption with high CVSS 9.8 severity. The flaw occurs when smb_direct_free_sendmsg() is called twice on the same memory region after smb_direct_flush_send_list() moves messages to a batch list. Vendor patches available across kernel versions 6.18.24, 6.19.14, and 7.0.1, with upstream commits confirmed in stable branches. Despite critical CVSS scoring, EPSS probability remains very low at 0.02% (4th percentile) and no active exploitation or public POC identified, suggesting limited real-world targeting of this SMB Direct RDMA feature.
Use-after-free in Linux kernel SMB server (ksmbd) RDMA handling allows remote unauthenticated attackers to execute arbitrary code, escalate privileges, or crash the system via crafted SMB Direct connections. The vulnerability arises when batched RDMA send operations without IB_SEND_SIGNALED flags are prematurely freed during connection failures, causing memory corruption. Vendor patches are available for kernel versions 6.18.11, 6.19.1, and 7.0. EPSS score of 0.02% suggests low observed exploitation probability, and no active exploitation or public POC is confirmed at time of analysis, though the critical CVSS score (9.8) reflects severe potential impact if the SMB Direct feature is enabled.
Unchecked directory name buffer in Delta Electronics AS320T enables remote code execution without authentication. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is a remotely exploitable stack buffer overflow (CWE-121) requiring no user interaction or credentials. Delta Electronics disclosed this vulnerability in security advisory PCSA-2026-00006, affecting an industrial automation product. No EPSS score or KEV status available at time of analysis, but the trivial exploitation requirements (network accessible, no authentication, low complexity) present immediate risk to exposed AS320T devices.
CyberPanel versions prior to 2.4.4 contain a stored cross-site scripting vulnerability in the AI Scanner dashboard where the POST /api/ai-scanner/callback endpoint lacks authentication and allows unauthenticated attackers to inject malicious JavaScript by overwriting the findings_json field of ScanHistory records. Attackers can inject JavaScript that executes in an administrator's authenticated session when they visit the AI Scanner dashboard, allowing them to issue same-origin requests to plant cron jobs and achieve remote code execution on the server.
Authentication bypass in CodeChecker allows remote unauthenticated attackers to assign arbitrary permissions to any user through specially crafted URLs. All versions through 6.27.3 are affected, exposing static analysis infrastructure to complete compromise. CVSS 9.3 (Critical) with SSVC framework confirming total technical impact and automated exploitation potential. Proof-of-concept code exists (CVSS vector E:P), though CISA KEV does not currently list active exploitation. EPSS data unavailable but attack prerequisites are minimal (AV:N/AC:L/PR:N), making this a high-priority remediation target for organizations using CodeChecker in their development pipelines.
Missing JWT signature verification in AWS Ops Wheel enables remote unauthenticated attackers to forge administrative tokens and gain complete control over all application data and Cognito user accounts across all tenants. This critical authentication bypass (CVSS 9.8) has a vendor-released patch available via GitHub PR #164. EPSS data not available, but the combination of zero authentication requirements, network attack vector, and multi-tenant data exposure creates immediate exploitation risk for all deployments.
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1
Pre-authentication NoSQL injection in Dgraph allows remote unauthenticated attackers to exfiltrate entire databases and modify schemas via crafted JSON mutation keys. The vulnerability exploits unsanitized language tag fields in the addQueryIfUnique function, enabling DQL query injection through specially crafted HTTP POST requests to port 8080. Attackers can extract all database contents including credentials, secrets, and AWS keys with two HTTP requests against default configurations where ACL is disabled. CVSS 9.1 (Critical) with network vector, no authentication required, and low attack complexity. No public exploit code confirmed outside the GitHub advisory, though a complete proof-of-concept with video demonstration exists in the advisory. EPSS data not available for this recent CVE.
Authentication bypass in Budibase low-code platform (versions prior to 3.35.4) allows remote unauthenticated attackers to access any protected API endpoint by appending a public endpoint path as a query parameter. The vulnerability stems from unanchored regular expressions in authentication middleware that match against the full request URL including query strings, enabling attackers to craft requests like 'POST /api/global/users/search?x=/api/system/status' to bypass all authentication checks. CVSS score of 9.1 (Critical) reflects network-based remote exploitation with no authentication or user interaction required, resulting in high confidentiality impact and high availability impact. No public exploit code or active exploitation has been identified at time of analysis.
Remote unauthenticated attackers can exfiltrate all data from Dgraph databases via DQL injection in the /mutate endpoint's cond parameter. Default configurations with ACL disabled allow single HTTP POST requests to bypass authentication and execute arbitrary read queries, returning complete database contents including credentials, PII, and secrets. The vulnerability exploits unsanitized string concatenation in buildUpsertQuery() where user-supplied cond values are written directly into DQL queries without escaping or validation. Proof-of-concept demonstrates extraction of AWS credentials, GCP service account keys, and user secrets in a single request. No public exploitation confirmed at time of analysis, but POC code publicly available via GitHub advisory. EPSS data not available; CVSS 9.1 indicates critical severity with network vector and no authentication required.
Out-of-bounds read in Linux kernel's rxrpc rxgk authentication handler allows remote unauthenticated attackers to trigger information disclosure and denial of service via malformed RESPONSE authenticator packets. The vulnerability stems from incorrect pointer arithmetic in rxgk_verify_authenticator() that inflates the parser boundary check by a factor of four, allowing reads beyond kmalloc() buffer boundaries. Vendor patches available for kernel versions 6.18.23, 6.19.13, and 7.0. EPSS score of 0.02% (4th percentile) suggests low observed exploitation probability despite network attack vector, though KASAN reports confirm reproducibility.
Remote code execution in Roxy-WI versions before 8.2.6.4 allows unauthenticated attackers to write malicious code into scheduled tasks via path traversal in the haproxy_section_save interface. The vulnerability chains CWE-22 path traversal with cron job manipulation, enabling arbitrary command execution on servers managing HAProxy, Nginx, Apache, and Keepalived infrastructure. CVSS 8.9 with network attack vector and no privileges required indicates critical risk, though EPSS data and KEV status are unavailable to confirm active exploitation.
Remote code execution in Ray Data 2.49.0-2.54.0 allows attackers to execute arbitrary Python code by crafting malicious Parquet files containing Ray tensor extension types. When Ray Data reads these files, it deserializes untrusted metadata using cloudpickle.loads() without validation, triggering code execution during schema parsing before any data is read. The vulnerability requires only that a victim read a crafted Parquet file from any source (cloud storage, HuggingFace datasets, shared filesystems)-no cluster access or authentication needed. This reintroduces a vulnerability class previously fixed in May 2024, making it a regression introduced in July 2025 (PR #54831). Working proof-of-concept exists demonstrating exploitation via HuggingFace datasets following Ray's own documentation. EPSS data not available, not currently in CISA KEV.
Improper session lifetime enforcement in SenseLive X3050's web management interface allows attackers with access to a previously authenticated session to maintain administrative access without re-authentication, potentially enabling unauthorized configuration changes or information disclosure. The vulnerability affects the product's session management mechanism, permitting extended session validity beyond legitimate user activity windows. CVSS 6.9 indicates moderate risk; exploitation requires prior session compromise but no special configuration.
SQL injection in Roxy-WI versions before 8.2.6.4 allows remote unauthenticated attackers to execute arbitrary SQL commands via the server_ip parameter in the haproxy_section_save function. The vulnerability stems from unsanitized URL path parameters being directly interpolated into SQL queries using Python string formatting. Proof-of-concept code exists (CVSS E:P), and the CVSS 4.0 score of 8.9 with network vector (AV:N), low complexity (AC:L), and no authentication (PR:N) indicates a critical, easily exploitable vulnerability. Vendor-released patch available in version 8.2.6.4.
Helix Core Server (P4D) before 2026.1 ships with insecure default configurations allowing remote unauthenticated attackers to create arbitrary user accounts, enumerate users, authenticate without passwords, and access repository contents via the built-in 'remote' user. EPSS score of 0.06% (19th percentile) suggests low observed exploitation attempts despite the high CVSS 8.8 score and SSVC classification as automatable with partial impact. No active exploitation confirmed (not in CISA KEV). Perforce reports this as vendor-disclosed with secure-by-default enforced in version 2026.1.
Remote code execution in Apache ActiveMQ allows authenticated attackers with admin console access to inject malicious Spring XML contexts that execute arbitrary code on the broker's JVM. Attackers exploit improper broker name validation to embed xbean bindings, then trigger VM transport creation via DestinationView mbean to load remote Spring XML files containing malicious bean factory methods like Runtime.exec(). EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability despite CVSS 8.8, with CISA SSVC confirming no active exploitation and non-automatable attack chain. Vendor patches available: versions 5.19.6 and 6.2.5 address the vulnerability.