NO_PROXY protection bypass in Axios HTTP client (versions 1.0.0-1.15.0 and ≤0.31.0) lets an attacker who controls a request's target URL route loopback-bound traffic through an attacker-configured proxy by using any address in the 127.0.0.0/8 range other than 127.0.0.1 (e.g. 127.0.0.2, 127.1.2.3). This is an incomplete fix for CVE-2025-62718: the patch hardcoded only localhost, 127.0.0.1, and ::1 as loopback, ignoring RFC 1122's full /8 loopback block. Publicly available exploit code exists, but no public active exploitation is identified and EPSS is low (0.03%); it is fixed in 1.15.1 and 0.31.1.
Unauthenticated attackers can steal admin tokens from Dgraph Alpha v25.3.2 and earlier via the exposed /debug/vars endpoint, enabling complete authentication bypass to administrative functions. The vulnerability exists because Dgraph incompletely fixed a previous cmdline exposure issue-blocking only /debug/pprof/cmdline while still serving Go's expvar handler at /debug/vars, which publishes the full command-line arguments including --security token= flags. Attackers can retrieve the token remotely without authentication (CVSS AV:N/PR:N) and replay it in X-Dgraph-AuthToken headers to access admin-only endpoints. Vendor patch released in v25.3.3 per GitHub advisory GHSA-vvf7-6rmr-m29q. No public exploit identified at time of analysis, but detailed proof-of-concept steps are published in the advisory.
Remote code execution in BridgeHead FileStore pre-24A via Apache Axis2 default credentials allows unauthenticated attackers to deploy malicious web services and execute arbitrary OS commands. The vulnerability exploits exposed Axis2 admin console with unchanged default credentials, enabling full system compromise over the network with no authentication required. Publicly available exploit code exists (GitHub Gist), and CVSS 9.8 reflects critical risk with network vector, low complexity, and no privileges required. EPSS data not provided but exploitation prerequisites are minimal given default credential exposure.
JSON response tampering in the Axios HTTP client (versions 1.0.0 up to but not including 1.15.2) lets an attacker who can already pollute Object.prototype in a Node.js or browser application escalate that primitive into surgical, invisible rewriting of every parsed JSON API response, enabling privilege escalation, balance manipulation, and authorization bypass. The default transformResponse passes a prototype-inherited parseReviver to JSON.parse, so a planted Object.prototype.parseReviver runs against every key-value pair of every response. Publicly available exploit code exists (a PoC gist), though EPSS is very low (0.03%, 8th percentile) and the issue is not in CISA KEV.
Remote unauthenticated attackers can bypass authentication and access sensitive configuration endpoints in SenseLive X3050's web management interface. The vulnerability enables complete device compromise without credentials due to improper access control enforcement (CWE-288). Reported by ICS-CERT and published in CISA advisory ICSA-26-111-12, this affects operational technology environments where the X3050 is deployed. With CVSS 9.3 (Critical) and network attack vector requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), this presents immediate risk to internet-exposed or network-accessible devices.
Unauthenticated remote attackers can retrieve and replace firmware on SenseLive X3050 industrial control devices via the remote management service, which performs no authentication, authorization, or integrity validation. This allows complete device takeover by uploading malicious firmware images. CISA has published an ICS advisory (ICSA-26-111-12), indicating industrial/OT sector relevance, though no CISA KEV listing or public exploit code has been identified at time of analysis.
SenseLive X3050's embedded management service grants full administrative control to unauthenticated remote attackers. The CVSS 4.0 score of 9.3 with network attack vector (AV:N), low complexity (AC:L), and no required privileges (PR:N) confirms this allows complete device compromise from any network-reachable host. CISA ICS Advisory ICSA-26-111-12 documents this vulnerability affecting industrial control system components, indicating potential operational technology (OT) environments are exposed. No authentication or authorization mechanisms protect the management interface, allowing arbitrary configuration changes, operational mode manipulation, and device state control through vendor or compatible clients.
Privilege escalation in Azure IoT Central enables authenticated attackers to gain unauthorized access to sensitive information and elevate their permissions across tenant boundaries. An attacker with low-privilege credentials can exploit exposed sensitive data over the network to compromise confidentiality, integrity, and availability of other tenant resources. Microsoft has published security guidance, but no independent confirmation of patch availability exists at time of analysis.
Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.
Remote code execution in electerm's npm install script allows unauthenticated attackers to execute arbitrary system commands on Linux systems during package installation. The install.js script unsafely concatenates attacker-controlled version strings from the project's update server directly into an 'rm -rf' command, enabling command injection. This critically affects users installing electerm via 'npm install -g electerm' on Linux, as a compromised update server or man-in-the-middle attacker could inject malicious commands during the installation process. The vulnerability has been patched in commit 59708b38c8, and the fixed version is already published to npm.
Remote code execution in Delta Electronics AS320T allows unauthenticated network attackers to exploit an unchecked buffer overflow in filename processing to execute arbitrary code with high impact to confidentiality, integrity, and availability. The CVSS 9.8 critical score reflects network-accessible attack surface with no authentication or user interaction required. No EPSS or KEV data available at time of analysis, but vendor advisory confirms multiple related vulnerabilities affecting the same product line.
Remote unauthenticated attackers can trigger denial of service in Delta Electronics AS320T industrial automation devices by invoking an undocumented subfunction. The vulnerability allows network-accessible exploitation without credentials against default configurations, potentially disrupting critical industrial control operations. Delta Electronics confirmed the flaw in PCSA-2026-00006, grouped with three other CVEs affecting the same product line.
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in __inet_lookup_established The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register(). However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently. This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established. Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.
In the Linux kernel, the following vulnerability has been resolved: seg6: separate dst_cache for input and output paths in seg6 lwtunnel The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own lookup. Fix this by splitting the cache into cache_input and cache_output, so each path maintains its own cached dst independently.
In the Linux kernel, the following vulnerability has been resolved: batman-adv: reject oversized global TT response buffers batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc(). The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocation is too small and batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object before the later packet-size check runs. Fix this by rejecting TT responses whose TVLV value length cannot fit in the 16-bit TVLV payload length field.
Use-after-free in Linux kernel batman-adv (B.A.T.M.A.N. Advanced mesh networking) allows remote network attackers to trigger memory corruption and potentially execute arbitrary code. The batadv_bla_add_claim() function can prematurely drop a gateway reference while readers still access the pointer, causing netlink dump and claim-check paths to dereference freed memory. Despite CVSS 9.8 critical rating, exploitation probability is low (EPSS 2%, 7th percentile), no active exploitation confirmed, and patches available across kernel stable branches 6.1.169, 6.6.135, 6.12.82, 6.18.23, 6.19.13, and mainline 7.0.
Integer underflow in Linux kernel stmmac network driver allows kernel memory disclosure and potential corruption via crafted network packets. The flaw occurs in chain mode jumbo frame handling when packets have small linear data but large total length from page fragments, causing buffer offset calculations to wrap to ~0xFFFFxxxx. This triggers massive loop iterations that DMA-map arbitrary kernel memory to the network hardware. On typical stmmac deployments (IOMMU-less embedded SoCs), attackers can remotely read kernel memory contents and potentially corrupt memory through hardware DMA operations. EPSS exploitation probability is low (0.02%) with no confirmed active exploitation, but CVSS 9.8 reflects the theoretical remote unauthenticated attack surface. Vendor patches available across all supported stable kernel branches (5.10.253, 5.15.203, 6.1.169, 6.6.135, 6.12.82, 6.18.23, 6.19.13, 7.0).
Remote code execution in Delta Electronics AS320T industrial automation server allows unauthenticated network attackers to trigger memory corruption via malformed GET/PUT requests to the web service. The incorrect buffer size calculation (CWE-131) enables stack-based overflow attacks against network-exposed management interfaces. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicating trivial exploitation conditions and CRITICAL severity, this vulnerability represents an immediate risk to industrial control systems deploying this Delta OT product, though no public exploit or active exploitation confirmed at time of analysis.
Unauthenticated remote attackers can exploit a cryptographic validation bypass in the Linux kernel's RxRPC rxkad authentication handler to potentially execute arbitrary code or cause denial of service. The rxkad_decrypt_ticket() function fails to verify that RXKAD response ticket decryption succeeded before parsing the buffer contents, allowing malformed RESPONSE packets with non-block-aligned ticket lengths to drive the ticket parser with attacker-controlled ciphertext bytes. Despite the critical 9.8 CVSS score indicating network-exploitable attack with high impact across confidentiality, integrity, and availability, EPSS exploitation probability is low (0.02%, 5th percentile) and no active exploitation or public POC has been identified. Patches are available across multiple stable kernel versions (6.6.135, 6.12.82, 6.18.23, 6.19.13, 7.0).
Heap buffer overflow in Linux kernel USB/IP client allows malicious USB/IP servers to execute arbitrary code with kernel privileges via crafted RET_SUBMIT responses. A rogue server can specify a larger number_of_packets value than originally submitted, causing out-of-bounds writes when processing isochronous USB transfers. Patched in kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS score of 0.02% (5th percentile) suggests low probability of widespread exploitation despite CVSS 9.8 criticality, indicating this is primarily a risk in environments using USB/IP with untrusted servers rather than a general internet-facing threat.
Use-after-free in Linux kernel memory management allows remote code execution when the folio_unmap_invalidate() function incorrectly accesses freed mapping structures. Kernel versions between 1da177e4c3f4 and patches 6.19.14/7.0.1 are affected. Exploitation probability is low (EPSS 2%, percentile 5%), with no confirmed active exploitation or public POC at time of analysis. Despite the critical CVSS 9.8 score indicating network-based unauthenticated attack, the description suggests this is a kernel memory corruption bug requiring local kernel code paths to trigger, not direct remote network exploitation - CVSS vector conflicts with technical nature and should be validated against vendor guidance.
Integer overflow in Linux kernel's rxrpc rxgk_verify_response() function allows remote unauthenticated attackers to bypass length validation checks and potentially achieve arbitrary code execution. The vulnerability exists in the rxrpc protocol implementation where token_len rounding occurs before validation, enabling buffer overflow conditions. With CVSS 9.8 (critical severity) and network attack vector requiring no authentication, this represents a significant exposure despite low EPSS score (0.02%, 4th percentile), suggesting limited real-world exploitation observed to date. Vendor patches are available across multiple stable kernel versions (6.18.23, 6.19.13, 7.0).
Double-free memory corruption in the Linux kernel SMB client (smbd) allows remote unauthenticated attackers to achieve arbitrary code execution, confidentiality breach, and denial of service. The vulnerability occurs when smbd_free_send_io() is erroneously called twice after smbd_send_batch_flush() operations, creating use-after-free conditions. Exploitation probability is low (EPSS 0.02%, 4th percentile) with no confirmed active exploitation or public POC, but the critical CVSS 9.8 score reflects the severe potential impact if network-accessible SMB client operations are triggered. Vendor patches available for kernel versions 6.18.24, 6.19.14, and 7.0.1.
A double-free vulnerability in the Linux kernel's SMB Direct (RDMA transport) server implementation allows remote unauthenticated attackers to trigger memory corruption with high CVSS 9.8 severity. The flaw occurs when smb_direct_free_sendmsg() is called twice on the same memory region after smb_direct_flush_send_list() moves messages to a batch list. Vendor patches available across kernel versions 6.18.24, 6.19.14, and 7.0.1, with upstream commits confirmed in stable branches. Despite critical CVSS scoring, EPSS probability remains very low at 0.02% (4th percentile) and no active exploitation or public POC identified, suggesting limited real-world targeting of this SMB Direct RDMA feature.
Use-after-free in Linux kernel SMB server (ksmbd) RDMA handling allows remote unauthenticated attackers to execute arbitrary code, escalate privileges, or crash the system via crafted SMB Direct connections. The vulnerability arises when batched RDMA send operations without IB_SEND_SIGNALED flags are prematurely freed during connection failures, causing memory corruption. Vendor patches are available for kernel versions 6.18.11, 6.19.1, and 7.0. EPSS score of 0.02% suggests low observed exploitation probability, and no active exploitation or public POC is confirmed at time of analysis, though the critical CVSS score (9.8) reflects severe potential impact if the SMB Direct feature is enabled.
Unchecked directory name buffer in Delta Electronics AS320T enables remote code execution without authentication. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is a remotely exploitable stack buffer overflow (CWE-121) requiring no user interaction or credentials. Delta Electronics disclosed this vulnerability in security advisory PCSA-2026-00006, affecting an industrial automation product. No EPSS score or KEV status available at time of analysis, but the trivial exploitation requirements (network accessible, no authentication, low complexity) present immediate risk to exposed AS320T devices.
Authentication bypass in CodeChecker allows remote unauthenticated attackers to assign arbitrary permissions to any user through specially crafted URLs. All versions through 6.27.3 are affected, exposing static analysis infrastructure to complete compromise. CVSS 9.3 (Critical) with SSVC framework confirming total technical impact and automated exploitation potential. Proof-of-concept code exists (CVSS vector E:P), though CISA KEV does not currently list active exploitation. EPSS data unavailable but attack prerequisites are minimal (AV:N/AC:L/PR:N), making this a high-priority remediation target for organizations using CodeChecker in their development pipelines.
Missing JWT signature verification in AWS Ops Wheel enables remote unauthenticated attackers to forge administrative tokens and gain complete control over all application data and Cognito user accounts across all tenants. This critical authentication bypass (CVSS 9.8) has a vendor-released patch available via GitHub PR #164. EPSS data not available, but the combination of zero authentication requirements, network attack vector, and multi-tenant data exposure creates immediate exploitation risk for all deployments.
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1
Pre-authentication NoSQL injection in Dgraph allows remote unauthenticated attackers to exfiltrate entire databases and modify schemas via crafted JSON mutation keys. The vulnerability exploits unsanitized language tag fields in the addQueryIfUnique function, enabling DQL query injection through specially crafted HTTP POST requests to port 8080. Attackers can extract all database contents including credentials, secrets, and AWS keys with two HTTP requests against default configurations where ACL is disabled. CVSS 9.1 (Critical) with network vector, no authentication required, and low attack complexity. No public exploit code confirmed outside the GitHub advisory, though a complete proof-of-concept with video demonstration exists in the advisory. EPSS data not available for this recent CVE.
Authentication bypass in Budibase low-code platform (versions prior to 3.35.4) allows remote unauthenticated attackers to access any protected API endpoint by appending a public endpoint path as a query parameter. The vulnerability stems from unanchored regular expressions in authentication middleware that match against the full request URL including query strings, enabling attackers to craft requests like 'POST /api/global/users/search?x=/api/system/status' to bypass all authentication checks. CVSS score of 9.1 (Critical) reflects network-based remote exploitation with no authentication or user interaction required, resulting in high confidentiality impact and high availability impact. No public exploit code or active exploitation has been identified at time of analysis.
Remote unauthenticated attackers can exfiltrate all data from Dgraph databases via DQL injection in the /mutate endpoint's cond parameter. Default configurations with ACL disabled allow single HTTP POST requests to bypass authentication and execute arbitrary read queries, returning complete database contents including credentials, PII, and secrets. The vulnerability exploits unsanitized string concatenation in buildUpsertQuery() where user-supplied cond values are written directly into DQL queries without escaping or validation. Proof-of-concept demonstrates extraction of AWS credentials, GCP service account keys, and user secrets in a single request. No public exploitation confirmed at time of analysis, but POC code publicly available via GitHub advisory. EPSS data not available; CVSS 9.1 indicates critical severity with network vector and no authentication required.
Out-of-bounds read in Linux kernel's rxrpc rxgk authentication handler allows remote unauthenticated attackers to trigger information disclosure and denial of service via malformed RESPONSE authenticator packets. The vulnerability stems from incorrect pointer arithmetic in rxgk_verify_authenticator() that inflates the parser boundary check by a factor of four, allowing reads beyond kmalloc() buffer boundaries. Vendor patches available for kernel versions 6.18.23, 6.19.13, and 7.0. EPSS score of 0.02% (4th percentile) suggests low observed exploitation probability despite network attack vector, though KASAN reports confirm reproducibility.