Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec) The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy. Specifically, CamelCoapResource.handleRequest() iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(...) for every query parameter. CoAPEndpoint extends DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint, and CoAPComponent does not implement HeaderFilterStrategyComponent; the component contains no references to HeaderFilterStrategy at all. As a result, an unauthenticated attacker who can send a single CoAP UDP packet to a Camel route consuming from coap:// can inject arbitrary Camel internal headers (those prefixed with Camel*) into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, camel-sql, camel-bean, camel-file, or template components (camel-freemarker, camel-velocity), the injected headers can alter the producer's behavior. In the case of camel-exec, the CamelExecCommandExecutable and CamelExecCommandArgs headers override the executable and arguments configured on the endpoint, resulting in arbitrary OS command execution under the privileges of the Camel process. The producer's output is written back to the Exchange body and returned in the CoAP response payload by CamelCoapResource, giving the attacker an interactive RCE channel without any need for out-of-band exfiltration. Exploitation prerequisites are minimal: a single unauthenticated UDP datagram to the CoAP port (default 5683). CoAP (RFC 7252) has no built-in authentication, and DTLS is optional and disabled by default. Because the protocol is UDP-based, HTTP-layer WAF/IDS controls do not apply. This issue affects Apache Camel: from 4.14.0 through 4.14.5, from 4.18.0 before 4.18.1, 4.19.0. Users are recommended to upgrade to version 4.18.1 or 4.19.0, fixing the issue.
ProjeQtor versions 7.0 through 12.4.3 contain an unauthenticated SQL injection vulnerability in the login functionality where the login variable is directly concatenated into a SQL query without parameterization or sanitization. Attackers can inject arbitrary SQL expressions through the username field at the authentication endpoint to create privileged accounts, read sensitive data, and execute operating system commands if the database user has elevated permissions.
The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file using their canonical casing. This enables remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6. This issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
A remote code execution (RCE) vulnerability in the /devserver/start endpoint of leonvanzyl autocoder commit 79d02a allows attackers to execute arbitrary code via providing a crafted command parameter.
Remote unauthenticated command injection in Tenda AC18 router firmware V15.03.05.05_multi allows complete device compromise via the SetSambaCfg interface. Attackers can execute arbitrary system commands by manipulating the guestuser parameter in HTTP requests to /goform/SetSambaCfg. CVSS 9.8 critical severity with network attack vector and no authentication required. EPSS score of 0.06% (19th percentile) suggests low observed exploitation despite extreme technical severity. Publicly documented exploit proof-of-concept exists on GitHub.
Remote unauthenticated attackers can execute arbitrary code in Apache MINA 2.0.0-2.0.27, 2.1.0-2.1.10, and 2.2.0-2.2.5 through unsafe deserialization in AbstractIoBuffer.getObject(). This is an incomplete fix bypass for CVE-2024-52046 where the classname allowlist validation occurs after static initializers execute, enabling attackers to trigger malicious code execution before security controls engage. Apache confirmed the flaw affects applications calling IoBuffer.getObject() and released patches in versions 2.0.28, 2.1.11, and 2.2.6. CVSS 9.8 critical score reflects network-accessible unauthenticated exploitation with complete system compromise potential.
Remote code execution in Apache MINA 2.0.0-2.0.27, 2.1.0-2.1.10, and 2.2.0-2.2.5 allows unauthenticated network attackers to execute arbitrary code by exploiting unsafe deserialization in AbstractIoBuffer.resolveClass(). The vulnerability bypasses classname allowlist protections due to incomplete validation of static classes and primitive types. CVSS 9.8 critical severity reflects trivial network-based exploitation requiring no authentication or user interaction. Applications using IoBuffer.getObject() are affected. Vendor-released patches available in versions 2.0.28, 2.1.11, and 2.2.6.
Remote unauthenticated attackers can escalate privileges to administrator level in Directorist Social Login WordPress plugin versions prior to 2.1.4 through incorrect privilege assignment during social authentication flows. Exploitation requires no authentication or user interaction, enabling complete site takeover via social login mechanisms. CVSS 9.8 (Critical) reflects network-based attack vector with no complexity barriers. No public exploit code or CISA KEV listing identified at time of analysis, but Patchstack reporting suggests vulnerability may be under researcher scrutiny.
Authentication bypass in MERCURY MIPC252W IP camera 1.0.5 allows remote unauthenticated attackers to hijack authenticated RTSP sessions and execute unauthorized camera control commands. After an initial valid Digest authentication in a DESCRIBE request, the device fails to validate subsequent RTSP request credentials (SETUP, PLAY, TEARDOWN), accepting empty or invalid Authorization headers as long as session parameters match. This enables complete camera takeover including video stream access, configuration changes, and service disruption without credential brute-forcing. EPSS score of 0.01% suggests minimal observed exploitation activity, though the attack complexity is low (AV:N/AC:L/PR:N) and public PoC exists on GitHub.
The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from(\"imap://...\") or from(\"pop3://...\")) the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of the mail consumer (such as camel-bean, camel-exec, or camel-sql), can alter the behaviour of the route. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177) and the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.1. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6.
NASA Earth Observing System Data and Information System (EOSDIS) MODAPS v8.1 was discovered to contain a SQL injection vulnerability in the category parameter. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unauthenticated SQL injection in Directorist Booking WordPress plugin allows remote attackers to extract sensitive database contents and cause limited denial of service. The vulnerability affects all versions prior to 3.0.2 and can be exploited remotely with low complexity and no authentication (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). Patchstack has published details confirming the vulnerability exists in version 2.4.1 and earlier, with a vendor-released patch available in version 3.0.2. No CISA KEV listing or public exploit code identified at time of analysis.