Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Command injection in Amazon ECS Agent on Windows allows authenticated attackers with task definition permissions to execute arbitrary shell commands with SYSTEM privileges on the underlying host. The vulnerability exists in the FSx Windows File Server volume mounting component (versions prior to 1.103.0), where username field input is not properly sanitized before being passed to OS commands. This affects AWS customers running Windows-based ECS container workloads with FSx volumes - exploitation requires IAM permissions to register ECS task definitions or write to credential stores (Secrets Manager/SSM Parameter Store) used by FSx configurations. Vendor-released patch: version 1.103.0. EPSS and KEV data not provided; no public exploit identified at time of analysis.
Stack-based buffer overflow in Tenda 4G300 US_4G300V1.0Mt_V1.01.42_CN_TDC01 allows authenticated remote attackers to execute arbitrary code with elevated privileges via crafted SafeMacFilter requests. The vulnerability resides in function sub_427C3C at endpoint /goform/SafeMacFilter, where insufficient input validation of the 'page' parameter enables memory corruption. Public exploit code exists on GitHub (Axelioc/CVE), significantly lowering the barrier to exploitation for attackers with valid router credentials. CVSS 7.4 reflects high confidentiality, integrity, and availability impact requiring only low-privilege authentication.
Buffer overflow in TOTOLINK A800R router firmware 4.1.2cu.5137 enables authenticated remote attackers to achieve arbitrary code execution with high privileges. The vulnerability exists in the setWiFiMultipleConfig function of the wireless configuration module (wireless.so) within the cstecgi.cgi web interface, exploitable via malformed wepkey2 parameter. Public proof-of-concept exploit code is available on GitHub. EPSS data not provided, CISA KEV status not listed, indicating exploitation is demonstrated but not yet observed in widespread campaigns.
Silent dependency checksum bypass in hexpm/hex package manager (versions 0.16.0 through 2.4.1) allows attackers to substitute malicious dependencies without detection. The Hex.RemoteConverger module fails to verify lockfile checksums due to a string-versus-atom type mismatch in the verification logic, causing the security check to be silently skipped. Attackers who can poison local package caches or compromise registry responses can deliver modified packages that overwrite mix.lock without raising alerts. SSVC framework indicates proof-of-concept exists, attack is non-automatable (requires user interaction and precise timing), with total technical impact. Fixed in version 2.4.2 (commit d7528c8).
Heap overflow in Wireshark 4.6.0 through 4.6.4 TLS protocol dissector enables remote code execution when a user opens a malicious capture file or inspects crafted network traffic. The vulnerability requires user interaction (UI:R) but no authentication, making it exploitable via social engineering. No public exploit code identified at time of analysis, though the technical details are disclosed in vendor advisory wnpa-sec-2026-14 and tracked in GitLab issue #21090. CVSS 8.8 reflects the combination of network vector, low complexity, and potential for complete system compromise despite the user interaction requirement.
Remote code execution in IBM Langflow Desktop 1.0.0 through 1.8.4 allows authenticated attackers to execute arbitrary commands at the privilege level of the Langflow process. Attackers can exfiltrate API keys and database credentials from environment variables, modify application files, or pivot to internal network targets. IBM has released a vendor patch addressing this code injection vulnerability. No active exploitation confirmed by CISA KEV at time of analysis, though CVSS 8.8 severity and low attack complexity indicate high exploitability once authenticated access is obtained.
XML External Entity (XXE) injection in RTI Connext Professional's Core Libraries allows remote unauthenticated attackers to exfiltrate sensitive data and cause denial of service through maliciously crafted XML documents processed by the DDS middleware. Affects versions 4.3x through 7.6.x across all major release branches (4.3x-7.4.0), with vendor patch available but no public exploit identified at time of analysis. CVSS 8.8 (High) reflects network attack vector with high confidentiality and availability impact but no integrity compromise, consistent with typical XXE data exfiltration and resource exhaustion scenarios. SSVC assessment indicates non-automatable exploitation with partial technical impact, suggesting targeted attack scenarios rather than mass exploitation.
XML external entity injection in SpringBlade v4.8.0's /designer/loadReport endpoint enables authenticated attackers to execute arbitrary code remotely. The vulnerability requires low-privilege authentication (PR:L) but no other special conditions (AC:L, UI:N), allowing attackers with basic credentials to compromise confidentiality, integrity, and availability. EPSS probability is low (0.02%, 6th percentile) indicating minimal observed exploitation activity. No CISA KEV listing confirms this is not yet widely exploited in the wild, though a GitHub issue documents the flaw suggesting proof-of-concept details may exist.
Cross-site request forgery in Dbit N300 T1 Pro wireless router V1.0.0 allows remote unauthenticated attackers to execute arbitrary administrative actions by convincing an authenticated administrator to visit a malicious webpage. The router lacks anti-CSRF tokens and Origin/Referer validation on configuration endpoints like /api/setWlan, enabling complete router compromise through social engineering. Publicly available exploit code exists (SSVC: poc status) with EPSS data not provided, indicating proof-of-concept demonstration but no confirmed active exploitation at time of analysis.
Cross-site request forgery in U-SPEED N300 Router V1.0.0 allows remote attackers to execute administrative actions through victim browsers when authenticated administrators visit attacker-controlled webpages. The router's web management interface lacks CSRF tokens and Origin/Referer validation, enabling attackers to craft malicious pages that trigger state-changing operations using the victim's valid session cookie. A proof-of-concept exploit exists (GitHub repository linked), though no active exploitation is confirmed in CISA KEV at time of analysis. CVSS 8.8 severity reflects high impact across confidentiality, integrity, and availability when exploitation succeeds.
Path traversal in JeeSite v5.15.1's file upload endpoint allows authenticated users with file upload permissions to write arbitrary files to any filesystem location, enabling remote code execution by uploading malicious files (e.g., JSP webshells) outside intended directories. The vulnerability exists in the fileEntityId parameter of /a/file/upload, bypassing directory restrictions while respecting file extension whitelists. EPSS score of 0.01% (3rd percentile) indicates low predicted exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis, though vendor issue tracker discussion provides technical details that could facilitate POC development.
Privilege escalation in IBM Turbonomic prometurbo agent allows compromised service accounts to exfiltrate cluster-wide Kubernetes secrets and achieve full cluster takeover. Affects versions 8.16.0 through 8.17.6 deployed in Kubernetes environments. The operator grants excessive RBAC permissions enabling unrestricted read access to all secrets cluster-wide. CVSS 8.8 indicates high severity with scope change to container/cluster level. No active exploitation confirmed (not in CISA KEV), but the attack path from service account compromise to cluster admin is well-understood in Kubernetes threat models.
Remote code execution in HKUDS OpenHarness allows authenticated remote attackers to execute arbitrary operating system commands via the /bridge slash command. Attackers with remote sender privileges can invoke '/bridge spawn' with malicious command arguments that bypass input validation and execute directly through the shell subprocess helper, granting access to local files, credentials, workspace state, and repository contents. Vendor-released patch available (commit 438e373) that restricts /bridge to local-only invocation by default.
Remote denial-of-service in CryptPad 2025.3.1 allows unauthenticated attackers to flood WebSocket frames and degrade or deny service for all users of an instance. The vulnerability stems from unbounded WebSocket connection handling without rate limiting. Fixed in version 2026.2.2 via nginx rate limiting configuration (30 requests/minute with burst=5). CVSS 8.7 (High) reflects network-accessible, low-complexity attack requiring no authentication. No CISA KEV listing or public exploit identified at time of analysis, but low technical barrier suggests high exploitability.
Improper input validation in Progress MOVEit Automation enables authenticated low-privilege attackers to escalate privileges and cause high-impact denial of service across container boundaries. Affecting all versions prior to 2025.1.5, 2025.0.9, and 2024.1.8, this network-accessible vulnerability with low attack complexity allows attackers to disrupt availability system-wide. Progress issued a Critical Security Alert Bulletin addressing this issue alongside CVE-2026-4670 in their April 2026 advisory. No public exploit identified at time of analysis, but the straightforward attack path (AV:N/AC:L/PR:L) and Changed scope indicate significant real-world risk for organizations running unpatched instances.
Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Arcane's Huma backend exposes four GET endpoints (`/api/templates*`) without authentication, allowing remote unauthenticated attackers to read all stored Docker Compose templates including plaintext environment files containing database passwords, API keys, and OAuth secrets. The vulnerability affects Arcane backend versions prior to 1.18.0. Because Arcane's "Save as Template" workflow persists production secrets verbatim into these templates, this is not theoretical information disclosure but direct credential theft. The frontend correctly treats these paths as authenticated, revealing a backend authorization gap (CWE-862). Vendor-released patch available in version 1.18.0. No active exploitation or public exploit code identified at time of analysis, though the attack is trivial (CVSS:4.0 AV:N/AC:L/PR:N).
SQL injection in SSCMS v7.4.0 enables high-privileged attackers to execute arbitrary SQL statements via the stl:sqlContent tag's queryString attribute. Attackers with administrative access can craft encrypted payloads to the /api/stl/actions/dynamic endpoint, bypassing parameterization controls to achieve database compromise, authentication bypass, or complete data exfiltration. EPSS data not available; no confirmed active exploitation (CISA KEV negative); public exploit code availability unknown but detailed technical advisory published by VulnCheck increases weaponization risk.
Server-Side Request Forgery (SSRF) in n8n-mcp SDK allows authenticated remote attackers to access cloud metadata endpoints and internal network resources via IPv4-mapped IPv6 address bypass. Versions 2.47.4 through 2.47.13 fail to validate IPv6 addresses in the synchronous URL validator (SSRFProtection.validateUrlSync()), enabling attackers who control the n8nApiUrl parameter to bypass RFC1918, localhost, and cloud metadata protections using addresses like [::ffff:169.254.169.254]. The vulnerability is non-blind SSRF returning response bodies to the attacker, and forwards the n8nApiKey in the x-n8n-api-key header to attacker-controlled targets. Confirmed actively exploited (CISA KEV). Vendor-released patch: version 2.47.14. EPSS exploitation probability not provided but risk is elevated given KEV status and availability of exploit code in the GitHub advisory.
Local privilege escalation in Absolute Secure Access Windows client versions prior to 14.50 allows authenticated local attackers to escalate privileges to SYSTEM level by sending malformed API data. The vulnerability stems from an arbitrary read/write flaw in the client's API handling. Vendor patch is available (version 14.50). EPSS score not available for this recent CVE; no public exploit identified at time of analysis, and not currently listed in CISA KEV.
Stored XSS in Jupyter Notebook's CommandLinker feature enables authentication token theft through malicious notebook files, leading to complete account takeover. Attackers craft notebook files with disguised controls that, when clicked once by victims, execute arbitrary code via the Jupyter REST API, granting full filesystem access and kernel control. Reported by NVIDIA AI Red Team. Vendor-released patches available: Jupyter Notebook 7.5.6 and JupyterLab 4.5.7. No public exploit code identified at time of analysis, but proof-of-concept demonstrated internally by NVIDIA researchers. This vulnerability targets data science and ML engineering environments where notebook sharing is common practice.
Authenticated users in Chartbrew 4.9.0 can modify or delete dashboard sharing policies across projects they don't own due to insufficient authorization checks. An attacker with legitimate access to one project can manipulate SharePolicy records (visibility settings, passwords, allowed parameters, expiration dates) for dashboards in any other project within the same Chartbrew instance. While CVSS rates this 8.1 HIGH, real-world risk depends heavily on multi-tenancy deployment: single-organization instances face lower insider threat exposure than multi-tenant SaaS scenarios. EPSS data not available. No public exploit identified at time of analysis, though exploitation requires only basic authenticated API access.
Horizontal privilege escalation in Chartbrew 4.9.0 allows authenticated low-privilege team members to access datasets, data requests, and database connections belonging to other projects within the same team. Attackers with credentials to any single project can read, modify, create, and delete data assets across all sibling projects by exploiting missing project-level authorization checks on multiple API endpoints. This enables cross-project data exfiltration and unauthorized execution of victim database queries remotely with low complexity (EPSS not provided, no CISA KEV listing, vendor-patched in v5.0.0).
Heap buffer overflow in FreeBSD dhclient enables potential remote code execution when processing maliciously crafted DHCP packets. Affects FreeBSD 13.5, 14.3, 14.4, and 15.0 branches prior to security patches. EPSS exploitation probability is low (0.03%, 8th percentile) and no active exploitation confirmed, but SSVC classifies this as automatable with partial technical impact. The vulnerability requires network position to send crafted DHCP responses (CVSS AV:N/AC:H), making exploitation complexity high but not requiring authentication.
Heap buffer overflow in FreeBSD's libnv library allows remote unauthenticated attackers to achieve privilege escalation or denial of service through maliciously crafted message headers. The vulnerability affects FreeBSD versions 13.5, 14.3, 14.4, and 15.0, with patches released in security advisory FreeBSD-SA-26:17.libnv. Despite network attack vector and privilege escalation potential (CVSS 8.1), EPSS scoring indicates only 0.02% exploitation probability (5th percentile), and no active exploitation or public exploit code has been identified. SSVC classifies technical impact as partial with no confirmed exploitation.
Remote code execution as root in FreeBSD dhclient allows malicious DHCP servers to inject arbitrary commands via unsanitized BOOTP file field in DHCP responses. When dhclient writes lease data without escaping embedded double-quotes and later re-parses it (e.g., after system restart), injected dhclient.conf directives execute through dhclient-script. EPSS score is notably low (0.02%, 5th percentile) with SSVC indicating no observed exploitation and partial technical impact, suggesting limited real-world targeting despite the high-severity nature of root code execution. No public exploit code identified at time of analysis.
Remote authenticated attackers can flood PDKS (Personnel and Document Tracking System) through uncontrolled interaction frequency, achieving high integrity and availability impacts without confidentiality breach. This workforce management software by MeWare Software Development Inc. is vulnerable to denial-of-service conditions and potential data integrity compromise through rate-limiting bypass. Affects versions from V16.20200313 through VMYR_3.5.2025117. TR-CERT advisory available, EPSS data not provided, no CISA KEV listing identified.
Remote authenticated attackers can bypass authorization controls in MeWare PDKS through user-controlled key manipulation, enabling privilege escalation to access and modify sensitive data without proper permissions. Affecting PDKS versions from V16.20200313 to VMYR_3.5.2025117, this vulnerability allows low-privileged users to abuse authorization mechanisms via network access without user interaction. No confirmed active exploitation or public exploit code identified at time of analysis, with EPSS data unavailable for risk quantification.
Remote code execution in Krayin CRM 2.1.5 allows authenticated attackers to execute arbitrary code through the compose email function via code injection. The vulnerability was patched in version 2.1.6 released by the vendor. A public proof-of-concept exploit exists on GitHub (cybercrewinc/CVE-2026-36340), significantly lowering the barrier to exploitation. With CVSS 8.1 (High) and network accessibility requiring only low-privilege authentication, this presents immediate risk to organizations running unpatched Krayin CRM instances, particularly those exposing the CRM to internal users or external partners.
Buffer overflow in Linux kernel Xen hypervisor interface allows local authenticated users to achieve arbitrary code execution with high privilege escalation impact. The vulnerability stems from improper handling of non-NUL-terminated build ID data from HYPERVISOR_xen_version(XENVER_build_id) in drivers/xen/sys-hypervisor.c, where sprintf reads past buffer boundaries seeking a NUL terminator. Affects Linux kernel versions from 5.10 through 7.0 series when running as Xen domain. Vendor-released patches available across all affected stable branches (5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.26, 7.0.3). EPSS score of 0.08% (23rd percentile) indicates low probability of mass exploitation despite high CVSS 7.8, reflecting specialized Xen-only attack surface. No public exploit identified at time of analysis.
Gotenberg versions up to 8.30.1 allow Server-Side Request Forgery (SSRF) against internal networks and cloud metadata endpoints via case-variation bypass of webhook and downloadFrom deny-lists. Remote unauthenticated attackers can use uppercase URL schemes (HTTP://, HTTPS://) to circumvent the default case-sensitive regex (^https?://) protecting private IP ranges; Go's net/url.Parse() normalizes schemes to lowercase during connection establishment, completing the bypass. The flaw affects two features added in commit 3f01ca1 (April 2026): webhook callback URLs and downloadFrom file fetching. Vendor-released patch version 8.31.0 available. CVSS 9.1 (Critical) with Changed Scope reflects potential access to instance metadata services (e.g., AWS 169.254.169.254) and internal APIs that return sensitive data in Content-Disposition headers. This is a regression of the pattern previously fixed in CVE-2026-27018 for the Chromium deny-list.
Double-free vulnerability in Linux kernel Xen privcmd driver allows local authenticated attackers to corrupt memory and potentially execute arbitrary code or cause denial of service. When userspace performs partial munmap() on privcmd mappings, VMA splitting creates duplicate pointers to the same memory pages array, leading to kvfree() being called twice on the same allocation during VMA cleanup. Xen Security Advisory XSA-487 confirms this issue affects virtualization hosts running Xen paravirtualized domains. No public exploit identified at time of analysis, with EPSS score of 0.03% indicating low predicted exploitation probability. Vendor-released patches available for stable kernel versions 5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.26, and 7.0.3.
Uninitialized variable use in Linux kernel CIFS replay logic allows local authenticated attackers to potentially access sensitive kernel memory, corrupt data, or trigger denial of service. The vulnerability exists in CIFS request replay code paths where certain local variables lack proper reinitialization after replay labels, potentially causing undefined behavior during SMB session recovery operations. Patches available for kernel versions 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% indicates minimal observed exploitation activity, consistent with the local access requirement and specialized triggering conditions.
Stack corruption in FreeBSD libnv library allows local authenticated attackers to elevate privileges to root when exploiting setuid-root applications. The vulnerability stems from libnv's select(2) implementation failing to validate socket descriptors against FD_SETSIZE limits (1024), enabling descriptor exhaustion attacks that corrupt stack memory. Confirmed by FreeBSD Security Advisory SA-26:16 with patches available across all stable branches. EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation or public POC identified at time of analysis.
Local privilege escalation in FreeBSD kernel allows authenticated users to gain root privileges through buffer overflow in execve(2) argument handling. The vulnerability stems from an operator precedence bug causing attacker-controlled data to overwrite adjacent execution argument buffers. CISA SSVC framework indicates no active exploitation detected, though the technical impact enables complete system compromise. EPSS probability remains very low (0.02%, 5th percentile), suggesting targeted rather than widespread threat. FreeBSD has released patches across all supported release branches.
Heap buffer overflow in Wireshark's SBC codec handler enables local code execution when processing malicious capture files. Affects Wireshark versions 4.4.0-4.4.14 and 4.6.0-4.6.4. The vulnerability requires user interaction (opening a crafted packet capture file) but no authentication, posing significant risk to network analysts who routinely process captures from untrusted sources. Wireshark Foundation has published security advisory WNPA-sec-2026-16 with remediation details. EPSS probability data not available; no evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis.
Heap-based buffer overflow in Wireshark's RDP protocol dissector allows local attackers to cause denial of service or execute arbitrary code via maliciously crafted capture files. Affects Wireshark versions 4.6.0-4.6.4 and 4.4.0-4.4.14. The vulnerability requires user interaction (opening a malicious .pcap file) but no authentication, making it effective for social engineering attacks against network analysts. No active exploitation confirmed in CISA KEV, but proof-of-concept details available via GitLab issue tracker. EPSS data not available for risk prioritization.
Path traversal via profile import in Wireshark lets a malicious configuration profile archive write files outside the intended profile directory, causing denial of service and potentially arbitrary code execution when a user imports it. Affected builds are Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14, with the flaw triggered by user interaction (importing a crafted profile) rather than network traffic. EPSS is very low (0.01%) and there is no public exploit identified at time of analysis; a vendor patch is available.
Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.
Authorization bypass in Clerk JavaScript SDKs allows authenticated users to proceed past combined authorization checks they should fail. When developers use has() or auth.protect() with multiple authorization dimensions (e.g., role + reverification, permission + billing feature, or billing plan + permission), the predicate incorrectly returns true for users who satisfy only a subset of the required conditions. Sessions and authentication remain secure, but gated actions may execute for under-privileged users. Patches released across all affected SDK packages (Core 2 and Core 3) with no API changes. No public exploit code identified at time of analysis, but the vulnerability is straightforward to trigger in production code patterns explicitly outlined in the vendor advisory.
Denial of service in Open5GS SMF component (versions before v2.7.5) allows unauthenticated remote attackers to crash the 5G core network Session Management Function by sending NGAP messages with malformed Protocol Configuration Options containing invalid length fields. The vulnerability triggers assertion failures in the PCO parser (CWE-617), causing service termination. With CVSS 7.5 (High) severity and network-accessible attack vector requiring no authentication, this poses significant operational risk to 5G networks, though the low EPSS score (0.07%, 22nd percentile) suggests limited observed exploitation attempts. No active exploitation confirmed (not in CISA KEV). Upstream fix available via commit d770787 incorporated in v2.7.5 release.
Remote denial of service in Open5GS 2.7.3 allows unauthenticated attackers to crash the 5G core network by sending malformed PDU Session Modification Request messages. The vulnerability stems from improper input validation (CWE-20) in session management functions. EPSS score of 0.07% indicates low observed exploitation probability, and no active exploitation has been confirmed via CISA KEV. However, the attack requires no authentication or user interaction (AV:N/AC:L/PR:N/UI:N), making it trivially exploitable against exposed 5G core deployments, potentially disrupting mobile network services for enterprise or carrier environments.
Unauthenticated remote attackers can access and refresh private chart data in Chartbrew 4.9.0 via an exposed API endpoint. The POST /api/chart/:chart_id/query endpoint lacks authentication checks and fails to validate whether charts belong to public reports or if sharing policies permit access. Attackers possessing a chart identifier can retrieve sensitive data from private dashboards without credentials. EPSS data not available. Not listed in CISA KEV. Vendor-confirmed vulnerability with patch released in version 5.0.0.
Brute-force attacks against U-SPEED N300 router V1.0.0 can compromise administrator credentials due to missing rate limiting on the /api/login endpoint. Local network attackers can execute unlimited authentication attempts without account lockout, enabling credential compromise and unauthorized access to router management. SSVC indicates proof-of-concept exists and the attack is automatable with partial technical impact. CVSS 7.5 reflects network accessibility, but the vulnerability description specifies 'local network' access requirement, suggesting the actual attack vector may be more constrained than the AV:N metric indicates.
Remote denial-of-service in FreeBSD packet filter (pf) allows unauthenticated attackers to crash systems via malformed SCTP packets. Unbounded recursion in SCTP chunk parameter parsing triggers stack overflow, causing kernel panic on any FreeBSD system with pf enabled, regardless of firewall ruleset configuration. EPSS score of 0.06% (17th percentile) suggests low broad exploitation probability, but impact is critical for exposed FreeBSD firewalls. Official patch released by FreeBSD covering versions 13.5, 14.3, 14.4, and 15.0.
Chartbrew 4.9.0 allows unauthenticated attackers to access hidden chart data via authentication bypass in public chart export routes. Attackers who know a chart identifier in any public project can read or export charts that were intentionally excluded from public reports, bypassing SharePolicy access controls. The vulnerability requires only network access and a valid chart ID, with no authentication or user interaction needed. Patched in version 5.0.0 per vendor advisory GHSA-mq7q-6xh6-5649. No public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L).
Unauthenticated remote disclosure of user-uploaded images in IBM Langflow Desktop 1.0.0-1.8.4 allows network attackers to enumerate and access other users' private images through predictable object references. With CVSS 7.5 (High) reflecting unauthenticated network exploitation, and EPSS data not provided, risk depends on whether installations expose the vulnerable endpoint to untrusted networks. No KEV listing or public exploit code identified at time of analysis, suggesting discovery through vendor security review rather than active exploitation.
Remote attackers can crash Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1.0.0 and disable all routing functionality by flooding the boa web server with HTTP GET requests to non-existent URIs. The attack exhausts file descriptors and memory buffers, causing kernel deadlock that kills both the web management interface and core routing services. SSVC framework confirms proof-of-concept exploit exists and the attack is fully automatable against default router configurations with no authentication required (CVSS AV:N/AC:L/PR:N/UI:N).
Remote unauthenticated attackers can crash the U-SPEED N300 V1.0.0 wireless router by flooding its web management interface with concurrent HTTP requests to random or non-existent endpoints, exhausting resources in the embedded Boa HTTP server until manual reboot is required. SSVC framework confirms proof-of-concept exploit code exists and the attack is fully automatable. CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates this is trivially exploitable from the internet without authentication, though impact is limited to availability disruption with no data compromise.