OS command injection in VetCoders mcp-server-semgrep 1.0.0 allows remote unauthenticated attackers to execute arbitrary commands via unsanitized ID arguments passed to multiple analysis functions (analyze_results, filter_results, export_results, compare_results, scan_directory, create_rule) in src/index.ts. The vulnerability stems from unsafe use of child_process.exec() which interpolates user input into shell command strings. Publicly available exploit code exists, and vendor-released patch version 1.0.1 is available.
Improper authorization in the GoClaw and GoClaw Lite RPC gateway allows unauthenticated remote attackers to invoke privileged methods including configuration exfiltration, heartbeat manipulation, and agent mutation via WebSocket connections. Versions up to 3.8.5 implement a fail-open authorization policy where unclassified RPC methods default to viewer-level access and authentication failures fall back to authenticated viewer sessions. Public exploit code exists (GitHub issue #866) demonstrating unauthorized method invocation. Vendor-released patch: version 3.9.0 implements fail-closed authorization with explicit method classification and rejects connections lacking valid credentials.
Improper access controls in 1024-lab smart-admin up to version 3.30.0 allow remote unauthenticated attackers to gain unauthorized access to the Druid demo interface at /smart-admin-api/druid/index.html, potentially exposing sensitive data or administrative functionality. The vulnerability has a publicly available proof of concept and a CVSS score of 5.5 (low confidentiality/integrity impact), though the vendor has not yet acknowledged or patched the issue despite early notification.
SQL injection in SourceCodester Hotel Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the room_type parameter in /index.php/reservation/check. CVSS 7.3 indicates medium-to-high severity with confidentiality, integrity, and availability impacts. Publicly available exploit code (GitHub) significantly lowers the barrier to exploitation. EPSS data unavailable, but public POC availability and remote unauthenticated attack vector suggest elevated real-world risk for internet-exposed installations of this PHP-based hotel management system.
Server-Side Request Forgery in Gotenberg 8.29.1 Docker image enables remote unauthenticated attackers to probe internal networks and trigger POST requests to arbitrary internal/external endpoints via the Gotenberg-Webhook-Url header. CVSS 8.6 High with Changed Scope (S:C) reflects the ability to pivot from the Gotenberg container to internal services. Publicly available exploit code exists (PoC published in GitHub advisory GHSA-5vh4-rgv7-p9g4). Vendor-released patch 8.31.0 implements IP resolution and non-public address blocking to prevent DNS rebinding and RFC1918/link-local targeting.
Memory corruption in Absolute Secure Access Windows clients prior to version 14.50 allows local authenticated attackers to trigger denial of service by sending malformed data to an exposed API. The vulnerability requires local system access and authenticated privileges but can completely disable the security client, creating a critical availability risk for endpoint protection.
Buffer overflow in Absolute Secure Access Windows client versions prior to 14.50 allows local attackers with high privileges to trigger denial of service by exploiting improper memory handling. The vulnerability requires local access and elevated administrative privileges, limiting exploitation to authenticated users already possessing administrative control of the affected system. Vendor-released patch: version 14.50 or later.
Authorization bypass in CKAN's datastore_search_sql function allows unauthenticated attackers to access private DataStore resources and extract PostgreSQL system information. CKAN versions prior to 2.10.10 and 2.11.0-2.11.4 are affected. The vulnerability exists in a feature that is disabled by default but can be enabled via configuration, limiting baseline exposure but creating significant risk for deployments that enable SQL search functionality.
Unauthenticated account creation in Chartbrew 4.9.0 allows any remote attacker to bypass signup restrictions and create a fully active account with valid JWT via the unprotected POST /user/invited endpoint, circumventing the signupRestricted configuration that normally blocks new registrations. An attacker receives a functional JWT token immediately without email verification, granting full authenticated access even when the instance restricts signups to invited users only. The vulnerability was patched in version 5.0.0.
Path traversal in IBM Langflow Desktop versions 1.8.4 and earlier allows authenticated remote attackers to read arbitrary files on the system by crafting URLs containing directory traversal sequences (/../). The vulnerability affects the file handling mechanism and could expose sensitive configuration, source code, or other confidential files accessible to the Langflow process. A vendor-released patch is available.
Out-of-bounds heap write in Exim before 4.99.2 allows unauthenticated remote attackers to cause denial of service and potentially corrupt memory when the JSON lookup feature is enabled and malformed JSON is present in untrusted email headers, due to incorrect backslash escape sequence handling in the JSON operator.
Authenticated attackers can exploit a path traversal vulnerability in IBM Langflow Desktop 1.2.0 through 1.8.4 to write arbitrary files to the system by crafting URLs containing directory traversal sequences (/../). The vulnerability requires prior authentication but allows complete bypass of file system restrictions, enabling file overwrite or creation outside intended directories with no integrity protections.
Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 allows authenticated users to crash the database server via improper neutralization of special elements in query logic. An attacker with valid database credentials can trigger the vulnerability remotely without user interaction, resulting in service unavailability. No active exploitation has been confirmed at time of analysis.
Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.3 for Linux, UNIX, and Windows allows authenticated users to crash the database server by submitting a specially crafted SQL query that triggers improper system resource allocation. An attacker with valid database credentials can exhaust resources and render the database unavailable to legitimate users without leaving data corruption or unauthorized access. No public exploit code has been identified, though the vulnerability requires only valid authentication and a standard SQL interface.
Chartbrew 4.9.0 fails to properly enforce project-level access controls on a legacy dashboard route, allowing any authenticated team member to read another team member's project report data and extract stored report passwords. The vulnerability affects users without explicit project access but with team membership, who can leverage the unprotected endpoint to view sensitive dashboard configurations and credentials. Patched in version 5.0.0.
IBM Langflow OSS 1.0.0 through 1.8.4 allows authenticated users to read transaction logs and vertex build data from other users' flows via direct flow_id manipulation, enabling unauthorized information disclosure and deletion of other users' persisted build data. The vulnerability requires valid user authentication (PR:L) but no additional complexity, affecting all deployments of affected versions.
Server-side request forgery (SSRF) in IBM Langflow Desktop 1.0.0 through 1.8.4 permits unauthenticated remote attackers to send arbitrary HTTP requests from the vulnerable system, enabling network enumeration, internal service probing, and facilitation of secondary attacks against backend infrastructure. CVSS 6.5 reflects moderate confidentiality and integrity impact without authentication barriers despite PR:N in vector.
Credential exposure in Apple container allows unauthenticated remote attackers to steal registry credentials in plaintext when users connect to malicious registries with hostnames matching specific bypass patterns. The vulnerability affects container versions prior to 0.12.3 and requires user interaction to establish a connection to a malicious registry. EPSS score of 0.02% indicates low real-world exploitation probability despite moderate CVSS severity.
OpenTelemetry.Exporter.OpenTelemetryProtocol versions 1.8.0 through 1.15.2 allow local attackers to inject malicious telemetry data, disclose stored telemetry payloads, or exhaust system resources by exploiting an insecure default disk retry directory that falls back to the shared system temporary path when the required directory configuration is not explicitly set. On multi-user systems, this enables attackers with read or write access to the temp directory to craft blob files that the exporter will forward to the OTLP endpoint under the application's identity, or to read exported telemetry data between transient export failures.
Authenticated remote attackers can access sensitive personal information in MeWare PDKS versions 16.20200313 through before VMYR_3.5.2025117 due to improper access controls. The vulnerability allows disclosure of private data without authorization, affecting confidentiality. CVSS score of 6.5 reflects moderate severity with network accessibility and low attack complexity, though authentication is required. No active exploitation or public proof-of-concept has been confirmed at time of analysis.
{name}/upgrade-from-uri endpoint allows authenticated attackers to scan internal network resources and services by submitting crafted GET requests, enabling reconnaissance of backend infrastructure without direct network access.
IBM i 7.2-7.6 contains an invalid authorization check in the Web Administration GUI that allows authenticated high-privilege users with administrator access to trigger privilege escalation, enabling user-controlled code execution with administrator privileges. The vulnerability requires high privileges and user interaction (CVSS:H for confidentiality, integrity, and availability), but is not currently listed in CISA's Known Exploited Vulnerabilities catalog, and no public exploit code has been identified as of the analysis date.
Stored cross-site scripting in IBM Langflow Desktop 1.6.0 through 1.8.4 allows authenticated users to inject arbitrary JavaScript code into the Web UI, potentially altering application functionality and disclosing session credentials to other users of the same instance. The vulnerability requires valid authentication but no user interaction from the target, affecting confidentiality and integrity of the application.
IBM watsonx.data intelligence versions 5.2.0, 5.2.1, 5.3.0, and 5.3.1 store user credentials in plain text within local filesystem locations, allowing any local user to read sensitive authentication material without authentication. This information disclosure vulnerability affects confidentiality but not integrity or availability, and requires local filesystem access to exploit.
Stored cross-site scripting (XSS) in JeeSite v5.15.1 allows unauthenticated remote attackers to inject arbitrary web scripts or HTML via the msgContent parameter in the /msg/msgInner/save endpoint, affecting any user who views a message containing the malicious payload. The vulnerability requires user interaction (viewing the crafted message) but can impact confidentiality and integrity of user sessions through script execution in the victim's browser context. No public exploit code or active exploitation has been confirmed at this time.
Stored cross-site scripting (XSS) in SpringBlade v4.8.0 allows unauthenticated remote attackers to inject arbitrary web scripts or HTML via the /api/blade-desk/notice/submit endpoint's content parameter, executing malicious code in the browsers of subsequent users who view the injected notice. The vulnerability requires user interaction (viewing the stored payload) to trigger, affecting the confidentiality and integrity of affected applications. No public exploit code or active exploitation has been confirmed at the time of analysis.
Cross-site scripting (XSS) in RafyMrX TOKO-ONLINE-ROTI v.1.0 allows remote attackers to execute arbitrary JavaScript in a victim's browser via the detail_produk.php component when a user visits a malicious link. The vulnerability requires user interaction (clicking a link) and affects confidentiality and integrity with a CVSS score of 6.1. No active exploitation has been confirmed in CISA KEV, but a proof-of-concept payload exists in public repositories.
Cross-site scripting (XSS) vulnerability in andrewtch88 mvc-ecommerce v.1.0 allows remote attackers to execute arbitrary JavaScript in victim browsers and exfiltrate sensitive information through the product_catalogue.php component. The vulnerability requires user interaction (clicking a malicious link or visiting a compromised page) but affects all users due to stored or reflected XSS impact across site sessions. CVSS 6.1 reflects moderate risk with network-based attack vector and low complexity, though no active exploitation in CISA KEV has been confirmed at time of analysis.
FRRouting before version 10.5.3 contains an integer overflow vulnerability in OSPF Traffic Engineering and Segment Routing TLV parser functions that allows attackers with an established OSPF adjacency to send a malicious Type 10 or Type 11 Opaque LSA and trigger out-of-bounds memory reads, crashing all affected routers in the OSPF area. The vulnerability results from a uint16_t accumulator variable truncating uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. This is a denial-of-service attack requiring OSPF neighbor status but no user interaction or additional privileges.
Denial of service in Exim before 4.99.2 on musl libc systems allows remote attackers to crash mail server connection instances by sending malformed DNS PTR records that trigger an octal printing bug in the dn_expand function. The vulnerability requires high network complexity to exploit but results in service unavailability for affected connections. No patch version confirmation available from provided references.
Dancer::Session::Abstract through version 1.3522 generates cryptographically weak session identifiers by combining predictable inputs (file path, process ID, epoch time) with an insufficiently-seeded Perl rand() function, allowing remote attackers to predict valid session IDs and hijack user sessions without authentication. The vulnerability affects Perl-based web applications using Dancer framework's default session handling; active exploitation is not confirmed but the attack requires only guessing a session ID, making it practically exploitable.
Buffer overflow in Absolute Secure Access Windows client prior to version 14.50 allows local attackers to cause denial of service by triggering a system blue screen. The vulnerability requires local access to the affected system and can be exploited without user interaction or authentication. A vendor patch is available.
Apache Airflow's SmtpHook performs STARTTLS upgrades without SSL certificate validation, allowing man-in-the-middle attackers to intercept SMTP credentials. Remote unauthenticated attackers positioned between an Airflow worker and SMTP server can present a self-signed certificate, complete the TLS handshake, and capture login credentials sent after the upgrade. The vulnerability affects apache-airflow-providers-smtp versions 2.0.0 through 2.x and is patched in version 3.0.0 or later. No public exploit code identified at time of analysis, but EPSS score of 0.01% indicates low real-world exploitation probability despite confidentiality impact.
In the Linux kernel, the following vulnerability has been resolved: rtnetlink: add missing netlink_ns_capable() check for peer netns rtnl_newlink() lacks a CAP_NET_ADMIN capability check on the peer network namespace when creating paired devices (veth, vxcan, netkit). This allows an unprivileged user with a user namespace to create interfaces in arbitrary network namespaces, including init_net. Add a netlink_ns_capable() check for CAP_NET_ADMIN in the peer namespace before allowing device creation to proceed.
Authenticated users with minimal namespace-scoped privileges can obtain administrative credentials for arbitrary OpenShift clusters provisioned through the MCE hub via the assisted-service REST API. The vulnerability exists in AUTH_TYPE=local mode (the only mode available in on-premises deployments), where the local authenticator grants full administrative access to any request bearing a valid JWT with no per-endpoint restrictions. A valid JWT is embedded as plaintext in the InfraEnvStatus.ISODownloadURL, readable by any user with get rights on an InfraEnv object, enabling extraction of kubeadmin passwords and kubeconfigs for all spoke clusters.
Denial of service in Wireshark versions 4.6.0-4.6.4 and 4.4.0-4.4.14 via malformed Monero protocol packets causes application crash through unbounded recursion in the protocol dissector. Local attackers with user-level privileges can trigger the crash by opening a crafted pcap file or receiving a malicious network packet during live capture, requiring user interaction to open the malicious file but resulting in complete unavailability of the packet analysis tool.
Wireshark versions 4.6.0-4.6.4 and 4.4.0-4.4.14 crash when processing malformed BT-DHT protocol packets, enabling local denial of service against users who open crafted capture files or sniff untrusted network traffic. The vulnerability requires local access and user interaction (opening a file or viewing live capture), but no authentication is required. EPSS exploitation probability is moderate given the low attack complexity and the prevalence of Wireshark in security operations.
Wireshark versions 4.6.0-4.6.4 and 4.4.0-4.4.14 crash when processing malformed FC-SWILS (Fibre Channel Switch InterLink Service) protocol packets, enabling denial of service via local or remote delivery of a crafted packet file. The vulnerability requires user interaction (opening a malicious capture file), and no active exploitation has been confirmed at time of analysis.
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 via infinite loop in SMB2 protocol dissector allows local attackers to crash the application when processing malicious or malformed SMB2 network traffic. Exploitation requires user interaction (opening a crafted capture file or live capture), and causes high availability impact with no data confidentiality or integrity compromise. CVSS 5.5 reflects local attack vector but potential for widespread impact given Wireshark's role in network analysis workflows.
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 via malformed ICMPv6 PvD (Prefix Validation Data) packets crashes the protocol dissector, requiring user interaction to open a crafted capture file. The vulnerability affects local users only (AV:L) and does not enable code execution, information disclosure, or integrity compromise.
Wireshark versions 4.6.0-4.6.4 and 4.4.0-4.4.14 crash when processing malformed AFP Spotlight protocol packets, causing denial of service. An attacker can trigger the crash by delivering a crafted packet to a user running a vulnerable version, disrupting packet analysis and network monitoring. The vulnerability requires local or direct network access and user interaction to open a malicious capture file or receive the packet during live capture, but no authentication is needed.
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 via stack buffer overflow in the AMR-NB codec decoder allows local attackers with user interaction to crash the application. The vulnerability requires opening a specially crafted network capture file, making it exploitable in scenarios where users are tricked into opening untrusted PCAP files or when Wireshark auto-opens recent captures.
Denial of service in Wireshark 4.6.0 through 4.6.4 via crafted SDP protocol packets allows local attackers with user interaction to crash the application through a use-after-free memory corruption vulnerability in the SDP protocol dissector. EPSS and KEV status not available at analysis time; no public exploit code identified.
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 via crafted iLBC codec packets allows local attackers with user interaction to crash the application and interrupt service. The vulnerability stems from a use-after-free condition in the iLBC codec parser, triggered when Wireshark processes malformed audio codec data, causing an application crash without code execution.
Heap buffer overflow in the DCP-ETSI protocol dissector in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 causes denial of service when a user opens a malicious packet capture file. The vulnerability requires user interaction (opening a crafted .pcap or similar file locally) and crashes the application, preventing further packet analysis. No public exploit code or active exploitation has been confirmed at this time.
Stack buffer overflow in Wireshark's BEEP protocol dissector causes denial of service when processing malformed network packets. Versions 4.6.0-4.6.4 and 4.4.0-4.4.14 are vulnerable; a local user with the ability to interact with Wireshark or supply crafted BEEP traffic can trigger a crash via a specially crafted packet that requires user interaction to open or process. No public exploit code or active exploitation has been identified at time of analysis.
Stack buffer overflow in Wireshark's ZigBee protocol dissector (versions 4.6.0-4.6.4 and 4.4.0-4.4.14) causes application crash and denial of service when processing malformed ZigBee packets. An attacker must trick a user into opening a crafted packet capture file or visiting a malicious webpage serving the packet, since the vulnerability requires local file access and user interaction. No active exploitation has been publicly reported.
Wireshark versions 4.6.0 through 4.6.4 contain an infinite loop vulnerability in the DLMS/COSEM protocol dissector that causes denial of service when processing malformed packets. A local attacker with user privileges can trigger the infinite loop by opening a crafted DLMS/COSEM packet capture file, freezing the application and rendering it unresponsive without requiring authentication or special configuration.
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 via infinite loop in the USB HID protocol dissector allows local attackers to crash the application by opening a maliciously crafted packet capture file. The vulnerability requires user interaction (opening a file) on a local system, making it suitable for targeted attacks against security analysts and network administrators who routinely inspect suspicious network traffic.
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 allows local attackers to crash the application by triggering an unhandled exception in the LZ77 decompression engine when processing malformed compressed packet data. The vulnerability requires user interaction (opening a crafted packet capture file or receiving a malicious packet) but causes immediate application termination, impacting network analysis workflows.