OS command injection in Totolink A8000RU firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the 'proto' parameter in /cgi-bin/cstecgi.cgi CGI handler. A public proof-of-concept exploit exists on GitHub, significantly lowering the barrier for exploitation. CVSS 8.9 with network vector, low complexity, and no authentication requirements makes this immediately exploitable against internet-facing devices running the vulnerable firmware version.
Remote code execution in Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005 allows network-based attackers to execute arbitrary code or crash the system without authentication. A buffer overflow in the GVRET CAN data parser (canformat_gvret.cpp) fails to validate length fields in binary frames, enabling memory corruption. CVSS 10.0 reflects unauthenticated network vector with scope change, but no public exploit or active exploitation confirmed at time of analysis. EPSS data unavailable; real-world risk depends on OVMS3 deployment exposure (typically vehicle telematics environments).
Stack-based buffer overflow in JS8Call allows remote code execution via crafted radio transmission containing an oversized Maidenhead grid locator. CVSS 10.0 reflects network-reachable attack with no authentication required. Both JS8Call (through 2.3.1) and JS8Call-improved (before 3.0) are affected by the overflow in grid2deg function within APRSISClient.cpp. Vendor patch available for JS8Call-improved 3.0+; JS8Call project status unclear. No confirmed active exploitation or public POC identified at time of analysis, though attack vector is straightforward for actors with radio transmission capabilities.
Remote code execution in cannelloni v2.0.0 allows unauthenticated network attackers to crash the service or execute arbitrary code by sending malformed CAN FD frames that trigger buffer overflows in two separate parsing functions (parseCANFrame in parser.cpp and decodeFrame in decoder.cpp). The CVSS score of 9.8 reflects network-accessible exploitation requiring no authentication or user interaction, with complete system compromise possible. Public proof-of-concept code exists (GitHub Gist reference), elevating immediate exploitation risk despite no CISA KEV listing, suggesting targeted rather than mass exploitation scenarios.
Authentication bypass in the Temporary Login WordPress plugin (versions ≤1.0.0) allows remote unauthenticated attackers to authenticate as any temporary login user via a single crafted GET request. The vulnerability exploits a type juggling flaw where passing 'temp-login-token' as an array bypasses validation checks and causes WordPress to return all users with temporary login tokens, enabling complete account takeover without knowledge of valid credentials. CVSS 9.8 (Critical) with network attack vector and no prerequisites. EPSS data not available; exploitation requires the presence of active temporary login accounts created by site administrators.
Remote unauthenticated arbitrary file write in AGL (Automotive Grade Linux) app-framework-main through version 17.1.12 allows attackers to achieve code execution or system compromise via malicious widget packages. A crafted ZIP archive combining path traversal (../ sequences in filenames) with a time-of-check-time-of-use race condition allows files to be written anywhere on the filesystem before signature validation occurs. Even when signature checks fail, malicious files persist outside the temporary directory. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. Public technical analysis available via GitHub Gist reference suggests proof-of-concept may exist.
Remote code execution in Apache MINA 2.1.0-2.1.11 and 2.2.0-2.2.6 allows unauthenticated attackers to execute arbitrary code via unsafe deserialization. The fix for prior CVE-2024-52046 was incomplete-the classname allowlist protecting IoBuffer.getObject() was applied too late, allowing malicious static initializers to execute before filtering. Confirmed actively exploited (CISA KEV). EPSS exploitation probability not provided, but the network-accessible, unauthenticated attack vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N) combined with KEV status indicates immediate patching is critical for applications calling IoBuffer.getObject().
Remote unauthenticated code execution in Apache MINA 2.1.0-2.1.11 and 2.2.0-2.2.6 allows attackers to bypass class allowlist protections via unsafe deserialization. The vulnerability exists because the fix for CVE-2026-41635 was not backported to the 2.1.X and 2.2.X branches, leaving AbstractIoBuffer.resolveClass() susceptible to arbitrary class instantiation when applications call IoBuffer.getObject(). Only applications actively using MINA's deserialization features are affected. EPSS data not available; no KEV listing or public POC identified at time of analysis.
Remote code execution in MixPHP Framework 2.x through 2.2.17 allows unauthenticated network attackers to execute arbitrary code via unsafe deserialization. The FileHandler class processes session and cache data using PHP's unserialize() on filesystem-sourced content without validation, enabling object injection attacks. CVSS 9.8 critical severity with network attack vector and no privileges required. SSVC assessment confirms automatable exploitation with total technical impact. No active exploitation confirmed at time of analysis (not in CISA KEV), but publicly available proof-of-concept exists (GitHub gist reference).
Remote unauthenticated code execution in MixPHP Framework 2.x through 2.2.17 allows attackers to execute arbitrary PHP code by injecting malicious serialized objects into Redis-backed session or cache storage. The framework's RedisHandler directly deserializes untrusted data from Redis using PHP's unserialize() function without validation. CVSS 9.8 with network vector, low complexity, and no privileges required. EPSS and KEV status not provided; SSVC framework marks this as automatable with total technical impact, indicating high exploitability despite no confirmed active exploitation at time of analysis.
Memory corruption in Linux kernel IPv6 ICMP error handling allows remote unauthenticated attackers to potentially achieve code execution or information disclosure. The vulnerability arises from incomplete control block (CB) sanitization when converting IPv4 ICMP errors to ICMPv6, enabling forged CIPSO options in outer IPv4 packets to manipulate inner IPv6 packet parsing. This can trigger out-of-bounds memory access extending into skb_shared_info structures. Despite CVSS 9.8 critical rating, EPSS exploitation probability is extremely low (0.02%, 7th percentile), no public exploit code exists, and CISA has not listed this as actively exploited. Patches are available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
A stack-based buffer overflow in the Linux kernel's IPv6-to-IPv4 tunneling (ip6_tunnel) code allows remote unauthenticated attackers to achieve arbitrary code execution. The vulnerability occurs when ip4ip6_err() passes a cloned skb with IPv6-formatted control buffer data to icmp_send(), which misinterprets it as IPv4 control buffer data. This type confusion causes __ip_options_echo() to read attacker-controlled packet data as a length value and copy up to that many bytes into a fixed 40-byte stack buffer, enabling remote exploitation with no prerequisites. EPSS score of 0.02% suggests limited exploitation probability despite critical CVSS 9.8 rating. Vendor-released patches are available across all maintained kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).
Double-free vulnerability in Linux kernel X.25 networking subsystem allows remote network attackers to potentially achieve denial of service or arbitrary code execution. The flaw occurs in x25_queue_rx_frame when socket buffer allocation fails, causing the same skb to be freed twice through the call chain from x25_backlog_rcv. Despite critical CVSS 9.8 score, exploitation probability remains low (EPSS 2%, 7th percentile) with no confirmed active exploitation (not in CISA KEV) and no public exploit code identified. Patches available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).
Use-after-free in Linux kernel ksmbd (SMB server) during durable file handle scavenging allows memory corruption and potential remote code execution. When a durable SMB2 file handle survives session disconnect, the cleanup path dereferences a freed connection object via NULL fp->conn pointer during lock cleanup, causing a slab use-after-free. Exploitation probability is extremely low (EPSS 0.02%, 5th percentile) with no active exploitation confirmed. Vendor patches available across multiple stable kernel branches (6.12.84, 6.18.25, 7.0.2, 7.1-rc1) address the asymmetric cleanup by properly managing byte-range lock lifetimes during durable handle reconnection.
Out-of-bounds write in Linux kernel's ksmbd SMB server allows memory corruption when processing extended attributes (EA) in QUERY_INFO responses. The smb2_get_ea() function performs 4-byte alignment padding without checking remaining buffer space, causing 1-3 bytes to write past allocation boundaries when EA values exactly fill the response buffer. This occurs in compound SMB2 requests where shared response buffers are tightly constrained. EPSS score of 0.02% suggests minimal observed exploitation activity, though the CVSS 9.8 critical rating reflects the theoretical network-accessible, unauthenticated attack surface. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.84, 7.0.2, 7.1-rc1). Not listed in CISA KEV. This represents the third instance of the same vulnerability pattern in ksmbd QUERY_INFO handlers, following fixes in commits beef2634f81f and fda9522ed6af.
Remote code execution and information disclosure in Linux Kernel's TI ICSSG PRU Ethernet driver allows unauthenticated network attackers to leak kernel heap memory to userspace and potentially corrupt page_pool state. The zero-copy RX dispatch path fails to copy received packet data into newly allocated skbs, instead forwarding uninitialized heap memory up the network stack. Vendor patches available for kernel 6.19.12 and 7.0. EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity despite critical CVSS 9.8 rating and network attack vector.
Integer underflow in Open-SAE-J1939 library's transport protocol handler enables remote unauthenticated attackers to corrupt arbitrary memory locations via manipulated CAN frame sequence numbers. CVSS 9.8 reflects network-accessible attack surface with no authentication barriers, though exploitation requires deployment in CAN-connected environments (industrial control systems, automotive networks). EPSS data unavailable; SSVC indicates total technical impact with automated exploitation potential but no confirmed active exploitation.
Heap-based buffer overflow in hashcat 7.1.2 enables remote code execution or denial of service through maliciously crafted PKZIP hash files. Attackers can exploit inadequate input validation in the hex_to_binary function affecting PKZIP hash parser modules (17200, 17210, 17220, 17225, 17230) to overflow fixed-size buffers with arbitrary hex data. CVSS 9.8 reflects network-accessible attack vector requiring no authentication or user interaction, though real-world exploitation requires victim to process attacker-supplied hash files. EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation. Public proof-of-concept exists (GitHub Gist), elevating exploitation risk for environments processing untrusted hash files.
Heap-based buffer overflow in hashcat 7.1.2's Kerberos hash parser enables remote code execution without authentication. Attacker supplies a maliciously crafted Kerberos hash file with manipulated delimiter positions to overflow the fixed-size account_info buffer during memcpy operations in module_hash_decode. The vulnerability affects multiple Kerberos-related hashcat modules due to missing upper-bound validation on account_info_len before memory copy. CVSS 9.8 with network attack vector, but real-world exploitation requires user processing the malicious file. EPSS data not available; no active exploitation confirmed in CISA KEV at time of analysis.
Stack-based buffer overflow in hashcat 7.1.2's rule processing functions enables remote code execution when processing password candidates of 128+ characters. The vulnerability stems from inadequate bounds checking in mangle_to_hex_lower() and mangle_to_hex_upper() functions that fail to account for 2x memory expansion during byte-to-hex conversion. CVSS 9.8 (critical) with network attack vector and no authentication required. Public proof-of-concept code available via GitHub gist. No CISA KEV listing suggests targeted rather than widespread exploitation despite theoretical network exploitability.
OS command injection in Sunwood-ai-labs command-executor-mcp-server versions up to 0.1.0 allows remote unauthenticated attackers to execute arbitrary system commands via the MCP interface execute_command function. The vulnerability carries a CVSS score of 7.3 with a complete remote attack vector (AV:N/AC:L/PR:N/UI:N), enabling unauthorized data access, system modification, and service disruption. A proof-of-concept exploit has been publicly disclosed via GitHub issue #6, significantly lowering the barrier to exploitation. EPSS data not available, but public POC availability and unauthenticated remote vector indicate elevated real-world risk despite the moderate CVSS score.
Path traversal in Flux159 mcp-game-asset-gen 0.1.0 allows remote unauthenticated attackers to read, write, and potentially delete arbitrary files via manipulation of the statusFile parameter in the image_to_3d_async function. The vulnerability is confirmed actively exploited with publicly available exploit code (GitHub issue #3). CVSS 7.3 reflects network-accessible attack with low confidentiality, integrity, and availability impact. Despite early responsible disclosure via issue report, the maintainer has not responded, leaving the open-source project unpatched.
Hard-coded credentials in AstrBot Dashboard (versions ≤4.16.0) enable remote unauthenticated attackers to bypass authentication and gain partial system access. The vulnerability resides in astrbot/dashboard/routes/auth.py, allowing complete authentication bypass without network complexity or user interaction. A public exploit exists on GitHub, and the vendor has not responded to responsible disclosure attempts, leaving users exposed to credential-based attacks with moderate impact across confidentiality, integrity, and availability (CVSS 7.3). EPSS data not available; KEV status negative indicates no confirmed widespread exploitation despite public POC.
Denial of service in Open5GS up to version 2.7.7 allows remote unauthenticated attackers to crash the BSF (Binding Support Function) service by manipulating the ipv4Addr parameter in the /nbsf-management/v1/pcfBindings endpoint. The vulnerability has publicly available exploit code and affects a core 5G network function, creating operational risk for mobile networks relying on this open-source implementation.
SQL injection in itsourcecode Electronic Judging System 1.0 allows remote attackers to manipulate the Username parameter in /intrams/login.php, leading to unauthorized data access and modification. The vulnerability requires no authentication and can be exploited over the network with low complexity. Publicly available exploit code exists, and the CVSS 4.0 vector indicates confidentiality and integrity impact on the affected application.
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to read, modify, or delete database records via the ID parameter in /ajax.php?action=save_customer. CVSS 7.3 with low attack complexity and no authentication required. Publicly available exploit code exists (GitHub POC published), elevating immediate risk for exposed installations. EPSS data not available, but the combination of network vector, zero authentication, and public POC indicates high probability of opportunistic scanning and exploitation.
SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to extract database contents, modify records, or execute unauthorized queries via the ID parameter in /ajax.php?action=delete_customer. Publicly available exploit code exists (GitHub POC), enabling trivial exploitation against exposed instances. CVSS 7.3 reflects network-accessible attack with low complexity and no authentication requirement, though EPSS data unavailable and not currently listed in CISA KEV, suggesting limited widespread exploitation despite POC availability.
SQL injection in SourceCodester Advanced School Management System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL queries via the checkEmail endpoint in commonController.php, potentially exposing or modifying database contents. Publicly available exploit code exists and the vulnerability requires only network access with no authentication, making it a practical exploitation risk for exposed instances.
Path traversal in the CSV Export endpoint of ghantakiran's splunk-mcp-integration allows remote unauthenticated attackers to access arbitrary files on the server by manipulating the job_name parameter in the create_csv_export function. The vulnerability affects all versions up to commit 0b86b09d5e5adf0433acd43c975951224613a1a6, with publicly available exploit code disclosed via GitHub issue; no vendor patch has been released despite early notification.
Stack-based buffer overflow in Totolink NR1800X router firmware 9.1.0u.6279_B20210910 allows remote unauthenticated attackers to execute arbitrary code or crash the device by sending malicious HTTP Host headers to the lighttpd web server. The vulnerability has publicly available exploit code (CVSS E:P) but is not currently listed in CISA KEV. EPSS data unavailable, but the combination of remote unauthenticated attack vector (AV:N/PR:N), low complexity (AC:L), and confirmed POC suggests elevated real-world risk for internet-facing devices running this specific firmware version.
Buffer overflow in Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005 enables remote code execution when processing malicious PCAP files. The canformat_pcap.cpp parser fails to validate the phdr.len field, allowing attackers to overflow stack buffers and execute arbitrary code with high confidentiality, integrity, and availability impact. Public proof-of-concept code exists (GitHub Gist), though no active exploitation is confirmed by CISA KEV. SSVC assessment indicates automatable exploitation despite requiring user interaction to open crafted PCAP files.
Malicious code injection in Bitwarden CLI 2026.4.0 distributed via npm for 90 minutes on April 22, 2026, enables remote command execution without authentication. The compromise was part of a broader Checkmarx supply chain attack targeting the npm registry. Users who installed this specific version during the 21:57Z-23:30Z window received a backdoored package capable of executing arbitrary OS commands. EPSS data not available for this recent CVE, but the supply chain vector and brief exposure window suggest targeted rather than mass exploitation.
Incorrect authentication labeling in Linux kernel's Bluetooth SMP legacy pairing allows adjacent attackers to bypass security controls and gain high-level access without proper authentication. The flaw affects the Short Term Key (STK) derivation in Just Works/Confirm pairing modes, where keys are incorrectly marked as authenticated even when Man-in-the-Middle (MITM) protection was not established. With CVSS 8.8 (AV:A/AC:L/PR:N/UI:N), this enables adjacent network attackers to exploit Bluetooth pairing flows without authentication. EPSS score of 0.05% suggests low widespread exploitation likelihood. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Use-after-free in Linux Kernel Bluetooth stack allows adjacent network attackers to execute arbitrary code, escalate privileges, or cause denial of service without authentication. The vulnerability exists in hci_le_remote_conn_param_req_evt where hci_conn lookup and field access occurs outside the hdev lock protection, enabling concurrent memory corruption. Patches are available across multiple stable kernel branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0). EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Cross-Site Request Forgery in WP Editor plugin through version 1.2.9.2 enables remote attackers to inject arbitrary PHP code into plugin and theme files. The vulnerability requires administrator interaction (clicking a malicious link) but no authentication for the attacker, allowing complete website compromise through file overwrite. EPSS data not available; no confirmed active exploitation at time of analysis. Patch available in changeset 3480577.
Remote unauthenticated attackers can trigger out-of-bounds memory access in the Linux kernel SMB client's DACL parsing code by sending a malicious SMB response with a truncated DACL structure. The vulnerability exists in build_sec_desc() and id_mode_to_cifs_acl() functions which insufficiently validate server-supplied ACL data before rewriting it during chmod/chown operations, allowing ACE traversal beyond validated memory bounds. CVSS 8.8 indicates high severity with network vector requiring user interaction. EPSS score of 0.02% (5th percentile) suggests low observed exploitation probability in the wild, and no active exploitation is confirmed (not in CISA KEV). Vendor patch available targeting Linux kernel 7.0.2 and 7.1-rc1.
Buffer overflow in Linux kernel's ksmbd SMB server allows authenticated remote attackers to trigger ~8 MB heap allocation from manipulated NTACL xattr values, potentially leading to memory exhaustion, information disclosure via uninitialized heap memory, or code execution. Exploitation requires low-privilege SMB authentication plus ability to corrupt backing filesystem metadata (offline xattr tampering or race condition). EPSS score of 0.02% indicates minimal observed exploitation activity. Vendor patches available across multiple stable kernel branches (6.12.84, 6.18.25, 7.0.2, 7.1-rc1).
Missing CRYPTO_ALG_ASYNC flag in Linux kernel's Tegra crypto driver causes the crypto API to incorrectly select asynchronous algorithms for synchronous-only requests, resulting in system crashes. This affects Tegra-based Linux systems (typically NVIDIA Jetson devices) running kernel versions 6.10 through early 7.0 development branches. Vendor patches are available across stable branches (6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability, and no active exploitation or public POC has been identified. The CVSS vector (AV:N/AC:L/PR:L/UI:N) suggests network-based exploitation requiring authenticated access, though this conflicts with the technical nature of a local driver configuration bug.
Linux kernel IOMMU page table unmapping operations fail to invalidate extended memory regions when unmapping lands mid-entry in large/contiguous mappings, causing stale TLB entries. Affects kernel 6.19 through pre-7.0 versions with IOMMU subsystem enabled. Local authenticated attackers with low privileges can potentially access unmapped memory or escalate privileges by exploiting incomplete invalidations during IOMMU unmap operations. EPSS score of 0.02% (5th percentile) suggests minimal real-world exploitation likelihood. No public exploit identified at time of analysis, though vendor acknowledges theoretical risk is low as 'nothing relies on unmapping a large entry.' Vendor-released patches available for stable branches.
Authentication bypass in Linux kernel's ksmbd SMB server allows any authenticated SMB user to hijack orphaned durable file handles by predicting persistent IDs, enabling unauthorized file access with the original owner's privileges. The flaw violates MS-SMB2 requirements for SecurityContext validation during durable handle reconnection. Vendor patches are available across multiple stable kernel branches (6.18.25, 7.0.2, 7.1-rc1). EPSS exploitation probability is low at 0.02% (4th percentile), and no active exploitation or public POC has been identified. CVSS 8.8 reflects high impact but requires low-privilege authentication.
Adjacent network attackers can achieve high-severity code execution, information disclosure, or denial of service in the Linux kernel HID (Human Interface Device) subsystem by exploiting a bounds-checking flaw in hid_report_raw_event(). A bogus memset() operation intended to zero unused buffer space instead creates out-of-bounds read/write conditions when processing malformed HID input reports from adjacent devices (USB, Bluetooth). Vendor patches available for stable branches 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% suggests minimal observed exploitation, but the unauthenticated adjacent-network attack vector with low complexity makes this exploitable in environments with untrusted HID peripherals.
Stack buffer overflow in miaofng/uds-c library allows adjacent network attackers to execute arbitrary code via crafted diagnostic payload. The send_diagnostic_request function allocates only 6 bytes for MAX_DIAGNOSTIC_PAYLOAD_SIZE but accepts up to 7 bytes of payload (MAX_UDS_REQUEST_PAYLOAD_LENGTH), enabling 4-byte overflow when combined with pid_length=2. Affects commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a from October 2016 and likely later versions unless patched. No CISA KEV listing or EPSS data indicates exploitation remains theoretical; vulnerability appears in automotive diagnostic library with limited deployment exposure.
Memory exhaustion in Bandit WebSocket server (versions 0.5.0 through 1.10.x) allows unauthenticated remote attackers to trigger denial of service by sending unbounded WebSocket continuation frames without setting the fin flag. The fragment reassembly logic accumulates payloads without checking cumulative message size, bypassing the max_frame_size limit which only applies to individual frames. Applications using Phoenix Channels or LiveView over Bandit expose this attack surface on any WebSocket endpoint. Patch available in version 1.11.0 introduces max_fragmented_message_size parameter (default 8MB). No public exploit code identified at time of analysis, but trivial to reproduce with standard WebSocket libraries.
Remote code execution in Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005 allows unauthenticated network attackers to execute arbitrary code or crash the system by sending malformed CANswitch frames with invalid DLC (Data Length Code) values. The buffer overflow occurs in the canformat_canswitch.cpp parser module which fails to validate frame length parameters before processing, enabling memory corruption. A proof-of-concept exploit is publicly available on GitHub, and SSVC assessment indicates the vulnerability is automatable with partial technical impact, though no active exploitation has been confirmed by CISA KEV at time of analysis.
Arbitrary code execution in MixPHP Framework 2.x through 2.2.17 allows local attackers to execute malicious PHP closures via unauthenticated TCP connections to the sync-invoke server. The vulnerability stems from unsafe deserialization of untrusted data on localhost-bound port 127.0.0.1, where Server.php directly passes socket data to Opis\Closure\unserialize() and executes the result without authentication or signature verification. Exploitation requires local network access or SSRF capability against the application server. No public exploit code identified at time of analysis, but the attack mechanism is straightforward for attackers with PHP deserialization knowledge.
Unsafe deserialization in Zurich Instruments LabOne Q enables arbitrary code execution when users load malicious experiment files. The import_cls mechanism accepts unvalidated class names from serialized data, allowing attackers to instantiate arbitrary Python classes with controlled constructor arguments. Exploitation requires user interaction to open a crafted file, making this a credible vector for supply chain attacks via shared experiment configurations or support tickets. CVSS 8.4 reflects local attack vector with user interaction requirement. No confirmed active exploitation or public POC at time of analysis.
Stack overflow in Flipper Zero Firmware (commit ad2a80) enables local arbitrary code execution with high privileges through exploitation of the Main function. SSVC framework confirms POC availability and total technical impact. CVSS 8.4 reflects local attack vector with no authentication barrier. No vendor-released patch identified at time of analysis, though GitHub issue tracking indicates developer awareness.
Integer overflow in OpenAMP v2025.10.0 ELF loader enables local attackers to corrupt memory during firmware image parsing on 32-bit embedded systems (STM32MP1, Zynq, i.MX). The vulnerability triggers when elf_loader.c multiplies two attacker-controlled 16-bit values from ELF headers without bounds checking, causing integer wraparound that bypasses allocation size limits. EPSS data not available; no CISA KEV listing confirms exploitation remains theoretical. GitHub references suggest proof-of-concept analysis exists (sgInnora gist), indicating technical feasibility for local privilege escalation or code execution in embedded/IoT firmware update scenarios.
Out-of-bounds read in Linux kernel ksmbd allows authenticated SMB clients to trigger memory corruption by crafting malicious DACL ACEs with undersized headers. Attackers with permission to set ACLs on files can cause kernel KASAN reports and state corruption when subsequent CREATE operations walk the stored DACL via smb_check_perm_dacl(). Vendor patches available for kernel versions 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1. EPSS score of 0.02% (5th percentile) indicates low likelihood of mass exploitation despite network attack vector, consistent with the requirement for authenticated access and specific file permission prerequisites.
Memory exhaustion in Bandit WebSocket server (versions 0.5.9 through 1.10.x) allows unauthenticated remote attackers to crash BEAM nodes via compression bombs when permessage-deflate is enabled. The inflate/2 function decompresses WebSocket frames without output-size limits, enabling attackers to send tiny compressed payloads (~1024:1 ratio) that expand to gigabyte-scale heap allocations. Vendor-released patch available (version 1.11.0). EPSS data not available; no public exploit identified at time of analysis. Exploitation requires non-default configuration (both server-level compress and per-upgrade compress: true options enabled), making stock Phoenix/LiveView applications unaffected.