Remote code execution in Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005 allows network-based attackers to execute arbitrary code or crash the system without authentication. A buffer overflow in the GVRET CAN data parser (canformat_gvret.cpp) fails to validate length fields in binary frames, enabling memory corruption. CVSS 10.0 reflects unauthenticated network vector with scope change, but no public exploit or active exploitation confirmed at time of analysis. EPSS data unavailable; real-world risk depends on OVMS3 deployment exposure (typically vehicle telematics environments).
Stack-based buffer overflow in JS8Call allows remote code execution via crafted radio transmission containing an oversized Maidenhead grid locator. CVSS 10.0 reflects network-reachable attack with no authentication required. Both JS8Call (through 2.3.1) and JS8Call-improved (before 3.0) are affected by the overflow in grid2deg function within APRSISClient.cpp. Vendor patch available for JS8Call-improved 3.0+; JS8Call project status unclear. No confirmed active exploitation or public POC identified at time of analysis, though attack vector is straightforward for actors with radio transmission capabilities.
Remote code execution in cannelloni v2.0.0 allows unauthenticated network attackers to crash the service or execute arbitrary code by sending malformed CAN FD frames that trigger buffer overflows in two separate parsing functions (parseCANFrame in parser.cpp and decodeFrame in decoder.cpp). The CVSS score of 9.8 reflects network-accessible exploitation requiring no authentication or user interaction, with complete system compromise possible. Public proof-of-concept code exists (GitHub Gist reference), elevating immediate exploitation risk despite no CISA KEV listing, suggesting targeted rather than mass exploitation scenarios.
Authentication bypass in the Temporary Login WordPress plugin (versions ≤1.0.0) allows remote unauthenticated attackers to authenticate as any temporary login user via a single crafted GET request. The vulnerability exploits a type juggling flaw where passing 'temp-login-token' as an array bypasses validation checks and causes WordPress to return all users with temporary login tokens, enabling complete account takeover without knowledge of valid credentials. CVSS 9.8 (Critical) with network attack vector and no prerequisites. EPSS data not available; exploitation requires the presence of active temporary login accounts created by site administrators.
Remote unauthenticated arbitrary file write in AGL (Automotive Grade Linux) app-framework-main through version 17.1.12 allows attackers to achieve code execution or system compromise via malicious widget packages. A crafted ZIP archive combining path traversal (../ sequences in filenames) with a time-of-check-time-of-use race condition allows files to be written anywhere on the filesystem before signature validation occurs. Even when signature checks fail, malicious files persist outside the temporary directory. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. Public technical analysis available via GitHub Gist reference suggests proof-of-concept may exist.
Remote code execution in Apache MINA 2.1.0-2.1.11 and 2.2.0-2.2.6 allows unauthenticated attackers to execute arbitrary code via unsafe deserialization. The fix for prior CVE-2024-52046 was incomplete-the classname allowlist protecting IoBuffer.getObject() was applied too late, allowing malicious static initializers to execute before filtering. Confirmed actively exploited (CISA KEV). EPSS exploitation probability not provided, but the network-accessible, unauthenticated attack vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N) combined with KEV status indicates immediate patching is critical for applications calling IoBuffer.getObject().
Remote unauthenticated code execution in Apache MINA 2.1.0-2.1.11 and 2.2.0-2.2.6 allows attackers to bypass class allowlist protections via unsafe deserialization. The vulnerability exists because the fix for CVE-2026-41635 was not backported to the 2.1.X and 2.2.X branches, leaving AbstractIoBuffer.resolveClass() susceptible to arbitrary class instantiation when applications call IoBuffer.getObject(). Only applications actively using MINA's deserialization features are affected. EPSS data not available; no KEV listing or public POC identified at time of analysis.
Remote code execution in MixPHP Framework 2.x through 2.2.17 allows unauthenticated network attackers to execute arbitrary code via unsafe deserialization. The FileHandler class processes session and cache data using PHP's unserialize() on filesystem-sourced content without validation, enabling object injection attacks. CVSS 9.8 critical severity with network attack vector and no privileges required. SSVC assessment confirms automatable exploitation with total technical impact. No active exploitation confirmed at time of analysis (not in CISA KEV), but publicly available proof-of-concept exists (GitHub gist reference).
Remote unauthenticated code execution in MixPHP Framework 2.x through 2.2.17 allows attackers to execute arbitrary PHP code by injecting malicious serialized objects into Redis-backed session or cache storage. The framework's RedisHandler directly deserializes untrusted data from Redis using PHP's unserialize() function without validation. CVSS 9.8 with network vector, low complexity, and no privileges required. EPSS and KEV status not provided; SSVC framework marks this as automatable with total technical impact, indicating high exploitability despite no confirmed active exploitation at time of analysis.
Memory corruption in Linux kernel IPv6 ICMP error handling allows remote unauthenticated attackers to potentially achieve code execution or information disclosure. The vulnerability arises from incomplete control block (CB) sanitization when converting IPv4 ICMP errors to ICMPv6, enabling forged CIPSO options in outer IPv4 packets to manipulate inner IPv6 packet parsing. This can trigger out-of-bounds memory access extending into skb_shared_info structures. Despite CVSS 9.8 critical rating, EPSS exploitation probability is extremely low (0.02%, 7th percentile), no public exploit code exists, and CISA has not listed this as actively exploited. Patches are available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
A stack-based buffer overflow in the Linux kernel's IPv6-to-IPv4 tunneling (ip6_tunnel) code allows remote unauthenticated attackers to achieve arbitrary code execution. The vulnerability occurs when ip4ip6_err() passes a cloned skb with IPv6-formatted control buffer data to icmp_send(), which misinterprets it as IPv4 control buffer data. This type confusion causes __ip_options_echo() to read attacker-controlled packet data as a length value and copy up to that many bytes into a fixed 40-byte stack buffer, enabling remote exploitation with no prerequisites. EPSS score of 0.02% suggests limited exploitation probability despite critical CVSS 9.8 rating. Vendor-released patches are available across all maintained kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).
Double-free vulnerability in Linux kernel X.25 networking subsystem allows remote network attackers to potentially achieve denial of service or arbitrary code execution. The flaw occurs in x25_queue_rx_frame when socket buffer allocation fails, causing the same skb to be freed twice through the call chain from x25_backlog_rcv. Despite critical CVSS 9.8 score, exploitation probability remains low (EPSS 2%, 7th percentile) with no confirmed active exploitation (not in CISA KEV) and no public exploit code identified. Patches available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0).
Use-after-free in Linux kernel ksmbd (SMB server) during durable file handle scavenging allows memory corruption and potential remote code execution. When a durable SMB2 file handle survives session disconnect, the cleanup path dereferences a freed connection object via NULL fp->conn pointer during lock cleanup, causing a slab use-after-free. Exploitation probability is extremely low (EPSS 0.02%, 5th percentile) with no active exploitation confirmed. Vendor patches available across multiple stable kernel branches (6.12.84, 6.18.25, 7.0.2, 7.1-rc1) address the asymmetric cleanup by properly managing byte-range lock lifetimes during durable handle reconnection.
Out-of-bounds write in Linux kernel's ksmbd SMB server allows memory corruption when processing extended attributes (EA) in QUERY_INFO responses. The smb2_get_ea() function performs 4-byte alignment padding without checking remaining buffer space, causing 1-3 bytes to write past allocation boundaries when EA values exactly fill the response buffer. This occurs in compound SMB2 requests where shared response buffers are tightly constrained. EPSS score of 0.02% suggests minimal observed exploitation activity, though the CVSS 9.8 critical rating reflects the theoretical network-accessible, unauthenticated attack surface. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.84, 7.0.2, 7.1-rc1). Not listed in CISA KEV. This represents the third instance of the same vulnerability pattern in ksmbd QUERY_INFO handlers, following fixes in commits beef2634f81f and fda9522ed6af.
Remote code execution and information disclosure in Linux Kernel's TI ICSSG PRU Ethernet driver allows unauthenticated network attackers to leak kernel heap memory to userspace and potentially corrupt page_pool state. The zero-copy RX dispatch path fails to copy received packet data into newly allocated skbs, instead forwarding uninitialized heap memory up the network stack. Vendor patches available for kernel 6.19.12 and 7.0. EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity despite critical CVSS 9.8 rating and network attack vector.
Integer underflow in Open-SAE-J1939 library's transport protocol handler enables remote unauthenticated attackers to corrupt arbitrary memory locations via manipulated CAN frame sequence numbers. CVSS 9.8 reflects network-accessible attack surface with no authentication barriers, though exploitation requires deployment in CAN-connected environments (industrial control systems, automotive networks). EPSS data unavailable; SSVC indicates total technical impact with automated exploitation potential but no confirmed active exploitation.
Heap-based buffer overflow in hashcat 7.1.2 enables remote code execution or denial of service through maliciously crafted PKZIP hash files. Attackers can exploit inadequate input validation in the hex_to_binary function affecting PKZIP hash parser modules (17200, 17210, 17220, 17225, 17230) to overflow fixed-size buffers with arbitrary hex data. CVSS 9.8 reflects network-accessible attack vector requiring no authentication or user interaction, though real-world exploitation requires victim to process attacker-supplied hash files. EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation. Public proof-of-concept exists (GitHub Gist), elevating exploitation risk for environments processing untrusted hash files.
Heap-based buffer overflow in hashcat 7.1.2's Kerberos hash parser enables remote code execution without authentication. Attacker supplies a maliciously crafted Kerberos hash file with manipulated delimiter positions to overflow the fixed-size account_info buffer during memcpy operations in module_hash_decode. The vulnerability affects multiple Kerberos-related hashcat modules due to missing upper-bound validation on account_info_len before memory copy. CVSS 9.8 with network attack vector, but real-world exploitation requires user processing the malicious file. EPSS data not available; no active exploitation confirmed in CISA KEV at time of analysis.
Stack-based buffer overflow in hashcat 7.1.2's rule processing functions enables remote code execution when processing password candidates of 128+ characters. The vulnerability stems from inadequate bounds checking in mangle_to_hex_lower() and mangle_to_hex_upper() functions that fail to account for 2x memory expansion during byte-to-hex conversion. CVSS 9.8 (critical) with network attack vector and no authentication required. Public proof-of-concept code available via GitHub gist. No CISA KEV listing suggests targeted rather than widespread exploitation despite theoretical network exploitability.