Server-side request forgery in JeecgBoot up to 3.9.1 allows authenticated remote attackers to manipulate the CommonController.uploadImgByHttp endpoint and trigger arbitrary HTTP requests from the server, with publicly available exploit code and vendor confirmation of the issue. The vulnerability affects the image upload functionality through HttpFileToMultipartFileUtil.httpFileToMultipartFile and downloadImageData methods, enabling attackers with valid credentials to abuse the application as a proxy for outbound requests.
Improper authorization in code-projects Online Hospital Management System 1.0 allows authenticated remote attackers to manipulate the Username parameter in the Registration Handler, bypassing access controls and modifying user authorization. The vulnerability requires valid authentication credentials but results in integrity impact to user accounts. Publicly available exploit code exists for this vulnerability.
Stored Cross-Site Scripting (XSS) in Quiz Maker by AYS WordPress plugin versions up to 6.7.1.29 allows unauthenticated attackers to inject arbitrary JavaScript through the 'rate_reason' parameter due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users who view affected pages, enabling credential theft, malware distribution, or defacement without requiring authentication or user interaction.
Improper authorization in ChatGPTNextWeb NextChat up to version 2.16.1 allows remote unauthenticated attackers to bypass access controls in the addMcpServer function (app/mcp/actions.ts), potentially disclosing sensitive information. The vulnerability has a CVSS score of 5.5 (moderate severity) with public exploit code available, though the vendor has not yet responded to the disclosed issue.
Local denial-of-service in the Linux kernel's vidtv virtual DVB media driver allows an authenticated local user to crash the kernel via a NULL pointer dereference triggered by uninitialized struct fields in vidtv_ts_null_write_into() and vidtv_ts_pcr_write_into(). Affected kernel versions span from commit f90cf6079bf6 across multiple stable branches through Linux 5.10, with fixes backported to 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0.1, and 7.1-rc1. No public exploit identified at time of analysis, EPSS is 0.02% (7th percentile), and this CVE is not listed in the CISA KEV catalog, reflecting its low real-world exploitation likelihood.
Wireshark 4.6.0 through 4.6.4 crashes when processing malformed IEEE 802.11 frames due to a null pointer dereference in the protocol dissector. An attacker can trigger denial of service by crafting or replaying a specially malformed wireless packet that causes the dissector to crash when analyzed, rendering packet analysis impossible until the application restarts. CVSS score 5.5 reflects local attack vector with user interaction required; no public exploit code has been identified at time of analysis.
Stored Cross-Site Scripting in Premium Addons for Elementor plugin for WordPress up to version 4.11.70 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript via the 'custom_svg' parameter, which executes in the browsers of users viewing the affected pages. The vulnerability stems from insufficient input sanitization and output escaping on a user-controllable SVG parameter. No public exploit code or active exploitation has been identified at the time of analysis.
Stored Cross-Site Scripting in Total WordPress theme versions up to 2.2.1 allows authenticated contributors and above to inject arbitrary JavaScript via post titles in the home blog section. The vulnerability stems from insufficient output escaping when rendering post titles in HTML attribute context. Exploitation requires the malicious post to be published and displayed with a featured image on the home page, where the injected script will execute in the browsers of all users viewing the page. No public exploit code has been identified, and active exploitation has not been confirmed.
My Social Feeds - Social Feeds Embedder WordPress plugin up to version 1.0.4 exposes sensitive TikTok OAuth credentials via an unauthenticated AJAX endpoint due to missing authorization and nonce checks. Authenticated attackers with Subscriber-level access can retrieve stored access_token and refresh_token values belonging to administrator-connected TikTok accounts, enabling them to impersonate the site owner in TikTok API interactions. No public exploit code or active exploitation has been reported at the time of analysis, though the vulnerability is trivial to exploit once network access is established.
Denial of service in Open5GS AMF (Access and Mobility Function) up to version 2.7.6 allows authenticated remote attackers to cause service unavailability by sending crafted registration requests with manipulated reg_type arguments. The vulnerability exists in the GMM (Mobility Management) handler due to insufficient validation of registration type values, potentially triggering null pointer dereferences or assertion failures. Vendor-released patch version 2.7.7 is available.
Authenticated attackers with Subscriber-level access can modify the profile avatar of any WordPress user, including administrators, via an Insecure Direct Object Reference in the App Builder - Create Native Android & iOS Apps On The Flight plugin versions up to 5.6.0. The `/wp-json/app-builder/v1/upload-avatar` endpoint fails to validate that the authenticated user owns the target account before processing avatar uploads, allowing privilege escalation and account compromise through arbitrary user_id parameter submission in POST requests. No public exploit code or active exploitation has been identified at time of analysis.
Unauthenticated remote attackers can extract sensitive user information including email addresses, usernames, and user IDs through the '/dokan/v1/stores/{id}/reviews' REST API endpoint in Dokan plugin versions up to 4.3.1. The vulnerability affects only installations with the Pro version activated and store reviews enabled, allowing information disclosure of all customers who left vendor reviews. No public exploit code has been identified, but the attack requires no authentication or user interaction and can be automated at scale.
Unauthenticated attackers can bypass authorization controls in FundPress WordPress Donation Plugin versions up to 2.0.8 to arbitrarily modify donation statuses via the donate_action_status() AJAX handler, which lacks nonce verification and capability checks despite being exposed to unauthenticated users. By enumerating sequential donation IDs and sending crafted POST requests, attackers can mark donations as completed, pending, or cancelled, potentially triggering email notifications and corrupting donation records without any user interaction or authentication.
Unauthenticated attackers can modify form action metadata on WordPress posts through the Royal Addons for Elementor plugin (versions up to 1.7.1056) due to a missing capability check on the wpr_update_form_action_meta AJAX endpoint. The endpoint registers on both wp_ajax and wp_ajax_nopriv hooks, is accessible without authentication, and relies on a nonce that is publicly exposed in frontend JavaScript, allowing attackers to bypass the nonce protection and alter email, Mailchimp, and webhook settings on any post. This enables attackers to hijack form submissions, exfiltrate data via modified webhook URLs, or redirect emails to attacker-controlled addresses without any user interaction or special configuration required.
Unauthenticated attackers can approve any WordPress booking in 'waiting' status via the admin-ajax endpoint in Amelia plugin versions up to 2.1.2, due to a logical short-circuit flaw that skips token validation when the booking status matches a specific condition. An attacker can craft a direct request to the publicly-accessible endpoint to approve arbitrary bookings without authentication. This impacts all installations with pending bookings and exposes the booking workflow integrity across WordPress sites using this plugin.
Stored Cross-Site Scripting in Call for Price for WooCommerce plugin versions up to 4.2.0 allows authenticated administrators to inject arbitrary JavaScript via plugin settings that executes for all users visiting affected pages. The vulnerability requires administrator-level access and is limited to WordPress multisite installations or single-site installations with the unfiltered_html capability disabled, significantly reducing real-world exposure compared to the CVSS score of 4.4 suggests.
Server-Side Request Forgery in the Ona WordPress theme versions up to 1.26 via the ona_activate_child_theme function allows authenticated administrators to make arbitrary web requests originating from the affected server, enabling query and modification of internal services. The vulnerability requires administrator-level privileges and high attack complexity, limiting real-world exploitation to compromised or malicious admin accounts. No public exploit code or active exploitation has been identified.
TRENDnet TEW-821DAP firmware version 1.12B01 transmits sensitive information in cleartext via the /www/cgi/ssi endpoint during firmware updates, allowing remote unauthenticated attackers to intercept credentials or configuration data. The vulnerability affects end-of-life hardware (version v1.xR) discontinued 8 years ago and no longer supported by the vendor. Public exploit code is available, though the attack requires high complexity conditions to execute successfully.
Remote command injection in crazyrabbitLTC mcp-code-review-server up to version 0.1.0 allows authenticated attackers to execute arbitrary system commands via manipulation of the executeRepomix function in the RepoMix Command Handler. The vulnerability stems from unsafe use of the exec() function with unsanitized user-supplied options. Public exploit code is available, and while a fix has been proposed via pull request, the maintainer has not yet merged or released a patched version.
Server-side request forgery in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to manipulate the originUrl parameter in OpenApiController.add and OpenApiController.call methods, enabling arbitrary HTTP requests from the affected server. The vulnerability requires low-level authentication privileges and carries minimal direct impact (CVSS 2.1), but public exploit code exists and vendors confirmed the issue with a fix planned for an upcoming release.
Server-side request forgery in JeecgBoot up to version 3.9.1 affects the checkPathTraversalBatch function in FileDownloadUtils.java within the LoadFile endpoint. Authenticated remote attackers can manipulate the files argument to trigger SSRF, allowing them to make unauthorized requests to internal or external resources. Publicly disclosed exploit code exists, and the vendor has confirmed the issue with a fix promised in an upcoming release.
Improper authorization in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to manipulate the ruleClass parameter in the /sys/fillRule/edit endpoint, leading to unauthorized access and information disclosure. The vulnerability affects the FillRuleUtil component and has publicly available exploit code; the vendor confirmed the issue and committed to patching in an upcoming release.
Permissive cross-domain policy in ChatGPTNextWeb NextChat up to version 2.16.1 allows remote attackers with user interaction to manipulate the Next.js API endpoint and enable untrusted domains to access application resources, leading to information disclosure. Public exploit code exists for this vulnerability, though the vendor has not yet responded to early disclosure notification.
SQL injection in itsourcecode Courier Management System 1.0 allows high-privilege remote attackers to manipulate the ID parameter in /edit_user.php, leading to unauthorized database queries with limited confidentiality and integrity impact. Exploit code has been publicly disclosed, though the CVSS 4.0 score of 2.0 and requirement for high-privilege authentication significantly constrain real-world risk.