Frontend File Manager Plugin for WordPress through version 23.6 allows authenticated Subscriber-level users and higher to read arbitrary files belonging to other users via insecure direct object reference (IDOR) in the download endpoint. By manipulating the 'file_id' parameter, attackers can bypass authorization checks and access sensitive data stored by administrators and other privileged users. Publicly available exploit code exists for this vulnerability, though EPSS scoring (0.02%) suggests limited real-world exploitation relative to its high CVSS rating.
OS command injection in Tiandy Easy7 Integrated Management Platform 7.17.0 allows remote unauthenticated attackers to execute arbitrary system commands via the 'week' parameter in the /Easy7/rest/systemInfo/updateDbBackupInfo endpoint. The vulnerability has publicly available exploit code and is being actively tracked; the vendor has not responded to disclosure attempts.
Authentication bypass in YunaiV yudao-cloud (versions up to 2026.01) allows remote unauthenticated attackers to obtain unauthorized access tokens via manipulation of the getAccessToken function in OAuth2TokenServiceImpl.java. Public exploit code exists (GitHub PoC available), enabling attackers to bypass authentication controls and gain low-level access to confidential data, integrity, and availability. EPSS risk assessment unavailable, but the combination of network attack vector, low complexity (AC:L), no authentication requirement (PR:N), and publicly available exploit creates immediate exploitation risk. Vendor was notified but did not respond, leaving no official patch timeline.
Code injection via Websocket API in AV Stumpfl Pixera Two Media Server ≤25.2 R2 allows unauthenticated remote attackers to execute arbitrary code with low complexity. Publicly available exploit code (GitHub Gist) enables network-based compromise with partial impact to confidentiality, integrity, and availability (CVSS:3.1/C:L/I:L/A:L). Vendor-released patch version 25.2 R3 addresses the vulnerability. Despite network vector and proof-of-concept availability, no CISA KEV listing or EPSS data indicates limited observed exploitation at time of analysis.
Authorization bypass in jsbroks COCO Annotator up to version 0.11.1 allows remote unauthenticated attackers to modify dataset parameters via manipulation of the DatasetId argument in the Dataset API endpoint backend/webserver/api/datasets.py, enabling unauthorized access to and modification of annotation datasets. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications.
Authorization bypass in AFFiNE up to version 0.26.3 allows remote unauthenticated attackers to access restricted document previews through the Public Markdown Preview Endpoint (/workspace/:workspaceId/:docId). The allowDocPreview function fails to properly validate access permissions, enabling attackers to retrieve sensitive document content without authentication. Public exploit code is available, and the vendor has not responded to early disclosure attempts.
Improper access controls in Adblock Plus up to version 4.36.2 on Chrome allow unauthenticated remote attackers to bypass Premium activation controls via manipulation of the postMessage function in premium.preload.js, granting temporary trial access to Premium features. The vulnerability affects a deprecated legacy activation flow and has publicly available exploit code; however, vendor analysis indicates the practical impact is limited because the licensing server issues only short-lived trial licenses (approximately 24 hours) that expire on next validation against real subscriptions, and the exploit has not been weaponized at scale.
SQL injection in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 allows remote unauthenticated attackers to read, modify, or delete database contents via the fCircuitids parameter in /SubstationWEBV2/main/elecMaxMinAvgValue endpoint. Publicly available exploit code exists (VulDB 360864) with low attack complexity (CVSS AC:L), enabling attackers to compromise confidentiality, integrity, and availability of backend data. EPSS data unavailable; not listed in CISA KEV. Vendor was notified but remains unresponsive, suggesting no official patch timeline.
SQL injection in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0 allows remote unauthenticated attackers to manipulate the fCircuitids parameter in the /SubstationWEBV2/main/elecMaxMinAvgValue endpoint, leading to unauthorized database queries and potential information disclosure. Publicly available exploit code exists and the vulnerability affects a widely used industrial energy management system with no vendor response or patch confirmation.
HTTP request smuggling in Starlet through version 0.31 allows remote unauthenticated attackers to bypass header validation by exploiting incorrect precedence of Content-Length over Transfer-Encoding headers. The vulnerability violates RFC 7230 section 3.3.3, which mandates that Transfer-Encoding must take precedence when both headers are present. An attacker positioned between a client and Starlet-based backend can craft malicious requests that are interpreted differently by a front-end reverse proxy and the Starlet server, enabling request smuggling attacks with integrity impact.