Remote code execution in VM2 sandbox (npm package) versions ≤3.10.4 allows attackers to escape the JavaScript isolation boundary and execute arbitrary system commands on the host. The vulnerability exploits prototype chain traversal through Buffer.apply and __lookupGetter__ to access the host Function constructor, bypassing VM2's context isolation. Publicly available exploit code exists, and vendor-released patch version 3.11.0 addresses the issue. This is a complete sandbox escape requiring no authentication or user interaction, making it critical for environments executing untrusted code within VM2 contexts.
Full sandbox escape with arbitrary code execution allows remote attackers to break out of vm2's Node.js sandbox environment (version 3.10.4) and execute commands on the host system. Attacker-controlled code running inside VM.run() can obtain the host process object and execute arbitrary host commands without any cooperation from the host application. EPSS data not available, but this represents complete failure of the sandbox security boundary. Patch released in version 3.10.5 addresses eleven distinct escape vectors including Function constructor leakage, proxy unwrapping, util.inspect exposure, and WebAssembly exception handling.
Sandbox escape in vm2 for Node.js allows remote unauthenticated attackers to execute arbitrary commands on the host system. The vulnerability represents an insufficient fix for CVE-2023-37466, enabling attackers to circumvent sandbox protections through multiple attack vectors including Function constructor extraction, proxy unwrapping, property descriptor manipulation, and WebAssembly JSTag exploitation. CVSS 9.8 (Critical) with EPSS data unavailable, but the existence of a detailed security advisory and comprehensive patch from GitHub indicates active vendor awareness and rapid response. Patched in version 3.10.5 with eleven distinct fixes addressing various bypass techniques.
Remote code execution in WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) allows unauthenticated network attackers to execute arbitrary shell commands via OS command injection in the wireless.cgi binary. Attackers exploit unsanitized sz11gChannel or PIN POST parameters in set_wifi_basic and set_wifi_do_wps functions to achieve root-level code execution without authentication. Publicly available exploit code exists. CVSS v4.0 score of 9.3 reflects the critical nature: network-accessible, no complexity, no authentication required, with high confidentiality, integrity, and availability impact. SSVC assessment confirms POC availability, full automatable exploitation, and total technical impact-making this a high-priority remediation target despite no confirmed active exploitation (not CISA KEV-listed).
Unauthenticated remote attackers can trigger complete database wipes and data deletion in phpVMS 7.x through 7.0.5 by accessing an exposed legacy importer endpoint at /importer. The vulnerability stems from deprecated import functionality that remained publicly accessible without authentication checks, allowing remote data modification or destruction. Vendor-released patch (v7.0.6) confirmed via GitHub advisory GHSA-fv26-4939-62fh. No CISA KEV listing or public exploit code identified at time of analysis, but trivial exploitation (CVSS AV:N/AC:L/PR:N/UI:N) makes active targeting likely.
OS command injection in WDR201A WiFi Extender firmware v1.02 allows unauthenticated remote attackers to execute arbitrary shell commands via the gateway parameter in internet.cgi. Exploitation requires no user interaction or authentication against internet-exposed devices. Public exploit code exists (VulnCheck advisory), demonstrating active security research interest. CVSS 9.3 reflects maximum network exploitability (AV:N/AC:L/PR:N/UI:N) with high confidentiality, integrity, and availability impact on the device itself. No vendor patch identified at time of analysis for this discontinued consumer IoT product.
Remote code execution in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows unauthenticated attackers to execute arbitrary OS commands via the adm.cgi binary's reboot_time parameter. The vulnerability stems from unsanitized input handling in the reboot scheduling function, exploitable by sending crafted POST requests with shell metacharacters when reboot_enabled=1. Public exploit code exists (CVSS 9.3, SSVC: automatable/total impact), making this a critical priority for affected deployments despite no confirmed CISA KEV listing at time of analysis.
Remote unauthenticated command injection in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows attackers to execute arbitrary OS commands with device privileges via five vulnerable firewall.cgi handlers without authentication. Injected commands persist in NVRAM and automatically re-execute on every subsequent firewall request, creating a self-sustaining backdoor. Public exploit code exists per VulnCheck, making this an immediate weaponization risk for exposed devices. CVSS 9.3 reflects network attack vector with no complexity or authentication barriers (AV:N/AC:L/PR:N), though real-world impact depends on whether management interfaces are internet-exposed.
Remote code execution in WDR201A WiFi Extender (HW V2.1, FW ≤1.02) allows unauthenticated network attackers to execute arbitrary OS commands via the makeRequest.cgi binary. Exploitation requires no user interaction and has CVSS:4.0 score of 9.3. Publicly available exploit code exists (confirmed by VulnCheck and CISA SSVC framework), enabling automated attacks against exposed devices. SSVC designates this as automatable with total technical impact, representing immediate operational risk to internet-facing extenders.
Remote unauthenticated attackers can execute arbitrary code on Totolink N300RH routers version 3.2.4-B20220812 by sending crafted Password parameter values to the loginauth authentication function in /cgi-bin/cstecgi.cgi, triggering a stack-based buffer overflow. Exploitation probability is moderate (EPSS score not provided, but publicly available exploit code exists per VulDB reference). This affects consumer-grade wireless routers often deployed in home/SOHO environments with default internet-facing management interfaces, creating significant remote compromise risk despite the device's end-of-life status.
Remote unauthenticated buffer overflow in Totolink WA300 wireless repeater firmware version 5.2cu.7112_B20190227 enables complete device compromise via crafted HTTP POST requests to the login authentication handler. The vulnerability resides in the loginauth function within /cgi-bin/cstecgi.cgi, where insufficient validation of the http_host parameter allows attackers to overflow memory and achieve arbitrary code execution with device privileges. Publicly available exploit code exists (documented via Notion), enabling trivial exploitation with EPSS probability assessment pending but attack complexity rated low (AC:L) with no authentication barrier (PR:N).
Remote code execution via double-free memory corruption in Apache HTTP Server 2.4.66's HTTP/2 protocol implementation allows authenticated attackers to compromise server integrity and confidentiality with high impact. Vendor-released patch 2.4.67 addresses the issue. No public exploit or active exploitation confirmed at time of analysis, but SSVC framework rates technical impact as total, indicating complete system compromise potential.
Hardcoded authentication bypass in Easy PayPal Events & Tickets plugin allows unauthenticated remote attackers to retrieve sensitive order data by supplying 'test' as the hash parameter to the QR code scanning endpoint. Attackers can access PayPal transaction IDs, customer emails, purchase amounts, and ticket information for any order by enumerating post IDs. Public exploit code exists on GitHub, significantly lowering the exploitation barrier. The plugin was officially closed by WordPress.org on 2026-03-18, leaving installations vulnerable with no future patches.
Remote code execution in NetBox 4.3.5-4.5.4 allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary Python code as the NetBox service user by injecting malicious callables into Jinja2 template environment parameters. Attackers bypass SandboxedEnvironment protections by setting the finalize parameter to dangerous imports like subprocess.getoutput, which executes on every rendered expression outside sandbox call interception. Public proof-of-concept exploit exists (chocapikk.com), and upstream patch available via GitHub PR #22078 implements an allowlist-based validation mechanism that blocks unauthorized callable resolution at both save-time and render-time.
Stack-based buffer overflow in WDR201A WiFi Extender firewall.cgi and makeRequest.cgi binaries enables remote unauthenticated attackers to execute arbitrary code through crafted POST requests with oversized Content-Length headers. The vulnerability affects hardware version 2.1 running firmware LFMZX28040922V1.02, with publicly available proof-of-concept exploit code documented via AI-assisted vulnerability research. CVSS 8.3 with high attack complexity indicates exploitation requires advanced technical skills, though the network vector and lack of authentication requirements make this a significant risk for exposed IoT devices.
Unauthenticated attackers can enumerate and exfiltrate all customer order records from Easy PayPal Events & Tickets plugin for WordPress through an exposed QR code scanning endpoint. The scan_qr.php file accepts sequential WordPress post IDs without authentication, enabling complete database harvesting of payment and customer information. Publicly available exploit code exists, but no evidence of active exploitation (not in CISA KEV). The plugin was officially closed and removed from WordPress.org on 2026-03-18, leaving existing installations vulnerable with no official patch path.
Buffer over-read in Apache HTTP Server through 2.4.66 enables remote unauthenticated information disclosure at network scale. Attackers can read sensitive memory content without authentication or user interaction, achieving high confidentiality impact with low attack complexity. EPSS exploitation probability and KEV status not provided, but SSVC framework confirms the vulnerability is automatable with partial technical impact and no active exploitation detected at time of analysis. Patch released in version 2.4.67.
Path normalization bypass in fast-uri 3.1.0 and earlier allows remote attackers to circumvent path-based access controls through percent-encoded path traversal sequences. The normalize() and equal() functions decode URL-encoded separators (%2F) and dot segments (%2E) before applying normalization rules, causing distinct URIs to collapse onto identical normalized paths. Applications relying on fast-uri for URL validation in authorization checks can be tricked into allowing access to restricted resources. EPSS exploitation probability not yet calculated given recent disclosure; no active exploitation confirmed (not in CISA KEV), but attack vector is trivial (CVSS AV:N/AC:L/PR:N/UI:N) and patch is available in version 3.1.1.
Memory exhaustion in Prometheus remote read endpoint allows unauthenticated attackers to crash the monitoring server via maliciously crafted snappy-compressed payloads. The /api/v1/read endpoint in versions prior to 3.5.3 and 3.11.3 accepts compressed request bodies without validating the declared decoded length, enabling a 5-byte payload claiming 256 MiB decoded size to trigger massive heap allocations. Concurrent requests can exhaust memory and crash the Prometheus process. EPSS data not provided; no evidence of active exploitation (not in CISA KEV). Vendor-released patches available in versions 3.5.3 and 3.11.3.
Prometheus monitoring system exposes Azure AD OAuth client secrets in plaintext via its /-/config HTTP API endpoint. Versions prior to 3.5.3 and 3.11.3 incorrectly type the client_secret field as a plain string instead of Prometheus's redacted Secret type, allowing remote unauthenticated attackers to retrieve sensitive Azure credentials from any exposed Prometheus instance configured for Azure AD remote write. The vulnerability has low exploitation complexity (CVSS AV:N/AC:L/PR:N) with 7.5 severity. Vendor-confirmed patches available in versions 3.5.3 and 3.11.3 (GitHub releases confirmed). EPSS data not provided; no CISA KEV listing indicating targeted exploitation campaigns at time of analysis.
Remote authenticated attackers can execute arbitrary code on Totolink N300RH 3.2.4-B20220812 routers via buffer overflow in the setMacFilterRules function. Exploitation requires low-privilege authentication to the router's web interface, then sending a crafted POST request with an oversized mac_address parameter to /cgi-bin/cstecgi.cgi. Public exploit code is available (documented on Notion), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of network attack vector, publicly available POC, and vulnerable IoT device suggest moderate real-world risk for internet-exposed routers with default or weak credentials.
Buffer overflow in Totolink N300RH router firmware 3.2.4-B20220812 allows authenticated remote attackers to achieve complete device compromise via crafted DNS parameter in WAN configuration requests. The vulnerability exists in the setWanConfig function within /cgi-bin/cstecgi.cgi POST handler, exploitable by manipulating the priDns argument. Public exploit code is available (CVSS E:P), and CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact on the vulnerable device with no cross-scope effects.
Buffer overflow in Totolink N300RH router firmware 3.2.4-B20220812 enables authenticated remote attackers to achieve code execution via crafted FileName parameter to the setUpgradeFW function in /cgi-bin/cstecgi.cgi. Public exploit code is available (documented in Notion). CVSS 7.4 with CVSS 4.0 Exploit maturity 'Proof-of-concept' confirms POC exists. Not listed in CISA KEV, suggesting limited real-world exploitation despite public POC.
Buffer overflow in Totolink WA300 wireless range extender firmware 5.2cu.7112_B20190227 allows authenticated remote attackers to execute arbitrary code or crash the device via crafted File parameter to the UploadCustomModule function in /cgi-bin/cstecgi.cgi. Public proof-of-concept exploit exists (documented in Notion page), enabling low-skill exploitation. EPSS data not available, but low attack complexity (AC:L) and network attack vector (AV:N) combined with public POC indicate elevated real-world risk for affected devices exposed to untrusted authenticated users.
Arbitrary file upload in OpenSTAManager 2.10 and earlier allows authenticated high-privilege users to upload malicious files via the module update functionality at modules/aggiornamenti/upload_modules.php, leading to remote code execution. Publicly available exploit code exists (GitHub POC), though EPSS exploitation probability remains low (2%, 5th percentile), suggesting limited observed exploitation activity. CVSS 7.2 reflects high impact but requires high-privilege authentication (PR:H), substantially limiting attack surface to compromised admin accounts or malicious insiders.
nginx-ui prior to version 2.3.8 exposes sensitive configuration values including node.secret via an authenticated GET /api/settings endpoint, allowing an authenticated user to retrieve the shared authentication secret and subsequently impersonate the init administrative user by sending requests with the stolen node.secret via the X-Node-Secret header or node_secret query parameter. This enables privilege escalation and full administrative access to the Nginx configuration interface without additional authentication.
Remote unauthenticated code execution in GeoVision GV-VMS V20 WebCam Server allows attackers to execute arbitrary code as SYSTEM via stack buffer overflow. The `gvapi` endpoint bypasses standard authentication and copies base64-decoded HTTP Authorization headers into a 256-byte stack buffer without bounds checking, enabling full stack control. The WebCam Server binary is compiled without ASLR, significantly lowering exploitation complexity. CVSS 10.0 with network vector, no prerequisites, and changed scope reflecting system-level compromise. Publicly disclosed by Cisco Talos and vendor advisory available from GeoVision.
Sandbox escape leading to remote code execution in the vm2 Node.js sandbox library affects all versions prior to 3.11.0, where the JavaScript SuppressedError mechanism (combined with DisposableStack disposal) lets untrusted code running inside the sandbox reach a host constructor and execute arbitrary commands on the underlying server. Any application that relies on vm2 to safely run attacker-controlled or untrusted JavaScript is fully compromised, with a working proof-of-concept published in the GHSA advisory. There is publicly available exploit code but no confirmed active exploitation; the SSVC framework rates it POC, automatable, with total technical impact, while EPSS remains low at 0.06%.
Privilege escalation in GeoVision LPC2011/LPC2211 1.10 web interface allows authenticated remote attackers to execute privileged operations via crafted HTTP requests. The vulnerability enables scope change (S:C) indicating potential escape from restricted web interface contexts to underlying system privileges. CVSS 9.9 (Critical) with low attack complexity and no user interaction required, making this exploitable by any authenticated user through simple web requests. No public exploit identified at time of analysis.
Tenant administrators in Comet Backup 20.11.0 through 26.1.1 and 26.2.1 can impersonate any end-user account across different tenants on the same server through an insecure direct object reference (IDOR) in an API endpoint. The vulnerability enables complete cross-tenant authentication bypass in multi-tenant deployments, allowing unauthorized access to backup data, configurations, and operations of arbitrary users. With CVSS 9.9 (Critical) rating and network-accessible exploitation requiring no privileges, this represents an immediate risk to managed service providers and multi-tenant Comet Backup installations, though no active exploitation has been confirmed via CISA KEV at time of analysis.
Remote code execution in Evolver versions before 1.69.3 allows unauthenticated network attackers to execute arbitrary shell commands via command injection in the _extractLLM() function. Attackers exploit unsanitized corpus parameters passed to execSync() through string concatenation in a curl command, achieving full system compromise. GitHub security advisory GHSA-j5w5-568x-rq53 confirms the vulnerability with proof-of-concept demonstrating shell command substitution bypass. CVSS score of 9.8 reflects no authentication or user interaction requirements. No CISA KEV listing or EPSS data provided, suggesting exploitation status remains uncertain beyond confirmed POC availability.
Apache OpenNLP's model loading mechanism executes arbitrary static initializers through crafted manifest entries, enabling attackers to trigger side effects in any classpath class before type validation occurs. Affects OpenNLP versions before 2.5.9 and 3.0.0-M3. While not direct RCE, exploitation becomes viable when third-party models from untrusted sources (community repositories, model-sharing platforms) are loaded in environments containing classes with JNDI lookups, network I/O, or filesystem operations in static initializers. EPSS score of 0.29% suggests low widespread exploitation probability despite CVSS 9.8, though attack surface grows with model-sharing ecosystem adoption. No public exploit identified at time of analysis; vendor-released patches available.
Remote code execution in vm2 (Node.js sandbox library) versions prior to 3.11.0 allows unauthenticated attackers to escape the sandbox environment via the inspect function and execute arbitrary system commands. The vulnerability exploits handler leakage through util.inspect's showProxy option to reconstruct host-realm objects and break isolation guarantees. CRITICAL: This is a complete sandbox bypass affecting all deployments using vm2 for untrusted code execution. Vendor-released patch available in version 3.11.0 with multiple commits addressing eight distinct exploitation primitives discovered during iterative disclosure.
Remote code execution in GeoVision GV-VMS V20 (version 20.0.2) allows unauthenticated attackers to corrupt stack memory via a crafted HTTP request to the WebCam Server Login functionality, leading to arbitrary code execution on the video management system. The flaw is a CWE-787 out-of-bounds write (stack buffer overflow) carrying a CVSS 9.8 score, and no public exploit identified at time of analysis, though Talos has published a vulnerability report (TALOS-2026-2369). EPSS is currently low at 0.12%, but the unauthenticated network attack surface on a video surveillance product makes this a high-priority patching target.
D-Link DIR-600L Hardware Revision B1 routers expose a hardcoded telnet backdoor granting unauthenticated remote attackers root shell access via static credentials ('Alphanetworks' / 'wrgn61_dlwbr_dir600L'). The vulnerability affects End-of-Life devices that will never receive patches, making permanent network isolation or replacement the only remediation options. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and publicly documented credentials, this represents critical risk for any exposed device, though exploitation requires local network access despite the 'Network' attack vector classification.
Hardcoded telnet backdoor in D-Link DIR-456U Hardware Revision A1 firmware grants remote unauthenticated attackers root shell access using static credentials ('Alphanetworks' / 'whdrv01_dlob_dir456U'). The telnet daemon launches automatically at boot via /etc/init0.d/S80telnetd.sh and validates credentials through strcmp() comparison against hardcoded values in /etc/config/image_sign. Device is End-of-Life with no patches forthcoming. CVSS 9.8 reflects network-accessible unauthenticated remote code execution, though exploitation requires local network access to telnet service.
Remote root shell access via hardcoded telnet backdoor in D-Link DIR-600L Hardware Revision A1 allows network-adjacent attackers to authenticate with publicly known credentials ('Alphanetworks' / 'wrgn35_dlwbr_dir600l') and obtain full administrative control. The backdoor telnet daemon launches automatically at boot with static credentials stored in /etc/alpha_config/image_sign. The device is End-of-Life with no patches forthcoming, creating permanent exposure for deployed units. EPSS data not available; no CISA KEV listing identified, though the trivial exploitation complexity (CVSS AC:L, PR:N) and public disclosure make exploitation highly likely once details are disseminated.
Hardcoded telnet backdoor in D-Link DIR-605L Hardware Revision B2 firmware enables unauthenticated root access for remote attackers on the local network using static credentials 'Alphanetworks:wrgn76_dlwbr_dir605L'. The telnet daemon starts automatically at boot, validating credentials via strcmp() against hardcoded values in /etc/alpha_config/image_sign, granting complete administrative control to anyone who knows the password. This End-of-Life device will receive no security patches. EPSS data not available; no CISA KEV listing identified at time of analysis, suggesting targeted disclosure rather than widespread exploitation campaigns.
Remote code execution via reflected XSS in Tegsoft Online Support Application V3 through build 31122025 allows unauthenticated attackers to execute arbitrary JavaScript in victim browsers with full application privileges. Despite being classified as CWE-79 (XSS), the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates critical impact typically reserved for RCE vulnerabilities, suggesting severe exploitation potential beyond typical XSS. Reported by TR-CERT (Turkish national CERT) with advisory published at USOM, indicating regional significance. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis.
Heap buffer overflow in Assimp's FBX importer allows remote code execution when processing malicious FBX files. The vulnerability affects Assimp versions up to 6.0.2 through unsafe strcpy() operations in aiMaterial::AddBinaryProperty, enabling attackers to achieve arbitrary code execution with high CVSS severity (9.8). A proof-of-concept exploit is publicly available via GitHub Gist, though EPSS indicates only 0.02% exploitation probability and no CISA KEV listing exists, suggesting limited active exploitation despite the theoretical severity.
OS command injection in wireshark-mcp's quick_capture function allows remote unauthenticated attackers to execute arbitrary operating system commands with publicly available exploit code. The vulnerability affects all versions of the rolling-release project through commit 400c3da70074f22f3cce7ccb65304cafc7089c89, with CVSS 5.5 reflecting low confidentiality, integrity, and availability impact but network-accessible exploitation vector. Active public exploit availability increases real-world risk despite moderate CVSS score.
Remote code execution in Notesnook Desktop (Electron-based) via stored XSS in the note export-to-PDF flow allows unauthenticated remote attackers to execute arbitrary code when a user opens a maliciously crafted note. The vulnerability stems from unescaped HTML in exported note fields (title, headline, content) that execute in an Electron iframe with nodeIntegration enabled and contextIsolation disabled, escalating browser-based XSS to full RCE. Affects Notesnook Web/Desktop <3.3.15 and iOS/Android <3.3.20. CVSS 9.6 with changed scope (S:C) reflects privilege escalation from browser context to system-level code execution. EPSS and KEV data not provided, but requires user interaction (UI:R) to export/view the malicious note, limiting automated exploitation.
Privilege escalation in OpenC3 COSMOS allows low-privileged authenticated users to bypass API authorization and perform administrative actions by executing crafted Python or Ruby scripts via the Script Runner widget. Attackers can directly access Redis database (exposing secrets and configuration settings) and the MinIO buckets service (containing logs, configs, and plugins) due to unrestricted container-to-container network access in the Docker deployment. Vendor-released patch available in version 7.0.0-rc3 and confirmed in 7.0.0 stable release. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. CVSS 9.6 (Critical) with scope change reflects the container escape-like privilege boundary violation.
SQL injection in OpenC3 COSMOS 6.7.0 to 7.0.0-rc2 allows authenticated users with minimal 'tlm' (telemetry viewer) privileges to execute arbitrary SQL commands against the QuestDB time-series database. Attackers can exfiltrate all telemetry data, drop tables, or manipulate historical records via the get_tlm_values RPC endpoint by injecting malicious SQL into the start_time parameter. Vendor-released patch available in version 7.0.0-rc3 (commit 9ba60c0). No active exploitation confirmed (not in CISA KEV), but GitHub advisory includes working proof-of-concept payloads demonstrating both data extraction and table deletion.
Buffer overflow in Qualcomm Snapdragon firmware enables authentication bypass on adjacent networks, allowing remote unauthenticated attackers to achieve complete system compromise with high impact to confidentiality, integrity, and availability. The vulnerability stems from incorrect authorization logic (CWE-863) that fails to prevent buffer overflow conditions. CVSS score of 9.6 reflects adjacent network attack vector with low complexity and no required privileges or user interaction, with scope change indicating container/hypervisor escape or lateral movement potential. No CISA KEV listing or public exploit identified at time of analysis, though EPSS data not available to assess exploitation probability.
Authentication bypass in Prefect WebSocket endpoint /api/events/in allows unauthenticated remote attackers to send events without valid credentials in versions up to 3.6.13. The vulnerability exploits missing authentication validation on the WebSocket connection handshake, allowing attackers to interact with the events API when authentication is configured. A publicly available exploit exists; vendor patch version 3.6.14 addresses this by implementing mandatory subprotocol-based authentication handshake.
Authentication bypass in Calibre-Web-Automated up to version 4.0.6 allows remote unauthenticated attackers to access admin endpoints in the cps/cwa_functions.py component, specifically affecting Convert Library and EPUB Fixer administrative functions. Multiple endpoints lacking required authentication decorators (@login_required_if_no_ano and @admin_required) permit unauthorized users to trigger book conversions, manage conversion jobs, download logs, and manipulate EPUB files. Publicly available exploit code exists and patch is available from vendor.
Authentication bypass in Prefect up to version 3.6.21 allows remote unauthenticated attackers to access the Health Check API endpoint by manipulating the request path suffix matching logic. The vulnerability affects the /api/health endpoint's improper authentication validation using the endswith() function, enabling attackers to craft requests that bypass authentication checks. Publicly available exploit code exists and the vendor has released patch version 3.6.22.
Unrestricted file upload in funadmin up to version 7.1.0-rc6 allows remote attackers to upload arbitrary files via the Frontend Chunked Upload Endpoint (UploadService::chunkUpload function). The vulnerability stems from insufficient validation of the File parameter and can be exploited without authentication; publicly available exploit code exists and a patch (PR #59) has been released by the vendor.
Path traversal (Zip Slip) vulnerability in OpenMRS Core ≤ 2.7.8 and 2.8.0-2.8.5 allows authenticated administrators to achieve remote code execution by uploading a malicious .omod module archive to the REST API endpoint POST /openmrs/ws/rest/v1/module. Attackers can write arbitrary JSP files to the Tomcat webroot via crafted ZIP entries containing directory traversal sequences (e.g., web/module/../../../../malicious.jsp), which bypass incomplete path validation in WebModuleUtil.startModule(). The vulnerability also bypasses the module.allow_web_admin security control, as the REST API does not enforce this restriction despite Legacy UI being protected. No vendor-released patch identified at time of analysis for either affected version range.