Remote code execution in SEPPmail Secure Email Gateway versions prior to 15.0.2.1 enables unauthenticated attackers to execute arbitrary Perl code via the GINA UI. The vulnerability stems from an endpoint passing unsanitized user input directly to Perl's eval function, allowing complete system compromise. Reported by Switzerland's national CERT (NCSC.ch), this represents a critical pre-authentication attack surface requiring immediate patching.
Authorization bypass in SEPPmail Secure Email Gateway versions prior to 15.0.4 enables remote unauthenticated attackers to access privileged GINA UI endpoints without authentication. The vulnerability (CISA reported by Swiss NCSC) affects core access control mechanisms with CVSS 9.3 critical severity, allowing complete system compromise through network-accessible administrative interfaces. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, but the network-accessible attack vector with no authentication barrier presents immediate risk to internet-facing deployments.
Stored XSS in PrestaShop back-office Customer Service enables unauthenticated attackers to achieve full back-office takeover via malicious Contact Us form submissions. The vulnerability affects PrestaShop versions prior to 8.2.6 and 9.0.0-9.1.0, with patches released in versions 8.2.6 and 9.1.1. Despite the 9.3 CVSS score reflecting critical severity due to network attack vector, low complexity, and scope change, the CVSS UI:R requirement (user interaction) means exploitation requires a back-office employee to open the malicious customer thread. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread active exploitation despite the critical impact potential.
Brute-force authentication bypass in CashDro 3 web administration panel 24.01.00.26 enables remote unauthenticated attackers to gain full administrative access. The system accepts numeric PINs without account lockout mechanisms, a legacy design from 2012 POS integrations. Successful exploitation grants access to confidential configuration settings with high impact to confidentiality and integrity (CVSS 9.3). No public exploit identified at time of analysis, though exploitation is trivial given the vulnerability class. Patch available per vendor advisory from INCIBE.
Authentication bypass in Nhost (open-source Firebase alternative) allows account takeover via OAuth email verification bypass. Attackers can claim a victim's email address on vulnerable OAuth providers (Discord, Bitbucket, AzureAD, EntraID) without verification, then authenticate to Nhost and receive a full session merged into the victim's existing account. The flaw affects multiple OAuth provider adapters that incorrectly populate the EmailVerified field - Discord silently drops the API's verified flag, Bitbucket accepts unconfirmed emails as verified, and Microsoft providers derive emails from non-ownership-proving fields like user principal names. Patched in version 0.49.1 per GitHub Security Advisory GHSA-6g38-8j4p-j3pr. No public exploit identified at time of analysis, but attack is trivially executable given the detailed technical disclosure.
Consensus failure in Zebra nodes before 4.3.1 allows remote attackers to trigger network partitioning by submitting V4 or V5 transactions with invalid sighash hash types. After a refactoring removed critical validation logic from C++ FFI code, Zebra failed to enforce consensus rules restricting hash type values in transparent transaction signatures, creating divergence from zcashd nodes. Attackers can exploit this remotely without authentication (CVSS:4.0 AV:N/AC:L/PR:N) to partition the Zcash network and enable potential double-spend attacks. No public exploit identified at time of analysis, but GitHub advisory (GHSA-8m29-fpq5-89jj) confirms the attack mechanism and vendor-released patches are available.
Remote code execution in SEPPmail Secure Email Gateway via insecure deserialization allows unauthenticated attackers to execute arbitrary code through the GINA UI interface. Versions prior to 15.0.4 deserialize untrusted data without validation, enabling attackers to send crafted serialized objects that execute upon processing. CVSS 9.2 reflects network-accessible attack with low complexity requiring only present attack conditions, though no active exploitation (KEV) or public POC has been identified at time of analysis.
DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 contain an OS command injection vulnerability in the CGI login handler that allows unauthenticated remote attackers to execute arbitrary commands. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required.
Remote code execution in Amazon Redshift JDBC Driver versions prior to 2.2.2 allows unauthenticated network attackers to execute arbitrary code by manipulating JDBC connection URL parameters under high-complexity conditions. The driver can be exploited to load and execute arbitrary classes from the application's classpath when specific connection URL parameters are controlled by an attacker. AWS released patch version 2.2.2 with GHSA advisory GHSA-wmmv-vvg5-993q. CVSS 9.2 (Critical) reflects high impact across confidentiality, integrity, and availability, though attack complexity is high and attack vector prerequisites are present.
Remote attackers can crash ZEBRA Zcash nodes by submitting a crafted Orchard transaction containing an identity value in the rk (randomized validating key) field, triggering a panic in the orchard crate's verification logic. All ZEBRA versions prior to 4.3.1 are affected. This critical denial-of-service vulnerability requires no authentication and has low attack complexity (CVSS 4.0: 9.2, AV:N/AC:L/PR:N). The issue stems from improper handling of the elliptic curve point identity value during transaction verification, where the orchard crate's unwrap() call on coordinate extraction causes an unhandled panic. Fixed in zebrad 4.3.1 and zebra-chain 6.0.2 by rejecting identity rk values during transaction parsing.
Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge a valid-looking webhook request. This allows an unauthenticated attacker to spoof SNS events to trigger workflow automations, unsubscribe contacts, manipulate email delivery metrics, and potentially exhaust billing credits. This issue has been patched in version 0.9.0.
Integer overflow in Linux kernel's libceph authentication handler enables remote memory corruption and potential system crash against unpatched systems. A malicious Ceph monitor can send a specially crafted CEPH_MSG_AUTH_REPLY message with payload_len exceeding INT_MAX, causing ceph_handle_auth_reply() to underflow a pointer and trigger out-of-bounds memory access. This allows remote unauthenticated attackers to potentially read sensitive kernel memory (high confidentiality impact) or crash the kernel (high availability impact) on systems using Ceph storage. CVSS 9.1 (Critical) reflects network attack vector with no authentication or user interaction required. EPSS score of 0.02% (7th percentile) suggests low observed exploitation likelihood. Vendor patches available for all affected kernel series (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0), but no active exploitation confirmed via CISA KEV.
Out-of-bounds memory reads in Linux kernel's libceph messaging layer allow remote unauthenticated attackers to disclose kernel memory or trigger denial-of-service via malformed Ceph protocol frames. The vulnerability exists in process_message_header() when message frames are corrupted to make the control segment length smaller than the message header size, bypassing length validation. Vendor patches available for stable kernel versions 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% and no KEV listing suggest limited real-world exploitation observed despite network-accessible attack vector and unauthenticated access. Critical CVSS score of 9.1 reflects worst-case impact (high confidentiality and availability risk) if Ceph storage networking is exposed.
Server-Side Request Forgery in Linkwarden's fetchTitleAndHeaders function enables authenticated users to perform arbitrary HTTP requests against internal services and infrastructure. The vulnerability stems from inadequate URL validation that only verifies protocol prefixes (http:// or https://) without blocking internal address spaces, allowing attackers to scan internal networks, access metadata endpoints (e.g., cloud provider instance metadata), and potentially exfiltrate sensitive data from services not exposed to the internet. Exploitation requires only low-privilege authentication (PR:L) and can impact resources beyond the vulnerable application's security scope (S:C). Patched in version 2.13.0.
Apache::Session versions through 1.94 for Perl re-creates deleted sessions. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute PHP code.
Unauthorized cross-tenant access in Apache CloudStack 4.21.0 through 4.22.0 allows remote unauthenticated attackers to gain full control over virtual machines belonging to other tenants via the Proxmox extension. Attackers exploit a user-editable 'proxmox_vmid' setting that lacks tenant ownership validation and predictable VM IDs to reference and control VMs across tenant boundaries, enabling VM start/stop/destroy operations. CVSS 9.1 indicates critical severity with network attack vector and no authentication required, though EPSS data and KEV status are not available to confirm active exploitation patterns.
Timing attack vulnerability in RELATE's authentication module allows remote unauthenticated attackers to infer valid sign-in keys through response time analysis. The CWE-208 timing side-channel in course/auth.py's check_sign_in_key() function enables attackers to distinguish between valid and invalid authentication tokens by measuring server response latencies. While attack complexity is high (AC:H) due to the precise timing measurements required, successful exploitation grants full authentication bypass with cross-scope impact. Patched in commit 2f68e16. No public exploit identified at time of analysis. EPSS data not provided, CVSS 9.0 (Critical) reflects potential for complete system compromise via side-channel cryptanalysis.