Traffic Management Microkernel (TMM) crashes in F5 BIG-IP Virtual Edition and hardware platforms when SSL profiles are configured without hardware crypto acceleration, allowing remote unauthenticated attackers to cause denial of service via undisclosed traffic patterns. CVSS 7.5 (High) with network attack vector and no prerequisites. EPSS data not provided, no CISA KEV listing identified, indicating theoretical rather than observed exploitation. Vendor patch available per F5 advisory K000158082.
Remote denial-of-service in F5 BIG-IP allows unauthenticated attackers to crash the Traffic Management Microkernel (TMM) by sending specially crafted UDP requests to virtual servers with classification profiles enabled. The vulnerability affects BIG-IP, BIG-IP Next CNF, and BIG-IP Next for Kubernetes platforms. No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE. Vendor-released patch available per F5 advisory K000158038.
Traffic Management Microkernel (TMM) in F5 BIG-IP terminates when processing specific traffic against UDP virtual servers configured with Client SSL profiles having Allow Dynamic Record Sizing enabled. Remote unauthenticated attackers can trigger complete service denial by sending crafted traffic, causing TMM process crashes. F5 has released patches per advisory K000160901.
Denial of service in F5 BIG-IP virtual servers with SSL profiles allows remote unauthenticated attackers to exhaust connection processing via undisclosed traffic patterns, forcing affected servers to reject new client connections. The vulnerability affects multiple BIG-IP product lines including classic BIG-IP and all BIG-IP Next variants (SPK, CNF, Kubernetes). F5 has released vendor patches (K000158978), and with CVSS 7.5 (AV:N/AC:L/PR:N/UI:N), this represents a straightforward network-based DoS attack requiring no authentication or special complexity.
Remote denial-of-service in F5 BIG-IP Policy Enforcement Manager (PEM) allows unauthenticated attackers to crash the Traffic Management Microkernel (TMM) via undisclosed traffic patterns when PEM-specific iRules are configured on a virtual server. The vulnerability is a use-after-free memory corruption issue (CWE-416) affecting CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, and urlcatquery iRule commands. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates straightforward remote exploitation with high availability impact. EPSS data not provided, but F5 has released a vendor patch (K000160875). No public exploit or CISA KEV listing identified at time of analysis.
Remote denial of service in F5 BIG-IP Access Policy Manager (APM) allows unauthenticated attackers to crash the apmd process by sending specially crafted traffic to virtual servers with APM access policies configured. The vulnerability stems from a buffer overflow (CWE-120) and requires no authentication or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N). EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis. F5 has released vendor patches per advisory K000161056.
Mass assignment in Quark Auto Save (also referenced as Quark Drive) before version 0.8.5 lets authenticated users overwrite administrator credentials by posting an arbitrary 'webui' object to the config_data dictionary through the POST /update endpoint. Successful exploitation locks out legitimate administrators and grants persistent control over scheduled tasks, cloud storage tokens, and notification integrations. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.05% (16th percentile), though a vendor patch is available in release v0.8.5.
Sensitive key material disclosure in Arqit Symmetric Key Agreement Platform versions before 26.03 allows remote unauthenticated attackers to retrieve the QKEY (a critical input to the OTA-Quantum device registration process) along with internal system keys via a plain HTTP GET request. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.03%), but the high CVSS of 8.7 with scope-change reflects the severe downstream cryptographic compromise possible once these keys leak. A vendor patch is available in version 26.03.
SQL injection in EcclesiaCRM 8.0.0 and earlier allows authenticated remote attackers to execute arbitrary SQL queries through the query view feature. The flaw stems from an incomplete fix for CVE-2026-35184: the ValidateInput() function's default case passes user-supplied POST parameters directly into str_replace-based SQL construction without sanitization when non-standard validation types are used. No public exploit identified at time of analysis, and EPSS rates exploitation likelihood at just 0.03%.
Remote command execution in Lenovo Personal Cloud Storage devices (T1, T2, T2S, T2Pro, X1, X1S, A1, A1S, and Home Storage Hub T20/X20) allows authenticated users on the local network to execute arbitrary commands via OS command injection (CWE-78). The CVSS v4.0 score of 8.7 reflects complete system compromise potential (VC:H/VI:H/VA:H) through network attack with low complexity but requiring low-privilege authentication (AV:N/AC:L/PR:L). No evidence of active exploitation (not in CISA KEV) or public exploit code identified at time of analysis. Lenovo has issued advisories including end-of-life notices for certain models (T1), indicating some affected products may not receive patches.
F5 BIG-IP iControl REST allows authenticated attackers with Manager role or higher to execute arbitrary commands through malicious configuration objects. This authenticated remote code execution vulnerability carries a CVSS score of 7.2 but requires high privileges (Manager role), significantly limiting the attack surface to insider threats or compromised administrator accounts. No public exploitation or proof-of-concept has been identified at time of analysis, and F5 has released vendor patches per advisory K000160916.
Authenticated attackers with Manager role or higher in F5 BIG-IP can execute arbitrary commands via malicious configuration objects in iControl REST API and TMOS Shell (tmsh). This privilege escalation vulnerability allows administrators to break out of their intended access boundaries and achieve full system control. CVSS 7.2 (High) reflects network accessibility with high privileges required. No public exploit code or active exploitation confirmed at time of analysis.
Privilege escalation in MISP threat intelligence platform versions prior to 2.5.37 allows organization administrators to reset authentication keys of site administrator accounts within the same organization, yielding cross-tier access takeover. The flaw stems from missing authorization checks in the auth key reset workflow, enabling an org-admin to harvest a freshly generated site-admin API key. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.06%, but a vendor-released patch (2.5.37) is available.
Arbitrary file read in cPanel & WHM's cpdavd service allows remote unauthenticated attackers to retrieve sensitive files from the server through attachment download endpoints that fail to properly filter paths and enforce privilege boundaries. The flaw affects multiple supported cPanel release tiers (11.120 through 11.136) and WP Squared 11.120.1.0-11.136.1.12, scoring CVSS 8.6 due to network reach without authentication, though EPSS exploitation probability is only 0.04% and no public exploit identified at time of analysis.
Remote unauthenticated attackers can crash Klever-Go blockchain validators by sending a single 48 KiB compressed gossip packet that decompresses to multi-gigabyte allocations, killing the process via out-of-memory condition. The vulnerability in Batch.Decompress performs unbounded gzip decompression before anti-flood checks execute, enabling a single malicious peer to OOM-kill validators and disrupt chain liveness. Proof-of-concept demonstrates 45,604× amplification (48 KiB wire → 2.1 GiB heap). No public exploit identified at time of analysis, but vendor confirms internal discovery and patch development in progress.
Cross-workspace IDOR in SQLBot (DataEase) versions prior to 1.8.0 allows authenticated low-privilege users to read and modify database schemas and data sources belonging to other tenants via the /api/v1/datasource/exportDsSchema and /api/v1/datasource/uploadDsSchema endpoints. The flaw breaks multi-tenant isolation in a Text-to-SQL platform that brokers access to backend databases, meaning a tenant can pivot to another tenant's data sources. No public exploit identified at time of analysis, and EPSS probability is very low (0.04%), but SSVC rates technical impact as total.
Local privilege escalation in Samsung Galaxy Watch allows unprivileged local attackers to execute arbitrary code with system-level privileges by exploiting improper input validation in the FacAtFunction component. Affects Galaxy Watch devices running Android Watch 14 and 16 prior to Samsung's May 2026 security release (SMR May-2026 Release 1). EPSS score of 0.03% indicates low automated exploitation probability, and no active exploitation or public POC has been identified at time of analysis. Attack requires physical or ADB access to the device.
Local code execution in the claude-code-cache-fix npm package (v3.5.0 and v3.5.1) lets attacker-controlled filesystem path names run arbitrary Python inside a victim's Claude Code process. The bundled tools/quota-statusline.sh interpolates Claude Code's statusline hook stdin — which reflects user-controlled paths such as cwd, workspace.current_dir, workspace.project_dir, and transcript_path — directly into a Python triple-quoted literal, so a directory name containing the byte sequence ''' closes the literal early and executes following bytes as Python at the user's privilege on every statusline redraw. A working injection payload is publicly available exploit code (published in the GHSA advisory and the T6/T7 regression tests); the issue is not listed in CISA KEV and no EPSS score was provided.
Path traversal in Lenovo Personal Cloud Storage devices allows authenticated remote attackers to move or access files belonging to other users on the same device, enabling unauthorized data disclosure and modification across user boundaries. Affects multiple product lines including Personal Cloud (T1, T2, T2S, T2Pro, X1, X1S, A1, A1S) and Home Storage Hub (T20, X20). CVSS 8.6 reflects high confidentiality and integrity impact with low attack complexity. No active exploitation confirmed in CISA KEV at time of analysis, and EPSS data not available for this 2026 CVE identifier.
OS command injection in ELECOM wireless LAN access point devices allows authenticated administrators to execute arbitrary system commands via a crafted ping_ip_addr parameter. Affects multiple ELECOM WRC-series models including WRC-BE72XSD-B (v1.1.1 and earlier), WRC-BE65QSD-B (v1.1.0 and earlier), and WRC-W702-B (v1.1.0 and earlier). Despite the high CVSS 8.6 score, exploitation requires high-privilege (administrator) credentials, significantly limiting real-world risk to scenarios involving compromised admin accounts or malicious insiders. No active exploitation (KEV) or public POC has been identified at time of analysis. Vendor advisory available from ELECOM with remediation guidance.
Remote command injection in F5 BIG-IP Appliance mode allows high-privilege authenticated attackers to execute arbitrary OS commands through an undisclosed iControl REST endpoint, crossing security boundaries between management and administrative contexts. CVSS 8.7 with scope change (S:C) indicates container escape or privilege domain breach. F5 has released vendor patches per advisory K000160857. No public exploit code or CISA KEV listing identified at time of analysis, limiting immediate mass-exploitation risk despite network attack vector.
Privilege escalation in F5 BIG-IP allows authenticated Resource Administrator users to elevate privileges through configuration object manipulation. The command injection flaw (CWE-77) enables attackers with existing high-privilege access to gain administrative control over the BIG-IP system. CVSS score of 8.7 reflects high impact due to scope change (compromising beyond the vulnerable component), though exploitation requires existing Resource Administrator credentials (PR:H). EPSS data not provided; no CISA KEV listing indicates targeted rather than widespread exploitation.
Command injection in F5 BIG-IP and BIG-IQ SNMP configuration allows highly privileged Resource Administrators to escalate privileges to root via crafted iControl REST API calls or TMOS shell commands. Despite the high CVSS score (8.7), exploitation requires existing Resource Administrator credentials, significantly limiting real-world attack surface to insider threats or post-compromise scenarios. Vendor-released patches are available per F5 security advisory K000160981.
Privilege escalation in F5 BIG-IP allows authenticated Resource Administrators or Administrators to execute arbitrary OS commands by creating malicious SNMP configuration objects via the legacy iControl SOAP API. Attackers with high-level administrative credentials can break out of their role constraints to gain full system control. F5 has released patches addressing this command injection flaw (CWE-78). No active exploitation confirmed at time of analysis, but the CVSS:3.1 Changed Scope indicator and attack complexity of Low make this exploitable by any administrator with SOAP API access.
Authenticated attackers with Resource Administrator or Administrator role can execute arbitrary system commands via undisclosed iControl REST or BIG-IP TMOS Shell (tmsh) commands, potentially escalating privileges and crossing security boundaries in Appliance mode deployments. CVSS 6.5 reflects high privileges required (PR:H) but high confidentiality and integrity impact. No public exploit code identified at time of analysis.
Authenticated administrators with Resource Administrator or Administrator role can execute arbitrary system commands with elevated privileges in F5 BIG-IP scripted monitors, potentially crossing security boundaries in appliance mode deployments. The vulnerability requires high privilege level and network access but allows complete command execution with no user interaction, affecting confidentiality and integrity.
Privilege escalation in F5 BIG-IP allows authenticated Resource Administrators to gain full Administrator privileges by exploiting insecure iControl SOAP API configuration handling. Attackers with high-privilege Resource Administrator access can modify configuration objects to escalate to Administrator level, achieving cross-scope access to confidential data and integrity compromise. EPSS risk assessment unavailable, but exploitation requires legitimate Resource Administrator credentials and network access to management interface, limiting attack surface to insider threats or compromised administrative accounts.
Stored cross-site scripting in CVAT (Computer Vision Annotation Tool) versions 2.5.0 through 2.63.0 allows an authenticated user with annotation-guide create/edit privileges to inject malicious JavaScript into a task's annotation guide, which executes in any victim's browser that opens it. Executed script runs with the victim's CVAT session privileges, enabling arbitrary API requests on their behalf. No public exploit identified at time of analysis; EPSS is low (0.05%) and SSVC reports no observed exploitation.
Configuration manipulation in F5 BIG-IP and BIG-IQ Certificate Manager allows authenticated attackers with high privileges to execute arbitrary commands with scope change. Attackers holding Certificate Manager role credentials can modify configuration objects to run system commands, escalating from administrative interface access to underlying system control. CVSS 8.7 reflects the scope change (S:C) enabling broader impact than typical privileged command injection. No public exploit identified at time of analysis. F5 has released vendor patches per K000160972.
Arbitrary command execution in F5 BIG-IP and BIG-IQ Certificate Manager allows highly privileged attackers with Certificate Manager role to run OS commands by modifying configuration objects. The vulnerability requires network access and high privileges (PR:H) but enables scope change (S:C) with high confidentiality and integrity impact. Vendor-released patch available per F5 Security Advisory K000160971. EPSS data not provided; no confirmed active exploitation (not in CISA KEV) or public exploit code identified at time of analysis.
Authenticated administrators in F5 BIG-IP Appliance mode can bypass configuration restrictions designed to prevent system-level access. Administrators with the 'Administrator' role can circumvent Appliance mode lockdown controls, potentially modifying underlying system configurations that should be protected in this deployment mode. Vendor patch available per F5 Security Advisory K000160876. CVSS 8.5 reflects high confidentiality/integrity impact despite requiring privileged authentication.
Missing lock bit protection for NBIO registers could allow a local admin-privileged attacker to gain arbitrary System Management Network (SMN) access, potentially resulting in arbitrary code execution in AMD Secure Processor (ASP) and loss of the SEV-SNP guest's confidentiality and integrity.
Local privilege escalation in Claude Desktop for Windows prior to 1.3834.0 allows a low-privileged user to gain SYSTEM-level file write primitives by abusing the CoworkVMService component. The service fails to validate whether the user-writable VM bundle directory is a real directory or an NTFS directory junction, enabling a classic link-following attack. No public exploit identified at time of analysis, and EPSS is negligible (0.01%), but SSVC rates technical impact as total.
Server-side request forgery (SSRF) in Nautobot's Webhook feature allows authenticated users with add/change permissions on the Webhook data model to configure malicious webhook URLs targeting internal hosts, cloud metadata endpoints, or other restricted network resources. Affects all versions prior to 2.4.33 and 3.x versions prior to 3.1.2. The vulnerability allows bypassing intended network boundaries and accessing services that should not be reachable from the Nautobot server. Vendor-released patches available in v2.4.33 and v3.1.2 introduce URL scheme restrictions, IP network blocklists, and hostname allow-lists to prevent SSRF exploitation. No public exploit identified at time of analysis, but CVSS base score of 8.5 reflects significant impact with scope change allowing access to resources beyond the vulnerable component's security context.
DLL hijacking in Bytello Share (Windows Edition) installer prior to version 5.13.0.4246 allows local attackers to execute arbitrary code with the privileges of the installing user. The installer insecurely loads DLLs from its current directory, enabling attackers who can place a malicious DLL in the same location to achieve code execution when a user runs the installer. EPSS probability is very low (0.01%, 3rd percentile) with no active exploitation identified, suggesting this requires significant local access prerequisites that limit real-world risk despite the high CVSS score.
HTTP response header injection in cPanel, WHM, and WP Squared allows unauthenticated remote attackers to inject arbitrary headers via the unsanitized `status` query parameter of the `/unprotected/nova_error` endpoint. CVSS 8.3 reflects the changed scope (S:C) with low impact across confidentiality, integrity, and availability, consistent with CRLF-style header injection that can pivot into cache poisoning, session fixation, or open redirect chains. No public exploit identified at time of analysis, and EPSS is low at 0.07%, but a vendor patch is already available.
Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle position between NGINX and upstream servers to read worker process memory or crash the service. Affects both NGINX Open Source and NGINX Plus when scgi_pass or uwsgi_pass directives are configured. The vulnerability requires network positioning between NGINX and its backend servers (AV:N with AT:P - Present attack complexity), making exploitation dependent on network architecture. No public exploit identified at time of analysis. CVSS 8.3 (High) reflects potential for confidential data exposure but limited by MITM prerequisite.
Use of an end-of-life jQuery 1.x library in HCL BigFix SCM Reporting 11.0.5 exposes the management console to client-side attacks, including DOM-based XSS, inherited from publicly known unpatched flaws in the dependency. With no public exploit identified at time of analysis and a very low EPSS score (0.04%), the CVSS 8.3 rating reflects high theoretical impact rather than confirmed in-the-wild abuse, though successful exploitation requires user interaction with a crafted resource.
F5 BIG-IP TMOS shell (tmsh) allows authenticated administrators and resource administrators to execute arbitrary system commands with elevated privileges via an undisclosed command, potentially crossing security boundaries in Appliance mode deployments. The vulnerability requires high-privilege account access and local command-line interaction but poses significant risk to appliance-mode BIG-IP systems where privilege escalation could compromise the entire platform.
Unauthenticated remote denial of service in ninenines cowlib (versions 0.1.0 through 2.16.0) allows a single crafted SPDY frame to exhaust BEAM VM memory via a zlib decompression bomb. The cow_spdy:inflate/2 path passes peer-controlled compressed bytes to zlib:inflate/2 without bounding output size, and because the SPDY ?ZDICT dictionary is public and zlib achieves roughly 1024:1 compression on repeated bytes, kilobytes of input expand to gigabytes of heap, OOM-killing the Erlang node. No public exploit identified at time of analysis, EPSS is low (0.14%), and CISA SSVC marks exploitation as none, but the upstream fix is to remove cow_spdy entirely in 2.16.1.
Account validation bypass in Solana's Anchor framework (anchor-lang 1.0.0 through 1.0.1) allows attackers to substitute arbitrary program IDs where the System program is expected, enabling arbitrary cross-program invocation (CPI) and payment bypass in downstream on-chain programs. The flaw stems from Program<'a, System> resolving to the same Pubkey::default() check as the untyped Program<'a, ()> variant, so anchor never enforces the expected system program id. A working PoC is published in the GHSA advisory, though there is no public exploit identified at time of analysis as a weaponized tool, EPSS is 0.04% (13th percentile), and the issue is not in CISA KEV.
Credential interception in cPanel/WHM and WP Squared DNS Cluster system allows network-positioned attackers to perform man-in-the-middle attacks because SSL/TLS certificate verification is disabled when DNS Cluster nodes communicate. An attacker able to intercept traffic between cluster peers can impersonate a legitimate DNS Cluster server and capture authentication credentials transmitted during the request. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.03%), but SSVC marks the flaw as automatable with partial technical impact.
Unauthenticated denial of service in ninenines Cowboy 2.0.0 through 2.14.x allows remote attackers to exhaust BEAM VM memory by sending malformed multipart/form-data uploads that never complete a header section. The flaw lives in cowboy_req:read_part/3, which lacked the upper-bound buffer guard already present in read_part_body/4, letting a handful of concurrent slow uploads accumulate request bytes linearly until the Erlang node runs out of memory. EPSS is very low (0.02%) and no public exploit is identified at time of analysis, but the upstream patch and a regression test are already merged in 2.15.0.
PHP Object Injection vulnerability in coreActivity activity logging plugin through version 3.0 allows remote attackers to trigger persistent Denial of Service blocking administrator access to log pages. Unauthenticated attackers inject crafted PHP serialized payloads via User-Agent headers during any logged event (e.g., failed login). When administrators view the Logs page, the plugin deserializes untrusted data and passes it to DeviceDetector::setUserAgent(), causing Fatal TypeError. Vendor-released patch version 3.1 available (released May 6, 2026). EPSS exploitation probability not available; no CISA KEV listing at time of analysis. CVSS 8.1 reflects high complexity attack requiring precise payload crafting despite no authentication requirement.
Account and store takeover in CubeCart 6.6.x through 6.7.1 is possible because the CC_STORE_URL constant is derived from the unvalidated Host header at bootstrap and embedded into password-reset emails. A remote unauthenticated attacker who knows a victim's email address can trigger a host-header poisoning attack that emails the user a reset link pointing at attacker-controlled infrastructure, capturing a valid 3,600-second token on click. SSVC reports a public POC and total technical impact, while EPSS remains low (0.03%) and no public exploit is identified as in-the-wild.
Privilege revocation race condition in Grafana OSS allows a user whose service-account token-minting permission was just revoked to continue minting tokens for several seconds after the revocation event. The flaw, tagged as an authentication bypass affecting multiple supported branches of Grafana OSS (11.x, 12.x, 13.x), can yield high confidentiality and integrity impact by granting persistent API access via newly minted service-account tokens. No public exploit identified at time of analysis, EPSS is very low (0.03%), and SSVC marks exploitation as none - but the vendor has issued patches across all affected branches.
SQL injection in the cPanel/WHM sqloptimizer utility script allows attackers to execute arbitrary SQL queries as the MySQL root user when Slow Query logging is enabled. The flaw affects multiple cPanel branches (11.86 through 11.136), WP Squared, and the CloudLinux 6/CentOS 6 builds, with no public exploit identified at time of analysis. EPSS is low (0.03%) and SSVC marks exploitation as 'none', but technical impact is rated total because the injection runs with full database privileges.
Command injection in Node.js systeminformation library (versions 4.17.0 through 5.31.5) allows local authenticated attackers with NetworkManager configuration rights to execute arbitrary shell commands when networkInterfaces() is called on Linux systems. The vulnerability stems from unsanitized NetworkManager connection profile names being interpolated into three shell command strings executed via execSync(). While the library sanitizes network interface names, it fails to apply equivalent sanitization to connection profile names parsed from nmcli output. The vendor has released patch version 5.31.6. CVSS score of 7.8 (High) reflects local attack vector requiring low privileges, but successful exploitation grants full process privileges-critical when the calling application runs with elevated rights, as is common in monitoring agents, inventory tools, and system management dashboards.
Command injection in uniget (gitlab.com/uniget-org/cli) before v0.27.1 enables arbitrary shell command execution when the CLI processes attacker-controlled tool metadata. The `check` field from JSON metadata is concatenated into a `/bin/bash -c` invocation by `RunVersionCheck()` in tool.go, so common operations like `describe`, `install`, `update`, or `inspect` trigger execution under the invoking user's privileges. Publicly available exploit code exists (vendor PoC in GHSA-qqq4-5773-pmw5); EPSS is low at 0.03% (10th percentile) and the issue is not in CISA KEV.
Local privilege escalation potential exists in the Linux kernel's IIO chemical sensor subsystem, specifically the sps30_i2c driver, where an incorrect sizeof() calculation in sps30_i2c_read_meas() uses sizeof(size_t) instead of sizeof(*meas), creating a buffer size mismatch. Affecting Linux kernel versions from 5.14 onward, the flaw could lead to memory corruption or out-of-bounds access when handling measurement data from Sensirion SPS30 particulate matter sensors over I2C. EPSS is very low at 0.02% and there is no public exploit identified at time of analysis, but a CVSS of 7.8 reflects high local impact on confidentiality, integrity, and availability.