WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Reflected XSS in CubeCart v6 (prior to 6.7.0) enables unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted search URL that triggers a specific single-result code path in the search feature. The flaw exists in classes/catalogue.class.php where the searchCatalogue() method reflects the raw $_REQUEST['search']['keywords'] parameter in a notification message without sanitization - but only when the search returns exactly one product, bypassing all other input filters. A working exploit is publicly available on Exploit-DB (52588), though no public exploit identified at time of analysis places this in CISA KEV, and EPSS remains low at 0.03%.
Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WOOF Products Filter for WooCommerce 1.2.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering XSS payloads in design. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Directory traversal vulnerability in F5 BIG-IP iControl REST endpoint when running in Appliance mode allows authenticated administrators to delete arbitrary files, crossing security boundaries. The vulnerability requires high-privilege administrator role access and network connectivity to the iControl REST interface, but no user interaction. Patch availability confirmed from F5; no active exploitation reported.
Directory traversal vulnerability in F5 BIG-IP SSL Orchestrator enables authenticated high-privilege attackers to overwrite, delete, or corrupt arbitrary local files via path manipulation. The vulnerability requires network access and valid high-privilege credentials but does not require user interaction, affecting the integrity of system files on affected BIG-IP instances. A vendor patch is available.
Authenticated high-privilege attackers with Resource Administrator or Administrator roles can download sensitive files from F5 BIG-IP iControl SOAP interface due to improper path validation. The vulnerability requires valid administrative credentials and does not affect versions that have reached End of Technical Support, limiting exposure to actively maintained deployments. No public exploit code or active exploitation has been identified.
Sensitive information disclosure in F5 BIG-IP and BIG-IQ allows authenticated administrators with resource administrator role to view confidential data via undisclosed iControl REST endpoints or TMOS Shell commands. The vulnerability requires high-privilege authentication and produces no system modification or availability impact, limiting real-world risk despite network accessibility. Vendor has released patches addressing the information exposure.
Rate limit bypass in Strapi's users-permissions plugin (all versions <=5.44.0) allows unauthenticated remote attackers to conduct unlimited credential brute-force, password-reset code enumeration, and credential-stuffing attacks against /auth/local, /auth/reset-password, and /auth/change-password endpoints. The middleware incorrectly incorporated an attacker-supplied email field into its rate-limit key on routes where email is not a valid request parameter, meaning each request with a distinct email value obtained a fresh throttle window - rendering per-IP throttling entirely ineffective. No public exploit or KEV listing exists at time of analysis, but the SSVC assessment flags this as automatable, lowering the bar for scripted abuse.
IP-based access control restrictions in F5 BIG-IP httpd do not uniformly apply to all endpoints, allowing unauthenticated remote attackers from blocked IP addresses to access protected resources and disclose sensitive information. The vulnerability affects default configurations where network-based access policies are expected to enforce restrictions across the entire application stack, but certain endpoints bypass these controls. A vendor patch is available.
OpenLearnX versions prior to 2.0.4 contain a critical authentication bypass vulnerability caused by disabled JWT signature verification, enabling unauthenticated attackers to gain unauthorized access to user accounts. The vulnerability has been patched in version 2.0.4. No public exploit code or active exploitation has been identified at time of analysis.
NGINX Plus and NGINX Open Source configured with the HTTP/3 QUIC module allows unauthenticated remote attackers to spoof source IP addresses, enabling bypass of authorization checks and rate-limiting controls. The vulnerability affects both commercial and open-source variants when QUIC is explicitly enabled, with patches available from F5.
Improper handling of insufficient permissions in Routines prior to SMR May-2026 Release 1 allows local attackers to access sensitive information.
ELECOM wireless LAN access point devices WRC-X1800GS-B, WRC-X3000GS2 series, WRC-X6000QS series, and related models use a hard-coded cryptographic key to encrypt configuration file backups. An attacker who obtains a backup file can decrypt and modify the configuration using the publicly known key, then trick a network administrator into restoring the malicious configuration, enabling complete compromise of network settings. This requires user interaction (administrator deploying a crafted backup) but no authentication, making it a practical attack vector for supply-chain compromise or insider threats. CVSS 6.5 (Medium) reflects the high integrity impact balanced against the requirement for administrator interaction.
U-SPEED AC1200 Gigabit Wi-Fi Router Model T18-21K V1.0 exposes an unauthenticated UART serial interface that grants unrestricted access to device functionality upon physical connection. An attacker with physical access to the exposed UART pins can bypass all authentication and authorization controls to gain full device compromise. EPSS exploitation probability is low (0.03%), reflecting the physical access requirement, though the impact of successful exploitation is severe (confidentiality, integrity, and availability compromise).
Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary code.
Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique identifier.
Hiseeu C90 v5.7.15 exposes a UART bootloader in debug mode when the device battery is disconnected, allowing unauthenticated physical attackers with direct hardware access to achieve privilege escalation and potentially execute arbitrary code with full device control. This vulnerability requires physical tampering to trigger but bypasses all software-based security controls once activated.
F5 BIG-IP DNS when provisioned contains an undisclosed TMOS Shell (tmsh) command vulnerability allowing highly privileged authenticated attackers to view sensitive information. The vulnerability requires high-privilege account access and local shell access (AV:L, PR:H), limiting real-world exploitation to insider threats or post-compromise scenarios where an attacker has already obtained administrative credentials on the management interface.
BIG-IP DNS provisioning exposes SSH passwords in cleartext within iControl REST API responses and audit logs when using the gtm_add and bigip_add commands, allowing highly privileged authenticated attackers with audit log access to retrieve sensitive credentials. The vulnerability affects all supported BIG-IP DNS versions and carries a CVSS score of 4.4 with low real-world exploitation risk due to the requirement for local access and high privilege level.
Multiple denial-of-service conditions in Palo Alto Networks PAN-OS allow unauthenticated remote attackers to crash or degrade firewall availability by sending specially crafted network traffic, with a high availability impact (VA:H) on the vulnerable system. Affected deployments span PAN-OS 10.2, 11.1, 11.2, and 12.1 branches as well as Prisma Access; vendor explicitly states Panorama and Cloud NGFW are not impacted, though Cloud NGFW appears in CPE strings - a discrepancy worth verifying. No public exploit identified at time of analysis, EPSS is very low (0.05%, 16th percentile), and SSVC classifies exploitation as none with non-automatable attack patterns, collectively suggesting a patch-cycle priority rather than an emergency response.
Nautobot's UI object bulk-rename endpoints (e.g., /dcim/interfaces/rename/) allow authenticated low-privilege users to trigger application-wide denial of service by submitting a maliciously crafted regular expression in the `find` field with the `use_regex` flag enabled, causing Python's re.sub() to enter catastrophic backtracking that stalls worker processes indefinitely. All Nautobot installations running versions prior to 2.4.33 (v2.x branch) or prior to 3.1.2 (v3.x branch, from 3.0.0a2) are affected. No active exploitation has been confirmed (not in CISA KEV), no public exploit code has been identified, and EPSS is 0.04% (14th percentile); vendor-released patches are available.
Path traversal in ERPNext exposes arbitrary server files to authenticated low-privileged users via a vulnerable endpoint that fails to restrict directory access. Affected versions are ERPNext prior to 15.101.1 and the 16.x beta line prior to 16.10.0, packaged under CPE cpe:2.3:a:frappe:erpnext. An attacker with a valid account can craft a request to read sensitive files outside the intended directory scope, resulting in full confidentiality compromise of the host filesystem. No public exploit identified at time of analysis, and CISA SSVC signals no active exploitation.
Uncontrolled resource consumption in Grafana OSS allows authenticated low-privilege users to trigger an out-of-memory (OOM) crash by exploiting the $__timeGroup macro against a configured SQL datasource. The attack is slow by nature - requiring upwards of 30 minutes to exhaust server memory - and affects Grafana OSS versions spanning from 8.0.0 through 13.0.1. Grafana reported this vulnerability directly, a vendor patch is available across all affected release branches, and no public exploit code or active exploitation has been identified at time of analysis.
Unbounded memory allocation in Grafana OSS's Live push endpoint allows any authenticated user to exhaust server memory by submitting a large or streaming HTTP request body, resulting in an out-of-memory condition and denial of service. Confirmed affected branches span Grafana OSS 8.0.0 through 13.0.1 across five actively maintained release lines, with vendor-released security patches available for each. No public exploit code exists and CISA has not listed this in KEV; the EPSS score of 0.04% (12th percentile) and SSVC exploitation status of 'none' collectively indicate low current real-world exploitation activity.
Grafana Live's concurrent request handling exposes authenticated Viewer-role users as a denial-of-service vector: sending concurrent requests triggers a fatal map access error that crashes the entire Grafana server, requiring a manual restart to restore service. All Grafana OSS releases from 8.2.0 through 13.0.1 are affected across multiple maintained branches, making the exposure surface exceptionally broad. No public exploit identified at time of analysis and EPSS sits at 0.04% (12th percentile), but the low privilege bar - any Viewer account - and reliable triggering (AC:L) mean insider threats and compromised low-privilege accounts represent a realistic DoS risk for organizations without guest/anonymous access controls.
Arbitrary file read in Avada Builder plugin for WordPress versions up to 3.15.2 allows authenticated attackers with Subscriber-level access to read arbitrary files on the server via the 'fusion_get_svg_from_file' function in the 'fusion_section_separator' shortcode. Sensitive information including configuration files, database credentials, and private keys can be exposed. The vulnerability was partially patched in 3.15.2 and fully patched in version 3.15.3.
Unbounded memory allocation in Grafana OSS's plugin resources endpoint allows any authenticated low-privileged user to trigger an out-of-memory condition by sending a sufficiently large HTTP request body, resulting in denial of service against the Grafana instance. Affected versions span a wide range from 6.7.0 through 13.0.1, with vendor-released security patches available across all supported branches. No public exploit exists and CISA has not added this to the KEV catalog; the EPSS score of 0.04% (12th percentile) reflects very low observed exploitation probability.
SQL injection in Charitable - Donation Plugin for WordPress versions up to 1.8.10.4 allows authenticated users with donation management admin privileges to inject malicious SQL via the 's' search parameter, enabling extraction of sensitive database information. The vulnerability stems from insufficient escaping and lack of prepared statement usage in the donation search functionality. Attack requires administrator-level access to the donation management area (edit_others_donations capability), limiting scope to internal threats but carrying high confidentiality impact.
Arbitrary file read in Grafana OSS exposes server filesystem contents to authenticated low-privilege users when the sqlExpressions feature toggle is enabled. Affected versions span the 11.6.x, 12.x, and 13.0.x release trains, with fixed security builds available across all affected branches. No public exploit code exists and CISA has not added this to the Known Exploited Vulnerabilities catalog; however, the confidentiality impact is rated High by CVSS due to the potential for unrestricted file disclosure from the Grafana server's filesystem.
SQL injection in qihang-wms (commit 75c15a) via the unsanitized `datascope` parameter in `SysDeptMapper.xml` allows remote database access without authentication. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms unauthenticated, network-accessible, low-complexity exploitation yielding partial confidentiality and integrity impact, including exposure of users' PII from the backend database. Publicly available exploit code exists via GitHub-hosted writeups and proof-of-concept scripts, though EPSS sits at 0.03% (9th percentile) and SSVC reports no confirmed active exploitation at time of analysis.
SQL injection in qihang-wms (commit 75c15a) exposes sensitive database contents, including user PII, to unauthenticated remote attackers via the `datascope` parameter in `SysUserMapper.xml`. The vulnerability requires no authentication, no user interaction, and is reachable over the network, making automated exploitation feasible. SSVC assessment confirms exploitation has not been observed and EPSS sits at 0.03% (9th percentile), indicating low current exploitation interest despite the permissive attack surface.
Missing authorization in Grafana OSS's snapshot deletion endpoint allows any authenticated Editor-role user to delete arbitrary snapshots across the platform, regardless of whether they hold read or write access to those snapshots. Affected versions span a wide release range from 9.4.0 through 13.0.1 across multiple major branches (CPE: cpe:2.3:a:grafana:grafana_oss). With EPSS at 0.03% (8th percentile), SSVC exploitation rated none, and no public exploit identified at time of analysis, the practical threat is primarily insider abuse or compromised Editor credentials being used to destroy monitoring data outside an attacker's legitimate scope.
Path traversal in OpenPLC v3 allows authenticated remote attackers to read arbitrary files via unvalidated file path parameters passed to the glue_generator binary. The vulnerability affects command-line input handling in the compiled binary derived from glue_generator.cpp, where user-controlled paths are passed directly to file operation functions (fopen, ifstream, ofstream) without validation. Exploitation requires authentication but no user interaction, and no public exploit code has been identified at the time of analysis.
go-billy versions prior to v5.9.0 and v6.0.0-alpha.1 lack proper depth and cycle detection in symlink resolution, allowing authenticated remote attackers to trigger infinite loops, uncontrolled recursion, or excessive resource consumption through crafted or malformed repository data and filesystem structures. The vulnerability stems from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states. CVSS 6.5 (availability impact) reflects the authenticated requirement (PR:L) and network attack vector, with no public exploit currently identified.
ProfileGrid User Profiles plugin for WordPress versions up to 5.9.8.4 allow authenticated attackers with Subscriber-level access to execute blind SQL injection attacks via the 'rid' parameter due to insufficient input escaping and lack of prepared statement use. The vulnerability enables extraction of sensitive database information without user interaction. No public exploit code or active exploitation has been confirmed at this time.
Stored Cross-Site Scripting (XSS) in Fluent Forms WordPress plugin versions up to 6.2.1 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'permission_message' parameter, which executes when any user views the affected page. The vulnerability stems from insufficient input sanitization and output escaping in the Component module. No active exploitation or public proof-of-concept has been reported, but the low attack complexity and network accessibility make this a practical risk for WordPress sites with contributor-level user accounts.
Stored cross-site scripting in Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin (all versions up to 4.1.0) allows authenticated attackers with contributor-level access to inject arbitrary JavaScript via unsanitized shortcode attributes 'alg_wc_cog_product_cost' and 'alg_wc_cog_product_profit', which executes in the browsers of all users viewing the affected pages. The vulnerability requires prior account access but no user interaction for execution, making it a persistent attack vector for privilege escalation or malicious content injection on WordPress sites.
Stored Cross-Site Scripting in Snow Monkey Blocks WordPress plugin up to version 24.1.11 allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript via the 'data-slick' attribute, which executes in the browsers of all users who view the affected pages. The vulnerability stems from insufficient input sanitization and output escaping in block rendering functionality. CVSS 6.4 reflects the moderate severity; exploitation requires prior authentication and contributor access, limiting the attack surface to trusted WordPress users or accounts obtained through compromise.
Unauthorized write access to Traefik's live dynamic configuration is achievable by a low-privileged Kubernetes tenant in shared Gateway deployments, because the Gateway API provider's `isInternalService()` check accepts any `TraefikService` name ending in `@internal` - not exclusively the intended `api@internal`. This allows a tenant with `HTTPRoute` creation rights to route external traffic to `rest@internal`, fully bypassing the `providers.rest.insecure=false` safeguard and gaining `PUT /api/providers/rest` write access. No active exploitation is confirmed (not in CISA KEV, EPSS at 0.01%), but a detailed proof-of-concept is published in the GHSA advisory and the SSVC framework marks the attack as automatable for tenants meeting the prerequisites.
Command injection in TeamViewer DEX Platform On-Premises (formerly 1E DEX Platform On-Premises) prior to version 9.2 allows authenticated low-privileged users to execute elevated commands on endpoints managed by the platform. The vulnerability stems from improper input validation (CWE-20) within specific platform instructions, enabling a user holding only 'questioner' privileges to escalate their effective impact to arbitrary command execution on connected devices. No public exploit exists and EPSS is low (0.08%), though SSVC rates Technical Impact as 'total', reflecting the downstream risk to managed endpoints despite the bounded CVSS partial-impact scores.
Denial of service in F5 BIG-IP affects the Traffic Management Microkernel (TMM) when Bidirectional Forwarding Detection (BFD) is configured with static or dynamic routing protocols. Undisclosed traffic patterns cause TMM to stop processing BFD packets, triggering unintended failover of the configured routing protocol. Remote unauthenticated attackers can trigger this condition over the network with low complexity, resulting in availability loss for BFD-dependent routing operations.
Heap buffer over-read in NGINX's ngx_http_charset_module allows unauthenticated remote attackers to leak sensitive memory or crash worker processes when specific configuration directives (charset, source_charset, charset_map, and proxy_pass with buffering disabled) are combined. The vulnerability requires attacker-controlled conditions that depend on factors outside the attacker's control, limiting exploitability but creating real risk for affected deployments. CVSS 4.8 reflects the conditional nature of exploitation and limited scope of impact (information disclosure or availability).
Heap-use-after-free in NGINX Plus and NGINX Open Source allows unauthenticated remote attackers to trigger memory corruption in the worker process when ssl_verify_client is set to 'on' or 'optional' and ssl_ocsp is configured with a resolver. Exploitation can cause limited information disclosure or worker process restart, with CVSS 4.8 reflecting moderate impact constrained by high attack complexity. No public exploit code or active exploitation has been identified at time of analysis.
NGINX Open Source configured to proxy HTTP/2 traffic with proxy_http_version set to 2 combined with proxy_set_body allows remote unauthenticated attackers to inject frame headers and payload bytes to upstream peers, enabling potential header injection or request manipulation attacks. The vulnerability affects default configurations without requiring authentication or user interaction, with CVSS 5.8 indicating moderate integrity impact across networked systems. No public exploit code or active exploitation has been confirmed at this time.
Improper privilege management in Samsung System Support Service prior to version 8.0.8.0 allows local attackers to trigger privileged functions.
Buffer Overflow vulnerability in Ardupilot rover commit v.c56439b045162058df0ff136afea3081fcd06d38 allows a local attacker to cause a denial of service via the AP_InertialSensor_ADIS1647x.cpp,. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow vulnerability in Ardupiot Copter Latest commit 92693e023793133e49a035daf37c14433e484778 allows a local attacker to cause a denial of service via the AP_SmartAudio::loop,. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.