Command injection in python-utcp allows remote attackers to execute arbitrary shell commands on Unix and Windows systems when user-controlled tool arguments are processed by the CLI communication protocol module. The _substitute_utcp_args method in cli_communication_protocol.py directly embeds unsanitized user input into bash or PowerShell commands without escaping, enabling full remote code execution. Vendor-released patch available in version 1.1.2 with shell-quoting mitigation (shlex.quote on Unix, single-quoted literals on Windows). CVSS 8.3 indicates high complexity and required user interaction, but scope change enables container/sandbox escape scenarios. No public exploit code or CISA KEV listing identified at time of analysis, though detailed proof-of-concept exists in the GitHub security advisory demonstrating data exfiltration via curl.
python-utcp CLI subprocess environment passes all process-level secrets to every tool call. When chained with CVE-2026-45369 command injection, remote authenticated attackers with low-privilege LLM tool access can exfiltrate AWS credentials, API keys, database URLs, and other environment variables in a single HTTP request. Patch available in version 1.1.2 (NVD references 1.1.3 as fixed version). GitHub security advisory confirms proof-of-concept demonstrating credential theft via env dump to attacker-controlled endpoint.
SQL injection in n8n workflow automation platform allows an attacker with write access to a connected git repository to execute arbitrary SQL against the internal PostgreSQL database when an administrator performs a Source Control Pull. The flaw stems from unsafe handling of column names within Data Table JSON files imported during sync. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.04%.
Remote code execution in HuggingFace Diffusers library (versions < 0.38.0) allows attackers to execute arbitrary Python code when victims load malicious pipelines from Hugging Face Hub repositories. The vulnerability bypasses the trust_remote_code=True safeguard through a type coercion flaw where None values are interpolated as 'None.py' filenames. Attackers can achieve silent code execution by publishing repositories containing a malicious None.py file alongside legitimate-looking configuration, requiring only that victims call DiffusionPipeline.from_pretrained() on the attacker's repository. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patch: version 0.38.0.
Type Confusion in V8 in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Integer overflow in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Use after free in GTK in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Use after free in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Integer overflow in XML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Downloads in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Blink in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)
Insufficient validation of untrusted input in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Object lifecycle issue in WebShare in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Heap buffer overflow in Codecs in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: High)
Out of bounds write in WebRTC in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Out of bounds write in WebAudio in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
Remote code execution in PostgreSQL (versions 14.x-18.x) allows authenticated database users to execute arbitrary code as the database operating system user via integer wraparound vulnerabilities in multiple server features. By passing gigabyte-scale inputs to affected database functions, attackers trigger allocation undersizing that leads to out-of-bounds writes. No active exploitation confirmed (not in CISA KEV), but CVSS 8.8 with network vector and low complexity indicates high exploitability once technical details become public. EPSS data not available at time of analysis.
Heap buffer overflow in WebML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)
Open WebUI versions through 0.8.11 allow authenticated users to execute arbitrary Python code in the Jupyter container by bypassing the ENABLE_CODE_EXECUTION=false configuration flag. The /api/v1/utils/code/execute endpoint fails to enforce the admin-configured feature gate (CWE-863: Incorrect Authorization), enabling any verified user to run code even when administrators believe execution is disabled. The vulnerability is confirmed by vendor POC (verified 2026-03-25) demonstrating successful code execution, file access, and SSRF to internal Docker services despite explicit admin configuration disabling the feature. Vendor-released patch available in v0.8.12 (commit 6d736d3c5) enforces the configuration check before dispatching code to Jupyter.
Heap buffer overflow in WebML in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Symlink following vulnerabilities in PostgreSQL pg_basebackup and pg_rewind enable database superusers to overwrite arbitrary files on the destination server's filesystem, leading to local OS account takeover. Exploitation requires a malicious origin database superuser convincing an administrator to run these backup/replication tools (UI:R in CVSS), with practical impact limited to scenarios where database files are transferred between systems or snapshotted before server restart. No public exploit identified at time of analysis. CVSS 8.8 reflects theoretical severity, but real-world risk depends on specific operational workflows involving backup file transfers across trust boundaries.
PostgreSQL libpq client library allows malicious server superusers to execute arbitrary code on connecting clients by overwriting stack buffers via unbounded responses to PQfn() calls. The vulnerability affects lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions used by psql and pg_dump utilities. A compromised or malicious PostgreSQL server can exploit clients running these common administrative tools during routine operations like database backups or large object exports. EPSS and KEV data not available for this recent CVE. CVSS 8.8 reflects the network attack vector with user interaction requirement (connecting to malicious server).
Out-of-bounds write in OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0 allows remote attackers to crash applications or potentially execute arbitrary code by delivering maliciously crafted CbYCrY image files. A signed integer overflow in the ConvertCbYCrYToRGB() pixel-loop calculation generates large negative pointer offsets, corrupting memory during image processing. EPSS data not available; no evidence of active exploitation (not in CISA KEV); exploitation requires user interaction to process attacker-supplied image files.
Remote code execution in OpenImageIO versions before 3.0.18.0 and 3.1.13.0 allows unauthenticated attackers to achieve arbitrary read/write memory access by delivering a maliciously crafted kABGR DPX image file with oversized dimensions. The signed integer overflow in SwapRGBABytes() creates a negative pointer offset that enables both out-of-bounds read via memcpy and subsequent out-of-bounds writes, potentially leading to code execution when a user opens the malicious image. EPSS data not available; no confirmed active exploitation (not in CISA KEV), though the vendor-disclosed nature and VFX industry targeting suggests focused adversary interest in content creation pipelines.
Stack buffer overflow in PostgreSQL's refint module allows low-privileged database users to execute arbitrary code as the database operating system user across all supported versions before 14.23, 15.18, 16.14, 17.10, and 18.4. The vulnerability enables two distinct attack paths: direct stack overflow leading to OS-level code execution, and SQL injection when applications expose user-controlled columns configured as refint cascade primary keys. With CVSS 8.8 (AV:N/AC:L/PR:L) and network-based exploitation requiring only low-privilege database credentials, this represents a critical privilege escalation risk for PostgreSQL deployments. No active exploitation (CISA KEV) or public POC identified at time of analysis.
Out of bounds write in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Privilege escalation in the InfusedWoo Pro WordPress plugin (versions through 5.1.2) allows authenticated subscriber-level users to elevate themselves to Administrator by abusing the unprotected infusedwoo_gdpr_upddata() function to overwrite their wp_capabilities user meta. No public exploit identified at time of analysis, EPSS is very low (0.04%), and the issue is not listed in CISA KEV, but the technical impact is total once the simple authentication prerequisite is met.
Use after free in Extensions in Google Chrome on Mac prior to 148.0.7778.168 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Medium)
Remote code inclusion in Yordam Library Automation System versions 19.5 through 22.0 allows unauthenticated attackers to execute arbitrary code with high integrity and confidentiality impact via user interaction. The vulnerability was reported by Turkey's National Cyber Security Directorate (USOM), indicating potential targeting of Turkish government or educational institutions using this library management software. With network-accessible attack vector and low complexity (CVSS AV:N/AC:L), this represents a significant risk to organizations running unpatched versions despite requiring user interaction (UI:R).
Remote attackers can bypass access controls in Yordam Library Automation System versions 19.5 through 22.0, achieving high confidentiality, integrity, and availability impact through incorrectly configured security levels. The vulnerability requires user interaction (CVSS UI:R) but no authentication (PR:N), enabling unauthorized access to library management functions. Reported by Turkey's national CERT (USOM), indicating regional awareness though not yet confirmed for active exploitation or CISA KEV listing.
Authentication bypass in Yordam Library Automation System versions 21.6 through 22.0 enables remote attackers to impersonate legitimate users and gain unauthorized administrative access by manipulating user identifiers in requests. Attackers who successfully exploit this vulnerability can achieve full system compromise including reading sensitive library records, modifying catalog data, and disrupting availability. The vulnerability requires user interaction (likely social engineering or malicious link), but no authentication, making it accessible to external threat actors. TR-CERT has published an advisory confirming the issue affects Turkish government and educational institutions using this library management platform.
Authorization bypass in Yaay Social Media App versions 3.8.0 through 24102025 allows remote unauthenticated attackers to access restricted functionality and data by manipulating user-controlled key parameters. The vulnerability enables unauthorized access to features normally protected by access control lists (ACLs), potentially exposing user data, administrative functions, or content modification capabilities. TR-CERT has disclosed this issue with a CVSS base score of 8.8, requiring user interaction for exploitation. No evidence of active exploitation (not in CISA KEV) or public exploit code has been identified at time of analysis.
Fleet server crashes from a single malformed gRPC request to the PublishLogs endpoint, allowing complete denial of service. An attacker with any enrolled Launcher node key can terminate the Fleet server process instantly via a crafted gRPC call. CVSS 8.7 (High) reflects the ease and impact, though exploitation requires prior enrollment of a Launcher host. Vendor-released patch version 4.81.0 available. No public exploit identified at time of analysis, but attack requires minimal sophistication given authenticated access.
Broken access control in FlowiseAI Flowise versions 3.1.1 and earlier allows any authenticated user to perform unauthorized CRUD operations on OpenAI Assistants Vector Stores via the /api/v1/openai-assistants-vector-store endpoints. The route handlers lack the checkAnyPermission() middleware applied to other privileged endpoints, so role-based access controls are bypassed entirely once an attacker has any valid API key or session. No public exploit is identified at time of analysis, but the fix is bundled in the FlowiseAI security release 3.1.2 alongside several other authorization fixes.
Authentication bypass in Crabbox versions prior to v0.12.0 allows authenticated attackers with shared-token access to impersonate arbitrary owners or organizations. By injecting crafted X-Crabbox-Owner and X-Crabbox-Org headers in API requests, attackers can bypass authorization checks and gain full access to victim lease operations across organizational boundaries. VulnCheck reported this vulnerability, and a vendor-released patch is available in version v0.12.0. CVSS 8.7 (High) reflects network-accessible exploitation with low privileges required, high impact to confidentiality, integrity, and availability within the vulnerable component scope.
Hard-coded database credentials in Comarch ERP Optima client allow remote attackers on adjacent networks to access the backend database with elevated privileges and execute system commands on the server. The immutable credentials enable authentication bypass without requiring any user interaction or existing privileges. Fixed in version 2026.4, reported by CERT-PL. No public exploit or KEV listing identified at time of analysis, though the straightforward nature of credential-based attacks (CVSS:4.0 AV:A/AC:L/PR:N) suggests high exploitability for attackers with local network access.
Stored cross-site scripting (XSS) in pyLoad's download management interface allows authenticated users with add-package permissions to inject JavaScript that executes in administrators' browsers when viewing the /collector or /queue pages. The vulnerability stems from unescaped template literal interpolation in packages.js that directly writes attacker-controlled link URLs to the DOM via jQuery .html(). Exploitation requires low-privilege authentication (Perms.ADD role) but enables full session hijacking against administrators, leading to plugin upload, configuration tampering, and potential remote code execution through reconnect-script features. A secondary unauthenticated attack vector exists when the ClickNLoad handler is enabled via POST /flash/add. No public exploit identified at time of analysis, though detailed proof-of-concept is published in the GitHub advisory.
Stored cross-site scripting in GitLab Enterprise Edition's customizable analytics dashboards allows an authenticated user to execute arbitrary JavaScript in the browsers of other users who view the affected dashboard. The flaw affects EE 18.7-18.9.6, 18.10-18.10.5, and 18.11-18.11.2, carries a CVSS 8.7 (scope-changed) rating, and a vendor patch is available. No public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).
Stored cross-site scripting in GitLab Enterprise Edition 18.7-18.11.x allows an authenticated user to inject arbitrary JavaScript that executes in other users' browser sessions due to improper input sanitization. The CVSS 8.7 score is elevated by Scope:Changed (S:C), reflecting that injected script can pivot across security contexts and potentially target administrators. No public exploit identified at time of analysis, EPSS is very low (0.02%, 5th percentile), and SSVC indicates no observed exploitation, but a vendor patch is available across all three affected branches.
Stored cross-site scripting (XSS) in Open WebUI ≤0.9.2 allows authenticated users with default speech-to-text permissions to upload polyglot WAV+HTML files through the audio transcription endpoint, achieving code execution in victim browsers and enabling full account takeover including administrator sessions. The vulnerability chains insecure file extension handling with unrestricted Content-Type serving and non-HttpOnly JWT storage to weaponize a single-click attack. Publicly available exploit code exists with video demonstration; no active exploitation confirmed by CISA KEV at time of analysis. CVSS 8.7 (High) reflects changed scope (S:C) and user interaction requirement, but real-world risk is elevated because the vulnerable permission defaults to enabled and the attack yields immediate admin-level access in typical deployments.
Stored cross-site scripting in GitLab Enterprise Edition lets an authenticated user holding Developer-role permissions inject arbitrary JavaScript that executes in the browsers of other users who view the affected content. The flaw stems from improper input sanitization and affects all 16.4-series through 18.11.x releases prior to the 18.9.7, 18.10.6, and 18.11.3 patch releases. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but CVSS is rated 8.7 because the scope-changing XSS can hijack higher-privileged user sessions.
Remote code execution in Vvveb CMS before 1.0.8.3 allows authenticated super_admin users to upload malicious plugin ZIP files containing arbitrary PHP code. Once uploaded, the code executes with web server privileges via unauthenticated HTTP requests to the plugin's public directory, enabling privilege escalation from authenticated admin to system-level code execution. CVSS 8.6 (High) with network attack vector but requires high privileges (PR:H). No active exploitation confirmed at time of analysis, but attack chain is straightforward with publicly documented technique.
Remote file disclosure in Cisco Catalyst SD-WAN Manager allows unauthenticated attackers to read arbitrary system files via XML External Entity (XXE) injection in the web UI. The vulnerability affects the management interface with network-accessible attack vector, low complexity, and no required privileges (CVSS 8.6). Attackers can extract sensitive configuration files, credentials, and operational data from the SD-WAN management platform. EPSS data not provided; exploitation status unknown but the unauthenticated remote vector and publicly disclosed Cisco advisory elevate real-world risk for internet-exposed instances.
Privilege escalation in Crabbox versions prior to v0.12.0 allows authenticated users with visibility-only permissions to escalate privileges and obtain code execution, remote desktop access, and data exfiltration capabilities. By directly invoking three unprotected ticket-generation endpoints (/v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, /v1/leases/:id/egress/ticket), attackers can obtain bridge-agent credentials and impersonate trusted lease-side bridges, bypassing intended read-only access restrictions. The vulnerability was patched in v0.12.0 (commit 95cb30dc) following VulnCheck disclosure. CVSS 8.6 (High) reflects network-accessible exploitation requiring only low-privilege authentication with low attack complexity. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the attack is straightforward for authenticated insiders.
Cleartext HMAC signing key exposure in Amazon SageMaker Python SDK versions <2.257.2 and <3.8.0 enables authenticated attackers with SageMaker describe API and S3 write permissions to forge model artifact integrity signatures and achieve remote code execution in inference containers. AWS released patches in v2.257.2 and v3.8.0 with security fixes addressing Triton HMAC key exposure and missing integrity checks. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting limited exploitation activity despite high CVSS score.
Arbitrary file read in Portainer Community Edition allows authenticated low-privileged users to exfiltrate any file readable by the Portainer process — commonly root — by submitting a Git-backed stack whose docker-compose.yml is a symlink to a target like /etc/shadow or a Kubernetes service account token. The flaw stems from go-git v5 materializing Git symlink blobs as real OS symlinks during checkout combined with GetFileContent reading the entry point through os.ReadFile without resolving links, and is amplified by Portainer's scheduled stack auto-update, which lets a previously benign repository turn malicious after initial review. A fully validated proof-of-concept exists from the reporter (b-hermes), but there is no public exploit identified at time of analysis and no CISA KEV listing.