Supply chain compromise of DAEMON Tools Lite for Windows delivered trojanized installers through the legitimate vendor website daemon-tools.cc from April 8 to May 5, 2026. Attackers compromised AVB Disc Soft's build infrastructure and injected malicious code into three binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe), all signed with the vendor's legitimate code-signing certificate. This allowed remote attackers to achieve arbitrary code execution on systems installing affected versions (12.5.0.2421 through 12.5.0.2434) with no user interaction required beyond normal installation. The legitimate digital signature bypassed security controls that rely on code-signing verification, making detection extremely difficult during the compromise window.
WordPress Plugin WP Super Edit 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component that allows attackers to upload dangerous file types without validation. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Unauthenticated SQL injection in phpMyFAQ before 4.1.2 allows remote attackers to extract credentials, admin tokens, and SMTP secrets by sending a crafted User-Agent header to the public GET /api/captcha endpoint. The flaw sits in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha(), which interpolate the header into DELETE and INSERT statements via sprintf with no escaping. No public exploit identified at time of analysis, though VulnCheck has published a detailed reachability writeup and a verified time-based blind PoC payload appears in the GHSA advisory.
Local privilege escalation in the Linux kernel ptrace subsystem allows authenticated users to bypass the traditional capability-dropping security model when accessing kernel thread details via PTRACE_MODE_READ_FSCREDS checks. The flaw stems from get_dumpable() logic returning misleading values for tasks without an associated memory map (mm), enabling uid-0 processes that have dropped capabilities to still read sensitive kernel thread information. Publicly available exploit code exists (referenced in OSS-security and a GitHub PoC against ssh-keysign), though EPSS scoring (0.02%) indicates low likelihood of widespread exploitation.
PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in the login_userid parameter of login.php that allows unauthenticated attackers to extract database. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the block. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows unauthenticated attackers to exhaust server resources by sending batched GraphQL queries with duplicated. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authentication bypass in MLflow 3.9.0 and earlier allows unauthenticated remote attackers to access protected Job API and OpenTelemetry trace ingestion endpoints when the server runs with basic-auth enabled via uvicorn/ASGI. Attackers can submit jobs, read results, cancel operations, and inject trace data without credentials. The FastAPI permission middleware incorrectly enforced authentication only on /gateway/ routes, leaving /ajax-api/3.0/jobs/* and /v1/traces unprotected due to architectural mismatch between Flask and FastAPI authentication mechanisms. Fixed in version 3.10.0 with GitHub commit bb62e77 adding proper validators for all FastAPI routes.
Remote code execution in DHTMLX PDF Export Module (used by Gantt and Scheduler) allows unauthenticated attackers to inject malicious JavaScript into unsanitized 'data' parameter, achieving arbitrary code execution on Node.js backend servers. Critical vulnerability (CVSS 4.0: 10.0) with complete system compromise potential affecting server confidentiality, integrity, and availability. Vendor-released patch available in version 0.7.6. No confirmed active exploitation (not in CISA KEV), but command injection via web-accessible APIs typically sees rapid weaponization once disclosed.
Remote code execution in Google Cloud Application Integration allows unauthenticated attackers to access exposed internal API endpoints and execute arbitrary code. The vulnerability stems from improper access controls on internal APIs that were inadvertently exposed to external networks. With a CVSS 4.0 score of 10.0, this represents a critical risk allowing both information disclosure and full system compromise without authentication.
Authentication bypass in Form Notify WordPress plugin versions ≤1.1.10 allows remote unauthenticated attackers to gain administrator access through LINE OAuth flow manipulation. Attackers exploit the plugin's trust of the 'form_notify_line_email' cookie when LINE OAuth doesn't return an email address, authenticating as any site user by injecting a cookie containing the victim's email while completing OAuth with their own LINE account. Wordfence reported this vulnerability with proof-of-concept code available via GitHub commit diffs. EPSS data not available, but the CVSS 9.8 score and network vector with no authentication requirement indicate critical severity. No CISA KEV listing at time of analysis.
Remote code execution in MCP Calculate Server versions before 0.1.1 allows unauthenticated attackers to execute arbitrary Python code via unsanitized mathematical expressions passed to eval(). The vulnerability stems from processing user-supplied math expressions without input validation, enabling injection of malicious Python code. While no public exploit or active exploitation has been identified, the network-accessible attack vector and lack of required authentication make this a critical risk for exposed instances.
Archive extraction boundary failure in Microsoft APM's legacy-bundle probe allows local attackers to overwrite arbitrary files on Windows systems running Python 3.10 or 3.11. When users run 'apm install' on a malicious .tar.gz file, untrusted tar members bypass path validation, enabling absolute path writes (e.g., D:/...) that compromise system integrity. Fixed in version 0.13.0. No active exploitation confirmed at time of analysis, but the local attack vector with user interaction required (CVSS AV:L/UI:R) limits real-world risk to social engineering scenarios targeting AI agent developers on Windows platforms.
Remote code execution in Tabby terminal emulator versions prior to 1.0.233 allows unauthenticated attackers to execute arbitrary OS commands via malicious tabby:// URL scheme links. When users click a crafted link containing tabby://run?command=..., Tabby spawns the specified command with full user privileges without any confirmation or sanitization. The vulnerability carries a CVSS 9.4 score due to network vector and high impact across all security dimensions.
Two-factor authentication bypass in phpMyFAQ before 4.1.2 lets unauthenticated remote attackers brute-force any administrator's six-digit TOTP code by submitting sequential POST requests to the /admin/check endpoint, which lacks session binding and rate limiting. CVSS 4.0 scores this 9.3 with no public exploit identified at time of analysis, though a proof-of-concept is described in the GHSA advisory and SSVC marks exploitation as 'poc' with total technical impact. EPSS is low at 0.12%, reflecting limited observed scanning despite the trivial 10^6 keyspace exhaustible in minutes.
CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Unrestricted IP address binding in the AMD Device Metrics Exporter (ROCm ecosystem) could allow a remote attacker to perform unauthorized changes to the GPU configuration, potentially resulting in loss of availability
Path traversal in DHTMLX PDF Export Module (used by Gantt and Scheduler) allows remote unauthenticated attackers to read arbitrary local files from the server and embed them in generated PDFs. The vulnerability stems from insufficient HTML sanitization in the module's PDF generation process. CERT-PL reported this issue, and DHTMLX released version 0.7.6 to address it. No active exploitation confirmed by CISA KEV, but the low attack complexity and network attack vector make this a priority for organizations using affected Gantt or Scheduler deployments.
Path traversal in DHTMLX Diagram's export module allows remote unauthenticated attackers to exfiltrate local server files through crafted HTML payloads in the src attribute. The vulnerability exposes high-value server-side information (CVSS VC:H, SC:H) by embedding local files into generated PDFs without requiring authentication (PR:N) or user interaction (UI:N). DHTMLX released a fix in version 1.1.1, confirmed by CERT-PL advisory and vendor changelog.
PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Algorithm confusion in LibJWT 3.0.0 through 3.3.2 allows authentication bypass when RSA JWKs lack the 'alg' parameter. The OpenSSL backend incorrectly processes HMAC verification with a zero-length key when an RSA key without 'alg' is used to verify HS256/HS384/HS512 tokens, enabling attackers to forge valid JWTs without knowing any secret. Public exploit code exists (SSVC), making this a critical authentication bypass affecting applications using JWKS-based key lookup.
Podcast Generator 3.1 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to execute arbitrary code by injecting malicious payloads into markdown files stored within the application. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Privilege escalation in Frontend Admin by DynamiApps plugin allows authenticated attackers with editor-level access to elevate privileges to administrator. The vulnerability exists due to insufficient authorization checks when configuring user role options in edit_user forms combined with overly permissive capabilities on the admin_form post type. Attackers can bypass UI restrictions by directly manipulating POST data to include 'administrator' in role_options, then use the crafted form to assign themselves administrator privileges. CVSS 8.8 reflects network-accessible, low-complexity exploitation requiring only low privileges (editor account). No public exploit code identified at time of analysis, though the attack chain is straightforward for authenticated users. EPSS data not provided, but the technical barrier is minimal once editor access is obtained.
Remote code execution in AVideo streaming platform allows authenticated users with streaming privileges to execute arbitrary OS commands through shell metacharacter injection in the Live plugin. The vulnerability exists in the on_publish.php webhook endpoint which builds shell commands using unsafe string concatenation instead of proper escaping, allowing attackers to inject commands via specially crafted stream keys containing single quotes. While the CVSS indicates low privileges required (authenticated users with canStream permission), the impact is severe as it grants full web server user access.
Out-of-bounds read and buffer overflow in the Linux kernel's ksmbd SMB server allows authenticated remote attackers to corrupt memory or read past allocated buffers by sending a malformed inheritable ACE with an inflated num_subauth value. The flaw resides in smb_inherit_dacl() and smb_set_ace(), where the variable-length SID is not bounds-checked during DACL inheritance, enabling heap corruption with potential for remote code execution against any SMB server using ksmbd. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the vendor patch is available across multiple stable branches.
Improper restriction of operations within the bounds of a memory buffer in the AMD secure processer (ASP) could allow an attacker to read or write to protected memory potentially resulting in. Rated high severity (CVSS 8.8). No vendor patch available.
Improper isolation of VCN-JPEG HW register space could allow a malicious Guest Virtual Machine (VM) or a process to perform unauthorized access to the register space of the JPEG cores assigned a. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
Budibase servers before version 3.38.1 allow any authenticated application user to modify datasource connection parameters through the REST API endpoint PUT /api/datasources/:datasourceId, which requires only basic TABLE/READ permissions instead of builder-level access. This authorization bypass enables attackers with minimal BASIC role privileges to redirect PostgreSQL, MySQL, MongoDB, or REST datasources to arbitrary hosts and ports, creating server-side request forgery (SSRF) conditions that bypass existing HTTP-layer protections for SQL driver connections. The vulnerability has been assigned CVSS 8.8 (High) and is fixed in Budibase 3.38.1.
Remote attackers can trigger memory corruption in radare2 6.1.5 through its GDB remote debugging interface, causing denial of service or potentially achieving code execution. The use-after-free vulnerability in gdbr_threads_list() occurs when processing a valid qfThreadInfo response followed by a malformed qsThreadInfo response, leading to improper memory management. VulnCheck reported this issue and vendor patch commit c213ad6894a1eb9086ac8bf5fae35757e9e1683c addresses the vulnerability.
Memory corruption in radare2 6.1.5's GDB client allows remote attackers to crash the application or potentially execute code through malformed thread information responses. The vulnerability triggers when the GDB remote protocol's qsThreadInfo command fails after qfThreadInfo has allocated memory, causing a use-after-free condition. While no public exploits have been identified, the CVSS 8.7 score reflects the potential for remote unauthenticated denial of service impact.
{id}.html endpoint, leaking titles, internal IDs, languages, and category bindings via 301 redirect Location headers. The flaw stems from a missing permission filter in the getIdFromSolutionId() method, and a publicly available exploit code path is documented in the GitHub Security Advisory (GHSA-99qv-g4x9-mgc3) with SSVC marking exploitation as PoC and automatable. EPSS is low (0.06%, 19th percentile) and the issue is not in CISA KEV, indicating no confirmed active exploitation despite the high CVSS 4.0 score of 8.7.
Stored Cross-Site Scripting (XSS) in NukeViet CMS versions up to 4.5.07 allows unauthenticated attackers to inject malicious HTML/JavaScript through any module using the Request class for HTML input. The vulnerability stems from insufficient server-side sanitization that relies on client-side filtering, which attackers can bypass using proxy tools like Burp Suite. While not currently listed in CISA KEV and lacking public exploit code, the issue poses significant risk as it requires no authentication and affects administrative users viewing user-submitted content.
Command injection in Delphix Continuous Data database connectors allows authenticated attackers with low-privilege network access to execute arbitrary operating system commands on staging or target hosts. The vulnerability affects multiple database connector types (IBM DB2, MongoDB, PostgreSQL, MySQL, Oracle EBS, SAP HANA, CockroachDB, Couchbase, Cassandra, YugabyteDB) due to improper input validation (CWE-78). Network-based exploitation with low complexity (AV:N/AC:L) requires authentication (PR:L) but no user interaction, resulting in complete compromise of confidentiality, integrity, and availability on affected connector hosts. Vendor Perforce has published an advisory; no CISA KEV listing or public exploit identified at time of analysis.
Denial of service vulnerability in coreMQTT versions before 5.0.1 allows remote MQTT brokers to crash client applications through malformed MQTT v5.0 property packets. The vulnerability stems from missing bounds validation in the property parser, enabling out-of-bounds read conditions (CWE-125). Amazon Web Services has issued a security bulletin and released version 5.0.1 to address this issue.
SQL injection in Vvveb CMS versions before 1.0.8.3 allows authenticated frontend users to execute arbitrary SQL queries through the order history page. The vulnerability exists in the /user/orders endpoint where order_by and direction parameters are directly concatenated into SQL queries without sanitization, enabling database compromise with low-privileged user credentials. The vendor has released version 1.0.8.3 to address this issue.
Remote code execution in SzafirHost before 1.2.1 allows unauthenticated attackers to bypass JAR signature verification through a ZIP file smuggling technique. The vulnerability exploits a discrepancy between verification logic (JarInputStream reading from file beginning) and class loading (JarFile/URLClassLoader reading Central Directory from file end), enabling attackers to combine a legitimately signed JAR with malicious classes. CERT-PL confirmed this vulnerability, and the vendor released patch version 1.2.1. EPSS data not available, not listed in CISA KEV, requiring user interaction (UI:A) for exploitation.
Path traversal in SimpleSAMLphp's CAS server module allows unauthenticated remote attackers to read and deserialize arbitrary files outside the ticket directory via crafted ticket parameters. When using FileSystemTicketStore, attackers can inject '../' sequences into CAS validation endpoints to escape the configured directory, potentially deleting files that contain serialized PHP data compatible with array types. The vulnerability has a CVSS score of 8.6 with no public exploits identified at time of analysis.
Improper Input Validation in the AMD RAID driver could allow an attacker to point to an arbitrary memory location potentially resulting in privilege escalation and arbitrary code execution. Rated high severity (CVSS 8.6), this vulnerability is low attack complexity. No vendor patch available.
Buffer overflow in AMD GPU driver IOCTL handler enables local privilege escalation to root on Linux systems running AMD Instinct or Radeon Pro GPUs. Authenticated local users with low privileges can exploit an out-of-bounds write vulnerability in the AMDGV_CMD_GET_DIAG_DATA IOCTL to achieve arbitrary kernel code execution. EPSS data not available; no public exploit or CISA KEV listing identified at time of analysis, suggesting limited active exploitation despite high CVSS 8.5 severity.
Cross-site request forgery in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier enables remote attackers to execute unauthorized operations through victim's authenticated session via malicious web pages. Successful exploitation achieves high confidentiality and integrity impact without requiring attacker authentication. Reported by JPCERT to JVN, indicating likely targeting of Japanese enterprise deployments. No active exploitation (CISA KEV) or public POC identified at time of analysis.
Local privilege escalation in Rapid7 Metasploit Pro allows unprivileged Windows users to achieve SYSTEM-level execution via OpenSSL configuration file hijacking. The metasploitPostgreSQL service loads openssl.cnf from a non-existent directory writable by standard users, enabling arbitrary command execution with SYSTEM privileges. Rated CVSS 8.5 (High) with proof-of-concept exploitation status (E:P). EPSS data not yet available. Not currently listed in CISA KEV catalog, suggesting vendor-disclosed rather than observed in-the-wild exploitation at time of analysis.
Out-of-bounds write in the AMD Platform Management Framework (PMF) Driver enables local authenticated users to escalate privileges on AMD Ryzen 6000/7000/8000 series processors. The vulnerability stems from improper input validation (CWE-787) allowing memory corruption beyond allocated buffer boundaries. Exploitation requires low-privilege local access with low attack complexity (CVSS 4.0: AV:L/AC:L/PR:L), making this a realistic post-compromise escalation vector. AMD released chipset driver version 7.06.02.123 addressing all affected Ryzen series. No public exploit or active exploitation confirmed at time of analysis.
Out-of-bounds read/write in AMD Platform Management Framework (PMF) driver allows local authenticated users to escalate privileges on Ryzen 6000/7000/8000 series processors. AMD has released patched chipset software version 7.06.02.123 addressing the improper input validation vulnerability. No public exploit code identified and CISA has not added this to KEV, indicating exploitation is not yet confirmed in real-world attacks despite the high CVSS score. Attackers must already have local system access with standard user privileges to exploit this vulnerability.
Insecure installation directory permissions in AMD chipset driver allow local authenticated attackers to achieve SYSTEM-level privilege escalation and execute arbitrary code. The vulnerability affects nearly all AMD Ryzen, Threadripper, EPYC, and Athlon processors across desktop, mobile, embedded, and server product lines. AMD has released patched chipset driver versions 8.01.20.513 (consumer/workstation) and 8.03.14.329/8.03.16.641 (server). No active exploitation confirmed at time of analysis, but the local vector and low attack complexity make this exploitable by any authenticated Windows user, including standard users without admin rights.
Local privilege escalation in AMD Platform Management Framework (PMF) allows authenticated attackers with low privileges to unmap arbitrary memory pages, potentially executing code with elevated privileges or triggering system crashes. Affects modern AMD Ryzen mobile processors across multiple generations (6000/7000/8000/AI 300 series, embedded variants). The vulnerability enables both horizontal escalation (confidentiality compromise via changed scope in CVSS 4.0) and vertical impact (integrity/availability degradation). No evidence of active exploitation (not in CISA KEV), but the local attack vector with low complexity makes this exploitable by malware or malicious insiders once system access is obtained. EPSS data not available for risk calibration.
Command injection in the Turborepo LSP VS Code extension before version 2.9.14000 allows arbitrary code execution when opening malicious workspaces. The vulnerability stems from unsafe string interpolation in shell commands, enabling attackers to inject commands through workspace settings or task names that execute with the user's VS Code process privileges. The CVSS 4.0 score of 8.4 indicates high severity with local access and user interaction required.
Local code execution in Tabby terminal emulator versions before 1.0.233 occurs when dragging and dropping files containing control characters in their paths. The terminal fails to properly escape control sequences, allowing attackers to execute arbitrary commands through crafted filenames when a user drags a malicious file into the terminal window.
Local privilege escalation in AMD Platform Management Framework (PMF) allows authenticated attackers with low privileges to execute arbitrary code with elevated system privileges through an out-of-bounds write vulnerability. Affects multiple AMD Ryzen processor series (6000, 7035, 7040, 8040, and Embedded R8000) across mobile and embedded platforms. The CVSS 4.0 score of 8.4 reflects high impact to system integrity and availability with changed scope, indicating the attacker can escape the vulnerable component's security context. No active exploitation confirmed in CISA KEV at time of analysis, and public exploit code availability is not indicated in current intelligence.