Joomla jCart for OpenCart 2.3.0.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information without authentication. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Simple Fields 0.2 through 0.3.5 WordPress Plugin contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting null bytes into the. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Expression language injection in Beetl template engine versions up to 3.20.2 enables remote attackers to execute arbitrary expressions through the SpELFunction component. The vulnerability stems from improper neutralization of special elements in Spring Expression Language (SpEL) processing, with publicly available exploit code and no vendor response despite early notification. CVSS 7.3 indicates moderate severity with confirmed remote exploitability.
Path traversal in adenhq Hive versions up to 0.11.0 allows unauthenticated remote attackers to read arbitrary files via the _read_events_tail function in the Delete Request Handler. This network-accessible vulnerability requires no user interaction and has a publicly available proof-of-concept exploit. The vendor has not responded to disclosure attempts, leaving users without an official patch. EPSS data unavailable; CVSS 5.5 reflects limited confidentiality/integrity impact but ease of exploitation warrants prioritization for internet-facing deployments.
Authentication bypass in Sanluan PublicCMS 5.202506.d allows remote unauthenticated attackers to access arbitrary user trade address data via manipulation of userId/id parameters in the TradeAddressListDirective component. Public exploit code exists (CVSS E:P), enabling unauthorized disclosure of confidential address information including names, phone numbers, and shipping details. EPSS data unavailable; not listed in CISA KEV. Vendor non-responsive to disclosure.
Business logic flaws in PublicCMS 5.202506.d trade payment controller allow unauthenticated remote attackers to manipulate payment processing workflows, potentially enabling payment bypass or unauthorized transaction modifications. Publicly available exploit code exists demonstrating the attack. The vulnerability affects three payment-related functions (TradeOrderController.pay, TradePaymentController.pay, AccountGatewayComponent.pay) in the publiccms-trade module. Vendor was notified but did not respond, and no patch has been announced.
Unrestricted file upload in Metasoft MetaCRM (versions up to 6.4.0 Beta06) allows remote unauthenticated attackers to upload arbitrary files via the /common/jsp/upload3.jsp endpoint. A publicly disclosed exploit exists (CVSS E:P), enabling attackers to upload malicious files without authentication (PR:N), potentially leading to remote code execution. The vendor did not respond to coordinated disclosure, leaving users vulnerable. EPSS data not available, but the combination of network accessibility, no authentication requirement, and public exploit code indicates elevated real-world risk despite the moderate 5.5 CVSS score.
Server-side request forgery in CoreWorxLab CAAL versions up to 1.6.0 enables unauthenticated remote attackers to make arbitrary HTTP requests from the server through the test-hass endpoint in webhooks.py. The vulnerability has publicly available exploit code and allows attackers to access internal resources, potentially leading to data exposure or further compromise of internal systems. EPSS data not available, not currently in CISA KEV despite public exploit availability.
Deserialization vulnerability in H2O-3 machine learning platform versions up to 7402 enables remote code execution through the importBinaryModel function when processing malicious JAR files. The vulnerability allows unauthenticated remote attackers to execute arbitrary code with publicly available exploit code (CVSS 7.3, EPSS not provided). The vendor failed to respond to disclosure attempts, leaving users without an official patch.
Information disclosure in h2oai h2o-3 through version 7402 allows remote unauthenticated attackers to read arbitrary files from the server filesystem via the ImportFile API endpoint. The vulnerability resides in the importFiles function of PersistNFS.java and is confirmed actively exploited with publicly available exploit code (CVSS:4.0 E:P). Despite early vendor notification, h2oai has not responded or issued a patch, leaving deployments at risk of credential theft, source code exposure, or configuration file access.
Improper access controls in H2O-3's Rapids setproperty primitive allow remote unauthenticated attackers to modify system properties via the AstSetProperty.java exec function. The vulnerability permits low-impact integrity violations through manipulation of configuration settings accessible via the Rapids API. Public exploit code is available (VulDB 364379), increasing exploitation risk, though no active exploitation confirmed by CISA KEV at time of analysis. EPSS data not provided. Vendor unresponsive to disclosure attempts.
Hard-coded cryptographic key in Sanluan PublicCMS 5.202506.d allows remote attackers to compromise data integrity through the SafeConfigComponent's getSignKey function. The vulnerability (CWE-321) enables manipulation of the privatefile_key argument, permitting unauthenticated network-based attacks with low complexity. Public exploit code is available per VulDB submission 809917, significantly lowering the skill barrier for exploitation despite the medium CVSS 5.5 score. EPSS data unavailable; not listed in CISA KEV, suggesting targeted rather than widespread exploitation at time of analysis.
SQL injection in Oinone Pamirs versions up to 7.2.0 allows remote unauthenticated attackers to read, modify, or delete database records via the queryListByWrapper interface. The RSQLToSQLNodeConnector.makeVariable function fails to properly sanitize input, enabling direct database manipulation. A publicly available proof-of-concept exploit exists (GitHub issue #12), and the vendor has not responded to disclosure attempts. EPSS data unavailable, not listed in CISA KEV. CVSS 5.5 (Medium) reflects confidentiality, integrity, and availability impacts all rated Low with network-accessible, low-complexity exploitation requiring no authentication.
Zechat 1.5 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to change a user's information by bypassing anti-CSRF protections. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla JoomOCShop 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
TP-Link TL-WR720N wireless router contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious web requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The qs Node.js library (versions 6.11.1 through 6.15.1) crashes with a synchronous TypeError when stringify is called with both arrayFormat: 'comma' and encodeValuesOnly: true on arrays containing null or undefined elements. Applications using these non-default options together will experience request failures (typically 500 errors in web frameworks) when processing user input with null array values. The vulnerability was introduced in commit 4c4b23d (PR #463, January 2023) and patched in v6.15.2 (commit 21f80b3). No public exploit or CISA KEV listing identified at time of analysis, though exploitation requires only crafting JSON input with null array elements.
Path traversal in fishaudio Bert-VITS2's Gradio web interface allows remote unauthenticated attackers to read or write arbitrary files on the server filesystem via the generate_config function's data_dir parameter. Public exploit code exists (disclosed via VulDB and GitHub Gist). EPSS data unavailable; CVSS 5.5 (Medium) but CVSS 4.0 vector shows network-accessible, no authentication required (AV:N/PR:N), making this readily exploitable against any internet-exposed instance. Vendor non-responsive to early disclosure attempt, indicating no official patch available.
Server-side request forgery in Vercel AI SDK versions up to 3.0.97 allows remote unauthenticated attackers to forge requests from the server to arbitrary internal or external resources via the validateDownloadUrl function in provider-utils. Publicly available exploit code exists (CVSS E:P). EPSS data not available, not listed in CISA KEV. Vendor unresponsive to disclosure, indicating no official patch or advisory at time of analysis. Organizations using affected versions for AI model downloads or blob handling should implement immediate compensating controls.
Path traversal in fishaudio Bert-VITS2's hiyoriUI.py allows unauthenticated remote attackers to access arbitrary files outside the intended model directory via the _get_all_models function. Public exploit code exists (GitHub Gist). The project uses rolling releases with no versioned patches, and the vendor has not responded to disclosure attempts. EPSS data unavailable; not listed in CISA KEV, suggesting limited real-world exploitation despite public POC.