Path traversal in Dify versions 0 through 1.14.1 allows authenticated tenants to escape their authorized tenant path and reach the Plugin Daemon's internal REST API, including debug interfaces, by smuggling unencoded dot sequences through task identifiers or filename parameters. Because Dify Cloud permits unauthenticated free self-registration, the authentication barrier collapses to trivial account creation, and publicly available exploit code exists; the attacker only needs the victim tenant's UUID to pivot. CVSS 4.0 is rated 9.2 with high confidentiality and integrity impact.
Cross-tenant authorization bypass in LangGenius Dify versions through 1.14.1 lets any logged-in editor reroute another tenant's LLM trace traffic - including prompts and model responses - to an attacker-controlled observability provider. Because Dify Cloud permits free self-registration, the authentication barrier is effectively trivial; publicly available exploit code exists and a vendor patch is shipped via PR #35793. The flaw is an instance of CWE-639 (insecure direct object reference) in the trace-configuration endpoints, which accepted an app_id without validating tenant ownership.
The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.
The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks.
Server-side request forgery in Dozzle (amir20/dozzle) versions through 8.14.12 allows remote unauthenticated attackers to coerce the Dozzle host into issuing arbitrary HTTP POST requests and reflects up to 1MB of the response body back. The flaw lives in POST /api/notifications/test-webhook, which is exposed without authentication in the documented default Docker quickstart deploy (DOZZLE_AUTH_PROVIDER unset). No public exploit identified at time of analysis, but a detailed proof-of-concept accompanies the GHSA advisory.
{file_id}/preview endpoint. The flaw is amplified on Dify Cloud, where free self-registration makes account creation trivial, and publicly available exploit code exists via the Huntr disclosure. No CISA KEV listing has been recorded at time of analysis, but the combination of low-friction account access and a documented PoC raises practical exposure considerably.
Denial of service in ImageMagick's MIFF (Magick Image File Format) decoder allows remote unauthenticated attackers to trigger an infinite loop and exhaust CPU resources by submitting a crafted MIFF file. The flaw affects Magick.NET bindings prior to version 14.13.1 across multiple platform builds (Q16, HDRI, OpenMP variants for x64/arm64/x86) and is tracked under GHSA-7gg8-qqx7-92g5. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.
Stack buffer overflow in the Edimax BR-6428NS router (firmware 1.10) allows remote authenticated attackers to corrupt memory by sending an overlong pptpUserName parameter to the /goform/formPPTPSetup endpoint. Publicly available exploit code exists per VulDB disclosure, and no public exploit identified at time of analysis in CISA KEV. The vendor was reportedly contacted prior to disclosure but did not respond, leaving the device line without a confirmed fix.
Stack buffer overflow in the Edimax BR-6428NS router firmware version 1.10 allows authenticated remote attackers to corrupt memory by sending a crafted POST request to the formL2TPSetup handler with an oversized L2TPUserName parameter. Publicly available exploit code exists via a third-party Notion writeup, and the vendor was contacted but did not respond, leaving devices exposed without a coordinated fix. No CISA KEV listing or EPSS data is available to confirm active mass exploitation, but the combination of a public PoC and unresponsive vendor elevates real-world risk for any internet-exposed device.
The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
{tenant}/databases/{db}/collections endpoint. The flaw carries a maximum CVSS 4.0 score of 10.0 and was disclosed publicly by HiddenLayer; no public exploit identified at time of analysis, though detailed research has been published.
Privilege elevation in Microsoft Azure Local Disconnected Operations allows unauthenticated network-based attackers to gain elevated rights via an improper authentication weakness (CWE-287). The flaw carries a maximum CVSS 10.0 score with scope change, and Microsoft has issued a patched build (Azure Local 2604.2.25645). No public exploit identified at time of analysis, but the trivial attack profile (AV:N/AC:L/PR:N/UI:N) makes this a top-priority fix for affected hybrid-cloud deployments.
OS command injection in Dokploy self-hosted PaaS (versions <= 0.26.6) allows an authenticated low-privileged user to achieve server-level remote code execution by injecting shell metacharacters into the appName parameter when creating an application or database. The cleanAppName sanitizer only lowercases and strips spaces, leaving characters like ;, $(), backticks, |, and & to be passed directly into execAsync()/execAsyncRemote() shell interpolation when service lifecycle operations run. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV, but the GitHub commit diff publicly demonstrates the vulnerable code path.
Broken access control in Arcane's GitOps backend (versions <= 1.18.1) allows any authenticated low-privilege user to exfiltrate plaintext Git credentials (PATs/SSH keys) stored for source-of-truth repositories. Eight of nine /api/customize/git-repositories endpoints omit the checkAdmin() gate, letting a 'user' role attacker repoint a repository URL to an attacker-controlled host and trigger a /test or /branches call that transmits the decrypted token via HTTP Basic auth. No public exploit identified at time of analysis, but the GHSA advisory documents a complete attack chain and a patched release (1.19.0) is available.
SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.
SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet.
Pre-authenticated server-side template injection in Verbb Formie (a forms plugin for Craft CMS) allows unauthenticated remote attackers to submit crafted values into Hidden fields configured with a Custom default value, which are then evaluated as Twig during submission handling. Successful exploitation can lead to arbitrary code execution and full compromise of the Craft site depending on template sandbox behavior. No public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-x7m9-mwc2-g6w2 and patch commit are publicly disclosed.
SQL injection in projectworlds Hospital Management System in PHP 1.0 enables unauthenticated remote attackers to extract or modify patient data through the appointment_no parameter in update_info.php. The vulnerability has publicly available exploit code and affects the getAllPatientDetail function, with the vendor notified but unresponsive.
The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4's license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above delete the license key.
Remote code execution in the amazon-redshift-python-driver (versions prior to 2.1.14) allows a malicious or compromised Redshift server, or a man-in-the-middle attacker positioned on the network path, to execute arbitrary Python code on any client that connects. The root cause is unsafe use of Python's eval() against untrusted server-supplied data inside the vector_in() function. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and PR:N/UI:N vector make this a high-priority client-side supply-chain-style risk.
Stack-based buffer overflow in lwIP through 2.2.1 enables remote unauthenticated attackers to corrupt stack memory in the SNMPv3 USM handler by sending a crafted msgAuthenticationParameters field to snmp_parse_inbound_frame in src/apps/snmp/snmp_msg.c. The flaw stems from a commented-out length assertion that allowed user-controlled TLV value lengths to exceed SNMP_V3_MAX_AUTH_PARAM_LENGTH during decoding. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.3 reflects network-reachable, no-privilege, no-interaction exploitation against a library widely embedded in IoT and embedded TCP/IP stacks.
Authorization bypass in Creartia's ICMS content management system allows remote unauthenticated attackers to gain unauthorized access to protected features and escalate privileges by manipulating HTTP redirect headers during the login process. The vulnerability has a CVSS 9.3 score and vendor patches are available through INCIBE advisory.
SGLangs multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints.
Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication bypass in the ruby-jwt gem (versions < 3.2.0) allows remote attackers to forge valid HS256/HS384/HS512 tokens when an application supplies an empty string or nil as the verification key. Because OpenSSL::HMAC.digest happily computes a digest under an empty key and JWT::JWA::Hmac coerces nil to '' without validating, any application whose key lookup degrades to '' (common with Redis misses, ORM string defaults, or `ENV['SECRET'] || ''` patterns) will accept attacker-signed tokens. No public exploit identified at time of analysis, but the vendor advisory (GHSA-c32j-vqhx-rx3x) and the v3.2.0 patch confirm the issue and the trivial forgery primitive.
Arbitrary file deletion in DumbAssets through 1.0.11 lets unauthenticated remote attackers destroy any file the Node.js process can write to by submitting `../` sequences in the `filesToDelete` array of the `POST /api/delete-file` endpoint. Because authentication on the application is optional and disabled by default, exposed instances can be rendered completely non-functional by deleting critical files such as `server.js` or `package.json`. No public exploit identified at time of analysis, and the CVE is not currently on the CISA KEV list.
Arbitrary directory deletion in CloakBrowser's cloakserve CDP multiplexer (pip package cloakbrowser <= 0.3.27) allows unauthenticated network attackers to delete directories accessible to the service user by supplying path traversal sequences in the fingerprint query parameter. The service binds to 0.0.0.0 by default, dramatically widening exposure, and no public exploit identified at time of analysis though the vulnerability is trivially reproducible from the published advisory.
Remote code execution in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 allows attackers to execute arbitrary code on victim systems when a user is lured to a malicious webpage. The vulnerability stems from improper input validation (CWE-20) and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Privilege escalation in self-hosted Budibase (@budibase/worker < 3.38.1) allows any authenticated builder-level user to create a global admin account via the POST /api/global/users/onboard endpoint when SMTP is not configured, with the generated password returned directly in the HTTP response. The flaw stems from the onboard route being gated by builderOrAdmin middleware while exposing the same user-creation power as the admin-only invite endpoints, and no public exploit is identified at time of analysis although the GHSA advisory includes a complete, working proof-of-concept curl chain.
Stored cross-site scripting (XSS) in DernekWeb through version 30122025 enables attackers to inject persistent malicious scripts that execute when victims view affected pages. The vulnerability requires no authentication to exploit but does require user interaction (viewing the compromised page). With a high CVSS score of 8.8 reflecting potential for high impact across confidentiality, integrity and availability, this represents a serious risk for organizations using this Turkish association management software.
Thermo Fisher Scientific Torrent Suite Dx through 5.14.2 has a privilege escalation vulnerability that may allow an authenticated user with limited access privileges to gain unauthorized administrator-level privileges through exploitation of specific system interfaces.
ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection.
Remote unauthenticated denial-of-service in the iskorotkov/avro Go Avro decoder (and the archived upstream hamba/avro/v2) allows a malicious producer to pin a CPU core indefinitely by declaring an Avro array or map block with an attacker-controlled element count up to math.MaxInt64. The array/map decoders in codec_skip.go and reader_generic.go iterate the declared count without checking the Reader's accumulated error state, so a truncated payload triggers ~9.2×10^18 no-op iterations. No public exploit identified at time of analysis beyond the advisory's documented proof-of-concept payload; CVSS 4.0 scores this 8.7 (high) reflecting network reachability with high availability impact.
Denial-of-service in the iskorotkov/avro Go Avro decoder (a maintained fork of the archived hamba/avro) lets unauthenticated remote attackers crash or hang consumers by submitting crafted Avro streams that trigger integer narrowing, signed-integer overflow in cumulative block sizes, or unchecked-negative make() calls. All versions prior to v2.33.0 are affected; the upstream github.com/hamba/avro/v2 (all versions through v2.31.0) is also vulnerable and will not receive a fix because the module is archived. No public exploit identified at time of analysis, though the advisory itself documents concrete PoC input shapes and includes a regression test (TestDecoder_ArrayMultiBlockExceedsMaxInt) that demonstrates the cumulative-overflow path on amd64.
Stored cross-site scripting in the CI4MS (CodeIgniter 4 CMS/ERP) Pages module versions <= 0.31.8.0 allows authenticated content authors holding the pages.create or pages.update permission to persist arbitrary JavaScript that executes in every visitor's browser when the public Pages renderer outputs the field unescaped. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-gqr2-7hcg-rchf), and because vulnerable pages can be promoted to the site home page, a single injection escalates from a low-privileged author to full administrator session takeover when an admin browses the front-end.
Mattermost versions up to 11.5.1 expose sensitive credentials in plaintext within support packets due to insufficient sanitization of configuration fields. System administrators or anyone with access to support packets can obtain database passwords, API keys, and other sensitive credentials by downloading support packets from the System Console. The vulnerability affects multiple version branches (10.11.x, 11.4.x, 11.5.x) and poses significant risk for credential theft and lateral movement.
Remote code execution in FreePBX versions below 16.0.71 and 17.0.6 allows authenticated low-privileged users with backup access to execute arbitrary PHP code by uploading a malicious tar archive containing a crafted manifest file. The backup module passes attacker-controlled data directly to PHP's unserialize() without class restrictions, enabling PHP object injection that runs as the asterisk or www-data web server user. No public exploit identified at time of analysis, though the upstream fix commits are public on GitHub, making patch-diff exploitation feasible.
SQL injection in SOGo 5.12.7 (Alinto's open-source groupware/webmail platform) allows authenticated users to exfiltrate arbitrary database contents by injecting subqueries through the uid parameter of the addUserInAcls endpoint, then reading the staged data back via the /acls API. The flaw, reported by VulnCheck (with credit to dninh of SACOMBANK), is fixed in 5.12.8; no public exploit identified at time of analysis and the CVE is not on CISA KEV.
Prototype pollution in the npm package parse-nested-form-data version 1.0.0 and earlier allows unauthenticated remote clients to mutate Object.prototype of the running Node.js process by submitting a FormData field whose name contains __proto__ in bracket or dot notation. The flaw resides in handlePathPart in src/index.ts, which walks nested path segments without filtering reserved keys, so a single crafted field name pollutes the prototype chain of every plain object in the process. No public exploit identified at time of analysis, but a working proof-of-concept is published in the GHSA advisory itself.
Prototype pollution in the npm package form-data-objectizer (<= 1.0.0) lets unauthenticated remote attackers mutate Object.prototype by submitting a single HTTP form field whose name uses bracket notation such as __proto__[polluted] or constructor[prototype][polluted]. The defect lives in treatInitial/treatSecond inside index.cjs, where an 'in' check walks the prototype chain and lets the parser write to inherited properties. CVSS is 8.2 (High) with Integrity:High; publicly available exploit code exists (working PoC published in the GHSA advisory), but there is no public exploit identified as being used in attacks and no CISA KEV listing.
Unauthenticated broadcast hijack in TinyIce versions 0.8.95 through 2.4.1 allows any network attacker reaching the HTTP port to inject arbitrary audio/video streams onto any mount via the WebRTC source-ingest endpoint. The POST /webrtc/source-offer handler omitted the source-password check that all other ingest paths (Icecast SOURCE/PUT, RTMP, SRT) enforce, letting attackers replace legitimate broadcasts with their own content. Publicly available exploit code exists in the form of a one-line curl probe published in the GHSA advisory, though no public exploit identified for sustained hijack at time of analysis.
Prototype pollution in the @tmlmobilidade/utils npm package allows remote unauthenticated attackers to inject properties into Object.prototype via the setValueAtPath() helper, leading to integrity compromise and partial availability impact in any downstream application that passes user-influenced paths into the function. The flaw is rated CVSS 8.2 (AV:N/AC:L/PR:N/UI:N) and is fixed in version 20260509.0340.15; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated reflected XSS in Arcane Backend's logo endpoint enables full admin account takeover. The vulnerability allows attackers to inject JavaScript into an SVG image response by manipulating the color parameter, which executes in the application's origin when visited by authenticated users. Fixed in version 1.19.0.
Remote code execution in Caddy web server (versions 2.7.0 through 2.10.2) is possible when the FastCGI reverse proxy's splitPos() function mishandles non-ASCII bytes in request paths, causing non-PHP files to be routed to a FastCGI upstream like PHP-FPM as if they were scripts. Where an attacker can place file content (uploads, user-content stores, package mirrors), a single crafted URL containing Unicode lookalikes for '.php' or a non-ASCII byte after a dot yields unauthenticated RCE. Publicly available exploit code exists (detailed PoC in the GHSA advisory) and the issue inherits two bugs from FrankenPHP's adapted code; no public exploitation has been reported and EPSS data was not provided.
Cross-tenant credential fallback in n8n-mcp versions 2.51.1 and earlier allows an authenticated MCP tenant on a shared multi-tenant HTTP deployment to operate against the operator's own n8n instance instead of their assigned tenant. When ENABLE_MULTI_TENANT=true and a request omitted (or partially supplied) the x-n8n-url and x-n8n-key headers, n8n-mcp silently fell back to the process-level N8N_API_URL/N8N_API_KEY credentials, granting tenants unintended access to read/write workflows, executions, data-tables, and credential metadata. Patched in 2.51.2; no public exploit identified at time of analysis but the underlying logic is straightforward and the upstream fix commit is publicly visible.
Local privilege escalation to arbitrary code execution in MLflow versions prior to 3.11.0 stems from insecure temporary directory permissions (0o777 and 0o770) created by NFS and model-download helpers. Any local user sharing the filesystem - particularly on Databricks where NFS is enabled by default - can overwrite cloudpickle-serialized model artifacts and gain code execution when another user's process deserializes them via cloudpickle.load(). No public exploit is identified at time of analysis, and the issue is a continuation of CVE-2025-10279 which was only partially fixed.
Code injection vulnerability in the Command-Line Client of P4 Server (Helix Core) prior to version 2025.2 Patch 2 allows remote attackers to execute arbitrary code. The vulnerability requires user interaction but no authentication, with a CVSS 7.7 score indicating high impact across confidentiality, integrity, and availability. Perforce has released a patch in version 2025.2 Patch 2.
Information disclosure in Mattermost Calls plugin versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 exposes TURN server credentials through support packets. Administrators with support packet access can extract plaintext credentials from exported plugin configurations, potentially compromising the WebRTC infrastructure used for voice/video calls. The vulnerability requires high privileges (admin) but affects confidentiality across trust boundaries (CVSS Scope:Changed).
Denial of service in GnuTLS affects the Datagram Transport Layer Security (DTLS) packet reordering logic, where the comparator function fails to correctly handle packets with duplicate sequence numbers. Remote unauthenticated attackers can send specially crafted DTLS packet sequences to trigger unstable ordering or undefined behavior, causing service disruption. No public exploit identified at time of analysis, and the issue is rated CVSS 7.5 (High) for availability impact only.