Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Smartshop 1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'searched' parameter in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Smartshop 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Smartshop 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
D-Link DIR601 2.02NA contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by manipulating the table_name parameter in POST. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Redaxo CMS Mediapool Addon 5.5.1 and older contains an arbitrary file upload vulnerability that allows authenticated users to bypass file extension blacklist restrictions. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SIPp 3.6 and earlier contains a local buffer overflow vulnerability in command-line argument handling that allows local attackers to crash the application or execute arbitrary code. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Audiograbber 1.83 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by exploiting structured exception handling mechanisms. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
10-Strike Network Scanner 3.0 contains a local buffer overflow vulnerability in the host name field that allows attackers to bypass SafeSEH protections and execute arbitrary code. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
10-Strike Network Inventory Explorer 8.54 contains a stack-based buffer overflow vulnerability in the registration key input field that allows local attackers to execute arbitrary code by triggering. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer overflow in the Edimax BR-6428NS 1.10 router's web management interface allows authenticated remote attackers to corrupt memory by submitting a crafted vapurl parameter to the formWirelessTbl POST handler at /goform/formWirelessTbl. Publicly available exploit code exists (released via VulDB and a Notion writeup), and the vendor has not responded to coordinated disclosure attempts. The flaw is not currently listed in CISA KEV, but the combination of public PoC, low attack complexity, and an unpatched/unresponsive vendor makes this a tangible risk for any exposed device.
Stack buffer overflow in the Edimax BR-6428NS 1.10 wireless router allows authenticated remote attackers to corrupt memory by sending an overlong pppUserName parameter to the /goform/formWanTcpipSetup endpoint. Publicly available exploit code exists, and the vendor failed to respond to the coordinated disclosure attempt, leaving devices without an official fix. With a CVSS of 8.8 and full CIA impact, successful exploitation can result in arbitrary code execution or device takeover on the embedded router.
WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Contact Form Maker Plugin 1.12.20 contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through the FormMakerSQLMapping and. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Privilege escalation in the WishList Member WordPress plugin (versions through 3.30.1) allows authenticated subscriber-level attackers to extract the plugin's plaintext REST API Secret Key and use it to create administrator accounts, resulting in full site takeover. The flaw is reachable via a single AJAX call (ajax_get_screen) that lacks capability and nonce checks. No public exploit identified at time of analysis, but the attack path is fully described in the Wordfence advisory and requires only low-privileged authenticated access.
Privilege escalation in the Wishlist Member WordPress plugin (versions through 3.30.1) allows any authenticated user with Subscriber-level access or higher to update arbitrary plugin options, including the REST API Secret Key, leading to full site takeover. The flaw stems from a missing capability check in the Team_Accounts::save_settings function, and although no public exploit identified at time of analysis, the low authentication bar and chained admin-account creation path make it a high-priority risk on any WordPress site that permits public registration.
Privilege escalation in the WishList Member WordPress plugin versions up to 3.30.1 allows authenticated low-privilege users to obtain the REST API Secret Key via the unprotected 'export_settings' AJAX endpoint and leverage it to register arbitrary administrator accounts. The CVSS 8.8 (High) rating reflects full confidentiality, integrity, and availability impact, and while no public exploit is identified at time of analysis, the discovery by Wordfence - a major WordPress security vendor - typically precedes broader exploitation against the large WordPress plugin ecosystem.
Privilege escalation in the Wishlist Member WordPress plugin (versions ≤3.30.1) allows authenticated Subscriber-level users to overwrite the plugin's REST API Secret Key and abuse it to create administrator accounts, leading to full site takeover. The flaw stems from a missing capability check on the generate_api_key hook handler. No public exploit identified at time of analysis, though Wordfence has published a threat-intel advisory.
Memory corruption and potential information disclosure in the Linux kernel networking stack (skbuff) occurs because skb_try_coalesce() fails to propagate the SKBFL_SHARED_FRAG marker when transferring paged fragments between socket buffers. The flaw breaks an invariant relied upon by IPsec ESP input processing, which may then decrypt data in-place over page-cache-backed fragments belonging to other contexts. No public exploit identified at time of analysis, EPSS sits at 0.02%, and the issue is patched across multiple stable trees.
{id}/templates/variables endpoint, which lacks the checkAdmin() guard applied to every other admin-sensitive handler. Because global variables are merged into every project's compose file at deploy time, an attacker can redirect image pulls to a malicious registry to achieve cross-tenant supply-chain code execution on the Docker host, steal credentials from other users' deployments, or break every project on the instance. No public exploit identified at time of analysis, but the GHSA advisory documents the exact vulnerable code path.
Pre-authentication denial of service in Parse Server (versions <8.6.77 and 9.0.0 through 9.9.0) allows remote unauthenticated attackers who know a publicly-discoverable Parse Application ID to pin Node.js workers for seconds to minutes by sending a crafted X-Parse-Client-Version header or _ClientVersion JSON body field that triggers polynomial regex backtracking in the client SDK version parser. The parser runs before session authentication and rate limiting on every /parse/* request, so a handful of concurrent requests can saturate a worker fleet. No public exploit identified at time of analysis, EPSS sits at 0.16% (37th percentile), and the issue is not in CISA KEV.
Unauthorized order manipulation and information disclosure in the WooCommerce PayPal Payments WordPress plugin (versions through 4.0.1) allows remote unauthenticated attackers to abuse two WC-AJAX endpoints (ppc-create-order and ppc-get-order) that lack authorization checks. By chaining these endpoints, an attacker can create a PayPal order against any victim's WooCommerce order ID and then retrieve full PayPal order details including payer information and shipping data. No public exploit identified at time of analysis, but the plugin's broad e-commerce deployment and trivial attack complexity make this a credible target.
Server-side request forgery in Nezha Monitoring dashboard (versions >=1.4.0, <1.14.15-0.20260517022419-d06d539d34c1) allows authenticated low-privilege RoleMember accounts to issue arbitrary HTTP requests to intranet targets via the POST /api/v1/notification and PATCH /api/v1/notification/:id endpoints, with full unbounded response bodies reflected back through error messages. Publicly available exploit code exists in the GHSA advisory, though EPSS is 0.03% (9th percentile) suggesting low mass-exploitation likelihood against this niche server-monitoring tool. Root cause is a missing adminHandler authorization gate combined with a notification webhook tester that ignores private/loopback CIDRs and lacks an io.LimitReader.
Privilege escalation in Nezha Monitoring (>= 1.4.0, < 1.14.15-0.20260517022419-d7526351cf97) lets an authenticated RoleMember invoke arbitrary cron tasks owned by other users - including admins - by referencing their task IDs in an alert rule's FailTriggerTasks/RecoverTriggerTasks fields. When the attacker's alert trips, the admin's cron command fans out to every connected agent, yielding cross-tenant command execution across the entire monitored fleet. EPSS is very low (0.04%), no public exploit identified at time of analysis beyond the PoC embedded in the GHSA advisory, and the vendor has shipped a patched commit.