Soroush IM Desktop App 0.17.0 contains an authentication bypass vulnerability that allows local attackers to remove passcodes by injecting pre-encrypted database entries using a constant encryption. Rated high severity (CVSS 7.0), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Privilege escalation in the StoreApps Smart Manager WordPress plugin (versions up to and including 8.85.0) allows authenticated low-privilege users to elevate themselves to higher-privileged roles due to incorrect privilege assignment (CWE-266). The flaw was reported by Patchstack and carries a CVSS 3.1 score of 8.8, though there is no public exploit identified at time of analysis and EPSS is very low at 0.04%. Affected WooCommerce stores running this plugin should treat this as a meaningful internal-risk issue because any subscriber, customer, or shop-manager account could be leveraged to seize administrator control.
Denial of service in benoitc hackney (Erlang HTTP client) versions 2.0.0 through 4.0.0 allows a malicious WebSocket server to exhaust client memory via three unbounded buffer paths in src/hackney_ws.erl. An attacker controlling the server the hackney client connects to can drive the Erlang VM to OOM by streaming bytes without terminator, declaring a giant RFC 6455 frame length, or sending endless non-final continuation fragments. Publicly available exploit code exists per SSVC, EPSS is low at 0.09%, and a vendor patch is available in 4.0.1.
Denial of service in benoitc hackney (Erlang HTTP client) 2.0.0 through 4.0.0 allows remote unauthenticated attackers to crash the BEAM VM by supplying URLs with attacker-chosen scheme prefixes, exhausting the non-garbage-collected atom table (default limit 1,048,576). Exploitation is automatable per SSVC and affects any application that parses untrusted URLs via hackney - including request targets, configured webhook URLs, or Location redirect headers. No public exploit identified at time of analysis and EPSS is low (0.04%), but a vendor patch is available in 4.0.1.
Denial-of-service in benoitc's hackney Erlang HTTP client (versions 2.0.0-beta.1 through 4.0.0) allows any HTTP origin server to pin a client process at 100% CPU by returning a malformed Alt-Svc response header. The flaw is a CWE-835 infinite loop in the Alt-Svc parser, triggerable by a single byte such as '!' in the header value. No public exploit identified at time of analysis, EPSS is low (0.04%), but SSVC rates exploitation as POC and the attack is automatable; a vendor patch is available in 4.0.1.
An OS Command Injection vulnerability exists in Aterm. If a malicious third person gains administrator access to the product’s web console, they may be able to execute arbitrary OS commands via adjacent network.
Blind SQL injection in the Unlimited Elements For Elementor WordPress plugin (versions up to and including 2.0.8) allows authenticated low-privilege attackers to inject arbitrary SQL into backend database queries. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 8.5 due to scope change and high confidentiality impact, though no public exploit identified at time of analysis and EPSS probability remains low at 0.03%. The scope change (S:C) indicates the injection crosses a trust boundary, amplifying impact beyond the vulnerable component.
NitroSense 3.x before 3.01.3052 contains Local Privilege Escalation (LPE) vulnerability.The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges.
Kenik Camera management Panel is vulnerable to Path Traversal vulnerability. An unauthenticated attacker can send GET request with arbitrary file path and read corresponding files located on the server. The issue was fixed in version 2026-04-23 of the KG-5260xxxx-IL-(G)2 cameras. Rest of the products were fixed in version 2025-04-21.
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame - it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every Timeout - 1 ms with Fin = false and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition. This issue affects hackney: from 2.0.0 before 4.0.1.
Denial of service in benoitc hackney (Erlang HTTP client) versions 0.10.0 through 4.0.0 lets a hostile SOCKS5 or HTTP CONNECT proxy hang the connecting Erlang process indefinitely during the TLS upgrade phase. Because the caller-supplied timeout was not forwarded to ssl:connect/2, which defaults to infinity, recv_timeout and connect_timeout options are silently bypassed. Publicly available exploit code exists per SSVC, EPSS is low (0.04%), and a vendor patch is available in 4.0.1.
Pre-authentication SQL injection in Roundcube Webmail's virtuser_query plugin allows unauthenticated remote attackers to bypass input sanitization through a preg_replace() backslash escape flaw and inject arbitrary SQL against the backing database. Versions 1.6.x prior to 1.6.16 and 1.7.x prior to 1.7.1 are affected. Vendor patches are available, no public exploit identified at time of analysis, and EPSS is low (0.08%), but SSVC rates technical impact as total.
Man-in-the-middle exposure in Apache Airflow's `apache-airflow-providers-google` package (versions prior to 22.0.0) stems from the `ComputeEngineSSHHook` shipping with `paramiko.AutoAddPolicy` as its default missing-host-key policy, silently trusting any SSH host key presented by a Compute Engine VM. An in-path network attacker positioned between the Airflow worker and the GCE instance can intercept or tamper with the SSH session, exposing credentials, DAG-driven commands, and transferred data. No public exploit identified at time of analysis and EPSS is very low (0.02%), but technical impact is rated total by SSVC.
Credential exposure in Gallagher Command Centre Service installers writes Service Account credentials into installer log files under %programdata%\Gallagher\Command Centre, allowing a local low-privileged user who can read those logs to recover the configured Service Account password. The flaw (CWE-532) affects a broad set of Gallagher Command Centre components including Command Centre Server, Active Directory Sync, Entra ID Sync, Elevator Service, Middleware Framework and others, but only when the operator deviated from the default Network Service account during install. There is no public exploit identified at time of analysis and EPSS is 0.01%, but a successful read yields high-impact credential compromise of a privileged service identity.
Code injection in Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 allows authenticated attackers to execute arbitrary PHP via the LDAP autovalues option, which previously evaluated user-influenced expressions as code. The upstream maintainers removed code evaluation support entirely in the fixed releases. EPSS sits at 0.05% (14th percentile) and there is no public exploit identified at time of analysis, but the issue is patched and rated CVSS 7.5.
Information disclosure in the MyCryptoCheckout WordPress plugin (versions up to and including 2.161) allows remote unauthenticated attackers to access protected data due to a missing authorization check. The flaw stems from incorrectly configured access control security levels, enabling exploitation over the network without privileges or user interaction. No public exploit identified at time of analysis, and EPSS scoring (0.03%, 9th percentile) suggests low near-term exploitation likelihood.
Unauthenticated integrity compromise in WebToffee Smart Coupons for WooCommerce (versions before 2.3.0) allows remote attackers to bypass access controls and modify coupon-related data without authentication. The flaw stems from missing authorization checks (CWE-862) on plugin endpoints, and while no public exploit has been identified at time of analysis, SSVC flags the issue as automatable, meaning mass exploitation tooling could emerge rapidly. EPSS is currently low (0.03%) despite the network-exploitable nature of the bug.
Authenticated code injection in the VideoWhisper Broadcast Live Video WordPress plugin (versions before 7.1.3) lets a high-privileged user execute arbitrary PHP on the underlying host, yielding full confidentiality, integrity, and availability loss on the WordPress instance. No public exploit identified at time of analysis, and EPSS exploitation probability sits at 0.04% (14th percentile), but SSVC rates the technical impact as total. A vendor patch is available in 7.1.3.
CSS injection in Roundcube Webmail 1.6.x (before 1.6.16) and 1.7.x (before 1.7.1) allows remote attackers to bypass the HTML sanitizer by embedding an SVG document with an animate element whose attributeName references style, enabling cross-site scripting style attacks against mail recipients. The flaw carries a CVSS 7.2 (changed scope) with no privileges or user interaction required beyond viewing a crafted message, no public exploit identified at time of analysis, and an EPSS of 0.04% (14th percentile) indicating low predicted exploitation volume despite the trivially-triggerable attack vector.
Server-Side Request Forgery and information disclosure in Roundcube Webmail 1.6.14-1.6.15 and 1.7.0 allows remote attackers to force the webmail server to fetch internal network resources by embedding malicious stylesheet links in HTML email messages. The flaw is a regression of CVE-2026-35540 caused by insufficient CSS sanitization, and while no public exploit identified at time of analysis, the EPSS score sits at a low 0.03% (9th percentile) despite the vulnerability being trivially triggerable by sending a crafted email.
Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a high-privileged administrator holding Implementations entitlements to run untrusted code outside the sandbox. By placing payload logic in a Groovy class static initializer, the attacker reaches a non-sandboxed execution path, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 6th percentile), consistent with a privilege-gated, not mass-scanned, issue.
Cross-Site Request Forgery in the CformsII WordPress plugin (bgermann) through version 15.1.3 allows remote unauthenticated attackers to coerce an authenticated victim into submitting forged state-changing requests, resulting in limited integrity loss and high availability impact. No public exploit identified at time of analysis and EPSS sits at 0.01% (4th percentile), indicating very low near-term exploitation probability, and SSVC marks exploitation as none. Patchstack tracks the issue and EUVD-2026-31766 mirrors the advisory.