Authentication bypass in ThemeHigh's Stripe Payment Gateway for WooCommerce (all versions through 5.0.7) allows unauthenticated remote attackers to exploit the plugin's password recovery flow to gain unauthorized access, affecting both data integrity and availability (CVSS 6.5). The flaw is classified as CWE-288 - Authentication Bypass Using an Alternate Path or Channel - meaning the plugin exposes an alternative code path that circumvents normal authentication controls. No public exploit code has been identified at time of analysis, and CISA has not added this to KEV, though SSVC flags the attack as automatable with partial technical impact.
Tarball unpacking in Rust's Cargo package manager fails to reject symlinks within downloaded crate archives, enabling a malicious crate hosted on a third-party registry to overwrite source files belonging to other crates in the victim's local registry cache. The attack requires no privileges on the attacker side (PR:N per CVSS 4.0) but passive user interaction (UI:P) - specifically, a developer running any Cargo command that triggers crate download and extraction. While crates.io users are explicitly unaffected (that registry enforces a server-side symlink prohibition), users of any third-party Cargo registry are at risk of supply chain source substitution; no public exploit has been identified at time of analysis, and EPSS is very low at 0.04%.
Server process termination in Mattermost is achievable by any authenticated user via a crafted outgoing webhook callback response that contains a null attachment entry - exploiting the server's failure to filter nil elements from attachment payloads before processing (CWE-754). Affected release trains span 10.11.x through 11.6.x, covering a wide installed base. No public exploit exists and EPSS is extremely low at 0.04% (12th percentile), but the availability impact is rated High by CVSS and the attack requires only low-privilege authentication over the network with no user interaction, making this a meaningful insider or compromised-account threat capable of triggering a full service outage.
Path traversal in Spring AI 1.1.0-1.1.x allows authenticated remote attackers to write arbitrary files outside the intended target directory by exploiting unsanitized LLM-influenced filenames in the Anthropic Skills API file-write workflow. The root cause is Spring AI passing filenames derived from LLM output directly to Path.resolve() without input sanitization, enabling directory escape via traversal sequences. No public exploit identified at time of analysis and EPSS is very low (0.04%, 11th percentile), though the high integrity impact (CVSS I:H) makes unauthorized file writes to restricted directories a meaningful concern in production deployments.
DOM-Based Cross-Site Scripting in Melapress WP Activity Log (all versions through 5.6.3) allows a low-privileged, authenticated attacker to inject malicious scripts into the browser DOM of a victim who interacts with crafted content, with scope impact extending beyond the plugin itself. The CVSS vector (PR:L/UI:R/S:C) indicates exploitation requires an existing WordPress account and victim interaction, but the changed scope means successful exploitation can compromise the victim's browser session across the broader WordPress environment. No public exploit code has been identified at time of analysis, and EPSS at 0.03% (10th percentile) signals low observed exploitation probability.
Stored cross-site scripting in the PickPlugins Team Showcase WordPress plugin (versions up to and including 1.22.28) enables authenticated low-privileged users to inject persistent malicious scripts that execute in the browsers of other site users who view the affected content. The CVSS Changed scope (S:C) reflects this cross-user impact boundary - typical of stored XSS in WordPress plugins where contributor-level accounts can craft content consumed by administrators or visitors. No public exploit code has been identified at time of analysis, and EPSS at 0.03% (10th percentile) combined with SSVC exploitation status of 'none' indicates negligible active threat currently.
Remote image blocking in Roundcube Webmail 1.6.x and 1.7.x can be silently bypassed by embedding a crafted CSS var() expression in an HTML email, causing the victim's browser to fetch attacker-controlled external resources despite the privacy control being active. This leads to information disclosure - including IP address leakage and email-open tracking - and potential access-control bypass. No public exploit has been identified at time of analysis and EPSS is very low (0.03%), but SSVC rates this 'Automatable: yes,' making mass-scale email tracking campaigns feasible against unpatched Roundcube deployments.
Remote image blocking bypass in Roundcube Webmail allows unauthenticated network attackers to embed HTML email image tags pointing to local or private network destinations, causing the server to fetch those resources despite the 'block remote images' policy being active. Affected versions are 1.6.14 through 1.6.15 and 1.7.0, with vendor-released patches 1.6.16 and 1.7.1 available since May 2026 per the official advisory. No public exploit has been identified at time of analysis and EPSS is very low at 0.03%, though SSVC rates technical impact as total - a notable discrepancy that warrants attention for deployments where the mail server has internal network access.
Missing Authorization in the SePay Gateway WordPress plugin (versions through 1.1.20) permits any authenticated low-privileged user to retrieve embedded sensitive data without proper access checks. The flaw is classified under CWE-862 and carries a CVSS confidentiality impact of High, meaning payment or configuration secrets stored within the plugin can be exposed to unauthorized parties. No public exploit has been identified at time of analysis, and CISA SSVC rates exploitation as none with non-automatable risk, indicating limited active threat at present.
Cross-Site Request Forgery in the Recorp Export WP Page to Static HTML/CSS WordPress plugin (versions through 6.0.0) allows unauthenticated remote attackers to force authenticated WordPress administrators into executing unauthorized state-changing plugin actions by tricking them into visiting a malicious web page. The CVSS vector (PR:N/UI:R/I:H) confirms no attacker authentication is required but victim interaction is mandatory, resulting in high integrity impact with no confidentiality or availability loss. No public exploit has been identified at time of analysis, and EPSS at 0.01% (3rd percentile) alongside SSVC exploitation status of 'none' indicate minimal current threat activity.
Broken access control in the Sunshine Photo Cart WordPress plugin (versions through 3.6.7) allows authenticated low-privilege users to perform actions beyond their intended authorization level. The root cause is a missing authorization check (CWE-862) that permits exploitation of incorrectly configured access control security levels, resulting in partial confidentiality, integrity, and availability impact. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.03% (10th percentile) and SSVC exploitation status of 'none' indicate low real-world threat at time of analysis.
Command injection in Edimax BR-6478AC 1.23 exposes the router's web management interface to remote exploitation via a crafted POST request targeting the formiNICbasic endpoint. The rootAPmac parameter - likely used for wireless bridging MAC address configuration - is passed unsanitized to a system-level command, allowing an authenticated attacker with low privileges to inject arbitrary OS commands. A public proof-of-concept exploit has been released; the vendor was notified but did not respond, leaving the vulnerability unpatched. While not listed in CISA KEV, the EPSS score of 0.84% at the 75th percentile and confirmed POC availability represent a meaningful risk for exposed devices.
Command injection in the Edimax BR-6478AC 1.23 wireless router's formAccept POST handler allows an authenticated remote attacker to execute arbitrary OS commands by injecting shell metacharacters into the submit-url argument at /goform/formAccept. A public proof-of-concept exploit is documented via a Notion writeup, lowering the bar for exploitation; the vendor did not respond to responsible disclosure, leaving no patch available. No public exploit identified at time of analysis conflicts with KEV status - active exploitation is not confirmed by CISA, but EPSS at 0.84% (75th percentile) signals above-average relative exploitation interest given the public POC.
Command injection in the Edimax BR-6675nD 1.12 router's web management interface allows a low-privileged remote attacker to execute arbitrary OS commands by submitting a crafted value for the `interface` parameter to the `/goform/stainfo` endpoint. A public proof-of-concept exploit is available on Notion and documented via VulDB, lowering the bar for exploitation. No vendor patch has been issued; the vendor did not respond to coordinated disclosure, leaving affected deployments without an official fix.
OS command injection in DTStack Taier 1.4.0 permits remote low-privileged authenticated attackers to execute arbitrary operating system commands by injecting shell metacharacters into the `sqlText` parameter, which is passed unsanitized to Java's `Runtime.exec()` within the REST API. A public proof-of-concept exploit has been disclosed on GitHub. No vendor patch exists - the vendor did not respond to responsible disclosure - leaving all Taier 1.4.0 deployments without an official remediation path at time of analysis.
OS command injection in Edimax EW-7438RPn 1.31 allows a low-privileged, remote attacker to execute arbitrary commands on the device by manipulating any of approximately 29 parameters passed to the formWlanMP function via the /goform/formWlanMP endpoint. The vulnerable parameters - including ateFunc, ateGain, ateTxCount, and e2pTxPower series - are characteristic of ATE (Automatic Test Equipment) manufacturing-mode calibration parameters left accessible in the production firmware. A public proof-of-concept exploit has been published on GitHub, and the vendor did not respond to the disclosure; no patch is available. No public exploit identified as confirmed actively exploited (CISA KEV), though the public PoC elevates real-world risk.
Resource injection in yashpokharna2555's StudentManagementSystem allows low-privileged remote attackers to manipulate the ID parameter in courseDel.php to control which course records are deleted or affected, resulting in unauthorized data integrity and availability impact. The flaw affects the specific git commit cb2f558ddf8d19396de0f92abf2d224d46a0a203 and exploit code is publicly available via a GitHub issue. No patch has been released, and the project maintainer has not responded to the disclosure.
Improper authorization in SourceCodester Student Grades Management System 1.0 allows authenticated remote attackers to manipulate the classroom_id parameter within classroom.php to access or modify classroom enrollment data beyond their authorized scope. The vulnerability affects the getClassroomStudents and removeStudentFromClassroom functions, enabling unauthorized listing of enrolled students or removal of students from classrooms the attacker does not administer. A publicly available proof-of-concept exploit exists on GitHub, though EPSS places exploitation probability at just 0.04% (13th percentile), and the vulnerability is not currently listed in the CISA KEV catalog.
Path traversal in jimeng-mcp 1.10.0 allows low-privileged remote attackers to read and write files outside the intended directory by supplying crafted filePath arguments to four distinct API functions: getFileContent, uploadCoverFile, generateImage, and generateVideo in src/api.ts. A publicly available proof-of-concept exploit exists, disclosed via GitHub issue #15, though EPSS at 0.04% (13th percentile) indicates minimal observed mass-exploitation activity to date. No patch has been released and the vendor has not responded to the responsible disclosure, leaving deployments without an official remediation path.
Path traversal in dazeb markdown-downloader exposes server-side file systems to low-privileged remote attackers through unsanitized input in three functions within src/index.ts. The affected functions - download_markdown, list_downloaded_files, and create_subdirectory - fail to restrict directory scope, allowing authenticated users with low privileges to read or write files outside intended boundaries. No public exploit identified at time of analysis as a KEV entry, but publicly available exploit code exists via a GitHub issue report, and the project maintainer has not acknowledged or patched the disclosure.
Path traversal in dazeb cline-mcp-memory-bank exposes host filesystems to authenticated remote attackers via unsanitized user input in the `handleInitializeMemoryBank` function of `src/index.ts`. All versions up to and including commit 55c81b9cf6c16700983c84dc4cdea3cafa19a75f are affected, covering the entire release history of this rolling-release MCP memory tool. A public proof-of-concept exploit exists via the project's GitHub issue tracker, though EPSS scoring (0.04%, 13th percentile) and SSVC's non-automatable classification suggest limited mass exploitation risk at time of analysis.
Server-side template injection (SSTI) in Dromara lamp-cloud versions 5.6.0 through 5.6.2 exposes the Message Template Handler to remote exploitation by authenticated low-privileged users who can inject malicious Groovy expressions via the DefMsgTemplate.content parameter. The vulnerable function GroovyClassLoader.parseClass compiles and executes attacker-controlled input as Groovy code at runtime. A public proof-of-concept exploit has been disclosed on GitHub, and the vendor has not responded to the coordinated disclosure, leaving no official patch available at time of analysis.
Path traversal in debugmcp mcp-debugger through version 0.20.0 enables authenticated remote attackers with low-privilege access to read arbitrary files outside the intended directory via the `handleGetSourceContext` function in `src/server.ts`. Impact is restricted to limited confidentiality exposure on the vulnerable system (CVSS VC:L) with no integrity or availability consequence, yielding a CVSS 4.0 score of 2.1. A public proof-of-concept exploit exists on GitHub, though the EPSS score remains at 0.04% (12th percentile) and the issue is absent from the CISA KEV catalog, indicating exploitation has not been observed at meaningful scale. The vendor did not respond to responsible disclosure, meaning no official patch is available.
Improper authorization in SourceCodester Student Grades Management System 1.0 permits authenticated remote attackers to access or manipulate grade records belonging to other students by tampering with the student_id parameter in grades.php. The flaw (CWE-285) reflects a failure to enforce object-level authorization, allowing a low-privileged user to cross access boundaries to other students' data. A publicly available proof-of-concept exists on GitHub, though EPSS sits at 0.04% (11th percentile) and SSVC classifies exploitation as none, indicating no evidence of active exploitation in the wild despite the POC.
Unrestricted file upload in SourceCodester Simple POS and Inventory System 1.0 allows authenticated remote attackers to upload arbitrary files through the image argument of /admin/addproduct.php, potentially enabling web shell deployment and remote code execution. A publicly available proof-of-concept exploit exists (GitHub gist), and SSVC confirms exploitation: poc status. Despite the severe nature of CWE-434 unrestricted upload flaws, EPSS sits at 0.04% (11th percentile) and CISA has not added this to KEV, indicating limited observed exploitation in the wild at time of analysis.
Improper access control across multiple backend endpoints in SourceCodester Indian Invoicing System 1.0 permits authenticated low-privilege users to reach restricted functionality beyond their authorization level. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms remote exploitation requiring only low-level credentials, with confidentiality, integrity, and availability all assessed at low impact across the vulnerable system. A publicly available proof-of-concept exploit exists (hosted on GitHub), though EPSS remains at 0.04% (11th percentile) and the vulnerability is not in the CISA KEV catalog, indicating no confirmed widespread exploitation at time of analysis.
Cross-site scripting in Apache ECharts before 6.1.0 allows remote unauthenticated attackers to inject and execute arbitrary HTML and JavaScript in a victim's browser via the Lines series tooltip rendering path. When an application uses the Lines series with tooltips enabled, omits a custom tooltip.formatter, and populates series.data[i].name with attacker-influenced data, ECharts passes the raw name string through an innerHTML sink rather than applying the HTML escaping that all other built-in tooltip formatters perform. No public exploit is identified at time of analysis and EPSS is 0.03% (10th percentile), but the GitHub PR fixing this issue includes a working test case demonstrating script execution via a crafted name payload.
Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into victim browsers via the unsanitized `id` parameter in `/applyleave.php`. The attack requires victim interaction (UI:P per CVSS 4.0), meaning a victim must visit or be socially engineered into clicking a crafted URL. Publicly available exploit code exists on GitHub (no public exploit identified at time of analysis for widespread KEV-confirmed exploitation), though EPSS at 0.03% (10th percentile) signals negligible observed exploitation activity at scale.
Reflected cross-site scripting in code-projects Employee Management System 1.0 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by manipulating the `ID` parameter of `/empproject.php`. A publicly available proof-of-concept exploit exists on GitHub, lowering the barrier to exploitation, though user interaction is required to trigger the payload. No active exploitation has been confirmed by CISA KEV, and the EPSS score of 0.03% places this in the bottom 10th percentile of exploitation likelihood, consistent with the low CVSS 4.0 score of 2.1.
Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject malicious scripts into victim browsers via the unsanitized 'ID' parameter in /changepassemp.php. Exploitation requires user interaction (UI:P per CVSS 4.0), limiting mass exploitation, but a publicly available proof-of-concept exploit exists on GitHub. No patch has been identified from the vendor; EPSS of 0.03% (10th percentile) indicates low observed exploitation probability, and this CVE is not listed in the CISA KEV catalog.
Cross-site scripting in code-projects Employee Management System 1.0 allows remote, unauthenticated attackers to inject malicious scripts via the ID parameter of /myprofileup.php, requiring only passive user interaction to execute. A publicly available proof-of-concept exploit exists on GitHub, though EPSS at 0.03% (10th percentile) and SSVC's 'not automatable' rating indicate minimal observed real-world exploitation activity. The vulnerability is limited to partial integrity impact on the vulnerable system with no confidentiality or availability impact, consistent with the CVSS 4.0 score of 2.1.
Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject and execute malicious JavaScript in a victim's browser by manipulating the `id` parameter of `/myprofile.php`. Exploitation requires passive user interaction (UI:P) - the victim must load a crafted URL - which constrains automated attack chains. A public proof-of-concept is confirmed available on GitHub, though the EPSS score of 0.03% (10th percentile) indicates minimal real-world exploitation activity; the vulnerability is not listed in CISA KEV.
Reflected cross-site scripting in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject and execute malicious scripts in a victim's browser via the ID parameter of /eloginwel.php. Exploitation requires user interaction (UI:P per CVSS 4.0), limiting automatable mass exploitation, though a publicly available proof-of-concept lowers the technical bar for targeted attacks. No vendor patch has been identified at time of analysis, and the EPSS score of 0.03% (10th percentile) indicates low observed exploitation probability despite POC availability.
Reflected cross-site scripting (XSS) in SourceCodester Indian Invoicing System 1.0 allows unauthenticated remote attackers to inject and execute malicious scripts in a victim's browser by manipulating the `msg` parameter in `/Invoicing/category.php`. A proof-of-concept exploit is publicly available on GitHub. Despite the public POC, EPSS stands at just 0.03% (10th percentile) and the vulnerability is absent from CISA KEV, reflecting the narrow deployment footprint of this niche PHP invoicing application and the user-interaction requirement that limits automated exploitation.
SQL injection in code-projects Employee Management System 1.0 allows remote low-privileged attackers to manipulate the `ID` parameter in `/process/applyleaveprocess.php`, enabling unauthorized database read and write operations with partial impact across confidentiality, integrity, and availability. A publicly available proof-of-concept exploit exists on GitHub, though no confirmed active exploitation (CISA KEV) has been recorded. EPSS at 0.03% (8th percentile) and an SSVC assessment of 'not automatable' indicate low broad exploitation likelihood, though the accessible POC meaningfully lowers the barrier for targeted manual attacks against organizations running this application.
SQL injection in the /psubmit.php endpoint of code-projects Employee Management System 1.0 enables authenticated remote attackers to manipulate the pid parameter and inject arbitrary SQL commands against the backend database. A public proof-of-concept exploit has been released on GitHub, reducing the skill barrier for exploitation against unpatched deployments. Despite a low CVSS 4.0 base score of 2.1 reflecting partial impact scope and low-privilege requirements, the combination of network accessibility and public PoC warrants prompt remediation for any internet-facing instance; no public exploit identified meets CISA KEV criteria, and no vendor-released patch has been confirmed at time of analysis.
SQL injection in code-projects Employee Management System 1.0 exposes the /changepassemp.php password-change endpoint to database manipulation by authenticated low-privilege users over the network. The CVSS 4.0 score of 2.1 reflects limited, non-cascading impact - partial confidentiality, integrity, and availability degradation confined to the vulnerable component with no downstream system scope change. A publicly available proof-of-concept exploit exists on GitHub, though the EPSS score of 0.03% (8th percentile) and SSVC 'automatable: no' classification indicate this is unlikely to see widespread opportunistic exploitation; no public exploit identified at time of analysis corroborating active KEV-level campaigns.
SQL injection in SourceCodester Indian Invoicing System 1.0 allows a remote, low-privileged authenticated attacker to manipulate database queries through the customer_name and category parameters in /Invoicing/IGST_Invoice.php. The vulnerability yields partial confidentiality, integrity, and availability impact against the underlying database. No public exploit identified at time of analysis is incorrect - publicly available exploit code exists (GitHub gist), though the application is a niche, open-source invoicing tool with limited deployment footprint and no confirmed active exploitation in the wild.
Improper authorization in Sushmi-pal Invoice-System (up to commit a0a3faa16dee2621b231ae227333f5761607283b) enables authenticated low-privileged users to manipulate the `ID` parameter on the `/profile` endpoint to access or modify profile records belonging to other users - a classic horizontal privilege escalation pattern. The CVSS 4.0 score is 2.1 (Low), reflecting constrained integrity-only impact with no confidentiality or availability consequence, and a proof-of-concept exploit has been publicly disclosed on GitHub. No patch exists; the vendor did not respond to responsible disclosure, and no public exploit is confirmed in CISA KEV.
Improper authorization in Sushmi-pal Invoice-System exposes its User Management Handler to privilege escalation by authenticated remote attackers who manipulate the `role` argument on the `/user` endpoint. Affected instances include all code up to commit a0a3faa16dee2621b231ae227333f5761607283b; the project uses a rolling release model with no discrete versioning. A publicly available proof-of-concept exploit exists on GitHub, though EPSS sits at just 0.03% and SSVC rates the attack as non-automatable with only partial technical impact - no confirmed active exploitation (CISA KEV) has been identified.
Cross-site request forgery in SourceCodester Student Grades Management System 1.0 enables remote attackers to perform unauthorized state-changing actions - such as modifying student grade records - by tricking authenticated users into visiting a malicious page. The CVSS 4.0 score of 2.1 reflects constrained impact: integrity loss is low (VI:L), and there is no confidentiality or availability consequence. A publicly available proof-of-concept exploit exists on GitHub (corroborated by E:P in the CVSS vector), though EPSS at 0.02% (4th percentile) signals negligible observed exploitation activity and no public exploit identified at time of analysis has matured into confirmed active exploitation.
Command injection in Edimax BR-6675nD firmware 1.12 enables remote attackers with administrative credentials to execute arbitrary OS commands via the `command` argument in POST requests to the `/goform/mp` endpoint. Although a public exploit exists (referenced via a Notion-hosted POC), exploitation is constrained by the requirement for high-privilege authentication (CVSS PR:H), keeping the CVSS 4.0 score at 2.0 and EPSS at 0.23%. No vendor patch is available - the vendor did not respond to pre-disclosure contact - leaving devices persistently unmitigated at the firmware level.
Credential leakage in the hackney Erlang HTTP client library (versions 3.1.1 through before 4.0.1) allows a malicious or compromised redirect target to capture Authorization, Cookie, and Proxy-Authorization headers forwarded verbatim by the HTTP/3 redirect handler. The hackney_h3.erl module, introduced for HTTP/3 support, omitted the cross-origin credential-stripping logic (maybe_strip_auth_on_redirect/2) that was added to the main hackney.erl module following CVE-2018-1000007, creating a feature-parity gap exploitable when clients use follow_redirect with HTTP/3 and credential headers. No active exploitation is confirmed (not in CISA KEV), but SSVC assessment confirms a proof-of-concept exists; EPSS is low at 0.04% (13th percentile), consistent with targeted rather than opportunistic exploitation.
Server-side request forgery in YunaiV yudao-cloud 2026.03 allows authenticated administrators to force the server to issue arbitrary HTTP requests via the IoT data sink creation endpoint. The vulnerability exists in the IotDataSinkHttpConfig function exposed at /admin-api/iot/data-sink/create, where attacker-controlled URL parameters are passed to an outbound HTTP client without adequate validation. A proof-of-concept exploit has been publicly disclosed on GitHub; however, the CVSS 4.0 base score of 2.0 and a 0.03% EPSS probability reflect the significant limiting factor of requiring high-privilege authentication, and no KEV listing indicates no confirmed active exploitation at time of analysis.
Cross-site scripting in SourceCodester Student Grades Management System 1.0 allows a low-privileged authenticated attacker to inject malicious JavaScript via the unvalidated 'Remarks' parameter in students.php, executing arbitrary scripts in the context of a victim's browser session upon passive viewing. A public proof-of-concept exists on GitHub; however, this CVE is not listed in the CISA KEV catalog and the EPSS score of 0.03% (9th percentile) reflects very low real-world exploitation probability. SSVC assessment corroborates this with 'Exploitation: none' and 'Automatable: no,' consistent with the required user-interaction constraint.
Cross-site scripting in yashpokharna2555's StudentManagementSystem (PHP) allows authenticated remote attackers to inject malicious client-side scripts via the FIRST_NAME parameter in /student.php, executing in victim browsers upon record viewing. The CVSS 4.0 score of 2.0 (Low) reflects the requirement for prior authentication (PR:L) and user interaction (UI:P), significantly constraining real-world impact. Publicly available exploit code exists via a GitHub issue report; no vendor patch has been issued and the maintainer has not responded to the disclosure.
Stored cross-site scripting in SourceCodester Indian Invoicing System versions 0.x and 1.0 allows a low-privileged authenticated attacker to inject malicious JavaScript via the `customer_name` parameter in `/Invoicing/add_order.php`, which is persisted to the database and executed in the browsers of users who subsequently view the rendered invoice template. A public proof-of-concept exploit is available on GitHub (gist by c4ttr4ck), though EPSS sits at only 0.03% (9th percentile) and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation. Impact is limited to partial integrity on the vulnerable system with no confidentiality or availability consequences, consistent with the CVSS 4.0 score of 2.0.
SQL injection in SourceCodester Simple POS and Inventory System 1.0 allows remote authenticated administrators to manipulate database queries via the ID parameter in /admin/edit_customer.php. The vulnerability is tagged CWE-89 and carries a CVSS 4.0 base score of 2.0, reflecting the high privilege requirement that significantly limits the attacker pool to those with existing admin access. Publicly available exploit code exists (hosted on GitHub Gist), though EPSS remains very low at 0.03% (8th percentile), and no CISA KEV listing is present - indicating no confirmed widespread exploitation at time of analysis.
SQL injection in SourceCodester Simple POS and Inventory System 1.0 allows a remote, high-privileged (admin-level) attacker to manipulate database queries via the unsanitized 'ID' GET parameter in /admin/deleteproduct.php. Successful exploitation yields partial read, write, and availability impact on the underlying database. No public exploit identified at time of analysis is incorrect - publicly available exploit code exists (GitHub gist), though no confirmed active exploitation (KEV) has been observed, and the EPSS score of 0.03% reflects minimal real-world exploitation pressure.
Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.