Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Notebook Pro 2.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the notebook name field. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Visual Ping 0.8.0.0 contains a buffer overflow vulnerability in input field handling that allows local attackers to crash the application by supplying oversized data. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
NASA openVSP 3.16.1 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the geometry name field. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Command injection in FoundDream miniclawd's SkillsLoader component exposes systems to remote unauthenticated arbitrary command execution via unsanitized manipulation of the `requires.bins` argument in `/src/application/skills-loader.ts`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote exploitation with no authentication or user interaction required, and SSVC classifies the attack as automatable with partial technical impact. A public exploit (POC) exists via GitHub issue tracker, the vendor has not responded to disclosure, and no patch has been released - leaving affected deployments with no official remediation path.
OS command injection in FoundDream miniclawd allows remote unauthenticated attackers to execute arbitrary system commands via the ExecTool.execute function in /src/tools/exec.ts. All versions up to commit 2d65665046e2222eeea76cafc8570ed546a8c125 are affected, and because the project uses no versioning scheme, the full exposure window cannot be bounded by a release number. A publicly available proof-of-concept exploit exists (disclosed via GitHub issue), and the project maintainer has not responded to the responsible disclosure, meaning no patch is available at time of analysis.
SQL injection in yashpokharna2555 StudentManagementSystem's /studentdel.php endpoint allows remote unauthenticated attackers to manipulate the ID parameter within the confirm_logged_in function, enabling arbitrary SQL query execution against the backend database. All commits up to cb2f558ddf8d19396de0f92abf2d224d46a0a203 of this PHP-based academic application are affected, with no patched release available due to its rolling-release model and vendor non-response. A public exploit exists per GitHub issue #5, and SSVC flags the attack as automatable, though the EPSS score of 0.03% reflects limited real-world scanning activity likely attributable to the application's narrow deployment footprint.
SQL injection in yashpokharna2555's StudentManagementSystem (commit cb2f558) exposes the confirm_logged_in function in student_trans.php to unauthenticated remote attackers who can manipulate FIRST_NAME, Last_Name, and EMAIL parameters to execute arbitrary SQL against the backend database. A public exploit has been disclosed via GitHub issue #3, confirming exploitability requires minimal skill; however, EPSS at 0.03% (9th percentile) indicates very low observed real-world exploitation activity, likely reflecting the narrow deployment footprint of this niche open-source PHP project rather than any technical barrier. No patch is available at time of analysis, as the maintainer has not responded to the coordinated disclosure.
SQL injection in the PHP-based yashpokharna2555/StudentManagementSystem exposes the /success.php endpoint to remote unauthenticated database attacks via the unsanitized 'User' argument. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special network position. A publicly available exploit exists via a GitHub issue report; the project maintainer has been notified but has not responded, and no patch has been released. Despite POC availability, EPSS sits at 0.03% (9th percentile), reflecting the niche, low-adoption nature of this project rather than a reduced technical severity.
SQL injection in SourceCodester Simple POS and Inventory System 1.0 exposes the application to unauthenticated remote data extraction and manipulation via the Name parameter in /user/search.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and a publicly available proof-of-concept exploit (GitHub gist) lowers the bar for exploitation. No active exploitation has been confirmed in CISA KEV, and the EPSS score of 0.03% (9th percentile) indicates limited real-world exploitation activity at time of analysis despite the public POC.
Weak password recovery in Tiandy Easy7 Integrated Management Platform 7.17.0 exposes the `/rest/user/updateUserPassword` API endpoint to unauthenticated remote manipulation, enabling an attacker to interfere with the password update process and achieve unauthorized integrity impact on user credentials (CWE-640). The CVSS 4.0 vector confirms unauthenticated network access with no prerequisites, and a public exploit has been disclosed via Feishu documentation. Despite the public POC, EPSS sits at 0.03% (8th percentile), indicating no widespread automated exploitation has been observed; the vendor did not respond to coordinated disclosure, leaving the flaw unpatched.
Unauthenticated SQL injection in Tiandy Easy7 Integrated Management Platform 7.17.0 exposes database contents to remote attackers via the strTBName parameter of the GetDBDataEx.jsp web service endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and exploit code has been made publicly available, raising the operational risk despite a relatively low EPSS score of 0.03%. The vendor was notified prior to public disclosure but did not respond, and no vendor-released patch has been identified at time of analysis.
Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
CRLF injection in hackney (Erlang HTTP client, versions 2.0.0-4.0.1) enables header injection into outbound WebSocket upgrade requests when caller-supplied options - host, path, ExtraHeaders, or protocols - contain unsanitized user input. The vulnerable code in src/hackney_ws.erl splices these values verbatim via binary concatenation into a raw HTTP/1.1 upgrade request with no CR, LF, or NUL filtering at any of the four injection sites. No active exploitation is confirmed (not in CISA KEV), though SSVC assesses exploitation status as 'poc' and the fix commit includes a functional test that doubles as a proof-of-concept; EPSS remains very low at 0.05% (15th percentile), consistent with an indirect, application-mediated attack path rather than mass exploitation.
SSRF allowlist bypass in hackney (Erlang HTTP client) versions 0.13.0 through before 4.0.1 allows attackers who control URL input to circumvent application-level SSRF protections by supplying percent-encoded IP addresses as hostnames. The parser differential lies in hackney_url:normalize/2 decoding the host component post-parse: OTP's uri_string:parse/1 and inet:parse_address/1 see %31%36%39%2E%32%35%34%2E%31%36%39%2E%32%35%34 as a non-IP string (allowlist passes), while hackney then decodes it to 169.254.169.254 and establishes the TCP connection. A proof-of-concept exists per SSVC assessment; no active exploitation is confirmed in CISA KEV, and EPSS is very low at 0.01% (2nd percentile).
HTTP Request Splitting via CRLF injection in hackney, the Erlang/Elixir HTTP client library, allows an attacker who controls URL input to inject arbitrary HTTP headers or split HTTP/1.1 requests by embedding raw carriage return (\r) or line feed (\n) characters in the query string. The root cause is that hackney_url:make_url/3 passes the query binary directly into the HTTP/1.1 request target without percent-encoding RFC 3986-prohibited characters, violating the grammar defined in RFC 3986 §3.4. All hackney versions from 0 through 4.0.0 are affected; a proof-of-concept exists per SSVC assessment, though no active exploitation is confirmed and the EPSS score (0.02%, 6th percentile) indicates low widespread exploitation probability at time of analysis.
A security vulnerability has been identified in Acer Care Center where the ACCSvc service creates a Named Pipe with a weak Security Descriptor. This vulnerability allows an authenticated local user to connect and send a specially crafted message (message type 0x03) to the pipe, causing the service to crash with exit code 1067 (ERROR_PROCESS_ABORTED). To mitigate this potential local service disruption, Acer requires users to update the software to the latest version.
SQL injection in Genetec Security Center's Access Manager role enables a remote attacker with high privileges to achieve full confidentiality, integrity, and availability impact against the underlying database. The vulnerability spans multiple major release branches (5.9 through 5.13) of this widely deployed physical security management platform, covering access control, video surveillance, and license plate recognition environments. Vendor-released patches are confirmed available for the 5.12 and 5.13 branches; no public exploit has been identified at time of analysis and SSVC assessment confirms no current exploitation activity.
Authentication bypass in ThemeHigh's Stripe Payment Gateway for WooCommerce (all versions through 5.0.7) allows unauthenticated remote attackers to exploit the plugin's password recovery flow to gain unauthorized access, affecting both data integrity and availability (CVSS 6.5). The flaw is classified as CWE-288 - Authentication Bypass Using an Alternate Path or Channel - meaning the plugin exposes an alternative code path that circumvents normal authentication controls. No public exploit code has been identified at time of analysis, and CISA has not added this to KEV, though SSVC flags the attack as automatable with partial technical impact.
Tarball unpacking in Rust's Cargo package manager fails to reject symlinks within downloaded crate archives, enabling a malicious crate hosted on a third-party registry to overwrite source files belonging to other crates in the victim's local registry cache. The attack requires no privileges on the attacker side (PR:N per CVSS 4.0) but passive user interaction (UI:P) - specifically, a developer running any Cargo command that triggers crate download and extraction. While crates.io users are explicitly unaffected (that registry enforces a server-side symlink prohibition), users of any third-party Cargo registry are at risk of supply chain source substitution; no public exploit has been identified at time of analysis, and EPSS is very low at 0.04%.
Server process termination in Mattermost is achievable by any authenticated user via a crafted outgoing webhook callback response that contains a null attachment entry - exploiting the server's failure to filter nil elements from attachment payloads before processing (CWE-754). Affected release trains span 10.11.x through 11.6.x, covering a wide installed base. No public exploit exists and EPSS is extremely low at 0.04% (12th percentile), but the availability impact is rated High by CVSS and the attack requires only low-privilege authentication over the network with no user interaction, making this a meaningful insider or compromised-account threat capable of triggering a full service outage.
Path traversal in Spring AI 1.1.0-1.1.x allows authenticated remote attackers to write arbitrary files outside the intended target directory by exploiting unsanitized LLM-influenced filenames in the Anthropic Skills API file-write workflow. The root cause is Spring AI passing filenames derived from LLM output directly to Path.resolve() without input sanitization, enabling directory escape via traversal sequences. No public exploit identified at time of analysis and EPSS is very low (0.04%, 11th percentile), though the high integrity impact (CVSS I:H) makes unauthorized file writes to restricted directories a meaningful concern in production deployments.
DOM-Based Cross-Site Scripting in Melapress WP Activity Log (all versions through 5.6.3) allows a low-privileged, authenticated attacker to inject malicious scripts into the browser DOM of a victim who interacts with crafted content, with scope impact extending beyond the plugin itself. The CVSS vector (PR:L/UI:R/S:C) indicates exploitation requires an existing WordPress account and victim interaction, but the changed scope means successful exploitation can compromise the victim's browser session across the broader WordPress environment. No public exploit code has been identified at time of analysis, and EPSS at 0.03% (10th percentile) signals low observed exploitation probability.
Stored cross-site scripting in the PickPlugins Team Showcase WordPress plugin (versions up to and including 1.22.28) enables authenticated low-privileged users to inject persistent malicious scripts that execute in the browsers of other site users who view the affected content. The CVSS Changed scope (S:C) reflects this cross-user impact boundary - typical of stored XSS in WordPress plugins where contributor-level accounts can craft content consumed by administrators or visitors. No public exploit code has been identified at time of analysis, and EPSS at 0.03% (10th percentile) combined with SSVC exploitation status of 'none' indicates negligible active threat currently.
Remote image blocking in Roundcube Webmail 1.6.x and 1.7.x can be silently bypassed by embedding a crafted CSS var() expression in an HTML email, causing the victim's browser to fetch attacker-controlled external resources despite the privacy control being active. This leads to information disclosure - including IP address leakage and email-open tracking - and potential access-control bypass. No public exploit has been identified at time of analysis and EPSS is very low (0.03%), but SSVC rates this 'Automatable: yes,' making mass-scale email tracking campaigns feasible against unpatched Roundcube deployments.
Remote image blocking bypass in Roundcube Webmail allows unauthenticated network attackers to embed HTML email image tags pointing to local or private network destinations, causing the server to fetch those resources despite the 'block remote images' policy being active. Affected versions are 1.6.14 through 1.6.15 and 1.7.0, with vendor-released patches 1.6.16 and 1.7.1 available since May 2026 per the official advisory. No public exploit has been identified at time of analysis and EPSS is very low at 0.03%, though SSVC rates technical impact as total - a notable discrepancy that warrants attention for deployments where the mail server has internal network access.
Missing Authorization in the SePay Gateway WordPress plugin (versions through 1.1.20) permits any authenticated low-privileged user to retrieve embedded sensitive data without proper access checks. The flaw is classified under CWE-862 and carries a CVSS confidentiality impact of High, meaning payment or configuration secrets stored within the plugin can be exposed to unauthorized parties. No public exploit has been identified at time of analysis, and CISA SSVC rates exploitation as none with non-automatable risk, indicating limited active threat at present.
Cross-Site Request Forgery in the Recorp Export WP Page to Static HTML/CSS WordPress plugin (versions through 6.0.0) allows unauthenticated remote attackers to force authenticated WordPress administrators into executing unauthorized state-changing plugin actions by tricking them into visiting a malicious web page. The CVSS vector (PR:N/UI:R/I:H) confirms no attacker authentication is required but victim interaction is mandatory, resulting in high integrity impact with no confidentiality or availability loss. No public exploit has been identified at time of analysis, and EPSS at 0.01% (3rd percentile) alongside SSVC exploitation status of 'none' indicate minimal current threat activity.
Broken access control in the Sunshine Photo Cart WordPress plugin (versions through 3.6.7) allows authenticated low-privilege users to perform actions beyond their intended authorization level. The root cause is a missing authorization check (CWE-862) that permits exploitation of incorrectly configured access control security levels, resulting in partial confidentiality, integrity, and availability impact. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.03% (10th percentile) and SSVC exploitation status of 'none' indicate low real-world threat at time of analysis.
Cross-site scripting in Apache ECharts before 6.1.0 allows remote unauthenticated attackers to inject and execute arbitrary HTML and JavaScript in a victim's browser via the Lines series tooltip rendering path. When an application uses the Lines series with tooltips enabled, omits a custom tooltip.formatter, and populates series.data[i].name with attacker-influenced data, ECharts passes the raw name string through an innerHTML sink rather than applying the HTML escaping that all other built-in tooltip formatters perform. No public exploit is identified at time of analysis and EPSS is 0.03% (10th percentile), but the GitHub PR fixing this issue includes a working test case demonstrating script execution via a crafted name payload.
Credential leakage in the hackney Erlang HTTP client library (versions 3.1.1 through before 4.0.1) allows a malicious or compromised redirect target to capture Authorization, Cookie, and Proxy-Authorization headers forwarded verbatim by the HTTP/3 redirect handler. The hackney_h3.erl module, introduced for HTTP/3 support, omitted the cross-origin credential-stripping logic (maybe_strip_auth_on_redirect/2) that was added to the main hackney.erl module following CVE-2018-1000007, creating a feature-parity gap exploitable when clients use follow_redirect with HTTP/3 and credential headers. No active exploitation is confirmed (not in CISA KEV), but SSVC assessment confirms a proof-of-concept exists; EPSS is low at 0.04% (13th percentile), consistent with targeted rather than opportunistic exploitation.
Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.
Injection vulnerability in KLiK SocialMediaWebsite 1.0 allows remote unauthenticated attackers to submit crafted HTTP POST request parameters to the application's input handler, achieving partial compromise of confidentiality, integrity, and availability. Classified under CWE-74 and tagged as Code Injection, the flaw carries a CVSS 4.0 score of 5.5 (Medium) with confirmed proof-of-concept exploit code publicly available (E:P). Despite the POC, EPSS places exploitation probability at 0.04% (14th percentile), indicating low observed real-world exploitation activity and a narrow effective target base.
Unrestricted file upload in KLiK SocialMediaWebsite 1.0 exposes the application to unauthenticated remote exploitation via the `uniqid` function in `upload.inc.php`. The File Handler component fails to validate uploaded file types (CWE-434), allowing an attacker to upload PHP webshells or other executable files without any authentication - confirmed by the CVSS 4.0 vector PR:N/UI:N. Exploit code has been publicly disclosed (CVSS E:P, referenced via VulDB), though EPSS remains low at 0.04% and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.
Missing authorization in the NanoCare WordPress theme (Linethemes) before version 1.2.2 permits low-privileged authenticated users to exploit incorrectly configured access control levels, resulting in limited integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) confirms network-accessible exploitation requiring only a low-privilege account with no user interaction. No public exploit code exists and no active exploitation has been confirmed; EPSS at 0.04% (11th percentile) and SSVC exploitation status of 'none' indicate this is currently a theoretical rather than actively weaponized risk.
Missing Authorization in the Newses WordPress theme (Themeansar) through version 2.0.0.77 permits low-privileged authenticated users to exploit incorrectly configured access control security levels, resulting in partial integrity and availability impact. The flaw, reported by Patchstack and tracked under ENISA EUVD-2026-31747, allows an authenticated attacker to perform actions beyond their intended permission scope without proper authorization checks. No public exploit code or active exploitation has been identified at time of analysis, and all available signals - EPSS at 0.04%, SSVC exploitation status of 'none', and Automatable: no - indicate limited real-world threat at this time.
Firefox for iOS misrepresents attacker-controlled domains as trusted origins through improper rendering of right-to-left Unicode characters and internationalized domain names (IDNs) in the link preview UI surface, enabling a spoofing/phishing attack against users on any iOS version prior to 151.1. The CVSS vector (PR:N/UI:R) indicates unauthenticated network-reachable exploitation contingent on user interaction with a crafted link. EPSS at the 5th percentile and SSVC exploitation status of 'none' confirm no active exploitation or public exploit code has been identified at time of analysis, positioning this as a targeted phishing risk rather than a broad automated threat.
LDAP filter injection in Apache Airflow FAB Auth Manager (apache-airflow-providers-fab < 3.6.4) enables unauthenticated remote attackers to manipulate LDAP query logic by embedding special characters in login credentials, resulting in directory data exfiltration or authentication bypass. The vulnerability is confirmed by source code evidence: the `_search_ldap` and `_ldap_get_nested_groups` methods in `override.py` directly interpolated user-supplied input into LDAP filter strings without sanitization. No public exploit code has been identified at time of analysis and CISA KEV does not list this CVE, but the SSVC framework marks it as automatable, meaning exploitation can be scripted at scale against exposed Airflow instances using LDAP auth.
OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can read the Change Log containing actions performed by other users as well as application name of any application. This issue was fixed in OutSystems Lifetime version 11.28.2.3955
Missing authorization in the WP Search Analytics WordPress plugin (versions before 1.5.0) allows unauthenticated remote attackers to bypass access controls and perform unauthorized write operations against affected WordPress installations. Reported by Patchstack and tracked as EUVD-2026-31761, this broken access control issue (CWE-862) carries a medium CVSS score of 5.3 with no confidentiality or availability impact - only limited integrity impact. No public exploit has been identified and no active exploitation is confirmed, with EPSS placing exploitation probability at 0.03% (8th percentile), making this a low real-world priority despite being automatable per SSVC.
Missing authorization in the WP Chill RSVP and Event Management WordPress plugin (versions through 2.7.16) enables unauthenticated remote attackers to perform unauthorized write operations by bypassing access control checks. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms fully remote, zero-complexity, unauthenticated exploitation is possible against default plugin installations. Impact is limited to partial integrity degradation (I:L) with no confidentiality or availability loss; no public exploit has been identified at time of analysis and EPSS is very low at 0.03% (8th percentile).
Missing authorization in the Auto Affiliate Links WordPress plugin (all versions through 6.8.8.3) allows unauthenticated remote attackers to bypass access control checks and perform unauthorized write operations against affiliate link configurations. The vulnerability is classified as broken access control (CWE-862) and was reported by Patchstack. No public exploit code exists and no active exploitation has been confirmed - EPSS sits at 0.03% (8th percentile) and SSVC exploitation status is 'none' - indicating negligible real-world threat activity at time of analysis despite the attack being fully automatable with no authentication required.
Unauthenticated information disclosure in the GamiPress WordPress plugin (versions through 7.6.3) allows remote attackers to read restricted data by exploiting missing authorization checks on plugin endpoints. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no credentials or user interaction are required, though impact is limited to low confidentiality exposure with no integrity or availability consequences. No public exploit code or active exploitation has been identified at time of analysis, and an EPSS score of 0.03% (8th percentile) reflects low real-world exploitation probability.
This vulnerability exists in CP Plus Wi-Fi Camera due to improper protection of sensitive information in runtime memory. An attacker with physical access could exploit this vulnerability by accessing the UART interface and performing memory extraction to obtain sensitive information, including cryptographic private keys, Wi-Fi credentials and configuration data stored in RAM of the targeted device. Successful exploitation of this vulnerability could allow unauthorized access to encrypted communications and connected wireless network of the targeted device.
With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie. After successful login, Jakarta EE integration module uses shiroSavedRequest cookie to redirect to a particular web page after login. This cookie was not validated, and can be forged to send a HTTP GET request from the server itself to an arbitrary URL from the cookie.
Missing authorization controls in the B2BKing WordPress plugin (versions prior to 5.2.10) allow authenticated high-privileged attackers to exploit incorrectly configured access control security levels, resulting in unauthorized data or configuration modification (high integrity impact). No confidentiality or availability impact is indicated by the CVSS vector. No public exploit identified at time of analysis, and CISA SSVC rates exploitation as none with partial technical impact, suggesting limited real-world threat at this time.
Malicious JEXL expression injection in Apache Syncope's Derived Schema feature enables privileged information disclosure across administrative roles. An administrator holding entitlements over Derived Schemas can embed a crafted JEXL expression that, when evaluated in the context of another administrator's User read operation, exposes security-sensitive User attributes that would not normally be accessible. Affected versions span three release lines (3.0.x through 3.0.16, 4.0.x through 4.0.5, and 4.1.0); no active exploitation is confirmed (no CISA KEV listing) and the EPSS score of 0.02% places this in the 4th percentile for exploitation probability.
A cross-site scripting vulnerability exists in Aterm. Arbitrary scripts may be executed in the web browser of a user accessing the web management interface via adjacent network.
Stored XSS and HTML/CSS injection in Roundcube Webmail 1.6.x and 1.7.x allows an authenticated attacker to plant a malicious payload in a draft message's subject field, which then executes in the browsers of other users when they encounter the draft restore dialog on a shared mailbox. Fixed in versions 1.6.16 and 1.7.1 per vendor advisory published 2026-05-24. No public exploit identified at time of analysis, and EPSS sits at 0.03% (10th percentile), indicating minimal observed exploitation interest.