Remote code execution in Mirasvit Full Page Cache Warmer for Magento 2 before 1.11.12 allows unauthenticated attackers to execute arbitrary code by sending a crafted serialized PHP object in the CacheWarmer cookie. The flaw is confirmed actively exploited (CISA KEV) with publicly available exploit code, and successful exploitation chains Magento and dependency gadget chains via an unsafe call to unserialize(). Despite a low EPSS score (0.10%), KEV listing and CVSS 9.3 indicate this is a high-priority patch for any Magento 2 store running the module.
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via crafted print job descriptions. The flaw stems from unescaped expansion of the client-controlled '%J' substitution token into the configured 'print command', enabling shell metacharacter injection. No public exploit has been identified at time of analysis, and EPSS scores exploitation probability at only 0.08%, but CVSS 9.0 with scope change reflects high potential impact on any Samba host exposing print services.
OS command injection in the Totolink N300RH router (firmware 6.1c.1353_B20190305) allows remote unauthenticated attackers to execute arbitrary operating system commands by manipulating the admpass argument sent to the setPasswordCfg function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, and the SSVC framework rates technical impact as total with automatable exploitation, though EPSS remains low at 0.20%. The flaw is reachable over the network without authentication or user interaction, giving an attacker full control of the device.
Authenticated command injection in luci-app-https-dns-proxy through version 2025.12.29-5 allows a low-privileged LuCI user holding the luci.https-dns-proxy ACL permission to execute arbitrary commands as root on OpenWrt devices via shell metacharacters in the 'name' parameter of a ubus RPC call to setInitAction. Publicly available exploit code exists (Exploit-DB 52521, VulnCheck advisory), though EPSS remains low at 0.06% and the package is an optional community add-on not installed by default. Core OpenWrt installations are unaffected; only systems that explicitly opted into this LuCI add-on are at risk.
Remote code execution in OpenKM Community Edition (≤6.3.12) and Professional Edition (≤7.1.47) allows authenticated administrators to execute arbitrary Java/BeanShell code via the /admin/Scripting endpoint using the action=Evaluate parameter. Publicly available exploit code exists (Exploit-DB 52520 and a Nuclei template from Terra System Labs), though no active exploitation has been confirmed in CISA KEV; EPSS sits at 0.42% (62th percentile), reflecting moderate-but-not-widespread interest.
Authenticated SQL injection in OpenKM Community Edition (≤6.3.12) and Professional Edition (≤7.1.47) lets administrative users execute arbitrary SQL against the application database through the /admin/DatabaseQuery endpoint's qs parameter. Publicly available exploit code exists (Exploit-DB 52520 and a Nuclei template from Terra System Labs), enabling dumping of password hashes from OKM_USER, permission tampering, and data destruction. EPSS is very low (0.03%) and the bug requires high privileges (PR:H), so real-world risk is bounded but meaningful for any internet-facing OpenKM instance with weak admin credentials.
Hard-coded VNC password in the Eppendorf BioFlo 320 bioprocess control system allows any remote attacker who can reach the device on the network to take full control of its user interface without authentication. The flaw (CWE-259) is rated CVSS 9.3 and carries an SSVC technical impact of 'total' with automatable exploitation, though no public exploit has been identified at time of analysis and EPSS is low at 0.10%.
Path traversal in OpenKM's administrative scripting interface exposes arbitrary server-side files to authenticated administrators who supply attacker-controlled paths via the fsPath parameter at /admin/Scripting with action=Load. Both the Community Edition (≤6.3.12) and Professional Edition (≤7.1.47) are affected, enabling exfiltration of /etc/passwd, database credential files, and JVM keystores accessible to the OpenKM process. No public exploit identified at time of analysis as a KEV entry, but publicly available exploit code exists via Exploit-DB (52520) and Terra System Labs' GitHub repository, raising the realistic risk for environments where admin credentials are shared, weak, or previously compromised.
Denial of service in B&R Industrial Automation PPT30 Operating System versions before 1.8.0 allows unauthenticated network attackers to permanently disable the OPC-UA Server through resource exhaustion. The flaw stems from missing throttling on resource allocation (CWE-770) and carries a CVSS 4.0 score of 8.7 due to high availability impact via the network with no privileges or user interaction. EPSS is low at 0.04% and no public exploit has been identified at time of analysis, though SSVC marks the issue as automatable with partial technical impact.
Host header injection in Starlette prior to version 1.0.1 allows unauthenticated remote attackers to cause `request.url.path` to differ from the actual ASGI scope path used for routing, enabling bypass of middleware and endpoint security controls that rely on `request.url` rather than the raw scope. Any application enforcing path-based ACLs, authentication gates, or WAF-style filters through `request.url` is affected, as a crafted Host header can make the URL appear to address a permitted path while the real route differs. This issue carries CVSS 6.5 (AV:N/AC:L/PR:N/UI:N); no public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in Twenty CRM versions 1.7.7 through 1.16.7 allows authenticated users to execute arbitrary OS commands on the database server by chaining SQL injection in the REST API groupBy endpoint with PostgreSQL's COPY TO PROGRAM functionality. The unsanitized timeZone parameter is interpolated directly into raw SQL via JavaScript template literals, and exploitation succeeds whenever the application's Postgres role holds superuser privileges. Publicly available exploit code exists per SSVC, though EPSS scoring (0.15%) suggests exploitation activity has not yet become widespread.
Privilege escalation to cluster-wide control in KubeVirt's virt-handler component (as shipped in Red Hat OpenShift Virtualization 4) allows a namespace-scoped OpenShift user with edit permissions to hijack the virt-handler's privileged Unix socket connection via a symlink swap on a virtual machine console socket. Successful exploitation leads to interaction with arbitrary host Unix sockets, including CRI-O, enabling node takeover and cluster compromise. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.12%, 30th percentile), but CVSS is 9.9 with a scope change reflecting the host/cluster blast radius.
Remote code execution in Lumiverse AI chat application prior to 0.9.7 allows any authenticated user to run arbitrary OS-level commands on the server by abusing the MCP server creation endpoint. Although the endpoint allowlists binary names (node, bun, python3, deno), it forwards user-controlled args unfiltered to the child process, and every allowed binary supports inline code execution flags (-e or -c). No public exploit identified at time of analysis, but the CVSS 9.9 rating reflects the trivial exploit path and the fact that the server binds on all interfaces with a bypassable host-header rebinding check.
Remote code execution in IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5 and 9.0 allows unauthenticated network attackers to execute arbitrary code via a specially crafted HTTP request. The CVSS 9.8 rating reflects complete confidentiality, integrity, and availability impact with no authentication or user interaction required, though EPSS scores it at only 0.20% probability and CISA SSVC reports no current exploitation. No public exploit has been identified at time of analysis, but IBM has released a patch.
Unauthenticated authorization bypass in FACTION pentesting report framework prior to 1.8.3 allows remote attackers to read, modify, deactivate, and delete any boilerplate report template without credentials. The flaw stems from AccessControlInterceptor invoking actions without session validation, compounded by four BoilerPlateConfig action methods that perform no local auth check. No public exploit identified at time of analysis, though EPSS is low (0.15%) and SSVC rates exploitation as POC with total technical impact.
Remote code execution and denial of service in IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5 and 9.0 stem from improper input validation (CWE-444 HTTP Request Smuggling). Unauthenticated network attackers can send crafted requests that desynchronize the plug-in's request parsing, potentially achieving full compromise of the application tier. No public exploit identified at time of analysis, and EPSS remains low (0.06%), but the vendor confirms a patch and CISA SSVC rates the technical impact as total with automatable exploitation.
Unauthenticated remote database access in Delta Electronics DIAView allows network-based attackers to reach configured project databases without credentials, bypassing the prior mitigation issued for CVE-2025-62582. The flaw carries a CVSS 9.8 rating with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the original CVE it incompletely patches has known prior research from Tenable.
Authorization bypass in IBM Engineering Lifecycle Management (ELM) 7.0.3, 7.1.0, and 7.2.0 allows unauthenticated remote attackers to modify server property files and gain unauthorized access to the application. The flaw carries a critical CVSS 9.8 score with full confidentiality, integrity, and availability impact, and IBM has released Interim Fixes addressing it. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.03%, 10th percentile).
Stack-based buffer overflow in FastNetMon Community Edition through 1.2.9 allows remote unauthenticated attackers to achieve arbitrary code execution by sending a crafted BGP UPDATE message containing a malformed NLRI prefix length value. The vulnerable function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the wire without bounding it to the IPv4 maximum of 32, enabling a memcpy of up to 32 bytes into a 4-byte stack variable - a potential 28-byte stack smash. Despite a critical CVSS score of 9.8 and SSVC technical impact rated 'total', EPSS sits at just 0.02% (7th percentile) and SSVC exploitation status is 'none', indicating no known active exploitation at time of analysis; however, a public security research writeup from Lorikeetsecurity exists that details the flaw.
Transport encryption downgrade in Joomla! CMS password and username reset workflows causes reset links to be generated with plain HTTP URLs instead of HTTPS when the 'Force SSL' configuration flag is not explicitly enabled. Affected installations span Joomla! 3.9.0 through 5.4.5 and 6.0.0 through 6.1.0, exposing reset tokens to network interception. No public exploit identified at time of analysis, and EPSS scores exploitation probability at 0.02% (5th percentile) despite the 9.8 CVSS rating.
Heap buffer overflow in FastNetMon Community Edition through 1.2.9 originates from a CWE-190 integer overflow in the BGP AS_PATH attribute encoder (IPv4UnicastAnnounce::get_attributes() in src/bgp_protocol.hpp). When an AS_PATH carries more than 63 ASNs, the computed attribute length is silently truncated into a uint8_t field used for buffer sizing while the full data is still written, corrupting the heap. The CVSS 9.8 score implies remote unauthenticated code execution, though the flaw lives in FastNetMon's outbound BGP announcement encoder; no public exploit is identified at time of analysis and no EPSS or KEV data was supplied.
Remote code execution in FastNetMon Community Edition through 1.2.9 stems from an off-by-one heap write in the pervasively-used dynamic_binary_buffer_t class, reachable by anyone who can send NetFlow, sFlow, IPFIX, or BGP traffic to the DDoS-detection appliance. Because the flawed buffer is exercised during BGP encoding/decoding, NetFlow template parsing, and Flow Spec NLRI construction, an unauthenticated network attacker can corrupt adjacent heap metadata and potentially execute arbitrary code. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), but no public exploit is identified at time of analysis and it is not listed in CISA KEV.
OS command injection in FastNetMon Community Edition (through 1.2.9) lets attacker-controlled input reach an unescaped exec() call inside the Juniper router integration plugin, enabling arbitrary shell command execution on the host. The flaw lives in the _log() function of src/juniper_plugin/fastnetmon_juniper.php, where the $msg argument (built from argv[1]-argv[3]: attack IP, direction, power) is concatenated directly into a shell command. Although rated CVSS 9.8, practical exploitation is gated: FastNetMon's C++ core currently feeds IPs through inet_ntoa(), which only yields safe dotted-decimal strings, so injection requires the script to be driven directly or by a third-party orchestrator. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Unauthenticated path traversal in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 exposes arbitrary file system access through the `/SubstationWEBV2/app/..;/main/upfile` endpoint by manipulating the `path` argument. The vulnerability is remotely exploitable with no authentication or user interaction required (CVSS 4.0 AV:N/AC:L/AT:N/PR:N/UI:N), and a publicly available proof-of-concept exists. Although EPSS sits at 0.09% (25th percentile), SSVC classifies this as automatable, and the vendor has not responded to disclosure, leaving no official patch available.
Heap-based buffer overflow in GNU LibreDWG through version 0.13.4.8160 lets an attacker corrupt heap memory by getting the library to parse a malicious DWG file, specifically a 2004-format file with a crafted compressed section processed via the dwgbmp thumbnail-extraction utility. The flaw stems from missing bounds validation in the decompression routine and is reachable without authentication or user privileges per its CVSS vector; impact is rated low across confidentiality, integrity, and availability (CVSS 7.3). Publicly available exploit code exists (a proof-of-concept DWG sample), but the issue is not listed in CISA KEV, and an official upstream fix has been committed.
Denial of service in vllm 0.19.0's OpenAI-compatible serving path allows remote unauthenticated attackers to exhaust scheduler resources by submitting requests with unbounded logprob counts. The root cause, confirmed by PR diff analysis, is the absence of any per-batch logprob budget in the v1 scheduler: requests specifying logprobs=-1 (full vocabulary) multiplied across parallel sequences (n) generate massive compute and memory overhead with no cap, blocking or crashing the inference server. Publicly available exploit code exists (GitHub issue #37343); no confirmed active exploitation at time of analysis.
Improper access control in sambitraj's STUDENT-MANAGEMENT-SYSTEM exposes multiple Dashboard endpoints to unauthenticated remote attackers, enabling unauthorized read and write operations on student data. The vulnerability, tagged as an authentication bypass (CWE-284), affects all code up to and including commit 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5 and is confirmed by a publicly disclosed exploit via GitHub issue. No public exploit identified at time of analysis for active KEV-level exploitation, however publicly available exploit code exists and the maintainer has not responded to responsible disclosure, leaving the codebase unpatched.
Improper access control in hemant6488's CodeIgniter-StudentManagementSystem exposes the student addition endpoint at /index.php/students/addStudentView to unauthenticated remote manipulation, enabling read, write, and partial availability impact on student data without credentials. The CVSS 4.0 vector (PR:N, AV:N, AC:L) confirms no authentication is required from any network, and a publicly available exploit (GitHub issue #5) has been documented. No vendor patch exists and the maintainer has not responded to the coordinated disclosure, leaving all deployed instances unmitigated.
SQL injection in itsourcecode Student Transcript Processing System 1.0 exposes the admin panel endpoint `/admin/modules/class/index.php?view=view` to remote unauthenticated database manipulation via the unsanitized `id` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, making this trivially reachable from the network. A public proof-of-concept exploit has been disclosed on GitHub, and SSVC flags this as automatable with partial technical impact - though EPSS at 0.03% (9th percentile) reflects limited observed in-the-wild activity; no public exploit identified at time of analysis reaching KEV status.
SQL injection in itsourcecode Student Transcript Processing System 1.0 allows remote unauthenticated attackers to manipulate backend database queries by supplying crafted values for the studentId or cid parameters in /admin/modules/student/trans.php. The CVSS 4.0 vector (PR:N, AC:L, UI:N) confirms exploitation requires no authentication and no user interaction, and a proof-of-concept is publicly available via a GitHub issue. No public KEV listing exists and EPSS sits at 0.03% (9th percentile), indicating limited threat-actor uptake thus far - likely due to the narrow deployment footprint of this niche educational PHP application.
SQL injection in itsourcecode Student Transcript Processing System 1.0 exposes the application to unauthenticated remote database manipulation via the studentId parameter in the admin student view endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no privileges or user interaction are required, and publicly available exploit code exists on GitHub. Despite the remote, unauthenticated attack surface and POC availability, EPSS sits at only 0.03% (9th percentile), indicating limited real-world exploitation uptake at time of analysis; no CISA KEV listing has been issued.
SQL injection in itsourcecode Electronic Judging System 1.0 exposes the /admin/delete_judge.php endpoint to remote unauthenticated attackers who can manipulate the judge_id parameter to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites are required to reach the vulnerable parameter, and a publicly available proof-of-concept exploit exists on GitHub, corroborated by the CVSS 4.0 exploit maturity modifier E:P. Despite these factors, EPSS sits at 0.03% (9th percentile), indicating no public exploit has yet driven widespread opportunistic scanning; no KEV listing confirms active exploitation in the wild at time of analysis.
SQL injection in itsourcecode Electronic Judging System 1.0 allows remote unauthenticated attackers to manipulate the `num_id` parameter in `/admin/edit_team.php`, enabling unauthorized database read, write, and partial availability impact. The CVSS 4.0 vector confirms no authentication or user interaction is required (PR:N/UI:N), and publicly available exploit code exists on GitHub - though EPSS remains very low at 0.03% (9th percentile), suggesting limited real-world exploitation interest consistent with a niche, low-adoption PHP application. The vulnerability is not listed in CISA KEV, but the SSVC framework flags it as automatable, meaning opportunistic scanning tools could exploit it at scale against any internet-exposed deployment.
SQL injection in itsourcecode Electronic Judging System 1.0 exposes the /admin/edit_judge.php endpoint to unauthenticated remote attackers who can manipulate the judge_id parameter to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special preconditions. A public proof-of-concept exploit has been disclosed on GitHub, though EPSS at 0.03% (9th percentile) reflects the product's limited deployment footprint rather than low technical severity - no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV).
SQL injection in the Sixun Shanghui Group Business Management System 10 exposes the /api/Dinner/PayConfig endpoint to unauthenticated remote attackers who can manipulate the tableno parameter to execute arbitrary SQL queries against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special network position - only access to the endpoint. A public proof-of-concept exploit is available via a Feishu document, though EPSS remains very low at 0.03% (8th percentile), and no patch has been released as the vendor was unresponsive to coordinated disclosure.
SQL injection in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2 enables remote unauthenticated attackers to manipulate the `sort` parameter at the `/SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree` endpoint, achieving partial read, write, and availability impact against the backend database. The `..;` path segment is a known Java servlet filter-bypass technique, suggesting the endpoint may circumvent URL-based access controls before reaching the vulnerable query handler. A public proof-of-concept exploit exists and the vendor did not respond to responsible disclosure, meaning no patch is currently available - leaving all deployments of this power infrastructure management platform exposed.
SQL injection in Das Parking Management System (停车场管理系统) 6.2.0 allows remote unauthenticated attackers to manipulate the Value argument of the Search API Endpoint, enabling unauthorized database read and write operations. The CVSS 4.0 vector confirms network-accessible, zero-complexity, no-privilege-required exploitation with partial impact across confidentiality, integrity, and availability. A public exploit has been released per VulDB (EUVD-2026-31829), and the vendor was unresponsive to disclosure - no patch exists at time of analysis.
SQL injection via the xp_cmdshell-invoked export endpoint in Das Parking Management System 6.2.0 allows unauthenticated remote attackers to manipulate database queries through the Value parameter of the ParkingRecord/ExportParkingRecords API endpoint. The specific reference to xp_cmdshell - a Microsoft SQL Server extended stored procedure capable of executing operating system commands - elevates the potential impact beyond typical data-layer SQL injection if that procedure is enabled on the target SQL Server instance, making this more consequential than the CVSS 5.5 score alone suggests. A publicly available proof-of-concept exploit exists and the vendor has not responded to disclosure, leaving version 6.2.0 without a vendor-issued patch.
SQL injection in itsourcecode Courier Management System 1.0 lets remote attackers manipulate the 'ID' parameter of /manage_user.php to inject arbitrary SQL into backend database queries. Per the CVSS vector (PR:N) no authentication is required, and publicly available exploit code exists, though the flaw is not listed in CISA KEV and carries only low (C:L/I:L/A:L) per-impact ratings.
Missing authorization in SourceCodester eDoc Doctor Appointment System 1.0 exposes the /admin/delete-session.php endpoint to unauthenticated remote attackers who can manipulate the ID parameter to delete arbitrary appointment sessions without any credential or privilege. The CVSS 4.0 vector confirms network-accessible, zero-complexity exploitation with no authentication required (PR:N), though impact is bounded to low integrity and availability degradation with no confidentiality loss. A publicly available exploit script (poc.sh) on GitHub confirms practical exploitability, though the vulnerability is not currently listed in CISA KEV.
SQL injection in code-projects Project Management System 1.0 allows remote unauthenticated attackers to manipulate database queries through the login handler (chk.php). The flaw stems from unsanitized input being passed into a SQL statement, enabling authentication-context query tampering and data disclosure. Publicly available exploit code exists, though the vulnerability is not listed in CISA KEV and no active exploitation is confirmed.
Improper access control in JeecgBoot through version 3.9.1 exposes the LoginController.selectDepart endpoint at /sys/selectDepart, allowing remote attackers to bypass authorization checks tied to department/tenant selection during login. Publicly available exploit code exists per VulDB disclosure, and the vendor has shipped a fix in v3.9.2. No active in-the-wild exploitation has been confirmed (not in CISA KEV), but the public POC and network-reachable attack surface make opportunistic abuse plausible.
Local privilege escalation in OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows unprivileged local users to execute arbitrary OS commands as root by abusing an exposed local IPC channel to the privileged background service. The flaw carries a CVSS 4.0 score of 9.4 with scope change (SC:H/SI:H/SA:H), and SSVC rates technical impact as total, though there is no public exploit identified at time of analysis and EPSS is only 0.04%.
Authentication bypass in Kavita reading server versions prior to 0.9.0.2 allows remote unauthenticated attackers to obtain a valid JWT for any user account, including administrators, given only knowledge of the target username. The flaw stems from improper token validation logic and enables full account takeover without credentials. No public exploit identified at time of analysis, though SSVC rates technical impact as total and automatable.
Sandbox escape in Lumiverse AI chat application versions prior to 0.9.7 allows remote attackers to execute arbitrary JavaScript in a victim's authenticated session by delivering a malicious theme pack (.lumitheme / .lumiverse-theme). The component override system's Sucrase-transpiled TSX sandbox is bypassed via string concatenation of blocked identifiers and DOM ref traversal to retrieve the real window object, defeating both static source validation and runtime global shadowing. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-rgp6-55rw-5xf4) documents the exact bypass technique.
Server-Side Request Forgery in Google Cloud Apigee-X's SetIntegrationRequest policy enables remote attackers to coerce the API gateway into making attacker-controlled requests and exfiltrate service account access tokens from the underlying GCP metadata service. The flaw affects Apigee-X versions prior to 1.14.4, 1.15.2, and 1.16.1, but exploitation requires an administrator to have first deployed an API proxy with an insecure configuration. With no public exploit identified and a low EPSS score of 0.14%, the issue carries CVSS 9.2 severity primarily due to the high confidentiality and integrity impact on cloud credentials.
Symlink-based path traversal in the Perl module Archive::Tar before version 3.08 allows a malicious tar archive to write or point files outside the intended extraction directory. When an application extracts an attacker-supplied archive, symlink entries whose targets are absolute paths or contain '..' traversal sequences are followed without validation, letting an attacker place links that resolve to arbitrary filesystem locations. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but the issue is rated CVSS 9.1 because Archive::Tar is widely embedded in automated server-side processing of untrusted archives.
Host-level code execution in Lumiverse AI chat application (versions prior to 0.9.7) allows admin-authenticated attackers to run arbitrary commands on the host by submitting a malicious Spindle extension whose package.json defines lifecycle scripts. The Spindle build pipeline invokes bun install before its static safety scan and without script execution disabled, so code runs at install time on the server rather than at runtime in any sandboxed bundle. No public exploit identified at time of analysis.
Argument injection in Lumiverse AI chat application before version 0.9.7 enables authenticated high-privilege attackers to execute arbitrary OS commands on the host. When the primary toSmbPath(fullPath) routine throws, a fallback path concatenates the unvalidated basename into an smbclient -c script, where ';' acts as a subcommand separator and '!cmd' triggers a local shell escape. No public exploit identified at time of analysis, and the issue is not currently in CISA KEV.
NULL pointer dereference in Hitachi Energy RTU500 series CMU Firmware allows an adjacent low-privileged attacker to crash the IEC 60870-5-104 communication process by sending a specially crafted sequence of messages over time, resulting in a Denial of Service on the RTU device. Exploitation is gated behind a non-default configuration - only deployments with bidirectional communication interface (BCI) mode enabled are affected. No public exploit exists and EPSS places exploitation probability at 0.02% (7th percentile), consistent with the specialized OT/ICS context, adjacency requirement, and SSVC confirmation of no known active exploitation.