Resource quota bypass in Pterodactyl Panel prior to 1.12.3 allows authenticated users to exceed their assigned database allocation limits by exploiting a broken concurrency guard in the Client API. The `lockForUpdate()` call in `DatabaseController.php` is a non-terminating Laravel query builder call that never issues an actual SQL lock, making it a no-op that enables parallel requests to simultaneously pass the limit check. No public exploit has been identified at time of analysis; with EPSS at 0.04% (12th percentile) and no KEV listing, real-world exploitation risk is currently low but relevant to multi-tenant hosting deployments.
Code injection in ThingsBoard 4.3.1.0 and 4.3.1.1 allows remote attackers to embed control characters and shell metacharacters into server-generated Docker Compose YAML files and MQTT publish commands via the /api/v1/provision endpoint's getGatewayDockerComposeFile and getMqttPublishCommand functions. Device credential fields - including clientId, userName, password, and credentialsId - are passed unsanitized into YAML and shell command construction, enabling injection of shell special characters such as $, backtick, and double-quote. No public exploit has been identified at time of analysis; SSVC rates exploitation as none and EPSS is 0.04%, though the RCE tag warrants scrutiny given the CVSS 4.0 score of only 2.3.
Improper access control in JeecgBoot versions up to 3.9.1 allows low-privileged authenticated remote users to interact with the /sys/comment/add endpoint beyond their assigned permission level, resulting in low-impact confidentiality, integrity, and availability effects. The CVSS 4.0 score of 2.1 reflects a narrow blast radius with no subsequent system compromise, but a publicly available proof-of-concept (E:P) elevates the likelihood of opportunistic exploitation on internet-facing deployments. No active exploitation has been confirmed by CISA KEV at time of analysis.
The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service" and a site must have added a YouTube service as configuration.
VM escape in Kata Containers allows any Kubernetes user with pod-creation rights to break out of the VM sandbox and gain full read/write access to the host filesystem. All Kata Containers installations prior to commit ffa59ce3aa78 are affected when using the default configuration.toml, which enables the `virtio_fs_extra_args` and `kernel_params` pod annotations out of the box. An attacker crafts a pod with two annotations: one to redirect virtiofsd to serve the host root filesystem (`/`) into the guest VM, and a second to enable the agent debug console - after which the entire host filesystem is accessible from inside the supposedly isolated VM. A fully working proof-of-concept with confirmed output against Kata Containers 3.28.0 on Ubuntu 24.04 has been publicly disclosed; no public exploit confirmed as actively exploited (CISA KEV) at time of analysis.
Unauthenticated remote code execution in FUXA 1.3.0 (the fuxa-server npm package) lets any network-reachable attacker run arbitrary OS commands on the SCADA/HMI host when secureEnabled is true. The POST /api/runscript endpoint authorizes a request against a stored script's permission, but with test:true it instead compiles and runs attacker-supplied code via Node's Module._compile, so a guest who knows a valid script ID and name (leaked via the unauthenticated GET /api/project endpoint) can execute code with full Node runtime access. Publicly available exploit code exists in the vendor advisory; no CVSS, EPSS, or CISA KEV data is provided.
Unauthenticated disclosure of arbitrary industrial tag values in FUXA 1.3.0 lets remote actors read live process data through the /api/getTagValue endpoint. Per the vendor advisory (GHSA-fwcm-rqvw-j3p7), the API mints a signed 'guest' identity when no API key or access token is supplied, and the per-script authorization check fails open when the referenced sourceScriptName points to a non-existent script, so the guest request is treated as authorized. No CISA KEV listing and no weaponized public exploit code were identified, though the advisory documents the exact vulnerable code paths; the flaw is fixed in v1.3.1.
Pre-authentication remote code execution affects FUXA, an open-source web-based SCADA/HMI platform, in versions >= 1.2.11 and < 1.3.1 (the advisory references build v1.3.0-2706). The flaw is a path-confusion authentication bypass: the login middleware performs a substring match against the full request URL (including the query string), so appending a benign-looking parameter such as ?x=/socket.io to any administrative request causes the server to treat it as a public WebSocket handshake and skip the secureEnabled and nodeRedAuthMode checks entirely. When Node-RED is enabled with command-capable nodes, this reaches the /nodered/* admin interface and yields code execution in the container context (advisory states 'as root'). The GitHub Security Advisory (GHSA-p69w-mmfv-xrfj) discloses the exact bypass payload, so publicly available exploit details exist; there is no CISA KEV listing and no public report of active exploitation at time of analysis.
Path traversal in XWiki Platform's WebJars API enables a subwiki admin who can publish and install a malicious WebJar extension to write arbitrary files anywhere on the server filesystem. The affected Maven component `xwiki-platform-webjars-api` fails to validate that JAR entry paths extracted during extension installation remain within the intended export directory, allowing overwrite of configuration files or potential superadmin credential manipulation. No public exploit is identified and no CISA KEV listing exists; vendor-released patches are available across three version branches.