Improper type validation in fraillt bitsery's smart pointer deserialization extension exposes applications that process attacker-controlled serialized data to partial confidentiality, integrity, and availability compromise. The vulnerable function loadFromSharedState in include/bitsery/ext/std_smart_ptr.h fails to validate polymorphic type identity before performing reinterpret_cast operations, allowing a remote unauthenticated attacker to supply crafted serialized input that triggers unsafe memory access. A publicly available proof-of-concept exploit exists (GitHub gist), though EPSS remains very low at 0.07% (21st percentile) and this CVE is not listed in CISA KEV, suggesting no observed widespread exploitation at time of analysis.
OS command injection in Totolink CA750-PoE 6.2c.510 allows a low-privileged remote attacker to execute arbitrary operating system commands by manipulating the PIN argument passed to the setWiFiWpsConfig function within /cgi-bin/cstecgi.cgi. The attack requires no user interaction and is reachable over the network, making it a credible threat to any deployment exposing the device's management interface. A public proof-of-concept exploit has been published on GitHub, and EPSS places this at the 87th percentile of exploitation likelihood despite a low raw CVSS 4.0 score of 2.1 - a signal worth noting against the mismatch.
OS command injection in Totolink CA750-PoE firmware 6.2c.510 enables remote attackers with low-level credentials to execute arbitrary operating system commands via the fwUrl and magicid parameters of the recvUpgradeNewFw function within /cgi-bin/cstecgi.cgi. The firmware upgrade Setting Handler fails to sanitize user-supplied input before passing it to the underlying OS shell, exposing the device to command execution. A public proof-of-concept exploit is available on GitHub; while not yet listed in CISA KEV, the EPSS 87th-percentile ranking signals elevated real-world exploitation interest relative to the broader vulnerability landscape.
OS command injection in Totolink CA750-PoE firmware 6.2c.510 allows authenticated remote attackers to execute arbitrary shell commands by manipulating the FileName argument passed to the setUploadUserData function within the /cgi-bin/cstecgi.cgi Setting Handler. A public proof-of-concept exploit is available on GitHub, meaningfully lowering the skill barrier for adversaries. While not listed in CISA KEV, the EPSS score of 2.95% at the 87th percentile signals real-world exploitation probability well above average, making this a higher practical risk than the CVSS 4.0 base score of 2.1 alone would suggest.
OS command injection in Totolink CA750-PoE firmware 6.2c.510 allows a network-adjacent authenticated attacker to execute arbitrary operating system commands by manipulating the FileName argument passed to the setUpgradeUboot function within the /cgi-bin/cstecgi.cgi Setting Handler. Publicly available exploit code exists, hosted on GitHub, making exploitation accessible to low-skilled attackers. No public exploit identified in CISA KEV at time of analysis, though the EPSS 87th percentile ranking signals elevated exploitation interest relative to the broader CVE population despite a low absolute probability of 2.95%.
OS command injection in haojing8312 WorkClaw up to version 0.6.4 allows a low-privileged remote attacker to bypass the application's blacklist-based command filter and execute arbitrary operating system commands. The flaw resides in the `is_dangerous` function within the Rust/Tauri agent's bash tool (`apps/runtime/src-tauri/src/agent/tools/bash.rs`), where an incomplete blacklist fails to block crafted payloads. A publicly available proof-of-concept exploit exists via a GitHub issue report; no vendor patch has been released as the project has not responded to the disclosure.
Cross-site scripting in Teable's authentication redirect flow (versions 1.0-1.9.x) allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by crafting a login URL with a malicious `redirect` parameter using javascript: or data: URI schemes. The vulnerable component is LoginPage.tsx in the Next.js frontend and the social auth controller adapter in the NestJS backend, neither of which validated the redirect destination before navigating. Publicly available exploit code exists (GitHub gist), but the vulnerability is not listed in CISA KEV and EPSS probability is very low at 0.04% (11th percentile), indicating no confirmed widespread exploitation.
Reflected cross-site scripting in itsourcecode Electronic Judging System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the `fname` parameter of `/admin/judges.php`, executing arbitrary JavaScript in the context of a victim's browser session. The CVSS 4.0 score of 2.1 reflects the low integrity impact and mandatory user interaction, consistent with a reflected XSS that requires a victim to follow a crafted URL. No public exploit identified at time of analysis as KEV-listed, but a publicly available proof-of-concept exists on GitHub, slightly elevating practical risk despite the EPSS score of 0.03% (10th percentile).
Stored cross-site scripting in hemant6488's CodeIgniter-StudentManagementSystem allows remote unauthenticated attackers to inject arbitrary JavaScript via the Name argument of the addStudent function in view_students.php. When a victim user views the student listing, the injected script executes in their browser context, enabling session hijacking, credential theft, or defacement. A publicly available proof-of-concept exists via GitHub issue report; however, this vulnerability is not listed in CISA KEV, and EPSS scoring places exploitation probability at 0.03%, indicating low real-world exploitation activity despite POC availability.
Information exposure via verbose SQL error messages in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 enables authenticated remote attackers to harvest internal database details by manipulating the /index.php SQL Handler endpoint. The application returns raw SQL error output rather than sanitized application-level messages, leaking schema structure, table names, or query internals. A public proof-of-concept exploit is available on GitHub; this CVE is not listed in the CISA KEV catalog, and the CVSS 4.0 score of 2.1 reflects the low-severity, confidentiality-only impact.
Cross-site scripting in blitz-js blitz (versions 3.0.0-3.0.2) allows remote attackers to inject malicious scripts via the 'Next' redirect parameter in the LoginForm component's Sign-in flow. The vulnerability requires passive user interaction (a victim must follow a crafted link) and is limited to low-integrity impact on the vulnerable system per CVSS 4.0 scoring. Publicly available exploit code exists (GitHub Gist), though EPSS stands at 0.03% (9th percentile) indicating low observed exploitation probability, and it is not listed in CISA KEV. The vendor did not respond to responsible disclosure, meaning no patch has been released.
Reflected cross-site scripting in pingvin-share's sign-in auto-redirect feature allows remote unauthenticated attackers to inject and execute arbitrary JavaScript in a victim's browser by manipulating the `redirect` query parameter. All releases from 1.0 through 1.13.0 (the full release history) are affected. A publicly available proof-of-concept exploit exists on GitHub, and the vendor has not responded to responsible disclosure — meaning no patch has been issued and no vendor advisory exists.
SQL injection in CodeAstro Leave Management System 1.0 allows authenticated remote attackers to manipulate the `email_id` parameter in `/admin/add_staff.php`, enabling arbitrary SQL query manipulation against the underlying database. The CVSS 4.0 score of 2.1 (Low) reflects constrained impact scope - confidentiality, integrity, and availability are each rated Low with no lateral impact to subsequent systems - and EPSS at 0.03% (8th percentile) indicates negligible real-world exploitation probability despite a publicly available proof-of-concept on GitHub. No active exploitation has been confirmed and this CVE is not listed in the CISA KEV catalog.
Improper access control in JeecgBoot's AiragModelController (versions up to 3.9.1) permits any authenticated low-privilege user to invoke the list and queryById API endpoints without proper authorization checks, exposing AI RAG model configuration data restricted to higher-privileged roles. The CVSS vector (PR:L, C:L) confirms this is an authorization bypass rather than a full authentication bypass, limiting impact to confidentiality of AI model metadata. Publicly available exploit code exists (GitHub issue #9599, referenced in the exploit tag), though no CISA KEV listing indicates confirmed widespread active exploitation at time of analysis.
Cross-site request forgery in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 enables remote attackers to perform unauthorized state-changing actions by tricking an authenticated user into visiting a malicious page. The CVSS 4.0 vector (VI:L, SC:N/SI:N/SA:N) confirms impact is limited to low-level integrity degradation on the vulnerable system with no confidentiality or availability consequence. A publicly available exploit (PoC HTML page and advisory) has been released to GitHub by researcher NARKHEDE-VAIBHAV; no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV).
Improper access control in JeecgBoot versions up to 3.9.1 allows authenticated low-privileged remote attackers to bypass authorization checks by manipulating the `userIdentity` argument in the SysUser component's `user.getUsername` function at the `/sys/user/login/setting/userEdit` endpoint. A publicly available proof-of-concept exploit exists via GitHub issue #9596, increasing practical risk for any multi-user JeecgBoot deployment where adversaries hold a low-privileged account. Vendor-released patch v3.9.2 is available and explicitly remediates this access control failure alongside several other high-severity issues including RCE and SSRF, indicating a broad security hardening effort in this release cycle.
Stored cross-site scripting in SourceCodester Hospitals Patient Records Management System 1.0 allows a remote, high-privileged attacker to inject malicious script via the Remarks argument on the /admin/?page=patients/view_patient endpoint, resulting in low-integrity impact when a victim administrator views the affected patient record. A public proof-of-concept exploit exists (GitHub issue), though the CVSS 4.0 base score of 1.9 and EPSS of 0.03% (8th percentile) indicate low real-world exploitation likelihood. This is not listed in the CISA KEV catalog and SSVC classifies it as non-automatable with partial technical impact.
Memory leak in GPAC MP4Box up to version 2.4.0 allows a local, low-privileged attacker to exhaust process memory by supplying a crafted MP4 file that triggers the vulnerable `Media_GetSample` function in `src/isomedia/media.c`. The root cause is a missing zero-size guard before memory allocation when the `cat` argument is manipulated to produce a zero-sum of `data_size` and `padding_bytes`. A publicly available proof-of-concept exploit (poc.zip) exists, but the CVSS 4.0 score of 1.9, EPSS of 0.01% (2nd percentile), and strictly local attack vector collectively indicate very low real-world risk; no active exploitation has been identified.
Null pointer dereference in GPAC's MP4Box tool (versions 2.0 through 2.4.0) allows a local, low-privileged attacker to crash the application by supplying a crafted MP4 file with a malformed Protection System Header Box (PSSH). The vulnerability resides in the MergeFragment function, which fails to validate the private_data pointer before passing it to memmove, resulting in a denial-of-service impact limited to the MP4Box process. A public proof-of-concept exploit exists (hosted on GitHub), though EPSS sits at 0.01% (2nd percentile) and the flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, consistent with the low-severity, local-only nature of the issue.
Heap-based buffer overflow in Squirrel versions 3.0 through 3.2 allows a locally authenticated low-privilege attacker to corrupt heap memory by supplying a malicious Cnut file to the ReadObject function in sqobject.cpp. The impact is limited to partial confidentiality, integrity, and availability effects with no scope change, as confirmed by the CVSS 4.0 score of 1.9. A public proof-of-concept exploit exists on GitHub, but this vulnerability has not been confirmed actively exploited by CISA KEV, and EPSS places exploitation probability at just 0.01% (2nd percentile), indicating very low real-world exploitation activity.
Out-of-bounds read in GNU LibreDWG's read_2004_compressed_section function (src/decode.c) affects all versions through 0.14, allowing a local low-privileged attacker to crash the dwgbmp utility or any LibreDWG-based application by supplying a crafted DWG 2004 file with manipulated section address or size fields. Impact is limited to availability (application crash) with no confirmed confidentiality or integrity exposure per the CVSS 4.0 vector. A publicly available proof-of-concept DWG file exists on GitHub, but EPSS at 0.01% (2nd percentile) and no CISA KEV listing confirm this is not currently subject to widespread exploitation.
Null pointer dereference in GNU LibreDWG's dwggrep utility crashes the application when processing a maliciously crafted DWG file. The vulnerability resides in the match_BLOCK_HEADER function within dwggrep.c and affects all tracked releases from version 0.1 through 0.14. A local authenticated attacker can exploit this to cause denial of service against the dwggrep utility; no publicly available exploit code exists for confidentiality or integrity compromise, consistent with the CVSS impact scores of VC:N/VI:N/VA:L. Publicly available exploit code exists (no KEV listing), though EPSS at 0.01% reflects negligible widespread exploitation probability.
Business logic abuse in ZTE ZXUniPOS NDS-LTE (versions V24.40.40 and V24.30.40CP02) allows a highly privileged authenticated network attacker to manipulate legitimate application functions in ways unintended by the designer, yielding limited integrity and availability degradation. The CVSS score of 3.8 (Low) combined with an EPSS exploitation probability of 0.03% (7th percentile) and SSVC exploitation status of 'none' collectively indicate minimal immediate real-world threat. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Cross-project issue state modification in Bugsink prior to 2.2.0 allows authenticated users with access to one project to alter the state of issues belonging to other projects if a valid target issue UUID is known. The bulk action endpoint authorizes based on the project in the URL but applies submitted issue IDs without verifying project membership, creating a project-boundary authorization bypass. No active exploitation has been confirmed (not in CISA KEV), no public exploit code has been identified, and the EPSS score of 0.03% (8th percentile) reflects minimal real-world exploitation probability.
Cross-project event data exposure in Bugsink prior to 2.2.0 allows an authenticated user with access to one project to read event data - including stacktraces, breadcrumbs, and raw event details - belonging to a separate, unauthorized project. The flaw (CWE-639) exists because issue event views accept a direct event UUID from the URL without verifying that the event belongs to the project in the same URL path. Exploitation is materially constrained by the requirement for both an authenticated session and prior knowledge of a valid target event UUID; no public exploit has been identified and EPSS sits at 0.03% (7th percentile).
PIN lock bypass in Easyelife App Lock 1.9.2 for Android allows a local attacker with physical device access to reach applications that were supposedly secured behind a PIN. The root cause is architectural: the lock is implemented as a UI overlay rather than through Android's native secure authentication APIs (BiometricPrompt, KeyguardManager), meaning it can be circumvented by triggering advertisement or browser intents that cause the app to navigate cascading activity flows, effectively routing around the overlay. EPSS is very low at 0.05% (16th percentile), no public exploit is confirmed in CISA KEV, and a researcher disclosure with likely proof-of-concept steps is publicly available on GitHub.
PIN lock bypass in SailingLab AppLock 4.3.8 for Android exposes protected applications to anyone with brief physical device access. The root cause is architectural: the lock is implemented as a screen overlay rather than through Android's secure authentication APIs, meaning the underlying apps remain accessible via exposed intent routes triggered through advertisement or browser interactions. An attacker with physical access can navigate cascading UI flows to dismiss or circumvent the overlay entirely, gaining access to locked apps such as Chrome, resulting in information disclosure and unintended privilege escalation. No public exploit is confirmed in CISA KEV, but a researcher disclosure is publicly available on GitHub, and EPSS is negligible at 0.04% (11th percentile), consistent with the physical-access-only attack vector.
Physical-access PIN lock bypass in AppLockZ 4.2.11 for Android exposes protected applications to unauthorized access without valid credentials. The root cause is architectural: the lock mechanism is implemented as a UI overlay rather than through Android's secure authentication APIs, leaving it vulnerable to circumvention via exposed activity routes reachable through advertisement or browser intents. An attacker with physical possession of the device can navigate cascading interface flows to evade lockscreen verification and access apps protected by AppLockZ (e.g., Chrome), resulting in information disclosure. No active exploitation is confirmed in CISA KEV, and the EPSS score of 0.04% reflects minimal real-world exploitation probability at this time.
Resource quota bypass in Pterodactyl Panel prior to 1.12.3 allows authenticated users to exceed their assigned database allocation limits by exploiting a broken concurrency guard in the Client API. The `lockForUpdate()` call in `DatabaseController.php` is a non-terminating Laravel query builder call that never issues an actual SQL lock, making it a no-op that enables parallel requests to simultaneously pass the limit check. No public exploit has been identified at time of analysis; with EPSS at 0.04% (12th percentile) and no KEV listing, real-world exploitation risk is currently low but relevant to multi-tenant hosting deployments.
Code injection in ThingsBoard 4.3.1.0 and 4.3.1.1 allows remote attackers to embed control characters and shell metacharacters into server-generated Docker Compose YAML files and MQTT publish commands via the /api/v1/provision endpoint's getGatewayDockerComposeFile and getMqttPublishCommand functions. Device credential fields - including clientId, userName, password, and credentialsId - are passed unsanitized into YAML and shell command construction, enabling injection of shell special characters such as $, backtick, and double-quote. No public exploit has been identified at time of analysis; SSVC rates exploitation as none and EPSS is 0.04%, though the RCE tag warrants scrutiny given the CVSS 4.0 score of only 2.3.
Improper access control in JeecgBoot versions up to 3.9.1 allows low-privileged authenticated remote users to interact with the /sys/comment/add endpoint beyond their assigned permission level, resulting in low-impact confidentiality, integrity, and availability effects. The CVSS 4.0 score of 2.1 reflects a narrow blast radius with no subsequent system compromise, but a publicly available proof-of-concept (E:P) elevates the likelihood of opportunistic exploitation on internet-facing deployments. No active exploitation has been confirmed by CISA KEV at time of analysis.
The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service" and a site must have added a YouTube service as configuration.