Path traversal in OpenKM's administrative scripting interface exposes arbitrary server-side files to authenticated administrators who supply attacker-controlled paths via the fsPath parameter at /admin/Scripting with action=Load. Both the Community Edition (≤6.3.12) and Professional Edition (≤7.1.47) are affected, enabling exfiltration of /etc/passwd, database credential files, and JVM keystores accessible to the OpenKM process. No public exploit identified at time of analysis as a KEV entry, but publicly available exploit code exists via Exploit-DB (52520) and Terra System Labs' GitHub repository, raising the realistic risk for environments where admin credentials are shared, weak, or previously compromised.
Host header injection in Starlette prior to version 1.0.1 allows unauthenticated remote attackers to cause `request.url.path` to differ from the actual ASGI scope path used for routing, enabling bypass of middleware and endpoint security controls that rely on `request.url` rather than the raw scope. Any application enforcing path-based ACLs, authentication gates, or WAF-style filters through `request.url` is affected, as a crafted Host header can make the URL appear to address a permitted path while the real route differs. This issue carries CVSS 6.5 (AV:N/AC:L/PR:N/UI:N); no public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Unauthenticated path traversal in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 exposes arbitrary file system access through the `/SubstationWEBV2/app/..;/main/upfile` endpoint by manipulating the `path` argument. The vulnerability is remotely exploitable with no authentication or user interaction required (CVSS 4.0 AV:N/AC:L/AT:N/PR:N/UI:N), and a publicly available proof-of-concept exists. Although EPSS sits at 0.09% (25th percentile), SSVC classifies this as automatable, and the vendor has not responded to disclosure, leaving no official patch available.
Heap-based buffer overflow in GNU LibreDWG through version 0.13.4.8160 lets an attacker corrupt heap memory by getting the library to parse a malicious DWG file, specifically a 2004-format file with a crafted compressed section processed via the dwgbmp thumbnail-extraction utility. The flaw stems from missing bounds validation in the decompression routine and is reachable without authentication or user privileges per its CVSS vector; impact is rated low across confidentiality, integrity, and availability (CVSS 7.3). Publicly available exploit code exists (a proof-of-concept DWG sample), but the issue is not listed in CISA KEV, and an official upstream fix has been committed.
Denial of service in vllm 0.19.0's OpenAI-compatible serving path allows remote unauthenticated attackers to exhaust scheduler resources by submitting requests with unbounded logprob counts. The root cause, confirmed by PR diff analysis, is the absence of any per-batch logprob budget in the v1 scheduler: requests specifying logprobs=-1 (full vocabulary) multiplied across parallel sequences (n) generate massive compute and memory overhead with no cap, blocking or crashing the inference server. Publicly available exploit code exists (GitHub issue #37343); no confirmed active exploitation at time of analysis.
Improper access control in sambitraj's STUDENT-MANAGEMENT-SYSTEM exposes multiple Dashboard endpoints to unauthenticated remote attackers, enabling unauthorized read and write operations on student data. The vulnerability, tagged as an authentication bypass (CWE-284), affects all code up to and including commit 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5 and is confirmed by a publicly disclosed exploit via GitHub issue. No public exploit identified at time of analysis for active KEV-level exploitation, however publicly available exploit code exists and the maintainer has not responded to responsible disclosure, leaving the codebase unpatched.
Improper access control in hemant6488's CodeIgniter-StudentManagementSystem exposes the student addition endpoint at /index.php/students/addStudentView to unauthenticated remote manipulation, enabling read, write, and partial availability impact on student data without credentials. The CVSS 4.0 vector (PR:N, AV:N, AC:L) confirms no authentication is required from any network, and a publicly available exploit (GitHub issue #5) has been documented. No vendor patch exists and the maintainer has not responded to the coordinated disclosure, leaving all deployed instances unmitigated.
SQL injection in itsourcecode Student Transcript Processing System 1.0 exposes the admin panel endpoint `/admin/modules/class/index.php?view=view` to remote unauthenticated database manipulation via the unsanitized `id` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, making this trivially reachable from the network. A public proof-of-concept exploit has been disclosed on GitHub, and SSVC flags this as automatable with partial technical impact - though EPSS at 0.03% (9th percentile) reflects limited observed in-the-wild activity; no public exploit identified at time of analysis reaching KEV status.
SQL injection in itsourcecode Student Transcript Processing System 1.0 allows remote unauthenticated attackers to manipulate backend database queries by supplying crafted values for the studentId or cid parameters in /admin/modules/student/trans.php. The CVSS 4.0 vector (PR:N, AC:L, UI:N) confirms exploitation requires no authentication and no user interaction, and a proof-of-concept is publicly available via a GitHub issue. No public KEV listing exists and EPSS sits at 0.03% (9th percentile), indicating limited threat-actor uptake thus far - likely due to the narrow deployment footprint of this niche educational PHP application.
SQL injection in itsourcecode Student Transcript Processing System 1.0 exposes the application to unauthenticated remote database manipulation via the studentId parameter in the admin student view endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no privileges or user interaction are required, and publicly available exploit code exists on GitHub. Despite the remote, unauthenticated attack surface and POC availability, EPSS sits at only 0.03% (9th percentile), indicating limited real-world exploitation uptake at time of analysis; no CISA KEV listing has been issued.
SQL injection in itsourcecode Electronic Judging System 1.0 exposes the /admin/delete_judge.php endpoint to remote unauthenticated attackers who can manipulate the judge_id parameter to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites are required to reach the vulnerable parameter, and a publicly available proof-of-concept exploit exists on GitHub, corroborated by the CVSS 4.0 exploit maturity modifier E:P. Despite these factors, EPSS sits at 0.03% (9th percentile), indicating no public exploit has yet driven widespread opportunistic scanning; no KEV listing confirms active exploitation in the wild at time of analysis.
SQL injection in itsourcecode Electronic Judging System 1.0 allows remote unauthenticated attackers to manipulate the `num_id` parameter in `/admin/edit_team.php`, enabling unauthorized database read, write, and partial availability impact. The CVSS 4.0 vector confirms no authentication or user interaction is required (PR:N/UI:N), and publicly available exploit code exists on GitHub - though EPSS remains very low at 0.03% (9th percentile), suggesting limited real-world exploitation interest consistent with a niche, low-adoption PHP application. The vulnerability is not listed in CISA KEV, but the SSVC framework flags it as automatable, meaning opportunistic scanning tools could exploit it at scale against any internet-exposed deployment.
SQL injection in itsourcecode Electronic Judging System 1.0 exposes the /admin/edit_judge.php endpoint to unauthenticated remote attackers who can manipulate the judge_id parameter to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special preconditions. A public proof-of-concept exploit has been disclosed on GitHub, though EPSS at 0.03% (9th percentile) reflects the product's limited deployment footprint rather than low technical severity - no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV).
SQL injection in the Sixun Shanghui Group Business Management System 10 exposes the /api/Dinner/PayConfig endpoint to unauthenticated remote attackers who can manipulate the tableno parameter to execute arbitrary SQL queries against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special network position - only access to the endpoint. A public proof-of-concept exploit is available via a Feishu document, though EPSS remains very low at 0.03% (8th percentile), and no patch has been released as the vendor was unresponsive to coordinated disclosure.
SQL injection in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2 enables remote unauthenticated attackers to manipulate the `sort` parameter at the `/SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree` endpoint, achieving partial read, write, and availability impact against the backend database. The `..;` path segment is a known Java servlet filter-bypass technique, suggesting the endpoint may circumvent URL-based access controls before reaching the vulnerable query handler. A public proof-of-concept exploit exists and the vendor did not respond to responsible disclosure, meaning no patch is currently available - leaving all deployments of this power infrastructure management platform exposed.
SQL injection in Das Parking Management System (停车场管理系统) 6.2.0 allows remote unauthenticated attackers to manipulate the Value argument of the Search API Endpoint, enabling unauthorized database read and write operations. The CVSS 4.0 vector confirms network-accessible, zero-complexity, no-privilege-required exploitation with partial impact across confidentiality, integrity, and availability. A public exploit has been released per VulDB (EUVD-2026-31829), and the vendor was unresponsive to disclosure - no patch exists at time of analysis.
SQL injection via the xp_cmdshell-invoked export endpoint in Das Parking Management System 6.2.0 allows unauthenticated remote attackers to manipulate database queries through the Value parameter of the ParkingRecord/ExportParkingRecords API endpoint. The specific reference to xp_cmdshell - a Microsoft SQL Server extended stored procedure capable of executing operating system commands - elevates the potential impact beyond typical data-layer SQL injection if that procedure is enabled on the target SQL Server instance, making this more consequential than the CVSS 5.5 score alone suggests. A publicly available proof-of-concept exploit exists and the vendor has not responded to disclosure, leaving version 6.2.0 without a vendor-issued patch.
SQL injection in itsourcecode Courier Management System 1.0 lets remote attackers manipulate the 'ID' parameter of /manage_user.php to inject arbitrary SQL into backend database queries. Per the CVSS vector (PR:N) no authentication is required, and publicly available exploit code exists, though the flaw is not listed in CISA KEV and carries only low (C:L/I:L/A:L) per-impact ratings.
Missing authorization in SourceCodester eDoc Doctor Appointment System 1.0 exposes the /admin/delete-session.php endpoint to unauthenticated remote attackers who can manipulate the ID parameter to delete arbitrary appointment sessions without any credential or privilege. The CVSS 4.0 vector confirms network-accessible, zero-complexity exploitation with no authentication required (PR:N), though impact is bounded to low integrity and availability degradation with no confidentiality loss. A publicly available exploit script (poc.sh) on GitHub confirms practical exploitability, though the vulnerability is not currently listed in CISA KEV.
SQL injection in code-projects Project Management System 1.0 allows remote unauthenticated attackers to manipulate database queries through the login handler (chk.php). The flaw stems from unsanitized input being passed into a SQL statement, enabling authentication-context query tampering and data disclosure. Publicly available exploit code exists, though the vulnerability is not listed in CISA KEV and no active exploitation is confirmed.
Improper access control in JeecgBoot through version 3.9.1 exposes the LoginController.selectDepart endpoint at /sys/selectDepart, allowing remote attackers to bypass authorization checks tied to department/tenant selection during login. Publicly available exploit code exists per VulDB disclosure, and the vendor has shipped a fix in v3.9.2. No active in-the-wild exploitation has been confirmed (not in CISA KEV), but the public POC and network-reachable attack surface make opportunistic abuse plausible.
NULL pointer dereference in Hitachi Energy RTU500 series CMU Firmware allows an adjacent low-privileged attacker to crash the IEC 60870-5-104 communication process by sending a specially crafted sequence of messages over time, resulting in a Denial of Service on the RTU device. Exploitation is gated behind a non-default configuration - only deployments with bidirectional communication interface (BCI) mode enabled are affected. No public exploit exists and EPSS places exploitation probability at 0.02% (7th percentile), consistent with the specialized OT/ICS context, adjacency requirement, and SSVC confirmation of no known active exploitation.
LDAP injection in Yamcs LdapAuthModule (yamcs-core < 5.12.7) enables horizontal privilege escalation for authenticated low-privilege users. By submitting a wildcard character as the username alongside a single known valid LDAP password, an attacker causes the unescaped LDAP search filter to match the first user returned by the directory query, effectively authenticating as that account. A proof-of-concept exploit is publicly available in the GitHub advisory; no CISA KEV listing exists, but the low attack complexity and published PoC make this a credible threat for any Yamcs deployment using LDAP authentication.
Unauthenticated content enumeration in Kavita reading server (all versions prior to 0.9.0) exposes every page image across all server libraries to remote attackers without any credentials. The ReaderController.GetImage endpoint is decorated with ASP.NET's [AllowAnonymous] attribute, and while it accepts an apiKey parameter as a nominal access control, that parameter is never validated server-side - rendering it entirely decorative. Sequential integer entity IDs allow trivial full-library enumeration with nothing more than an HTTP client. No public exploit or CISA KEV listing exists at time of analysis, but the zero-friction exploitation path makes any publicly exposed instance a meaningful data-exposure risk.
Cross-site scripting in Joomla! CMS's multilingual associations component (com_associations) allows an authenticated high-privilege attacker to inject malicious scripts that execute in another user's browser session, yielding high confidentiality impact on the vulnerable system. Affected installations span Joomla! CMS 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0. SSVC assessment lists exploitation as none, EPSS is 0.04% (13th percentile), and no public exploit code or CISA KEV listing exists, indicating this is a low-urgency but genuine privilege-escalation-adjacent risk in multi-administrator Joomla environments.
Stored cross-site scripting in Joomla! CMS feed modules allows a high-privileged authenticated attacker to inject unsanitized content that executes in the browser context of a victim user who passively views the affected feed output. Affecting the broad version spans of 3.0.0 through 5.4.5 and 6.0.0 through 6.1.0, the root cause is a failure to apply output escaping before rendering feed module data. No public exploit has been identified at time of analysis, and SSVC confirms no current active exploitation.
Reflected or stored cross-site scripting in Joomla! CMS com_content component allows a high-privileged attacker to inject unescaped output into readmore links, executing arbitrary JavaScript in a victim's browser upon interaction. Affected releases span Joomla! CMS 4.0.0-5.4.5 and 6.0.0-6.1.0. No public exploit code has been identified and CISA KEV does not list this vulnerability, but a vendor security advisory has been published at the Joomla Security Centre.
Cross-site scripting in Joomla! CMS content history component (com_contenthistory) allows a high-privileged attacker to inject persistent malicious scripts due to missing output escaping, leading to confidentiality compromise of the vulnerable system when a victim views affected history entries. Confirmed affected versions span Joomla! CMS 3.0.0-5.4.5 and 6.0.0-6.1.0 across an exceptionally wide installed base. No public exploit code exists and the vulnerability is not in the CISA KEV catalog; EPSS of 0.04% (13th percentile) confirms no observed widespread exploitation at time of analysis.
Silent cryptographic key failure in Netty's OHTTP codec exposes HPKE response encryption to full key prediction. When HKDF_expand or EVP_HPKE_CTX_export fails internally, the library returns a zero-filled byte array rather than propagating the error, and that all-zero material is consumed directly by OHttpCrypto.createResponseAEAD() without any validation. Any OHTTP response encrypted under a failure-induced all-zero AEAD key is fully decryptable by any attacker who knows this behavior exists - the key is deterministic and universal. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.
Blind SQL injection in the com_finder (Smart Search) component of Joomla! CMS allows authenticated high-privilege users to extract confidential data from the underlying database across versions 5.4.0-5.4.5 and 6.0.0-6.1.0. The vulnerability stems from improperly constructed SQL filter clauses in search queries that permit attacker-controlled input to alter query logic. No public exploit has been identified at time of analysis, CISA has not added this to the KEV catalog, and EPSS probability sits at 0.03%, signaling minimal observed exploitation pressure.
MaxKB, an open-source enterprise AI assistant by 1Panel-dev, stores user passwords as unsalted MD5 hashes, exposing all user credentials to trivial offline cracking upon any database compromise. All versions prior to 2.9.1 are affected (CPE: cpe:2.3:a:1panel-dev:maxkb). The CVSS 4.0 vector (AV:L/VC:H) confirms that while local or database-level access is a prerequisite, once hashes are obtained, full credential recovery is practically guaranteed using rainbow tables or GPU-accelerated tools such as hashcat - no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Cross-site scripting in the Joomla! Framework Filter package exposes applications to script injection through inadequately sanitized HTML attribute values in the checkAttribute methods. Authenticated users holding high-level privileges can inject malicious content that executes in the browser of any user who subsequently views the affected page. No public exploit has been identified at time of analysis, and an EPSS score of 0.01% at the 0th percentile confirms minimal current exploitation interest across the security community.
Inadequate HTML attribute sanitization in the cleanattributes() function of the Joomla! Framework Filter package exposes a cross-site scripting (XSS) vector across versions 1.0.0-3.0.5 and 4.0.0-4.0.1. An attacker holding high-privileged (administrative) access can inject malicious script content through unfiltered HTML attributes; when a victim user passively views that content, the payload executes in their browser, yielding high confidentiality impact (VC:H) consistent with session token or credential theft. No public exploit code exists and this vulnerability is not listed in CISA KEV, placing real-world risk well below what the CVSS 6.9 base score might initially suggest.
Authenticated blind SQL injection in Joomla! CMS's com_tags component allows high-privileged attackers to exfiltrate database contents by supplying maliciously crafted ORDER BY clauses that are not properly validated. Affected versions span two distinct release trains: the 4.x/5.x line (4.0.0 through 5.4.5) and the 6.x line (6.0.0 through 6.1.0), meaning the vulnerability persists across both legacy and current major releases. No public exploit code has been identified at time of analysis, and the EPSS score of 0.00% indicates negligible automated exploitation probability, though the high-privilege requirement significantly limits the realistic attacker pool.
Pre-Account Takeover in Chatwoot's OmniAuth integration affects all releases from 2.14.0 through 4.12.x, allowing an attacker who pre-registers a victim's email address to retain persistent login access after the legitimate owner authenticates via Google OAuth. The OAuth callback controller failed to invalidate attacker-set password credentials when confirming a pre-existing unconfirmed account, leaving the attacker's session viable indefinitely. No public exploit identified at time of analysis and EPSS is 0.04% (12th percentile), consistent with SSVC's 'Exploitation: none' finding, though SSVC rates technical impact as 'total' given the attacker gains full workspace access including PII, API keys, and conversation history.
Out-of-bounds memory access in FastNetMon Community Edition through 1.2.9 allows an authenticated BGP peer to crash the monitoring process by sending a crafted UPDATE message. The parser in src/bgp_protocol.hpp correctly detects the RFC 4271 Extended Length flag but reads only one byte of the mandatory two-byte length field, silently truncating attribute lengths above 255 bytes and causing cascading misparse of subsequent BGP data. With CVSS availability impact rated High and SSVC confirming no known active exploitation, this is a targeted denial-of-service risk primarily affecting network operators using FastNetMon for DDoS detection - no public exploit code identified at time of analysis.
Missing authorization in Zyxel GS1200v3-series managed switches allows a LAN-based, unauthenticated attacker to read system configuration data from a log file by sending a crafted HTTP request to the device's web interface. All five GS1200v3 models are affected across their current firmware versions. No public exploit has been identified at time of analysis, and both EPSS (0.03%, 11th percentile) and SSVC exploitation status ('none') confirm no observed in-the-wild exploitation, placing this in the category of a real but low-urgency information disclosure risk confined to the local network segment.
Stored XSS in the Geo Mashup WordPress plugin (versions through 1.13.18) allows authenticated low-privileged users to persistently inject malicious JavaScript into pages served by the affected site. When a higher-privileged user - such as an administrator - views the content containing the stored payload, the script executes in their browser under a changed scope, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit has been identified at time of analysis, and an EPSS of 0.03% (10th percentile) combined with SSVC exploitation status of 'none' confirms very low current real-world exploitation activity.
Out-of-bounds read in FastNetMon Community Edition through 1.2.9 exposes network monitoring infrastructure to unauthenticated remote attack via malformed NetFlow v9 UDP packets. The vulnerability resides in the options template parser (process_netflow_v9_options_template()), where attacker-controlled length fields - option_scope_length and option_length - drive iteration loops with no bounds validation, enabling reads past the end of the UDP packet buffer. With a CVSS vector of AV:N/AC:L/PR:N/UI:N and SSVC automatable:yes, mass exploitation is technically feasible, though EPSS sits at 0.03% (9th percentile) and no public exploit or KEV listing has been identified at time of analysis.
Broken access control in e107 CMS prior to version 2.3.4 permits any low-privileged authenticated user to overwrite comments authored by other users, including administrators. The server-side updateComment() function in comment_class.php accepted a comment_id from the request and issued an UPDATE SQL query filtered only by that identifier, never verifying that the requesting user owned the targeted comment. A proof-of-concept exploit exists per SSVC data, though EPSS stands at a low 0.03% (8th percentile) and no active exploitation is confirmed in CISA KEV, indicating currently limited in-the-wild activity.
Unauthenticated write access to patient electronic health records in epa4all-client 1.2.4 and earlier exposes German Telematik Infrastruktur (ePA 3.0) deployments to unauthorized data manipulation. The REST adapter component ships with no authentication or authorization controls, allowing any adjacent-network caller to write arbitrary documents to any patient EHR accessible via the institution's SMC-B card. No public exploit code has been identified at time of analysis, but the CVSS vector (AV:A/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and minimal technical complexity once network-adjacent.
CSRF protection bypass in e107 CMS prior to 2.3.5 allows unauthenticated remote attackers to perform unauthorized comment moderation actions by tricking an authenticated user into visiting a malicious page. The root flaw is in session_handler::check(), which skips CSRF token validation entirely when no token is submitted, rather than rejecting the tokenless request - effectively making CSRF protection opt-in from the attacker's perspective. A proof-of-concept exists per SSVC data; the vulnerability is not listed in CISA KEV and carries a very low EPSS score of 0.01% (3rd percentile), indicating limited observed exploitation in the wild.
Unvalidated jarURI handling in Apache Flink Kubernetes Operator exposes authenticated low-privilege users to server-side request forgery and arbitrary file read primitives against the operator pod. Any Kubernetes principal holding Custom Resource create permissions can submit a malicious FlinkSessionJob CR with a crafted jarURI - pointing to local filesystem paths, internal cloud metadata endpoints, link-local addresses, or any backing store reachable through Flink's pluggable filesystem layer - and retrieve that content via the submitted job. No public exploit has been identified at time of analysis, and EPSS sits at 0.01% (3rd percentile), but the confidentiality impact is rated High by NVD given the breadth of accessible internal resources.
NVIDIA Display Driver for Linux exposes a denial-of-service condition in the Multi-Instance GPU (MIG) partition management subsystem, rooted in insecure default initialization of memory subsystem routing resources (CWE-1188). A local authenticated user - with low privileges on a Linux system running MIG-enabled Tesla, GeForce, RTX/Quadro/NVS, or Virtual GPU Manager driver branches - can trigger a hang or data corruption during partition reconfiguration, potentially disrupting all GPU workloads sharing the affected physical GPU. No public exploit code exists and this vulnerability is not in CISA KEV; EPSS sits at 0.01% (2nd percentile), indicating no observed mass exploitation at time of analysis.
Denial of service in NVIDIA Display Driver for Windows and Linux stems from improper lock management (CWE-667), where an attacker with local low-privilege access can leak held driver locks, potentially crashing or hanging the driver stack and denying GPU availability system-wide. Scope is changed (S:C), meaning the impact extends beyond the vulnerable component to the broader kernel or hypervisor layer. No public exploit identified at time of analysis and no CISA KEV listing; EPSS at 0.01% (1st percentile) and SSVC exploitation status of 'none' consistently signal low near-term exploitation likelihood.
Out-of-bounds memory read in FastNetMon Community Edition through 1.2.9 exposes sensitive process memory and can crash the collector when processing crafted NetFlow v9 packets. The NetFlow v9 data flowset parser in src/netflow_plugin/netflow_v9_collector.cpp omits the per-iteration boundary check present in the sibling Options template branch, allowing a network-adjacent attacker who can deliver UDP NetFlow v9 packets to the collector to supply malicious template definitions that drive the parser past the end of the packet buffer. No public exploit code or confirmed active exploitation has been identified at time of analysis, but a security researcher blog post at lorikeetsecurity.com documents the code-level flaw, raising the disclosure surface.
Stored cross-site scripting in IBM Cognos Analytics and Cognos Transformer's Administration interface allows an authenticated low-privileged user to inject persistent JavaScript payloads into the Web UI, which then execute in the browser sessions of other users - including higher-privileged administrators - potentially leading to credential theft or session hijacking. Affected are Cognos Analytics versions 11.2.0, 12.0, and 12.1.0, and Cognos Transformer versions 11.2.4, 12.0, and 12.1.0. No public exploit identified at time of analysis, and the EPSS score of 0.03% (8th percentile) combined with SSVC exploitation status of 'none' indicates very low observed exploitation pressure.
Heap-based buffer overflow in Hitachi Energy MACH HiDraw's XML parser allows a low-privileged, locally authenticated attacker to corrupt heap memory by inducing a victim to open a specially crafted XML file, with a primary impact of high availability loss (application crash) and limited confidentiality and integrity compromise. Affected versions span MACH HiDraw 9.0 through versions prior to 9.22 per EUVD-2026-31812. No public exploit identified at time of analysis, and an EPSS score of 0.01% (3rd percentile) combined with an SSVC exploitation status of 'none' confirm minimal current real-world exploitation activity.
Improper access control in Joomla! CMS com_scheduler component permits low-privileged authenticated backend users to modify the task types of existing scheduler tasks, an operation that should be restricted to higher-privileged administrators. Affected versions span Joomla! 4.1.0 through 5.4.5 and 6.0.0 through 6.1.0. While no public exploit code exists and CISA KEV has not confirmed active exploitation, the high subsequent-system impact scores (SC:H/SI:H/SA:H) in the CVSS 4.0 vector indicate that tampering with scheduler task types can produce significant integrity and availability consequences beyond the immediately vulnerable component.
Server-side request forgery in MaxKB v2.8.0 and earlier allows authenticated low-privilege users to reach internal network services by exploiting an URL parsing inconsistency at the OSS file fetch endpoint. The discrepancy between Python's urlparse validation logic and the requests HTTP client means a crafted URL can pass security checks yet still route to internal infrastructure when executed by the server. No public exploit or KEV listing exists at time of analysis; the vendor has confirmed and patched the issue in 2.8.1.