Code injection in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha allows a remote, unauthenticated attacker to execute attacker-controlled PHP through the htdocs/core/actions_addupdatedelete.inc.php request handler (CWE-94). The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates a low-effort, network-reachable, no-authentication attack, though all impact metrics are rated Low (C:L/I:L/A:L), suggesting the executable surface is constrained rather than full system takeover. There is no public exploit code confirmed in the provided data and the issue is not in CISA KEV (no observed exploitation per SSVC), but a referenced research write-up and a GitHub Security Advisory exist, and SSVC rates the flaw as automatable.
Heap buffer overflow in Tasmota IoT firmware (through version 15.3.0.3) lets a remote attacker corrupt heap memory by manipulating the Content-Length of a JPEG stream processed by the fetch_jpg() routine in the scripter driver. Because the length is stored in a 16-bit integer, values above 65535 wrap to a small number, so the firmware allocates an undersized buffer and then reads the full, larger payload into it. Publicly available exploit code exists (a dedicated GitHub repository), CISA's SSVC framework rates exploitation as proof-of-concept and automatable, but the issue is not in CISA KEV and no public active exploitation is identified.
Remote code execution in Tasmota firmware (v15.3.0.3 and all earlier releases) stems from an unbounded strcpy() into the fixed 40-byte jpg_task.boundary[40] buffer inside fetch_jpg() in the Scripter driver (xdrv_10_scripter.ino). A network attacker able to reach the device and trigger this code path can overflow the buffer and, per the vendor description, execute arbitrary code on the ESP-based device. Publicly available exploit code exists (a CVE-named GitHub repository), and CISA's SSVC framework rates exploitation as POC with the attack automatable; no active exploitation is confirmed.
Remote code execution in the affiliate-toolkit WordPress plugin ("Multi-Network Affiliate & Amazon Product Display") affects versions up to and including 3.8.5, letting authenticated users with Editor-level access or higher run arbitrary PHP on the host. The flaw stems from the bundled BladeOne template engine's runString() method, which compiles attacker-supplied template content into PHP and executes it through eval() with no sanitization or sandboxing. There is no public exploit identified at time of analysis and EPSS sits at a low 0.24%, but the technical impact is total because a successful injection yields full server-side code execution.
OS command injection in MB connect line / Helmholz mbNET and REX industrial remote-maintenance routers (mbNET.mini up to 3.0.2, REX200/250 and mbNET/mbNET.rokey up to 8.4.4, REX100 up to 3.0.2) lets a high-privilege authenticated user poison the device's configuration generator so that a tainted value is later passed unsanitized to a system execute call, producing arbitrary command execution with total loss of confidentiality, integrity and availability. The flaw was reported through CERT@VDE (advisory VDE-2026-054) and tracked as EUVD-2026-32151. There is no public exploit identified at time of analysis, EPSS is low (0.07%, 22nd percentile), and CISA's SSVC framework rates current exploitation as none.
Stored cross-site scripting in the LiteSpeed Cache plugin for WordPress (all versions through 7.7) lets attackers persist arbitrary JavaScript into a site's frontend by abusing the unauthenticated /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST endpoints, which store QUIC.cloud-supplied CSS to disk and later render it inline without escaping. Exploitation is conditional: the endpoints are protected by IP-based access control that only becomes bypassable in certain reverse-proxy, load-balancer, or CDN deployments. No public exploit identified at time of analysis, and EPSS is low (0.07%, 20th percentile), consistent with CISA SSVC marking exploitation status as 'none' despite 'automatable: yes'.
Stored cross-site scripting in the HBook hotel booking plugin for WordPress (all versions through 2.1.6) lets unauthenticated attackers persist arbitrary JavaScript through the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' booking parameters. The payload is stored server-side and fires in the privileged context of the HBook Customers admin page, so a no-privilege injection escalates into the administrator's browser session (reflected in the Scope:Changed rating that drives the 7.2 score). There is no public exploit identified at time of analysis and the EPSS probability is very low (0.06%, 17th percentile).
IBM QRadar 7.5.0 through 7.5.0 UP15 Interim Fix 002 could allow a privileged user to upload a malicious backup archive that could be restored and used to gain access to the underlying operating. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Web application firewall body-inspection bypass in CrowdSec (the AppSec component, versions 1.5.0 through 1.7.7) lets unauthenticated remote attackers slip malicious payloads past every body-scanning WAF rule. When a request uses HTTP/1.1 'Transfer-Encoding: chunked' or HTTP/2 without a content-length, the parser treats the body as empty, so rules matching REQUEST_BODY, BODY_ARGS, ARGS_POST, JSON, or XML silently fail and the request is forwarded as 'allow' with no WAF log entry. There is no public exploit identified at time of analysis and no KEV listing, but the trigger is trivial - flipping a single framing header - making this a high-confidence protection-mechanism failure rather than a memory-safety bug.
Arbitrary file read in Agent Zero before version 1.15 lets remote unauthenticated attackers retrieve files outside the agent workspace through the image-serving API (api/image_get.py), which validates only the file extension while the directory-containment check is commented out. Any file readable by the process and bearing an allowed image extension can be disclosed, and symlinks can be abused to reach non-image targets because the path is never canonicalized. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.
Reflected cross-site scripting in the EventPress WordPress theme (all versions before 22.2) lets unauthenticated attackers inject arbitrary JavaScript by abusing the unsanitized 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler, which echoes the value back into the response without escaping. An attacker who lures a logged-in user (typically an administrator working in the Customizer/admin context) to a crafted link executes script in that user's session, enabling actions such as session/cookie theft or admin-context operations. EPSS exploitation probability is very low (0.05%, 17th percentile), there is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Authentication bypass in Themeisle's 'Disable Comments for Any Post Types (Remove comments)' WordPress plugin (slug comments-plus), versions through 1.3.0, lets a low-privileged user abuse the password-recovery channel as an alternate authentication path. Classified CWE-288, the flaw carries a CVSS 7.1 with high availability impact and partial integrity impact. There is no public exploit identified at time of analysis, and EPSS is very low (0.05%, 16th percentile), indicating no observed mass exploitation.
Denial of service in OpenStack Swift's s3api middleware allows an authenticated S3 API user to permanently hang proxy-server workers by sending a truncated aws-chunked PUT request body. Versions 2.36.0 through 2.36.1 and 2.37.0 through 2.37.1 are affected; the defect was introduced in 2.36.0 and fixed in 2.36.2 and 2.37.2. There is no public exploit identified at time of analysis, and EPSS is very low (0.04%, 12th percentile), but the high availability impact and low attack complexity make this a credible operational threat to S3-compatible Swift deployments.
Denial of service in IBM Langflow OSS 1.0.0 through 1.9.0 lets a low-privileged, authenticated remote attacker drive uncontrolled resource consumption (CWE-400) to degrade or crash the service, with a high availability impact and a minor confidentiality exposure per the CVSS vector. The flaw is network-reachable, requires no user interaction, and needs only a low-privilege account. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was supplied.
Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 allows an authenticated database user to crash or exhaust the database engine by submitting a specially crafted query when the autonomous transactions feature is enabled. The flaw (CWE-770, uncontrolled resource allocation) carries a CVSS 7.1 with high availability impact but no confidentiality or integrity loss. There is no public exploit identified at time of analysis, and CISA SSVC rates exploitation as 'none', indicating no observed activity to date.
SQL injection in the mbCONNECT24 and myREX24V2 industrial remote-access portals (all variants at or below version 2.20.0) lets a low-privileged remote attacker read arbitrary database contents through the user_alarmprofile view, which fails to neutralize special characters in a SQL SELECT statement (CWE-89). Reported to CERT@VDE and tracked as VDE-2026-044/EUVD-2026-32148, the flaw causes total loss of confidentiality but does not affect integrity or availability. There is no public exploit identified at time of analysis, and EPSS scores it at the 11th percentile (0.03%).
SQL injection in the tag view of MB connect line's mbCONNECT24 and myREX24 remote-maintenance platforms (all variants through 2.20.0) lets a remote attacker manipulate a SQL SELECT statement to read arbitrary database contents, yielding a total loss of confidentiality (VC:H, with no integrity or availability impact). The CVSS 4.0 vector requires low privileges (PR:L), yet the description labels the flaw 'unauthenticated' - a discrepancy defenders should resolve against the vendor advisory before scoping risk. No public exploit is identified at time of analysis, EPSS is very low (0.03%, 11th percentile), and CISA's SSVC framework marks current exploitation as none.
SQL injection in the system_tag view of the mbCONNECT24 family of industrial remote-maintenance portals (mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual) versions 0.0.0 through 2.20.0 lets a remote attacker manipulate a SQL SELECT statement and read arbitrary database contents, yielding a total loss of confidentiality (CVSS 4.0 7.1, VC:H). The CVSS vector indicates a low-privileged account is required (PR:L), though the description text describes the flaw as 'unauthenticated' - this discrepancy should be verified with the vendor. There is no public exploit identified at time of analysis, and EPSS is very low (0.03%, 11th percentile), consistent with CISA SSVC scoring exploitation as 'none.'
SQL injection in MB connect line's mbCONNECT24/myREX24V2 industrial remote-maintenance portals (all versions up to and including 2.20.0) lets a low-privileged authenticated user read arbitrary database contents through the 'system view', where special characters are not neutralized inside a SQL SELECT command, yielding a total loss of confidentiality (CVSS 4.0 base 7.1). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; EPSS is very low at 0.03% (11th percentile), indicating limited near-term mass-exploitation likelihood. The flaw was reported by CERT@VDE and is tracked under advisory VDE-2026-044 and ENISA EUVD-2026-32145. Note the description calls it 'unauthenticated' while the CVSS vector specifies PR:L (low-privileged), a discrepancy that should be resolved with the vendor.
SQL injection in the devices_configuration view of MB connect line / Red Lion mbCONNECT24 and myREX24V2 remote-maintenance platforms (versions up to and including 2.20.0) lets a low-privileged remote user read arbitrary database contents. The CVSS 4.0 vector scores it 7.1 with high confidentiality impact and no integrity or availability impact, while EPSS rates exploitation probability at only 0.03% (11th percentile). No public exploit is identified at time of analysis and the issue is not in CISA KEV.
SQL injection in the dashboard view of MB connect line's remote-maintenance portals (mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual) lets a remote, low-privileged user inject crafted input into a SQL SELECT statement, yielding a total loss of confidentiality of the backend database. All versions up to and including 2.20.0 are affected. There is no public exploit identified at time of analysis and EPSS is very low (0.03%, 11th percentile), but the network-reachable, low-complexity nature of the flaw in internet-facing OT remote-access gateways warrants prompt remediation.
SQL injection in the alarming view of MB connect line's remote-maintenance platforms - mbCONNECT24, mymbCONNECT24, and the myREX24V2/myREX24V2.virtual portals up to and including version 2.20.0 - lets a remote, low-privileged user smuggle crafted input into a SQL SELECT statement and read arbitrary database contents, resulting in total loss of confidentiality. The CVSS 4.0 vector (PR:L) indicates a low-privileged account is required, even though the advisory text calls the flaw 'unauthenticated' - a discrepancy worth verifying. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 11th percentile), so this is a credible but not actively exploited issue.
SQL injection in MB connect line's remote-maintenance portals — mbCONNECT24, mymbCONNECT24, and the myREX24V2 / myREX24V2.virtual cloud variants (all versions up to and including 2.20.0) — lets a low-privileged remote attacker manipulate a SQL SELECT statement in the getWidgetTags function and read arbitrary database contents, causing a total loss of confidentiality. The flaw is confidentiality-only (no integrity or availability impact) and carries a CVSS 4.0 base score of 7.1. EPSS is very low (0.03%, 11th percentile) and CISA's SSVC framework rates exploitation as 'none'; there is no public exploit identified at time of analysis and it is not on CISA KEV.
SQL injection in the getProjectTags function of MB connect line's remote-maintenance platforms - mbCONNECT24, myREX24V2, mymbCONNECT24 and the myREX24V2.virtual appliance, all versions up to and including 2.20.0 - lets a remote attacker manipulate a backend SQL SELECT statement and read arbitrary database contents, causing a total loss of confidentiality (CVSS 4.0 base 7.1, VC:H with no integrity or availability impact). The flaw was coordinated through CERT@VDE and catalogued in the ENISA EUVD; there is no public exploit identified at time of analysis and the EPSS probability is very low (0.03%, 11th percentile). Note a source conflict on access level: the description calls the attacker 'unauthenticated' while the CVSS vector specifies PR:L (low-privilege authenticated).
SQL injection in the VerifyCreateLicences function of MB connect line's mbCONNECT24 / myREX24 remote-maintenance platforms (including the myREX24V2.virtual and mymbCONNECT24 variants, versions up to and including 2.20.0) lets a remote attacker holding a low-privilege account inject crafted input into a SQL SELECT statement and read arbitrary database contents, causing total loss of confidentiality. The CVSS 4.0 base score is 7.1 with high confidentiality impact but no integrity or availability impact. There is no public exploit identified at time of analysis, and EPSS rates exploitation probability very low at 0.03% (11th percentile).
SQL injection in the getComponentScalings function of MB connect line's mbCONNECT24/myREX24V2 remote-maintenance platforms (all variants at version 2.20.0 and earlier) lets a remote attacker manipulate a backend SQL SELECT statement to read arbitrary database contents, causing a total loss of confidentiality. The flaw was reported by CERT@VDE (advisory VDE-2026-044, EUVD-2026-32138) and the CVSS 4.0 vector indicates the attacker holds at least a low-privilege account (PR:L), although the description text confusingly also calls it 'unauthenticated.' No public exploit identified at time of analysis, and EPSS is very low at 0.03% (11th percentile), indicating no observed mass-exploitation interest.
SQL injection in the mbCONNECT24 industrial remote-access platform (and the sibling products myREX24V2, myREX24V2.virtual and mymbCONNECT24, all versions up to and including 2.20.0) lets a remote attacker abuse the getDeviceScalings function, where user input is concatenated into a SQL SELECT statement without proper neutralization (CWE-89). Successful injection yields a total loss of confidentiality, allowing extraction of arbitrary database contents, though integrity and availability are unaffected per the CVSS 4.0 vector (VC:H/VI:N/VA:N, score 7.1). There is no public exploit identified at time of analysis, and EPSS is very low at 0.03% (11th percentile).
Confidential data disclosure via SQL injection affects the mbCONNECT24 industrial remote-maintenance platform and its related variants (mymbCONNECT24, myREX24V2, myREX24V2.virtual) at versions up to and including 2.20.0. The flaw lives in the getProjectScalings function, where attacker-controlled input reaches a SQL SELECT statement, allowing extraction of arbitrary database contents and a total loss of confidentiality (CVSS 4.0 base 7.1, VC:H). The CVSS vector requires low-privilege access (PR:L), which conflicts with the description's claim of an 'unauthenticated' attack - a discrepancy defenders should resolve against the vendor advisory. There is no public exploit identified at time of analysis, and EPSS is very low (0.03%, 11th percentile), with CISA SSVC rating exploitation as 'none'.
SQL injection in MB connect line's remote-maintenance platforms - mbCONNECT24, myREX24V2, myREX24V2.virtual and mymbCONNECT24 at versions up to and including 2.20.0 - lets a low-privileged remote attacker manipulate the SQL DELETE command in the 'inmessage' model to read the entire backend database and delete rows from a non-critical table. The flaw yields full confidentiality loss and partial integrity loss but no availability impact, and is rated CVSS 4.0 7.1. EPSS is very low (0.03%, 11th percentile), there is no public exploit identified at time of analysis, and it is not on CISA KEV.
SQL injection in the MB connect line mbCONNECT24 / myREX24 family of industrial remote-maintenance gateways (all listed editions through 2.20.0) lets a low-privileged remote user feed crafted input into a SQL SELECT statement assembled by the saveObjectFromData function, exposing the full backend database for reading. Reported by CERT@VDE (advisory VDE-2026-044, EUVD-2026-32134), the issue is a confidentiality-only impact (CVSS 4.0 base 7.1, VC:H/VI:N/VA:N). No public exploit code and no CISA KEV listing exist at this time, and EPSS is very low (0.03%, 11th percentile), indicating no observed mass exploitation.
SQL injection in the saveDashboardLayout function of dash_layout.php in MB connect line's mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual remote-access platforms (all versions up to and including 2.20.0) lets a low-privileged remote attacker manipulate a SQL INSERT statement to read the entire backend database and write rows into a non-critical table. The flaw, reported by CERT@VDE (VDE-2026-044, EUVD-2026-32133), yields total loss of confidentiality and partial loss of integrity but no availability impact. EPSS is very low (0.03%, 11th percentile) and there is no public exploit identified at time of analysis, so this is a serious data-exposure bug rather than a mass-exploitation threat.
SQL injection in the saveDashboardLayout function of dash.php affects the mbCONNECT24, myREX24V2, mymbCONNECT24, and myREX24V2.virtual industrial remote-maintenance platforms in versions up to and including 2.20.0. Because user-supplied input is improperly neutralized inside a SQL INSERT statement, a remote attacker can read the entire backend database and write rows into a non-critical table, yielding full loss of confidentiality and partial loss of integrity. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.03%, 11th percentile).
SQL injection in the getDevicegroups function of MB connect line / Red Lion industrial remote-access products (mbCONNECT24, myREX24V2 and their hosted mymbCONNECT24 / myREX24V2.virtual variants, all versions up to and including 2.20.0) lets a low-privileged remote user inject crafted input into a SQL SELECT statement and read arbitrary database contents, yielding a total loss of confidentiality (CVSS 4.0 base 7.1, VC:H, VI:N, VA:N). The issue was reported by CERT@VDE and published as advisory VDE-2026-044 / EUVD-2026-32161; no public exploit has been identified and EPSS is very low (0.03%, 11th percentile), indicating no observed widespread exploitation. Note a source discrepancy: the description labels the flaw 'unauthenticated' while the CVSS vector requires low privileges (PR:L) - this should be verified with the vendor.
Information disclosure via SQL injection affects the Easy View feature of MB connect line's remote-maintenance portals (mbCONNECT24, mymbCONNECT24, myREX24V2, and myREX24V2.virtual) in versions up to and including 2.20.0. A remote attacker holding a low-privileged account can inject crafted input into a SQL SELECT statement to read arbitrary database contents, resulting in total loss of confidentiality. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.03%, 11th percentile), indicating no observed widespread exploitation activity.
DOM-based cross-site scripting in the VikBooking Hotel Booking Engine & PMS WordPress plugin (all versions up to and including 1.8.9) lets a remote, unauthenticated attacker run arbitrary JavaScript in a victim's browser when the victim is lured into interacting with a crafted link or page. Because the script executes client-side with changed scope (S:C), it can affect resources beyond the vulnerable component, such as the WordPress admin or booking sessions. EPSS is very low (0.03%, 10th percentile) and there is no public exploit identified at time of analysis, so this is a real but lower-urgency client-side issue rather than a mass-exploitation threat.
Stored cross-site scripting in the Affiliate Super Assistent WordPress plugin (slug: amazonsimpleadmin, by Timo) affects all versions from initial release through 1.10.1, letting attackers persist malicious JavaScript that runs in the browser of any user who later loads the affected page. With a scope-changed CVSS of 7.1 (AV:N/AC:L/PR:N/UI:R), the payload can be planted without authentication but only fires when a victim views the rendered content. EPSS is very low (0.03%, 10th percentile) and there is no public exploit identified at time of analysis, consistent with CISA's SSVC rating of no observed exploitation.
Reflected cross-site scripting in the Favicon plugin by RealFaviconGenerator (phbernard) for WordPress affects all releases up to and including version 1.3.46, allowing unauthenticated attackers to deliver a crafted link that, when opened by a victim, executes attacker-controlled JavaScript in that user's browser session. The CVSS 3.1 base score is 7.1, driven largely by a scope change (S:C) that lets the injected script reach resources beyond the plugin itself, though exploitation requires user interaction. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; EPSS is very low at 0.03% (10th percentile), indicating little observed exploitation interest so far.
DOM-based cross-site scripting in the Advanced IP Blocker WordPress plugin (IniLerm) affects all versions from initial release through 8.10.7, letting an unauthenticated remote attacker execute arbitrary JavaScript in a victim's browser when that victim is lured into triggering crafted input. Because the CVSS scope is marked changed (S:C), the injected script can affect resources beyond the vulnerable component, though confidentiality, integrity, and availability impacts are each rated low. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible at 0.03% (10th percentile).
Stored cross-site scripting in the Smart Online Order for Clover WordPress plugin by ZAYTECH (versions up to and including 1.6.0) lets attackers inject persistent JavaScript that executes when a victim - typically a store administrator - loads the affected page. Because the CVSS vector marks privileges as none (PR:N) but user interaction as required (UI:R), the malicious input can be planted without authentication and is triggered later when a privileged user views it. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.03%, 10th percentile), indicating exploitation is not currently widespread.
Reflected cross-site scripting in the Geo Mashup WordPress plugin (Dylan Kuhn) affects all versions up to and including 1.13.19, letting an unauthenticated attacker inject script that executes in a victim's browser when they click a crafted link. The CVSS 3.1 base score is 7.1 with a changed scope, reflecting that injected script can affect resources beyond the vulnerable component, though confidentiality, integrity, and availability impacts are each rated low. EPSS is very low (0.03%, 10th percentile) and there is no public exploit identified at time of analysis.
DOM-Based cross-site scripting in RealMag777's WPCS (Currency Switcher) WordPress plugin affects all versions through 1.3.1 (EUVD-2026-32184), allowing remote unauthenticated attackers to inject script that executes in a victim's browser when the victim is lured into a crafted interaction. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) reflects network-reachable, no-privilege exploitation that requires user interaction but crosses a security scope boundary. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 10th percentile), indicating little observed real-world targeting.
DOM-based cross-site scripting in the PropertyHive WordPress real-estate plugin (all versions up to and including 2.2.2) lets a remote, unauthenticated attacker inject script that executes in a victim's browser when they interact with a crafted link or page element. Reported through Patchstack's audit program and tracked as EUVD-2026-32180, the flaw carries a CVSS 7.1 rating driven largely by its changed scope, but EPSS rates exploitation probability at just 0.03% (10th percentile). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored cross-site scripting in the HT Contact Form 7 (ht-contactform) WordPress plugin by HT Plugins, affecting all versions up to and including 2.8.2, lets a remote unauthenticated attacker persist malicious script that later executes in the browser of a privileged user who views the stored data. The CVSS 3.1 base score is 7.1, elevated by a changed scope (S:C), but EPSS is only 0.03% (10th percentile) and there is no public exploit identified at time of analysis. Disclosed via Patchstack (audit@patchstack.com) and tracked as ENISA EUVD-2026-32186.
Reflected cross-site scripting in Jthemes' Themebox - Digital Products Ecommerce WordPress theme (versions through 1.4.2) lets an unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link. With CVSS 7.1 (scope-changed, low impact across confidentiality, integrity and availability), successful exploitation can hijack session context or perform actions in the WordPress admin/store context, though it requires the victim to click an attacker-supplied URL. No public exploit identified at time of analysis, and EPSS is very low at 0.03% (10th percentile), indicating minimal observed exploitation interest.
Reflected cross-site scripting in the RiceTheme Felan Framework WordPress plugin (all versions through 1.1.3) lets a remote unauthenticated attacker inject script that executes in a victim's browser when the victim follows a crafted link. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a low-complexity, network-reachable flaw requiring user interaction with a changed scope, scored 7.1. There is no public exploit identified at time of analysis, and EPSS is very low at 0.03% (10th percentile), consistent with the CISA SSVC assessment of no observed exploitation.
Local privilege escalation and kernel memory corruption in the Linux kernel's Exynos DRM (drm/exynos) vidi driver allows a low-privileged local user to access arbitrary kernel memory by exploiting an unsafe user pointer dereference in vidi_connection_ioctl(). The flaw affects multiple kernel branches up to 6.18.14 and is fixed in stable releases 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.77, 6.18.14, 6.19.4, and 7.0. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 7th percentile).
Out-of-bounds kernel heap read in the Linux kernel's RDMA/uverbs subsystem allows local low-privileged users with access to InfiniBand/RDMA device nodes to leak kernel memory or trigger a denial-of-service WARNING by submitting a crafted ib_uverbs_post_send command with an undersized or oversized wqe_size value. EPSS is very low (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but the bug is fixed upstream across multiple stable trees, so patched versions should be deployed where RDMA is exposed to untrusted local users.
Out-of-bounds read in the Linux kernel's ext4 filesystem driver allows a local attacker to read up to 3 bytes beyond a valid extended-attribute (xattr) region, potentially leaking adjacent kernel memory or crashing the system. The flaw lives in check_xattrs(), where a loose bounds check on the next xattr entry lets IS_LAST_ENTRY() perform a 4-byte read that overruns the buffer when parsing a crafted or corrupted ext4 xattr block. It is not in CISA KEV and no public exploit identified at time of analysis; EPSS is negligible at 0.02% (5th percentile), consistent with a low-impact local memory-safety bug that has already been patched upstream.
Out-of-bounds read in the Linux kernel's EROFS filesystem driver allows a local attacker to crash the system or potentially leak kernel memory by mounting a crafted EROFS image. The flaw stems from missing validation of the trailing dirent nameoff field, which can underflow during strnlen() and cause reads beyond the directory block. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available across multiple stable kernel branches.
Out-of-bounds read in the Linux kernel md/raid5 journal recovery path allows a local privileged user supplying a corrupted MD RAID5 journal device to trigger memory disclosure or kernel crashes during journal replay. The flaw exists in r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb(), which trusted on-disk payload size fields without validating them against the metadata block's remaining space. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02% (5th percentile).