Unauthenticated information disclosure in FUXA 1.3.0 (web-based SCADA/HMI server, npm package fuxa-server) lets remote attackers retrieve full project configuration from the GET /api/project endpoint even when secureEnabled is turned on. The exposed data includes server-side script source code, device connection details, HMI view layouts with tag bindings, and alarm definitions. Publicly available exploit code exists (a single unauthenticated curl request demonstrated in the GitHub advisory), and the CVSS vector confirms unauthenticated network exploitation rated 7.5 (confidentiality-only impact); there is no public exploit identified as actively exploited in CISA KEV.
Heap buffer overflow in libjxl 0.12.0 lets remote attackers corrupt heap memory by feeding a crafted PBM/PNM image to the jxl::extras::DecodeImagePNM routine, which writes decoded rows into an output buffer without first checking that the buffer is large enough for the header-declared dimensions. The CVSS vector (AV:N/AC:L/PR:N/UI:N) describes unauthenticated, low-complexity exploitation with no user interaction, and CISA's SSVC framework rates it automatable with partial technical impact. Publicly available exploit code exists, though it is not listed in CISA KEV and no public exploit has been tied to active exploitation.
Unauthorized invocation of the database migration endpoint (/actions/app/migrate) in Craft CMS 5.9.5 and earlier lets remote, unauthenticated attackers reach functionality that should be gated behind administrative authorization. The flaw stems from a missing authorization check (CWE-862) rather than a credential bypass on the login flow, and publicly available exploit code exists, though it is not listed in CISA KEV. CVSS is 7.3 with Low impact across confidentiality, integrity, and availability, reflecting partial rather than total compromise.
Remote code execution in the WPCode WordPress plugin (versions through 2.3.5) lets authenticated author-level users run arbitrary PHP on the server. Because the plugin registers its 'wpcode' custom post type without a dedicated capability_type, WordPress falls back to standard post capabilities, so any author can create and publish PHP snippet posts via the XML-RPC wp.newPost method, which are later passed to eval() when rendered through the [wpcode] shortcode. EPSS is modest at 0.44% (63rd percentile) and there is no public exploit identified at time of analysis, but the low privilege bar and full CIA impact make this a high-priority patch for any multi-author site.
OS command injection in the @pensar/apex Node.js agent package (versions 0.0.58 and earlier) lets a remote, unauthenticated attacker run arbitrary operating-system commands by smuggling shell metacharacters into the smart_enumerate tool's url or extensions inputs. The vulnerable createSmartEnumerateTool() routine in src/core/agent/tools.ts builds a shell command string by concatenating those untrusted values and passes it to Node.js child_process.exec(), which spawns a shell that interprets the injected characters, executing them with the privileges of the agent process. CVSS is 8.8 (network vector, low complexity, no privileges, but user/agent interaction required); the source data shows no CISA KEV listing and no EPSS score, and a referenced researcher gist may contain proof-of-concept detail though exploit code is not confirmed in the structured input.
Unauthorized OS command execution in Tanium Connect allows an attacker holding low-privilege authenticated access to run arbitrary commands on the host, achieving full compromise of confidentiality, integrity, and availability. The CVSS 8.8 (network vector, low complexity, low privileges, no user interaction) reflects an authenticated remote code execution issue rooted in command injection (CWE-78). No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; EPSS data was not provided.
OS command injection in Tanium Connect lets an authenticated, low-privileged user execute arbitrary commands on the underlying host, yielding full confidentiality, integrity, and availability compromise (CVSS 8.8). The flaw affects Connect branches 5.26, 5.29, and 5.37 below their respective fixed builds and is tagged as RCE/Command Injection. There is no public exploit identified at time of analysis, and EPSS estimates exploitation probability at a low 0.07% (22nd percentile).
Arbitrary code execution in IBM Aspera High-Speed Transfer Server and Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1) arises from a stack-based buffer overflow in the asperahttpd component. An authenticated user with network access can corrupt memory in this HTTP handling component to run code in the context of the service, fully compromising confidentiality, integrity, and availability (CVSS 8.8). No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV; EPSS data was not provided.
Authentication/claim-validation bypass in Symfony's OidcTokenHandler (symfony/security-http 6.3.0–6.4.39, 7.4.0–7.4.11, 8.0.0–8.0.11) lets a validly-signed JWT that simply omits the aud, iss, and exp claims pass verification, because the handler never marks those claims as mandatory. Attackers holding such a token can be authenticated as a valid identity — for example a token issued for a different audience or one that should have expired is accepted. There is no public exploit identified at time of analysis, and EPSS is very low (0.05%, 16th percentile).
Authenticated role spoofing in Microsoft UFO's WebSocket control plane (version 3.0.1-4-ge2626659) lets any client holding the shared server token impersonate the higher-privilege "constellation" role and hijack tasks belonging to other connected devices. The server trusts the client_type and target_id values carried in each TASK message instead of binding them to the role established when the WebSocket connection registered, and it also permits duplicate client_id registration that overwrites a live peer's stored socket and role. Rated CVSS 8.8 (high) with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis.
Remote code execution in RELATE LMS (the inducer/relate web courseware platform) stems from its Celery task queue being configured to accept and unpickle untrusted messages (CELERY_ACCEPT_CONTENT included "pickle"). Because the code-execution sandbox lacks network isolation, an authenticated student can reach the message broker and deliver a malicious pickle payload that the worker deserializes, yielding arbitrary command execution on the host. No public exploit identified at time of analysis; the issue is corrected in commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb.
Arbitrary file disclosure in the Jenkins Email Extension Plugin (email-ext) versions 1933.v45cec755423f and earlier lets users who can control email content abuse the data-inline image attribute to supply file: URLs, causing the Jenkins controller to read local files and embed their contents as base64 inside outgoing emails. An authenticated attacker with rights to edit job email configuration or templates (CVSS PR:L) can exfiltrate controller secrets, credentials, and configuration. There is no public exploit identified at time of analysis and CISA's SSVC rates exploitation as none, but the CVSS 8.8 score and 'total' technical impact make controller secret theft a serious concern in shared Jenkins environments.
Privilege escalation in the Firebase Support & Chat Management WordPress plugin (all versions up to and including 3.1.1) lets any authenticated Subscriber-level user take over any other account, including Administrator. The plugin's acb_firebase_auth AJAX handler logs the request in as whatever WordPress account matches the attacker-supplied user_email parameter, never verifying the accompanying Firebase ID token. No public exploit was identified at time of analysis and the EPSS probability is very low (0.04%, 13th percentile), but the bug is trivially exploitable wherever the plugin is active and a low-privilege account can be obtained.
Privilege escalation in kvf-admin v1.0.0 allows authenticated remote attackers to elevate their privileges by abusing insecure permission checks within the UserController.java component. The flaw maps to CWE-639 (Authorization Bypass Through User-Controlled Key), and while publicly available exploit code exists per the referenced GitHub issue, EPSS is very low (0.04%, 13th percentile), indicating limited observed exploitation activity. No CISA KEV listing exists, so this is not confirmed actively exploited.
Out-of-bounds write in LibVNCClient (shipped in the LibVNCServer project, versions 0.9.15 and earlier) lets a malicious or compromised VNC server corrupt memory in any client that connects to it. The Tight encoding decoder's Gradient filter uses fixed 2048-pixel scratch buffers but never validates the server-supplied rectangle width, so a crafted FramebufferUpdate with a width above 2048 overruns those buffers, threatening confidentiality, integrity, and availability (CVSS 8.8). There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue is fixed by upstream commit 5b270544.
Privilege escalation in Red Hat Build of Keycloak allows low-privileged authenticated users to assume the permissions of a client's service account by submitting an oversized subject_token JWT to the TokenEndpoint. When the token exceeds the 4000-character limit it is silently discarded rather than rejected, causing the server to fall back to client-credentials authentication and grant the attacker the client's service-account scope. No public exploit identified at time of analysis and EPSS is very low (0.04%), but CVSS rates the issue 8.8 due to full CIA impact post-exploitation.
Hard-coded credentials in IBM Controller (versions 11.0.1, 11.1.0, 11.1.1, and 11.1.2) give attackers a static, embedded secret - a password or cryptographic key - that the product uses for inbound authentication, outbound communication, or encryption of internal data. Because the credential is the same across every deployment, an attacker who already holds low-level access (CVSS PR:L) can leverage it to gain full confidentiality, integrity, and availability impact (C:H/I:H/A:H) over the network. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation via OS command injection in pam_usb before 0.8.7 lets a low-privileged local user execute arbitrary commands as root. The flaw lives in src/tmux.c, which reads the attacker-controllable $TMUX environment variable and interpolates its socket-path component, unsanitised, inside a double-quoted string passed to popen(); a value containing a double-quote breaks out of the quoting and injects shell syntax that runs in the root-context PAM stack. No public exploit identified at time of analysis, and no EPSS or CISA KEV data was supplied, but the CVSS 8.8 (scope-changed) rating reflects straightforward, low-complexity root compromise.
Use-after-free in the Linux kernel Bluetooth subsystem (hci_event) allows an adjacent attacker within Bluetooth range to potentially achieve memory corruption against vulnerable hosts during SSP pairing. The flaw stems from missing hdev locking in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), where an hci_conn structure can be freed concurrently while still in use. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%).
Race condition in the Linux kernel's Intel VT-d IOMMU driver allows a local low-privileged attacker to trigger inconsistent PASID table state during domain replacement, potentially producing spurious IOMMU faults and unpredictable DMA behavior with cross-scope impact. The flaw stems from non-atomic updates to 512-bit PASID entries while the Present bit is set, and no public exploit identified at time of analysis despite a high CVSS score driven by the scope-changed local attack surface.
SQL injection in Pimcore's admin-ui-classic-bundle (versions <= 2.3.5) allows an authenticated user holding only the translations-view permission to read arbitrary database contents by injecting into the translation grid's date filter. The user-controlled 'property' field of the filter JSON is interpolated directly into a UNIX_TIMESTAMP(DATE(FROM_UNIXTIME(...))) expression at the POST /admin/translation/translations endpoint, behind only a trivially bypassable str_replace('--','') filter. A working proof-of-concept and publicly available exploit code exist; the reporter notes it can be chained with an unsafe-unserialize flaw (GM-249) to reach remote code execution. No EPSS score or CISA KEV listing was supplied.
Unauthorized file disclosure in Taipy 4.1.1 lets remote unauthenticated attackers read files outside an extension library's intended directory through the GUI ElementLibrary.get_resource() resource handler. The containment check used str.startswith() without a trailing separator, so a crafted request with traversal segments can resolve into a prefix-matching sibling directory on disk while still passing the flawed check. Impact is confined to confidentiality (file read), with no public exploit identified at time of analysis and no CISA KEV listing.
Denial of service in the Symfony Yaml component (symfony/yaml and the monolithic symfony/symfony) allows remote attackers to hang the parser via catastrophic regular-expression backtracking in Parser::cleanup(). Supplying a YAML document with an oversized %YAML directive header, leading comment, or document-start/end marker forces the CPU to spin for an arbitrarily long time (CWE-1333), stalling any application that parses attacker-influenced YAML. No public weaponized exploit is identified, though the advisory and patch tests disclose the trigger payloads; EPSS is low at 0.08%, and the issue is not on CISA KEV.
Uncontrolled memory consumption in the Symfony Yaml component lets remote attackers trigger a "Billion Laughs" denial-of-service by supplying crafted YAML in which collection aliases recursively reference other alias-bearing collections, expanding a tiny input into a multi-gigabyte structure that exhausts process memory. Affected versions include symfony/yaml and symfony/symfony < 5.4.52, 6.x < 6.4.40, and 7.x < 7.4.12 (with an 8.0.12 release also published). No public exploit identified at time of analysis and EPSS is low (0.08%), but the flaw is trivially reachable by any application parsing untrusted YAML with the affected component.
Unauthenticated SQL injection in Pi.Alert (a WiFi/LAN intruder detection and web-service monitoring tool by leiweibau) lets remote attackers manipulate backend database queries through the public devices.php endpoint. The flaw affects builds from 2024-06-29 up to the 2026-05-07 fix, and the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms it is trivially reachable over the network with no authentication or user interaction, while the high-confidentiality / no-integrity / no-availability impact (VC:H/VI:N/VA:N) indicates the primary risk is database disclosure. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was provided in the source data.
Argument (option) injection in Symfony Mailer's SendmailTransport lets a dash-prefixed recipient address be interpreted as a sendmail command-line flag, allowing an attacker who controls a recipient value to manipulate how the local sendmail binary is invoked. It affects symfony/mailer (and the monolithic symfony/symfony) before 5.4.52, 6.4.40, 7.4.12 and 8.0.12 when the transport runs in `-t` mode. No public exploit identified at time of analysis; EPSS is low (0.06%, 20th percentile) and the issue is not in CISA KEV, but the NVD CVSS 4.0 score is 8.7 (High) driven by a high integrity impact.
Arbitrary root code execution in Phoenix Contact PLCnext Control devices (all firmware before 2026.0.3) is reachable by an authenticated low-privileged Engineer user who installs APP packages from the PLCnext Store through the Web-based Management (WBM) interface. Because the device never verifies the integrity or signature of the downloaded app (CWE-347, tagged JWT Attack), a tampered package runs as root and can compromise the integrity and availability of the controller. No public exploit is identified at time of analysis and EPSS is low (0.06%, 18th percentile), but the flaw is network-reachable with low attack complexity and a vendor patch (2026.0.3) is available.
XML External Entity (XXE) local file disclosure in Symfony's DomCrawler component allows remote attackers to read arbitrary server-side files when an application parses attacker-controlled XML via Crawler::addXmlContent(). The method explicitly set DOMDocument::$validateOnParse = true, which re-enabled libxml DTD subset processing and external entity resolution; because LIBXML_NONET only blocks network fetches and not file:// entities, an entity such as SYSTEM "file:///etc/passwd" is expanded and its contents exposed. EPSS is very low (0.05%, 17th percentile) and there is no public exploit identified at time of analysis, though the vendor commit ships a demonstrative test case.
Unauthenticated SQL injection in mbCONNECT24 and the related MB connect line / Helmholz remote-maintenance portals (myREX24V2, myREX24V2.virtual, mymbCONNECT24) version 2.20.0 and earlier lets a remote attacker reach the getAccountData function and inject crafted input into its SQL SELECT statement. Because authentication is not required, an attacker can read arbitrary database contents, resulting in total loss of confidentiality, though integrity and availability are unaffected. There is no public exploit identified at time of analysis and EPSS is very low (0.05%, 15th percentile), so widespread opportunistic exploitation has not yet materialized despite the high CVSS 4.0 base score of 8.7.
Unauthenticated SQL injection in the mbCONNECT24 remote-maintenance platform (and the related myREX24V2, myREX24V2.virtual, and mymbCONNECT24 portals) at version 2.20.0 and earlier lets a remote attacker inject crafted SQL into a SELECT statement processed by the 'sync_data24' task, yielding a total loss of database confidentiality (CVSS 4.0 base 8.7). Because the CVSS vector confirms no privileges and no user interaction (PR:N/UI:N), any network-reachable client can attempt it. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), so widespread automated exploitation is not currently indicated.
Unauthenticated SQL injection in the mbCONNECT24 remote-maintenance portal (and the related myREX24V2, myREX24V2.virtual and mymbCONNECT24 products, all versions up to and including 2.20.0) lets a remote attacker read arbitrary data from the backend database by abusing the _mb24confi_getDevice function. The flaw requires no credentials, no user interaction and low attack complexity over the network (CVSS 4.0 score 8.7), but its impact is confined to confidentiality. There is no public exploit identified at time of analysis and the EPSS probability is very low (0.05%, 15th percentile), indicating no observed exploitation activity yet.
SQL injection in the mbCONNECT24 / myREX24V2 family of industrial remote-maintenance platforms (all editions at version 2.20.0 and earlier) lets unauthenticated remote attackers manipulate a SQL SELECT statement in the getAlarmProfiles function and read arbitrary database contents. The flaw (CWE-89) carries a CVSS 4.0 base score of 8.7 with a confidentiality-only impact and requires no authentication or user interaction. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.05%, 15th percentile), indicating no observed mass-exploitation pressure despite the high base score.
SQL injection in MB connect line's mbCONNECT24, mymbCONNECT24, and myREX24V2 remote-maintenance portals (all versions up to and including 2.20.0) lets an unauthenticated remote attacker inject crafted SQL through the _mb24confi_getTagAlarm function in mb24alarm.php, resulting in a total loss of database confidentiality. The CVSS 4.0 base score of 8.7 reflects network reach with no authentication or user interaction (AV:N/AC:L/PR:N/UI:N), but impact is scoped to confidentiality only (VC:H, VI:N, VA:N) - an attacker can read data but cannot directly alter or disrupt the system through this flaw. No public exploit identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), indicating no observed broad exploitation activity despite the high base score.
Unauthenticated SQL injection in the mbCONNECT24/myREX24 industrial remote-maintenance platform (all variants up to and including 2.20.0) lets remote attackers extract database contents through the _mb24api_getUserAccount API function via a crafted SQL SELECT command (CWE-89). The CVSS 4.0 score of 8.7 reflects a confidentiality-only impact (VC:H, VI:N, VA:N) reachable over the network with no authentication and no user interaction. No public exploit has been identified at time of analysis and EPSS rates exploitation probability very low (0.05%, 15th percentile), but the no-auth, network-reachable design makes credential and account-data theft a credible concern.
SQL injection in MB connect line's mbCONNECT24 remote-maintenance platform (and the related myREX24V2, mymbCONNECT24 and myREX24V2.virtual products through version 2.20.0) lets unauthenticated remote attackers read arbitrary database contents. The flaw lives in the _mb24confi_getTagAlarm function of dataapi.php, where attacker-controlled input is concatenated into a SQL SELECT statement, yielding a total loss of confidentiality. There is no public exploit identified at time of analysis, the EPSS probability is very low (0.05%), and the issue is not on CISA KEV; it was reported by CERT@VDE (advisory VDE-2026-044).
SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-maintenance platforms (versions up to and including 2.20.0) lets a remote, unauthenticated attacker read arbitrary database contents by manipulating the tagid parameter of the getLiveValues function. The CVSS 4.0 base score is 8.7 with a confidentiality-only impact (VC:H, VI:N, VA:N), and no public exploit has been identified at the time of analysis. EPSS is very low (0.05%, 15th percentile), and the issue is not in CISA KEV, so widespread automated exploitation is not currently indicated despite the network-reachable, no-auth attack surface.
Unauthenticated SQL injection in MB connect line's mbCONNECT24 and myREX24V2 industrial remote-maintenance portals (all editions through 2.20.0) lets remote attackers inject SQL through the 'sn' parameter of the getLiveValues function, producing a total loss of confidentiality. Disclosed via CERT@VDE advisory VDE-2026-044 and tracked as EUVD-2026-32112, the flaw carries a CVSS 4.0 base score of 8.7 and requires no authentication or user interaction, though it has no integrity or availability impact. No public exploit is identified at time of analysis and EPSS rates near-term exploitation probability low at 0.05% (15th percentile).
Unauthenticated SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-maintenance platforms (all variants at versions ≤2.20.0) lets a remote attacker inject crafted input into a SQL SELECT statement handled by the ssoabstractservice (single sign-on) component, yielding read access to backend database contents and a total loss of confidentiality. The flaw requires no authentication, no privileges, and no user interaction over the network. No public exploit has been identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), but the issue affects internet-exposed OT remote-access portals, raising its practical exposure.
SQL injection in the MB connect line / Red Lion remote-maintenance platform (mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual, all versions up to and including 2.20.0) lets a remote, unauthenticated attacker inject crafted SQL into the userinfo endpoint, resulting in total loss of confidentiality of the backing database. The flaw was reported by CERT@VDE (advisory VDE-2026-044) and tracked in the ENISA EUVD as EUVD-2026-32110. There is no public exploit identified at time of analysis and EPSS is very low (0.05%), but the CVSS 4.0 base score is 8.7 and CISA's SSVC framework rates the issue as automatable.
Stored cross-site scripting in the RELATE web courseware lets any enrolled student inject JavaScript that executes in an administrator's authenticated browser session, enabling full admin account takeover. The payload is planted via the freely editable first_name/last_name fields on the /profile/ page and fires when an admin opens the Participation list in the Django admin panel. No public exploit has been identified, but the root cause is confirmed in source and fixed upstream; with a CVSS of 8.7 and a scope-changing impact, this is a high-severity privilege-escalation issue.
Local privilege escalation in Phoenix Contact PLCnext controllers (AXC F 1152/1252/2152/3152, AXC F 2000 EA, RFC 4072R/4072S, EPC 1522, BPC 9102S, VL3 UPC 2440 EDGE) and the virtual PLCnext Control 500/1000/2000/3000 product lines before firmware 2026.0.3 allows a low-privileged local user to plant or modify configuration and application files in user-writable filesystem locations that a privileged service later consumes, gaining elevated privileges. The flaw (CWE-427) is rated CVSS 4.0 8.7 (High) but carries a very low EPSS of 0.03% (9th percentile). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authentication bypass in Nocturne Memory before 2.4.1 lets any network-adjacent client gain unauthenticated read/write/delete access to the full Knowledge-Graph API when operators deploy the default Docker configuration without setting API_TOKEN. Because the server binds to 0.0.0.0 with CORS allow_origins=["*"] and the BearerTokenAuthMiddleware silently disables auth on an empty token, an attacker on the same LAN can tamper with memory entries such as system://boot and core://* that auto-load into downstream MCP agent sessions, enabling persistent prompt-injection. There is no public exploit identified at time of analysis, and no EPSS or CISA KEV signal is present in the source data.
Predictable secure-key generation in Slican telephone exchanges (IPx, CCT-1668, MAC-6400, and CXS-0424 series) lets a remote unauthenticated attacker reconstruct the device's secure key from exchange properties that are readable without credentials, then derive administrator credentials. The flaw is network-reachable with low attack complexity and no authentication (CVSS 4.0 base 8.7), and while fixed firmware is available for supported lines, discontinued 4.xx and earlier units remain permanently exposed. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config permission inject arbitrary SQL through the custom-report column-config endpoint, which concatenates user-supplied 'sql', 'from', and 'where' fields directly into a query executed via Doctrine's fetchAssociative(). Because the controller returns raw database error messages in its JSON response, attackers can perform error-based extraction (e.g. EXTRACTVALUE) to read credentials and arbitrary tables, and can bypass the keyword denylist using inline /**/ comments to reach UPDATE/INSERT/DELETE - compromising confidentiality and integrity. Publicly available exploit code exists (a full PoC is published in the GitHub advisory); no CISA KEV listing or EPSS score is present in the provided data.
Path traversal in the VikBooking Hotel Booking Engine & PMS WordPress plugin (e4jvikwp) through version 1.8.9 allows remote unauthenticated attackers to delete arbitrary files on the host. The CVSS vector (A:H only, with C:N/I:N) and the Patchstack reference title both indicate the concrete impact is arbitrary file deletion rather than data disclosure, which can corrupt or take down the WordPress site. No public exploit has been identified and the EPSS score is very low (0.05%, 15th percentile), indicating this is not yet being broadly exploited despite the high 8.6 CVSS rating.
Arbitrary file disclosure in Synology Active Backup for Business (DSM add-on package, versions before 2.7.1-3234) lets unauthenticated remote attackers read sensitive files on the host via a SQL injection flaw (CWE-89). The vulnerability scores CVSS 8.6 with a changed scope and high confidentiality impact, but EPSS estimates only a 0.04% (14th percentile) exploitation probability, and there is no public exploit identified at time of analysis nor any CISA KEV listing. Synology, who self-reported the issue, has released a fixed package.
Authenticated command injection in TP-Link Archer BE450 v1 and BE7200 v1 routers lets an admin-level user run arbitrary OS commands with elevated privileges via the web management interface. The flaw stems from improper input validation (CWE-20): crafted input supplied through the management UI is passed to backend system commands without adequate sanitization, enabling full device compromise. There is no public exploit identified at time of analysis, and the CVSS 4.0 vector scopes exploitation to the adjacent network by an already-authenticated administrator.
Blind SQL injection in the Stylemix MasterStudy LMS WordPress plugin (all versions through 3.7.29) lets authenticated low-privilege users inject crafted SQL into a backend database query, enabling extraction of arbitrary database contents including user credentials and configuration secrets. The CVSS 8.5 (scope-changed) rating reflects that a successful injection can reach data beyond the plugin's own scope, i.e. the entire shared WordPress database. There is no public exploit identified at time of analysis and EPSS is very low (0.03%, 9th percentile), but the network-reachable, low-complexity nature of the flaw makes it a meaningful risk for sites that grant accounts to students or instructors.
Server-side request forgery in Budibase before 3.39.0 lets a builder-level user coerce the server into sending POST requests to arbitrary internal or external destinations. The flaw lives in the OAuth2 SDK's fetchToken function, which issues outbound requests via plain node-fetch and bypasses the blacklist.isBlacklisted guard that every other outbound path enforces, while the Joi validation on the OAuth2 token URL imposes no scheme or host restriction. No public exploit identified at time of analysis, and the issue is fixed in 3.39.0.
Blind SQL injection in the WordPress plugin Duplicate Page and Post (by Arjun Thakur) through version 2.9.5 lets authenticated low-privilege users inject crafted SQL into a database query, enabling extraction of arbitrary database contents including WordPress user hashes and secrets. The CVSS:3.1 base score is 8.5 with a changed scope, reflecting impact beyond the plugin into the shared WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported through the Patchstack research program.