The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ticket_id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tick_lat and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the frm_passwd. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the feature_id parameter of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the release_id parameter of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
HaPe PKH 1.1 contains multiple SQL injection vulnerabilities in admin/media.php that allow attackers to manipulate database queries by injecting SQL code through the 'id' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
E-Registrasi Pencak Silat 18.10 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id_partai. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'desa' POST parameter sent to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'nama_kelompok' POST parameter sent to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Zechat 1.5 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the uname parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
HaPe PKH 1.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by bypassing file type validation. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Heatmiser Wifi Thermostat 1.7 contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve administrative credentials by accessing the networkSetup.htm page. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to delete arbitrary records by sending a crafted request that specifies the target. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Free MP3 CD Ripper 2.8 contains a stack-based buffer overflow vulnerability in WMA file processing that allows local attackers to bypass DEP protection via structured exception handling manipulation. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Hardcoded administrative credentials in Jinan USR IOT (PUSR) USR-W610 RS232/485-to-Wi-Fi/Ethernet serial converter firmware allow remote unauthenticated attackers to gain full administrative control of affected industrial gateway devices. The CVSS 9.8 rating reflects network-reachable, no-interaction exploitation against an OT/ICS device class typically deployed in serial-to-IP bridging roles, and no public exploit identified at time of analysis, though credential recovery via firmware extraction is straightforward for any researcher.
Stack-based buffer overflow in TRENDnet TEW-432BRP wireless router firmware 3.10B20 allows authenticated remote attackers to corrupt memory via the peerPin parameter handled by the formWPS function in /goform/formWPS, potentially leading to arbitrary code execution or device crash. Publicly available exploit code exists, and the vendor has explicitly declined to issue a fix as the device has been end-of-life since 2009. No CISA KEV listing or EPSS score is provided, but the combination of public POC and unpatchable status materially elevates real-world risk for any device still deployed.
Stack-based buffer overflow in TRENDnet TEW-432BRP router firmware 3.10B20 allows authenticated remote attackers to corrupt memory by sending crafted ip, mask, or gateway parameters to the formSetRoute handler at /goform/formSetRoute, potentially achieving arbitrary code execution on the device. Publicly available exploit code exists (disclosed via VulDB and a GitHub PoC), and because the product has been end-of-life since 2009 the vendor has explicitly declined to issue a fix. No active exploitation has been confirmed via CISA KEV at time of analysis.
Navigate CMS 2.8.5 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by injecting directory traversal sequences in the id parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Unauthenticated administrator password reset in KMW KM-IP521 and KM-IP421 CCTV cameras allows remote network-based attackers to reset the admin credential to a known value and obtain full control of the device, including live video feeds and configuration. The flaw is classified under CWE-620 (Unverified Password Change) and was disclosed via CISA's ICS-CERT coordination channel with a CVSS 9.1 rating. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the trivial attack complexity and lack of authentication make it high-priority for any internet- or LAN-exposed deployments.
MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries through the nomor, user, and jenis parameters in the log_activity. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Unauthenticated BLE access to the Fourth Frontier X2 wearable cardiac monitor allows attackers within radio range to read and write critical GATT characteristics without pairing, enabling control of device functions and injection of fabricated health telemetry. The companion Frontier X Android and iOS applications additionally fail to authenticate paired devices, letting an attacker impersonate a legitimate X2 and feed falsified heart rate, breathing rate, and strain data into a victim's mobile app. No public exploit identified at time of analysis, and the issue is tracked under CISA ICS-MA-26-148-01.
Authentication bypass via hard-coded credentials in Danelec MacGregor Voyage Data Recorder (VDR) G4e allows attackers with adjacent-network access to log in using undocumented default accounts and gain high-impact access to confidentiality and integrity of recorded voyage data. The flaw was disclosed via CISA ICS-CERT advisory ICSA-26-148-01 and carries a CVSS v4.0 score of 8.7, with no public exploit identified at time of analysis and no CISA KEV listing.
Hardcoded default credentials in the Danelec MacGregor Voyage Data Recorder (VDR) G4e allow adjacent attackers to gain administrative access to the maritime black-box recorder without any password change being enforced at deployment. The flaw was reported through ICS-CERT (advisory ICSA-26-148-01) and carries a CVSS 4.0 score of 8.7, reflecting high confidentiality and integrity impact over an adjacent network with no privileges or user interaction required. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stored cross-site scripting in CP Plus 1xxx series Network Video Recorder (NVR) devices, specifically the CP-UNR-108F1 hardware/web/system components, allows authenticated high-privileged attackers to inject persistent JavaScript payloads into backend storage that execute in administrators' browsers on page load. With CVSS 8.4 and a Scope:Changed vector, successful exploitation enables session hijacking, unauthorized administrative actions against the video surveillance device, and theft of footage or credentials. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Remote unauthenticated command injection in the Acer Predator Connect W6x router enables root-level code execution via crafted MQTT messages, scoring a maximum 10.0 CVSS v4.0 across all impact metrics including subsequent system impact. The flaw was disclosed by Acer and tracked in the ENISA EUVD as EUVD-2026-33269, but no public exploit identified at time of analysis. Affects firmware W6x_GBL_2.00.000005 and earlier, with no special authentication or user interaction required.
Remote code execution in the vm2 Node.js sandbox library (versions <= 3.11.3) allows sandboxed JavaScript to escape isolation and execute arbitrary commands on the host. The flaw stems from a missing resetPromiseSpecies call in the localPromise swallow tail, letting a sandbox subclass hijack Promise species resolution and capture a raw host-realm RangeError that exposes the host Function constructor. Publicly available exploit code exists (POC published in the advisory), though no public exploit identified at time of analysis as actively exploited in the wild; given vm2's heavy use as an untrusted-code sandbox in SaaS, CI, and serverless platforms, this is a top-priority issue.
Sandbox escape in vm2 (npm package, versions <= 3.11.3) allows full remote code execution by bypassing the GHSA-8hg8-63c5-gwmx (CVE-2023-37903) patch through omission of the require option when nesting:true is set. Publicly available exploit code exists in the GHSA advisory itself, and with a CVSS of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C) any application passing untrusted code to a NodeVM configured this way is trivially compromised on the host.
Sandbox escape leading to remote code execution in vm2 NodeVM versions 3.11.3 and earlier allows attackers running untrusted JavaScript inside the sandbox to break out via two missing entries in the dangerous-builtin denylist: `process` (whose `getBuiltinModule()` reloads any core module, including `child_process`) and `inspector/promises` (whose `Session().post('Runtime.evaluate', ...)` evaluates code in the host realm). The flaw is exploitable only when the embedder allows `process`, `inspector/promises`, or wildcard `*` in `require.builtin`. Publicly available exploit code exists (PoC published with the advisory), and a patch is available in vm2 3.11.4; no public exploit identified at time of analysis as actively used in the wild.
Sandbox escape in the vm2 Node.js sandbox library (versions <= 3.11.3) allows untrusted JavaScript executed inside a vm2 VM to reach the host realm and achieve arbitrary code execution. By chaining Buffer.call.call indirection with __lookupGetter__/__lookupSetter__ to obtain host Object.prototype.__proto__ accessors and using a WebAssembly.compileStreaming rejection to surface a host TypeError, an attacker severs a host prototype chain, causing the bridge's proto-walk to return the raw host error unwrapped - yielding e.constructor.constructor as host Function and full RCE. Publicly available exploit code exists (advisory ships a working PoC); CVSS is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Remote code execution in Dokploy 0.27.0 through 0.29.2 allows unauthenticated attackers to forge email-verification JWTs using a hardcoded BETTER_AUTH_SECRET fallback ('better-auth-secret-123456789'), auto-sign-in as admin, and run arbitrary commands on the host through the built-in SSH terminal. The flaw carries a CVSS 10.0 score with network attack vector and no required privileges, and while no public exploit is identified at time of analysis, the trivially guessable secret makes weaponization straightforward.
Credential disclosure in the Acer Wave 7 router (firmware T7c_GBL_1.01.000055 and earlier) exposes the acer_cgi.log file over the web interface without authentication, leaking cleartext web and Telnet login credentials to any network-reachable attacker. With CVSS 4.0 of 10.0 and a vector indicating no privileges or user interaction, exploitation enables full device takeover; no public exploit identified at time of analysis, but the trivial nature of fetching a log file makes weaponization straightforward.
Authentication bypass in Acer Predator Connect W6x routers (firmware W6x_GBL_2.00.000005 and earlier) allows remote unauthenticated attackers to reach app-facing web endpoints by sending an HTTP Authorization header whose Base64 payload is intentionally malformed, because the endpoint treats a decoding failure as a pass rather than a rejection. The CVSS 4.0 score of 10.0 (AV:N/AC:L/PR:N/UI:N with high confidentiality, integrity, availability impact on both vulnerable and subsequent systems) reflects full takeover potential against an internet-reachable consumer/SOHO router, though no public exploit identified at time of analysis.
Hardcoded AES encryption key in the upload.cgi binary of the Acer Wave 7 router (firmware T7c_GBL_1.01.000055 and earlier) allows remote unauthenticated attackers to decrypt, tamper with, and re-encrypt device backup files, enabling persistent backdoor injection on affected devices. The CVSS 4.0 score of 10.0 reflects full compromise of confidentiality, integrity, and availability across both the vulnerable component and downstream subsequent systems. No public exploit identified at time of analysis, and CISA SSVC reports exploitation status as 'none', though the issue is flagged as automatable with total technical impact.
Unauthenticated backup file disclosure in Suprema BioStar 2 server (versions 2.9.3 through 2.9.11) allows remote attackers to download sensitive backup ZIP archives directly via predictable '/download/' URLs when the administrator places the backup path inside the NGINX webroot. The exposed archives can contain database credentials and cryptographic material enabling server impersonation, database compromise, and lateral movement. No public exploit identified at time of analysis, but SSVC rates the flaw as automatable with total technical impact and CVSS 4.0 scores it 10.0.
Path traversal in Remote Spark SparkView before build 1127 enables remote attackers to read and write arbitrary files as root through the RDP drive redirection component, leading to full remote code execution. CVSS 4.0 scores this 10.0 with no public exploit identified at time of analysis, though SSVC marks it automatable with total technical impact. Depending on the deployment, exploitation can be performed without authentication, making vulnerable internet-facing instances a high-priority patching target.
Authenticated OS command injection in Dokploy 0.28.8 and earlier lets any organization member execute arbitrary system commands on remote servers managed by the PaaS via the /listen-deployment WebSocket endpoint, resulting in full server compromise. With a CVSS 9.9 (scope changed) and low-privilege precondition, the flaw effectively turns any low-tier org account into a foothold on every connected host. No public exploit identified at time of analysis, but the vendor security advisory (GHSA-r73h-qr3p-hf7f) confirms the issue.
Remote code execution in Mautic 7 allows authenticated users with the campaign:imports:create permission to write arbitrary PHP files outside the intended extraction directory via a malicious ZIP uploaded through the campaign import feature. The flaw is a path traversal in the ZIP extraction routine that can be leveraged to overwrite cache or configuration files, yielding code execution as the web server user. No public exploit identified at time of analysis, and the CVSS 9.9 score reflects the combination of low attack complexity, scope change, and full CIA impact.
Server-Side Template Injection in Mautic's theme engine allows authenticated users with theme creation or upload permissions to execute arbitrary code on the host. Because the platform renders uploaded Twig templates without a sandbox or strict function allowlist, an attacker who already holds theme-management rights can pivot from administrative content control to full server compromise, including reads of restricted system files and configuration. No public exploit identified at time of analysis, and the issue has not been listed in CISA KEV.
Authenticated path traversal in Dokploy v0.26.5 and earlier (CWE-22) enables arbitrary file write during application deployment, escalating to remote code execution when the affected instance uses the remote server deployment feature. With a CVSS 9.9 score reflecting scope change and full CIA impact, any user with deployment privileges can drop cron jobs onto remote hosts to fully compromise them, bypassing container isolation. No public exploit identified at time of analysis, though the vendor's own GHSA-66v7-g3fh-47h3 advisory characterizes the chain as critical.
Server-side template injection in RAGFlow 0.24.0 and earlier allows any authenticated user to execute arbitrary operating system commands on the host through the Jinja2-based prompt generator (rag/prompts/generator.py). Because RAGFlow installations commonly permit open self-registration, the practical barrier is minimal: an attacker registers an account, builds a Canvas workflow chaining a DuckDuckGo retrieval node with an LLM node, and triggers the SSTI to break out of the Jinja2 sandbox. No public exploit identified at time of analysis, but the vendor security advisory describes the chain explicitly.
Cross-tenant remote code execution in Dokploy 0.26.7 and earlier allows any authenticated user to hijack scheduled tasks belonging to other organizations and execute arbitrary scripts on the Dokploy host or managed remote servers. The schedule router fails to enforce organization and role authorization, so knowledge of a scheduleId/serverId is sufficient to create, modify, or trigger server-type schedules that run attacker-controlled shell commands. No public exploit identified at time of analysis, but the trivial authorization bypass combined with built-in script execution makes this a high-priority issue for multi-tenant Dokploy deployments.
HTTP response/header injection in cpp-httplib server versions prior to 0.44.0 allows remote unauthenticated attackers to smuggle CRLF sequences into stored header values, because the is_field_value validity check runs before percent-decoding lets %0D%0A through and expand to literal \r\n. The CVSS 9.9 score with Scope:Changed reflects the ability to influence downstream HTTP components, but no public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Remote code execution in PraisonAI praisonaiagents <=1.6.39 and PraisonAI <=4.6.39 allows authenticated attackers to fully escape the execute_code() subprocess sandbox by leveraging print.__self__ to reach the real builtins module and reconstructing __import__ at runtime. The flaw defeats prior patches for CVE-2026-39888, CVE-2026-34938, and CVE-2026-40158, enabling arbitrary OS command execution on the host wherever agent input can be influenced via prompt injection or direct code submission. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-4mr5-g6f9-cfrh), and EPSS/KEV signals are not yet published for this newly disclosed novel bypass.
Privilege escalation in Shopper headless e-commerce admin panel prior to version 2.8.0 allows any low-privilege authenticated panel user to seize full administrator control by chaining two distinct broken-authorization defects in the team settings module. By combining an unprotected Settings/Team/Index mount with a RolePermission write path that only checks the read-only view_users permission, an attacker can mint new roles, grant themselves manage_users and edit_orders, and delete legitimate administrators. No public exploit identified at time of analysis, but the bugs are straightforward to weaponize once panel credentials are obtained.