Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted multipart form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Gate Pass Management System 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login and password parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Yot CMS 3.3.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the genre parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the year parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the quality parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the country parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the director parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the actor parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Open ISES Project 3.30A contains a path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files by manipulating the filename. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WinMTR 0.91 contains a denial of service vulnerability that allows attackers to crash the application by sending a malformed payload file containing a large buffer of repeated characters. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Buffer overflow in the Edimax BR-6478AC 1.23 router's web management interface allows remote attackers with low-level credentials to corrupt memory by sending an oversized selSSID parameter to the /goform/formQoS endpoint. Publicly available exploit code exists per VulDB, raising the practical risk despite the CVSS 4.0 base score of 7.4, though there is no public exploit identified at time of analysis in CISA KEV. The flaw threatens the confidentiality, integrity, and availability of affected SOHO routers and could lead to arbitrary code execution or device takeover.
Stack-based buffer overflow in Shibby Tomato router firmware (versions up to 1.28) allows remote attackers to corrupt memory in the ripd daemon via the rip_zebra_read_ipv4 function in the Zserv Handler component. Publicly available exploit code exists, and the project is end-of-life - superseded by FreshTomato - so no vendor patch will be released. CVSS 4.0 score of 7.4 reflects network attack vector with low complexity but requires low-privilege access (PR:L) per the vector.
Stack-based buffer overflow in TRENDnet TEW-432BRP 3.10B20 router firmware allows authenticated remote attackers to corrupt memory via the formSetDomainFilter handler at /goform/formSetDomainFilter by manipulating the blocked_domain, permitted_domain, blocked_domain_list, or permitted_domain_list parameters. Publicly available exploit code exists, and the vendor has stated the device has been end-of-life since 2009 and will not receive a fix, leaving any internet-exposed unit permanently vulnerable. No CISA KEV listing or EPSS data was provided, but the combination of public PoC and abandoned hardware materially elevates real-world risk.
Stack-based buffer overflow in TRENDnet TEW-432BRP 3.10B20 routers allows authenticated remote attackers to corrupt memory and likely execute arbitrary code by sending a crafted protocol_name argument to the formSetProtocolFilter handler at /goform/formSetProtocolFilter. Publicly available exploit code exists on GitHub, and the vendor has confirmed the device has been end-of-life since 2009 and will not receive a fix, leaving deployed units permanently vulnerable.
Stack-based buffer overflow in TRENDnet TEW-432BRP 3.10B20 router firmware allows remote authenticated attackers to corrupt memory and likely execute arbitrary code by sending crafted keyword_list or keyword parameters to the /goform/formSetUrlFilter endpoint. Publicly available exploit code exists on GitHub, and the vendor has explicitly refused to issue a fix because the device has been end-of-life since 2009. No CISA KEV listing at this time, but the combination of public PoC, network reachability, and unpatched status makes any internet-exposed device a standing target.
Stack-based buffer overflow in the TRENDnet TEW-432BRP wireless router (firmware 3.10B20) allows remote authenticated attackers to corrupt memory by manipulating the firewall_name parameter sent to /goform/formSetFirewallRule, potentially leading to arbitrary code execution on the device. Publicly available exploit code exists for this issue, and because the product has been end-of-life since 2009 the vendor has explicitly refused to release a fix, leaving any still-deployed devices permanently vulnerable.
Stack-based buffer overflow in TRENDnet TEW-432BRP 3.10B20 router firmware allows authenticated remote attackers to corrupt memory via the filter_name parameter of the formSetMACFilter handler at /goform/formSetMACFilter, potentially leading to arbitrary code execution or device compromise. Publicly available exploit code exists (published via GitHub), and the vendor has explicitly stated they will not patch because the device reached end-of-life in 2009. Despite a CVSS 4.0 score of 7.4, no CISA KEV listing or EPSS data is provided in the source intelligence.
Open STA Manager 2.3 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by manipulating the file parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Arm Whois 3.11 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized input string. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in sambitraj's Student Management System 1.0 exposes the login page to unauthenticated remote exploitation via a crafted email parameter, enabling attackers to manipulate backend database queries. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no user interaction, and no special conditions are required for exploitation. A public proof-of-concept exploit exists via a published GitHub issue, and the vendor has not responded to responsible disclosure - no patch is available at time of analysis.
SQL injection in code-projects Student Details Management System 1.0 exposes the application's database to unauthenticated remote attackers via the unsanitized `roll` parameter in /index.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network with no privileges or user interaction required, and a public proof-of-concept exploit is hosted on GitHub, materially lowering the barrier to exploitation. Impact is rated as partial across confidentiality, integrity, and availability (VC:L/VI:L/VA:L), though SQL injection primitives often enable escalation beyond the initial access implied by the base score.
Remote code execution in the Spectra Gutenberg Blocks WordPress plugin (versions up to and including 2.19.25) allows authenticated users with Contributor-level access or higher to execute arbitrary PHP on the server by abusing the plugin's block rendering logic. The flaw stems from the plugin trusting attacker-controlled block attributes to register a fake uagb/-prefixed block type with an arbitrary render_callback, which is then invoked via call_user_func() when a second block of the same type is rendered in the same request. No public exploit identified at time of analysis, but the low privilege bar (Contributor is commonly granted to untrusted guest authors) makes this a high-priority issue for sites with open registration.
Local privilege escalation in the Linux kernel eventpoll (epoll) subsystem stems from a use-after-free in ep_remove() where file->f_ep is cleared but the file pointer continues to be used inside the f_lock critical section, allowing a concurrent __fput() to free the underlying struct eventpoll and struct file. Successful exploitation yields an attacker-controllable kmem_cache_free() against the wrong slab cache, enabling memory corruption that can lead to high-integrity, high-confidentiality, and high-availability impact (CVSS 7.8). EPSS is very low (0.02%), no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Out-of-bounds read in the Zephyr RTOS SocketCAN implementation lets a local userspace application leak adjacent memory or crash the system by submitting a truncated CAN frame through the sendto syscall. The zcan_sendto_ctx() path guards the user-supplied buffer length only with a NET_ASSERT, which is compiled out of production builds, so socketcan_to_can_frame() then dereferences fields past the end of the buffer. All Zephyr versions up to and including 4.3 are affected; there is no public exploit identified at time of analysis and EPSS is negligible (0.01%, 2nd percentile).
SQL injection in the GEO my WP WordPress plugin (versions ≤4.5.5) allows unauthenticated remote attackers to append arbitrary SQL via the 'swlatlng' and 'nelatlng' query-string parameters, enabling extraction of sensitive database contents. The flaw stems from reading parameters directly from $_SERVER['QUERY_STRING'] with parse_str(), bypassing WordPress's wp_magic_quotes sanitization. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV, but exploitation requires only a public page hosting the Posts Locator results shortcode.
Authenticated privilege escalation to administrator in the Simple History WordPress plugin (versions through 5.26.0) allows a Subscriber-level user to read password-reset email contents logged by SimpleUserLogger and hijack admin accounts. The react/unreact event endpoints reuse a permission callback that only checks for a logged-in user, exposing full event context including reset URLs and keys. No public exploit identified at time of analysis, and exploitation requires that an administrator previously enabled the non-default experimental features option.
Stack-based buffer overflow in the Edimax BR-6478AC wireless router (firmware 1.23) allows remote attackers with low-privilege access to corrupt memory via a crafted pppUserName parameter sent to the formPPPoESetup handler at /goform/formPPPoESetup. Publicly available exploit code exists per VulDB, and the CVSS 4.0 vector (AV:N/AC:L/PR:L) indicates network-reachable exploitation with authentication, yielding high impact to confidentiality, integrity, and availability of the device. No active in-the-wild exploitation has been confirmed in CISA KEV at time of analysis.
Path traversal in the org.apache.sshd:sshd-git component of Apache MINA SSHD allows authenticated remote attackers to read files outside the intended Git repository directory by supplying crafted path references over SSH. The flaw was disclosed pre-NVD on the oss-security mailing list on 2026-05-30 by Apache maintainer Thomas Wolf, with no public exploit identified at time of analysis and no CISA KEV listing.
Authenticated command injection in Edimax BR-6478AC 1.23 firmware allows network-adjacent attackers with low-privilege credentials to execute arbitrary OS commands via the rootAPmac parameter in the formStaDrvSetup POST handler at /goform/formStaDrvSetup. The CVSS temporal vector confirms a public proof-of-concept (E:P) with reasonable confidence in the report (RC:R), while remediation level remains undefined (RL:X), indicating no vendor patch has been publicly acknowledged. No public exploit identified at time of analysis as confirmed actively exploited (CISA KEV), but publicly available exploit code exists, elevating practical risk for deployed devices.
Resource amplification in Text::LineFold (Unicode-LineBreak Perl distribution, versions through 2019.001) causes output to be duplicated proportionally to the number of Unicode special line break characters present in the input string. The fold() method incorrectly passes the entire input string to the break() function on each segment iteration, rather than passing only the current segment, producing amplified output that grows with each VT, FF, or similar line break character encountered. No public exploit has been identified at time of analysis and EPSS sits at the 0th percentile, but any application accepting untrusted input and passing it through fold() is exposed to potential denial of service.
Timer pool exhaustion in Open5GS up to 2.7.7 allows an authenticated remote attacker with low privileges to crash the UE authentication service via rapid HTTP/2 stream resets against the ue-authentications SBI endpoint. The root cause is CWE-404: response timers for outbound SBI transactions are not released when the originating inbound HTTP/2 stream closes prematurely (via RST_STREAM or connection drop), causing the timer pool to exhaust when a peer resets streams rapidly while upstream network functions are slow or unresponsive. No public exploit identified at time of analysis as KEV status, but a publicly available exploit code exists via GitHub issue #4473, and an upstream fix is available in PR #4578.
Denial-of-service via reachable assertion in Open5GS NRF (Network Repository Function) up to version 2.7.7 allows an authenticated low-privilege network peer to crash the NRF process with SIGABRT by submitting a crafted NFProfile registration payload with oversized inner-list arrays in SMF or AMF info sections. The NRF is a critical singleton service registry in 5G Service-Based Architecture - crashing it disrupts NF discovery for the entire 5G core, making the practical operational impact greater than the A:L CVSS impact rating alone suggests. Publicly available exploit code exists (GitHub issue #4469 and CVSS temporal E:P), though no confirmed active exploitation via CISA KEV has been recorded at time of analysis.
Denial of service in Open5GS NRF (Network Repository Function) through version 2.7.7 allows an authenticated network peer to crash the NRF process with SIGABRT by submitting a crafted SMF or AMF NF-profile registration containing oversized inner-loop arrays. The NRF's shared NF-profile parser in lib/sbi/nnrf-handler.c used reachable ogs_assert() calls - rather than graceful bounds checks - to enforce limits on DNN entries per S-NSSAI slice and TAC range entries per TAI range, making them triggerable by peer-supplied payloads. Publicly available exploit code exists (GitHub issue #4467); the CVSSv4 score of 2.1 reflects scoped low-availability impact but understates operational risk given the NRF's central role in 5G core service discovery.
Denial of service in Open5GS up to version 2.7.7 is triggerable by a low-privileged remote attacker via the `ogs_pool_id_calloc` function in the SBI nghttp2-server library, causing availability degradation of 5G core network functions. The CVSS temporal modifiers confirm both a public proof-of-concept (E:P) and an official remedy (RL:O). No public exploit identified at time of analysis as confirmed by CISA KEV, but the publicly available PoC on GitHub (issue #4474) materially lowers the exploitation barrier for actors with access to SBI endpoints.
Out-of-bounds write in Open5GS versions up to 2.7.7 allows a remote, low-privileged attacker to crash the NRF (Network Repository Function) component by sending a malformed SCP info payload, resulting in a denial-of-service condition. The vulnerability resides in the handle_scp_info function within the Shared NF-profile Parser (lib/sbi/nnrf-handler.c), a critical parsing path for 5G service-based interface communication. A public proof-of-concept exploit has been disclosed via the project's GitHub issue tracker, materially lowering the bar for exploitation against unpatched deployments.
Improper access control in TaleLin lin-cms-spring-boot through version 0.2.1 allows authenticated remote attackers to bypass authorization enforcement on the book API endpoint, gaining unauthorized read, write, and functional access to book resources. The flaw is rooted in BookController.java and tagged as an authentication bypass, suggesting privilege escalation beyond what the standard CVSS PR:L signal alone implies. A publicly available exploit exists via GitHub issue #336, no vendor patch has been released, and the maintainer has not responded to responsible disclosure - conditions that collectively elevate operational urgency despite the medium CVSS score of 6.3.
Reflected cross-site scripting in westboy CicadasCMS allows remote unauthenticated attackers to inject arbitrary JavaScript into a victim's browser via the unvalidated 's' search parameter in the Search function. All code up to and including commit 2431154dac8d0735e04f1fd2a3c3556668fc8dab is affected, with no patch released as of analysis - the vendor has not responded to the responsible disclosure. A publicly available exploit exists (CVSS E:P confirmed), elevating the urgency despite the moderate CVSS base score of 4.3.
Cross-site scripting in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 allows a high-privileged authenticated attacker to inject malicious script into the Name argument on the Dashboard Page, which executes in the browser of any user who subsequently views the affected page. The vulnerability requires both elevated privileges and victim interaction, placing real-world impact firmly in the low-to-negligible range despite network reachability. No public exploit identified at time of analysis as actively weaponized (no CISA KEV listing), though publicly available exploit code exists via a GitHub issue disclosure.
Uninitialized stack memory disclosure in Exim 4.88 through 4.99.3 allows remote unauthenticated attackers to read arbitrary stack memory contents by sending specially crafted short payloads to proxy-enabled SMTP listeners. The vulnerability is constrained to proxy configurations but requires no authentication and no user interaction (AV:N/AC:L/PR:N/UI:N), making it trivially reachable against exposed instances. No public exploit code or CISA KEV listing exists at time of analysis, and a vendor-released fix is available in Exim 4.99.4.
Insecure Direct Object Reference in Dolibarr ERP CRM 23.0.0-23.0.2 allows any authenticated low-privilege user to read another user's messaging records by manipulating the `id` parameter in `htdocs/user/messaging.php`. The commit diff confirms the endpoint performed zero ownership or permission validation before serving messaging data - any valid session could enumerate other users' messages by cycling numeric IDs. No public exploit code has been identified and this CVE does not appear in CISA KEV, but the vulnerability is trivially exploitable given its low complexity and minimal authentication barrier.