Stack-based buffer overflow in the Totolink N300RH router (firmware 6.1c.1353_B20190305) allows remote attackers to corrupt memory via the KeyStr argument processed by the setWiFiBasicConfig function in wireless.so, reachable through the Web Management Interface. Publicly available exploit code exists, and the CVSS 4.0 vector indicates network-reachable, unauthenticated exploitation with high impact to confidentiality, integrity, and availability. No CISA KEV listing has been published, so exploitation is not confirmed in the wild despite the public PoC.
SQL injection in OpenCATS through 0.9.7.4 allows authenticated users to extract arbitrary database contents by injecting malicious SQL into the sortDirection parameter of ajax/getDataGridPager.php. Publicly available exploit code exists (Exploit-DB 52579, Packet Storm), and the issue was disclosed via a GitHub Security Advisory coordinated with VulnCheck. The CVSS 4.0 base score of 8.4 reflects high confidentiality impact with a subsequent-system scope change, though exploitation requires a valid low-privileged account.
Stack-based buffer overflow in Tenda W12 firmware 3.0.0.7(4763) allows remote attackers to corrupt memory in the embedded HTTP daemon by supplying a crafted Time argument to the set_local_time_0 function in /bin/httpd. Publicly available exploit code exists, and the CVSS 4.0 base score of 7.4 reflects high impact to confidentiality, integrity, and availability with low-privilege network access. No CISA KEV listing or EPSS score is provided, so widespread opportunistic exploitation is not confirmed at this time.
Stack-based buffer overflow in Tenda W12 firmware 3.0.0.7(4763) allows remote authenticated attackers to corrupt memory in the embedded HTTP daemon by supplying an oversized wifiMacFilterSet.macList.mac parameter to the cgiWifiMacFilterSet handler in /bin/httpd. Publicly available exploit code exists, raising the practical risk of device compromise, denial of service, or potential code execution on affected access points, though no CISA KEV listing or active exploitation has been confirmed.
Stack-based buffer overflow in Tenda W12 firmware 3.0.0.7(4763) allows authenticated remote attackers to corrupt memory in the embedded HTTP daemon via the 'sec' parameter of the cgiSysTimeInfoSet handler. Publicly available exploit code exists for this issue, raising the practical risk for exposed management interfaces despite no public exploit identified at time of analysis in the CISA KEV catalog.
Stack-based buffer overflow in Tenda W12 firmware 3.0.0.7(4763) allows remote attackers with low privileges to corrupt memory via the staMac parameter processed by the cgistaKickOff function in /bin/httpd. Publicly available exploit code exists (hosted at cdn2.v50to.cc), elevating practical risk despite no current CISA KEV listing. The CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact achievable over the network against this enterprise wireless access point.
Stack-based buffer overflow in TRENDnet TEW-432BRP 3.10B20 router allows remote attackers with low privileges to corrupt memory via the enrollee parameter in the formWlanSetup handler at /goform/formWlanSetup. Publicly available exploit code exists, and the vendor has explicitly declined to patch because the device reached end-of-life in 2009. No CISA KEV listing is present, but the combination of public PoC, network-reachable attack surface, and permanent unpatched status makes any internet-exposed unit a standing risk.
Stack-based buffer overflow in TRENDnet TEW-432BRP wireless router firmware 3.10B20 allows remote authenticated attackers to corrupt memory via a crafted submit-url argument to the formSysCmd handler at /goform/formSysCmd. Publicly available exploit code exists per VulDB submission and a GitHub PoC, while the device has been end-of-life since 2009 and the vendor has explicitly stated they will not issue a fix. No CISA KEV listing or EPSS score was provided, but the combination of public PoC and abandoned product status makes any exposed device a concrete target.
Stack-based buffer overflow in the Edimax BR-6478AC 1.23 wireless router enables authenticated remote attackers to corrupt memory by sending a crafted pppUserName parameter to the /goform/formWanTcpipSetup endpoint. Publicly available exploit code exists (published via VulDB and a Notion writeup), elevating this from a theoretical issue to a practical threat, though no CISA KEV listing or active exploitation has been confirmed. The CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact on the device itself, with exploitation requiring only low-level authentication.
Remote buffer overflow in the Edimax BR-6478AC 1.23 wireless router allows authenticated attackers to corrupt memory via the formUSBFolder POST handler by supplying oversized ShareName or SelectName arguments. Publicly available exploit code exists (hosted on a Notion page referenced by VulDB), and the CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact on the device with low privileges required. No CISA KEV listing, so this is best treated as a publicly weaponizable bug awaiting a vendor response.
Buffer overflow in the Edimax BR-6478AC v1.23 wireless router allows authenticated remote attackers to corrupt memory by sending oversized UserName or Password values to the /goform/formUSBAccount endpoint. Publicly available exploit code exists for this issue, raising the practical risk despite the requirement for low-level credentials, though no active exploitation has been confirmed via CISA KEV.
Stack-based buffer overflow in TRENDnet TEW-432BRP 3.10B20 router firmware allows authenticated remote attackers to corrupt memory via the webpage parameter in the formSetPassword handler at /goform/formSetPassword, with publicly available exploit code increasing risk. The vendor has formally declined to patch this end-of-life device (EOL since 2009), making any deployment permanently vulnerable. CVSS 4.0 rates this 7.4 (High) with proven exploit maturity, though no CISA KEV listing exists at this time.
Stack-based buffer overflow in TRENDnet TEW-432BRP router (firmware 3.10B20) allows authenticated remote attackers to corrupt memory via the status_statistic parameter in the /goform/formResetStatistic endpoint, potentially leading to code execution or device compromise. Publicly available exploit code exists on GitHub, and the vendor has confirmed the product is end-of-life (EOL since 2009) and will not be patched. No CISA KEV listing or EPSS data is provided in the input, so widespread exploitation status is unconfirmed.
Stack-based buffer overflow in TRENDnet TEW-432BRP 3.10B20 wireless router allows authenticated remote attackers to corrupt memory via the start_wizard parameter in the /goform/formSetEnableWizard endpoint. Publicly available exploit code exists, and the vendor has confirmed they will not issue a fix because the device has been end-of-life since 2009. EPSS data was not provided, and the CVE is not listed in CISA KEV, but the combination of trivial exploitability and no forthcoming patch makes this a permanent risk for any still-deployed units.
Stack-based buffer overflow in the TRENDnet TEW-432BRP wireless router (firmware 3.10B20) allows authenticated remote attackers to corrupt memory via the current_page parameter handled by the formSysLog function at /goform/formSysLog, potentially achieving arbitrary code execution on the device. Publicly available exploit code exists, and the vendor has explicitly declined to issue a fix because the product has been end-of-life since 2009. Affected deployments are unsupported legacy hardware with no remediation path other than replacement.
Stack-based buffer overflow in the TRENDnet TEW-432BRP 3.10B20 wireless router's web interface allows authenticated remote attackers to corrupt memory by sending a crafted server_name parameter to the formPortFw handler at /goform/formPortFw, potentially achieving arbitrary code execution on the device. Publicly available exploit code exists, and the vendor has explicitly refused to issue a fix because the product has been end-of-life since 2009.
Denial of service in Tenda W12 firmware 3.0.0.7(4763) allows a low-privileged remote attacker to crash the web management daemon by sending a crafted value for the 'web_over_time' argument to the cgiSysWebTimeoutSet handler in /bin/httpd. The availability impact is rated High (A:H), meaning successful exploitation renders the router's management interface - and potentially the device itself - unresponsive. A proof-of-concept exploit archive has been publicly released, lowering the barrier to exploitation, though this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog.
Authentication bypass in Open5GS versions up to 2.7.6 allows remote attackers to manipulate UE security capabilities through the AMF's NGAP PathSwitchRequest message handler in src/amf/ngap-handler.c. The flaw stems from the AMF blindly overwriting locally stored UE 5G security capabilities with values received from a target gNB during a path switch, violating 3GPP TS 33.501 6.7.3.1, and publicly available exploit code exists though no public exploit identified as actively exploited at time of analysis.
Authentication bypass in OUSL-GROUP-BrinaryBrains School Student Management System allows unauthenticated remote attackers to manipulate the 'role' argument in the sign_auth_cookie function, forging or escalating authentication cookies without valid credentials. All commits up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6 are affected, publicly available exploit code exists (confirmed by CVSS E:P and a public GitHub issue), and no patch is available as the project has not responded to disclosure. Despite a moderate CVSS 4.0 score of 5.5, the combination of zero-barrier remote exploitation and absent vendor remediation represents material unmitigated risk for any organization running this system.
SQL injection in code-projects Online Music Site 1.0 allows remote unauthenticated attackers to manipulate the ID parameter of /Administrator/PHP/AdminEditAlbum.php to inject arbitrary SQL queries. Publicly available exploit code exists (disclosed via VulDB submission 819912 and a GitHub issue), though there is no CISA KEV listing and no EPSS data provided to gauge exploitation probability. The vulnerability carries a CVSS 7.3 score reflecting low complexity and no authentication requirement, but only partial CIA impact.
Server-side template injection in Apache Airflow versions 3.0.0 through 3.2.1 allows low-privilege authenticated users to inject Jinja2 expressions via dag_run.conf parameters that are unsafely interpolated into BashOperator commands, leading to arbitrary command execution in the worker context. The flaw carries a 9.1 CVSS but EPSS sits at just 0.03% (9th percentile), and there is no public exploit identified at time of analysis despite a vendor patch being available. Disclosure occurred via the oss-security mailing list on 2026-05-31 alongside several other Airflow advisories.
Authenticated remote code execution in Apache Airflow 3.2.0 through 3.2.1 allows users with permission to update XCom entries to achieve code execution by submitting reserved deserialization metadata keys (e.g. __classname__, __type, __data__, __var) to the PATCH XCom endpoint. The XComUpdateBody datamodel omitted the FORBIDDEN_XCOM_KEYS validator that XComCreateBody enforced, letting attackers smuggle a malicious typed payload that is later deserialized into an arbitrary Python class. No public exploit identified at time of analysis and EPSS risk is negligible (0.02%), but a vendor fix has shipped and the root cause is a classic CWE-502 untrusted deserialization.
Sensitive information disclosure in Apache Airflow versions prior to 3.2.2 exposes JWT authentication tokens via KubernetesExecutor command-line arguments, allowing low-privileged users with process listing access on worker pods to harvest credentials and impersonate workers against the Execution API. The flaw, addressed in PR #60108 alongside a redesign of workload/execution token lifetimes, carries a CVSS 8.8 due to high impact across confidentiality, integrity, and availability. No public exploit has been identified at time of analysis and EPSS sits at 0.02%, suggesting limited mass-exploitation activity.
SQL injection in OpenCATS 0.9.1a and later allows authenticated attackers to execute arbitrary SQL queries against the backend database by abusing DataGrid filter handling on the Candidates module's Tags column. The flaw bypasses the application's column filterable restrictions, enabling data theft or modification of the recruitment platform's stored candidate records. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Heap out-of-bounds read in Sereal::Decoder for Perl before version 5.005 allows remote attackers to leak up to 31 bytes of adjacent heap memory when a victim application decodes attacker-controlled Sereal-encoded data. The flaw lives in COPY tag handling within srl_read_object() and srl_read_hash(), where a crafted COPY offset can redirect the decoder to mid-value bytes that are then re-interpreted as a SHORT_BINARY tag without bounds checking against the COPY tag's own offset. No public exploit identified at time of analysis, and EPSS is 0.01%, but a vendor patch is available in Sereal-Decoder 5.005.
API authorization bypass in Apache Airflow 3.2.0 through versions before 3.2.2 allows authenticated users with access to one DAG to mutate TaskInstances belonging to other DAGs they should not control, via the bulk TaskInstances PUT/DELETE endpoints. The flaw stems from the bulk handler omitting per-DAG authorization checks, enabling cross-DAG state tampering with high integrity impact (CVSS 7.5, vector AV:N/AC:L/PR:N/UI:N/I:H). No public exploit identified at time of analysis and EPSS probability is low at 0.01%.
Stack-based buffer overflow in TRENDnet TEW-432BRP 3.10B20 wireless router allows authenticated remote attackers to corrupt memory and likely achieve code execution by manipulating the 'webpage' argument in the formSetWlanEncrypt handler at /goform/formSetWlanEncrypt. Publicly available exploit code exists per the VulDB submission, and the vendor has explicitly refused to patch because the device has been end-of-life since 2009, making any deployed units permanently vulnerable.
Arbitrary Python module import in Apache Airflow versions prior to 3.2.2 occurs when the scheduler deserializes custom DeadlineReference objects, because the prior implementation called import_string() directly on an attacker-controllable __class_path field. Rated CVSS 7.3 with low confidentiality/integrity/availability impact, this issue has no public exploit identified at time of analysis and EPSS estimates exploitation probability at 0.02% (6th percentile).
Open redirect bypass in Apache Airflow 3.0.0 through 3.2.1 allows remote unauthenticated attackers to craft URLs that evade the `is_safe_url` host check by using triple-slash (`///`), backslash, or URL-encoded backslash prefixes, redirecting victims to attacker-controlled domains. The flaw stems from a parsing inconsistency between WHATWG URL semantics and Python's urllib. No public exploit has been identified at time of analysis, and EPSS rates exploitation probability at only 0.01% (4th percentile).
Weak password recovery in the BrinaryBrains School Student Management System (OUSL-GROUP-BrinaryBrains) exposes its Forgot Password endpoint to remote manipulation of the email argument, enabling attackers to abuse the flawed recovery mechanism and achieve limited unauthorized account integrity impact. The CVSS 4.0 score of 2.9 reflects high attack complexity (AC:H), constraining real-world exploitability despite publicly available exploit code (E:P). No active exploitation has been confirmed via CISA KEV, and the vendor has not responded to the coordinated disclosure as of the time of reporting.
Arbitrary file read in Apache Airflow's FileTaskHandler allows authenticated users to read files outside the designated log directory by placing symlinks within the log folder tree. Versions prior to 3.2.2 are affected. Because FileTaskHandler._read_from_local() resolved glob matches without first verifying that a symlink's real path stays within the configured base log folder, a low-privileged Airflow user could exfiltrate sensitive server-side files - credentials, keys, or configuration - by directing log reads through a crafted symlink. No public exploit code exists and the vulnerability is not in CISA KEV, though the CVSS C:H rating reflects genuine confidentiality risk.
The SecretsMasker component in Apache Airflow prior to 3.2.2 returns cleartext sensitive values when those values are stored under recognized sensitive key names (password, token, secret, api_key) nested deeper than five dict levels in structured payloads. Authenticated low-privilege users can craft dag_run.conf or XCom payloads exceeding this depth threshold, causing secrets to surface in task logs, rendered templates, and API responses. No public exploit code exists and EPSS is 0.02% at the 5th percentile - this is not confirmed actively exploited (not in CISA KEV) - but the CVSS confidentiality impact is rated High given that the bypass can expose real credentials to any user who can review logs.
Rendered template field serialization in Apache Airflow before 3.2.2 exposes nested secrets in cleartext when template field values exceed the configured max_templated_field_length threshold. Authenticated low-privilege users with access to rendered template views can read values stored under documented sensitive keys (password, token, secret, api_key) embedded in nested dictionaries - the pre-fix code stringified the structured object before invoking the secrets masker, destroying the nested key context required for recursive redaction. No public exploit is identified at time of analysis; EPSS is 0.02% (5th percentile), and this CVE is not listed in the CISA KEV catalog.
JWT session tokens remain valid after logout in Apache Airflow deployments using FabAuthManager or KeycloakAuthManager due to an unreachable revoke_token() call in the logout code path. Versions before 3.2.2 are affected. When the configured auth manager returns an external redirect URL on logout (as Keycloak-backed deployments do), the logout handler redirects the browser before invoking revoke_token(), leaving the JWT - with its embedded jti claim - unregistered in the RevokedToken table and therefore still accepted by the API. No public exploit is identified at time of analysis, and EPSS exploitation probability stands at 0.01% (4th percentile), but the impact is meaningful in environments where session hijacking or token theft is a realistic threat model.
Command injection in TRENDnet TEW-432BRP firmware 3.10B20 enables remote attackers with low-privilege credentials to execute arbitrary OS commands by injecting shell metacharacters into the sysCmd parameter of the /goform/formSysCmd endpoint. A public proof-of-concept exploit is available on GitHub, lowering the barrier to exploitation. The vendor has confirmed no patch will be released - the device has been end-of-life since 2009 - meaning any remaining deployed units are permanently unpatched.
Command injection in TRENDnet TEW-432BRP firmware 3.10B20 allows remote low-privileged attackers to execute arbitrary OS commands by manipulating the `enrollee` parameter in the `/goform/formWlanSetup` wireless configuration handler. The product reached end-of-life in 2009, and TRENDnet has formally and explicitly declined to issue a patch, leaving all deployed units permanently unpatched with no vendor remediation path. Publicly available exploit code exists on GitHub, materially lowering the exploitation barrier, though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.
Command injection in Edimax BR-6478AC firmware 1.23 allows a remotely authenticated attacker to execute arbitrary OS commands by manipulating the `rootAPmac` parameter in a POST request to the `/goform/formWlbasic` endpoint. The vulnerable function `formWlbasic` passes unsanitized input directly to a system-level command, a pattern common in consumer embedded router firmware. A public proof-of-concept exploit has been disclosed, lowering the technical bar for exploitation; no vendor-released patch has been identified at time of analysis.
Protection mechanism failure in Aider-AI Aider 0.86.3 exposes git pre-commit hook bypass via manipulation of the `git-commit-verify` argument in `aider/args.py`, allowing authenticated remote attackers to commit code without triggering pre-commit security controls. The CVSS temporal score includes E:P (proof-of-concept exploit publicly available, linked to GitHub issue #5057), and the vendor has not yet responded to the responsible disclosure. No public KEV listing exists, and the report confidence (RC:R) remains at 'Reasonable' rather than 'Confirmed', indicating the vendor has not acknowledged the finding.
Code injection in Aider-AI Aider 0.86.3 Architect Mode enables authenticated remote attackers to execute arbitrary code via the `editor_coder.run` function in `auth.py`. A public proof-of-concept exploit is available via GitHub issue #5058, lowering the barrier to exploitation. No vendor patch exists as the project has not responded to the responsible disclosure, leaving all users of the affected version exposed with no official remediation path.
Server-side request forgery in Aider-AI Aider 0.86.3 allows authenticated remote attackers to make the application issue arbitrary HTTP requests to internal network resources, including cloud infrastructure metadata endpoints such as the AWS EC2 instance metadata service at 169.254.169.254. The URL scraping component accepts user-supplied URLs without validating whether the destination resolves to private RFC1918 or link-local address space, enabling an attacker to proxy requests through the Aider host. No public exploit identified at time of analysis meets KEV criteria, but publicly available exploit code exists via GitHub issue #5075, and the upstream fix (PR #5137) awaits formal acceptance into a release.
Resource injection in the OUSL-GROUP-BrinaryBrains School Student Management System allows authenticated remote attackers to manipulate the param1 argument in the marks function of Parents.php, improperly controlling resource identifiers to access unauthorized academic records. The CVSS 4.0 score is 2.1, reflecting low-privilege authentication requirements (PR:L) and limited scope impact; a publicly available proof-of-concept exploit has been disclosed via a GitHub issue. No vendor patch exists - the project uses continuous delivery rolling releases and has not responded to the responsible disclosure report.
Cross-site scripting in Orthanc Explorer 2 versions up to and including 1.12.0 enables remote attackers to inject arbitrary JavaScript into the browser sessions of users who load a crafted URL, via the unsanitized `remote-source` query parameter processed by the StudyList.vue URL Handler. The CVSS 4.3 rating (AV:N/AC:L/PR:N/UI:R/S:U) reflects that no authentication is required of the attacker but victim interaction with a malicious link is necessary - a classic reflected XSS profile. Publicly available exploit code exists per VulDB and a referenced GitHub issue, and an upstream patch commit has been issued, though no officially tagged patched release has been independently confirmed from the canonical repository.
Unrestricted file upload in Bdtask Multi-Store Inventory Management System 1.0 enables authenticated remote attackers to upload arbitrary file types - including PHP webshells - through the Component Module's Upload function, leading to potential remote code execution on the host server. The vulnerability resides in application/modules/dashboard/controllers/Module.php where the Upload function performs insufficient file type validation. A public proof-of-concept exploit has been released on GitHub, elevating the practical risk beyond the moderate CVSS 6.3 score. No vendor patch has been identified at time of analysis.
SQL injection in Aider-AI Aider 0.86.3's Code Generation Workflow component allows authenticated remote attackers with low privileges to manipulate internal SQL queries, resulting in partial compromise of confidentiality, integrity, and availability. A publicly available proof-of-concept exploit exists via GitHub issue #5077, raising near-term exploitation risk despite the medium CVSS score of 6.3. The vendor has not yet responded to the responsible disclosure and no patch has been released, leaving users without an official remediation path.
SQL injection in OFCMS versions up to 1.1.3 allows remote low-privileged attackers to inject arbitrary SQL through the `system.user.query` argument within the `ComnController.Query` function, achieving partial compromise of confidentiality, integrity, and availability against the underlying database. Publicly available exploit code exists - referenced via Gitee issue IJLFCA - elevating practical risk above what the moderate CVSS base score of 6.3 alone suggests. No vendor patch has been released; the project maintainer has not responded to the responsible disclosure report, leaving all 1.1.3-and-below deployments unmitigated.
SQL injection in code-projects Visitor Management System 1.0 exposes the `/vms/php/phone_0.php` endpoint to database manipulation via the unsanitized `phone` parameter, exploitable by authenticated remote attackers. A publicly available exploit chain on GitHub (by Xmyronn) explicitly demonstrates escalation from this SQL injection to remote code execution, elevating the real-world severity beyond the CVSS 6.3 base score. No public exploit identified at time of analysis as actively exploited (not in CISA KEV), but the published RCE chain makes this a meaningful risk for any internet-exposed deployment.
SQL injection in code-projects Online Music Site 1.0 exposes the administrator backend endpoint /Administrator/PHP/AdminUpdateAlbum.php to database manipulation via an unsanitized ID parameter. Exploitation requires high-privilege (administrator) credentials per CVSS PR:H, meaning only authenticated admins - or attackers who have already compromised an admin account - can trigger the flaw. A public proof-of-concept has been disclosed via GitHub, but no CISA KEV listing exists, and no public exploitation activity has been confirmed at this time.
Heap-based buffer overflow in Assimp's glTF 4x4 Matrix Parser (versions up to 6.0.4) can be triggered by a local, low-privileged attacker supplying crafted input to the `glTFCommon::CopyValue` function in `glTFCommon.h`, resulting in partial confidentiality, integrity, and availability impact. A public proof-of-concept exploit archive has been published on GitHub, confirmed by the CVSS temporal modifier E:P (proof-of-concept). No active exploitation has been confirmed (not in CISA KEV), and the CVSS remediation level RL:X indicates no official patch has been defined as of this analysis.
Null pointer dereference in Assimp's glTF2 importer (versions up to 6.0.4) allows a local attacker to crash any application embedding the library by supplying a malformed glTF2 asset. The vulnerable function `ImportEmbeddedTextures` performs pointer arithmetic on the return value of `strchr()` before checking for null, meaning a glTF2 embedded texture with a MIME type lacking a '/' character triggers undefined behavior and a process crash. A public POC is available; no active exploitation has been confirmed by CISA KEV. CVSS 4.0 scores this at 1.9, reflecting the local-only, availability-only impact.
Null pointer dereference in Assimp's glTF mesh importer (versions up to and including 6.0.4) allows a locally authenticated attacker with low privileges to crash any application that uses the library to process a crafted 3D model file. The flaw resides specifically in the Assimp::glTFImporter::ImportMeshes function within glTFImporter.cpp, meaning only applications that invoke the glTF import pipeline are exposed. A publicly available proof-of-concept exploit (poc.zip) has been released, though no active exploitation has been confirmed and the CVSS score of 3.3 (Low) reflects the constrained local-only, availability-only impact.