Weak password recovery in the BrinaryBrains School Student Management System (OUSL-GROUP-BrinaryBrains) exposes its Forgot Password endpoint to remote manipulation of the email argument, enabling attackers to abuse the flawed recovery mechanism and achieve limited unauthorized account integrity impact. The CVSS 4.0 score of 2.9 reflects high attack complexity (AC:H), constraining real-world exploitability despite publicly available exploit code (E:P). No active exploitation has been confirmed via CISA KEV, and the vendor has not responded to the coordinated disclosure as of the time of reporting.
Command injection in TRENDnet TEW-432BRP firmware 3.10B20 enables remote attackers with low-privilege credentials to execute arbitrary OS commands by injecting shell metacharacters into the sysCmd parameter of the /goform/formSysCmd endpoint. A public proof-of-concept exploit is available on GitHub, lowering the barrier to exploitation. The vendor has confirmed no patch will be released - the device has been end-of-life since 2009 - meaning any remaining deployed units are permanently unpatched.
Command injection in TRENDnet TEW-432BRP firmware 3.10B20 allows remote low-privileged attackers to execute arbitrary OS commands by manipulating the `enrollee` parameter in the `/goform/formWlanSetup` wireless configuration handler. The product reached end-of-life in 2009, and TRENDnet has formally and explicitly declined to issue a patch, leaving all deployed units permanently unpatched with no vendor remediation path. Publicly available exploit code exists on GitHub, materially lowering the exploitation barrier, though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.
Command injection in Edimax BR-6478AC firmware 1.23 allows a remotely authenticated attacker to execute arbitrary OS commands by manipulating the `rootAPmac` parameter in a POST request to the `/goform/formWlbasic` endpoint. The vulnerable function `formWlbasic` passes unsanitized input directly to a system-level command, a pattern common in consumer embedded router firmware. A public proof-of-concept exploit has been disclosed, lowering the technical bar for exploitation; no vendor-released patch has been identified at time of analysis.
Protection mechanism failure in Aider-AI Aider 0.86.3 exposes git pre-commit hook bypass via manipulation of the `git-commit-verify` argument in `aider/args.py`, allowing authenticated remote attackers to commit code without triggering pre-commit security controls. The CVSS temporal score includes E:P (proof-of-concept exploit publicly available, linked to GitHub issue #5057), and the vendor has not yet responded to the responsible disclosure. No public KEV listing exists, and the report confidence (RC:R) remains at 'Reasonable' rather than 'Confirmed', indicating the vendor has not acknowledged the finding.
Code injection in Aider-AI Aider 0.86.3 Architect Mode enables authenticated remote attackers to execute arbitrary code via the `editor_coder.run` function in `auth.py`. A public proof-of-concept exploit is available via GitHub issue #5058, lowering the barrier to exploitation. No vendor patch exists as the project has not responded to the responsible disclosure, leaving all users of the affected version exposed with no official remediation path.
Server-side request forgery in Aider-AI Aider 0.86.3 allows authenticated remote attackers to make the application issue arbitrary HTTP requests to internal network resources, including cloud infrastructure metadata endpoints such as the AWS EC2 instance metadata service at 169.254.169.254. The URL scraping component accepts user-supplied URLs without validating whether the destination resolves to private RFC1918 or link-local address space, enabling an attacker to proxy requests through the Aider host. No public exploit identified at time of analysis meets KEV criteria, but publicly available exploit code exists via GitHub issue #5075, and the upstream fix (PR #5137) awaits formal acceptance into a release.
Resource injection in the OUSL-GROUP-BrinaryBrains School Student Management System allows authenticated remote attackers to manipulate the param1 argument in the marks function of Parents.php, improperly controlling resource identifiers to access unauthorized academic records. The CVSS 4.0 score is 2.1, reflecting low-privilege authentication requirements (PR:L) and limited scope impact; a publicly available proof-of-concept exploit has been disclosed via a GitHub issue. No vendor patch exists - the project uses continuous delivery rolling releases and has not responded to the responsible disclosure report.
Cross-site scripting in Orthanc Explorer 2 versions up to and including 1.12.0 enables remote attackers to inject arbitrary JavaScript into the browser sessions of users who load a crafted URL, via the unsanitized `remote-source` query parameter processed by the StudyList.vue URL Handler. The CVSS 4.3 rating (AV:N/AC:L/PR:N/UI:R/S:U) reflects that no authentication is required of the attacker but victim interaction with a malicious link is necessary - a classic reflected XSS profile. Publicly available exploit code exists per VulDB and a referenced GitHub issue, and an upstream patch commit has been issued, though no officially tagged patched release has been independently confirmed from the canonical repository.
Unrestricted file upload in Bdtask Multi-Store Inventory Management System 1.0 enables authenticated remote attackers to upload arbitrary file types - including PHP webshells - through the Component Module's Upload function, leading to potential remote code execution on the host server. The vulnerability resides in application/modules/dashboard/controllers/Module.php where the Upload function performs insufficient file type validation. A public proof-of-concept exploit has been released on GitHub, elevating the practical risk beyond the moderate CVSS 6.3 score. No vendor patch has been identified at time of analysis.
SQL injection in Aider-AI Aider 0.86.3's Code Generation Workflow component allows authenticated remote attackers with low privileges to manipulate internal SQL queries, resulting in partial compromise of confidentiality, integrity, and availability. A publicly available proof-of-concept exploit exists via GitHub issue #5077, raising near-term exploitation risk despite the medium CVSS score of 6.3. The vendor has not yet responded to the responsible disclosure and no patch has been released, leaving users without an official remediation path.
SQL injection in OFCMS versions up to 1.1.3 allows remote low-privileged attackers to inject arbitrary SQL through the `system.user.query` argument within the `ComnController.Query` function, achieving partial compromise of confidentiality, integrity, and availability against the underlying database. Publicly available exploit code exists - referenced via Gitee issue IJLFCA - elevating practical risk above what the moderate CVSS base score of 6.3 alone suggests. No vendor patch has been released; the project maintainer has not responded to the responsible disclosure report, leaving all 1.1.3-and-below deployments unmitigated.
SQL injection in code-projects Visitor Management System 1.0 exposes the `/vms/php/phone_0.php` endpoint to database manipulation via the unsanitized `phone` parameter, exploitable by authenticated remote attackers. A publicly available exploit chain on GitHub (by Xmyronn) explicitly demonstrates escalation from this SQL injection to remote code execution, elevating the real-world severity beyond the CVSS 6.3 base score. No public exploit identified at time of analysis as actively exploited (not in CISA KEV), but the published RCE chain makes this a meaningful risk for any internet-exposed deployment.
SQL injection in code-projects Online Music Site 1.0 exposes the administrator backend endpoint /Administrator/PHP/AdminUpdateAlbum.php to database manipulation via an unsanitized ID parameter. Exploitation requires high-privilege (administrator) credentials per CVSS PR:H, meaning only authenticated admins - or attackers who have already compromised an admin account - can trigger the flaw. A public proof-of-concept has been disclosed via GitHub, but no CISA KEV listing exists, and no public exploitation activity has been confirmed at this time.
Heap-based buffer overflow in Assimp's glTF 4x4 Matrix Parser (versions up to 6.0.4) can be triggered by a local, low-privileged attacker supplying crafted input to the `glTFCommon::CopyValue` function in `glTFCommon.h`, resulting in partial confidentiality, integrity, and availability impact. A public proof-of-concept exploit archive has been published on GitHub, confirmed by the CVSS temporal modifier E:P (proof-of-concept). No active exploitation has been confirmed (not in CISA KEV), and the CVSS remediation level RL:X indicates no official patch has been defined as of this analysis.
Null pointer dereference in Assimp's glTF2 importer (versions up to 6.0.4) allows a local attacker to crash any application embedding the library by supplying a malformed glTF2 asset. The vulnerable function `ImportEmbeddedTextures` performs pointer arithmetic on the return value of `strchr()` before checking for null, meaning a glTF2 embedded texture with a MIME type lacking a '/' character triggers undefined behavior and a process crash. A public POC is available; no active exploitation has been confirmed by CISA KEV. CVSS 4.0 scores this at 1.9, reflecting the local-only, availability-only impact.
Null pointer dereference in Assimp's glTF mesh importer (versions up to and including 6.0.4) allows a locally authenticated attacker with low privileges to crash any application that uses the library to process a crafted 3D model file. The flaw resides specifically in the Assimp::glTFImporter::ImportMeshes function within glTFImporter.cpp, meaning only applications that invoke the glTF import pipeline are exposed. A publicly available proof-of-concept exploit (poc.zip) has been released, though no active exploitation has been confirmed and the CVSS score of 3.3 (Low) reflects the constrained local-only, availability-only impact.
Null pointer dereference in Assimp's glTF2 importer (versions up to 6.0.4) allows a local low-privileged attacker to crash any application that processes attacker-supplied 3D model files via the library. The flaw resides in the `ImportAnimations()` function, where `glTF2::LazyDict::operator[]` is invoked with animation channel node indices that are never validated for validity before dereferencing, producing a CWE-476 null pointer dereference and denial-of-service. A public proof-of-concept exploit (poc.zip) has been disclosed and an upstream patch commit is available, though no active exploitation is confirmed by CISA KEV.
{/, l, o, g} - rather than a literal prefix strip, causing the filename derived from the URL to diverge from the file actually served. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.
DAG authorization bypass in Apache Airflow 3.0.0-3.2.1 allows authenticated low-privileged users to enumerate DAG structure and cross-DAG dependency topology for DAGs they are not authorized to view, by querying the `/ui/structure/structure_data` endpoint without proper RBAC enforcement. The endpoint returned external dependency nodes and edges without applying the `ReadableDagsFilterDep` authorization filter, crossing per-DAG RBAC boundaries. No public exploit exists and EPSS is 0.01% (4th percentile); impact is confined to confidentiality of workflow topology in multi-tenant or fine-grained RBAC deployments.
Uncontrolled resource consumption in Open5GS up to version 2.7.7 allows remote low-privileged attackers to degrade availability of the NRF (Network Repository Function) component by sending crafted requests to the nf-instances SBI endpoint. The vulnerability triggers runaway resource allocation through the nf_info_pool argument in the handle_amf_info function, resulting in a denial-of-service condition against the NRF's NF instance registration and discovery services. A publicly available proof-of-concept exploit exists (E:P in CVSS 4.0 vector), though no public exploit identified at time of analysis has been confirmed by CISA KEV; the upstream issue is flagged as already-fixed.
SQL injection in Bdtask Multi-Store Inventory Management System 1.0 exposes backend database contents through the Accounts Report Handler's date-range search functionality. The vulnerability resides in the accounts_report_search function (Accounts.php), where the dtpToDate argument is passed to a SQL query without sanitization, allowing an authenticated high-privileged user to read, modify, or partially disrupt database data. Publicly available exploit code exists (CVSS 4.0 E:P), though the high-privilege prerequisite significantly limits the realistic attacker population; the vulnerability is not listed in CISA KEV.