Denial of service in Tenda W12 firmware 3.0.0.7(4763) allows a low-privileged remote attacker to crash the web management daemon by sending a crafted value for the 'web_over_time' argument to the cgiSysWebTimeoutSet handler in /bin/httpd. The availability impact is rated High (A:H), meaning successful exploitation renders the router's management interface - and potentially the device itself - unresponsive. A proof-of-concept exploit archive has been publicly released, lowering the barrier to exploitation, though this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog.
Authentication bypass in Open5GS versions up to 2.7.6 allows remote attackers to manipulate UE security capabilities through the AMF's NGAP PathSwitchRequest message handler in src/amf/ngap-handler.c. The flaw stems from the AMF blindly overwriting locally stored UE 5G security capabilities with values received from a target gNB during a path switch, violating 3GPP TS 33.501 6.7.3.1, and publicly available exploit code exists though no public exploit identified as actively exploited at time of analysis.
Authentication bypass in OUSL-GROUP-BrinaryBrains School Student Management System allows unauthenticated remote attackers to manipulate the 'role' argument in the sign_auth_cookie function, forging or escalating authentication cookies without valid credentials. All commits up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6 are affected, publicly available exploit code exists (confirmed by CVSS E:P and a public GitHub issue), and no patch is available as the project has not responded to disclosure. Despite a moderate CVSS 4.0 score of 5.5, the combination of zero-barrier remote exploitation and absent vendor remediation represents material unmitigated risk for any organization running this system.
SQL injection in code-projects Online Music Site 1.0 allows remote unauthenticated attackers to manipulate the ID parameter of /Administrator/PHP/AdminEditAlbum.php to inject arbitrary SQL queries. Publicly available exploit code exists (disclosed via VulDB submission 819912 and a GitHub issue), though there is no CISA KEV listing and no EPSS data provided to gauge exploitation probability. The vulnerability carries a CVSS 7.3 score reflecting low complexity and no authentication requirement, but only partial CIA impact.
Arbitrary file read in Apache Airflow's FileTaskHandler allows authenticated users to read files outside the designated log directory by placing symlinks within the log folder tree. Versions prior to 3.2.2 are affected. Because FileTaskHandler._read_from_local() resolved glob matches without first verifying that a symlink's real path stays within the configured base log folder, a low-privileged Airflow user could exfiltrate sensitive server-side files - credentials, keys, or configuration - by directing log reads through a crafted symlink. No public exploit code exists and the vulnerability is not in CISA KEV, though the CVSS C:H rating reflects genuine confidentiality risk.
The SecretsMasker component in Apache Airflow prior to 3.2.2 returns cleartext sensitive values when those values are stored under recognized sensitive key names (password, token, secret, api_key) nested deeper than five dict levels in structured payloads. Authenticated low-privilege users can craft dag_run.conf or XCom payloads exceeding this depth threshold, causing secrets to surface in task logs, rendered templates, and API responses. No public exploit code exists and EPSS is 0.02% at the 5th percentile - this is not confirmed actively exploited (not in CISA KEV) - but the CVSS confidentiality impact is rated High given that the bypass can expose real credentials to any user who can review logs.
Rendered template field serialization in Apache Airflow before 3.2.2 exposes nested secrets in cleartext when template field values exceed the configured max_templated_field_length threshold. Authenticated low-privilege users with access to rendered template views can read values stored under documented sensitive keys (password, token, secret, api_key) embedded in nested dictionaries - the pre-fix code stringified the structured object before invoking the secrets masker, destroying the nested key context required for recursive redaction. No public exploit is identified at time of analysis; EPSS is 0.02% (5th percentile), and this CVE is not listed in the CISA KEV catalog.
JWT session tokens remain valid after logout in Apache Airflow deployments using FabAuthManager or KeycloakAuthManager due to an unreachable revoke_token() call in the logout code path. Versions before 3.2.2 are affected. When the configured auth manager returns an external redirect URL on logout (as Keycloak-backed deployments do), the logout handler redirects the browser before invoking revoke_token(), leaving the JWT - with its embedded jti claim - unregistered in the RevokedToken table and therefore still accepted by the API. No public exploit is identified at time of analysis, and EPSS exploitation probability stands at 0.01% (4th percentile), but the impact is meaningful in environments where session hijacking or token theft is a realistic threat model.
JWT session cookies in Apache Airflow's JWTRefreshMiddleware are set without the Secure flag when Airflow runs behind an HTTPS-terminating reverse proxy, exposing them to network interception. Affected versions span Apache Airflow 3.0.0 through 3.2.1 (exclusive), where the middleware checked only for a local ssl_cert configuration setting to determine cookie security - missing the common deployment pattern where TLS is offloaded at a load balancer or proxy layer. An unauthenticated network adversary positioned for man-in-the-middle interception could capture a user's JWT refresh cookie and take over their authenticated session. No public exploit code or CISA KEV listing exists at time of analysis; EPSS of 0.01% reflects low automated exploitation likelihood.
Missing certificate validation during SMTP STARTTLS negotiation in Apache Airflow 2.0.0 through 3.2.1 exposes email traffic to man-in-the-middle interception. Both the core email utility (airflow.utils.email.send_email) and the SMTP provider hook (SmtpHook.get_conn, SmtpHook.aget_conn) called starttls() without an SSL context, causing Python's smtplib to accept any server certificate unconditionally. An unauthenticated network-adjacent attacker who can intercept traffic between the Airflow instance and its configured SMTP relay can present a fraudulent TLS certificate, successfully complete the upgrade handshake, and read all outbound email content in cleartext. No public exploit identified at time of analysis and EPSS is 0.01%, but the impact class is high confidentiality loss per CVSS.
Unintended internal ticket data exposure in OTRS 2026.3.1 occurs because the ticket article forwarding feature enforces the 'Is visible for customer' flag by default and provides no UI control to override it. Authenticated agents who forward ticket articles will inadvertently expose internal communications or notes to customers through the External Frontend without any warning or opt-out. No public exploit code exists and this is not listed in CISA KEV, but the high confidentiality impact (C:H in CVSS) makes this a meaningful data-leak risk for organizations handling sensitive support workflows.
SQL injection in code-projects Online Hospital Management System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `editid` parameter in /patient.php, potentially exposing or modifying patient records. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-authentication, network-accessible exploitation with no special conditions, and a public proof-of-concept has been disclosed via GitHub. While the CVSS 5.5 score reflects limited per-component impact (Low confidentiality, integrity, and availability), the absence of any access barrier combined with POC availability makes this an actionable risk for any exposed deployment.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 exposes sensitive medical data to unauthenticated remote attackers through the ID parameter of the /classes/Users.php?f=save endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote access requiring no credentials or user interaction, and a publicly available proof-of-concept exploit (E:P) further elevates real-world risk beyond the moderate 5.5 base score. No vendor-released patch has been identified, leaving all known deployments of version 1.0 exposed to data exfiltration and manipulation of patient health records.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /classes/Users.php?f=delete, enabling unauthorized read and write access to the underlying database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. While CVSS impact scores are rated Low across confidentiality, integrity, and availability, the unauthenticated network accessibility combined with a live POC elevates the practical deployment risk for any internet-exposed instance.
Authorization bypass in Advanced Custom Fields (ACF®) plugin for WordPress versions up to and including 6.8.1 allows unauthenticated remote attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance. The attack requires no credentials, no user interaction, and low complexity - exploitable by anyone who can reach a page rendering a public-facing ACF front-end form. This vulnerability is not listed in the CISA KEV catalog and no public exploit code has been identified at time of analysis, but the zero-barrier attack path makes content integrity on exposed WordPress sites a real concern.
Heap-based buffer overflow in OFFIS DCMTK 3.7.0's dcmqrscp component allows remote low-privileged attackers to trigger memory corruption via the deleteOldestImages function in the DICOM Query/Retrieve database backend. Exploitation requires authenticated network access with low complexity and results in partial confidentiality, integrity, and availability impact without crossing privilege boundaries. No public exploit identified at time of analysis; an upstream git commit patch is confirmed available, though a formally tagged release version incorporating the fix has not been independently verified.
The event log detail endpoint in Apache Airflow before 3.2.2 applies a generic DAG-level audit log permission check rather than scoping authorization to the specific DAG that owns the requested event log entry, allowing any authenticated low-privilege user to read audit log entries belonging to DAGs outside their permitted scope. The flaw is a broken object-level authorization (IDOR) pattern - classified as CWE-639 - where the user-supplied `event_log_id` path parameter can reference log rows from unauthorized DAGs without triggering a rejection. No public exploit code exists and the issue is not listed in CISA KEV, but the attack is trivially executable by any authenticated Airflow user in a multi-tenant deployment.
Per-DAG RBAC bypass in Apache Airflow 3.2.0-3.2.1 allows authenticated users with restricted DAG permissions to read partitioned DAG run metadata for DAGs outside their authorized scope via the /ui/partitioned_dag_runs endpoint. The route enforced asset-level access control via requires_access_asset but omitted the parallel DAG-level check (requires_access_dag) and result-set filtering by readable DAG IDs, creating a gap in the multi-layer authorization model. No public exploit identified at time of analysis; EPSS is 0.01% (4th percentile), indicating very low exploitation probability consistent with the authenticated, information-disclosure-only impact.