Remote denial of service in Google Android 14, 15, 16, and 16-qpr2 is possible via an integer overflow in multiple functions of ubsan_throwing_runtime.cpp, a component of Android's UndefinedBehaviorSanitizer runtime. Network-accessible, low-privileged attackers (CVSS PR:L, AV:N, AC:L) can crash affected devices without requiring user interaction, resulting in availability loss with no confidentiality or integrity impact. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Persistent denial of service in Google Android's UBSAN throwing runtime allows a remote low-privileged attacker to crash affected devices via an integer overflow in multiple functions of ubsan_throwing_runtime.cpp. Affected versions span Android 14, 15, 16-qpr2, and 16, indicating broad exposure across the current supported Android ecosystem. No public exploit code or active exploitation has been identified at time of analysis; patches are available via the June 2026 Android Security Bulletin.
Remote denial-of-service in Google Android's UBSan runtime (ubsan_throwing_runtime.cpp) allows a low-privileged network attacker to crash the system across Android 14, 15, 16, and 16-qpr2. The flaw stems from improper input validation in multiple functions of the Undefined Behavior Sanitizer throwing runtime, a component integrated into Android's native code execution layer. No user interaction is required and no public exploit has been identified at time of analysis; the vulnerability is addressed in the June 2026 Android Security Bulletin.
SVG content injection in OTRS ticket article rendering enables unauthenticated remote attackers to deliver browser-side denial of service against agents and customers who open affected tickets. Specially crafted SVG payloads submitted via inbound email trigger uncontrolled resource exhaustion during rendering, without requiring JavaScript execution, and the attack vector is not blocked by the application's configured Content Security Policy - making CSP-based mitigations ineffective. No public exploit code or active exploitation has been identified at time of analysis, but the low-complexity, no-authentication-required delivery mechanism (via email) lowers the barrier to abuse significantly.
Nextcloud Server's link share attachment access bypasses password protection and download restrictions for authenticated users who possess a valid share token. Affecting versions 32.0.0-32.0.9 and 33.0.0-33.0.3 of Nextcloud Server (with broader version ranges for Enterprise), an attacker authenticated to the Nextcloud instance can retrieve attachments from password-protected or download-restricted link shares by supplying a documentId they own alongside a known share token-circumventing the intended access controls entirely. No public exploit has been identified at time of analysis, and no CISA KEV listing exists; however, the CVSS vector (AV:N/AC:L/PR:L/UI:N) indicates straightforward network exploitation by any authenticated user.
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms allows authenticated low-privileged users to modify form resources owned by other users without authorization. All Kiteworks deployments running versions prior to 9.3.0 are affected, with the vulnerability rooted in missing server-side ownership validation on resource identifiers in the Secure Data Forms module. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV; however, the low attack complexity and network accessibility make it a realistic lateral-privilege abuse path in multi-tenant Kiteworks environments.
Insecure Direct Object Reference in Kiteworks Secure Data Forms (all versions prior to 9.3.0) allows any authenticated low-privileged user to tamper with internal approval flow configurations belonging to other users by substituting resource identifiers in API requests. The root cause is missing server-side ownership validation on form configuration endpoints, meaning the application does not verify whether the requesting user owns the referenced resource. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog, but the low attack complexity and lack of user interaction requirement make this straightforward to exploit once authenticated.
Privilege escalation in the Nextcloud Approval app (prior to version 2.7.2) allows authenticated users who lack sharing permissions to force the platform to distribute restricted files to approval workflow participants. By invoking the approval request flow with the createShares flag enabled, a user can bypass the system's file-sharing authorization controls entirely, causing files marked as non-shareable to be shared with designated approvers. No public exploit has been identified at time of analysis, but a vendor-confirmed patch and upstream PR diff are available.
Sensitive device configuration is exposed to adjacent network attackers during factory reset operations conducted through the powerline interface on Qualcomm Snapdragon chipsets. An unauthenticated attacker present on the same powerline network segment can intercept unprotected configuration data at the moment of reset, gaining unauthorized access to potentially sensitive device parameters such as credentials or network settings. No public exploit has been identified at time of analysis, and Qualcomm addressed this vulnerability in its June 2026 Security Bulletin.
{connection_id}) allows any authenticated user holding the Connection-read permission to retrieve plaintext secrets stored in a Connection's extra JSON blob, provided those credential field names - such as slack_webhook_url, bearer, dsn, auth_header, and service_key - were absent from the DEFAULT_SENSITIVE_FIELDS redaction allowlist prior to version 3.2.2. All Airflow deployments before 3.2.2 that store credentials inline in Connection extra fields and grant Connection-read access to more than one user are exposed to lateral credential theft within the platform. No public exploit code or active exploitation has been identified at time of analysis; however, the network-accessible vector and high confidentiality impact make this a meaningful priority in shared or multi-tenant Airflow environments.
Unauthorized access to form submissions in Nextcloud Forms prior to version 5.2.6 allows any authenticated user to read survey or form responses submitted by other users. The root cause is a missing authorization check in the `getSubmission` API endpoint (`ApiController.php`), which failed to verify whether the requesting user held the PERMISSION_RESULTS privilege or was the original submitter. With a CVSS score of 6.5 (Medium) and no public exploit identified at time of analysis, real-world risk is bounded by the requirement for an authenticated session, but the confidentiality impact is rated High given unrestricted access to potentially sensitive form response data.
Missing authorization in the GeoDirectory WordPress plugin (through v2.8.157) permits unauthenticated remote attackers to invoke privileged plugin operations without any credential requirement, resulting in partial integrity and availability impact on directory listings. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms low-complexity, network-accessible exploitation requiring no user interaction, reported by Patchstack under the 'Authentication Bypass' tag. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a moderate-priority patch tier for any WordPress deployment running a public-facing GeoDirectory instance.
Stored XSS in the myCred WordPress plugin (versions through 3.0.4) enables authenticated low-privileged attackers to persistently inject malicious scripts into web pages served by the application. When a victim - such as an administrator - subsequently visits an affected page, the stored payload executes within their browser session in the context of the WordPress origin, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Path traversal in the Classified Listing WordPress plugin (versions through 5.3.8) enables authenticated low-privileged users to download arbitrary files from the server filesystem. The vulnerability, reported by Patchstack as an arbitrary file download flaw, exposes full confidentiality impact (C:H) with no integrity or availability consequence, meaning attackers can exfiltrate sensitive server files - including wp-config.php, credentials, or private data - but cannot modify or destroy them. No active exploitation is confirmed and no public exploit code has been identified at time of analysis.
{workspace_id} endpoint. The CVSS vector (PR:L/AC:L/AV:N/UI:N/I:H) confirms this is a low-complexity network attack requiring only member-tier credentials, and the integrity impact is rated High because the settings field can be used as a configuration-injection primitive - redirecting LLM provider URLs, webhook endpoints, or invite flows to attacker-controlled infrastructure. No public exploit identified at time of analysis, though the exploit chain is trivially reproducible from the published GitHub Security Advisory GHSA-rcmc-q9rj-4wmq.
Path traversal in SOPlanning 1.55 and below exposes backup endpoints to arbitrary file read and execution, allowing a high-privilege authenticated attacker to construct payloads that traverse directories and interact with files previously stored via the backup functionality. The standalone vulnerability's PR:H authentication barrier is critically undermined by a companion flaw, CVE-2026-40543 (Missing Authorization), which removes authorization enforcement on backup file access entirely - enabling any unauthenticated user to read backup files. The combined exploit chain elevates practical risk well above what the standalone CVSS 6.4 score implies, with downstream High impacts across Confidentiality, Integrity, and Availability. No public exploit or CISA KEV listing has been identified at time of analysis.
Unrestricted file upload in SOPlanning's backup import functionality (versions 1.55 and below) allows an authenticated high-privilege attacker to smuggle a malicious PHP script inside a crafted ZIP archive alongside a legitimate user.csv file, bypassing extension validation entirely. This vulnerability is materially escalated when chained with CVE-2026-40547 (Path Traversal in the same product), which redirects extraction to a web-accessible directory, converting an upload flaw into full server-side remote code execution. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the exploitation chain is technically straightforward once administrative credentials are held.
Nextcloud's Circles (Teams) sharing feature silently generates unauthenticated public access links when folders are shared with a Team containing external email-only members, links which are never surfaced in the sharing UI and cannot be revoked by the folder owner. Affected are Nextcloud versions 32.0.0-32.0.8 and 33.0.0-33.0.2 with the Circles app in use. Any party who receives or intercepts the emailed link obtains full read, write, delete, reshare, and download access to the shared folder without a Nextcloud account, and the folder owner has no visibility or revocation path through normal interfaces. No public exploit identified at time of analysis; the issue was disclosed via HackerOne.
Local privilege escalation in MediaTek's GenieZone hypervisor component affects 36 distinct chipsets via a race condition-induced out-of-bounds write. An attacker who has already obtained System-level privilege on an affected Android device can exploit the TOCTOU flaw to escalate further - likely to kernel or hypervisor-level execution - achieving full confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, and no KEV listing exists; however, the wide chipset footprint spanning flagship to budget SoCs significantly broadens the potential attack surface.
Memory corruption in Qualcomm Snapdragon affects the IOCTL request processing path, exploitable by a local attacker with high privileges who can win a race condition between API version validation and user-space buffer consumption. Successful exploitation yields high-impact confidentiality, integrity, and availability compromise despite the moderate overall CVSS score of 6.4, which is suppressed by the high attack complexity and privilege requirements. No public exploit code and no CISA KEV listing have been identified at time of analysis, limiting immediate widespread risk.
Hard-coded cryptographic secret in PDBM.exe (by Trac d.o.o.) enables authenticated local attackers to decrypt administrative credentials stored in the product's configuration file. The static secret, constant across all PDBM installations, is embedded directly in the application binary and is used as the key for the credential encryption routine. Because the affected version configures the stored account with full administrative privileges, a successful extraction yields unrestricted access to PDBM's management interface and all underlying operational functions. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Nextcloud Server's files_lock application failed to enforce file ownership during WebDAV DAV lock and unlock operations, allowing any authenticated low-privilege account to lock or unlock files belonging to other users by referencing their absolute WebDAV paths. Affected releases span Nextcloud Server 32.0.0-32.0.1 and 33.0.0, plus Nextcloud Enterprise Server in the 31.0.x, 32.x, and 33.x lines prior to their respective patches. Compounding the flaw, lock tokens were leaked in server error responses, enabling an attacker to silently remove token-based locks placed by legitimate sync clients - disrupting collaborative workflows without direct file access. No public exploit code or CISA KEV listing exists at time of analysis.
Stored XSS in the Orca user portal is enabled by a multi-layer architectural failure in older Orca heat pump devices: device-to-server communications occur over unencrypted, unauthenticated HTTP on a non-secure port, and the server performs no input validation on the data it aggregates. An unauthenticated network attacker can impersonate a legitimate heat pump device, inject malicious JavaScript payloads into the data stream, which are then stored and rendered in the Orca user portal. When a portal user loads the affected page, the stored script executes, enabling session cookie theft and unauthorized actions within the portal. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Unauthorized chunking upload access in Nextcloud Server allows an authenticated share recipient to read temporary part files during another user's active file upload. Affecting versions 32.0.0-32.0.8 and 33.0.0-33.0.2, the flaw stems from the WebDAV chunking upload collection failing to restrict directory listing or GET requests on intermediate upload objects when accessed via a share token - a boundary the fix explicitly closes by blocking reads on FutureFile and UploadFile node types. No public exploit has been identified and no CISA KEV listing exists at time of analysis, but the high confidentiality impact (CVSS C:H) means sensitive in-transit file contents are fully exposed to any malicious share recipient who times access during an active upload.
Path traversal in Android's PackageInstallerService allows a local, unprivileged attacker to redirect a Device Policy Controller (DPC) installation into an unintended filesystem directory via a crafted install session, enabling local escalation of privilege on Android 14 through Android 16. No public exploit code has been identified at time of analysis, and EPSS at 0.01% (1st percentile) reflects minimal observed exploitation probability. The local attack vector (AV:L) constrains real-world exposure to scenarios where the attacker already has physical or application-level access to the device, materially limiting the attack surface compared to network-exploitable flaws.
Tapjacking via the InputInterceptor component in Android's Letterbox.java enables a locally-installed malicious app to silently capture unintended permission grants on Android 14, 15, and 16, resulting in local privilege escalation with high confidentiality impact. The vulnerability requires no elevated privileges on the part of the attacking application and is reported by Google as needing no user interaction for exploitation - a claim that is in notable tension with the tapjacking mechanism described, which inherently involves intercepting user touch events. No public exploit code exists and no active exploitation has been confirmed (EPSS 0.01%, percentile 1%), but the ease of local attack (AV:L/AC:L) and breadth of affected Android versions make patch deployment a priority for enterprise and consumer device fleets.
Path traversal in AstrBot 4.23.6 allows authenticated remote attackers to manipulate the Name parameter of the /api/skills/delete API endpoint to escape the intended directory boundary, enabling unauthorized deletion or corruption of arbitrary files on the host system. The CVSS vector (C:N/I:L/A:L) confirms no confidentiality exposure but meaningful integrity and availability impact. A public proof-of-concept exploit is available on GitHub; the vendor did not respond to responsible disclosure, and no patch has been released at time of analysis.
Injection vulnerability in NousResearch hermes-agent's `_scan_memory_content` function exposes authenticated low-privileged remote users to partial confidentiality, integrity, and availability compromise across all versions through 2026.4.30. The flaw originates in `tools/memory_tool.py`, where user-controlled input is insufficiently neutralized before being passed to downstream components. No public exploit identified at time of analysis is incorrect - a public proof-of-concept exploit exists (GitHub gist), and the vendor has not responded to responsible disclosure, meaning no patch has been released.
Injection in AstrBot 4.23.6 allows authenticated remote attackers to manipulate input through the `_sanitize_prompt_description` function in `astrbot/core/skills/skill_manager.py`, bypassing sanitization and achieving partial impact on confidentiality, integrity, and availability. A publicly available exploit (POC) exists on GitHub, and the vendor did not respond to responsible disclosure, meaning no official patch has been released. No public exploit identified as confirmed actively exploited (CISA KEV), though the public POC and low-privilege entry point lower the barrier for exploitation.
Improper authorization in GoClaw (nextlevelbuilder/goclaw) up to version 3.11.3 allows a remote low-privileged attacker to bypass authorization controls via the `auth` function in `internal/http/evolution_handlers.go`. The CVSS 4.0 score is 2.1 with limited integrity and availability impact and no confidentiality exposure. A public proof-of-concept exploit has been disclosed via a GitHub issue, though the project has not been confirmed as actively exploited in the wild per CISA KEV.
Improper privilege management in nextlevelbuilder GoClaw up to version 3.11.3 allows authenticated low-privileged users to escalate privileges via the handleSave function of the RoleAdmin Gateway component (internal/http/tts_config.go). The vulnerability is remotely exploitable over the network with no user interaction required, though a low-privilege authenticated session is a prerequisite per the CVSS:4.0 vector (PR:L). A publicly available proof-of-concept exists (published via GitHub issue #1118), but this CVE has not been added to the CISA KEV catalog. The CVSS 4.0 base score of 2.1 (LOW) reflects constrained confidentiality, integrity, and availability impact with no scope change to downstream systems.
Horizontal privilege escalation in Dolibarr ERP CRM through version 23.0.1 permits any authenticated low-privilege user to read other users' leave request records via the Leave Request REST API, with a publicly available proof-of-concept confirming exploitability. The flaw in `checkUserAccessToObject` within `api_holidays.class.php` (CWE-285, Improper Authorization) arises because the access control helper receives only an integer object ID rather than the full object, causing ownership validation to fail silently and return another user's confidential HR data. No active exploitation is confirmed in CISA KEV, but the public POC and low attack complexity make this a realistic insider or multi-tenant threat requiring prompt patching.
Authorization bypass in AstrBotDevs AstrBot 4.24.2 enables remote low-privilege authenticated attackers to manipulate the session_id argument within the astr_main_agent function to access or control sessions belonging to other users. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), where the server fails to verify that the requesting user owns the supplied session_id. A publicly available exploit exists via GitHub gist, no vendor patch has been released, and the vendor did not respond to disclosure - elevating practical risk above what the CVSS 6.3 Medium score alone implies.
Incorrect authorization in AstrBot 4.23.6 allows remote low-privileged attackers to bypass filesystem path restrictions via the `_normalize_rw_path` function in `astrbot/core/tools/computer_tools/fs.py`, resulting in unauthorized read, write, or access to files outside the intended scope. The vulnerability stems from improper path normalization logic that fails to enforce access controls correctly, enabling authenticated users to escape sandboxed file boundaries. A public proof-of-concept exploit exists on GitHub, and the vendor was unresponsive to coordinated disclosure, leaving no official patch available at time of analysis.
Unrestricted file upload in Metasoft MetaCRM 6.4.0 allows low-privileged authenticated remote attackers to upload arbitrary files via the softlogo upload endpoint at develop/systparam/softlogo/upload.jsp, potentially enabling server-side code execution or persistent backdoor installation. A publicly available proof-of-concept exploit exists, referenced via a Feishu document, and the vendor did not respond to coordinated disclosure. No KEV listing at time of analysis, but the combination of a public POC, low attack complexity, and an unresponsive vendor elevates practical risk beyond what the 6.3 CVSS score alone suggests.
SQL injection in CodeAstro Ingredients Stock Management System 1.0 exposes authenticated remote attackers a direct path to database manipulation through the unsanitized `txt_search_category` parameter in `/Ingredients-Stock/stock_manager.php`. The CVSS vector (PR:L) confirms that low-privilege authentication is required, partially limiting exposure, but a publicly available proof-of-concept on GitHub significantly lowers the exploitation barrier. No confirmed active exploitation (CISA KEV) has been reported; however, the combination of low complexity, network accessibility, and public exploit code makes this a realistic threat against any internet-facing deployment where attacker credential acquisition is feasible.
SQL injection in code-projects Online Hospital Management System 1.0 exposes backend database contents via the `editid` parameter in `appointmentdetail.php`. A low-privilege authenticated attacker can remotely manipulate SQL queries to read, modify, or corrupt patient and appointment records. A proof-of-concept exploit is publicly available per the GitHub reference, raising the likelihood of opportunistic exploitation against internet-facing deployments of this PHP application.
HTTP response header injection in Apache ActiveMQ's web console MessageServlet exposes users to security header override and cross-site scripting attacks. The servlet copies every JMS message property directly into HTTP response headers without sanitization, meaning an attacker who can publish crafted JMS messages to a broker queue can override headers such as Content-Security-Policy or X-Frame-Options when a web console user views those messages. No public exploit has been identified at time of analysis, and EPSS of 0.03% (9th percentile) reflects low observed exploitation probability, though the no-privilege-required CVSS vector and Scope:Changed score signal meaningful impact on browser security posture if exploited.
SQL injection in itsourcecode Fees Management System 1.0 exposes the /manage_course.php endpoint to database manipulation via an unsanitized ID parameter, reachable by any low-privileged authenticated user over the network. The CVSS 6.3 medium score reflects limited impact scope (C:L/I:L/A:L), but the availability of public proof-of-concept exploit code materially elevates operational risk for internet-facing deployments. No public exploit identified at time of analysis maps to CISA KEV; however, the E:P CVSS modifier confirms exploit code is circulating.
SQL injection in itsourcecode Fees Management System 1.0 exposes the /ajax.php endpoint to database manipulation via the Username parameter, allowing authenticated remote attackers with low-privilege credentials to read, modify, or corrupt application data. The CVSS vector (AV:N/AC:L/PR:L) confirms this is network-exploitable at low complexity with a low-privilege account requirement. A publicly available proof-of-concept exploit exists (confirmed by CVSS temporal modifier E:P and a GitHub disclosure), though no active exploitation has been confirmed by CISA KEV at the time of analysis.
Improper authorization in PackageKit up to 1.3.5 allows a low-privileged authenticated remote attacker to bypass access controls via manipulation of the frontend-socket argument in the g_file_test function within pk-transaction.c, resulting in unauthorized confidentiality exposure (C:L). The vulnerability is tagged as an authentication bypass and publicly available exploit code exists, disclosed via GitHub issue #969 against the PackageKit project. No CISA KEV listing is present, but the combination of a publicly known proof-of-concept and low attack complexity (AC:L) elevates practical risk beyond what the base CVSS score of 4.3 alone suggests.
Cross-site scripting in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to inject and execute arbitrary JavaScript by manipulating the name, email, people, or number parameters submitted to /ht/tour.php. The POC repository title ('Stored-XSS') strongly suggests this is a persistent (stored) XSS variant, meaning injected payloads survive in the application and execute in the browsers of subsequent users who view the affected reservation data - not merely the attacker's own session. Publicly available exploit code exists; this CVE has not been added to the CISA KEV catalog at time of analysis.
SQL injection in CodeAstro Payroll System 1.0 allows remote authenticated attackers with low-privilege credentials to manipulate database queries via the emp_id parameter in /home_employee.php. Exploitation can result in unauthorized read access to confidential payroll records, limited data manipulation, and potential availability impact against the underlying database. Publicly available exploit code exists (referenced via GitHub), elevating real-world risk beyond the moderate CVSS score of 6.3; no public patch is available at time of analysis.
OS command injection in wezterm-mcp 0.1.0 allows a remotely authenticated attacker with low privileges to execute arbitrary shell commands by supplying a crafted pane_id argument to the switch_pane or write_to_specific_pane MCP tool handlers. The unsanitized parameter is passed directly to a shell invocation in src/wezterm_executor.ts, giving an MCP client - such as an AI assistant or automation pipeline - the ability to break out of intended terminal pane management and run arbitrary commands in the host user's context. Publicly available exploit code exists per a GitHub issue report; no patch has been released as the vendor has not responded to the disclosure.
Path traversal in ishayoyo excel-mcp (all versions through 1.0.2) allows remote low-privileged attackers to read or write arbitrary files on the host system by manipulating the filePath or outputPath arguments passed to the read_file and write_file MCP tool handlers in src/index.ts. The CVSS 4.0 score is 2.1 (Low), but a publicly available proof-of-concept exploit exists via a GitHub issue disclosure, and no vendor patch has been released - the maintainer has not responded to the responsible disclosure report. No public exploit identified as confirmed actively exploited (CISA KEV) at time of analysis.
Path traversal via improper access control in mcp-google-workspace's MCP Gmail Tool (all pre-patch commits through 831790e) allows an authenticated low-privileged MCP client to write files to arbitrary filesystem locations by supplying crafted relative paths containing directory traversal sequences to the saveToDisk function. Publicly available exploit code exists (GitHub issue #19), though the attack requires an active MCP session (CVSS PR:L). No public exploitation has been confirmed by CISA KEV, but the MCP deployment context introduces prompt-injection as a realistic delivery vector - a malicious email or document processed by an AI assistant could trigger the vulnerable tool without direct human interaction beyond the initial session setup.
Server-side request forgery (SSRF) in hekmon8/Jenkins-server-mcp 0.1.0 allows a remote, low-privileged attacker to forge outbound HTTP requests from the server by manipulating the jobPath parameter across the get_build_status, get_build_log, and trigger_build functions in src/index.ts. The flaw stems from absent or insufficient validation of user-supplied job path values before they are used to construct server-side requests to Jenkins. Publicly available exploit code exists (disclosed via GitHub issue #4); no vendor patch has been released and the maintainer has not responded to the disclosure.
Server-side request forgery in indrasishbanerjee aem-mcp-server allows authenticated remote attackers with low privileges to manipulate the assetPath argument of the getAssetMetadata function, causing the server's Axios HTTP client to issue arbitrary outbound requests. All code up to commit b5f833aef9b5dfd17a5991b3b18a8a11edbdc583 is affected; the project uses no versioning scheme, making version-based scoping impossible. Publicly available exploit code exists (GitHub issue #3), though the vulnerability is not listed in CISA KEV and carries a CVSS 4.0 base score of only 2.1 due to limited impact scope and an authentication prerequisite.
Execution After Redirect (EAR) in a4m4's Student-Management-System exposes admin/ endpoints to unauthorized data access via manipulation of the uid parameter, allowing server-side PHP logic to execute and return sensitive output despite issuing an HTTP redirect response. The CVSS vector (PR:N) confirms no authentication is required, and the exploit has been publicly published via a GitHub issue, making this trivially reproducible. No patch exists and the project maintainer has not responded to disclosure, leaving all deployed instances exposed with no vendor remediation timeline.
SQL injection in itsourcecode Content Management System 1.0 allows remote authenticated attackers to manipulate the backend database via the topic_id parameter in /admin/add_sub_topic.php. The CVSS vector (PR:L) confirms exploitation requires low-privilege authentication, limiting opportunistic attack surface but not eliminating risk in multi-tenant or shared-admin environments. Publicly available exploit code exists, elevating practical risk above what the moderate CVSS score of 6.3 alone suggests.