Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) stems from an integer overflow (CWE-190) that can be triggered without user interaction to achieve code execution. With CVSS 8.4 and SSVC technical impact rated 'total,' a local attacker on the device can elevate privileges across security boundaries without additional execution rights. No public exploit identified at time of analysis and SSVC reports exploitation status as 'none.'
Arbitrary file write in F5-TTS through 1.1.20 allows unauthenticated remote attackers to create directories and write attacker-controlled JSON anywhere the server process has write access by abusing unsanitized project_name parameters in the finetune Gradio interface. The flaw stems from passing user input directly to os.path.join() - supplying an absolute path bypasses the intended base directory entirely. Publicly available exploit code exists, and an upstream patch has been merged via PR #1294.
WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting malicious SQL code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Paroiciel 11.20 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tRecIdListe parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Unauthenticated SQL injection in Pixa Bank 2.0 allows remote attackers to exfiltrate database contents by submitting UNION-based payloads in the 'rib' parameter of the agence-ajax.php endpoint. Publicly available exploit code exists (Packet Storm) and the issue was disclosed by VulnCheck, making opportunistic exploitation likely against any internet-exposed instance. No public exploit identified at time of analysis as actively exploited in the wild (not on CISA KEV), but the trivial attack complexity and existing PoC elevate practical risk.
Path traversal in Banana Slides through 0.4.0 allows unauthenticated remote attackers to read arbitrary image-format files outside the uploads directory via the generate_image() function in the AI service backend. The flaw stems from an incomplete prefix check using os.path.startswith() without a trailing separator, letting sibling directories whose names share the uploads folder prefix bypass containment. Publicly available exploit code exists (GitHub issue #429), and a vendor patch has been released in commit e8bc490.
Stack-based buffer overflow in microtar through 0.1.0 allows remote attackers to corrupt stack memory and potentially achieve code execution when an application using the library parses a malicious TAR archive. The flaw in raw_to_header() uses strcpy() on non-null-terminated 100-byte ustar fields, enabling writes of up to 355 bytes into a 100-byte buffer. Publicly available exploit code exists and the issue was reported by VulnCheck, raising the practical risk despite no current CISA KEV listing.
Arm Whois 3.11 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by overwriting the structured exception handler. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
launch-editor allows users to open files with line numbers in editor from Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Denial of service in lwext4 1.0.0 allows remote attackers to crash applications by supplying a malformed EXT4 filesystem image that triggers a NULL pointer dereference in ext4_dir_en_get_name_len during directory iteration. The flaw affects the 2016-era lwext4 codebase commonly embedded in IoT, bootloaders, and forensic tools that mount untrusted EXT4 images. Publicly available exploit code exists, though EPSS rates real-world exploitation probability as very low (0.02%, 4th percentile).
Stack-based buffer overflow in D-Link DI-7001 MINI routers (firmware up to 19.09.19A1) allows authenticated remote attackers to corrupt memory via the Time parameter passed to the sprintf function in /httpd_debug.asp. Publicly available exploit code exists on GitHub, and the CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact with low privilege requirement and no user interaction. The vulnerability targets an embedded networking appliance commonly deployed at SMB and branch-office perimeters, increasing exposure risk where the management interface is reachable.
Stack-based buffer overflow in D-Link DI-8400 routers through firmware 16.07.26A1 allows authenticated remote attackers to corrupt memory by manipulating the 'str' parameter in /dbsrv.asp, potentially achieving code execution on the device. Publicly available exploit code exists, raising the practical risk despite the requirement for low-level privileges per the CVSS 4.0 vector. The original researcher advisory notes contradictory parameter names, introducing some uncertainty about the exact trigger field.
Stack-based buffer overflow in UTT HiPER 1200GW routers (firmware up to 2.5.3-170306) allows authenticated remote attackers to corrupt memory via the Profile parameter in the /goform/formFireWall endpoint, where unsafe strcpy usage processes the input. Publicly available exploit code exists, increasing the realistic risk of attempted compromise against exposed management interfaces. No CISA KEV listing has been published, so exploitation is not yet confirmed active in the wild.
Stack-based buffer overflow in UTT HiPER 1200GW routers (firmware versions up to 2.5.3-170306) allows remote authenticated attackers to corrupt memory via the strcpy function in the /goform/formTaskEdit endpoint. Publicly available exploit code exists, raising the practical risk despite the requirement for low-level privileges. No KEV listing or EPSS data is provided in the input, so widespread automated exploitation has not been confirmed.
No-Cms 1.0 contains an SQL injection vulnerability in the order_by parameter of the manage_privilege export endpoint that allows authenticated attackers to manipulate database queries. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the eGeqIdEquipe parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Privilege escalation to administrative access in Ivanti Neurons for ITSM (both cloud and on-premises deployments) allows a remote authenticated attacker to bypass access controls and obtain admin-level permissions. The flaw carries a CVSS 8.8 rating with low attack complexity, and Ivanti has published a security advisory; no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Remote code execution in IBM i Access Client Solutions (ACS) versions 1.1.5.0 through 1.1.9.12 allows authenticated attackers to execute arbitrary code on systems where ACS is configured to listen for requests from IBM i Navigator. The flaw, rated CVSS 8.8 with high impact across confidentiality, integrity, and availability, requires low privileges and no user interaction, making it a serious threat in enterprise IBM i environments. There is no public exploit identified at time of analysis and the CVE is not currently in CISA KEV.
Unauthenticated information disclosure in SOPlanning version 1.55 and below allows remote attackers to download backup archives and configuration files directly from backup endpoints without any authentication, exposing the user database with password hashes and sensitive configuration data. The CVSS 4.0 score of 8.8 reflects high confidentiality impact over the network with no privileges or user interaction required, and no public exploit identified at time of analysis. Disclosure was coordinated through CERT.PL, indicating a vetted advisory rather than opportunistic discovery.
Remote code execution in Apache ActiveMQ Broker, ActiveMQ All, and ActiveMQ (versions before 5.19.7 and 6.0.0 before 6.2.6) allows authenticated attackers to bypass the CVE-2026-34197 fix using non-parenthesized discovery wrappers such as `masterslave:vm://...` and `static:vm://...`, which incorrectly pass validation and trigger the VM transport's brokerConfig parameter to load a remote Spring XML application context. The flaw abuses the Jolokia JMX-HTTP bridge at /api/jolokia/ to invoke BrokerService.addNetworkConnector/addConnector MBean operations, resulting in arbitrary code execution on the broker JVM. EPSS is low at 0.06% (19th percentile) and no public exploit identified at time of analysis, but the patch bypass nature and prior in-the-wild interest in ActiveMQ RCE chains warrant urgent patching.
Improper certificate hostname validation in the Apache Directory LDAP API client allows network-positioned attackers to impersonate LDAP servers and intercept authenticated directory traffic. The flaw was disclosed via the oss-security mailing list on 2026-06-01 and is tracked under CWE-297; no public exploit identified at time of analysis. With a CVSS 4.0 score of 8.8 and high confidentiality/integrity impact, the issue is significant for applications that rely on this library to connect to LDAP/LDAPS endpoints.
Memory corruption in Qualcomm Snapdragon Strongbox component allows local low-privileged attackers to trigger a buffer overflow that crosses a security boundary (scope changed) and compromises confidentiality, integrity, and availability of the device. The flaw is reported directly by Qualcomm in the June 2026 security bulletin and carries a CVSS 3.1 base score of 8.8 with no public exploit identified at time of analysis. Strongbox is the hardware-backed keystore used to protect cryptographic material, so successful exploitation undermines a core trust component of Snapdragon-based mobile platforms.
Local privilege escalation in Qualcomm Snapdragon chipsets stems from an out-of-bounds memory access in the Strongbox trusted execution component, where a missing bounds check enables memory corruption from a low-privileged context. A successful exploit crosses a trust boundary (CVSS scope=Changed) and yields high impact to confidentiality, integrity, and availability on the affected device. No public exploit identified at time of analysis, and EPSS data was not provided alongside this advisory.
Privilege escalation in Apache ActiveMQ versions before 5.19.7 and 6.0.0 through 6.2.5 allows authenticated low-privilege web-login users to invoke administrative Jolokia operations such as addQueue and removeQueue due to overly permissive default authorization settings. The CVSS 8.8 score reflects high impact on confidentiality, integrity, and availability, though EPSS exploitation probability sits at just 0.01% and no public exploit identified at time of analysis. The flaw effectively collapses the broker's privilege boundary between normal web users and administrators.
Stored cross-site scripting in Dassault Systèmes DELMIA Service Process Engineer (Process Experience Studio component) across releases 3DEXPERIENCE R2024x through R2026x allows an authenticated low-privilege attacker to inject persistent script payloads that execute in another user's browser session. With a CVSS 3.1 base of 8.7 driven by scope change and high confidentiality/integrity impact, successful exploitation can compromise the victim's 3DEXPERIENCE session data and authority across trust boundaries. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
SQL injection in SOPlanning 1.55 and earlier allows authenticated low-privileged users to inject arbitrary SQL commands across multiple endpoints and parameters, potentially leading to full database compromise. The flaw was reported by CERT Polska and carries a CVSS 4.0 score of 8.7, but no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Credential exposure in Kamsoft KS-SOMED medical software allowed remote unauthenticated attackers to authenticate to the FTP server hosting application update packages by extracting hard-coded credentials from the KSPLUPDFTP.exe and ANEKSKLIENT.EXE modules. While the vendor states the exposed credentials ultimately had only read-only access, the original threat model included an attacker uploading a malicious update file that would propagate to client machines as a legitimate update. No public exploit identified at time of analysis.
Vertex is a management tool for PT (Private Tracker) users to manage streaming and watching videos. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Denial of service in OpenAirInterface5G 2.4.0 (nr-softmodem) allows unauthenticated remote attackers to crash an entire 5G base station by triggering a divide-by-zero in the E2SM-KPM RAN Function's PRB utilization calculation. By flooding E42 subscription requests through the FlexRIC iApp on port 36422/SCTP, an attacker forces consecutive identical PRB aggregate samples that produce a zero divisor, raising SIGFPE and interrupting service for all connected UEs. No public exploit identified at time of analysis, and EPSS probability is very low at 0.03%, but the unauthenticated network vector and total cell outage make this a high-impact availability flaw.
Dräger Infinity Explorer C700 contains a privilege escalation vulnerability that allows attackers to break out of kiosk mode and access the underlying operating system through a specific dialog. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Remote code execution in IBM WebSphere Application Server 9.0 and 8.5 allows authenticated attackers to abuse unsafe Java deserialization in the SAML Web Single Sign-On component to run arbitrary code via a crafted HTTP request combined with a gadget chain. The flaw carries a CVSS 8.5 with scope change, and while no public exploit has been identified at time of analysis, deserialization gadget chains for WebSphere are historically well-researched. IBM has released a patch via support advisory node/7274733.
Local privilege escalation in Fujitsu ServerView Agents for Windows V11.60.04 and earlier enables an authenticated low-privileged user to chain privileges and obtain SYSTEM-level access on the host. The flaw was reported by JPCERT/CC and is documented in JVN advisory JVN67883085 and FSAS Technologies advisory 0529; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in Fujitsu ServerView Agents for Windows version 11.60.04 and earlier allows an authenticated low-privileged user on the host to obtain SYSTEM-level privileges through incorrect permission assignment on a critical resource. The flaw is reported by JPCERT/CC under JVN#67883085 with a CVSS 4.0 score of 8.5; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Cross-workspace Insecure Direct Object Reference in praisonai-platform versions prior to 0.1.4 allows any authenticated workspace member to read, modify, or delete issues belonging to other tenants by supplying a known issue UUID against their own workspace path. The issue CRUD endpoints validate workspace membership but never verify that the targeted issue actually belongs to that workspace, breaking multi-tenant isolation. No public exploit identified at time of analysis, but the vulnerability is source-verified end-to-end with an upstream fix released as version 0.1.4.
Resource exhaustion and stale-state accumulation in FlexRIC v2.0.0 allows unauthenticated remote attackers to bind multiple xApp identifiers to a single SCTP connection via repeated E42_SETUP_REQUEST messages, where only the first xapp_id is cleaned up on disconnect. The remaining orphaned registrations and their subscriptions persist in the iApp, enabling progressive memory/state corruption that maps to the CVSS 8.2 (AV:N/AC:L/PR:N/UI:N) high-availability impact. No public exploit identified at time of analysis and EPSS is very low (0.05%, 17th percentile), but the unauthenticated network reachability of the E2 termination makes this a meaningful availability risk for O-RAN testbeds running this build.
Cross-site scripting via sanitizer bypass affects DOMPurify 3.4.4, the widely used npm HTML sanitization library maintained by cure53. The flaw stems from `<selectedcontent>` being permitted by default, allowing attackers to leverage browser re-cloning behavior so that an XSS payload is reinjected into a subtree DOMPurify has already walked. No public exploit identified at time of analysis in the form of in-the-wild attacks, but a fully working PoC is published in the GHSA advisory and active exploitation status is not listed in CISA KEV.
Reflected cross-site scripting in Kiteworks Secure Data Forms (versions prior to 9.3.0) allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser after the victim is lured into clicking a crafted link. The CVSS 8.2 score is elevated by a changed scope (S:C) and high confidentiality impact, reflecting potential session theft or pivoting against the Kiteworks Private Data Network; no public exploit identified at time of analysis and not present in CISA KEV.
Reflected cross-site scripting in Kiteworks Secure Data Forms prior to version 9.3.0 allows external attackers to execute arbitrary JavaScript in a victim's browser session by tricking them into clicking a crafted link. The flaw carries a CVSS 8.2 due to scope change (S:C) and high confidentiality impact, but exploitation requires user interaction. At time of analysis, no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
SQL injection in the Nextcloud Tables app allows authenticated users with access to the Tables feature to execute arbitrary SQL queries against the backend database via a stored injection vector. Although a 20-byte length limit is imposed on the injected payload, carefully crafted input can break out of this restriction, enabling data extraction and modification. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Cleartext session cookie exposure in CodexBar (a macOS menu bar AI provider client) prior to 0.32.0 allows network-positioned attackers to intercept imported browser session cookies for Amp and Ollama providers. The client failed to enforce HTTPS before reattaching imported cookies when a provider-controlled redirect pointed to a cleartext HTTP endpoint inside the same provider domain, leaking authentication material in plaintext. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Bootloader integrity bypass in Qualcomm Snapdragon platforms allows a high-privileged local attacker to write to a specific partition and load a customized (unsigned or tampered) bootloader, breaking the device's chain of trust. The flaw, reported by Qualcomm itself in its June 2026 security bulletin, carries a CVSS of 8.2 with scope change due to its impact on trusted firmware boundaries, and at the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.
Hardcoded credentials in Apache Solr 9.4.0 through 9.10.1 and 10.0.0 allow remote attackers to obtain full administrative access to clusters that bootstrapped Basic Authentication via the bin/solr auth enable tool. The setup script silently installs template accounts (superadmin, admin, search, index) with publicly known default passwords alongside the user-specified account, and no public exploit identified at time of analysis though the credentials are documented and trivially reusable.
Authenticated remote code execution in Apache ActiveMQ Classic (versions before 5.19.7 and 6.0.0 through 6.2.5) is achievable via the Jolokia JMX-HTTP bridge exposed at /api/jolokia/ on the web console. An authenticated attacker can invoke BrokerService.addNetworkConnector with a crafted masterslave:// discovery URI that loads a Spring XML application context, instantiating attacker-controlled singleton beans (e.g., Runtime.exec()) on the broker JVM. No public exploit identified at time of analysis and EPSS is low (0.06%), but the vendor-released patches and CVSS 8.1 score reflect a significant risk to message brokers exposing the web console.
Privilege escalation in Cloud Foundry smb-volume-release (prior to v3.60.0) and CF Deployment (prior to v56.0.0) lets a low-privileged CF space developer smuggle arbitrary CIFS mount options past the mount-option allowlist, gaining kernel-level mount control on shared Diego cells. The flaw maps to CWE-88 (argument injection) and carries CVSS 8.1 with low-privilege network exploitation; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Improper authorization in the Nextcloud Server CalDAV backend allows an authenticated user who knows another user's principal URL to gain full read/write access to that user's calendar in versions 32.0.0 to before 32.0.9 and 33.0.0 to before 33.0.3. The flaw was reported via HackerOne (report 3545964) and patched in PR 59962 by introducing dedicated ProxyRead/ProxyWrite ACL-aware classes; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authentication bypass in Nextcloud's User OIDC app (versions 0.3.0-3.0.x, 5.0.0-5.0.x, and 6.0.0-6.3.x) allows a malicious ID4me authority to impersonate arbitrary users due to missing JWT signature verification in the ID4me login flow. The flaw stems from a literal 'TODO: VALIATE SIGNATURE!' code comment that left ID tokens accepted without cryptographic validation, enabling identity spoofing once a victim is redirected through the attacker-controlled authority. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
{id} request. The DELETE endpoint enforces only member-level authorization instead of owner-level, and the destructive action is silent, immediate, and without recovery path. No public exploit identified at time of analysis, but source-level analysis confirms the gap and a vendor patch is available.
Cross-workspace Insecure Direct Object Reference in praisonai-platform versions prior to 0.1.4 allows any authenticated workspace member to read and inject comments on issues belonging to any other tenant in a multi-tenant deployment. The comment endpoints validate workspace membership but never verify that the URL-supplied issue_id actually belongs to that workspace, breaking tenant isolation. No public exploit identified at time of analysis, but source-code-level analysis confirms the gap end-to-end.