Remote code execution in BrowserStack Runner through version 0.9.5 allows network-adjacent unauthenticated attackers to execute arbitrary code on the host system by sending crafted JSON to the /_log HTTP handler. The flaw stems from unsafe use of vm.runInNewContext() combined with eval(), and a known sandbox-escape technique via util.format and this.constructor.constructor enables full host compromise. No public exploit identified at time of analysis, but the technique is well-documented and the CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability.
Remote code execution in React Router 7.0.0 through 7.14.1 affects applications running in Framework Mode by chaining an application-level prototype pollution flaw with router internals to achieve unauthenticated RCE on the server. Applications using Declarative Mode (BrowserRouter) or Data Mode (createBrowserRouter/RouterProvider) are unaffected. No public exploit identified at time of analysis; CVSS 8.1 reflects high impact tempered by high attack complexity due to the prerequisite prototype pollution gadget.
Two-factor authentication bypass in the Really Simple Security WordPress plugin before 9.5.10.1 allows attackers who already possess a valid username and password to hijack a fully authenticated WordPress session without completing the email OTP challenge. Two REST endpoints in the plugin's 2FA flow fail to enforce the second-factor challenge, effectively neutralizing the MFA protection the plugin is marketed to provide. Publicly available exploit code exists (WPScan), and a vendor patch has been released.
Unauthenticated SQL injection in the ARMember Premium WordPress plugin (versions up to and including 7.3.1) allows remote attackers to extract sensitive database contents by injecting crafted values into the 'order' and 'orderby' parameters of the arm_directory_paging_action AJAX endpoint. With CVSS 7.5 reflecting confidentiality-only impact and no public exploit identified at time of analysis, the bug is reachable without credentials but EPSS data was not provided to estimate exploitation likelihood.
Denial of service in React Router 7.0.0-7.14.x and @remix-run/server-runtime 2.10.0-2.17.4 allows remote unauthenticated attackers to exhaust server resources by sending crafted requests to the __manifest endpoint, which triggers unbounded path expansion. Only applications running in React Router Framework Mode or Remix are affected; Declarative Mode (<BrowserRouter>) and Data Mode (createBrowserRouter) deployments are not. No public exploit identified at time of analysis, and the issue is patched in react-router 7.15.0 and @remix-run/server-runtime 2.17.5.
Client-side Cross-Site Scripting in React Router 7.7.0 through 7.13.1 affects applications using the unstable React Server Components (RSC) APIs, where redirect handling fails to sanitize destinations originating from untrusted sources. An attacker who can influence redirect targets consumed by RSC handlers may inject script payloads that execute in the victim's browser, with no public exploit identified at time of analysis. The advisory is published as GHSA-rxv8-25v2-qmq8 and the issue is fixed in 7.13.2.
Arbitrary file disclosure in BrowserStack Runner versions through 0.9.5 allows unauthenticated network-adjacent attackers to read sensitive files outside the project root by abusing a path traversal flaw in the default HTTP handler of lib/server.js. Because the embedded test server binds on all interfaces by default, any attacker on the same network segment (Wi-Fi, VLAN, or shared LAN) can retrieve source code, credentials, or environment files. No public exploit identified at time of analysis, but a GitHub Security Advisory (GHSA-8rpw-6cqh-2v9h) has been published.
Open redirect in React Router's programmatic `redirect()` function allows unauthenticated remote attackers to redirect users to arbitrary external domains by supplying path values beginning with `//`, which browsers interpret as protocol-relative (scheme-relative) URLs. Affected are applications in the v7 series (7.0.0-7.14.0) and v6 series (6.7.0-6.30.3) that expose user-influenced input to `redirect()` without validating the path prefix. No public exploit identified at time of analysis - CVSS 4.0 supplemental metric E:U (Unreported) confirms no known active exploitation - but the technique is trivially constructible from the advisory description alone, and patched releases 7.14.1 and 6.30.4 are available.
Stored XSS in Appsmith's SQL query editor autocomplete allows an authenticated Developer-role user to inject persistent malicious JavaScript via crafted database table or column names that are rendered unsanitized through innerHTML. When other workspace members interact with the same datasource's query editor, the injected script executes in their browser session, enabling session token theft and unauthorized actions with high confidentiality impact (CVSS C:H). A public proof-of-concept exploit exists (Stuub/Appsmith-1.98-Stored-XSS-Exploit on GitHub), and the vulnerability was reported by CERT/CC, materially elevating practical exploitation risk above what the CVSS 6.3 Medium score alone implies.
Credential disclosure in Progress Sitefinity 14.0.7700-15.4.8630 allows remote unauthenticated attackers to retrieve plaintext credentials used to connect to the Sitefinity Insight analytics service. The CVSS 10.0 score reflects network-reachable, no-auth, no-interaction exploitation with cross-scope impact, though exploitation is gated on the site having active Sitefinity Insight integration and a non-default configuration. No public exploit identified at time of analysis and the vendor (Progress) is the sole reporting source via a May 2026 advisory.
Unauthenticated access control bypass in Progress Sitefinity 15.4.8623 (fixed in 15.4.8630) enables remote attackers to reach restricted content via the product's web services, leading to full compromise of confidentiality, integrity, and availability. The CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating reflects trivial network-reachable exploitation, and Progress has issued a coordinated advisory covering this and four sibling CVEs; no public exploit identified at time of analysis.
Authentication bypass in authentik identity provider (versions prior to 2025.12.6, 2026.2.4, and 2026.5.1) allows remote unauthenticated attackers to circumvent the Source stage by submitting an empty POST request. With a CVSS score of 9.8 and CWE-287 (Improper Authentication), this flaw effectively defeats a core identity verification control; no public exploit identified at time of analysis, though the trivial trigger condition makes weaponization straightforward once details are widely studied.
HTTP response header injection in CrowCpp Crow through v1.3.1 allows remote attackers to inject arbitrary CR/LF sequences into response headers when application code passes unvalidated input to header-setting APIs. The flaw stems from the framework not stripping \r\n characters in header keys or values, enabling CRLF injection that can lead to response splitting, cache poisoning, or XSS depending on how the embedding application uses user input. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the upstream fix in PR #1167 confirms the issue and provides a sanitization routine.
Account takeover in the ARMember Premium WordPress plugin through version 7.3.1 stems from the plugin storing a plaintext password reset key in the `arm_reset_password_key` user meta field alongside WordPress core's properly hashed token. When chained with the companion SQL injection issues CVE-2026-5073/5074, an unauthenticated attacker can extract the plaintext key and invoke the plugin's `armrp` reset action to set a new password for any user, including administrators. No public exploit identified at time of analysis, though the chain is described in detail by Wordfence and the CVSS 9.8 rating reflects unauthenticated remote compromise.
Privilege escalation in Themeisle Masteriyo LMS PRO (WordPress plugin) up to and including version 2.20.0 allows remote unauthenticated attackers to gain elevated privileges through incorrect privilege assignment (CWE-266). The CVSS 9.8 score reflects network-reachable, no-authentication exploitation with high impact to confidentiality, integrity, and availability; no public exploit identified at time of analysis, but the Patchstack advisory confirms the flaw class and affected version range.
Account takeover in the Kirki Freeform Page Builder WordPress plugin (versions 6.0.0 through 6.0.6) allows unauthenticated remote attackers to hijack any registered account, including administrators, by redirecting password reset links to attacker-controlled email addresses. The flaw stems from the plugin honoring an arbitrary email value supplied alongside a valid username in password reset requests, breaking the trust binding between account and recovery destination. No public exploit identified at time of analysis, but the trivial nature of the bug and Wordfence's published advisory make weaponization straightforward.
{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to transmit CREDS_KEY, CREDS_IV, JWT_SECRET, and MONGO_URI to an attacker-controlled host. No public exploit identified at time of analysis, and the issue is fixed in 0.8.4-rc1.
Authentication bypass in sayan365's Student Management System exposes multiple protected endpoints to remote unauthenticated attackers, allowing unauthorized access to application functionality across the entire codebase up to commit 7f3c9ce7d410332335c2affac93a385485051800. The CVSS 4.0 vector confirms trivial, unauthenticated network exploitation (AV:N/AC:L/AT:N/PR:N/UI:N), and publicly available exploit code exists per the E:P maturity modifier and GitHub issue #4. The maintainer has not responded to responsible disclosure, leaving no patch available and the exploit window open indefinitely.
Missing authentication in GoClaw's Webhook Verification Handler allows unauthenticated remote attackers to interact with webhook endpoints without valid credentials, affecting all versions up to and including 3.11.3. The flaw resides in the `resolveAuth` function within `internal/http/auth.go`, where the authentication check can be bypassed entirely. A publicly available exploit has been disclosed (GitHub issue #1134), and the project acknowledges the issue as a bug; no confirmed patched release has been identified at time of analysis.
Unbounded memory allocation in warmcat libwebsockets up to 4.5.8 allows remote unauthenticated attackers to exhaust server heap resources by sending SSH packets with a crafted oversized `msg_len` value, resulting in denial of service. The vulnerability is confined to deployments using the optional SSH server plugin (`protocol_lws_ssh_base`) and carries a CVSS 5.3 Medium rating with no confidentiality or integrity impact. A public proof-of-concept exploit exists and the CVSS temporal vector confirms exploit availability (E:P) and an official patch (RL:O); no CISA KEV listing indicates no confirmed widespread in-the-wild exploitation as of the analysis date.
SQL injection in code-projects Student Admission System 1.0 allows remote unauthenticated attackers to manipulate the 'eid' and 'did' parameters in /index.php to inject arbitrary SQL queries. Publicly available exploit code exists (referenced via GitHub issue tracker), increasing the likelihood of opportunistic attacks against exposed deployments. The vulnerability carries a CVSS 3.1 base score of 7.3, with low impact across confidentiality, integrity, and availability, but no special prerequisites for exploitation.
Remote code execution in Wirtualna Uczelnia (versions up to wu#2016.437.295#0#20260327_105545) allows unauthenticated network attackers to execute arbitrary commands via Server-Side Template Injection in the redirectToUrl endpoint's redirectUrlParameter. The CVSS 4.0 base score of 9.3 reflects no authentication, no user interaction, and high impact across confidentiality, integrity, and availability; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV. Disclosure originated from CERT-PL, indicating a vetted advisory channel for this Polish academic management product.
Remote code execution in OpenMed before 1.5.2 allows unauthenticated attackers to execute arbitrary Python code on the OpenMed service by abusing broad substring matching in the PII privacy-filter model dispatcher to load attacker-controlled Hugging Face repositories with trust_remote_code=True. The flaw, reported by VulnCheck and tracked as CWE-94 (Code Injection), carries a CVSS 4.0 score of 9.3 and a vendor-released patch is available; no public exploit identified at time of analysis.
Cross-site scripting in authentik identity provider versions prior to 2025.12.5 and 2026.2.3 allows remote attackers to execute arbitrary JavaScript in a victim's browser by abusing the AutosubmitStage within the Simple Flow Executor (SFE). With a CVSS of 9.3 reflecting scope change and high impact to confidentiality/integrity, exploitation enables session hijacking against an identity provider, but no public exploit identified at time of analysis.
Blind SQL injection in the WP Job Portal WordPress plugin (versions up to and including 2.5.1) allows remote unauthenticated attackers to manipulate backend database queries by sending crafted input to vulnerable parameters. The flaw carries a CVSS 9.3 rating due to network-reachable, no-privileges, no-user-interaction exploitation with scope change, and no public exploit code has been identified at time of analysis. The vulnerability was reported through Patchstack's WordPress security program, with no CISA KEV listing.
Unauthenticated remote code execution in Spacelabs Healthcare Sentinel (versions 10.5.x and 11.x prior to 11.6.0) allows network attackers to drop ASPX webshells into the IIS wwwroot via a legacy .NET Remoting HTTP channel on TCP/8989. The flaw stems from missing authentication (CWE-306) on a deprecated Microsoft remoting endpoint, and while a vendor patch is available, no public exploit identified at time of analysis. Exploitation requires that port 8989 has been deliberately exposed to the network, since it is not reachable in default Sentinel deployments.
Remote code execution in the Content Visibility for Divi Builder WordPress plugin (versions ≤ 4.02) allows authenticated attackers with Contributor-level access or higher to execute arbitrary PHP on the server by abusing the 'cvdb_content_visibility_check' parameter of the 'et_pb_text' shortcode. The flaw is a CWE-94 code injection issue disclosed by Wordfence and carries a CVSS 3.1 score of 8.8. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Remote code execution in Vivotek FD8136 IP cameras running firmware FD8136-VVTK-0300a allows authenticated attackers to gain root-level command execution by triggering a buffer overflow in the /cgi-bin/admin/eventtask.cgi admin endpoint. Publicly available exploit code exists in a GitHub research repository, though EPSS scoring (0.09%, 25th percentile) suggests low observed exploitation activity and the CVE is not listed in CISA KEV.
Account compromise in Progress Sitefinity CMS (14.1.x-15.4.x prior to the May 2026 fix train) allows a remote unauthenticated attacker to violate the integrity and confidentiality of user accounts when an administrator runs a non-default site configuration and a victim is induced to interact with attacker-controlled content. The flaw is rooted in improper input validation (CWE-20) in Sitefinity's web services and carries a high CVSS of 8.8, but no public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Authenticated remote code execution in Vivotek FD8136 IP cameras running firmware FD8136-VVTK-0300a allows attackers with valid admin-interface credentials to overflow a buffer in the /cgi-bin/dido/setdo.cgi endpoint and execute arbitrary code as root. No public exploit identified at time of analysis, though a vulnerability research repository on GitHub describes the issue, and EPSS estimates exploitation probability at 0.05% (17th percentile), suggesting low broad-scale exploitation interest despite the high CVSS 8.8 score.
Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors versions VG4.1.1, VG4.0.3, and lower (with VG4.2 partially affected) contain a network message handling vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authenticated account takeover in Progress Sitefinity 15.2.x, 15.3.x, and 15.4.x allows a low-privileged remote user to modify account properties belonging to other users - including potentially higher-privileged accounts - by manipulating user-controlled identifiers in web service requests. The flaw is an IDOR-style authorization bypass (CWE-639) and, while no public exploit has been identified at time of analysis, the 8.8 CVSS rating reflects realistic escalation to account compromise once a foothold exists. No vendor-released patch data, KEV listing, or EPSS score was supplied with this advisory.
Authentication bypass in authentik identity provider versions prior to 2025.12.6, 2026.2.4, and 2026.5.1 allows a low-privileged attacker who can modify a source connection and holds an account in one of the configured external sources to log into any account on the system. The flaw (CWE-287) carries a CVSS 8.8 rating with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors running software versions VG4.1.1, VG4.0.3, and lower contain network message handling vulnerabilities that allow. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
HAProxy configuration injection in Red Hat OpenShift Container Platform 4 allows a low-privileged tenant with permission to create or modify Route resources to inject controlled directives into the cluster ingress configuration via the spec.path field. No public exploit identified at time of analysis, but the CVSS 8.8 score with scope change (S:C) reflects the ability to break out of the tenant boundary and impact the shared HAProxy router serving the entire cluster.
Default credential exposure in Roche Diagnostics navify Digital Pathology (versions 2.0.0 through 2.4.0) lets remote unauthenticated attackers log into the embedded RabbitMQ Management interface using factory-shipped usernames and passwords. CVSS 4.0 rates the issue 8.8 with network attack vector and no privileges required, and no public exploit identified at time of analysis. Successful access exposes message-broker administration, enabling data interception, queue manipulation, and downstream tampering with pathology workflows.
Privilege-bound arbitrary code execution in ThimPress Thim Core (WordPress plugin) versions through 2.3.3 allows authenticated low-privilege users to bypass authorization checks and execute arbitrary code on affected sites, per Patchstack's advisory tagging this as an authentication bypass leading to RCE. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability with low attack complexity over the network. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service vulnerability that allows network-adjacent attackers to trigger high CPU load by sending specially crafted,. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
Credential exposure in Progress Sitefinity versions 8.0.5700 through 13.3.7652 allows authenticated back-end users to retrieve plain-text credentials used by the CMS to connect to the Sitefinity Insight analytics service. The CVSS 3.1 score of 8.7 with scope change (S:C) reflects that stolen Insight credentials can pivot into an adjacent system beyond the CMS itself. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; EPSS data was not provided in the input.
Arbitrary command execution in Amazon Kiro IDE versions prior to 0.11 allows remote attackers to plant malicious task definitions (e.g., .vscode/tasks.json) via the IDE's file write tool, which then auto-execute when a developer opens the affected workspace folder. The CVSS 4.0 score of 8.6 reflects network-reachable abuse with high confidentiality, integrity, and availability impact contingent on a single user action (folder open). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Out-of-bounds write in the Bitdefender Napoca bare-metal hypervisor allows a low-privileged guest to corrupt hypervisor heap memory via crafted SS:SP register values processed by the real-mode hook handler. The flaw, tracked as EUVD-2026-33944 and reported by Bitdefender itself, affects an end-of-life product with no public exploit identified at time of analysis. Successful exploitation breaks the guest-to-hypervisor boundary, yielding total compromise of confidentiality, integrity, and availability of the host hypervisor.
Out-of-bounds heap write in the Bitdefender Napoca bare-metal hypervisor lets a malicious guest VM operating in real mode corrupt hypervisor memory through a crafted INT 0x15/E820 BIOS call, potentially enabling guest-to-host escape. The flaw resides in napoca/guests/bios_handlers.c, which computes a write offset from attacker-controlled ES:EDI register values without bounds checking against the 1MB RealModeMemory buffer. No public exploit identified at time of analysis, and CISA SSVC classifies exploitation status as 'none' - but the product is end-of-life and unsupported, raising the long-term risk profile.
Stored cross-site scripting in GLPI before 11.0.7 allows an attacker with write access to the knowledge base to embed a persistent XSS payload that executes in the browsers of users who later view the affected knowledge base item. The flaw was reported by Fluid Attacks and is rated High severity (CVSS 8.4) by the vendor, who shipped a fix in the 11.0.7 security release; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Local privilege escalation in National Instruments NI-PAL versions 26.3.0 and earlier on Windows and Linux allows authenticated low-privileged users to read arbitrary system memory through improper input validation, potentially leading to full privilege escalation. CVSS 4.0 base score is 8.4 (High) reflecting the local attack vector but high confidentiality and integrity impact. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Dräger Protector Software prior to version 6.4.2 contains a local privilege escalation vulnerability due to insecure file system permissions that allows local attackers to execute arbitrary code with. Rated high severity (CVSS 8.3), this vulnerability is no authentication required, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.
Dräger Protector Software prior to version 6.4.2 contains a local privilege escalation vulnerability due to insecure file system permissions that allows local attackers to execute arbitrary code with. Rated high severity (CVSS 8.3), this vulnerability is no authentication required, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.
Dräger CC-Vision Basic before 7.5.3 and Dräger CC-Vision E-Cal before 7.2.5.0 contain an out-of-bounds write vulnerability when loading .gdt files. Rated high severity (CVSS 8.3), this vulnerability is no authentication required, low attack complexity.
OTP authentication bypass in MISP affects deployments where LdapAuth.mixedAuth=true is combined with Security.require_otp=true, allowing attackers with valid LDAP (or other plugin) credentials to skip the mandatory second factor. Because the plugin-driven login establishes the session during the AppController beforeFilter phase, an attacker can authenticate, ignore the /users/otp challenge page, and browse directly to any authorized application URL as the victim. No public exploit identified at time of analysis, though the upstream commit clearly documents the bypass technique.
Denial-of-service in SolarWinds Web Help Desk allows remote unauthenticated attackers to crash the server by exhausting available memory. The flaw is network-reachable with low attack complexity and requires no privileges or user interaction (CVSS 8.2), and no public exploit identified at time of analysis. The issue was reported by SolarWinds and addressed in the Web Help Desk 2026.2 release.
Authentication bypass in Collibra Platform's REST API allows remote unauthenticated attackers to reach privileged functionality through exposed '/rest/*' endpoints across multiple SaaS and on-premises release trains. The flaw carries a CVSS 8.2 (high) score reflecting network-reachable, no-privilege exploitation with high confidentiality impact, and no public exploit identified at time of analysis. A vendor patch has been issued across all affected branches, and reporting via CERT/CC (VU#873170) indicates coordinated disclosure rather than active exploitation.