Denial-of-service in elixir-tesla Tesla versions 0.6.0 through 1.18.2 allows remote servers to crash or freeze calling Elixir/BEAM processes by returning a tiny gzip- or deflate-encoded response body that decompresses into gigabytes. The flaw lives in Tesla.Middleware.DecompressResponse / Tesla.Middleware.Compression, which eagerly inflated response bodies with no size cap and recursed once per token in the content-encoding header, so a header of 'gzip, gzip, gzip, gzip' produced exponential amplification. No public exploit identified at time of analysis, but the vendor has shipped a patch in 1.18.3 and the CVSS 4.0 score of 8.2 (VA:H) reflects high availability impact.
Credential leakage in elixir-tesla (Tesla HTTP client for Elixir) versions 1.4.0 through 1.18.2 allows Authorization and Host headers to be forwarded to attacker-controlled origins during cross-origin HTTP redirects. The Tesla.Middleware.FollowRedirects component compares header names case-sensitively against a lowercase filter list, so headers using the RFC 7235 canonical casing (e.g., 'Authorization') bypass stripping and reach the redirect target. No public exploit identified at time of analysis, but the upstream fix is committed and a patched release (1.18.3) is available.
Denial of service in the Elixir Tesla HTTP client (versions 1.3.0 through 1.18.2) when using the Tesla.Adapter.Mint adapter allows remote attackers to crash the entire BEAM VM by exhausting the atom table. Each request whose URL scheme is attacker-controlled mints a fresh, never-garbage-collected atom via String.to_atom/1, and after roughly 1,048,576 such requests the VM terminates. No public exploit identified at time of analysis, but the upstream fix and a regression test that asserts no atoms are minted for unknown schemes are both publicly visible on GitHub.
Weak password hashing in QloApps through 1.7.0 enables credential compromise because Tools::encrypt() in classes/Tools.php hashes passwords with unsalted MD5 concatenated with a static cookie key, allowing offline brute-force recovery of customer and employee credentials. The risk is amplified by an 8-character auto-generated password used during guest-to-customer conversion in classes/Customer.php, making cracked hashes practically trivial. No public exploit identified at time of analysis, but the upstream fix in commit 64e9722 replaces MD5 with the PasswordHashing class for credential storage.
Denial of service in Docker Desktop versions 4.33.0 through 4.75.x allows a local low-privileged user inside a container to crash the underlying Linux VM by triggering unbounded recursion in the grpcfuse kernel module. The flaw is exercised by creating deeply nested directories on a bind-mounted host folder and forcing a dentry invalidation event, which panics the virtualization layer that backs the entire Docker engine. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Information disclosure in AWS Graph Explorer before v3.0.1 occurs because the bundled proxy server silently falls back to plaintext HTTP when its TLS certificate files cannot be loaded, causing requests intended for HTTPS to traverse the network unencrypted. Network-positioned attackers can intercept these requests and harvest sensitive graph queries, headers, or credentials. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Memory exhaustion in the Elixir Mint HTTP/2 client (versions 0.1.0 through 1.8.x) allows a malicious or compromised HTTP/2 server to crash the client's BEAM process via a CONTINUATION frame flood. The client's receive path buffers HEADERS and CONTINUATION fragments into an unbounded accumulator because SETTINGS_MAX_HEADER_LIST_SIZE defaulted to :infinity and was only enforced on outbound requests, so a single attacker-controlled endpoint can force unlimited iolist growth until the process dies. No public exploit identified at time of analysis, but a verified upstream patch and detailed advisory exist.
Memory exhaustion in elixir-mint Mint HTTP/2 client (versions 0.2.0 through 1.8.x) allows a malicious HTTP/2 server to crash the client process by flooding PUSH_PROMISE frames without follow-up HEADERS, since reserved stream entries bypass the max_concurrent_streams cap. CVSS 4.0 score is 8.2 with attack vector network and high availability impact, but no public exploit is identified at time of analysis and the bug requires the client to connect to a hostile server. Server push is accepted by default (enable_push=true), so any Mint-based HTTP client reaching an attacker-controlled origin is exposed.
Path traversal in Jupyter Server 2.17.0 allows authenticated users to read and write files in sibling directories outside the configured root, via a flawed startswith() boundary check in _get_os_path() combined with to_os_path() failing to strip '..' sequences. With CVSS 8.1 (high confidentiality and integrity impact) and a publicly available proof-of-concept disclosed through huntr, the issue is particularly dangerous in shared/multi-tenant hosting where multiple Jupyter instances share a parent directory. EPSS is currently low (0.05%), and there is no public exploit identified at time of analysis beyond the huntr POC reference.
PHP object injection in the Elated-Themes Askka WordPress theme through version 1.3.1 allows remote attackers to deserialize untrusted data, potentially leading to arbitrary code execution, file manipulation, or full site compromise depending on available gadget chains. The CVSS score of 8.1 reflects high impact across confidentiality, integrity, and availability, though high attack complexity (AC:H) tempers immediate exploitability. No public exploit identified at time of analysis.
Local File Inclusion in Select-Themes WaveRide WordPress theme versions up to and including 1.4 allows remote attackers to coerce the application into including arbitrary local PHP files via improper validation of a filename used in an include/require statement. The flaw is rated CVSS 8.1 (high) with network attack vector and no authentication required, though high attack complexity tempers exploitability; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local File Inclusion in Code Supply Co. Blueprint WordPress theme versions prior to 1.1.5 allows remote unauthenticated attackers to include arbitrary local PHP files through improper filename validation in include/require statements. CVSS rates the issue 8.1 (High) with high attack complexity, and no public exploit has been identified at time of analysis. Despite the CWE-98 classification suggesting Remote File Inclusion, the vendor advisory explicitly scopes the impact to Local File Inclusion.
Local File Inclusion in Axiomthemes Racquet WordPress theme (versions through 1.12.0) allows remote unauthenticated attackers to include arbitrary local PHP files via improperly validated filename input, leading to information disclosure and potential code execution. The flaw is classified as CWE-98 (PHP Remote File Inclusion) with a CVSS 8.1 (High) rating, though high attack complexity (AC:H) tempers its real-world exploitability. No public exploit identified at time of analysis, and the issue was reported through the Patchstack research program.
Local File Inclusion in androThemes Cookiteer WordPress theme versions up to and including 1.4.8 allows remote unauthenticated attackers to include and execute arbitrary local PHP files on the underlying server. The flaw is classified as PHP Remote File Inclusion (CWE-98) but the practical impact described is LFI, which can lead to sensitive information disclosure and potential code execution through log poisoning or session file abuse. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Local File Inclusion in Axiomthemes Fermentio WordPress theme through version 1.5.0 allows remote unauthenticated attackers to include arbitrary local files via improperly controlled filename parameters in PHP include/require statements. The flaw is tracked under CWE-98 (PHP Remote File Inclusion) but per the description is exploitable as LFI, with no public exploit identified at time of analysis and high attack complexity reflected in the CVSS vector.
Local File Inclusion in the Axiomthemes Spin WordPress theme (versions up to and including 1.8) allows remote attackers to coerce the PHP runtime into including arbitrary local files via an unsanitized filename parameter passed to an include/require statement. Successful exploitation can disclose sensitive configuration data (such as wp-config.php) and, depending on server configuration, escalate into remote code execution by including attacker-controlled content. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
PHP object injection in the Elated-Themes Töbel WordPress theme (versions up to and including 1.8.1) allows remote attackers to trigger unsafe deserialization of attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or data tampering depending on available POP gadgets. Rated CVSS 8.1 (High) with no public exploit identified at time of analysis and no CISA KEV listing, though the network attack vector and lack of authentication requirement make it a meaningful risk to any WordPress site running the theme.
Object injection in the Elated-Themes Aperitif WordPress theme through version 1.6 allows remote attackers to trigger PHP deserialization of attacker-controlled data, potentially leading to code execution, file manipulation, or full site compromise when a suitable gadget chain is present. CVSS 8.1 reflects high impact across confidentiality, integrity, and availability, though attack complexity is rated High. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local file inclusion in the Axiomthemes Crafti WordPress theme (versions up to and including 1.12) allows remote unauthenticated attackers to coerce the PHP runtime into including arbitrary local files through improperly validated include/require parameters. Successful exploitation can lead to disclosure of sensitive server-side files, configuration data, and under certain conditions code execution via included content. No public exploit identified at time of analysis, but the issue is catalogued by Patchstack in their WordPress vulnerability database.
Local File Inclusion in Axiomthemes Confidant WordPress theme (versions up to and including 1.4) allows remote unauthenticated attackers to include arbitrary local PHP files on the server, potentially leading to sensitive information disclosure and code execution. The vulnerability is reported by Patchstack with a CVSS 8.1 (High) rating; no public exploit identified at time of analysis and the CVE is not present in CISA KEV. The high attack complexity (AC:H) suggests exploitation requires specific conditions to be met, despite the network-reachable, no-auth attack surface.
Sandbox escape in alf.io ticket reservation system prior to version 2.0-M5-2606 allows an authenticated administrator to break out of the Rhino JavaScript extension engine and execute arbitrary OS commands on the host. The flaw stems from an unguarded injected `returnClass` Java object combined with an incomplete AST blocklist, enabling reflection-based escape without triggering validation. No public exploit identified at time of analysis, but the vendor advisory (GHSA-3w8f-mcf6-cm7h) confirms the issue and a patched release is available.
Client-side cross-site scripting in React Router 7.7.0 through 7.13.1 allows remote attackers to execute arbitrary script in a victim's browser when the application uses the unstable React Server Components (RSC) APIs and processes redirects originating from untrusted sources. The flaw is patched in 7.13.2; no public exploit identified at time of analysis and the vulnerability does not affect deployments that do not opt into the RSC APIs.
Local code execution in NVIDIA NVTabular allows a low-privileged attacker to abuse insecure deserialization of untrusted data, potentially leading to arbitrary code execution, data tampering, and information disclosure on the host running the library. The flaw carries a CVSS 7.8 (High) rating with confidentiality, integrity, and availability all marked High, and currently no public exploit identified at time of analysis. NVTabular is a tabular feature-engineering library used in recommender-system pipelines, so the practical blast radius is data-science workstations and ML training nodes.
Local code execution in NVIDIA NVTabular allows an authenticated low-privileged user to abuse improper deserialization of untrusted data to run arbitrary code, tamper with data, and disclose sensitive information. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:L/UI:N) reflecting a local attack vector with low complexity and low privileges; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Local privilege escalation in Dell ThinOS 10 versions prior to ThinOS10 2602_10.0765 allows a low-privileged user with local access to elevate to higher privileges due to improper access control (CWE-284). The CVSS 3.1 base score of 7.8 reflects high impact on confidentiality, integrity, and availability, though exploitation requires existing local foothold. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local credential exposure in Genetec Security Center main server installations allows an attacker with local OS privileges on the main server host to retrieve Server Admin credentials, enabling escalation to full Security Center administrative control. The flaw is tied to specific vulnerable installer builds rather than version numbers, meaning hosts running 5.10.4.0, 5.11.3.0, 5.12.2.0 or 5.13.3.0 may or may not be vulnerable depending on the installation package hash. No public exploit identified at time of analysis and no evidence of active exploitation per the vendor advisory.
Authentication bypass in prefecthq/prefect 3.6.19 allows remote unauthenticated attackers to access sensitive API endpoints by naming resources with paths ending in 'health' or 'ready', exploiting overly broad suffix-matching in the auth middleware exemption logic. Confirmed exploitable per the huntr.com bounty disclosure and validated by the upstream patch which replaces suffix matching with exact path comparison. No public exploit identified at time of analysis, and no EPSS or KEV signal is provided in the available data.
Arbitrary file write in Collibra Agent's restore handler allows remote unauthenticated attackers to drop files outside the intended extraction directory by submitting a crafted ZIP archive that abuses unsanitized path entries during extraction. The flaw affects multiple Collibra Platform SaaS and on-premises release trains and carries a CVSS 3.1 score of 7.5 (integrity-only impact). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV, but a vendor patch is available.
Algorithmic complexity denial of service in the Go standard library's mime package allows remote unauthenticated attackers to consume excessive CPU by submitting MIME headers containing many invalid encoded-words. Affected Go releases include mime versions before 1.25.11 and 1.26.0-0 through versions prior to 1.26.4, with a patch available from upstream Go. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the network-reachable, no-auth attack surface makes this relevant for any Go service that parses untrusted MIME input.
Information disclosure in Mozilla Firefox prior to 151.0.3 allows remote attackers to read out-of-bounds memory via the Graphics: Text component when processing crafted content. The flaw stems from incorrect boundary conditions (CWE-119) in text rendering and can be triggered without user authentication, though no public exploit has been identified and EPSS scores it at just 0.02% likelihood of exploitation.
Information disclosure in the Five Star Restaurant Reservations WordPress plugin (versions up to and including 2.7.14) allows unauthenticated remote attackers to bypass access control checks due to a missing authorization flaw (CWE-862). Patchstack characterizes the issue as a payment bypass vulnerability, meaning attackers can exercise restaurant reservation or payment-related functionality that should require proper authorization. No public exploit identified at time of analysis, and EPSS is very low (0.02%), suggesting it is not currently being mass-exploited.
Authentication bypass in Liquid Web / StellarWP BookIt WordPress plugin versions before 2.5.4.1 allows remote unauthenticated attackers to abuse the password recovery channel to take over accounts. The flaw maps to CWE-288 (alternate path/channel) and carries a CVSS 7.5 (high) integrity impact; no public exploit identified at time of analysis, though Patchstack has catalogued the issue for the WordPress ecosystem.
Broken access control in the EventPrime WordPress plugin (versions up to and including 4.3.2.0) allows unauthenticated remote attackers to modify or tamper with data due to incorrectly configured access control security levels. The flaw, reported by Patchstack and tracked as CWE-862 (Missing Authorization), carries a CVSS 3.1 base score of 7.5 with an integrity-only impact; no public exploit identified at time of analysis.
Local file inclusion in the UnboundStudio Accordion FAQ WordPress plugin (versions up to and including 2.2.1) allows authenticated remote attackers to include and execute arbitrary PHP files from the server filesystem via improperly controlled include/require statements. The flaw, reported by Patchstack and tagged as LFI/Information Disclosure, can lead to full compromise of the WordPress instance through disclosure of sensitive configuration data (e.g., wp-config.php) and potential code execution if attacker-controlled files are reachable. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Sandbox escape in Sony PlayStation 4 firmware versions 13.00 through 13.02 allows attackers to break out of the BD-J (Blu-ray Disc Java) sandbox by supplying a malformed JAR file, leading to privilege escalation with full impact on confidentiality, integrity, and availability. The flaw, tracked via HackerOne report 3452696 and CWE-367 (TOCTOU race condition), is rated CVSS 7.4 because the local attack vector and high attack complexity offset the unauthenticated nature of the exploit. EPSS is 0.02% (5th percentile) and no public exploit identified at time of analysis.
Cleartext SIP signaling in Verizon's VoLTE/IMS infrastructure allows an on-path attacker positioned on the radio or core network to intercept and tamper with VoIP call signaling because IPsec integrity protection (Security-Client/Security-Server headers and ESP-protected traffic) is not enforced. The flaw, reported by CERT/CC and tracked as EUVD-2026-33945, affects an unspecified Verizon IMS deployment and enables disclosure of call metadata, caller identity spoofing, and signaling manipulation. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.01%.
Arbitrary code execution in the aiohttp Python framework (versions prior to 3.14.0) arises when CookieJar.load() deserializes an attacker-controlled file, classed as CWE-502 unsafe deserialization. An attacker who can plant or substitute the persisted cookie file and induce the application to load it gains code execution in the host process. There is no public exploit identified at time of analysis, EPSS is very low (0.06%), and CISA SSVC rates exploitation as none - consistent with the library's own note that the function is normally used on the user's own trusted data.
Remote code execution in VIVOTEK FD8136 network camera (firmware VVTK-0300a) is possible via a stack-based buffer overflow in the set_getparam.cgi component, reachable over the network without authentication. CVSS 7.3 reflects partial CIA impact, but the presence of public vulnerability-research artifacts on GitHub indicates publicly available exploit code exists, while EPSS remains low at 0.05% (17th percentile) and the issue is not currently listed in CISA KEV.
Dräger SC Monitoring devices (SC 6002XL, SC 6802XL, SC 7000, SC 8000, SC 9000 XL) contain hard-coded plaintext credentials in source code and a denial-of-service vulnerability that allows local and. Rated high severity (CVSS 7.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Stored cross-site scripting in GLPI versions 11.0.0 through 11.0.6 allows an authenticated technician to persist a malicious payload inside ITIL cost records, which then executes in the browser of any user who later views the affected ticket or change. The flaw is fixed in 11.0.7 and there is no public exploit identified at time of analysis, but the high CVSS 4.0 score (7.1) reflects the broad confidentiality/integrity/availability impact on the victim's session once triggered.
Cross-user API key overwrite in LibreChat versions up to and including 0.7.6 allows any authenticated user to replace another user's stored provider API keys (OpenAI, Anthropic, Azure) by injecting a userId parameter into PUT /api/keys requests. The flaw stems from an Insecure Direct Object Reference where the JavaScript spread operator overrides the server-set authenticated user ID, enabling conversation hijacking or denial of service. No public exploit identified at time of analysis, and the issue is fixed in 0.8.3-rc1.
Denial of service in TP-Link Tapo C200 v5 IP cameras allows adjacent network attackers to crash the RTSP service and force a device reboot by sending a crafted Authorization header in an RTSP authentication request. The flaw is a stack-based buffer overflow (CWE-121) in the RTSP authentication handler; no public exploit identified at time of analysis, but vendor-acknowledged and patched firmware is available from TP-Link.
Dräger Infinity M300 patient worn monitors with software version VG2.x and earlier contain a network-based denial of service vulnerability that allows attackers with access to the hospital or. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Dräger Infinity M300 patient worn monitors with software version VG2.3.1 and earlier contain a network-based denial of service vulnerability that allows network-adjacent attackers to repeatedly. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Broken access control in NamelessMC 2.2.4 (Minecraft community website software) allows any low-privileged authenticated user to read posts from hidden, private, or staff-only forums by sending crafted requests to the get_quotes.php endpoint. The Forum module's quote helper only verifies that the caller is logged in and fails to enforce forum/topic visibility ACLs that the normal topic view does enforce. No public exploit identified at time of analysis, but the issue is trivial to weaponize given an account on the affected site.
Authentication bypass in the WP Swings Wallet System for WooCommerce plugin (versions up to and including 2.7.5) allows an authenticated low-privileged attacker to abuse the password recovery flow as an alternate channel to take over other accounts. Successful exploitation yields high impact to integrity (account/wallet compromise) with limited confidentiality exposure, and no public exploit has been identified at time of analysis.
Reflected cross-site scripting in the WP Job Portal WordPress plugin (versions up to and including 2.5.1) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after they click a crafted link. The flaw has CVSS 7.1 elevated by scope change (S:C), meaning script execution can impact resources beyond the vulnerable component, such as the WordPress admin session. No public exploit identified at time of analysis and no CISA KEV listing.
Reflected cross-site scripting in the UnboundStudio Accordion FAQ WordPress plugin (versions through 2.2.1) allows remote attackers to execute arbitrary JavaScript in a victim's browser session by luring them to click a crafted link. The CVSS 7.1 score reflects scope change (S:C), meaning script execution can affect resources beyond the vulnerable component, such as the WordPress admin context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Physical USB tampering against Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations allows an attacker with bedside access to compromise software integrity, alter therapy data, and pivot to connected networks or Dräger Service Connect. The flaw, disclosed by VulnCheck and tracked under CWE-668 (Exposure of Resource to Wrong Sphere), carries a CVSS 4.0 base score of 7.0 reflecting high impact across confidentiality, integrity, and availability of the device itself. There is no public exploit identified at time of analysis and no CISA KEV listing, but the medical-device context elevates patient-safety concern even at moderate technical severity.
Open redirect in authentik's WS-Federation provider (all versions prior to 2026.2.3) allows an unauthenticated attacker to exfiltrate signed authentication assertions to attacker-controlled infrastructure by exploiting a prefix-only wreply URL validation check. Because the POST-based WS-Federation flow delivers a cryptographically signed identity assertion to whatever destination wreply specifies, successful exploitation leaks credential-bearing tokens rather than simply redirecting to a phishing page - elevating impact beyond a typical open redirect. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.