Server-side request forgery in blender-mcp's ZIP File Handler allows authenticated remote attackers to manipulate the zip_file_url parameter in import_generated_asset_hunyuan, causing the MCP server to issue arbitrary outbound HTTP requests on behalf of the attacker - including to internal network resources such as cloud metadata endpoints. All rolling-release commits up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b are affected, per CPE cpe:2.3:a:ahujasid:blender-mcp:*:*:*:*:*:*:*:*. A publicly available exploit exists via GitHub issue #203 (E:P confirmed in CVSS temporal vector), though no CISA KEV listing exists at time of analysis.
Insecure Direct Object Reference (IDOR) in SourceCodester Human Resource Management 1.0 allows authenticated remote attackers to read other employees' records by manipulating the `employeeid` parameter in `/detailview.php`. The vulnerability results in unauthorized disclosure of employee data across account boundaries, with no integrity or availability impact. A publicly available proof-of-concept exploit exists; no active exploitation has been confirmed by CISA KEV at time of analysis.
Server-Side Request Forgery and arbitrary file read in ahujasid/blender-mcp allows authenticated remote attackers to exfiltrate local filesystem content or pivot to internal network services via unsanitized manipulation of the input_image_url parameter in the generate_hunyuan3d_model function (src/blender_mcp/server.py). The parameter is passed without validation directly to both open() for local file reads and requests.get() for remote fetches, enabling path traversal and SSRF primitives simultaneously. A publicly available exploit exists (GitHub issue #202); no CISA KEV listing at time of analysis. The fix has been merged upstream (PR #205, commit 5b37be25).
Missing authorization in nextlevelbuilder GoClaw up to version 3.11.3 allows low-privileged remote attackers to trigger unauthorized team task completions via the TeamTasksTool.executeComplete function. The flaw, classified as CWE-862, permits any authenticated user to bypass permission checks in the Team Task Completion Handler, falsely marking tasks as complete regardless of their authorization level. A publicly available exploit exists (referenced in GitHub issue #1133), though no public exploit confirmed in active exploitation - the vulnerability is not listed in CISA KEV, and its CVSS 4.0 score of 2.1 reflects the limited integrity-only impact.
SQL injection in itsourcecode Fees Management System 1.0 exposes database contents and integrity to authenticated low-privilege remote attackers via the unsanitized `ID` parameter in `/manage_payment.php`. The CVSS vector (PR:L) confirms exploitation requires a valid user account, but no elevated privileges are needed beyond basic authentication. A publicly available proof-of-concept exploit exists (GitHub), raising the practical exploitation risk; no vendor-released patch has been identified at time of analysis.
Local File Inclusion via null byte injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated remote attackers with low-privilege accounts to read arbitrary files from the server by manipulating the `page` parameter in `/index.php`. Publicly available exploit code exists, published as a GitHub writeup demonstrating the null byte (%00) bypass technique. No CISA KEV listing at time of analysis, but the public POC lowers the bar for targeted exploitation against low-security PHP deployments.
File inclusion in SourceCodester Pizzafy Ecommerce System 1.0 exposes the admin panel to path traversal attacks via the `page` parameter in `/admin/index.php`, enabling an authenticated remote attacker to include arbitrary server-side files. Successful exploitation yields low-impact confidentiality, integrity, and availability compromise consistent with the CVSS C:L/I:L/A:L rating. A public exploit writeup (POC) exists on GitHub, significantly lowering the skill threshold for exploitation; however, no active exploitation has been confirmed via CISA KEV at time of analysis.
Command injection in elunez eladmin's Application Deployment Module (App.java) allows authenticated remote attackers with low privileges to execute arbitrary operating system commands by manipulating the `uploadPath` argument. All versions up to and including 2.7 are affected per the CPE record. A public proof-of-concept exploit exists (referenced via GitHub issue #899), though no public exploit identified at time of analysis as confirmed active exploitation (CISA KEV). The vendor has not responded to the coordinated disclosure, leaving no official patch available.
Server-side request forgery in nextlevelbuilder GoClaw through version 3.11.3 allows remote attackers with high-privilege credentials to manipulate the TTS Configuration Import function into issuing arbitrary server-side HTTP requests to unintended destinations. The vulnerable code path is the Import function within internal/http/tts_config.go, reachable over the network without user interaction once an administrative session is established. A publicly available proof-of-concept exploit exists (confirmed by CVSS temporal metric E:P and GitHub issue #1132); no active exploitation has been confirmed by CISA KEV, and the project has characterized the report as a bug rather than a security issue, which may signal a slower remediation response.
Stored cross-site scripting in CordysCRM (1Panel-dev, versions up to 1.4.1) allows an authenticated remote attacker to inject malicious scripts via the unvalidated Description parameter in the ModuleFormController's Save function. The payload persists to the database and executes in any victim's browser upon viewing the affected module form, enabling session hijacking, credential theft, or UI-based phishing. A publicly available proof-of-concept exists (GitHub issue #2233); no public exploitation at scale has been confirmed, and an official vendor patch is available as of v1.7.0.
Improper authentication in NousResearch hermes-agent through version 2026.4.23 allows a local low-privileged attacker to manipulate the Credential Pool Synchronization component, specifically the `_sync_anthropic_entry_from_credentials_file` function in `agent/credential_pool.py`, bypassing authentication controls over Anthropic API credentials. A proof-of-concept exploit is publicly available on GitHub and the vendor did not respond to coordinated disclosure, leaving no patch available at time of analysis. No public exploit identified at time of analysis for active KEV-confirmed campaigns, but publicly available exploit code exists and lowers the bar for any attacker already holding local system access.
Unsafe deserialization in FoundationAgents MetaGPT versions up to and including 0.8.2 allows a local low-privileged attacker to achieve confidentiality, integrity, and availability impact by manipulating the `mapping` argument passed to `Message.check_instruct_content` in `metagpt/schema.py`. Publicly available exploit code (POC) exists via a GitHub issue report, elevating practical risk despite the local-only attack vector. No vendor patch has been released - the project was notified via issue report but has not responded, leaving installations without a remediation path.
Cross-site scripting in westboy CicadasCMS Task Scheduling Management Module allows a high-privileged, authenticated attacker to inject malicious script payloads via the ScheduleJobController component that execute in a victim user's browser upon viewing the affected page. The vulnerability carries a CVSS base score of just 2.4, reflecting the steep access barriers of required high privileges (PR:H) and mandatory user interaction (UI:R), though a publicly available proof-of-concept exploit exists on the Gitee issue tracker. No active exploitation has been confirmed by CISA KEV, and the vendor has not responded to the responsible disclosure report, meaning no patch is available at time of analysis.
Race condition in Open5GS AMF up to version 2.7.6 allows a remote, low-privileged attacker to trigger concurrent NGAP Security Mode Command processing in gmm_state_security_mode (src/amf/gmm-sm.c), resulting in low availability impact. Publicly available exploit code exists (N2-SMC-Concurrent.zip), though no public exploit identified at time of analysis indicates active exploitation and this CVE is not listed in CISA KEV. Notably, the associated fix PR (#4501) addresses a broader NGAP identity-scoping flaw - where the AMF accepted UE-associated NGAP messages from any gNB regardless of which gNB originally registered the UE - suggesting the underlying attack surface may exceed what the formal CVSS score of 3.1 captures.
HCL iReflection Third party vulnerable and outdated components issue was detected in the web application. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.
Klaw, Aiven-Open's self-service Apache Kafka topic management portal, is vulnerable to targeted account lockout and Denial of Service via inconsistent case sensitivity handling in its user registration and login mechanisms, affecting all releases prior to v2.10.4. An attacker already holding high-privileged access (PR:H per CVSS vector) can register a username that is a case variant of an existing account, causing the legitimate account to become inaccessible. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the CVSS score of 2.7 (Low) accurately reflects the narrow, high-privilege-dependent attack surface.
HTTP header injection in the Tesla Elixir HTTP client library (versions 0.8.0 through before 1.18.3) allows untrusted input forwarded into Tesla.Multipart.add_content_type_param/2 to split outbound Content-Type headers by embedding CR (\r) or LF (\n) characters. When Tesla.Multipart.headers/1 joins content_type_params verbatim with "; ", a maliciously crafted param string terminates the current header line and inserts arbitrary headers into the outbound HTTP request sent by the Tesla client to downstream systems. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; however, a vendor-released patch is available in version 1.18.3.
{k}="#{v}" with no validation of CR, LF, or double-quote characters, enabling a crafted value to close the quoted parameter early, forge headers like Content-Type, or corrupt the part body. No public exploit is identified at time of analysis, and the CVSS 4.0 score of 2.1 (SI:L only) reflects a narrow integrity impact confined to the downstream system receiving the forged multipart payload.
CRLF injection in the elixir-mint Mint HTTP/1.1 client library (versions 0.1.0 through 1.8.x) enables HTTP Request Splitting and HTTP Request Smuggling on shared TCP connections when applications forward attacker-controlled values as the HTTP method or target to Mint.HTTP.request/5. The target-based vector was partially closed in Mint 1.7.0 via validate_request_target/2, but the method field was left unvalidated in all versions prior to 1.9.0, meaning method-based injection remains exploitable under the default Mint configuration. No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog; the complete fix shipping method-character validation is available in Mint 1.9.0.
Server-side request forgery in DedeCMS 5.7.88 allows low-privileged authenticated remote attackers to make the server issue arbitrary HTTP requests by manipulating the base64-decoded Link argument in /plus/download.php?open=1. Exploitation enables internal network probing, potential access to cloud metadata endpoints (e.g., AWS IMDSv1), and limited confidentiality, integrity, and availability impact (C:L/I:L/A:L per CVSS). Publicly available exploit code exists (CVSS temporal E:P; description confirms exploit publication), though no confirmed active exploitation or CISA KEV listing has been identified at time of analysis.
SQL injection in itsourcecode Fees Management System 1.0 exposes authenticated low-privileged users a pathway to manipulate database content via the `id` parameter in `/manage_fee.php`. The vulnerability allows remote attackers with valid application credentials to read, modify, or partially disrupt database records. Publicly available exploit code exists (CVSS 4.0 E:P modifier confirmed), though no active exploitation has been confirmed by CISA KEV. The overall severity is low (CVSS 4.0: 2.1), reflecting limited scope and confidentiality impact.
Reflected cross-site scripting in itsourcecode Fees Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into a victim's browser by manipulating the `page` argument of index.php. The vulnerability requires passive user interaction - a victim must follow a crafted URL - limiting its scalability, but publicly available exploit code lowers the barrier to abuse. No KEV listing exists; this is a low-severity finding corroborated by a CVSS 4.0 score of 2.1 and an exploit-modified (E:P) supplemental metric.
Code injection in ahujasid/blender-mcp's execute_blender_code function allows low-privileged remote attackers with passive user interaction to inject and execute arbitrary code through the unsanitized code argument passed to the MCP server endpoint in /src/blender_mcp/server.py. All commits up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b are affected, with no maintainer response to the disclosed GitHub issue #201. A public exploit exists (E:P in CVSS vector; independently confirmed by description), though no public exploit identified at time of analysis for active KEV-tracked campaigns - exploitation remains opportunistic rather than confirmed widespread.
Stack-based buffer overflow in Orthanc DICOM Server up to version 1.12.11 allows a local, low-privileged attacker to crash the server process, causing limited availability impact through the DCMTK parser's DcmItem::read function. The CVSS 4.0 score of 1.9 reflects heavily constrained exploitation conditions: local access only, low-privilege account required, and impact confined to availability with no confidentiality or integrity exposure. Publicly available exploit code exists (confirmed by CVSS 4.0 E:P modifier and CVE description), though no active exploitation has been confirmed by CISA KEV.
Cross-site scripting in 1Panel-dev CordysCRM versions up to 1.6.2 allows a high-privileged authenticated attacker to inject unescaped HTML payloads through request parameters processed by the Jackson string deserializer in RequestParamTrimConfig.java. The root cause is a global XSS escape toggle (xss.escape.all.enabled) that was disabled by default, meaning all incoming string parameters were returned without HTML sanitization. Publicly available exploit code exists (CVSS E:P, confirmed by VulDB disclosure), though the vulnerability has not been listed in CISA KEV and real-world impact is constrained by the high privilege requirement and passive user interaction dependency.
Out-of-bounds write in openSeaChest v25.05.3's --showSupportedFormats command allows a high-privileged local attacker to corrupt one byte beyond an allocated buffer by presenting a maliciously crafted NVMe device with a bogus namespace FLBAS (Format LBA Size) value, forcing that byte to 1. Affected platforms include all systems supported by the toolkit. With a CVSS 4.0 score of 1.8, this is a minimal-severity issue requiring both high privileges and a specially crafted physical or emulated NVMe device; no public exploit code or active exploitation has been identified at time of analysis.
Out-of-bounds write and read in Seagate's openSeaChest v25.05.3 affects the --showSCSIDefects diagnostic command, allowing memory corruption when parsing abnormally large SCSI defect list responses. A high-privileged local operator running diagnostics against a physically degraded drive with an excessive defect count, or against a maliciously crafted SCSI device returning an oversized defect response, can trigger limited confidentiality, integrity, and availability impact on the diagnostic host. No public exploit and no active exploitation has been identified at time of analysis; this vulnerability was self-reported by Seagate with a CVSS 4.0 base score of 1.8, reflecting the severe exploitation constraints.