Authenticated zone-file injection in Froxlor <=2.3.6 allows a customer with DNS editing enabled to inject newline characters into TXT record content via the DomainZones.add API, breaking out of the record line in the generated BIND zone file and injecting arbitrary BIND directives ($INCLUDE, $GENERATE) or DNS records (A, MX, CNAME). The flaw is an incomplete fix for CVE-2026-30932, which sanitized LOC/RP/SSHFP/TLSA records but left TXT handling reliant only on Dns::encloseTXTContent(), which strips no control characters. Publicly available exploit code exists (detailed PoC including a Python script in the GHSA advisory), but there is no public exploit identified at time of analysis in CISA KEV and no EPSS score was provided.
SQL injection in Mojoomla School Management plugin for WordPress (versions up to and including 93.2.0) allows high-privileged authenticated attackers to inject crafted SQL through unsanitized input, leading to confidentiality compromise of the underlying database and limited availability impact. The scope-changed CVSS 7.6 rating reflects that exploitation can affect resources beyond the vulnerable component, such as the shared WordPress database hosting other plugins or sites. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Path traversal (Zip Slip) in IBM's Docling document processing library before v2.91.0 allows arbitrary file write when the EasyOCR model download function extracts ZIP archives without validating member paths. An attacker who can intercept or substitute the model download source (via MITM, DNS spoofing, or upstream supply-chain compromise) can drop files anywhere the process can write, leading to RCE or persistence. No public exploit identified at time of analysis and the vulnerability is not on the CISA KEV list.
Denial of service in Django Daphne before 4.2.2 allows unauthenticated remote attackers to exhaust server memory by sending oversized WebSocket frames or messages. The flaw stems from Daphne failing to forward maxFramePayloadSize and maxMessagePayloadSize limits to the underlying Autobahn WebSocketServerFactory, which defaults both to unlimited. No public exploit identified at time of analysis, and EPSS is low (0.07%), but the CVSS:3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N) reflects easy network-reachable abuse against any deployment exposing WebSockets.
XML External Entity (XXE) injection in Docling's USPTO patent backend allows remote attackers to trigger denial of service, read arbitrary server files, or perform SSRF by submitting crafted patent XML to vulnerable versions (>=2.13.0, <2.74.0). The flaw stems from use of Python's unsafe xml.sax.parseString() across the ICE v4.x, Grant v2.5, and Application v1.x parsers. No public exploit identified at time of analysis, but the fix is publicly documented in the vendor advisory and a working patched release is available.
Denial of service in FreeIPMI versions before 1.16.18 allows remote attackers to crash the ipmi-oem client by sending malformed IPMI response messages that trigger stack-based buffer overflows in the 'dell get-active-directory-config' and 'fujitsu get-sel-entry-long-text' subcommands. The flaw is client-side: a victim must invoke the affected subcommand against an attacker-controlled or compromised IPMI endpoint. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Denial of service in GoBGP v4.3.0 allows unauthenticated remote attackers to crash or hang BGP speakers by sending a malformed BGP UPDATE message that triggers an integer underflow in the BGPUpdate.DecodeFromBytes parser. The underflow causes uint16 length counters (routelen and pathlen) to wrap to ~65k, leading the parser to silently consume the buffer or fail in ways that disrupt session processing. EPSS is very low (0.04%) and there is no public exploit identified at time of analysis, but the upstream commit demonstrating the bug is publicly visible.
Information disclosure in Phoenix Contact CHARX SEC-3000/3050/3100/3150 EV charging controllers allows an unauthenticated attacker on an adjacent network to download controller log files containing restricted information. No public exploit identified at time of analysis, but the low attack complexity and lack of authentication make opportunistic abuse straightforward once an attacker reaches the same network segment. Reported via CERT@VDE under advisory VDE-2026-060.
Denial-of-service condition in the Linux kernel's HNS RoCE (RDMA over Converged Ethernet) driver affects systems using HiSilicon RDMA hardware alongside SUNRPC/NFS-over-RDMA workloads. The hns_roce_irq_workq workqueue lacks the WQ_MEM_RECLAIM flag while being flushed during QP (Queue Pair) destruction from a memory-reclaim context, triggering a kernel warning and potential stall during RDMA transport reset. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis.
Denial of service in Securly Chrome Extension version 3.0.7 allows on-path network attackers to halt all browsing activity by injecting malicious regular expression patterns into an HTTP-delivered configuration file. The extension fetches config.json over plaintext HTTP and compiles attacker-controlled patterns with new RegExp() without complexity checks, enabling catastrophic backtracking (ReDoS). No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the issue is reported by CERT/CC.
Denial of service in Securly Chrome Extension 3.0.7 allows remote attackers to render all web browsing unusable when the extension's filtering service is unreachable. The extension dynamically registers an undeclared content script (content13.min.js) at runtime via chrome.scripting.registerContentScripts(), hiding every page behind a full-page overlay until the service worker validates the page; if Securly's servers fail or are blocked, pages remain indefinitely blank. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02% (5th percentile).
Information disclosure in Securly Chrome Extension version 3.0.7 allows remote unauthenticated attackers to retrieve SHA-1 hashes via publicly accessible endpoints, where the hashes are weakly protected by a reversible Caesar cipher. The flaw enables recovery of sensitive identifiers protecting filtered content data, with no public exploit identified at time of analysis and an EPSS score of 0.02% indicating very low predicted exploitation activity.
Remote denial-of-service in FRRouting BGP daemon affects stable branches 10.0 through 10.6 via the rfapiRibBi2Ri() function in the RFAPI module. A remote attacker capable of sending crafted BGP UPDATE messages can crash or hang the routing daemon due to missing input validation on encapsulation sub-TLV length fields. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the attack surface is any BGP peer the router accepts sessions from.
Denial of service in the Cpanel::JSON::XS Perl module before version 4.41 allows remote attackers to crash any caller that decodes a UTF-8 BOM prefixed JSON document with a throwing filter callback. The flaw arises from a missed pointer restoration when decode_json aborts via a Perl exception, leaving the input scalar with a corrupted SvPVX pointer that fatally aborts the interpreter on later free. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but CISA SSVC marks the issue as automatable with partial technical impact.
Information disclosure weakness in Securly Chrome Extension version 3.0.7 stems from continued reliance on the deprecated SHA-1 algorithm to hash and match 25,020 IWF CSAM URLs and 12,352 CIPA blocklist URLs. Because SHA-1 is vulnerable to collision attacks, an adversary with knowledge of the hash list could derive or guess matching URLs, exposing sensitive blocklist contents and undermining the integrity of the content-filtering mechanism. There is no public exploit identified at time of analysis and EPSS is very low (0.01%), but the issue was reported through CERT/CC (VU#595768), giving it credible vendor-coordinated provenance.
Cryptographic weakness in Securly Chrome Extension version 3.0.7 and earlier exposes AES-encrypted data to recovery attacks because the extension derives keys using EVP_BytesToKey with MD5 and only a single iteration. Remote attackers who can obtain ciphertext from the extension's storage or network exchanges can feasibly brute-force or precompute keys, leading to disclosure of protected information. EPSS is very low (0.01%), no public exploit has been identified, and the issue is not listed in CISA KEV.
Unauthorized file or directory access in ABB T-MAC Plus version 4.0-24 allows authenticated remote attackers to read, modify, or otherwise interact with resources that should not be externally reachable, with CVSS 4.0 scoring 7.3 due to high confidentiality and availability impact plus scope change to subsequent systems. The flaw is classified under CWE-552 (Files or Directories Accessible to External Parties) and was disclosed by ABB itself. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authorization bypass in ABB T-MAC Plus version 4.0-24 allows authenticated remote attackers to access or modify resources belonging to other users by manipulating user-controlled identifiers (IDOR). The flaw scores CVSS 7.3 with high impact to integrity and availability, and no public exploit identified at time of analysis. The vulnerability was reported by the vendor (ABB) itself, indicating coordinated disclosure rather than incident-driven discovery.
Information disclosure in Mercusys AC12G (EU) V1 router firmware AC12G(EU)_V1_200909 leaks 128 bytes of uninitialized memory when the UPnP service on port 1900 receives POST requests lacking a SOAPAction header, enabling unauthenticated adjacent-network attackers to harvest internal buffer contents. The flaw is rated CVSS 7.3 (low impact across CIA), and no public exploit identified at time of analysis, though the referenced GitHub advisory documents the issue with reproduction details.
Authentication token recovery in Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 allows network-based attackers to decrypt captured login credentials and recover plaintext administrator passwords. The flaw stems from a static authentication nonce that never rotates for requests originating from the same source IP, combined with a weak XOR-based password encoding routine (securityEncode). A public advisory exists on GitHub, but no public exploit code or active exploitation has been identified at the time of analysis.
Denial of service in the Linux kernel's MIPS architecture support affects builds compiled with LLVM/Clang versions 18 through 21, where the compiler incorrectly restores the $gp global register variable in the relocate_kernel() epilogue. The result is that __current_thread_info points to the unrelocated kernel address space, causing an immediate NULL-pointer dereference in init_idle during early boot and a panic before userspace ever starts. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the issue is a boot-time crash rather than a remotely triggerable flaw.
Hardcoded cryptographic secrets in Securly Chrome Extension version 3.0.7 allow remote attackers to decrypt sensitive crisis alert keyword lists and intervention site data shipped with the extension. The plaintext AES passphrases embedded in securly.min.js can be extracted by anyone who installs or inspects the extension, exposing the proprietary detection logic used to safeguard students. No public exploit has been identified at time of analysis, and EPSS rates exploitation probability at 0.02% (4th percentile), but the trivial extractability of the keys means any motivated actor can replicate the disclosure.
Type confusion in Cpanel::JSON::XS (Perl) versions before 4.41 allows remote attackers to crash a decoder by submitting JSON with duplicate object keys when the dupkeys_as_arrayref option is enabled. The decode_hv() routine dereferences a scalar as a reference before verifying its type, turning attacker-controlled scalar contents into a wild pointer access. No public exploit identified at time of analysis; EPSS is 0.02% and CISA SSVC marks exploitation as 'none' but automatable with partial technical impact.
Local privilege escalation in Acronis DeviceLock DLP for Windows (builds prior to 9.0.15051.93227) enables a low-privileged local user to execute code in a higher-privileged context by abusing insecure DLL search behavior. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the combination of low complexity and a security product as the target makes it a credible insider/post-compromise risk. Exploitation requires local access plus user interaction, which limits drive-by mass abuse.
Local privilege escalation in Acronis DeviceLock DLP for Windows (builds prior to 9.0.15051.93227) enables an authenticated low-privileged user to execute code in a higher-privileged context by abusing uncontrolled DLL search path loading. Exploitation requires local access plus user interaction, and at the time of analysis no public exploit identified at time of analysis and the issue is not listed in CISA KEV. The vendor (Acronis PSIRT) has published advisory SEC-11249 with a fixed build.
Local privilege escalation in Acronis DeviceLock DLP for Windows (builds prior to 9.0.15051.93227) allows a low-privileged local user to hijack the execution of a trusted DeviceLock executable and run arbitrary code with elevated rights. The flaw is rooted in CWE-427 (Uncontrolled Search Path Element), commonly seen when an application loads a binary from a writable or attacker-controllable location. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local privilege escalation in Acronis DeviceLock DLP for Windows before build 9.0.15051.93227 allows a low-privileged authenticated user to gain elevated privileges by abusing excessive permissions inherited by child processes spawned by the agent. With CVSS 7.3 and a high impact across confidentiality, integrity, and availability, successful exploitation requires user interaction and local access, and no public exploit identified at time of analysis.
Local privilege escalation in SWUpdate versions before 2026.05 allows unprivileged users to gain root or install attacker-controlled content by winning a TOCTOU race during processing of a signed update. The flaw, reported by SBA Research and tracked as EUVD-2025-210052, undermines SWUpdate's signed-update integrity model on embedded Linux devices. No public exploit identified at time of analysis, but an upstream patch is available via commit f4bd6426.
Arbitrary file deletion in MBS GmbH universal gateway (UGW) products allows authenticated remote users to remove files on the device through the ugw-restoreinfo method, which fails to validate user-controlled path input (CWE-73). The flaw, reported by CERT@VDE and tracked under VDE-2026-039, affects the Single-A, Double-A (Profibus/X-Link), Single-X, and Double-X (CAN/DALI/KNX/LON/M-Bus/Profinet) fieldbus gateway product lines used in industrial and building automation. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Arbitrary file deletion in MBS Universal Gateway (UGW) products allows authenticated remote attackers with low-privilege user accounts to delete arbitrary files on the device by abusing the ugw-restore method, which fails to validate user-controlled path input. The vulnerability affects multiple MBS gateway variants (Single-A, Double-A Profibus/X-Link, Single-X, and Double-X CAN/DALI/KNX/LON/M-Bus/Profinet bridges) used in industrial fieldbus integration. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary file deletion in MBS Universal Gateway (UGW) product line allows authenticated remote attackers to delete local files on the device via the ugw-logstop method, which fails to validate user-supplied path input. The flaw affects MBS Single-A, Double-A (Profibus, X-link), Single-X, and Double-X (CAN, DALI, KNX, LON, M-Bus, Profinet) industrial protocol gateways. No public exploit identified at time of analysis, but the low-complexity, low-privilege attack profile makes this a credible threat to availability of industrial control system gateways.
Arbitrary file deletion in MBS Universal Gateway (UGW) product family allows authenticated remote attackers to remove any file on the device filesystem by abusing the ugw-delete-file method, which fails to validate user-controlled path input (CWE-73). With CVSS 4.0 score 7.2 and PR:L, exploitation requires only a low-privileged account, and successful abuse impacts integrity and availability of the gateway (VI:H/VA:H). No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Arbitrary file deletion in MBS GmbH industrial gateway products (single-a, double-a, single-x, double-x variants across Profibus, Profinet, KNX, LON, M-Bus, DALI, CAN, and X-Link protocols) allows authenticated remote attackers to remove arbitrary files on the device via the bac-scanresult method, which fails to validate user-controlled path input. Reported by CERTVDE under advisory VDE-2026-039, no public exploit identified at time of analysis. The CVSS 4.0 score of 7.2 reflects high integrity and availability impact achievable with only low-privileged user credentials.
Privilege escalation / denial of service in MBS Universal Gateway (UGW) product family allows an authenticated low-privileged remote user to terminate arbitrary processes on the device via the ugw-logstop method, which fails to validate user-supplied input. No public exploit identified at time of analysis, but the bug affects a broad set of MBS industrial protocol gateways (Single-A, Double-A Profibus/X-Link, Single-X, Double-X CAN/DALI/KNX/LON/M-Bus/Profinet) used in building and industrial automation. CVSS 4.0 base is 7.2 reflecting High integrity and availability impact with only low privileges required.
Stored/reflected cross-site scripting in ABB T-MAC Plus version 4.0-24 allows authenticated low-privileged attackers to inject malicious script content into the web management interface, which executes in the browsers of other users who interact with the affected pages. With a CVSS 4.0 base score of 7.2 and no public exploit identified at time of analysis, the flaw is notable because successful exploitation impacts both the vulnerable component and downstream subsequent systems with high integrity and availability consequences, reflecting the operational-technology context typical of ABB industrial products.
Authorization bypass in ABB T-MAC Plus version 4.0-24 allows adjacent-network attackers to perform unauthorized actions that compromise device integrity and availability without any credentials or user interaction. The flaw is an incorrect authorization weakness (CWE-863) carrying a CVSS 4.0 score of 7.2, and no public exploit identified at time of analysis. ABB itself disclosed the issue and published an advisory describing the affected firmware.
Path traversal and SSRF in Docling's HTML backend allow attackers to coerce the document processor into reading local files, contacting internal network resources, and consuming unbounded resources when a crafted HTML document is processed with non-default fetch flags enabled. The flaw affects the docling Python package prior to 2.94.0 and stems from missing validation of file:// URIs, relative/absolute paths, HTTP redirects, and download sizes; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Reflected cross-site scripting in Fox-themes Prague (WordPress theme/plugin family) through version 2.2.8 lets a remote attacker inject script that executes in a victim's browser when the victim clicks an attacker-crafted link. The flaw was disclosed via Patchstack and carries a CVSS 7.1 (scope-changed) rating; no public exploit identified at time of analysis and the issue is not on CISA KEV.
Dräger SC Monitoring devices (SC 6002XL, SC 6802XL, SC 7000, SC 8000, SC 9000 XL) contain a denial-of-service vulnerability in all software versions that allows unauthenticated attackers to reboot. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Local file disclosure and denial of service in the Docling document-conversion library (Python pip package, versions 2.45.0 up to 2.91.0) stem from its METS-GBS backend parsing XML and extracting archives without security controls. A maliciously crafted METS-GBS archive processed by Docling can trigger XML External Entity (XXE) resolution to read sensitive local files, or use decompression/zip bombs and unbounded tar extraction to exhaust memory and disk. EPSS is very low (0.01%, 3rd percentile) and there is no public exploit identified at time of analysis; exploitation requires a victim application to process attacker-supplied input.
Cleartext transmission in Securly Chrome Extension version 3.0.7 exposes crisis alert keyword lists and content filtering rules to adjacent network attackers because the extension fetches these JSON configuration files over plaintext HTTP while other endpoints in the same extension correctly use HTTPS. An adjacent attacker on the same network segment can intercept or tamper with the filtering policy data, undermining the safety controls Securly is meant to enforce on managed Chromebooks. No public exploit identified at time of analysis and EPSS is very low at 0.01%, but a vendor patch is available.
Credential disclosure in Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 allows recovery of plaintext admin, WiFi, and DDNS credentials from configuration backup files. The device encrypts backups with a hardcoded single-DES key in ECB mode, meaning anyone who obtains the backup file can trivially decrypt it. No public exploit identified at time of analysis, though a third-party advisory write-up exists on GitHub describing the cryptographic flaw.
Arbitrary file deletion in GLPI versions 0.78 through 10.0.24 and 11.0.0 through 11.0.6 allows authenticated technicians to remove any file on the webserver filesystem to which the web process has write permissions. The flaw is tracked as a missing authorization issue (CWE-862) and is tagged as an authentication bypass; no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Unauthorized object deletion in GLPI versions 9.5.0 through 10.0.24 and 11.0.0 through 11.0.6 allows authenticated low-privilege users with planning access to delete arbitrary objects across the asset and IT management platform. The flaw stems from a missing authorization check (CWE-862) tied to the planning module, and no public exploit identified at time of analysis. Patches are available in 10.0.25 and 11.0.7.
Authorization bypass in GLPI IT asset management software (versions 0.78 through 10.0.24 and 11.0.0 through 11.0.6) permits an authenticated user holding only the config READ permission to access a specific asset object that should be outside their authorization scope. No public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation as 'none' with partial technical impact. Vendor patches are available in 10.0.25 and 11.0.7.
Version disclosure in FOSSBilling prior to 0.8.0 exposes the exact application version string to all visitors - including unauthenticated guests - via cache-busting query parameters appended to every rendered `<script>` and `<link>` HTML tag, directly bypassing the `hide_version_public` security control on every page of the application. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is network-accessible, unauthenticated, and requires no user interaction, making it trivially observable by any visitor. While not directly exploitable for code execution or data access, this reconnaissance enabler meaningfully lowers the barrier to targeting installations with other known FOSSBilling vulnerabilities; no public exploit has been identified at time of analysis and active exploitation has not been confirmed.
Predictable credential generation in ProjectsAndPrograms school-management-system allows unauthenticated remote attackers to derive valid account passwords for any student or teacher whose date of birth is known or guessable. Passwords are constructed deterministically from the user's date of birth alone (e.g., 12072000 for 12 July 2000), and the application never prompts users to change this default credential, leaving accounts permanently exposed. CVSS 4.0 rates this 6.9 with a fully network-accessible, no-authentication attack vector; no public exploit code has been identified at time of analysis, but the trivial exploitation logic requires no tooling.
Remote code execution in Koha v.25.11 and earlier allows unauthenticated network attackers to inject and execute arbitrary code through the Z39.50 configuration module. Koha is a widely deployed open-source integrated library system (ILS); the affected component handles Z39.50, a standard client-server protocol used for querying remote library catalogues. No public exploit identified at time of analysis, though a researcher technical write-up is publicly available at g03m0n.github.io, and EPSS exploitation probability is low at 0.05% (16th percentile). Notable discrepancy: CVSS impact scores (C:L/I:L) appear understated relative to the arbitrary code execution claim and should be treated with caution.
DNS rebinding on the Mercusys AC12G (EU) V1 router (firmware AC12G(EU)_V1_200909) exposes the router's web management interface to attacker-controlled external origins due to absent HTTP Host header validation. A remote unauthenticated attacker (per CVSS PR:N) can rebind a malicious domain to the router's LAN IP address, then leverage the router's pre-existing CORS wildcard (Access-Control-Allow-Origin: *) to read admin interface responses cross-origin from within the victim's browser. No public exploit beyond the researcher's advisory exists and no CISA KEV listing is present at time of analysis.
Metric name injection in Net::Async::Statsd::Client (Perl, versions through 0.005) allows network-reachable, unauthenticated attackers to inject arbitrary StatsD metrics by supplying untrusted input containing unfiltered newlines, colons, or pipe characters. Because the StatsD wire protocol uses these characters as structural delimiters, unsanitized metric names sourced from user-controlled data can be interpreted as additional, attacker-controlled metrics by the receiving StatsD server. No public exploit identified at time of analysis and EPSS sits at the 9th percentile (0.03%), indicating low observed exploitation pressure, but any Perl application forwarding externally-supplied values as StatsD metric names is directly in scope.