Stored XSS in ProjectsAndPrograms school-management-system allows an authorized attacker to inject malicious JavaScript into multiple student and teacher object attributes, which then executes in the browsers of other authenticated users. Critically, when chained with CVE-2025-11661 - which grants unauthenticated access to backend endpoints - the attack escalates to fully remote, unauthenticated exploitation, removing the otherwise required low-privilege foothold. No patch has been released and no public exploit code has been identified at time of analysis, though the application is confirmed vulnerable at commit 6b6fae5 per CERT.PL.
Stored cross-site scripting in ERPNext 16.16.0 allows authenticated users to inject arbitrary HTML and JavaScript into the email_id or mobile_no fields of Customer records, which execute silently in the browser of every Point of Sale (POS) operator who subsequently selects the poisoned customer. Because the payload persists in the database, a single injection event affects all future POS operator sessions that encounter that customer - creating a multiplier effect without requiring repeated attacker access. No public exploit code or CISA KEV listing exists at time of analysis; EPSS data was not provided in available intelligence sources.
File extraction from the Ironic conductor service is possible via a crafted pxe_template, as disclosed in OpenStack Security Advisory OSSA-2026-019. The Ironic conductor is a privileged management component that coordinates bare metal node provisioning; arbitrary file read from this host could expose infrastructure credentials, TLS keys, or cloud configuration secrets. No public exploit has been identified at time of analysis, and no CVSS score has been assigned, but the severity is elevated by the conductor's privileged position in OpenStack infrastructure.
Open redirect vulnerability in FOSSBilling's Redirect module (prior to version 0.8.0) allows authenticated administrators to configure arbitrary external URLs as redirect targets without URL scheme validation. Users following a legitimate FOSSBilling link are silently issued a 301 Moved Permanently response to an attacker-controlled phishing site; because 301 responses are persistently cached by browsers, the redirect continues to function even after server-side correction until client caches expire. No public exploit identified at time of analysis; version 0.8.0 (released 2026-05-28) patches the issue.
Stored cross-site scripting in ERPNext 16.16.0 allows an authenticated user holding Item record edit permissions to persist malicious HTML/JavaScript in the item_name, description, or image fields, which executes unescaped in the Point of Sale (POS) cart interface for any operator who subsequently adds that item to a transaction. Reported by Fluid Attacks (EUVD-2026-34158), this is a stored XSS with lateral impact across all POS operator sessions exposed to the poisoned item record. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog; the CVSS 4.0 score of 4.8 reflects the constrained attack surface imposed by high privilege prerequisites and required passive user interaction.
Stored Cross-Site Scripting in Dovestones Softwares ADPhonebook before v4.0.1.1 permits authenticated admin users to inject persistent JavaScript payloads via the /Admin/Save API endpoint. Because multiple configuration sections lack input validation and output encoding, injected scripts survive across sessions and execute in any victim's browser when the affected configuration pages are loaded, with CVSS scope change (S:C) confirming cross-user impact beyond the planting admin. No public exploitation identified at time of analysis; EPSS is 0.02% (5th percentile), though a publicly available proof-of-concept gist exists at the referenced GitHub URL.
Race condition in the Linux kernel's CoreSight TMC-ETR (Trace Memory Controller, Embedded Trace Router) driver triggers a kernel WARN_ON() when sysfs and perf hardware tracing modes are enabled concurrently, resulting in a denial-of-service condition against the tracing subsystem. The sysfs enable path is split across two separate spinlock-protected critical sections, creating a window where perf mode can initialize drvdata->etr_buf between the sysfs buffer allocation and hardware enablement steps - causing tmc_etr_enable_hw() to encounter an already-initialized pointer and fire WARN_ON(). No public exploit exists and EPSS is 0.02% (4th percentile), indicating near-zero real-world exploitation probability; patched kernel versions 6.18.14, 6.19.4, and 7.0 are available.
Private ECDH key recovery in OP-TEE prior to version 4.11.0 is achievable by a local attacker who can invoke TEE_DeriveKey with approximately 30-40 crafted public key values lying off the target elliptic curve. Because the implementation omits point validation - failing to verify that (X, Y) satisfies Y^2 ≡ X^3 + aX + b mod P for the specified curve - each malformed call leaks a residue d mod r, where d is the private key and r is the order of the attacker-chosen invalid curve. Accumulated residues allow full private key reconstruction via the Chinese Remainder Theorem. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the underlying invalid curve attack technique is well-documented in cryptographic literature and reproducible by any skilled attacker with local access.
Stored Cross-Site Scripting in the Passeum Ticketing WordPress plugin (all versions ≤ 1.0) allows authenticated administrators on multisite installations to load attacker-controlled JavaScript and CSS on every frontend page that renders a plugin shortcode. The attack path runs through the plugin's `shop_name` setting: the `validate_shop_name()` function accepts any non-empty string, and `get_shop_url()` passes URLs beginning with 'http' directly to `wp_register_script()` and `wp_register_style()` without sanitization, causing the site to enqueue external resources from an attacker-controlled domain for all site visitors. No public exploit identified at time of analysis, and the vulnerability is explicitly scoped to WordPress multisite environments - single-site administrators are unaffected because they already hold the `unfiltered_html` capability.
Type confusion in OP-TEE OS versions 4.3.0 through 4.10.x allows a highly privileged local attacker operating in the normal world to crash the Trusted Execution Environment by submitting a malformed FFA_MEM_SHARE request, resulting in denial of service of all secure services hosted in the TEE. Exploitation is gated behind a non-default build configuration requiring both CFG_CORE_SEL1_SPMC=y and CFG_SECURE_PARTITION=y, substantially narrowing the affected population to deployments using OP-TEE as an S-EL1 Secure Partition Manager Core. No public exploit code has been identified and the vulnerability is absent from the CISA KEV catalog; the CVSS score of 4.4 (Medium) reflects these real-world constraints accurately.
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup Task functionality in Synology Hyper Backup before 4.1.2-4036 allows remote authenticated. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.
Kernel pointer disclosure in the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909 allows unauthenticated adjacent-network attackers to obtain raw MIPS KSEG0 kernel addresses through the UPnP GetStatusInfo action, effectively defeating kernel address-space layout randomization on the device. The leaked pointer reveals the kernel memory map and is most useful as a precursor to a more severe exploit chain rather than as a standalone attack - its primary value is enabling reliable offset calculation for subsequent memory corruption attacks. No public exploit identified at time of analysis, EPSS is 0.02% (7th percentile), and the vulnerability is not listed in CISA KEV.
Unauthenticated information disclosure in the Mercusys AC12G (EU) V1 router allows any attacker on the adjacent network to retrieve internal buffer contents by querying an undocumented `/agileconfigreset` HTTP endpoint, confirmed for firmware version AC12G(EU)_V1_200909. The CVSS vector (AV:A/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, though exploitation is bounded to the local network segment rather than the internet. No public exploit has been identified at time of analysis, and no vendor patch has been confirmed.
Cross-Site Request Forgery in the EmergencyWP WordPress plugin (all versions ≤1.4.2) permits unauthenticated attackers to overwrite critical plugin settings by tricking an authenticated site administrator into triggering a forged request. The missing nonce validation in the form_settings_ui settings save handler exposes controls that include WordPress role capability manipulation (add_cap/remove_cap), a data-erasure-on-uninstall flag, life-check timing, and the mandator notification email - settings whose combined impact exceeds the CVSS 4.3 baseline. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the role-capability attack surface warrants prioritized patching for sites relying on this plugin.
Uninitialized memory disclosure in the Mercusys AC12G (EU) V1 router exposes 128 bytes of internal server buffer contents to unauthenticated adjacent-network attackers. The device's HTTP server fails to sanitize responses for POST requests sent to undefined paths, returning raw internal buffer data instead of a clean error. No active exploitation is confirmed (not in CISA KEV), but a public researcher advisory exists on GitHub; the CVSS score of 4.3 (Medium) reflects the adjacent-network-only attack vector and limited confidentiality impact.
DNS version disclosure on Mercusys AC12G (EU) V1 router exposes the internal unbound 1.22.0 resolver version to unauthenticated adjacent-network attackers via CHAOS TXT queries. Any host on the same network segment can query 'version.bind' and receive a precise software version string, enabling targeted reconnaissance against known unbound vulnerabilities. No active exploitation or public exploit code has been identified at time of analysis, but the disclosure materially reduces attacker effort in follow-on attacks.
Stored or reflected Cross-Site Scripting in MaxSite CMS v.109.2 allows a remote attacker with low-privilege authenticated access to inject malicious scripts via the Backend page file upload endpoint (admin_page), which execute in the browsers of other users - including administrators - to exfiltrate sensitive information such as session tokens. The CVSS vector (S:C) confirms the attack crosses a security scope boundary, amplifying impact beyond the attacker's own session. A researcher-published proof-of-concept is publicly available on GitHub, though EPSS remains very low at 0.05% (17th percentile) and no active exploitation has been confirmed by CISA KEV.
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup.Repository webapi component in Synology Hyper Backup before 4.1.2-4036 allows remote. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity.