Unauthenticated remote code execution in the JCE (Joomla Content Editor) extension for Joomla allows attackers to create editor profiles without authentication, then leverage that capability to upload and execute arbitrary PHP code on the server. With a CVSS 4.0 score of 10.0 and the CVSS:4.0 'U:Red' urgency flag set by the vendor, this represents a critical broken-access-control flaw, though no public exploit has been identified at time of analysis.
Backdoor/malicious code implant in the ShapedPlugin Product Slider Pro for WooCommerce WordPress plugin (versions before 3.5.3) allows remote unauthenticated attackers full compromise of the hosting site with CVSS 10.0 and a scope-changing vector. The Patchstack reference characterizes this as a backdoor vulnerability, and no public exploit has been identified at the time of analysis, though the trivial nature of supply-chain implants means abuse is plausible. Notably, the vendor patched the existing release without bumping the version number, so administrators cannot reliably tell whether their installation is fixed.
Unauthenticated remote code execution in DbGate (npm package dbgate-serve, versions <= 7.1.8) lets remote attackers execute arbitrary Node.js code by injecting JavaScript through the functionName parameter of the POST /runners/start JSON script runner. Default Docker deployments ship with Anonymous authentication enabled, making this exploitable without credentials (CVSS 10.0), and a public Nuclei template plus detailed PoC mean publicly available exploit code exists even though no CISA KEV listing was identified at time of analysis.
Unauthenticated administrator account takeover in the Hippoo Mobile App for WooCommerce WordPress plugin (versions ≤ 1.9.4) allows remote attackers to reset any user's password - including the site administrator's - by sending a single crafted POST request to a cloned REST route. The root cause is a logic conflation in HippooPermissions::get_user_permissions() that returns the same null sentinel for both administrators and anonymous visitors, which is then interpreted as full admin access. No public exploit identified at time of analysis, but the trivial exploitation path and 9.8 CVSS score make this an urgent patch priority for any WordPress site running the plugin.
Unauthenticated administrative access in Riello UPS NetMan 204 network management cards allows remote attackers to read sensitive configuration and invoke privileged power-control commands by requesting administrative pages directly. With CVSS 4.0 score 9.3, publicly available exploit code exists (Exploit-DB 52183), enabling attackers to trigger UPS shutdown, reboot, bypass-switching, and battery tests against the protected infrastructure without any credentials.
Remote unauthenticated administrative access to Riello UPS NetMan 204 devices is possible via a hard-coded backdoor account ('eurek'/'eurek') exposed through the cgi-bin/login.cgi endpoint. The flaw (CWE-798) carries a CVSS 4.0 base of 9.3 and publicly available exploit code exists (Exploit-DB 52183, VulnCheck advisory), enabling full takeover of UPS management functions including configuration changes and enabling telnet/SSH. No public exploit identified at time of analysis as actively exploited in CISA KEV, but the trivially abusable static credential makes opportunistic exploitation highly likely.
Unauthenticated arbitrary file write and read in the Network Installation Service (NIS) component of Altium Enterprise Server enables remote attackers to overwrite binaries or configuration, drop content into web-accessible directories, and exfiltrate package archives - escalating to remote code execution as the service account. The CVSS 4.0 score of 10.0 (AV:N/AC:L/PR:N/UI:N with high impact across confidentiality, integrity, availability and scope) reflects a worst-case unauthenticated network primitive. No public exploit identified at time of analysis, and Altium 365 cloud deployments are explicitly out of scope.
Remote code execution in Altium Enterprise Server (versions prior to 8.1.1) and Altium 365 arises from a path traversal flaw in the shared Git Service component, which processes post-clone file-manipulation operations using user-supplied paths without validation. An authenticated user with basic git permissions can move arbitrary files outside the repository area, drop attacker-controlled scripts into directories the service later executes, and on multi-tenant Altium 365 infrastructure could have reached data belonging to other tenants on the same node. No public exploit identified at time of analysis, and EPSS sits at 0.44% (63rd percentile).
Unauthenticated file disclosure and arbitrary file read in Altium Enterprise Server prior to 8.1.1 allows any network-reachable attacker to forge signed Vault download URLs using a hard-coded key shipped identically across all installations. Chained with a co-located path traversal in the same download endpoint (and optionally CVE-2026-9152 for enumeration), an attacker can read arbitrary server-side files including configuration and key material, leading to full server compromise. No public exploit identified at time of analysis; CVSS 4.0 score is 10.0 and Altium 365 SaaS is not affected because cloud deployments use object storage rather than the local filesystem.
Remote command execution in Termix web-based server management platform (versions prior to 2.3.2) allows any authenticated user with an active File Manager SSH session to execute arbitrary OS commands on the connected remote host via the GET /ssh/file_manager/ssh/resolvePath endpoint. The vulnerability stems from improper shell escaping that fails to neutralize $(...) and backtick command substitution, yielding a CVSS 9.9 critical rating with scope change. No public exploit identified at time of analysis, but the vendor advisory (GHSA-37f4-wq95-pg33) provides sufficient technical detail to develop one trivially.
OS command injection in Termix web-based server management platform prior to version 2.3.2 allows remote unauthenticated attackers to execute arbitrary commands on the source SSH host via the POST /ssh/tunnel/connect endpoint. The flaw stems from user-controlled host record fields being interpolated directly into shell commands without escaping, yielding persistent code execution. No public exploit identified at time of analysis, but a vendor-released patch is available in version 2.3.2.
Remote unauthenticated code execution and denial-of-service in Morse Micro HaLowLink 2 (versions prior to 2.11.13) allows attackers within radio range to corrupt kernel memory via a malformed 802.11ah beacon frame. The flaw resides in the morse.ko HaLow Wi-Fi kernel driver, which processes broadcast beacons during passive scanning, requiring no authentication or user interaction. No public exploit identified at time of analysis, but SSVC rates the technical impact as total and the issue as automatable, and a vendor patch is available.
Remote code execution and kernel-level denial of service in Morse Micro HaLowLink 2 devices running software prior to 2.11.13 allows any attacker within 802.11ah radio range to corrupt kernel heap memory by broadcasting a malformed S1G Capabilities IE in a beacon or probe response frame. The flaw sits in the dot11ah.ko HaLow Wi-Fi driver and triggers during normal passive scanning, requiring no authentication, association, or user interaction. A vendor patch exists, but no public exploit identified at time of analysis and EPSS sits at 0.05% despite the CVSS 9.8 rating.
Authentication bypass in DTS Electronics Redline WR3200 firmware versions 7.1.3 through 7.1.7 allows remote unauthenticated attackers to access functionality not properly constrained by ACLs, leading to full compromise of the device. The CVSS 9.8 rating reflects network-reachable exploitation with no privileges or user interaction required, though no public exploit identified at time of analysis. The flaw maps to CWE-287 (Improper Authentication) and was reported through Turkey's national CERT (USOM).
Authentication bypass in Defense Unicorns UDS Identity Config versions 0.11.0 through 0.26.0 allows remote unauthenticated attackers to obtain OAuth2 tokens for any Keycloak client using the client-kubernetes-secret authenticator by submitting an arbitrary client_secret value. A logic flaw in the custom authenticator overwrites the submitted secret with the mounted Kubernetes secret prior to comparison, rendering the comparison meaningless. With EPSS at 0.04% there is no public exploit identified at time of analysis, but the SSVC technical impact is rated total and exploitation is automatable, making this a high-priority patch for UDS Core operators.
Metric and tag injection in the Perl DataDog::DogStatsd client (versions through 0.07) allows attackers who control event tag content to inject arbitrary metrics, tags, and event data into the DogStatsd telemetry stream. The CVSS 9.8 score reflects an unauthenticated network-vector CWE-93 (CRLF/separator injection) flaw where the format_event method fails to sanitize commas, newlines, pipes, and colons - including an ineffective s/|//g regex that misinterprets the pipe as a regex metacharacter. No public exploit identified at time of analysis and EPSS sits at 0.03% (8th percentile), indicating low observed exploitation interest despite the high CVSS rating.
Heap buffer overflow in the Perl DBI module versions before 1.648 occurs when the preparse() function processes SQL statements containing 10 or more placeholder binders. The fixed-size buffer allocation (three characters per binder) is insufficient for multi-digit binder names like :p10 through :p99 (four chars) or :p100+ (five chars), enabling memory corruption. EPSS rates exploitation probability at only 0.02% (5th percentile) and no public exploit identified at time of analysis, but the upstream maintainer has shipped a fix expanding the allocation.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to break out of the renderer sandbox via a use-after-free flaw in the Input component when a victim visits a crafted HTML page. The CVSS score of 9.6 reflects the scope change inherent to sandbox escapes, though Chromium rated the underlying severity as Low and EPSS estimates exploitation probability at only 0.03%. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Sandbox escape in Google Chrome on Linux prior to version 149.0.7827.53 allows remote attackers to potentially break out of the renderer sandbox via a crafted HTML page when a user visits an attacker-controlled site. The flaw stems from insufficient policy enforcement in the Linux sandbox implementation and carries a high CVSS of 9.6 due to scope change, though Chromium itself rates the security severity as Low. No public exploit identified at time of analysis, and EPSS is very low at 0.03%.
Information disclosure in Google Chrome DevTools prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to read potentially sensitive data from process memory by serving a crafted HTML page. The flaw stems from a use-after-free condition (CWE-416) in DevTools, and while Google rates the underlying Chromium severity as Low, the NVD CVSS of 9.6 reflects the cross-origin scope change possible when chained with a prior renderer compromise. No public exploit identified at time of analysis.
Arbitrary file write in the Altium Enterprise Server Vault Service allows authenticated users to escape the configured storage root via the UploadController image upload endpoint and place content-controlled files anywhere the service account can write. The flaw (CVSS 4.0 base 9.4, CWE-22) escalates to remote code execution, service takeover, or denial of service by overwriting application binaries, configuration files, or dropping payloads in web-accessible directories. No public exploit identified at time of analysis, and Altium 365 cloud deployments are explicitly out of scope.
SQL injection in Open XDMoD versions prior to 10.0.3 allows remote unauthenticated attackers to execute arbitrary SQL statements against the underlying database of this HPC metrics framework. The flaw requires no authentication or user interaction (CVSS 4.0 score 9.3) and can result in full database compromise. No public exploit identified at time of analysis and no evidence of in-the-wild exploitation per the vendor advisory.
Authenticated remote code execution affects HAX CMS PHP backend versions prior to 26.0.0, where attackers with valid credentials can configure malicious Git filter commands to overwrite files and execute arbitrary code on the server. The flaw carries a CVSS 4.0 score of 9.4 due to full compromise of confidentiality, integrity, and availability with cascading subsequent system impact. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Arbitrary file read in Altium Enterprise Server Collaboration Service (versions prior to 8.1.1) allows an authenticated low-privileged user to traverse the server filesystem via crafted filenames in MCAD and Simulation download flows. Because retrievable files include the master configuration holding privileged credentials, the bug escalates to full administrative takeover of the on-premises server. No public exploit identified at time of analysis, and Altium 365 cloud tenants are explicitly out of scope.
Remote unauthenticated command injection in Open XDMoD versions 9.5.0 through 11.0.2 allows attackers to execute arbitrary system commands on the web server with the privileges of the web server process. The flaw carries a CVSS 4.0 score of 9.3 and was privately reported on 2026-04-06; no public exploit identified at time of analysis, and there is no evidence of in-the-wild exploitation per the vendor advisory. A fix is available in Open XDMoD 11.0.3, released 2026-05-12.
Directory traversal in the OpenDaylight Controller v12.0.5 cluster-admin:backup-datastore component allows unauthenticated remote attackers to read arbitrary files outside the intended backup directory via a crafted request. A public proof-of-concept exists on GitHub (majdlatah/ODL-Path-Traversal), though no active exploitation has been reported and EPSS scoring places real-world exploitation probability at the 16th percentile.
Metric injection in the Perl DataDog::DogStatsd client (versions through 0.07) allows remote attackers to forge or manipulate StatsD metrics by supplying unsanitised input containing newlines, pipes, or colons in stat names, values, or tags. With a CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) rating and CWE-93 (CRLF Injection) classification, attackers can corrupt monitoring data, change metric name prefixes, or inject arbitrary metrics - the SYNOPSIS example of passing a web form 'loginName' parameter as a tag is explicitly called out as unsafe. EPSS is very low (0.03%) and no public exploit identified at time of analysis, but the trivial network attack profile means risk depends entirely on whether untrusted input reaches the library.
Path traversal in NASA AMMOS AIT-Core's Binary Stream Capture (BSC) component allows unauthenticated remote attackers to direct the ait-bsc process to append attacker-controlled binary data to arbitrary files on the host filesystem, limited only by the OS permissions of the running process. Affected are AIT-Core 3.1.0 and all 2.x versions before 2.6.1, exploitable via a direct HTTP request if the BSC port is network-accessible or via a browser-based CSRF attack that works even against localhost-bound deployments. Publicly available exploit code exists (python_poc.py, attacker_tcp.py, and test1.html), though no CISA KEV listing was identified at time of analysis.
Authorization bypass in HAVELSAN Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to access restricted functionality and sensitive geospatial tracking data due to missing ACL enforcement. The CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) vector and CWE-284 classification indicate trivially exploitable broken access control affecting confidentiality and integrity of tracked entities. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authorization bypass in HAVELSAN Inc. Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to access or modify other users' data by manipulating user-controlled identifiers. The CVSS 9.1 score reflects high confidentiality and integrity impact achievable over the network without authentication, though no public exploit identified at time of analysis. The flaw was reported by TR-CERT (Turkey's national CERT), suggesting coordinated disclosure for a regionally deployed product.
Information disclosure in HAVELSAN Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to perform system footprinting by analyzing observable discrepancies in server responses. The CVSS 9.1 score reflects high confidentiality and integrity impact over the network with no authentication required, though no public exploit identified at time of analysis. The vulnerability was reported by Turkey's national CERT (TR-CERT), suggesting it primarily affects deployments within Turkey's defense and government sectors where HAVELSAN products are commonly used.
Cross-tenant remote code execution in Termix (web-based SSH/file management platform) prior to version 2.3.2 allows an authenticated low-privileged user to hijack another user's active File Manager session by tampering with a client-supplied sessionId, gaining full read/write/execute access to that victim's remote VPS over their established SSH connection. The CVSS 9.0 score reflects scope change (the compromised session crosses the trust boundary into the victim's separate VPS) and high impact across CIA. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, but the trivial nature of incrementing/guessing an unvalidated identifier makes exploitation straightforward once a foothold account exists.
Command injection in Termix server management platform before version 2.3.2 allows authenticated users to execute arbitrary shell commands on remote SSH-managed hosts via the File Manager's resolvePath endpoint. The flaw stems from incomplete shell escaping that only handles double quotes while leaving command substitution syntax interpretable. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-v26q-rpv5-9m72) and CVSS 9.0 rating signal high impact across confidentiality, integrity, and availability of downstream SSH targets.
Authenticated remote code execution in DbGate (all versions through 7.1.8) allows any user with valid credentials to execute arbitrary OS commands as the process owner - root in Docker - by injecting newline-delimited JavaScript into the unsanitized `functionName` parameter of the `/runners/load-reader` API endpoint. A prior partial mitigation (`require = null`) introduced in commit cf3f95c (June 2025) is trivially bypassed using the dynamic `import()` language keyword, which cannot be nullified at runtime. Publicly available exploit code exists demonstrating full root-level command execution; this vulnerability is not listed in CISA KEV at time of analysis.
Remote code execution in DbGate versions 7.1.8 and earlier allows network-adjacent attackers to achieve full container compromise via a Zip Slip flaw in the archive unzip endpoint. Because the default Docker deployment runs as root and the bundled 'none' authentication provider issues JWT tokens without credentials, any attacker reachable on the network can upload a malicious ZIP that writes files anywhere on the filesystem, including cron entries for code execution. Publicly available exploit code exists in the GHSA advisory itself, and an upstream patched release (7.1.9) is available.