Authentication bypass in Check Point Quantum Security Gateway and Spark Firewalls allows unauthenticated remote attackers to establish Remote Access and Mobile Access VPN sessions without valid credentials by abusing a logic flaw in deprecated IKEv1 certificate validation. The flaw (CVSS 9.3, CWE-287) was reported by Check Point themselves and publicly available exploit code exists, though EPSS exploitation probability remains very low (0.01%) and the issue is not currently listed in CISA KEV. Affected deployments include multiple Quantum R80.40-R82.10 trains and Spark R80.20.X-R82.00.X firmware.
WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authentication bypass in OpenBullet2 through 0.3.2 lets unauthenticated remote attackers obtain full admin access by sending an empty X-Api-Key HTTP header, because the API key middleware compares the submitted value against a default empty AdminApiKey string. With CVSS 4.0 score 9.3, publicly available exploit code, and a writeup from VulnCheck/Hackernoon, this is a trivially exploitable flaw exposing the admin console and every API endpoint of any internet-reachable deployment running default configuration.
Remote code execution in OpenBullet2 through 0.3.2 allows authenticated users to execute arbitrary OS commands by abusing the FileProxySource proxy loading feature to upload malicious .bat, .ps1, or .sh script files that the server then executes and returns output as proxy lines. Publicly available exploit code exists per the VulnCheck advisory and a HackerNoon writeup, and the issue carries a CVSS 8.8 (High) with low attack complexity and only low-privilege authentication required. No public exploit identified in CISA KEV at time of analysis, but the combination of a documented technique and trivial exploitation path elevates near-term abuse risk.
Path traversal in OpenBullet2 through 0.3.2 lets authenticated attackers read, write, and delete arbitrary files via the wordlist endpoint, escalating to remote code execution by tampering with system files like /etc/passwd. Because the application runs as root by default, successful exploitation yields full system compromise. Publicly available exploit code exists (VulnCheck advisory and HackerNoon write-up), though there is no public exploit identified at time of analysis indicating CISA KEV listing.
Authenticated remote code execution in OpenBullet2 through version 0.3.2 allows any logged-in user to run arbitrary C# code on the host by abusing the job configuration interface's plain C# execution mode. Because that mode lacks reference filtering or API restrictions, attackers can touch the file system, spawn child processes, and call any .NET API as the OpenBullet2 service account. Publicly available exploit code exists, and the issue was reported by VulnCheck; pairing it with a known authentication bypass route (referenced HackerNoon write-up) materially raises real-world exploitability.
WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
IPv6 access control bypass in Netty's netty-handler component (versions <= 4.1.134.Final and 4.2.0.Final through 4.2.14.Final) allows remote attackers to circumvent IpSubnetFilter restrictions due to a faulty bitwise masking operation in IpSubnetFilterRule.compareTo(). Because the comparator ANDs the incoming IP against the networkAddress instead of the subnetMask, valid public IPv6 addresses outside the configured allowlist/blocklist can pass filter checks. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Stack-based buffer overflow in Tenda CX12L 16.03.53.12 routers allows remote attackers with low privileges to corrupt memory via the setSchedWifi function in /goform/openSchedWifi by manipulating the schedStartTime or schedEndTime parameters. Publicly available exploit code exists per VulDB, raising the practical risk despite the vulnerability not yet being listed in CISA KEV. The flaw impacts the Wi-Fi Schedule Configuration Endpoint and can lead to high confidentiality, integrity, and availability impact on the device.
Stack-based buffer overflow in the Tenda CX12L router (firmware 16.03.53.12) allows authenticated remote attackers to corrupt memory via the ssid parameter of the /goform/fast_setting_wifi_set endpoint, handled by the form_fast_setting_wifi_set function. Publicly available exploit code exists per VulDB disclosure, raising the likelihood of opportunistic exploitation against exposed management interfaces. The CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact bounded by a low-privilege requirement.
Stack buffer overflow in UTT HiPER 2610G routers (firmware through 3.0.0-171107) allows authenticated remote attackers to corrupt memory by submitting an oversized GroupName parameter to the /goform/formConfigDnsFilterGlobal endpoint, which passes the input to an unsafe strcpy call. Publicly available exploit code exists (disclosed via VulDB and a GitHub PoC), and successful exploitation can compromise confidentiality, integrity, and availability of the device - typically meaning router takeover or denial of service. The issue is not listed in CISA KEV, so it is not confirmed actively exploited at this time.
Certificate validation bypass in Check Point Quantum Security Gateway and Spark Firewalls allows network-positioned attackers to subvert IKEv1 certificate-based authentication in site-to-site VPN tunnels. A man-in-the-middle adversary can intercept or modify traffic traversing the tunnel without possessing valid credentials. No public exploit identified at time of analysis, and the issue is constrained to the deprecated IKEv1 protocol path.
Stack-based buffer overflow in the Tenda F451 router (firmware 1.0.0.7 and 1.0.0.9) Web Management Interface allows remote authenticated attackers to corrupt memory by sending a crafted 'page' argument to the fromNatlimit handler at /goform/Natlimit. Publicly available exploit code exists, raising practical risk for exposed or LAN-reachable devices, though no public exploit identified as actively used in CISA KEV at time of analysis.
OS command injection in Tenda F451 routers (firmware 1.0.0.7 and 1.0.0.9) allows remote attackers with low-privileged web management access to execute arbitrary operating system commands by manipulating the 'mac' parameter sent to the /goform/WriteFacMac endpoint handled by the formWriteFacMac function. Publicly available exploit code exists, raising the practical risk for any device exposing the web management interface to untrusted networks. The flaw is rated CVSS 4.0 base 7.4 with high confidentiality, integrity, and availability impact on the device itself.
Stack-based buffer overflow in Tenda HG7, HG9, and HG10 XPON ONT routers (firmware 300001138_en_xpon) allows authenticated remote attackers to corrupt memory via the encodename parameter of the formPPPEdit handler at /boaform/formPPPEdit. Publicly available exploit code exists (hosted on GitHub by researcher xiezhihua-1127), elevating practical risk despite no confirmed active exploitation in CISA KEV. Successful exploitation yields high impact to confidentiality, integrity, and availability on the affected device.
Stack-based buffer overflow in the Tenda AC18 router (firmware 15.03.05.05) Web Management Interface allows remote attackers with low privileges to corrupt memory by manipulating the callback argument sent to /goform/getRebootStatus. The flaw, handled by the sub_45304 function, has publicly available exploit code and enables high impact to confidentiality, integrity, and availability of the device. No public exploit identified as actively exploited in CISA KEV, but POC publication raises the risk of opportunistic attacks against exposed management interfaces.
Stack-based buffer overflow in the Tenda W20E router (firmware 15.11.0.6) allows remote authenticated attackers to corrupt memory via the wifiFilterListRemark parameter of the /goform/modifyWifiFilterRules endpoint in the Web Management Interface. Publicly available exploit code exists per VulDB disclosure, raising the practical risk for exposed management interfaces, though no public exploit identified at time of analysis confirms active in-the-wild exploitation. CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact with low privileges required.
Stack-based buffer overflow in Tenda W20E firmware 15.11.0.6 allows authenticated remote attackers to corrupt memory via the gotoUrl parameter handled by the formPortalAuth function in /goform/PortalAuth of the Web Management Interface. Publicly available exploit code exists, raising the likelihood of opportunistic targeting of internet-exposed router management interfaces, though no public exploit identified as actively exploited per CISA KEV at time of analysis.
Stack-based buffer overflow in the Tenda W20E router (firmware 15.11.0.6) allows remote authenticated attackers to corrupt memory via the portMirrorMirroredPorts parameter handled by formSetPortMirror in /goform/setPortMirror. Publicly available exploit code exists, raising the practical risk for exposed management interfaces, though no CISA KEV listing or EPSS data is provided to confirm widespread exploitation. The flaw enables high impact on confidentiality, integrity, and availability of the device per the CVSS 4.0 vector.
Credential disclosure in OpenBullet2 through 0.3.2 on Windows allows authenticated remote attackers to coerce SMB authentication and capture NTLMv2 hashes by configuring a job's proxy source with an attacker-controlled UNC path. Captured hashes can be relayed against other services or cracked offline to recover the password of the account running the application. Publicly available exploit code exists per VulnCheck advisory; no CISA KEV listing at time of analysis.
WordPress Plugin admin-word-count-column 2.2 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting null byte injection in the path. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
DNS cache poisoning in Netty's netty-resolver-dns library (versions prior to 4.1.135.Final and 4.2.0.Final through 4.2.14.Final) allows an attacker who controls an authoritative name server for any subdomain to inject forged NS and A records for parent zones such as .co.uk into the resolver's authoritativeDnsServerCache. The bailiwick check in DnsResolveContext.AuthoritativeNameServerList only blocks records targeting the root zone, so any Java application embedding Netty's resolver can be steered to attacker-controlled name servers for unrelated domains. EPSS is only 0.01% and no public exploit identified at time of analysis, but the SSVC technical impact is rated total.
DNS cache poisoning in Netty's netty-resolver-dns component (versions before 4.1.135.Final and 4.2.x before 4.2.15.Final) lets remote attackers inject forged CNAME records into the resolver cache by exploiting missing bailiwick (origin) validation in DnsResolveContext#buildAliasMap. Any JVM application relying on Netty for asynchronous DNS resolution may be redirected to attacker-controlled hosts, enabling man-in-the-middle on subsequent traffic. No public exploit identified at time of analysis, EPSS is 0.01%, and the issue is not on the CISA KEV list, but CVSS rates it 10.0 due to the scope-changing integrity/confidentiality impact.
Privilege escalation and cross-tenant resource takeover in juev/nebula-mesh versions prior to v0.3.4 allow any authenticated low-privilege operator to mint admin API keys, hijack other operators' hosts via the reenroll endpoint, and perform unauthorized CRUD across hosts, networks, and firewall rules. The `/api/v1/*` route surface trusts the bearer token for authorization without enforcing per-CA ownership checks that the Web UI applies, breaking the per-operator CA tenancy model from ADR 0002. No public exploit identified at time of analysis, though a detailed exploit chain with working curl commands is published in the GHSA advisory.
Remote code execution in YesWiki prior to 4.6.6 allows unauthenticated attackers to inject arbitrary PHP via the Bazar CalcField formula evaluator, which sanitizes input with a recursive regex before passing it to eval(). The same flawed regex is also vulnerable to ReDoS/stack overflow, enabling denial of service against the server. No public exploit identified at time of analysis, but the commit diff in 4.6.6 fully documents the vulnerable code path, lowering the bar for exploit development.
Incorrect length calculation in the Linux kernel's lib/scatterlist extract_kvec_to_sg helper can produce scatterlist entries that cross page boundaries, leading to memory corruption or out-of-bounds access in kernel code paths that build scatterlists from kvecs (originally introduced in v6.3, moved to lib/scatterlist.c in v6.5). The flaw is patched upstream across the 6.6, 6.12, 6.18 and 7.0/7.1 stable trees, with no public exploit identified at time of analysis and a very low EPSS probability of 0.02%.
Remote code execution in Apache HTTP Server versions 2.4.0 through 2.4.67 is possible through a use-after-free condition in mod_ldap when LDAP authentication or authorization is configured in a per-directory context. The CVSS 9.8 rating reflects unauthenticated network exploitation with high impact across confidentiality, integrity, and availability, though no public exploit has been identified at time of analysis and EPSS exploitation probability remains very low at 0.02%. CISA SSVC assesses exploitation status as none but flags the issue as automatable with total technical impact.
Unauthenticated remote exploitation of the Boa embedded web server on the D-Link DCS-5615 IP camera (firmware 1.01.00) allows attackers to violate the principle of least privilege via manipulation of the `/etc/conf.d/boa/boa.conf` configuration component. The CVSS 4.0 vector confirms network-reachable, zero-complexity, no-authentication access with an active proof-of-concept exploit publicly available. No public KEV listing is present, but the PoC status elevates real-world risk for this class of always-on, internet-facing IoT device.
Unrestricted file upload in Kushan2k's student-management-system exposes the registration endpoint to unauthenticated remote attackers who can upload arbitrary files - including PHP webshells - by manipulating the `stimg` argument in `service/RegisterService.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no complexity, and no user interaction are required, making this trivially exploitable by any network-reachable attacker. Publicly available exploit code exists (E:P confirmed), and the vendor has not responded to responsible disclosure as of analysis time, leaving all installations unpatched.
SQL injection at the Administrator Login Endpoint of imvks786's student_management_system (PHP) allows unauthenticated remote attackers to manipulate the a_usr and a_pwd parameters in admin/admin_login.php to inject arbitrary SQL. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote exploitation with no privileges or user interaction required. A public proof-of-concept exploit has been released via GitHub issue tracker; the project maintainer has not responded to disclosure, and no patch is available at time of analysis.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 exposes sensitive patient data to remote, unauthenticated attackers via the `ID` parameter in the `/classes/Master.php?f=save_patient` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, attack prerequisites, or user interaction are required, making this trivially exploitable from the network. A publicly available exploit exists (CVSS E:P), elevating real-world risk beyond what the moderate base score of 5.5 suggests; no public exploit identified at time of analysis rises to KEV level, but the POC lowers the barrier for opportunistic attackers targeting healthcare data.
SQL injection in code-projects Online Music Site 1.0 allows remote unauthenticated attackers to manipulate the Category parameter in /Frontend/Search.php to execute arbitrary SQL commands against the backend database. Publicly available exploit code exists (disclosed via GitHub), increasing the practical risk despite the small footprint of this PHP application. No active exploitation has been confirmed in CISA KEV at the time of analysis.
SQL injection in code-projects Online Music Site 1.0 allows remote attackers to manipulate the ID parameter in /Administrator/PHP/AdminDeleteAlbum.php to execute arbitrary database queries. Publicly available exploit code exists (published via GitHub and tracked by VulDB), and the flaw is reachable over the network without authentication per the CVSS vector. There is no public exploit identified as actively used in the wild (not CISA KEV), but the combination of trivial attack complexity and public PoC raises the practical exploitation risk for any exposed deployment.
SQL injection in code-projects Simple Flight Ticket Booking System 1.0 allows remote unauthenticated attackers to manipulate database queries via the Username POST parameter in checkUser.php. Publicly available exploit code exists (disclosed via GitHub), increasing the likelihood of opportunistic attacks against exposed instances, though the issue is not listed in CISA KEV. The CVSS 3.1 base score of 7.3 reflects network-reachable, low-complexity exploitation with no privileges or user interaction required.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter in /archive1.php to inject arbitrary SQL queries against the backend database. Publicly available exploit code exists per VulDB submission 369106, raising the practical risk despite the moderate CVSS 7.3 score. No KEV listing and no public exploitation campaigns identified at time of analysis.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter of /archive2.php to execute arbitrary SQL queries against the backend database. Publicly available exploit code exists (disclosed via GitHub), though there is no confirmed active exploitation in CISA KEV. The CVSS 7.3 score reflects network-reachable, no-authentication exploitation with partial impact across confidentiality, integrity, and availability.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter in /archive3.php to execute arbitrary database queries. Publicly available exploit code exists, increasing immediate risk to any exposed deployment, though no CISA KEV listing or EPSS data has been provided to indicate widespread active exploitation. The flaw carries a CVSS 7.3 rating reflecting network reachability with no authentication or user interaction required.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter of /archive4.php to inject arbitrary SQL queries. Publicly available exploit code exists, increasing the risk of opportunistic exploitation against exposed deployments, though no active exploitation has been confirmed via CISA KEV.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the login endpoint /index1.php to unauthenticated remote exploitation via an unsanitized Password parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier indicates a publicly available proof-of-concept - confirmed via a GitHub issue disclosure. An attacker can manipulate the Password argument to inject arbitrary SQL, potentially bypassing authentication or exfiltrating database contents. No CISA KEV listing is present, and no vendor patch has been identified at time of analysis.
Unauthenticated remote SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the login endpoint /index2.php to arbitrary query manipulation via the Password parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special attack complexity, making this trivially reachable from the network. Publicly available exploit code exists (POC confirmed via GitHub), though no CISA KEV listing has been issued, meaning widespread active exploitation is not confirmed at time of analysis.
SQL injection in CodeAstro Student Attendance Management System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter at /attendance-php/index.php to inject arbitrary SQL. Publicly available exploit code exists per VulDB reference, raising the practical risk despite the moderate 7.3 CVSS score. No CISA KEV listing and no EPSS score were supplied, so exploitation appears opportunistic against this small-vendor PHP application rather than mass-targeted.
SQL injection in imvks786 Student Management System (rolling release up to commit 9599b560) allows remote unauthenticated attackers to manipulate the usr and pwd parameters of /index.ph in the Login component to inject arbitrary SQL. Publicly available exploit code exists per VulDB, though the project is on a rolling release with no tagged fix and the maintainer has not responded to the issue report. No CISA KEV listing and no EPSS score is provided, but the trivial network-reachable login vector makes opportunistic scanning likely.
Authenticated remote code execution in FlowiseAI Flowise prior to 3.1.2 allows any user with a valid session or API key to submit arbitrary JavaScript via POST /api/v1/node-custom-function, which executes inside a NodeVM sandbox that can be escaped to reach the host process and spawn child processes. CVSS 4.0 scores this 9.4 Critical, and publicly available exploit details exist via the GHSA advisory, though no public exploit identified at time of analysis in CISA KEV. The flaw stems from missing route-level authorization combined with a sandbox that Flowise itself documents as a security boundary but which fails to contain malicious payloads.
Stack-based buffer overflow in Tenda HG7HG9 and HG10 routers (firmware 300001138_en_xpon) allows remote attackers to corrupt memory via the blkDomain parameter in the formDOMAINBLK handler at /boaform/formDOMAINBLK. The CVSS 4.0 score of 9.3 reflects network-reachable, unauthenticated exploitation with high impact to confidentiality, integrity, and availability, and a public proof-of-concept repository has been published on GitHub by researcher ssaaaa1234, though no public exploit has been confirmed as active exploitation.
Privilege escalation in STACKIT IaaS API allows authenticated low-privileged users to compromise entire organization environments by attaching arbitrary high-privileged service accounts to attacker-controlled virtual machines. The flaw stems from a missing authorization check on the PUT servers service-accounts endpoint, letting attackers query the Instance Metadata Service for OAuth2 tokens and cross tenant boundaries. With a CVSS 4.0 score of 9.3 and the CVSS vector indicating network-reachable, low-complexity exploitation, this represents a severe cloud tenant-isolation failure, though no public exploit identified at time of analysis.
Authentication bypass in AdGuard Home prior to v0.107.77 allows unauthenticated remote attackers to gain full admin access when the binary is launched with the --glinet flag, by injecting a path traversal sequence into the Admin-Token cookie. The flaw lives in the authglinet middleware, which concatenates the cookie value into a file path without sanitization, letting attackers redirect token reads to arbitrary files. No public exploit identified at time of analysis, but the vendor advisory and a community-disclosed root cause make weaponization straightforward.
Phar deserialization in PhpSpreadsheet (PHPOffice) is reachable on PHP 7.x because the `File::prohibitWrappers` helper added to patch CVE-2026-34084 can be bypassed with a three-slash phar URI such as `phar:///path/file.phar/inner`, where `parse_url` returns false and the wrapper check is skipped. Remote attackers who can supply a file path to `IOFactory::load()` achieve full RCE on PHP 7.x branches (1.x up to 1.30.4) and a phar file-read primitive on PHP 8.x branches up to 5.7.0; publicly available exploit code exists with a working Docker reproducer, though EPSS is only 0.04% (12th percentile).
WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.