Improper access control in imvks786's Student Management System PHP application exposes the /add.php Student Record Handler endpoint to unauthorized manipulation by authenticated remote attackers. The vulnerability, classified under CWE-284, allows a low-privileged user to perform actions beyond their intended authorization scope - consistent with the 'Authentication Bypass' tag suggesting role-boundary violations rather than full pre-auth access. Public exploit code exists per the GitHub issue report, though the CVSS 4.0 score of 2.1 reflects limited impact scope (low confidentiality, integrity, and availability impact, no downstream system effect). The vendor has not responded to the coordinated disclosure.
SQL injection in designcomputer mysql-mcp-server (versions up to 0.2.2) allows authenticated remote attackers to execute arbitrary SQL via a crafted mysql:// URI passed to the read_resource function in server.py. The vulnerability stems from insufficient validation of the table-name segment in mysql://database/<name> URIs before interpolation into MySQL queries. A publicly available proof-of-concept exploit exists (GitHub issue #89); the issue is not listed in CISA KEV, indicating no confirmed widespread active exploitation at time of analysis. An official fix was released as v0.3.0 (also backported to v0.2.3).
Improper authorization in Mohammed-eid35's bank-management-system-springboot exposes the Transaction Endpoint to low-privileged authenticated remote attackers, enabling unauthorized access to or manipulation of financial transaction records belonging to other users. All versions up to commit 7b9bcc65ad7df3db29af71aed9bb500e5f24d948 are affected, with publicly available exploit code disclosed via GitHub issue #8. No patch has been released - the maintainer has not responded to the responsible disclosure report - making this an unresolved risk for any organization running this application.
Stored cross-site scripting in SourceCodester Inventory System 1.0 allows remote unauthenticated attackers to inject persistent malicious scripts via the fullname and username parameters in /users.php on the User Management Page. When an authenticated user - likely an administrator - visits the affected page, the injected script executes in their browser session, enabling session hijacking, credential theft, or unauthorized UI manipulation. Publicly available exploit code exists (GitHub PoC by Xmyronn); this is not listed in CISA KEV but the low-complexity, no-authentication submission path elevates practical risk above the CVSS 4.3 score suggests.
SQL injection in itsourcecode Hospital Management System 1.0 exposes patient database records to authenticated remote attackers via the unsanitized `admissiontme` parameter in `/addpatient.php`. A publicly available proof-of-concept (published on GitHub) lowers the exploitation barrier, though the CVSS 4.0 score of 2.1 reflects constrained impact - limited to partial data read/write with no scope change to subsequent systems. No active exploitation has been confirmed (not in CISA KEV), but the healthcare context amplifies regulatory significance even for low-severity data exposure.
SQL injection in itsourcecode Hospital Management System 1.0 allows remote low-privileged attackers to manipulate backend database queries via the 'Date' parameter in /adminaccount.php. The vulnerability is PHP-based (CWE-89) and publicly exploitable code exists via a GitHub submission linked through VulDB. Despite remote reachability, the CVSS 4.0 score of 2.1 reflects constrained real-world impact: low privileges are required, and the scope is fully contained with only low-level confidentiality, integrity, and availability consequences. No public patch has been identified at time of analysis.
Cross-site scripting in itsourcecode Hospital Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript via the unsanitized `patientid` parameter in `/billing.php`, executing in the context of a victim user's browser session upon interaction with a crafted URL. A publicly available proof-of-concept exploit exists, referenced in GitHub issue #13 of the ltranquility/vuln_submit repository, lowering the barrier for opportunistic exploitation. This CVE is not listed in the CISA KEV catalog; the CVSS 4.0 score of 2.1 reflects limited impact scope - low integrity effect only, no confidentiality or availability loss - constrained further by the passive user interaction requirement.
Cross-site scripting in imvks786/student_management_system allows a low-privileged remote attacker to inject malicious scripts via the name, address, or fname parameters in /add.php. The payload executes in a victim's browser when the affected page is viewed, enabling session hijacking, credential theft, or UI redress attacks against other users of the application. A public exploit is available via a GitHub issue report; the vendor has not responded to the coordinated disclosure.
Buffer overflow in UTT HiPER 2610G firmware (up to 3.0.0-171107) enables an authenticated, adjacent-network attacker to corrupt memory via an unsafe strcpy call in the web management NAT static mapping form handler. By supplying an oversized NatBinds argument to /goform/formNatStaticMap, an attacker can achieve low-level impacts across confidentiality, integrity, and availability on the targeted device. No KEV listing is present, but a public proof-of-concept is confirmed on GitHub, materially lowering the exploitation barrier for any attacker already on the local network.
Command injection in Neovim up to version 0.12.2 allows a local attacker with low privileges to execute arbitrary Vim commands by crafting a file with a malicious name containing pipe (`|`) or other Vim Ex command separators. The vulnerable code path is the `M.read` function in `runtime/lua/vim/secure.lua`, which concatenates an unsanitized file path directly into a `vim.cmd('sview ...')` call when a user selects the 'View' action in Neovim's security trust prompt. This CVE is not listed in CISA KEV, indicating no confirmed widespread active exploitation; however, a publicly available proof-of-concept exploit exists (GitHub issue #39914) and an official patch has been released (commit f83e0dcaf8cf18de94828341b0a1a61a86c75baf via PR #39918).
Stored cross-site scripting in CodeAstro Human Resource Management System 1.0 enables a high-privileged authenticated attacker to inject persistent malicious script via the Notice Title parameter in the Notice Board Management component, executing in the browsers of any user who subsequently views the affected notice. The publicly available proof-of-concept on GitHub demonstrates exploitation via an SVG onload payload submitted through a POST request to /notice/All_notice. Despite remote accessibility, real-world severity is constrained by the requirement for prior high-privilege authentication and the need for victim interaction - reflected in the low CVSS score of 2.4 - and no public exploitation campaign has been identified at time of analysis.
ReDoS (Regular Expression Denial of Service) in kokke tiny-regex-c up to commit f2632c6d9ed25272987471cdb8b70395c2460bdb allows local low-privileged attackers to cause availability degradation by supplying crafted input to the `matchstar` function in `re.c`, triggering exponential backtracking in the pattern handler. A public proof-of-concept exploit (tiny-regex-c-redos-poc.zip) has been published, though no vendor patch exists and the project maintainer has not responded to the responsible disclosure. No active exploitation in the wild has been confirmed (not in CISA KEV), and real-world risk is constrained by the local-only attack vector and low availability impact.
Memory exhaustion denial-of-service in Dulwich's git-receive-pack handler allows any client with push access to crash the server by sending a ~174-byte crafted thin pack. The pack's delta header declares an arbitrarily large dest_size value, causing dulwich's add_thin_pack/apply_delta code to allocate hundreds of megabytes of memory with no relationship to the actual bytes received. No public exploit code and no CISA KEV listing exist at time of analysis; the CVSS 5.7 Medium score reflects the low-privilege network vector but is bounded by the requirement that the attacker hold push credentials.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `sy` parameter in `/archive5.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and exploit code is publicly available (E:P), lowering the bar for opportunistic exploitation. Impact is assessed as low across confidentiality, integrity, and availability - consistent with a partial data-disclosure or limited-manipulation SQL injection rather than full database takeover.
Kernel panic in the Linux amdgpu DRM driver exposes systems running RDNA4 hardware (e.g., AMD RX 9070 XT) to a denial-of-service condition during driver initialization, but only when the kernel is compiled with CONFIG_DRM_DEBUG_MM enabled. The RDNA4 architecture (GFX 12) removed the GDS, GWS, and OA on-chip memory resources entirely; however, amdgpu_ttm_init() unconditionally invokes amdgpu_ttm_init_on_chip() for these resources regardless of size, ultimately calling drm_mm_init(mm, 0, 0), which triggers DRM_MM_BUG_ON and crashes the kernel at modprobe time. No public exploit exists and EPSS sits at 0.02% (7th percentile), consistent with a hardware-specific, debug-config-dependent crash rather than a remotely triggerable attack surface.
NULL pointer dereference in the Linux kernel's HugeTLB early boot parameter parser causes a system crash before the OS fully initializes. Specifically, `hugetlb_add_param()` in `mm/hugetlb` dereferences a NULL pointer via `strlen()` when `hugepages`, `hugepagesz`, or `default_hugepagesz` kernel command line parameters are supplied without a '=' separator, producing a boot-time kernel panic. The impact is a complete denial of service - the system fails to boot until the malformed parameter is corrected. No public exploit or CISA KEV listing exists; EPSS stands at 0.02% (5th percentile), reflecting very low observed exploitation activity. Patches are available in Linux 6.18.27, 7.0.4, and 7.1-rc1, with Ubuntu distributing fixes via USN-8489-1 and USN-8488-1.
Error pointer dereference in the Linux kernel's Intel IPU6 media driver crashes the kernel during a failed probe, resulting in local denial of service. The flaw resides in `ipu6_pci_probe()` at `drivers/media/pci/intel/ipu6/ipu6.c:690`, where `isp->psys` holds an ERR_PTR value rather than NULL in a specific error path, causing it to be dereferenced during cleanup rather than handled safely. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting negligible real-world exploitation interest.
Kernel warning (WARN_ON) triggerable in the Linux videobuf2 DMA scatter-gather subsystem on Apple Silicon systems allows a low-privileged local user to destabilize video capture pipelines by performing mmap() on an imported DMA-buf. The vb2_dma_sg_mmap function fails to set VM_DONTEXPAND and VM_DONTDUMP VMA flags - protections that vb2_dma_contig correctly applies - causing drm_gem_mmap_obj() to hit its assertion guard. No public exploit has been identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with the narrow hardware-specific trigger surface.
NULL pointer dereference in the rtl8723bs staging WiFi driver crashes the Linux kernel when memory allocation fails in rtw_cbuf_alloc(). Systems running Linux 7.0 with an RTL8723BS chipset and the staging driver loaded are affected; a local low-privileged user can trigger a kernel panic resulting in denial of service. No public exploit exists and EPSS at 0.02% (5th percentile) reflects negligible real-world exploitation probability.
Local denial-of-service in the Linux kernel's SELinux subsystem allows any low-privileged local process to monopolize the `/sys/fs/selinux/policy` file descriptor, blocking all other processes from reading the active kernel policy. The root cause is a `policy_opened` flag that enforced a single-open restriction on the SELinux policy pseudofile - originally intended to prevent inconsistent reads or unbounded kernel memory allocation, but which also created a trivial resource-starvation primitive. No active exploitation has been identified (not in CISA KEV), and the EPSS score of 0.02% places this in the 5th percentile for exploitation likelihood.
NULL pointer dereference in the Linux kernel's s3c64xx SPI driver triggers a kernel crash on driver unbind, allowing a local low-privileged attacker to cause a denial of service. The flaw affects systems equipped with Samsung S3C64xx-series SoC hardware running unpatched kernel versions from 6.0 onward. No public exploit code exists and EPSS probability sits at 0.02%, but the crash is deterministic once the driver unbind sequence is triggered on vulnerable hardware. No active exploitation (CISA KEV) has been identified.
Missing resource cleanup in the Linux kernel's generic power domain (genpd) subsystem causes runtime PM to remain enabled for virtual devices after detach, leading to a NULL pointer dereference in genpd_runtime_suspend() and local denial of service. The flaw affects systems where drivers use genpd_dev_pm_attach_by_id() - predominantly ARM and SoC-based platforms - since the balancing pm_runtime_disable() call is absent from genpd_dev_pm_detach(). No public exploit exists and EPSS at 0.02% (5th percentile) confirms negligible exploitation probability; this is not listed in CISA KEV.
Sensitive HMAC key material is exposed through kernel debug logging in the Linux kernel's CAAM (Cryptographic Acceleration and Assurance Module) crypto driver. On systems with CONFIG_DYNAMIC_DEBUG enabled and debug output activated for the caam module at runtime, calls to hash_digest_key() emit raw HMAC key bytes via hex dump into the kernel log, allowing any local attacker with debug log read access to extract cryptographic secrets. No public exploit code has been identified and EPSS probability is 0.02%, though the confidentiality impact is severe if exploitation conditions are met. The provided CVSS vector (C:N/A:H) appears to misclassify this as an availability issue rather than a confidentiality issue - see confidence notes.
Missing RTNL lock acquisition in the txgbe network driver causes a kernel assertion warning during module removal on systems with Wangxun copper NICs with external PHY. When `rmmod txgbe` is executed, `phylink_disconnect_phy()` fires an `ASSERT_RTNL()` check at `drivers/net/phy/phylink.c:2351` because the driver's remove path neglects to hold the RTNL mutex, producing a kernel WARNING and degrading system availability. No public exploit exists and EPSS is 0.02% (5th percentile); this is a stability regression rather than a remotely exploitable flaw, affecting a narrow hardware-specific code path.
Array out-of-bounds read in the Linux kernel's Qualcomm Light Pulse Generator (qcom-lpg) LED driver allows a local low-privileged user to crash the kernel via denial of service on affected Qualcomm SoC-based systems. The flaw stems from using FIELD_GET() to extract a 3-bit register value (range 0-7) as an index into an array with only 5 elements, enabling reads beyond array bounds and subsequent hardware misconfiguration or kernel panic. No public exploit has been identified and EPSS stands at the 5th percentile, placing this firmly in lower-priority triage despite the technically High availability impact per CVSS.
Sensitive cryptographic material-HMAC session keys, nonces, and passphrase data held in struct tpm2_auth-is left in freed slab memory when a TPM device is released via tpm_dev_release() in Linux kernels from 6.10 onward, because that code path uses kfree() rather than kfree_sensitive(). Every other tear-down path in the same TPM driver (tpm2_end_auth_session() and tpm_buf_check_hmac_response()) already calls kfree_sensitive(), making this an isolated inconsistency. No public exploit exists and EPSS is 0.02% (5th percentile), but in high-assurance environments where TPM-backed key confidentiality is mandatory the residual key material is a meaningful exposure until overwritten by subsequent allocations.
NULL pointer dereference in the Linux kernel's admv1013 IIO frequency driver crashes the kernel when device_property_read_string() fails during device initialization, leaving a garbage pointer subsequently passed to strcmp(). A local low-privileged user on a system with ADMV1013 microwave upconverter hardware can reliably trigger a kernel panic, resulting in a complete denial of service. No public exploit exists and EPSS sits at 0.02% (5th percentile), but vendor-released patches are available across multiple stable kernel branches including 6.12.86 and 7.0.4.
NULL pointer dereference in the Linux kernel's drm/imagination (PowerVR GPU) driver crashes the kernel when a local user writes to the ftrace mask debugfs entry. Affected kernels range from the introduction of the drm/imagination driver at commit a331631496a0af9a6f4e7e1860983afd8b1bb013 through Linux 7.0, with fixes landed in 7.0.4 and 7.1-rc2. An attacker with local access and write permission to the debugfs interface can trigger a kernel Oops, resulting in a full system crash and denial of service. No public exploit exists and EPSS is 0.02%, consistent with the narrow hardware scope (Imagination Technologies PowerVR GPUs) and local-only attack surface.
Denial-of-service in the Linux kernel's DRM VKMS (Virtual Kernel Mode Setting) subsystem arises from an improperly managed custom hrtimer used for vblank timing, replaced in the fix by DRM's standard vblank timer implementation. Local users with low-privileged access to the VKMS device can trigger a kernel availability failure - likely a crash or hang - due to the divergent timer lifecycle in struct vkms_output. EPSS is negligible at 0.02% and no active exploitation is confirmed; this is a low-urgency kernel hardening fix affecting development and CI-focused deployments.
Infinite loop denial-of-service in the Linux kernel's drm/v3d GPU driver allows a local low-privileged user to permanently peg a CPU core by submitting a crafted self-referential ioctl extension structure. The vulnerability exists in v3d_get_extensions(), which traverses a userspace-controlled linked list without bounding chain length; when both in_sync_count and out_sync_count are zero, the duplicate-extension guard silently passes on every iteration, trapping the kernel thread indefinitely. No public exploit or active exploitation has been identified at time of analysis; EPSS stands at 0.02%, consistent with the local-access-only attack surface.
NULL pointer dereference in the Linux kernel's Renesas VSP1 media driver crashes the kernel during module unload on Generation 4 Renesas SoC hardware. The defect exists because the cleanup path unconditionally invokes vsp1_drm_cleanup() rather than vsp1_vspx_cleanup() for gen 4 IP versions, while the initialization path correctly checks the IP version - an asymmetry introduced when gen 4 support was added. With an EPSS of 0.02% (4th percentile), no KEV listing, and no public exploit code, real-world exploitation risk is very low and confined to niche embedded and automotive platforms; vendor-released patches are available in stable kernel branches.
Improper interrupt registration in the Linux kernel's libwx network driver causes a kernel WARNING when VF (Virtual Function) misc interrupts are initialized, resulting in high availability impact on affected systems. The libwx driver incorrectly calls request_threaded_irq() with a primary handler, a NULL threaded handler, and the IRQF_ONESHOT flag - an invalid combination flagged as a WARNING by the kernel interrupt management subsystem since commit aef30c8d569c. Exploitation requires local access with low privileges on a system equipped with a Wangxun VF NIC using the libwx driver; no public exploit code exists and EPSS is negligible at 0.02%.
KVM/x86 on Linux exposes a race condition in interrupt request register (IRR) scanning that causes incorrect reporting of the highest pending interrupt in nested virtualization scenarios. Specifically, when PID.ON is set by a sender vCPU after the target vCPU has already harvested and cleared the PIR, a second call to vmx_sync_pir_to_irr() observes an empty PIR and returns max_irr=-1 without scanning the IRR, producing a spurious kernel WARNING in vmx_check_nested_events() and a wasted L2 VM-Enter/VM-Exit cycle. The interrupt itself is not lost - it resides in the IRR from the first sync - but the incorrect max_irr triggers the assertion. No public exploit exists and EPSS is 0.02%, consistent with the highly localized, timing-dependent nature of this defect.
Linux kernel x86 EFI runtime service fault handling panics instead of recovering gracefully on systems with buggy EFI firmware, following the FPU softirq changes introduced in commit d02198550423. When kernel_fpu_begin() began using local_bh_disable() in place of preempt_disable(), SOFTIRQ_OFFSET is set in preempt_count for the duration of EFI runtime service calls, causing in_interrupt() to return true in normal task context - which causes efi_crash_gracefully_on_page_fault() to bail unconditionally, escalating to panic(). On hardware where EFI firmware (e.g., GetTime()) accesses unmapped memory, this produces an unrecoverable system freeze. No public exploit identified at time of analysis; EPSS is 0.02%, confirming no observed exploitation activity.
Privilege escalation in Apache HTTP Server 2.4.0 through 2.4.67 allows local users with .htaccess write access to read arbitrary files using the privileges of the httpd daemon process, exploiting improper privilege management (CWE-269). The attack vector is local, requires low privileges, and impacts only confidentiality - no integrity or availability impact is present. No public exploit code and no active exploitation have been identified; SSVC classifies technical impact as partial and the vulnerability as non-automatable, consistent with the targeted, local nature of the attack.
Hard-coded credential exposure in SourceCodester's Online Examination & Learning Management System 1.0 (also distributed as Syllabus-aligned Learning Management and Examination System 1.0) allows remote unauthenticated attackers to exploit a statically embedded password ('CICT_2026') in the import_users.php file without any authentication or user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms fully unauthenticated remote exploitation at low complexity, and the E:P exploit maturity modifier alongside the CVE description's explicit statement of public disclosure confirm that publicly available exploit code exists. Impact is constrained to low confidentiality exposure against the vulnerable component with no confirmed integrity or availability consequences.
Unauthenticated password reset bypass in SourceCodester Barangay Resident Profiling and Information Management System 1.0 allows remote attackers to reset user accounts to a known hard-coded credential via the `passsword_reset.php` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. Despite the VI:L integrity-only CVSS impact rating, the Authentication Bypass tag indicates the realistic consequence is full account takeover for any user whose password can be reset to the predictable hard-coded value 'password123'.
Stored cross-site scripting in VMware Cloud Foundation Operations (and the related Aria Operations / Telco Cloud Platform builds) lets an authenticated user who can create policies, views, or text-widgets inject script that executes in the browser of any user who later views the affected object, including administrators. Because the CVSS vector marks Confidentiality, Integrity, and Availability as High with Scope:Unchanged, a successful payload effectively lets a low-privileged operator escalate to administrative actions inside the Operations console. No public exploit identified at time of analysis and not currently listed in CISA KEV, but a vendor advisory has been issued by Broadcom.
Stored cross-site scripting in VMware Cloud Foundation Operations (formerly VMware Aria Operations) allows authenticated users with policy, view, or text-widget creation privileges to inject scripts that execute in the browser context of other users, including administrators. The flaw spans VCF Operations 9.x, the legacy 5.x/Aria Operations 8.18.x line, and VMware Telco Cloud Platform 5.x, with a CVSS of 8.0 driven by high impact across confidentiality, integrity, and availability when a victim admin renders the malicious content. No public exploit identified at time of analysis and no EPSS or KEV signal is provided in the input.
Stored cross-site scripting in Red Hat Quay 3.x allows an authenticated user with repository write access to upload a malicious SVG file via the filedrop endpoint, which lacks MIME type validation. The uploaded file is persisted and served inline through the CDN, meaning any victim who visits the archive URL will have attacker-controlled JavaScript execute in their browser. No public exploit has been identified at time of analysis, and exploitation requires both repository write privileges and victim interaction, limiting opportunistic mass exploitation.
Unauthenticated open redirect in Authlib's OAuth 2.0 authorization endpoint allows any remote attacker to weaponize a trusted authorization server domain as a redirector - no client registration, no authenticated session, and no prior state required. The flaw affects all deployments of pip/authlib < 1.6.10 and == 1.7.0 running an authorization endpoint via the Flask or Django integrations. Publicly available exploit code exists and was dynamically confirmed against the live HEAD (v1.6.6-104-g68e6ab3f); no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV status absent), but the trivial, zero-prerequisite exploit path makes phishing and domain-allowlist bypass practical at scale.
Authorization bypass in Weaviate's Static API Key Handler (versions 1.37.0-1.37.7) stems from the validateConfig function failing to reject duplicate API keys mapped to distinct users, allowing key-to-user resolution to resolve ambiguously. An authenticated low-privilege attacker holding a duplicated key can authenticate to Weaviate and be resolved as an unintended user identity, bypassing user-level authorization controls. Publicly available exploit code exists (GitHub issue #11392), though the CVSS 4.0 score of 1.3 reflects high attack complexity and the authenticated, misconfiguration-dependent nature of the attack - no public exploitation or CISA KEV listing has been identified at time of analysis.
Weak password requirements in the Samba service of Tenda AC15 firmware 15.03.05.19 expose SMB file-sharing functionality to brute-force attacks from adjacent-network attackers. The flaw originates in the /etc_ro/smb.conf configuration, which enforces insufficient password complexity, enabling unauthenticated local-network adversaries to guess or brute-force credentials and achieve limited confidentiality, integrity, and availability impact. Publicly available exploit code exists, though the high attack complexity (AC:H) and adjacency requirement (AV:A) constrain realistic exploitation to targeted, in-person or LAN-positioned threat actors.
Unbounded HTTP/2 stream creation in Netty's netty-codec-http2 library exposes any Netty HTTP/2 server running on default configuration to memory exhaustion from a single TCP connection. Because DefaultHttp2Connection.DefaultEndpoint initializes stream limits to Integer.MAX_VALUE and Http2Settings never advertises SETTINGS_MAX_CONCURRENT_STREAMS unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a remote unauthenticated attacker can sustain hundreds of thousands of simultaneous streams, each forcing JVM heap allocations for DefaultStream objects, PropertyMap slots, flow-controller state, and IntObjectHashMap entries. This misconfiguration is also the structural precondition for CVE-2023-44487-style HTTP/2 Rapid Reset amplification. No public exploit has been identified at time of analysis; vendor-released patches are available in 4.1.135.Final and 4.2.15.Final.
Open redirect in JeecgBoot's ThirdLoginController (versions 3.9.0-3.9.2) allows remote attackers to manipulate the OAuth `state` parameter and redirect victims to attacker-controlled URLs via the third-party login flow. The vendor's own assessment confirms low real-world exploitability: successful exploitation requires social engineering to induce victims into clicking a crafted OAuth login link, and the affected third-party login feature (DingTalk, WeChat) is optional and likely disabled in most deployments. Publicly available exploit code exists, but no KEV listing indicates active exploitation campaigns at time of analysis.
SQL injection in jflyfox jfinal_cms through version 5.1.0 exposes database contents to remote, low-privileged attackers via an unsanitized `orderBy` parameter in the `list` function of `AdvicefeedbackController.java`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-reachable exploitation requiring only a low-privileged account, with limited but real confidentiality, integrity, and availability impact. The project was notified via GitHub issue #62 but has not responded, and no vendor-released patch exists at time of analysis. No public exploit code or confirmed active exploitation has been identified.
SQL injection in CodeAstro Leave Management System 1.0 allows authenticated remote attackers to manipulate database queries via the Name parameter in /admin/search_staff_for_updation.php. The vulnerability enables read, write, and denial-of-service impact against the underlying database with low complexity and no user interaction required. No public exploit code or active exploitation has been identified at time of analysis.
SQL injection in FUXA's TDengine DAQ storage connector allows unauthenticated remote attackers to read the complete historical PLC tag archive from any FUXA instance using TDengine as its storage backend. The flaw resides in `escapeTdString` (`server/runtime/storage/tdengine/index.js:10`), which doubles single quotes but fails to escape backslashes — enabling backslash-bypass injection via the `sids` parameter on `GET /api/daq` or the Socket.IO `DAQ_QUERY` event. Critically, enabling FUXA's own authentication layer does not close this gap: the Socket.IO handler carries no authorization check and the REST endpoint accepts guest-level requests by design, meaning the authentication bypass and SQLi are compounding issues. No public exploit identified at time of analysis; vendor-released fix confirmed in v1.3.2.
Cross-tenant contact tampering in WACRM (arnasdon/wacrm) before commit 73041bf allows any authenticated tenant user to read and modify contacts owned by other tenants by passing an arbitrary contact_id to the automation engine endpoint, which invokes a Supabase service-role client that bypasses row-level security. The flaw is an IDOR/authorization bypass (CWE-639) reported by VulnCheck; no public exploit is identified at time of analysis and the issue is not listed in CISA KEV.
HTML serialization in typo3/html-sanitizer before version 2.3.2 fails to encode namespace attributes (xmlns:*), allowing an authenticated low-privilege attacker to inject unsanitized XSS payloads that execute in victims' browsers. The vulnerability bypasses the library's core XSS prevention purpose: crafted namespace attribute values containing raw HTML (e.g., onerror handlers) survive the sanitizer and render as executable markup. No public exploit has been independently identified at time of analysis, though the vendor-published commit includes a working test case demonstrating the exact bypass payload.