Authentication bypass in Check Point Quantum Security Gateway and Spark Firewalls allows unauthenticated remote attackers to establish Remote Access and Mobile Access VPN sessions without valid credentials by abusing a logic flaw in deprecated IKEv1 certificate validation. The flaw (CVSS 9.3, CWE-287) was reported by Check Point themselves and publicly available exploit code exists, though EPSS exploitation probability remains very low (0.01%) and the issue is not currently listed in CISA KEV. Affected deployments include multiple Quantum R80.40-R82.10 trains and Spark R80.20.X-R82.00.X firmware.
WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authentication bypass in OpenBullet2 through 0.3.2 lets unauthenticated remote attackers obtain full admin access by sending an empty X-Api-Key HTTP header, because the API key middleware compares the submitted value against a default empty AdminApiKey string. With CVSS 4.0 score 9.3, publicly available exploit code, and a writeup from VulnCheck/Hackernoon, this is a trivially exploitable flaw exposing the admin console and every API endpoint of any internet-reachable deployment running default configuration.
DNS cache poisoning in Netty's netty-resolver-dns library (versions prior to 4.1.135.Final and 4.2.0.Final through 4.2.14.Final) allows an attacker who controls an authoritative name server for any subdomain to inject forged NS and A records for parent zones such as .co.uk into the resolver's authoritativeDnsServerCache. The bailiwick check in DnsResolveContext.AuthoritativeNameServerList only blocks records targeting the root zone, so any Java application embedding Netty's resolver can be steered to attacker-controlled name servers for unrelated domains. EPSS is only 0.01% and no public exploit identified at time of analysis, but the SSVC technical impact is rated total.
DNS cache poisoning in Netty's netty-resolver-dns component (versions before 4.1.135.Final and 4.2.x before 4.2.15.Final) lets remote attackers inject forged CNAME records into the resolver cache by exploiting missing bailiwick (origin) validation in DnsResolveContext#buildAliasMap. Any JVM application relying on Netty for asynchronous DNS resolution may be redirected to attacker-controlled hosts, enabling man-in-the-middle on subsequent traffic. No public exploit identified at time of analysis, EPSS is 0.01%, and the issue is not on the CISA KEV list, but CVSS rates it 10.0 due to the scope-changing integrity/confidentiality impact.
Privilege escalation and cross-tenant resource takeover in juev/nebula-mesh versions prior to v0.3.4 allow any authenticated low-privilege operator to mint admin API keys, hijack other operators' hosts via the reenroll endpoint, and perform unauthorized CRUD across hosts, networks, and firewall rules. The `/api/v1/*` route surface trusts the bearer token for authorization without enforcing per-CA ownership checks that the Web UI applies, breaking the per-operator CA tenancy model from ADR 0002. No public exploit identified at time of analysis, though a detailed exploit chain with working curl commands is published in the GHSA advisory.
Remote code execution in YesWiki prior to 4.6.6 allows unauthenticated attackers to inject arbitrary PHP via the Bazar CalcField formula evaluator, which sanitizes input with a recursive regex before passing it to eval(). The same flawed regex is also vulnerable to ReDoS/stack overflow, enabling denial of service against the server. No public exploit identified at time of analysis, but the commit diff in 4.6.6 fully documents the vulnerable code path, lowering the bar for exploit development.
Incorrect length calculation in the Linux kernel's lib/scatterlist extract_kvec_to_sg helper can produce scatterlist entries that cross page boundaries, leading to memory corruption or out-of-bounds access in kernel code paths that build scatterlists from kvecs (originally introduced in v6.3, moved to lib/scatterlist.c in v6.5). The flaw is patched upstream across the 6.6, 6.12, 6.18 and 7.0/7.1 stable trees, with no public exploit identified at time of analysis and a very low EPSS probability of 0.02%.
Remote code execution in Apache HTTP Server versions 2.4.0 through 2.4.67 is possible through a use-after-free condition in mod_ldap when LDAP authentication or authorization is configured in a per-directory context. The CVSS 9.8 rating reflects unauthenticated network exploitation with high impact across confidentiality, integrity, and availability, though no public exploit has been identified at time of analysis and EPSS exploitation probability remains very low at 0.02%. CISA SSVC assesses exploitation status as none but flags the issue as automatable with total technical impact.
Authenticated remote code execution in FlowiseAI Flowise prior to 3.1.2 allows any user with a valid session or API key to submit arbitrary JavaScript via POST /api/v1/node-custom-function, which executes inside a NodeVM sandbox that can be escaped to reach the host process and spawn child processes. CVSS 4.0 scores this 9.4 Critical, and publicly available exploit details exist via the GHSA advisory, though no public exploit identified at time of analysis in CISA KEV. The flaw stems from missing route-level authorization combined with a sandbox that Flowise itself documents as a security boundary but which fails to contain malicious payloads.
Stack-based buffer overflow in Tenda HG7HG9 and HG10 routers (firmware 300001138_en_xpon) allows remote attackers to corrupt memory via the blkDomain parameter in the formDOMAINBLK handler at /boaform/formDOMAINBLK. The CVSS 4.0 score of 9.3 reflects network-reachable, unauthenticated exploitation with high impact to confidentiality, integrity, and availability, and a public proof-of-concept repository has been published on GitHub by researcher ssaaaa1234, though no public exploit has been confirmed as active exploitation.
Privilege escalation in STACKIT IaaS API allows authenticated low-privileged users to compromise entire organization environments by attaching arbitrary high-privileged service accounts to attacker-controlled virtual machines. The flaw stems from a missing authorization check on the PUT servers service-accounts endpoint, letting attackers query the Instance Metadata Service for OAuth2 tokens and cross tenant boundaries. With a CVSS 4.0 score of 9.3 and the CVSS vector indicating network-reachable, low-complexity exploitation, this represents a severe cloud tenant-isolation failure, though no public exploit identified at time of analysis.
Authentication bypass in AdGuard Home prior to v0.107.77 allows unauthenticated remote attackers to gain full admin access when the binary is launched with the --glinet flag, by injecting a path traversal sequence into the Admin-Token cookie. The flaw lives in the authglinet middleware, which concatenates the cookie value into a file path without sanitization, letting attackers redirect token reads to arbitrary files. No public exploit identified at time of analysis, but the vendor advisory and a community-disclosed root cause make weaponization straightforward.
Phar deserialization in PhpSpreadsheet (PHPOffice) is reachable on PHP 7.x because the `File::prohibitWrappers` helper added to patch CVE-2026-34084 can be bypassed with a three-slash phar URI such as `phar:///path/file.phar/inner`, where `parse_url` returns false and the wrapper check is skipped. Remote attackers who can supply a file path to `IOFactory::load()` achieve full RCE on PHP 7.x branches (1.x up to 1.30.4) and a phar file-read primitive on PHP 8.x branches up to 5.7.0; publicly available exploit code exists with a working Docker reproducer, though EPSS is only 0.04% (12th percentile).
Credential brute-force exposure in Flowise prior to 3.1.2 allows remote unauthenticated attackers to perform unlimited password-guessing attacks against the checkBasicAuth endpoint, which lacks rate limiting and uses non-constant-time plaintext comparison against the FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables. Successful exploitation grants full access to the Flowise LLM workflow builder. No public exploit identified at time of analysis, though the GHSA advisory documents the vulnerable code path in detail and EPSS sits at a low 0.04%.
Improper path handling in the mod_dav_fs module of Apache HTTP Server 2.4.67 and earlier permits a WebDAV content author to directly manipulate trusted DAV property databases, leading to integrity violations and child process crashes. With a CVSS of 9.1 (AV:N/AC:L/PR:N/UI:N) and SSVC technical impact rated 'total' with automatable=yes, the flaw is highly impactful, though there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Code injection in the anyquery chrome_tabs plugin (and Brave/Edge/Safari variants) on macOS allows an authenticated SQL client to break out of an AppleScript URL property record and execute arbitrary `osascript` commands, including `do shell script` for OS-level command execution. The flaw affects anyquery 0.4.4 (commit 0abd460) and stems from unescaped string interpolation at plugins/chrome/tabs.go:141 and :169. Publicly available exploit code exists in the GHSA advisory (GHSA-hrj8-hjv8-mgwc), though no public exploit identified at time of analysis in mass-exploitation feeds and KEV does not list it.
Apache HTTP Server 2.4.0-2.4.67 has a buffer underwrite (CWE-124) in ap_regname, triggered by a crafted regular expression in the server configuration. The vendor (Apache) rates this Low severity. A separate CISA-ADP assessment assigned CVSS 9.8 using a network, unauthenticated vector that is inconsistent with the vendor description, because exploitation requires control over the httpd configuration. No public exploit and not in CISA KEV. Fixed in 2.4.68.