Remote code execution in OpenBullet2 through 0.3.2 allows authenticated users to execute arbitrary OS commands by abusing the FileProxySource proxy loading feature to upload malicious .bat, .ps1, or .sh script files that the server then executes and returns output as proxy lines. Publicly available exploit code exists per the VulnCheck advisory and a HackerNoon writeup, and the issue carries a CVSS 8.8 (High) with low attack complexity and only low-privilege authentication required. No public exploit identified in CISA KEV at time of analysis, but the combination of a documented technique and trivial exploitation path elevates near-term abuse risk.
Path traversal in OpenBullet2 through 0.3.2 lets authenticated attackers read, write, and delete arbitrary files via the wordlist endpoint, escalating to remote code execution by tampering with system files like /etc/passwd. Because the application runs as root by default, successful exploitation yields full system compromise. Publicly available exploit code exists (VulnCheck advisory and HackerNoon write-up), though there is no public exploit identified at time of analysis indicating CISA KEV listing.
Authenticated remote code execution in OpenBullet2 through version 0.3.2 allows any logged-in user to run arbitrary C# code on the host by abusing the job configuration interface's plain C# execution mode. Because that mode lacks reference filtering or API restrictions, attackers can touch the file system, spawn child processes, and call any .NET API as the OpenBullet2 service account. Publicly available exploit code exists, and the issue was reported by VulnCheck; pairing it with a known authentication bypass route (referenced HackerNoon write-up) materially raises real-world exploitability.
WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
IPv6 access control bypass in Netty's netty-handler component (versions <= 4.1.134.Final and 4.2.0.Final through 4.2.14.Final) allows remote attackers to circumvent IpSubnetFilter restrictions due to a faulty bitwise masking operation in IpSubnetFilterRule.compareTo(). Because the comparator ANDs the incoming IP against the networkAddress instead of the subnetMask, valid public IPv6 addresses outside the configured allowlist/blocklist can pass filter checks. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Stack-based buffer overflow in Tenda CX12L 16.03.53.12 routers allows remote attackers with low privileges to corrupt memory via the setSchedWifi function in /goform/openSchedWifi by manipulating the schedStartTime or schedEndTime parameters. Publicly available exploit code exists per VulDB, raising the practical risk despite the vulnerability not yet being listed in CISA KEV. The flaw impacts the Wi-Fi Schedule Configuration Endpoint and can lead to high confidentiality, integrity, and availability impact on the device.
Stack-based buffer overflow in the Tenda CX12L router (firmware 16.03.53.12) allows authenticated remote attackers to corrupt memory via the ssid parameter of the /goform/fast_setting_wifi_set endpoint, handled by the form_fast_setting_wifi_set function. Publicly available exploit code exists per VulDB disclosure, raising the likelihood of opportunistic exploitation against exposed management interfaces. The CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact bounded by a low-privilege requirement.
Stack buffer overflow in UTT HiPER 2610G routers (firmware through 3.0.0-171107) allows authenticated remote attackers to corrupt memory by submitting an oversized GroupName parameter to the /goform/formConfigDnsFilterGlobal endpoint, which passes the input to an unsafe strcpy call. Publicly available exploit code exists (disclosed via VulDB and a GitHub PoC), and successful exploitation can compromise confidentiality, integrity, and availability of the device - typically meaning router takeover or denial of service. The issue is not listed in CISA KEV, so it is not confirmed actively exploited at this time.
Certificate validation bypass in Check Point Quantum Security Gateway and Spark Firewalls allows network-positioned attackers to subvert IKEv1 certificate-based authentication in site-to-site VPN tunnels. A man-in-the-middle adversary can intercept or modify traffic traversing the tunnel without possessing valid credentials. No public exploit identified at time of analysis, and the issue is constrained to the deprecated IKEv1 protocol path.
Stack-based buffer overflow in the Tenda F451 router (firmware 1.0.0.7 and 1.0.0.9) Web Management Interface allows remote authenticated attackers to corrupt memory by sending a crafted 'page' argument to the fromNatlimit handler at /goform/Natlimit. Publicly available exploit code exists, raising practical risk for exposed or LAN-reachable devices, though no public exploit identified as actively used in CISA KEV at time of analysis.
OS command injection in Tenda F451 routers (firmware 1.0.0.7 and 1.0.0.9) allows remote attackers with low-privileged web management access to execute arbitrary operating system commands by manipulating the 'mac' parameter sent to the /goform/WriteFacMac endpoint handled by the formWriteFacMac function. Publicly available exploit code exists, raising the practical risk for any device exposing the web management interface to untrusted networks. The flaw is rated CVSS 4.0 base 7.4 with high confidentiality, integrity, and availability impact on the device itself.
Stack-based buffer overflow in Tenda HG7, HG9, and HG10 XPON ONT routers (firmware 300001138_en_xpon) allows authenticated remote attackers to corrupt memory via the encodename parameter of the formPPPEdit handler at /boaform/formPPPEdit. Publicly available exploit code exists (hosted on GitHub by researcher xiezhihua-1127), elevating practical risk despite no confirmed active exploitation in CISA KEV. Successful exploitation yields high impact to confidentiality, integrity, and availability on the affected device.
Stack-based buffer overflow in the Tenda AC18 router (firmware 15.03.05.05) Web Management Interface allows remote attackers with low privileges to corrupt memory by manipulating the callback argument sent to /goform/getRebootStatus. The flaw, handled by the sub_45304 function, has publicly available exploit code and enables high impact to confidentiality, integrity, and availability of the device. No public exploit identified as actively exploited in CISA KEV, but POC publication raises the risk of opportunistic attacks against exposed management interfaces.
Stack-based buffer overflow in the Tenda W20E router (firmware 15.11.0.6) allows remote authenticated attackers to corrupt memory via the wifiFilterListRemark parameter of the /goform/modifyWifiFilterRules endpoint in the Web Management Interface. Publicly available exploit code exists per VulDB disclosure, raising the practical risk for exposed management interfaces, though no public exploit identified at time of analysis confirms active in-the-wild exploitation. CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact with low privileges required.
Stack-based buffer overflow in Tenda W20E firmware 15.11.0.6 allows authenticated remote attackers to corrupt memory via the gotoUrl parameter handled by the formPortalAuth function in /goform/PortalAuth of the Web Management Interface. Publicly available exploit code exists, raising the likelihood of opportunistic targeting of internet-exposed router management interfaces, though no public exploit identified as actively exploited per CISA KEV at time of analysis.
Stack-based buffer overflow in the Tenda W20E router (firmware 15.11.0.6) allows remote authenticated attackers to corrupt memory via the portMirrorMirroredPorts parameter handled by formSetPortMirror in /goform/setPortMirror. Publicly available exploit code exists, raising the practical risk for exposed management interfaces, though no CISA KEV listing or EPSS data is provided to confirm widespread exploitation. The flaw enables high impact on confidentiality, integrity, and availability of the device per the CVSS 4.0 vector.
Credential disclosure in OpenBullet2 through 0.3.2 on Windows allows authenticated remote attackers to coerce SMB authentication and capture NTLMv2 hashes by configuring a job's proxy source with an attacker-controlled UNC path. Captured hashes can be relayed against other services or cracked offline to recover the password of the account running the application. Publicly available exploit code exists per VulnCheck advisory; no CISA KEV listing at time of analysis.
Remote code execution in AWS AgentCore CLI before v0.14.2 allows authenticated attackers to inject Python code via crafted collaborationInstruction strings stored on Bedrock Agent collaborators. When another user in the same AWS account imports the agent, the malicious triple-quote payload breaks out of the generated Python docstring and executes attacker-controlled code on AWS AgentCore Runtime under the imported agent's IAM execution role, as well as on the importing user's local environment. No public exploit identified at time of analysis, but the cross-user, cross-environment scope and 9.0 CVSS rating make this a high-priority patch.
Broken access control in Bludit CMS versions prior to 3.22.0 allows deleted user accounts to retain full authenticated access through pre-existing 'Ghost Sessions' that are never invalidated upon account removal. An authenticated attacker whose account is subsequently revoked can continue performing privileged operations until the session naturally expires. No public exploit identified at time of analysis, though the fix commit on GitHub publicly discloses the exact root cause.
Arbitrary file read in Bagisto v2.4.1 allows unauthenticated remote attackers to retrieve sensitive files outside the web root by injecting path traversal sequences into the filename parameter of the ImageCacheController. The CVSS 4.0 base score of 8.7 reflects network-reachable, no-privilege, no-interaction exploitation with high confidentiality impact, and no public exploit identified at time of analysis.
Stack-based buffer overflow in Tenda HG7, HG9, and HG10 ONT/router devices (firmware 300001138_en_xpon) allows authenticated remote attackers to corrupt memory by manipulating the funckey_transfer parameter sent to the /boaform/voip_other_set endpoint handled by the asp_voip_OtherSet function. Publicly available exploit code exists via a dedicated GitHub proof-of-concept repository, and the flaw scores CVSS 4.0 8.7 with full confidentiality, integrity, and availability impact. No public exploit identified in CISA KEV at time of analysis, but exposure of the Web Management Interface to untrusted networks materially raises real-world risk.
Denial of service in NLnet Labs Routinator allows remote attackers to crash the RPKI validator by serving a crafted Document Type Definition (DTD) inside RRDP repository content. Exploitation requires no authentication or user interaction (CVSS 4.0 8.7, VA:H), and no public exploit identified at time of analysis. A successful crash halts RPKI relying-party processing, which can degrade route origin validation for networks that depend on Routinator output.
Denial of service in NLnet Labs Routinator allows remote unauthenticated attackers to crash the daemon by opening a large number of HTTP or RTR connections, exhausting file descriptors and triggering an unrecoverable exit. Only deployments exposing the HTTP or RTR server to untrusted networks are affected. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Memory exhaustion denial of service in Ninenines Gun (Erlang HTTP client) versions 1.0.0 through 2.3.x allows a malicious or compromised HTTP/1.1 server to crash the entire BEAM node by sending an unterminated response. The gun_http module accumulates incoming bytes into a per-connection buffer without any size ceiling, and since BEAM imposes no default per-process heap limit, a single connection can consume all node memory. No public exploit identified at time of analysis, though the upstream patch and accompanying test cases publicly demonstrate the triggering server behavior.
Denial-of-service in the Erlang HTTP client library Ninenines gun (versions 2.0.0 through 2.3.x) lets a malicious or compromised HTTP/1.1 server force any gun client into raw protocol mode by returning an unsolicited 101 Switching Protocols response, after which the server can flood the client owner process with unbounded gun_data messages and exhaust BEAM VM memory. No public exploit identified at time of analysis, but the fix is trivial and the issue is reachable from any plain HTTP/1.1 request to an attacker-controlled host. CVSS 4.0 8.7 reflects the unauthenticated, network-reachable, high-availability-only impact.
Stored/reflected cross-site scripting in Checkmk monitoring platform versions prior to 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 releases allows authenticated users to bypass URL validation by leveraging HTML-encoded characters, enabling injection of javascript: URIs that execute in another user's browser session. The CVSS 4.0 score of 8.5 reflects the high impact on confidentiality, integrity, and availability when a victim interacts with a crafted link, though no public exploit identified at time of analysis and the issue requires both low-privilege authentication and user interaction.
Authenticated command injection in the TP-Link Archer MR600 v5 router allows administrators on the adjacent network to execute arbitrary OS commands via the WireGuard client configuration in the web management interface. The flaw stems from improper neutralization of user-controlled input when configuration changes are applied, enabling full device compromise. No public exploit identified at time of analysis, but TP-Link has released a firmware patch.
Stored cross-site scripting in Checkmk monitoring platform allows a low-privileged user with dashboard editing rights to embed a javascript: URI inside the URL dashboard widget, which then executes in the browser of any other user viewing that dashboard. The flaw affects Checkmk versions prior to 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 releases, and carries a CVSS 4.0 score of 8.5 due to the high confidentiality and integrity impact achievable against higher-privileged operators. No public exploit identified at time of analysis, but the prerequisite (dashboard edit permission) is commonly granted to operations staff.
Use-after-free in the Linux kernel's Open Firmware (OF) device-tree unit test code (of_unittest_changeset) allows reads of freed memory when the unit test path executes. The flaw lives in selftest code (drivers/of/unittest.c) reachable only when CONFIG_OF_UNITTEST is built in and the test runs, making real-world impact narrow. EPSS is 0.02% (5th percentile) and there is no public exploit identified at time of analysis; the bug has been fixed upstream and backported to stable trees.
Path traversal in NLnet Labs Routinator allows remote attackers to escape the rsync cache directory by supplying rsync URIs whose module component contains '..' sequences, enabling read/write access across the entire Routinator rsync cache filesystem. The flaw is network-reachable and requires no authentication, and no public exploit identified at time of analysis. CVSS 4.0 of 8.3 reflects high integrity and availability impact with an attack requirement (AT:P) reducing it from critical.
Out-of-bounds array write in the Linux kernel's ath5k wireless driver allows a stray write of a -1 sentinel value into adjacent struct memory when ts_final_idx reaches 3 on Atheros 5212 chipsets. The kernel maintainers and the original reporter explicitly describe the impact as negligible, as the only field overwritten is info->status.ack_signal, with no public exploit identified at time of analysis and an EPSS score of 0.02% (7th percentile).
Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sending crafted bzip2 data when the application reuses the decompressor object after catching a prior OSError. The flaw stems from libbz2's internal state being left inconsistent after a decompression error, and reuse causes out-of-bounds writes to a stack buffer. No public exploit identified at time of analysis and the issue is not in CISA KEV; the practical impact is denial of service against Python services that process untrusted bzip2 streams.
Memory exhaustion in wojtekmach Req (Elixir HTTP client) versions 0.1.0 through 0.6.0 allows attacker-controlled HTTP servers to crash the BEAM process via decompression-bomb response bodies. Because Req enabled automatic body decompression and archive decoding by default with no size caps, a sub-megabyte response advertising gzip/zip/tar content can expand to multiple gigabytes in memory. No public exploit identified at time of analysis, but the fix and root cause are documented in the upstream advisory GHSA-655f-mp8p-96gv.
Denial of service in NLnet Labs Routinator (an RPKI Relying Party software) allows remote attackers to crash the daemon by sending a specifically crafted non-UTF-8 string in the select-asn query parameter to the /api/v1/origins HTTP endpoint. The flaw only impacts deployments that expose the API to untrusted networks, and no public exploit has been identified at time of analysis. CVSS 4.0 base score is 8.2 driven by high availability impact to both the vulnerable component and downstream RPKI consumers.
Out-of-bounds disk read in the Linux kernel ISO 9660 filesystem (isofs) Rock Ridge handler allows narrow information disclosure when a crafted ISO image is mounted. The rock_continue() function trusted the CE continuation extent block number from the on-disk Rock Ridge record and passed it to sb_bread() without bounds checking against the volume size, so a malicious ISO can cause the kernel to read blocks belonging to an adjacent filesystem on the same block device and surface their contents through readlink() on SL sub-records. EPSS is 0.02%, no public exploit identified at time of analysis, and the issue is not on CISA KEV.
Server-side request forgery in FUXA SCADA/HMI server (npm package fuxa-server <= 1.1.14-1243) allows unauthenticated remote attackers to connect to the Socket.IO endpoint and coerce the server to issue arbitrary HTTP(S), OPC UA, or ODBC requests with response bodies echoed back to the caller. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-w86f-rf9w-h3x6 provides full handler-level reproduction details and the fix is shipped in release v1.3.2.
Authorization bypass in Headplane (the web UI for Headscale) prior to 0.6.3 and 0.7.0-beta.3 allows authenticated low-privilege users to escape the intended Headscale API endpoint via path traversal sequences embedded in node and user rename values. By smuggling traversal payloads through un-encoded URL path segments, an attacker can reach arbitrary Headscale API operations, breaking the RBAC model and impacting integrity and availability of the tailnet. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stored cross-site scripting in VMware Cloud Foundation Operations (formerly Aria Operations) allows authenticated users with policy, view, or text-widget creation privileges to inject malicious scripts that execute in other users' browsers, including administrators. Affected products include VCF Operations 5.x through 9.1.x, VMware Aria Operations 8.18.x, and VMware Telco Cloud Platform 5.x. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Out-of-bounds kernel memory write in the Linux kernel device-mapper ioctl subsystem (dm-ioctl) affects the retrieve_status function, where an unchecked align_ptr() call on the output pointer can advance it past the end of the caller-supplied buffer, causing a wrapped-around 'remaining' length calculation and subsequent overflow writes. Exploitation requires local privileges to issue device-mapper ioctls (root/CAP_SYS_ADMIN), and there is no public exploit identified at time of analysis; EPSS is negligible at 0.03% (9th percentile). The upstream maintainers explicitly note the flaw has no practical security impact because only root can trigger it and standard libraries (libdevmapper, devicemapper-rs) use 8-byte-aligned buffers that never overshoot.
Local privilege escalation and memory corruption in the Linux kernel's topcliff-pch (pch_spi) SPI master driver arises from a use-after-free triggered when the driver is unbound, because DMA buffers are released before the driver's transfer queue is flushed. An attacker with the ability to unbind the device can cause the freed DMA buffers to be accessed by in-flight SPI transfers, yielding CWE-416 memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis, and the EPSS probability is negligible (0.02%), consistent with an obscure, hardware-specific driver rather than a broadly exploitable flaw.
Local memory corruption in the Linux kernel's mtd/docg3 M-Systems DiskOnChip driver occurs when docg3_release() dereferences a docg3 pointer already freed by doc_release_device() (kfree at line 1881), a CWE-416 use-after-free reachable during device teardown. Only systems that load the docg3 driver for DiskOnChip G3 flash hardware are affected. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%, 7th percentile), and the issue is not in CISA KEV; it has been fixed upstream across multiple stable branches.
Use-After-Free and race conditions in the Linux kernel's Bluetooth hci_uart driver (drivers/bluetooth/hci_uart.c) enable a local low-privileged user to corrupt kernel heap memory, potentially escalating to root. The flaw stems from improper lifecycle management of the hci_uart struct and its associated workqueues: when a TTY hangup interrupts Bluetooth UART initialization before HCI_UART_PROTO_READY is set, teardown skips workqueue cancellation, leaving deferred work items to dereference freed memory. Three compounding sub-issues - a tx_skb double-free, a vendor callback UAF via premature hci_free_dev(), and proto_lock races during error paths - are all resolved in patched stable releases. No public exploit is known and EPSS at 0.02% (7th percentile) signals low near-term exploitation probability despite the CVSS 7.8 rating.
Local privilege escalation in the Linux kernel's AMD GPU userqueue (drm/amdgpu/userq) driver allows a low-privileged local user to exploit a race condition between queue creation and wptr_obj unmapping, resulting in access to stale wptr mappings and potential substitution of a buffer object at the same address. The flaw affects AMD GPU userqueue handling and could enable memory corruption with high impact to confidentiality, integrity, and availability. No public exploit has been identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.
Use-after-free in the Linux kernel's HMM (Heterogeneous Memory Management) test driver (lib/test_hmm) allows local users to trigger a kernel panic and potentially escalate privileges when device private pages are faulted in after the dmirror file descriptor is closed. The flaw was discovered during arm64 selftest runs where a SIGABRT coredump walked stale VMAs and dereferenced a dangling zone_device_data pointer. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the bug is fixed upstream across multiple stable trees.
Use-after-free in the Linux kernel's mm/zone_device subsystem allows local attackers with low privileges to corrupt memory or escalate privileges by exploiting a race where a device folio is accessed after the driver's ->folio_free() callback has already reallocated it with a potentially different order. The flaw affects systems using ZONE_DEVICE memory (typically with DAX, HMM, or GPU/accelerator drivers exposing device-backed folios) and carries a 7.8 CVSS with low EPSS (0.02%, 5th percentile), indicating high theoretical impact but no public exploit identified at time of analysis.
Local privilege escalation via use-after-free in the Linux kernel io_uring io-wq worker subsystem allows an unprivileged local user to corrupt kernel memory and potentially execute arbitrary code in kernel context. The flaw lives in io_wq_remove_pending(), where a missing io_wq_is_hashed() check on the predecessor work item lets a non-hashed io_kiocb be recorded in wq->hash_tail[0]; after that request is freed back to req_cachep, the stale pointer is dereferenced on the next hashed bucket-0 enqueue. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug is reachable from any process that can issue io_uring syscalls.
Local privilege escalation and memory corruption in the Linux kernel's MediaTek power-domain (pmdomain) driver stems from a use-after-free in scpsys_get_bus_protection_legacy(), where a device node is released via of_node_put() before the error path dereferences it in dev_err_probe(). Affecting kernels using the MediaTek SCPSYS legacy bus-protection code path (typically ARM/ARM64 MediaTek SoC platforms), a local low-privileged attacker able to influence the probe error path could corrupt freed kernel memory, with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.02%, 4th percentile).
Out-of-bounds write in the Linux kernel's vmalloc subsystem (vrealloc_node_align()) lets a local low-privileged actor trigger heap memory corruption when a vmalloc-backed object is shrunk while also forcing reallocation for NUMA-node or alignment reasons. Introduced by commit 4c5d3365882d in the 6.18 development series and carried into stable trees, the flaw causes the code to memcpy the old (larger) size into a smaller new buffer. There is no public exploit identified at time of analysis and EPSS is very low (0.02%), reflecting a subsystem-internal bug rather than a broadly reachable network attack surface.
Improper handling of allocation-profiling codetags in the Linux kernel's mm/alloc_tag subsystem causes an 'alloc_tag was not set' WARNING when pages allocated before page_ext initialization are later freed, because their codetag reference was never set. This affects local systems running kernels built with the debug option CONFIG_MEM_ALLOC_PROFILING_DEBUG and with mem_profiling_compressed disabled, and is triggered by ordinary boot-time activity (e.g. KASAN quarantine reclaim freeing early-allocated pages). It is classified under CWE-415 (double free) but the observed effect is a kernel warning splat; there is no public exploit identified at time of analysis and EPSS is negligible (0.02%).
Authenticated remote code execution in Nginx Proxy Manager versions 2.9.14 through 2.15.1 allows users holding the certificates:manage permission to inject arbitrary OS commands via the dns_provider_credentials field, which executes on backend restart as the service account. No public exploit has been identified at time of analysis, but the vendor patch (commit a5db5ed) and a VulnCheck advisory disclose the exact sink (child_process.exec in setupCertbotPlugins), making weaponization straightforward. CVSS 7.5 (AV:N/AC:H/PR:L) reflects the authentication and timing prerequisites rather than reduced impact - successful exploitation yields full code execution on the proxy host.