Least privilege violation in the D-Link DGS-1100-08PD managed switch firmware version 1.00.006 allows remote unauthenticated attackers to achieve low-integrity impact through improper processing of the Boa web server configuration file /etc/boa.conf via the device's web interface. The CVSS 4.0 score is 2.9 (Low), reflecting high attack complexity (AC:H) and constrained impact (VI:L only), though a publicly available proof-of-concept lowers the barrier for skilled attackers. No active exploitation has been confirmed in CISA KEV, making this a low-priority but trackable risk for network operators deploying this switch model.
Path traversal in hsweb-framework up to version 5.0.1 allows authenticated remote attackers to write files outside the intended upload directory by manipulating the filename argument in the file upload component. The root cause is insufficient sanitization of path sequences — including URL-encoded variants (`..%2F`) and Windows-style backslashes (`..\`) — in the `denied` function of `FileUploadProperties.java`. A public exploit has been disclosed via GitHub issue #344, and a patch commit is available; no KEV listing indicates opportunistic rather than confirmed mass exploitation.
Least-privilege violation in TOTOLINK AC1200 T8 firmware 4.1.5cu.8611 exposes the vsftpd FTP service to unauthorized integrity manipulation by low-privileged authenticated network users. The /etc/vsftpd.conf configuration grants excessive permissions beyond the principle of least privilege (CWE-272), allowing a low-privilege authenticated attacker to perform write operations they should not be authorized to execute. A proof-of-concept exploit has been publicly disclosed; the vulnerability is not confirmed in CISA KEV, but the CVSS temporal vector (E:P, RC:R) reflects publicly available exploit code with reasonable confidence in the report.
Privilege escalation in Kushan2k student-management-system allows authenticated remote attackers to grant themselves administrator rights by manipulating the `isadmin` parameter in the Profile Update Endpoint. The `edit-admin` function in `controllers/AdminController.php` performs no server-side authorization check on this parameter, enabling any low-privileged account holder to self-elevate to admin. A publicly available exploit exists per VulDB and a GitHub issue disclosure; the vendor has not yet responded, and no patch has been released under the rolling-release model.
SQL injection in CodeAstro Leave Management System 1.0 exposes the application's database to remote authenticated attackers via the `type_of_leave` parameter in `/admin/add_leave.php`. The vulnerability (CWE-89) allows manipulation of backend SQL queries, potentially enabling data extraction, modification, or destruction. A publicly available exploit exists per VulDB report and a referenced GitHub proof-of-concept, elevating practical risk despite the low CVSS 4.0 base score of 2.1.
SQL injection in CodeAstro Leave Management System 1.0 allows low-privileged authenticated remote attackers to manipulate database queries via the `Name` parameter in the admin endpoint `/admin/search_staff_to_assign_pc.php`. Per the CVSS 4.0 vector, impact is limited to low confidentiality, integrity, and availability on the vulnerable system (VC:L/VI:L/VA:L) with no scope change to subsequent systems. Publicly available exploit code exists via a GitHub issue, though no active exploitation is confirmed in CISA KEV, and no vendor-released patch has been identified at time of analysis.
SQL injection in CodeAstro Leave Management System 1.0 exposes the /admin/delete_leave_type.php endpoint to arbitrary database query manipulation via the unsanitized leave_type parameter. The CVSS 4.0 vector (PR:L) confirms that a low-privileged authenticated user can remotely trigger the injection without user interaction or additional attack complexity. A publicly available exploit exists on GitHub (no public exploit identified in CISA KEV), and the CVSS 4.0 score of 2.1 reflects limited confidentiality, integrity, and availability impact confined to the vulnerable component with no lateral scope change.
SQL injection in CodeAstro Leave Management System 1.0 allows remote authenticated attackers to manipulate database queries via the Name parameter in /admin/search_staff_for_deletion.php. The vulnerability is a classic CWE-89 unsanitized input flaw in a PHP-based web application, enabling read, write, and limited availability impact against the underlying database. Publicly available exploit code exists per VulDB disclosure; no KEV listing indicates opportunistic rather than targeted exploitation at this time.
SQL injection in CodeAstro Ingredients Stock Management System 1.0 exposes the `/Ingredients-Stock/add_stock.php` endpoint to authenticated remote attackers who can manipulate the `ID` parameter to execute arbitrary SQL commands against the backend database. The attack is network-accessible with low complexity, enabling unauthorized data exfiltration, record manipulation, and potential escalation within the database tier. Publicly available exploit code exists (E:P in CVSS temporal vector), materially lowering the barrier to exploitation; no CISA KEV listing has been identified at time of analysis.
Open redirect in hs-web hsweb-framework's OAuth2Client component (versions up to 5.0.1) allows remote unauthenticated attackers to redirect victims to attacker-controlled URLs by supplying a crafted redirect_uri during OAuth2 authorization flows. The root cause is a naive prefix-based string comparison using startsWith() in OAuth2Client.java, which trivially allows bypass via domain-prefix spoofing (e.g., registering https://app.example.com.attacker.com when the legitimate URI is https://app.example.com). Publicly available exploit code exists per GitHub issue #354 and CVSS E:P; no public exploit identified at time of analysis in CISA KEV, and the CVSS 4.0 score of 2.1 reflects the limited impact and required user interaction.
Least privilege violation in D-Link DIR-823G firmware version 1.0.2B05 exposes the vsftpd FTP daemon configuration file (/etc/vsftpd.conf) to manipulation by network-accessible, low-privileged authenticated users, enabling unauthorized modification of FTP service behavior. The CVSS vector (AV:N/AC:L/PR:L/UI:N/I:L) confirms this is remotely exploitable with low complexity by any authenticated user, resulting in limited integrity impact. A publicly available proof-of-concept exploit has been released per VulDB reporting (E:P), though no active exploitation has been confirmed in CISA KEV at this time.
SQL injection in the `getStatus` function of `controllers/GradeController.php` within Kushan2k's student-management-system exposes the Certificate Verification Endpoint to database manipulation by low-privileged remote attackers via the `nic` parameter. A publicly available exploit (proof-of-concept via GitHub issue) lowers the practical bar for abuse despite the CVSS 4.0 base score of 2.1. No patch has been released, and the maintainer has not responded to responsible disclosure, leaving all deployments through commit f16a4ceaddd6729c4b306ed4641cda3176c1ef2a unprotected.
SQL injection in CodeAstro Student Attendance Management System 1.0 exposes the backend database to manipulation by authenticated remote attackers via the `classId` parameter in `/attendance-php/Admin/createClassArms.php`. An attacker with low-privilege authenticated access to the admin panel can craft malicious SQL payloads to read, alter, or delete database records - impacting confidentiality, integrity, and availability (C:L/I:L/A:L per CVSS). A public proof-of-concept exploit exists (GitHub issue, VulDB reference), elevating practical risk beyond the moderate CVSS score of 6.3 alone. No CISA KEV listing has been identified at time of analysis.
SQL injection in CodeAstro Student Attendance Management System 1.0 exposes the /attendance-php/Admin/createClass.php?action=edit endpoint to database manipulation via an unsanitized ID parameter. Authenticated remote attackers with low-privilege access can exploit this to read, modify, or partially disrupt database contents. A public exploit exists (reported via GitHub), though the CVSS 4.0 score of 2.1 reflects constrained real-world impact due to limited scope change and low-severity confidentiality/integrity/availability ratings - no public exploit identified in CISA KEV at time of analysis.
SQL injection in CodeAstro Student Attendance Management System 1.0 allows low-privileged authenticated remote attackers to manipulate backend database queries via the unsanitized `className` parameter in `/attendance-php/Admin/createClass.php`. A publicly available proof-of-concept exploit (CVSS E:P) lowers the barrier to exploitation, though the CVSS 4.0 score of 2.1 (Low) reflects constrained impact scope - all confidentiality, integrity, and availability impacts are rated Low with no scope change. No confirmed active exploitation (not in CISA KEV) has been identified at time of analysis.
SQL injection in CodeAstro Payroll System 1.0 exposes database records to manipulation via the ID parameter in /view_account.php, allowing a low-privileged authenticated remote attacker to read, alter, or partially disrupt payroll data. A public proof-of-concept exploit is available via GitHub, as reported by VulDB. Despite network accessibility and public PoC, the CVSS 4.0 score of 2.1 reflects constrained impact - limited to the vulnerable component with no lateral scope - and a mandatory low-privilege authentication prerequisite that tempers broad exploitation risk.
SQL injection in CodeAstro Payroll System 1.0 exposes payroll data to manipulation by authenticated low-privilege users via unsanitized input in the salary calculation endpoint. The vulnerability affects the `rate` and `salary_rate` parameters of `/home_salary.php`, where attacker-controlled values are passed directly into SQL queries without sanitization. Publicly available exploit code exists per GitHub references, though the vulnerability is not listed in the CISA KEV catalog and carries a CVSS 4.0 base score of only 2.1, reflecting constrained real-world impact due to authentication requirements and limited CIA impact ratings.
Least privilege violation in TOTOLINK CP450 router firmware 4.1.0cu.747 allows low-privileged remote attackers to perform unauthorized integrity-affecting actions via the vsftpd FTP service, whose configuration in /etc/vsftpd.conf grants excessive permissions beyond operational necessity. The vulnerability carries a low CVSS 4.0 score of 2.1, reflecting constrained impact limited to low integrity effects on the vulnerable system with no confidentiality or availability consequence. A publicly available proof-of-concept exploit exists, and no CISA KEV listing has been confirmed, indicating no known active widespread exploitation at time of analysis.
Improper authorization in the imvks786 student_management_system PHP application allows authenticated low-privileged remote attackers to delete student records they are not authorized to remove via manipulation of the `del` parameter at the /see.php Student Deletion Endpoint. The vulnerability (CWE-285) stems from the application failing to verify that the requesting user holds sufficient privileges to perform the deletion action, effectively enabling horizontal or vertical privilege escalation within the data management scope. No public exploit identified at time of analysis via CISA KEV, though publicly available exploit code exists per the referenced GitHub issue disclosure.
Improper access control in imvks786's Student Management System PHP application exposes the /add.php Student Record Handler endpoint to unauthorized manipulation by authenticated remote attackers. The vulnerability, classified under CWE-284, allows a low-privileged user to perform actions beyond their intended authorization scope - consistent with the 'Authentication Bypass' tag suggesting role-boundary violations rather than full pre-auth access. Public exploit code exists per the GitHub issue report, though the CVSS 4.0 score of 2.1 reflects limited impact scope (low confidentiality, integrity, and availability impact, no downstream system effect). The vendor has not responded to the coordinated disclosure.
SQL injection in designcomputer mysql-mcp-server (versions up to 0.2.2) allows authenticated remote attackers to execute arbitrary SQL via a crafted mysql:// URI passed to the read_resource function in server.py. The vulnerability stems from insufficient validation of the table-name segment in mysql://database/<name> URIs before interpolation into MySQL queries. A publicly available proof-of-concept exploit exists (GitHub issue #89); the issue is not listed in CISA KEV, indicating no confirmed widespread active exploitation at time of analysis. An official fix was released as v0.3.0 (also backported to v0.2.3).
Improper authorization in Mohammed-eid35's bank-management-system-springboot exposes the Transaction Endpoint to low-privileged authenticated remote attackers, enabling unauthorized access to or manipulation of financial transaction records belonging to other users. All versions up to commit 7b9bcc65ad7df3db29af71aed9bb500e5f24d948 are affected, with publicly available exploit code disclosed via GitHub issue #8. No patch has been released - the maintainer has not responded to the responsible disclosure report - making this an unresolved risk for any organization running this application.
Stored cross-site scripting in SourceCodester Inventory System 1.0 allows remote unauthenticated attackers to inject persistent malicious scripts via the fullname and username parameters in /users.php on the User Management Page. When an authenticated user - likely an administrator - visits the affected page, the injected script executes in their browser session, enabling session hijacking, credential theft, or unauthorized UI manipulation. Publicly available exploit code exists (GitHub PoC by Xmyronn); this is not listed in CISA KEV but the low-complexity, no-authentication submission path elevates practical risk above the CVSS 4.3 score suggests.
SQL injection in itsourcecode Hospital Management System 1.0 exposes patient database records to authenticated remote attackers via the unsanitized `admissiontme` parameter in `/addpatient.php`. A publicly available proof-of-concept (published on GitHub) lowers the exploitation barrier, though the CVSS 4.0 score of 2.1 reflects constrained impact - limited to partial data read/write with no scope change to subsequent systems. No active exploitation has been confirmed (not in CISA KEV), but the healthcare context amplifies regulatory significance even for low-severity data exposure.
SQL injection in itsourcecode Hospital Management System 1.0 allows remote low-privileged attackers to manipulate backend database queries via the 'Date' parameter in /adminaccount.php. The vulnerability is PHP-based (CWE-89) and publicly exploitable code exists via a GitHub submission linked through VulDB. Despite remote reachability, the CVSS 4.0 score of 2.1 reflects constrained real-world impact: low privileges are required, and the scope is fully contained with only low-level confidentiality, integrity, and availability consequences. No public patch has been identified at time of analysis.
Cross-site scripting in itsourcecode Hospital Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript via the unsanitized `patientid` parameter in `/billing.php`, executing in the context of a victim user's browser session upon interaction with a crafted URL. A publicly available proof-of-concept exploit exists, referenced in GitHub issue #13 of the ltranquility/vuln_submit repository, lowering the barrier for opportunistic exploitation. This CVE is not listed in the CISA KEV catalog; the CVSS 4.0 score of 2.1 reflects limited impact scope - low integrity effect only, no confidentiality or availability loss - constrained further by the passive user interaction requirement.
Cross-site scripting in imvks786/student_management_system allows a low-privileged remote attacker to inject malicious scripts via the name, address, or fname parameters in /add.php. The payload executes in a victim's browser when the affected page is viewed, enabling session hijacking, credential theft, or UI redress attacks against other users of the application. A public exploit is available via a GitHub issue report; the vendor has not responded to the coordinated disclosure.
Buffer overflow in UTT HiPER 2610G firmware (up to 3.0.0-171107) enables an authenticated, adjacent-network attacker to corrupt memory via an unsafe strcpy call in the web management NAT static mapping form handler. By supplying an oversized NatBinds argument to /goform/formNatStaticMap, an attacker can achieve low-level impacts across confidentiality, integrity, and availability on the targeted device. No KEV listing is present, but a public proof-of-concept is confirmed on GitHub, materially lowering the exploitation barrier for any attacker already on the local network.
Command injection in Neovim up to version 0.12.2 allows a local attacker with low privileges to execute arbitrary Vim commands by crafting a file with a malicious name containing pipe (`|`) or other Vim Ex command separators. The vulnerable code path is the `M.read` function in `runtime/lua/vim/secure.lua`, which concatenates an unsanitized file path directly into a `vim.cmd('sview ...')` call when a user selects the 'View' action in Neovim's security trust prompt. This CVE is not listed in CISA KEV, indicating no confirmed widespread active exploitation; however, a publicly available proof-of-concept exploit exists (GitHub issue #39914) and an official patch has been released (commit f83e0dcaf8cf18de94828341b0a1a61a86c75baf via PR #39918).
Stored cross-site scripting in CodeAstro Human Resource Management System 1.0 enables a high-privileged authenticated attacker to inject persistent malicious script via the Notice Title parameter in the Notice Board Management component, executing in the browsers of any user who subsequently views the affected notice. The publicly available proof-of-concept on GitHub demonstrates exploitation via an SVG onload payload submitted through a POST request to /notice/All_notice. Despite remote accessibility, real-world severity is constrained by the requirement for prior high-privilege authentication and the need for victim interaction - reflected in the low CVSS score of 2.4 - and no public exploitation campaign has been identified at time of analysis.
ReDoS (Regular Expression Denial of Service) in kokke tiny-regex-c up to commit f2632c6d9ed25272987471cdb8b70395c2460bdb allows local low-privileged attackers to cause availability degradation by supplying crafted input to the `matchstar` function in `re.c`, triggering exponential backtracking in the pattern handler. A public proof-of-concept exploit (tiny-regex-c-redos-poc.zip) has been published, though no vendor patch exists and the project maintainer has not responded to the responsible disclosure. No active exploitation in the wild has been confirmed (not in CISA KEV), and real-world risk is constrained by the local-only attack vector and low availability impact.
Authorization bypass in Weaviate's Static API Key Handler (versions 1.37.0-1.37.7) stems from the validateConfig function failing to reject duplicate API keys mapped to distinct users, allowing key-to-user resolution to resolve ambiguously. An authenticated low-privilege attacker holding a duplicated key can authenticate to Weaviate and be resolved as an unintended user identity, bypassing user-level authorization controls. Publicly available exploit code exists (GitHub issue #11392), though the CVSS 4.0 score of 1.3 reflects high attack complexity and the authenticated, misconfiguration-dependent nature of the attack - no public exploitation or CISA KEV listing has been identified at time of analysis.
Weak password requirements in the Samba service of Tenda AC15 firmware 15.03.05.19 expose SMB file-sharing functionality to brute-force attacks from adjacent-network attackers. The flaw originates in the /etc_ro/smb.conf configuration, which enforces insufficient password complexity, enabling unauthenticated local-network adversaries to guess or brute-force credentials and achieve limited confidentiality, integrity, and availability impact. Publicly available exploit code exists, though the high attack complexity (AC:H) and adjacency requirement (AV:A) constrain realistic exploitation to targeted, in-person or LAN-positioned threat actors.
Open redirect in JeecgBoot's ThirdLoginController (versions 3.9.0-3.9.2) allows remote attackers to manipulate the OAuth `state` parameter and redirect victims to attacker-controlled URLs via the third-party login flow. The vendor's own assessment confirms low real-world exploitability: successful exploitation requires social engineering to induce victims into clicking a crafted OAuth login link, and the affected third-party login feature (DingTalk, WeChat) is optional and likely disabled in most deployments. Publicly available exploit code exists, but no KEV listing indicates active exploitation campaigns at time of analysis.
Path traversal in Dulwich's porcelain.format_patch function allows patch files to be written outside the intended output directory by processing commits with malicious subject lines. Any service passing untrusted commits to dulwich.porcelain.format_patch(outdir=...) - such as CI pipelines, PR review platforms, or developer tooling processing third-party repositories - is affected in versions 0.24.0 through 1.2.4. No public exploit identified at time of analysis and no CISA KEV listing, but the attack pattern is trivially reproducible from the advisory description alone; exploitation requires no special tooling beyond crafting a commit with a subject like 'x/../../target'.
Weak cryptographic hashing of attachment passwords in phpMyFAQ prior to 4.1.4 exposes protected attachment credentials to offline cracking or collision-based forgery. The application stored SHA-1 hashes of per-attachment passwords in the database column `password_hash`, computed via `sha1((string) $key)` in `AbstractAttachment::setKey()`. Because SHA-1 has been cryptographically broken since the 2017 SHAttered collision attack, an attacker who obtains these database-stored hashes faces significantly weakened resistance compared to a modern algorithm. No active exploitation is confirmed (CISA KEV: no; exploit status E:U per CVSS 4.0), and the CVSS 4.0 base score of 2.7 reflects limited real-world impact.
Hard-coded cryptographic key exposure in the glnassys (GL.iNet NAS system) component across eight GL.iNet router models running firmware 4.8.x enables a low-privileged remote attacker to exploit a static authentication token and potentially execute unauthorized commands against the NAS subsystem. The vulnerability is rooted in CWE-321 (Use of Hard-coded Cryptographic Key), where the firmware embeds a fixed authentication secret that cannot be rotated by users or administrators. No public exploit identified at time of analysis, and the vendor has released firmware 4.9.0 as a fix.
Second-order SQL injection in BeikeShop's Admin Design Builder endpoint (versions up to 1.6.0.22) allows authenticated admin-panel users to manipulate the `settings.value` argument in `beike/Admin/Routes/admin.php` to inject arbitrary SQL. The root cause spans multiple PHP repository classes - `DesignService.php`, `BrandRepo.php`, and `ProductRepo.php` - where brand and product ID arrays were passed to database queries without integer casting or sanitization. A public proof-of-concept exploit exists; the CVSS 4.0 score of 2.1 reflects the administrative authentication prerequisite that meaningfully constrains real-world exposure.
CRLF injection in Req, the Elixir HTTP client library (versions 0.5.3 through before 0.6.0), allows an attacker who can influence multipart form field metadata - specifically name, filename, or content_type values - to inject arbitrary headers into outgoing multipart requests or smuggle additional form parts. The flaw exists because Req.Utils.encode_form_part/2 interpolates caller-supplied metadata directly into Content-Disposition and Content-Type header lines without escaping double-quotes, carriage returns, or newlines. The attack surface is particularly accessible when using File.Stream inputs, since POSIX filenames may legitimately contain CR/LF characters. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog; however, any application forwarding user-controlled filenames through Req.post/2 with form_multipart is affected.
XSS sanitizer bypass in typo3/html-sanitizer before 2.3.2 allows authenticated low-privileged users to inject unsanitized HTML by exploiting a parser divergence between the Masterminds HTML5 tokenizer and browser behavior for whitespace-variant closing tags such as </style\t>. The vulnerability is gated behind the non-default ALLOW_INSECURE_RAW_TEXT configuration flag, substantially limiting exposure. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Improper authorization in SourceCodester Inventory System 1.0 allows authenticated remote attackers to manipulate the ROLE parameter in the account creation API endpoint, bypassing role-based access controls to create or modify accounts with elevated privileges beyond what is authorized. The affected component is /Product_Inventory/api/users_handler.php, a PHP endpoint that fails to enforce server-side authorization on the ROLE argument during account creation. A publicly available proof-of-concept exploit exists (CVSS temporal E:P), lowering the barrier for opportunistic abuse. No patch has been identified at time of analysis.
Server-side request forgery in jishenghua jshERP up to version 3.6 allows a remote, highly-privileged attacker to manipulate the 'platformValue' argument of the platformConfig Add Endpoint, causing the server to issue forged HTTP requests to internal or external targets. The CVSS 4.0 base score of 2.0 reflects the high privilege requirement (PR:H), but exploitation is simplified by low complexity and no user interaction. A publicly available exploit exists (E:P confirmed in CVSS vector), and the project maintainer has not responded to the responsible disclosure issue filed on GitHub.
Reflected cross-site scripting in SourceCodester Inventory System 1.0 allows remote authenticated attackers to inject arbitrary JavaScript into victim browsers via unsanitized parameters in header.php. The attack requires low-level authentication and victim interaction with a crafted URL, limiting scope to integrity impact only (no confidentiality or availability impact per CVSS). Publicly available exploit code exists (CVSS E:P), though no active exploitation has been confirmed via CISA KEV, and the overall CVSS score of 3.5 (Low) reflects the constrained attack conditions.
HTML injection in Bolt CMS 3.7.5 and earlier allows authenticated remote attackers to inject arbitrary HTML by manipulating the `style` argument within the HTML Attribute Handler component (`src/Storage/Field/Type/TextType.php`). The vulnerability requires low-privilege credentials and passive victim interaction for injected content to render, producing low-severity but persistent integrity exposure. Publicly available exploit code exists (CVSS E:P confirmed), and because the project repository has been archived as read-only by the maintainer, no vendor patch will ever be released - any remaining deployment faces permanent unpatched exposure.
Weak SHA1-based chunk ID generation in yoanbernabeu grepai 0.35.0 enables insufficient namespace isolation within the Qdrant vector database backend, allowing an authenticated remote attacker to potentially access or corrupt indexed data belonging to other projects sharing the same Qdrant collection. The vulnerability stems from the absence of project namespace scoping in chunk UUID derivation, meaning chunk IDs could collide or be predicted across project boundaries. Publicly available exploit code exists per the CVSS E:P modifier and vendor disclosure, though no confirmed active exploitation (CISA KEV) has been recorded; the extremely low CVSS 4.0 score of 1.3 reflects high attack complexity and limited impact scope.
Cross-project embedding cache leakage in grepai (versions up to 0.35.0) allows a local low-privileged authenticated user to retrieve cached PostgreSQL embedding vectors belonging to other projects by supplying a known or predicted content_hash value to the LookupByContentHash function. The underlying flaw is a missing project_id scope in the SQL query, meaning any project's embedding vectors can be retrieved by any other authenticated caller who can supply a matching hash. No public exploitation has been confirmed via CISA KEV, but proof-of-concept exploit code has been publicly disclosed per VulDB and GitHub issue #249, and a fix PR (#250) is pending acceptance.