WordPress Plugin admin-word-count-column 2.2 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting null byte injection in the path. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Unauthenticated remote exploitation of the Boa embedded web server on the D-Link DCS-5615 IP camera (firmware 1.01.00) allows attackers to violate the principle of least privilege via manipulation of the `/etc/conf.d/boa/boa.conf` configuration component. The CVSS 4.0 vector confirms network-reachable, zero-complexity, no-authentication access with an active proof-of-concept exploit publicly available. No public KEV listing is present, but the PoC status elevates real-world risk for this class of always-on, internet-facing IoT device.
Unrestricted file upload in Kushan2k's student-management-system exposes the registration endpoint to unauthenticated remote attackers who can upload arbitrary files - including PHP webshells - by manipulating the `stimg` argument in `service/RegisterService.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no complexity, and no user interaction are required, making this trivially exploitable by any network-reachable attacker. Publicly available exploit code exists (E:P confirmed), and the vendor has not responded to responsible disclosure as of analysis time, leaving all installations unpatched.
SQL injection at the Administrator Login Endpoint of imvks786's student_management_system (PHP) allows unauthenticated remote attackers to manipulate the a_usr and a_pwd parameters in admin/admin_login.php to inject arbitrary SQL. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote exploitation with no privileges or user interaction required. A public proof-of-concept exploit has been released via GitHub issue tracker; the project maintainer has not responded to disclosure, and no patch is available at time of analysis.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 exposes sensitive patient data to remote, unauthenticated attackers via the `ID` parameter in the `/classes/Master.php?f=save_patient` endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, attack prerequisites, or user interaction are required, making this trivially exploitable from the network. A publicly available exploit exists (CVSS E:P), elevating real-world risk beyond what the moderate base score of 5.5 suggests; no public exploit identified at time of analysis rises to KEV level, but the POC lowers the barrier for opportunistic attackers targeting healthcare data.
SQL injection in code-projects Online Music Site 1.0 allows remote unauthenticated attackers to manipulate the Category parameter in /Frontend/Search.php to execute arbitrary SQL commands against the backend database. Publicly available exploit code exists (disclosed via GitHub), increasing the practical risk despite the small footprint of this PHP application. No active exploitation has been confirmed in CISA KEV at the time of analysis.
SQL injection in code-projects Online Music Site 1.0 allows remote attackers to manipulate the ID parameter in /Administrator/PHP/AdminDeleteAlbum.php to execute arbitrary database queries. Publicly available exploit code exists (published via GitHub and tracked by VulDB), and the flaw is reachable over the network without authentication per the CVSS vector. There is no public exploit identified as actively used in the wild (not CISA KEV), but the combination of trivial attack complexity and public PoC raises the practical exploitation risk for any exposed deployment.
SQL injection in code-projects Simple Flight Ticket Booking System 1.0 allows remote unauthenticated attackers to manipulate database queries via the Username POST parameter in checkUser.php. Publicly available exploit code exists (disclosed via GitHub), increasing the likelihood of opportunistic attacks against exposed instances, though the issue is not listed in CISA KEV. The CVSS 3.1 base score of 7.3 reflects network-reachable, low-complexity exploitation with no privileges or user interaction required.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter in /archive1.php to inject arbitrary SQL queries against the backend database. Publicly available exploit code exists per VulDB submission 369106, raising the practical risk despite the moderate CVSS 7.3 score. No KEV listing and no public exploitation campaigns identified at time of analysis.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter of /archive2.php to execute arbitrary SQL queries against the backend database. Publicly available exploit code exists (disclosed via GitHub), though there is no confirmed active exploitation in CISA KEV. The CVSS 7.3 score reflects network-reachable, no-authentication exploitation with partial impact across confidentiality, integrity, and availability.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter in /archive3.php to execute arbitrary database queries. Publicly available exploit code exists, increasing immediate risk to any exposed deployment, though no CISA KEV listing or EPSS data has been provided to indicate widespread active exploitation. The flaw carries a CVSS 7.3 rating reflecting network reachability with no authentication or user interaction required.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter of /archive4.php to inject arbitrary SQL queries. Publicly available exploit code exists, increasing the risk of opportunistic exploitation against exposed deployments, though no active exploitation has been confirmed via CISA KEV.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the login endpoint /index1.php to unauthenticated remote exploitation via an unsanitized Password parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier indicates a publicly available proof-of-concept - confirmed via a GitHub issue disclosure. An attacker can manipulate the Password argument to inject arbitrary SQL, potentially bypassing authentication or exfiltrating database contents. No CISA KEV listing is present, and no vendor patch has been identified at time of analysis.
Unauthenticated remote SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the login endpoint /index2.php to arbitrary query manipulation via the Password parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special attack complexity, making this trivially reachable from the network. Publicly available exploit code exists (POC confirmed via GitHub), though no CISA KEV listing has been issued, meaning widespread active exploitation is not confirmed at time of analysis.
SQL injection in CodeAstro Student Attendance Management System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter at /attendance-php/index.php to inject arbitrary SQL. Publicly available exploit code exists per VulDB reference, raising the practical risk despite the moderate 7.3 CVSS score. No CISA KEV listing and no EPSS score were supplied, so exploitation appears opportunistic against this small-vendor PHP application rather than mass-targeted.
SQL injection in imvks786 Student Management System (rolling release up to commit 9599b560) allows remote unauthenticated attackers to manipulate the usr and pwd parameters of /index.ph in the Login component to inject arbitrary SQL. Publicly available exploit code exists per VulDB, though the project is on a rolling release with no tagged fix and the maintainer has not responded to the issue report. No CISA KEV listing and no EPSS score is provided, but the trivial network-reachable login vector makes opportunistic scanning likely.
WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin WP24 Domain Check 1.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Stripe Payments 2.0.39 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin WP-Paginate 2.1.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the preset parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Stored cross-site scripting in QloApps through 1.7.0 enables authenticated administrators to inject persistent JavaScript into the application by uploading SVG files containing malicious event handlers (e.g., onload) via the admin file manager. Any user who subsequently views the uploaded file triggers the embedded script in their browser, crossing a security boundary (S:C) from the admin upload context into arbitrary victim sessions. Publicly available exploit code exists per VulnCheck and a linked GitHub issue; no active exploitation has been confirmed by CISA KEV.
CSV Injection in Poweradmin's log export functionality allows a high-privileged attacker to embed spreadsheet formulas in usernames that execute when an administrator exports activity logs and opens the resulting CSV in Excel, LibreOffice Calc, or Google Sheets. All four log export controllers pass username fields directly to PHP's fputcsv() without neutralizing formula trigger characters (=, +, -, @), enabling phishing via rendered hyperlinks and silent data exfiltration via =IMPORTXML() or similar functions targeting victim administrators. Publicly available exploit code exists per GHSA-3h6h-67x3-cv5x; the vulnerability is not listed in CISA KEV.
DNS cache poisoning in Netty's resolver component (io.netty:netty-resolver-dns) enables remote unauthenticated attackers to redirect downstream application traffic to attacker-controlled IPs through a Kaminsky-style spoofing attack. The vulnerability combines two compounding weaknesses present in the default configuration: DNS transaction IDs shuffled with a mathematically predictable Linear Congruential Generator (ThreadLocalRandom), and a static UDP source port resulting from the default ChannelPerResolver channel strategy. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but the Netty project rated it high severity and released fixes in versions 4.1.135.Final and 4.2.15.Final.
Command injection (CWE-78) in Devolutions Server's built-in PAM provider password rotation templates allows an attacker with vault write access to execute arbitrary OS commands on systems managed by the affected PAM provider. Affected versions include 2026.2.4.0 and all releases at or below 2026.1.20.0, reported directly by the vendor Devolutions. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis, but the high-value nature of a PAM platform managing privileged credentials on downstream systems means the practical blast radius substantially exceeds what the CVSS C:L/I:L scores suggest.
Denial of service in Red Hat 389 Directory Server's Content Synchronization persistent search plugin enables authenticated network clients to exhaust server memory by initiating a sync operation and halting consumption of responses, causing unbounded queue growth until the server becomes unavailable. Compounding this, race conditions in the plugin's thread lifecycle management can independently trigger server crashes during connection teardown or graceful shutdown. Affected across Red Hat Directory Server 11, 12, and 13 as well as the bundled 389-ds-base package on RHEL 6 through 10. No public exploit identified at time of analysis and no CISA KEV listing.
Out-of-bounds read in Apache HTTP Server 2.4.0 through 2.4.67 arises from an interaction between mod_headers, mod_mime, and multi-language content negotiation, allowing unauthenticated remote attackers to trigger memory reads beyond allocated buffer boundaries. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) confirms low-complexity, unauthenticated network exploitation yielding limited confidentiality and integrity impact with no availability consequence. No active exploitation confirmed in CISA KEV, and no public exploit code has been identified at time of analysis.
Cleartext credential exposure in Devolutions Server allows an authenticated low-privileged user to retrieve plaintext credentials stored for configured ticketing integrations via a crafted API request. Affected versions include Devolutions Server 2026.2.4.0 and all 2026.1.x releases up to and including 2026.1.20.0. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the vulnerability was self-disclosed by Devolutions via advisory DEVO-2026-0015.
OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required.
Stored Cross-Site Scripting in WPZOOM's Recipe Card Blocks Lite WordPress plugin (all versions through 3.4.13) allows authenticated attackers with Author-level access or higher to inject persistent malicious scripts into published posts and recipe print views. The vulnerability is a sanitization bypass: the `WPZOOM_Helpers::deserialize_block_attributes` method re-decodes unicode-escaped character sequences back into raw HTML after WordPress's sanitization pipeline has already run, permitting crafted payloads in the recipe block's 'summary' and 'notes' attributes to survive sanitization and execute in victims' browsers. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS Changed Scope (S:C) rating reflects cross-user impact, including potential administrator session hijacking.
HTTP response splitting in ninenines cowlib allows network-accessible attackers to inject arbitrary HTTP headers when applications route untrusted input through the library's structured-field encoder. The root cause is an encoder/decoder asymmetry in cow_http_struct_hd:escape_string/2: it escapes only backslash and double-quote, emitting all other bytes verbatim - including CR (0x0D) and LF (0x0A) - while the matching parser only accepts printable ASCII. Any Cowboy or Gun application that builds a structured HTTP header from attacker-controlled input via cow_http_struct_hd:item/1 or cow_http_hd:wt_protocol/1 is affected. No public exploit has been identified and this CVE does not appear in CISA KEV, but upstream fixes are available as commits to both Cowboy and Gun.
Incorrect authorization in Checkmk's User Messages dashboard widget exposes the dashboard creator's personal messages to any party possessing a valid public dashboard share token. The message-fetching endpoints resolve messages using the dashboard creator's identity rather than the requesting party's identity, meaning that direct API calls with a share token return the issuer's private messages regardless of whether the User Messages widget is actually present on the shared dashboard. All Checkmk deployments running versions prior to 2.5.0p5 that use the public dashboard sharing feature are affected. No public exploit has been identified and the vulnerability is not listed in CISA KEV at time of analysis.
Cross-origin cookie injection in ninenines gun (versions 2.0.0 through 2.3.x) allows a malicious or compromised HTTP/2 server to plant cookies scoped to arbitrary third-party domains into the client's shared cookie store. The gun_http2 module fails to validate the :authority pseudo-header in incoming PUSH_PROMISE frames before passing the server-supplied value to the cookie-setting path, violating RFC 7540 §10.6 and RFC 9113 §8.4. This enables session fixation attacks against third-party domains and may lead to account takeover if planted cookies override legitimate session tokens; no public exploit identified at time of analysis. Note: the 'RCE' tag present in source intelligence is not supported by any available data and appears to be erroneous metadata.
Privilege escalation in FUXA's Scheduler API allows authenticated operator-level users to create or modify scheduled actions restricted to administrators, reaching PLC write and server-side script execution surfaces in SCADA deployments. The vulnerability (CWE-862) exists because POST /api/scheduler and DELETE /api/scheduler lacked the authJwt.haveAdminPermission() check applied to every other privileged write endpoint. Uniquely dangerous in OT environments: the scheduled-action model means an attacker does not need to maintain an active session - a repeating schedule persistently re-applies unauthorized setpoint or script changes even after manual admin remediation.
Cross-site scripting in Apache HTTP Server's mod_proxy_ftp module allows a network-accessible attacker to inject malicious scripts into HTML directory listings generated when the server proxies FTP directory contents. Affected are all versions of Apache HTTP Server up to and including 2.4.67, in both forward and reverse proxy configurations. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, but the Changed scope (S:C) in the CVSS vector means injected scripts execute in victims' browsers under the origin of the proxy host, elevating the effective impact beyond the medium base score.
Memory exhaustion denial-of-service in Dulwich's git-receive-pack handler allows any client with push access to crash the server by sending a ~174-byte crafted thin pack. The pack's delta header declares an arbitrarily large dest_size value, causing dulwich's add_thin_pack/apply_delta code to allocate hundreds of megabytes of memory with no relationship to the actual bytes received. No public exploit code and no CISA KEV listing exist at time of analysis; the CVSS 5.7 Medium score reflects the low-privilege network vector but is bounded by the requirement that the attacker hold push credentials.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `sy` parameter in `/archive5.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and exploit code is publicly available (E:P), lowering the bar for opportunistic exploitation. Impact is assessed as low across confidentiality, integrity, and availability - consistent with a partial data-disclosure or limited-manipulation SQL injection rather than full database takeover.
Kernel panic in the Linux amdgpu DRM driver exposes systems running RDNA4 hardware (e.g., AMD RX 9070 XT) to a denial-of-service condition during driver initialization, but only when the kernel is compiled with CONFIG_DRM_DEBUG_MM enabled. The RDNA4 architecture (GFX 12) removed the GDS, GWS, and OA on-chip memory resources entirely; however, amdgpu_ttm_init() unconditionally invokes amdgpu_ttm_init_on_chip() for these resources regardless of size, ultimately calling drm_mm_init(mm, 0, 0), which triggers DRM_MM_BUG_ON and crashes the kernel at modprobe time. No public exploit exists and EPSS sits at 0.02% (7th percentile), consistent with a hardware-specific, debug-config-dependent crash rather than a remotely triggerable attack surface.
NULL pointer dereference in the Linux kernel's HugeTLB early boot parameter parser causes a system crash before the OS fully initializes. Specifically, `hugetlb_add_param()` in `mm/hugetlb` dereferences a NULL pointer via `strlen()` when `hugepages`, `hugepagesz`, or `default_hugepagesz` kernel command line parameters are supplied without a '=' separator, producing a boot-time kernel panic. The impact is a complete denial of service - the system fails to boot until the malformed parameter is corrected. No public exploit or CISA KEV listing exists; EPSS stands at 0.02% (5th percentile), reflecting very low observed exploitation activity. Patches are available in Linux 6.18.27, 7.0.4, and 7.1-rc1, with Ubuntu distributing fixes via USN-8489-1 and USN-8488-1.
Error pointer dereference in the Linux kernel's Intel IPU6 media driver crashes the kernel during a failed probe, resulting in local denial of service. The flaw resides in `ipu6_pci_probe()` at `drivers/media/pci/intel/ipu6/ipu6.c:690`, where `isp->psys` holds an ERR_PTR value rather than NULL in a specific error path, causing it to be dereferenced during cleanup rather than handled safely. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting negligible real-world exploitation interest.
Kernel warning (WARN_ON) triggerable in the Linux videobuf2 DMA scatter-gather subsystem on Apple Silicon systems allows a low-privileged local user to destabilize video capture pipelines by performing mmap() on an imported DMA-buf. The vb2_dma_sg_mmap function fails to set VM_DONTEXPAND and VM_DONTDUMP VMA flags - protections that vb2_dma_contig correctly applies - causing drm_gem_mmap_obj() to hit its assertion guard. No public exploit has been identified at time of analysis; EPSS is 0.02% (5th percentile), consistent with the narrow hardware-specific trigger surface.
NULL pointer dereference in the rtl8723bs staging WiFi driver crashes the Linux kernel when memory allocation fails in rtw_cbuf_alloc(). Systems running Linux 7.0 with an RTL8723BS chipset and the staging driver loaded are affected; a local low-privileged user can trigger a kernel panic resulting in denial of service. No public exploit exists and EPSS at 0.02% (5th percentile) reflects negligible real-world exploitation probability.
Local denial-of-service in the Linux kernel's SELinux subsystem allows any low-privileged local process to monopolize the `/sys/fs/selinux/policy` file descriptor, blocking all other processes from reading the active kernel policy. The root cause is a `policy_opened` flag that enforced a single-open restriction on the SELinux policy pseudofile - originally intended to prevent inconsistent reads or unbounded kernel memory allocation, but which also created a trivial resource-starvation primitive. No active exploitation has been identified (not in CISA KEV), and the EPSS score of 0.02% places this in the 5th percentile for exploitation likelihood.
NULL pointer dereference in the Linux kernel's s3c64xx SPI driver triggers a kernel crash on driver unbind, allowing a local low-privileged attacker to cause a denial of service. The flaw affects systems equipped with Samsung S3C64xx-series SoC hardware running unpatched kernel versions from 6.0 onward. No public exploit code exists and EPSS probability sits at 0.02%, but the crash is deterministic once the driver unbind sequence is triggered on vulnerable hardware. No active exploitation (CISA KEV) has been identified.
Missing resource cleanup in the Linux kernel's generic power domain (genpd) subsystem causes runtime PM to remain enabled for virtual devices after detach, leading to a NULL pointer dereference in genpd_runtime_suspend() and local denial of service. The flaw affects systems where drivers use genpd_dev_pm_attach_by_id() - predominantly ARM and SoC-based platforms - since the balancing pm_runtime_disable() call is absent from genpd_dev_pm_detach(). No public exploit exists and EPSS at 0.02% (5th percentile) confirms negligible exploitation probability; this is not listed in CISA KEV.
Sensitive HMAC key material is exposed through kernel debug logging in the Linux kernel's CAAM (Cryptographic Acceleration and Assurance Module) crypto driver. On systems with CONFIG_DYNAMIC_DEBUG enabled and debug output activated for the caam module at runtime, calls to hash_digest_key() emit raw HMAC key bytes via hex dump into the kernel log, allowing any local attacker with debug log read access to extract cryptographic secrets. No public exploit code has been identified and EPSS probability is 0.02%, though the confidentiality impact is severe if exploitation conditions are met. The provided CVSS vector (C:N/A:H) appears to misclassify this as an availability issue rather than a confidentiality issue - see confidence notes.
Missing RTNL lock acquisition in the txgbe network driver causes a kernel assertion warning during module removal on systems with Wangxun copper NICs with external PHY. When `rmmod txgbe` is executed, `phylink_disconnect_phy()` fires an `ASSERT_RTNL()` check at `drivers/net/phy/phylink.c:2351` because the driver's remove path neglects to hold the RTNL mutex, producing a kernel WARNING and degrading system availability. No public exploit exists and EPSS is 0.02% (5th percentile); this is a stability regression rather than a remotely exploitable flaw, affecting a narrow hardware-specific code path.
Array out-of-bounds read in the Linux kernel's Qualcomm Light Pulse Generator (qcom-lpg) LED driver allows a local low-privileged user to crash the kernel via denial of service on affected Qualcomm SoC-based systems. The flaw stems from using FIELD_GET() to extract a 3-bit register value (range 0-7) as an index into an array with only 5 elements, enabling reads beyond array bounds and subsequent hardware misconfiguration or kernel panic. No public exploit has been identified and EPSS stands at the 5th percentile, placing this firmly in lower-priority triage despite the technically High availability impact per CVSS.
Sensitive cryptographic material-HMAC session keys, nonces, and passphrase data held in struct tpm2_auth-is left in freed slab memory when a TPM device is released via tpm_dev_release() in Linux kernels from 6.10 onward, because that code path uses kfree() rather than kfree_sensitive(). Every other tear-down path in the same TPM driver (tpm2_end_auth_session() and tpm_buf_check_hmac_response()) already calls kfree_sensitive(), making this an isolated inconsistency. No public exploit exists and EPSS is 0.02% (5th percentile), but in high-assurance environments where TPM-backed key confidentiality is mandatory the residual key material is a meaningful exposure until overwritten by subsequent allocations.
NULL pointer dereference in the Linux kernel's admv1013 IIO frequency driver crashes the kernel when device_property_read_string() fails during device initialization, leaving a garbage pointer subsequently passed to strcmp(). A local low-privileged user on a system with ADMV1013 microwave upconverter hardware can reliably trigger a kernel panic, resulting in a complete denial of service. No public exploit exists and EPSS sits at 0.02% (5th percentile), but vendor-released patches are available across multiple stable kernel branches including 6.12.86 and 7.0.4.
NULL pointer dereference in the Linux kernel's drm/imagination (PowerVR GPU) driver crashes the kernel when a local user writes to the ftrace mask debugfs entry. Affected kernels range from the introduction of the drm/imagination driver at commit a331631496a0af9a6f4e7e1860983afd8b1bb013 through Linux 7.0, with fixes landed in 7.0.4 and 7.1-rc2. An attacker with local access and write permission to the debugfs interface can trigger a kernel Oops, resulting in a full system crash and denial of service. No public exploit exists and EPSS is 0.02%, consistent with the narrow hardware scope (Imagination Technologies PowerVR GPUs) and local-only attack surface.