Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to achieve root-level command execution via OS command injection. With a maximum CVSS score of 10.0 and a network-accessible, no-interaction attack vector, this represents a critical exposure for any internet-facing Sentry appliance, though no public exploit has been identified at time of analysis.
Remote code execution in Google Chrome's V8 JavaScript engine prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw is an out-of-bounds read and write (CWE-125) rated High severity by Chromium with a CVSS 8.8, and no public exploit identified at time of analysis, though V8 memory-corruption issues historically attract exploit development.
Authentication bypass in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows remote unauthenticated attackers to create arbitrary administrative accounts and gain full administrative control of the appliance. Publicly available exploit code exists (watchTowr Labs PoC chained with CVE-2026-10520 for RCE), though it is not yet listed in CISA KEV; EPSS sits at a modest 0.31% (54th percentile) despite the critical CVSS 9.8 rating.
Privilege elevation in the Windows TCP/IP networking stack allows an unauthenticated attacker on an adjacent network to gain elevated privileges by triggering a heap-based buffer overflow (CWE-122). The CVSS 9.6 score with scope change (S:C) indicates the compromise crosses security boundaries beyond the vulnerable component itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-exception-level write access in multiple Arm CPU cores including Cortex-A76 through Cortex-X925, Neoverse N1/N2/V1/V2/V3/V3AE, and C1-Ultra/Premium designs allows a lower-privileged context to modify resources owned by a higher exception level due to a race condition (CWE-362). Tracked also as Xen XSA-493 and EUVD-2025-210084, the issue carries a CVSS of 9.1 reflecting high confidentiality and integrity impact, though there is no public exploit identified at time of analysis and the EPSS score of 0.02% (4th percentile) indicates very low predicted exploitation probability.
Apptha Slider Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the albid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to read arbitrary database information by exploiting an unescaped POST parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
KittyCatfish 2.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to read database contents by exploiting an unescaped GET parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Wow Viral Signups 2.1 WordPress plugin contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by exploiting the unescaped 'idsignup' POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Product Catalog 8 1.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Simply Poll 1.4.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the 'pollid' POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin PICA Photo Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Mac Photo Gallery 3.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the albid parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Apptha Slider Gallery 1.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the imgname parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authorization bypass in Mem0 self-hosted server versions through 0.2.8 allows any authenticated holder of a distributed API key to overwrite the global LLM and embedder configuration via the POST /configure endpoint, redirecting all model traffic to an attacker-controlled server. The malicious configuration is persisted to PostgreSQL and survives restarts, affecting every user and API key on the instance. Publicly available exploit code exists and a vendor patch has been released in commit ae7f406.
Local code execution in Microsoft Windows Win32K GRFX (graphics) subsystem allows an attacker with low-privilege local access to run arbitrary code by triggering an integer overflow, after coaxing a user into interacting with a crafted graphics object. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, though Win32K bugs historically attract rapid exploit development for privilege escalation in post-compromise chains.
Local code execution in the Windows Win32K GRFX (graphics) subsystem allows an unauthorized attacker with the ability to run code locally to escalate privileges through an integer overflow. The flaw was reported by Microsoft (MSRC) and carries a CVSS 7.8, but requires user interaction (UI:R) and local access (AV:L), and no public exploit identified at time of analysis.
Local privilege escalation in Microsoft Windows Push Notifications service stems from a race condition (CWE-362) that an authenticated low-privilege user can win to gain higher privileges on the host. The CVSS 7.8 score with Scope:Changed indicates successful exploitation crosses a security boundary, impacting confidentiality, integrity, and availability of resources beyond the vulnerable component. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Local privilege escalation in Microsoft Windows Push Notifications service stems from a race condition (CWE-362) that an attacker with low-privileged local access can exploit to gain higher privileges. No public exploit identified at time of analysis, and the issue is not on CISA KEV, but the CVSS 7.8 rating reflects high impact across confidentiality, integrity, and availability once the race is won. A vendor patch is available via the Microsoft Security Response Center advisory.
Local privilege escalation in Windows Push Notifications enables an authenticated low-privileged user to elevate to higher privileges by exploiting a race condition (CWE-362) in concurrent access to a shared resource. Successful exploitation results in high impact to confidentiality, integrity, and availability with scope change, but no public exploit identified at time of analysis. Microsoft has released a patch via MSRC advisory.
Local privilege escalation in Microsoft Windows Push Notifications service stems from a race condition (CWE-362) in concurrent handling of shared resources, allowing an authorized low-privileged attacker to win a timing window and elevate to higher privileges with scope change. The CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H reflects local-only exploitation with high attack complexity due to the timing-dependent nature, but a successful attacker gains full confidentiality, integrity, and availability impact across a security boundary. No public exploit identified at time of analysis.
Privilege escalation in TYPO3 CMS allows authenticated backend users with Form Framework access to execute arbitrary SQL by uploading malicious form definitions with non-standard file extensions, enabling creation of administrative backend accounts. The flaw stems from incomplete file-extension validation in FormPersistenceManager and affects every supported branch (10.4, 11.5, 12.4, 13.4, 14.3) below the fixed releases. No public exploit identified at time of analysis, but the upstream fix commits are public on GitHub.
Single Personal Message 1.0.3 contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries by injecting malicious code through the message parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Local privilege escalation in the Windows Bluetooth Port Driver allows an authorized low-privileged attacker to elevate to higher privileges by triggering a use-after-free condition in the kernel-mode driver. The flaw is reported by Microsoft Security Response Center and carries a CVSS 7.0 (high) rating with high attack complexity, and no public exploit identified at time of analysis. EPSS data and CISA KEV status were not provided in the input, so widespread exploitation is not confirmed.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free condition in the kernel-mode driver. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but AFD.sys has a long history of being targeted for kernel EoP, making this a likely candidate for future weaponization. CVSS 7.0 reflects the high attack complexity required to reliably win the underlying race or reuse condition.
Local privilege escalation in Microsoft Windows DNS allows an authenticated low-privileged user to gain elevated privileges via a heap-based buffer overflow (CWE-122). The CVSS 7.0 score reflects high attack complexity and local-only access, and no public exploit is identified at time of analysis. The flaw was reported privately by Microsoft (MSRC) and is tracked under MSRC advisory CVE-2026-41108.
WP Vault 0.8.6.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting an unescaped parameter in the include functionality. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Remote code execution in Microsoft Azure Stack Edge allows unauthenticated attackers to execute arbitrary code over the network by exploiting external control of file name or path (CWE-73). The CVSS 9.8 score reflects network-reachable, unauthenticated exploitation with high impact to confidentiality, integrity, and availability, and no public exploit identified at time of analysis. The vulnerability was reported by Microsoft Security Response Center (secure@microsoft.com) and is tagged as an authentication bypass affecting Azure Stack Edge appliances.
BitLocker's protection mechanism on Windows fails to enforce a critical authentication or verification step, permitting a physically present attacker to bypass full-disk encryption without credentials, a recovery key, or elevated privileges. Despite a CVSS score of 6.8 (Medium) - moderated by the physical access requirement - the impact ratings are High across confidentiality, integrity, and availability, meaning successful exploitation grants complete access to encrypted data and the underlying system. No public exploit has been identified at time of analysis, and Microsoft has released a patch via the MSRC update guide.
Security feature bypass in Microsoft Windows BitLocker allows an attacker with physical access to circumvent the drive encryption protection mechanism. Affected systems can have BitLocker-protected data accessed despite the encryption-at-rest control being enabled, undermining a core platform confidentiality boundary. There is no public exploit identified at time of analysis, but the vulnerability is reported by Microsoft (secure@microsoft.com) as a protection mechanism failure with high impact across confidentiality, integrity, and availability.
Privilege escalation in Microsoft Visual Studio Code allows remote unauthenticated attackers to elevate privileges over a network when a victim performs a required interaction, due to improper input validation classified as missing authentication (CWE-306). The flaw carries a critical CVSS 9.6 score with scope change, meaning a successful attack impacts resources beyond the vulnerable component. No public exploit identified at time of analysis, but the user-interaction trigger combined with VS Code's massive developer install base makes this a notable supply-chain-adjacent risk.
Local file tampering via symlink/junction following in Microsoft .NET runtimes 8.0, 9.0, and 10.0 allows a local unauthenticated attacker to redirect file operations to unintended targets, achieving high-integrity impact without requiring elevated privileges. The vulnerability stems from improper link resolution (CWE-59) before file access, enabling unauthorized modification of files the attacker would otherwise lack write access to. No public exploit identified at time of analysis and no CISA KEV listing, but the low attack complexity (AC:L) and absence of privilege requirements (PR:N) make exploitation straightforward for any actor with local access.
Unauthenticated OS command injection in Fortinet FortiSandbox (on-premise, Cloud, and PaaS variants) allows remote attackers to execute arbitrary operating system commands by sending specifically crafted HTTP requests to the management interface. The flaw carries a CVSS 9.8 rating with network-reachable, no-authentication, no-user-interaction characteristics, and no public exploit identified at time of analysis. Because FortiSandbox is a security-analysis appliance handling untrusted samples, compromise undermines the integrity of malware verdicts and downstream detections.
Sensitive key material extraction is possible in Siemens SIMATIC WinCC Unified PC Runtime versions V16 through V21 (prior to V21 Update 2) due to insufficient protection in the WinCC Certificate Manager component. A local attacker on an affected HMI/SCADA workstation could harvest cryptographic key material that protects operator certificates, potentially enabling impersonation or downstream attacks against industrial control networks. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9394 and earlier allows unauthenticated network attackers to execute arbitrary code in the context of the current user with no user interaction required. The flaw stems from an Incorrect Authorization weakness (CWE-863) and carries the maximum CVSS 3.1 base score of 10.0 with changed scope, indicating impact beyond the vulnerable component. No public exploit identified at time of analysis, though the perfect CVSS score and authentication-bypass characteristics make this a high-priority patch for any organization running ACC for marketing automation.
Server-side request forgery in Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier escalates to arbitrary code execution in the context of the current user, with a maximum CVSS 10.0 reflecting unauthenticated network exploitation and scope change. No public exploit identified at time of analysis, but the vendor advisory APSB26-66 confirms the flaw and the trivial attack complexity (AC:L) combined with PR:N and UI:N makes ACC instances reachable from untrusted networks an urgent patch target. The scope change (S:C) indicates the SSRF pivots beyond the originating component, enabling reach into adjacent backend services typically isolated from external callers.
Remote code execution in Adobe ColdFusion 2023 (Update 17 and earlier) and ColdFusion 2025 (Update 8 and earlier) allows unauthenticated network attackers to execute arbitrary code in the context of the current user without any user interaction, with a scope change extending impact beyond the vulnerable component. The flaw stems from improper input validation (CWE-20) and carries a maximum CVSS 3.1 score of 10.0, though EPSS exploitation probability is currently only 0.04% (11th percentile) and SSVC reports no observed exploitation. No public exploit identified at time of analysis.
Privilege escalation in Microsoft Office SharePoint allows an authenticated network attacker to elevate privileges by submitting maliciously crafted serialized data that the server deserializes without proper validation. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability combined with low attack complexity, though the PR:L requirement means the attacker must already hold at least a low-privileged SharePoint account. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Authenticated remote code execution in Pheditor 2.0.1-2.0.3 lets any logged-in user with the default terminal permission bypass the TERMINAL_COMMANDS whitelist by injecting shell metacharacters into the unsanitized 'dir' POST parameter of pheditor.php, achieving full command execution as the web server user. Publicly available exploit code exists in the GitHub Security Advisory PoC, and the upstream commit confirms the root cause is missing escapeshellarg() on $dir before concatenation into shell_exec().
Signed XML message tampering in SAP NetWeaver Application Server ABAP and ABAP Platform allows authenticated low-privileged attackers to forge identity information by capturing a valid signed message and submitting modified signed XML documents that the verifier accepts. The scope-changing flaw (CVSS 9.9) enables unauthorized access to sensitive user data and disruption of normal operations across trust boundaries. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in Nuance PowerScribe allows unauthenticated network attackers to run arbitrary code by submitting maliciously crafted serialized objects to the application. The flaw is a CWE-502 untrusted-data deserialization issue carrying a critical CVSS 9.8 score, reported through Microsoft Security Response Center; no public exploit identified at time of analysis. Because PowerScribe is a clinical radiology reporting platform widely deployed in hospital environments, successful exploitation could compromise systems handling protected health information.
Remote code execution in Microsoft Windows HTTP.sys allows unauthenticated network attackers to execute arbitrary code by triggering an integer overflow that leads to heap-based memory corruption. The flaw carries a CVSS 9.8 rating reflecting network reachability, no privileges, and no user interaction, and impacts the kernel-mode HTTP listener used by IIS and any Windows service relying on the HTTP Server API. No public exploit has been identified at the time of analysis and CISA KEV does not list it, but the wormable profile of HTTP.sys flaws warrants urgent patching.
Remote code execution and denial of service in Zephyr RTOS HTTP server (versions 3.7.0 through 4.3.0) allow unauthenticated network attackers to corrupt stack memory by sending a crafted Sec-WebSocket-Key header during WebSocket upgrade. The flaw is a CWE-170 improper NUL-termination issue where a bounded copy fails to terminate the header buffer, causing strlen() and subsequent concatenation to read and write past stack bounds. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivially reachable attack surface make this a high-priority issue for any Zephyr deployment with CONFIG_HTTP_SERVER_WEBSOCKET enabled.
Remote code execution and denial-of-service in bitbank2 AnimatedGIF v2.2.0 arises from a buffer overflow in the DecodeLZW function when processing a crafted GIF file. SSVC data indicates a proof-of-concept exists and exploitation is automatable, though it is not listed in CISA KEV; with CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) the vulnerability is network-reachable wherever this library decodes attacker-supplied GIFs.
Remote code execution in the Windows Kernel allows unauthenticated network attackers to execute arbitrary code by triggering a use-after-free condition (CWE-122 heap-related memory corruption). The flaw was reported by Microsoft (secure@microsoft.com) and carries a critical CVSS 9.8 with no public exploit identified at time of analysis. Tag metadata indicates the bug can also be leveraged for heap overflow and denial-of-service outcomes.
Remote code execution in the Windows DHCP Client is possible when a stack-based buffer overflow (CWE-121) is triggered by a crafted DHCP server response, allowing an unauthorized network attacker to run arbitrary code with no user interaction. The flaw carries a CVSS 9.8 critical rating reflecting network reachability, low complexity, and full impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because the DHCP client runs early in the network stack on virtually every Windows host, successful exploitation grants attacker-controlled code execution in a highly privileged context.
Privilege escalation via server-side request forgery in Microsoft Exchange Server allows an authenticated attacker with low-level network access to coerce the Exchange server into making attacker-controlled requests, resulting in high impact to confidentiality, integrity, and availability. The flaw is network-exploitable with low complexity (CVSS 8.8) but requires prior authentication, and no public exploit identified at time of analysis. As a Microsoft-discovered issue (reported by secure@microsoft.com), it is consistent with the broader pattern of Exchange SSRF chains used to pivot to elevated mailbox or domain access.
Local privilege escalation and code execution in Microsoft Azure Kubernetes Service (AKS) is possible via a path traversal flaw (CWE-22) that allows an authorized attacker on the local system to break out of restricted directory boundaries and execute code with elevated privileges. The CVSS 3.1 score of 8.8 reflects the scope change (S:C) where exploitation impacts resources beyond the vulnerable component, enabling full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis.