Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to achieve root-level command execution via OS command injection. With a maximum CVSS score of 10.0 and a network-accessible, no-interaction attack vector, this represents a critical exposure for any internet-facing Sentry appliance, though no public exploit has been identified at time of analysis.
Authentication bypass in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows remote unauthenticated attackers to create arbitrary administrative accounts and gain full administrative control of the appliance. Publicly available exploit code exists (watchTowr Labs PoC chained with CVE-2026-10520 for RCE), though it is not yet listed in CISA KEV; EPSS sits at a modest 0.31% (54th percentile) despite the critical CVSS 9.8 rating.
Privilege elevation in the Windows TCP/IP networking stack allows an unauthenticated attacker on an adjacent network to gain elevated privileges by triggering a heap-based buffer overflow (CWE-122). The CVSS 9.6 score with scope change (S:C) indicates the compromise crosses security boundaries beyond the vulnerable component itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-exception-level write access in multiple Arm CPU cores including Cortex-A76 through Cortex-X925, Neoverse N1/N2/V1/V2/V3/V3AE, and C1-Ultra/Premium designs allows a lower-privileged context to modify resources owned by a higher exception level due to a race condition (CWE-362). Tracked also as Xen XSA-493 and EUVD-2025-210084, the issue carries a CVSS of 9.1 reflecting high confidentiality and integrity impact, though there is no public exploit identified at time of analysis and the EPSS score of 0.02% (4th percentile) indicates very low predicted exploitation probability.
Remote code execution in Microsoft Azure Stack Edge allows unauthenticated attackers to execute arbitrary code over the network by exploiting external control of file name or path (CWE-73). The CVSS 9.8 score reflects network-reachable, unauthenticated exploitation with high impact to confidentiality, integrity, and availability, and no public exploit identified at time of analysis. The vulnerability was reported by Microsoft Security Response Center (secure@microsoft.com) and is tagged as an authentication bypass affecting Azure Stack Edge appliances.
Privilege escalation in Microsoft Visual Studio Code allows remote unauthenticated attackers to elevate privileges over a network when a victim performs a required interaction, due to improper input validation classified as missing authentication (CWE-306). The flaw carries a critical CVSS 9.6 score with scope change, meaning a successful attack impacts resources beyond the vulnerable component. No public exploit identified at time of analysis, but the user-interaction trigger combined with VS Code's massive developer install base makes this a notable supply-chain-adjacent risk.
Unauthenticated OS command injection in Fortinet FortiSandbox (on-premise, Cloud, and PaaS variants) allows remote attackers to execute arbitrary operating system commands by sending specifically crafted HTTP requests to the management interface. The flaw carries a CVSS 9.8 rating with network-reachable, no-authentication, no-user-interaction characteristics, and no public exploit identified at time of analysis. Because FortiSandbox is a security-analysis appliance handling untrusted samples, compromise undermines the integrity of malware verdicts and downstream detections.
Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9394 and earlier allows unauthenticated network attackers to execute arbitrary code in the context of the current user with no user interaction required. The flaw stems from an Incorrect Authorization weakness (CWE-863) and carries the maximum CVSS 3.1 base score of 10.0 with changed scope, indicating impact beyond the vulnerable component. No public exploit identified at time of analysis, though the perfect CVSS score and authentication-bypass characteristics make this a high-priority patch for any organization running ACC for marketing automation.
Server-side request forgery in Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier escalates to arbitrary code execution in the context of the current user, with a maximum CVSS 10.0 reflecting unauthenticated network exploitation and scope change. No public exploit identified at time of analysis, but the vendor advisory APSB26-66 confirms the flaw and the trivial attack complexity (AC:L) combined with PR:N and UI:N makes ACC instances reachable from untrusted networks an urgent patch target. The scope change (S:C) indicates the SSRF pivots beyond the originating component, enabling reach into adjacent backend services typically isolated from external callers.
Remote code execution in Adobe ColdFusion 2023 (Update 17 and earlier) and ColdFusion 2025 (Update 8 and earlier) allows unauthenticated network attackers to execute arbitrary code in the context of the current user without any user interaction, with a scope change extending impact beyond the vulnerable component. The flaw stems from improper input validation (CWE-20) and carries a maximum CVSS 3.1 score of 10.0, though EPSS exploitation probability is currently only 0.04% (11th percentile) and SSVC reports no observed exploitation. No public exploit identified at time of analysis.
Authenticated remote code execution in Pheditor 2.0.1-2.0.3 lets any logged-in user with the default terminal permission bypass the TERMINAL_COMMANDS whitelist by injecting shell metacharacters into the unsanitized 'dir' POST parameter of pheditor.php, achieving full command execution as the web server user. Publicly available exploit code exists in the GitHub Security Advisory PoC, and the upstream commit confirms the root cause is missing escapeshellarg() on $dir before concatenation into shell_exec().
Signed XML message tampering in SAP NetWeaver Application Server ABAP and ABAP Platform allows authenticated low-privileged attackers to forge identity information by capturing a valid signed message and submitting modified signed XML documents that the verifier accepts. The scope-changing flaw (CVSS 9.9) enables unauthorized access to sensitive user data and disruption of normal operations across trust boundaries. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in Nuance PowerScribe allows unauthenticated network attackers to run arbitrary code by submitting maliciously crafted serialized objects to the application. The flaw is a CWE-502 untrusted-data deserialization issue carrying a critical CVSS 9.8 score, reported through Microsoft Security Response Center; no public exploit identified at time of analysis. Because PowerScribe is a clinical radiology reporting platform widely deployed in hospital environments, successful exploitation could compromise systems handling protected health information.
Remote code execution in Microsoft Windows HTTP.sys allows unauthenticated network attackers to execute arbitrary code by triggering an integer overflow that leads to heap-based memory corruption. The flaw carries a CVSS 9.8 rating reflecting network reachability, no privileges, and no user interaction, and impacts the kernel-mode HTTP listener used by IIS and any Windows service relying on the HTTP Server API. No public exploit has been identified at the time of analysis and CISA KEV does not list it, but the wormable profile of HTTP.sys flaws warrants urgent patching.
Remote code execution and denial of service in Zephyr RTOS HTTP server (versions 3.7.0 through 4.3.0) allow unauthenticated network attackers to corrupt stack memory by sending a crafted Sec-WebSocket-Key header during WebSocket upgrade. The flaw is a CWE-170 improper NUL-termination issue where a bounded copy fails to terminate the header buffer, causing strlen() and subsequent concatenation to read and write past stack bounds. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivially reachable attack surface make this a high-priority issue for any Zephyr deployment with CONFIG_HTTP_SERVER_WEBSOCKET enabled.
Remote code execution and denial-of-service in bitbank2 AnimatedGIF v2.2.0 arises from a buffer overflow in the DecodeLZW function when processing a crafted GIF file. SSVC data indicates a proof-of-concept exists and exploitation is automatable, though it is not listed in CISA KEV; with CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) the vulnerability is network-reachable wherever this library decodes attacker-supplied GIFs.
Remote code execution in the Windows Kernel allows unauthenticated network attackers to execute arbitrary code by triggering a use-after-free condition (CWE-122 heap-related memory corruption). The flaw was reported by Microsoft (secure@microsoft.com) and carries a critical CVSS 9.8 with no public exploit identified at time of analysis. Tag metadata indicates the bug can also be leveraged for heap overflow and denial-of-service outcomes.
Remote code execution in the Windows DHCP Client is possible when a stack-based buffer overflow (CWE-121) is triggered by a crafted DHCP server response, allowing an unauthorized network attacker to run arbitrary code with no user interaction. The flaw carries a CVSS 9.8 critical rating reflecting network reachability, low complexity, and full impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because the DHCP client runs early in the network stack on virtually every Windows host, successful exploitation grants attacker-controlled code execution in a highly privileged context.
Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt up to ~8 MiB of heap memory by sending a crafted HTTP POST request with an oversized Content-Length header. The flaw is triggered before HTTP basic-auth validation runs, enabling pre-authentication exploitation against any exposed mod_verto HTTP endpoint, with CVSS 9.8 reflecting potential for remote code execution; no public exploit identified at time of analysis.
Unsafe JSON deserialization in Spring Framework's JMS message converters (MappingJackson2MessageConverter and JacksonJsonMessageConverter) lets an attacker who controls JMS message content instantiate arbitrary classes, enabling gadget-chain attacks that can escalate to unauthorized actions or remote code execution. It affects Spring Framework 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7 when applications consume messages from an untrusted JMS source. There is no public exploit identified at time of analysis, and despite a 9.8 CVSS the EPSS probability is only 0.04% and CISA SSVC rates exploitation as 'none'.
A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token.
DedeCMS V5.7.118 is vulnerable to Command Execution in file_manage_control.php.
Memory corruption in the Linux kernel's RDMA Soft-RoCE (rxe) driver allows incorrect iova-to-virtual-address translation when Memory Region (MR) page sizes differ from the system PAGE_SIZE, leading to access of wrong memory pages during RDMA operations. The flaw affects kernels from 6.3 through pre-6.18.14 / pre-6.19.4 / pre-7.0 patched releases, and a related kernel panic was previously reported by Yi Zhang. EPSS is 0.02% (4th percentile) and no public exploit identified at time of analysis, but a patch is available from upstream.
Stack-based buffer overflow in Perl DBI module versions prior to 1.648 allows attackers who can influence database error message content to corrupt memory via a fixed 200-byte stack buffer used during error formatting. The flaw is triggered when applications enable RaiseError, PrintError, or HandleError handlers - a near-universal configuration in production Perl database code. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02% despite the CVSS 9.8 rating.
Hardcoded credentials and default-enabled telnet on the Shenzhen Kangda Xin DR300 router (firmware 2.1.2.121) allow remote unauthenticated attackers to gain full administrative access over both WAN and LAN interfaces. With CVSS 9.8 and SSVC indicating proof-of-concept exploit code with total technical impact, attackers can read/write device memory, modify flash-resident firmware, and enumerate connected devices and active connections. No CISA KEV listing exists, but publicly available exploit code exists and the issue is automatable.
Remote SQL injection in MOSK Information Technologies CBS Platform (versions through 09062026) allows unauthenticated attackers to inject arbitrary SQL commands over the network without user interaction, yielding full confidentiality, integrity, and availability impact (CVSS 9.8). The vendor confirmed to TR-CERT that the product is no longer supported, so no official fix will be issued. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
SQL injection in Netcad Software's E-İmar urban planning/permit management platform (versions 2.10.1.0 through 3.0.2) allows remote unauthenticated attackers to manipulate backend database queries via crafted input. The CVSS 9.8 rating reflects network-reachable exploitation with no authentication or user interaction required, leading to full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis, but the disclosure by Turkey's national CERT (TR-CERT) indicates coordinated vendor notification.
Unauthenticated remote memory corruption in the SAP Kernel of SAP NetWeaver Application Server ABAP and ABAP Platform allows attackers to compromise confidentiality, integrity, and availability by sending crafted RFC requests that trigger logical errors in memory management. The CVSS 9.8 score reflects network-reachable, no-privileges, no-interaction exploitation against a foundational SAP component, though no public exploit identified at time of analysis and exploitation status beyond the vendor disclosure is not confirmed in CISA KEV.
Remote code execution in Google Chrome's Network component before version 149.0.7827.103 allows a remote attacker to execute arbitrary code within the renderer sandbox by luring a user to a crafted HTML page. The flaw is a use-after-free (CWE-416) classified High severity by Chromium with a CVSS 9.6 due to scope change and user-interaction prerequisite. No public exploit identified at time of analysis, but a vendor patch is already shipped via the Stable channel update.
Sandbox escape in Google Chrome before 149.0.7827.103 allows a remote attacker to break out of the renderer sandbox through a use-after-free in the Navigation component when a victim visits a crafted HTML page. The CVSS 9.6 score reflects a scope-changing impact on confidentiality, integrity, and availability with only user interaction (visiting a page) required, and no public exploit was identified at time of analysis.
Sandbox escape in Google Chrome for Mac (versions prior to 149.0.7827.103) stems from a use-after-free condition in the CameraCapture component, enabling a remote attacker to break out of the renderer sandbox via a crafted HTML page. With a CVSS of 9.6 (scope-changed, high impact across CIA) and an upstream fix released by Google, the bug carries high severity but requires user interaction to load the malicious page; no public exploit identified at time of analysis.
Sandbox escape in Google Chrome versions prior to 149.0.7827.103 enables remote attackers to break out of the browser's renderer sandbox via a crafted HTML page that triggers a use-after-free in the Printing component. Chromium rated this issue Critical severity, and the CVSS scope change (S:C) confirms the sandbox boundary is crossed; no public exploit identified at time of analysis, but the attack only requires the victim to load attacker-controlled content.
Sandbox escape in Google Chrome on Windows prior to 149.0.7827.103 allows remote attackers to exploit a use-after-free flaw in the Gamepad component via a crafted HTML page, requiring only that a victim visit a malicious site. Chromium rates this Critical severity and the CVSS score of 9.6 reflects scope change (sandbox escape) with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, but the bug class and Critical Chromium rating make it a high-priority browser patch.
Sandbox escape in Google Chrome prior to 149.0.7827.103 allows a remote attacker to break out of the browser's renderer sandbox via a crafted HTML page that exploits insufficient input validation in the UI layer. The scope-changing CVSS 9.6 reflects that successful exploitation crosses the sandbox security boundary, though user interaction (visiting a malicious page) is required. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV, but Google rates the underlying Chromium severity as High.
Sandbox escape in Google Chrome on Linux prior to 149.0.7827.103 can be triggered by an integer overflow in the browser's UI component when a victim visits a crafted HTML page. Rated CVSS 9.6 with scope change, this issue allows a remote attacker to break out of the Chrome renderer sandbox after one click or navigation, though no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Security feature bypass in Adobe ColdFusion 2023 (through Update 19) and ColdFusion 2025 (through Update 8) allows remote attackers to read files outside intended directories via a path traversal flaw, with a scope change that extends impact beyond the vulnerable component. Exploitation requires the victim to open a malicious file, and no public exploit identified at time of analysis; EPSS is low (0.02%) but CVSS is 9.6 due to the scope change and high CIA impact.
Remote code execution in Veeam Backup & Replication enables an authenticated domain user to execute arbitrary code on the Backup Server, with CVSS 4.0 score of 9.4 reflecting high impact across confidentiality, integrity, and availability of both the vulnerable component and downstream systems. The vulnerability is tagged as a deserialization flaw (CWE-502), and while no public exploit is identified at time of analysis, the low attack complexity and only-low-privilege requirement make this a high-priority patching event for any environment running Veeam in a domain-joined configuration.
Stored cross-site scripting in Vinna Process Monitor 4.0 Service Pack 1 (Build 63255) allows authenticated low-privilege users to inject persistent JavaScript that executes in other users' browsers, enabling theft of administrative session tokens and credentials. The CVSS 4.0 score of 9.3 reflects the cross-scope impact whereby a low-privileged attacker can escalate to administrative control. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Use-after-free in the KVM arm64 vGIC-ITS translation cache allows a malicious guest to corrupt host kernel memory by triggering concurrent cache invalidations that double-drop a single reference. The flaw affects Linux 6.10 and later until the stable backports, has no public exploit identified at time of analysis, and EPSS rates real-world exploitation probability as very low (0.02%, 5th percentile) despite the CVSS 9.3 rating.
Unauthenticated SQL injection in Nemon Trade Energy and Nemon Trade Energy CRM allows remote attackers to execute arbitrary SQL queries through the 'two_steps_auth_code' parameter on the '/user-login' endpoint. The 2FA verification flow is reachable without prior authentication, enabling full database compromise; no public exploit identified at time of analysis, but a vendor patch is available per the INCIBE advisory.
Remote tampering in Microsoft Windows DHCP Server allows unauthenticated network attackers to manipulate critical data with high confidentiality and integrity impact, as reflected by the 9.1 CVSS score. The vulnerability is reachable over the network without privileges or user interaction, and no public exploit identified at time of analysis. The combination of authentication bypass tagging and DHCP's role as a core network infrastructure service makes this a high-priority issue for any Windows environment running the DHCP Server role.
Heap corruption in FreeSWITCH libesl prior to version 1.11.1 allows a malicious or man-in-the-middle Event Socket Library (ESL) peer to crash or corrupt the memory of any process linked against libesl by sending a frame containing a negative Content-Length header. The flaw is pre-authentication and reachable before the client completes authentication to the peer, and no public exploit identified at time of analysis despite a CVSS of 9.1.
Arbitrary code execution in Adobe ColdFusion 2023 (through update 19) and 2025 (through update 8) lets an attacker who already holds high-privilege access run code in the context of the current user without any user interaction. The flaw stems from improper input validation (CWE-20) and carries a scope-changed CVSS 9.1, meaning impact can extend beyond the vulnerable component. There is no public exploit identified at time of analysis, EPSS is low (0.04%), and CISA SSVC currently rates exploitation as none, so this is a high-severity but not-yet-exploited issue requiring proactive patching.
Authentication bypass in bookcars v8.3 lets remote unauthenticated attackers forge JWT tokens against the /api/social-sign-in endpoint to impersonate arbitrary users. The flaw carries a CVSS 9.1 rating with no public exploit identified at time of analysis, though a third-party vulnerability writeup is referenced on GitHub. EPSS is very low (0.02%, 7th percentile), suggesting limited mass-scanning interest despite the high severity.
Privilege escalation and arbitrary code execution in Adobe ColdFusion 2023 (Update 17 and earlier) and 2025 (Update 8 and earlier) allows a high-privileged remote attacker to bypass authorization controls and execute code in the context of the current user. The flaw is a CWE-863 incorrect-authorization issue with a scope change, raising CVSS to 9.1, but no public exploit identified at time of analysis and EPSS is low (0.02%, 6th percentile). Adobe disclosed the issue via APSB26-64 and a vendor patch is available.
Pre-NVD disclosure via GitHub release 'OpenSSL 4.0.1' (openssl/openssl). OpenSSL 4.0.1 is a security patch release. The most severe CVE fixed in this release is High. This release incorporates the following bug fixes and mitigations: * Fixed heap use-after-free in `PKCS7_verify()`. ([CVE-2026-45447]) * Fixed CMS `AuthEnvelopedData` processing may accept forged messages. ([CVE-2026-34182]) * Fixed unbounded memory growth in the QUIC `PATH_CHALLENGE` handler. ([CVE-2026-34183]) * Fixed double-free when checking OCSP stapled respo
Path traversal in SAP NetWeaver Application Server Java's Web Container allows unauthenticated remote attackers to manipulate file inclusion parameters within crafted HTTP logon requests, leading to inclusion and processing of arbitrary local files. Successful exploitation can expose or modify sensitive data and render portions of the server unavailable, with no public exploit identified at time of analysis but a CVSS of 9.0 reflecting full CIA impact with scope change.