Symlink mishandling in LiteSpeed cPanel Plugin before 2.4.8 (and the bundling LiteSpeed WHM PlugIn before 5.3.2.0) lets a low-privileged tenant on a shared CloudLinux/CageFS host escape their per-user filesystem jail by planting symlinks the plugin follows with elevated privileges. The CVE record states the flaw was exploited against shared hosting providers in May 2026, and CVSS 8.5 with Scope:Changed reflects cross-tenant compromise of other customers' files on the same server. No separate KEV listing or public POC is present in the provided intelligence.
Authenticated command injection in the GL.iNet GL-MT3000 travel router (firmware up to 4.4.5) lets remote attackers with low-privileged access execute arbitrary OS commands via the replace_country function in the Tor Proxy Service configuration handler. Publicly available exploit code exists for the flaw, and the vendor has shipped a fix; no public exploit identified at time of analysis as actively exploited in the wild.
Command injection in the GL.iNet GL-MT3000 travel router's Online Firmware Upgrade Handler (/usr/bin/one_click_upgrade) allows authenticated remote attackers to execute arbitrary OS commands on devices running firmware up to 4.4.5. Publicly available exploit code exists on GitHub, and the issue is fixed in firmware 4.7 (with 4.8.1 currently published by the vendor). No CISA KEV listing has been confirmed, but the combination of a published PoC and an internet-exposable management interface raises the practical risk above the headline CVSS score.
Command injection in the Ruijie EG105G-P 2.340 gateway router allows authenticated remote attackers to execute arbitrary OS commands by manipulating the params.target argument of the nslookup function in the /cgi-bin/luci/api/diagnose JSON-RPC endpoint. Publicly available exploit code exists, the vendor did not respond to coordinated disclosure, and successful exploitation yields full confidentiality, integrity, and availability impact on the device.
Local privilege escalation in VS Revo RevoUninstaller versions 2.5.x and 2.6.x is possible through a heap-based buffer overflow in the IOCtl_Handler function within the RevoDetector.sys kernel driver. Authenticated local users sending crafted IOCTL requests can corrupt kernel pool memory, potentially achieving SYSTEM-level code execution. Publicly available exploit code exists, and a detailed write-up plus PoC repository have been published, raising the practical risk despite no active exploitation listing.
Iptanus File Upload WordPress plugin before version 5.1.7 allows authenticated low-privilege users to overwrite other users' uploaded files by exploiting a Time-of-Check to Time-of-Use (TOCTOU) race condition in the plugin's file deduplication logic. The flaw is conditional on the `duplicatepolicy` setting being configured to 'maintain both,' and requires winning a precise timing race between the file existence check and the write operation. No active exploitation is confirmed by CISA KEV; however, a publicly available exploit exists via WPScan, and EPSS remains negligible at 0.01%, consistent with the high attack complexity required.
OS command injection and arbitrary file truncation in the Perl module Config::IniFiles before 3.001000 occurs because _make_filehandle uses Perl's 2-argument open() on the -file argument, letting filenames prefixed/suffixed with shell metacharacters ('| cmd', 'cmd |', '> path', '>> path') execute commands or overwrite files under the process UID. Any application passing untrusted input to new(-file => ...) or ReadConfig is exposed. EPSS is low (~0.26%) and SSVC reports no observed exploitation, but an upstream patch and a public regression test demonstrate the issue clearly.
Off-by-one buffer overflow in nanoMODBUS through v1.23.0 lets remote unauthenticated attackers write one attacker-controlled byte past a 260-byte receive buffer in the Modbus/TCP server's recv_msg_header() function. The corruption of the adjacent buffer-index field can cause denial of service on all targets and, on bare-metal/RTOS deployments without memory protection, leak one byte of memory and trigger unintended writes through the Write Multiple Registers (FC16) handler. No public exploit identified at time of analysis, but the bug is trivially reachable by sending a crafted MBAP frame with Length=255.
Integer underflow and out-of-bounds read in driftregion iso14229 through version 0.9.0 allows remote unauthenticated attackers to crash a UDS server or read up to 65535 bytes of memory past the 4KB receive buffer by sending a single-byte 0x27 SecurityAccess diagnostic request. The Handle_0x27_SecurityAccess() function in iso14229.c at line 1447 fails to validate that recv_len is at least 2 before computing key-data length via unsigned subtraction, uniquely among all other sub-function handlers in the library. No public exploit identified at time of analysis, though the CVSS 4.0 supplemental metric E:P indicates publicly available exploit code exists, and the vulnerability is exposed across CAN bus, OBD-II, ISO-TP, and DoIP transports in the default diagnostic session on automotive ECUs, industrial controllers, and IoT devices.
Heap-based out-of-bounds read and integer underflow in LiamBindle MQTT-C (all versions through 1.1.6) allows a remote attacker who controls an MQTT broker - or who can inject packets into an unencrypted MQTT session - to crash any subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single specially crafted PUBLISH packet. The flaw resides in mqtt_unpack_publish_response() in src/mqtt.c, where the broker-supplied 16-bit topic_name_size field is used to advance a parse pointer without validating it fits within the packet's remaining_length, and the subsequent unsigned subtraction to derive application_message_size wraps to near 2^32 and is passed directly to memmove(). No patched release has been identified at time of analysis; a proof-of-concept is indicated by the CVSS 4.0 E:P supplemental metric, and this vulnerability is not listed in the CISA KEV catalog.
Buffer overflow in the web server component of GALAYOU Y4 version 1.0.0 allows adjacent-network attackers to compromise the device's confidentiality, integrity, and availability without authentication. Publicly available exploit code exists per VulDB disclosure, though the vendor was contacted and did not respond, leaving the issue unpatched. EPSS data was not provided and the flaw is not listed in CISA KEV, but the public PoC combined with vendor silence elevates practical risk for any deployment exposed on shared LAN/Wi-Fi segments.
Insecure deserialization in Comma AI Openpilot 0.11 allows a local authenticated attacker to achieve code execution by supplying a malicious pickle payload to the pickle.load/pickle.loads calls in selfdrive/modeld/modeld.py. The flaw requires local access with low privileges and no public exploit identified at time of analysis, but the vendor reportedly did not respond to coordinated disclosure, leaving the issue unpatched. CVSS 4.0 scores it 7.1 (High) with full confidentiality, integrity, and availability impact on the vulnerable system.
Timing side-channel in Linux-PAM's pam_userdb module through version 1.7.2 allows plaintext password recovery by any attacker capable of repeatedly submitting authentication attempts to a service backed by the vulnerable configuration. The module's use of length-prefixed strncmp() (or strncasecmp() with PAM_ICASE_ARG) on plaintext credentials leaks both password length and individual prefix bytes via measurable response-time differences, enabling iterative character-by-character reconstruction of the stored password. Proof-of-concept exploit methodology exists per CVSS 4.0 supplemental metadata (E:P); while no CISA KEV listing was found, the high confidentiality impact (VC:H) and credential-disclosure nature make this a meaningful risk for any deployment relying on pam_userdb in plaintext mode.
Unredacted iSCSI credential disclosure in OpenStack Ironic through 35.0.1 occurs specifically when an authenticated operator issues a PATCH request to update authorized fields in a node's volume properties - the API response returns sensitive data such as iSCSI CHAP usernames and secrets in plaintext. The scope change reflected in the CVSS (S:C) is meaningful: leaked storage credentials extend the blast radius beyond Ironic itself to the underlying iSCSI storage infrastructure. Notably, the same volume properties endpoint does not exhibit this behavior on POST requests, isolating the flaw to the PATCH response serialization path. No public exploit code has been identified and the vulnerability is not listed in CISA KEV.
SQL injection in Grit42 Grit up to version 0.11.0 allows authenticated low-privilege remote attackers to query or manipulate the backend database through a CSV export endpoint handled by the GritEntityController Rails concern. The vulnerable code path resides in shared controller logic at modules/core/backend/app/controllers/concerns/grit/core/grit_entity_controller.rb, meaning the injection surface may extend across multiple entity types rather than a single isolated route. A public proof-of-concept exploit exists via a researcher's GitHub repository, no vendor patch has been released, and the vendor was unresponsive to responsible disclosure - leaving deployments without an official remediation path.
Improper authorization in Moovit Bus & Public Transit App 1.18 on Android exposes the com.tranzmate custom URL scheme handler to invocation by any locally installed application without proper authorization checks, enabling information disclosure and limited unauthorized manipulation of app functionality. The vulnerability is classified as CWE-939 and is restricted to local attack vectors, meaning a co-resident malicious application on the same Android device is required to trigger it. A proof-of-concept exploit has been publicly released via GitHub and Google Drive, and the vendor did not respond to responsible disclosure - no patch is confirmed available at time of analysis.
Improper authorization in the custom URL scheme handler of Genspark AI Workspace App 2.8.4 on Android allows a local low-privileged attacker to invoke restricted application functionality via the ai.mainfunc.genspark component without proper access control. The flaw is classified under CWE-939, affecting inter-app communication on Android where the URL scheme handler fails to verify the caller's authorization. No patch is available as the vendor did not respond to responsible disclosure; no public exploit or CISA KEV confirmation exists at time of analysis.