SQL injection in Grit42 Grit up to version 0.11.0 allows authenticated low-privilege remote attackers to query or manipulate the backend database through a CSV export endpoint handled by the GritEntityController Rails concern. The vulnerable code path resides in shared controller logic at modules/core/backend/app/controllers/concerns/grit/core/grit_entity_controller.rb, meaning the injection surface may extend across multiple entity types rather than a single isolated route. A public proof-of-concept exploit exists via a researcher's GitHub repository, no vendor patch has been released, and the vendor was unresponsive to responsible disclosure - leaving deployments without an official remediation path.
Improper authorization in Moovit Bus & Public Transit App 1.18 on Android exposes the com.tranzmate custom URL scheme handler to invocation by any locally installed application without proper authorization checks, enabling information disclosure and limited unauthorized manipulation of app functionality. The vulnerability is classified as CWE-939 and is restricted to local attack vectors, meaning a co-resident malicious application on the same Android device is required to trigger it. A proof-of-concept exploit has been publicly released via GitHub and Google Drive, and the vendor did not respond to responsible disclosure - no patch is confirmed available at time of analysis.