Authentication bypass via replay attack affects Wertheim SafeController 5400 and Controller 5400 (AssemblyVersion 6.11.8130.22320) vault room safe deposit locker systems, where RS-485 traffic between the server and microcontroller flows without cryptographic protection. An adjacent attacker with physical access to the RS-485 bus can capture legitimate commands and replay them - for instance, repeatedly injecting a 'quit alarm' message to silently disable the safe's alarm. No public exploit identified at time of analysis, and there is no published CISA KEV listing or EPSS data for this physical-bus weakness.
SQL injection in the MasterStudy LMS WordPress plugin (versions 3.7.25 and earlier) allows authenticated users at the Subscriber privilege level to inject crafted SQL into backend database queries, leading to high-impact disclosure of confidential database contents and limited availability degradation. The flaw was reported by Patchstack and carries a scope-changed CVSS 3.1 score of 8.5; no public exploit identified at time of analysis.
SQL injection in the Blubrry PowerPress Podcasting WordPress plugin through version 11.15.10 allows authenticated users with Contributor-level privileges to inject arbitrary SQL into backend queries. The flaw, reported by Patchstack and tracked as EUVD-2026-36910, scores CVSS 8.5 due to scope change reaching the underlying database, but no public exploit identified at time of analysis. Confidentiality impact is high while integrity is unaffected, suggesting data exfiltration rather than tampering is the primary risk.
Local privilege escalation in multiple Ricoh and Konica Minolta printer drivers on Windows hosts allows an authenticated low-privileged user to gain higher privileges by supplying a specially crafted driver component. The flaw is rooted in CWE-427 (Uncontrolled Search Path Element), and at time of analysis no public exploit identified at time of analysis. CVSS 4.0 of 8.5 reflects high confidentiality, integrity, and availability impact despite requiring local access.
Unauthorized hook command execution in Cursor Desktop versions prior to 3.0.0 allows a malicious workspace to silently run local commands by registering Claude hooks in .claude/settings.local.json without prompting the user for approval. The flaw, tracked under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), enables sandbox escape, persistence, and follow-on compromise the moment an agent turn completes. No public exploit identified at time of analysis, but the vendor advisory GHSA-pc9j-3qc2-95wv confirms the issue and the CVSS 4.0 base score of 8.5 (High) reflects full CIA impact on the victim's workstation.
Local privilege escalation and denial of service in HP One Agent software on HP PC products allow authenticated low-privileged users to gain elevated rights or disrupt the agent. HP has acknowledged the issue and is releasing software updates as mitigation. No public exploit identified at time of analysis, and the flaw is not listed on CISA KEV.
SQL injection in the WCMultiShipping WordPress plugin (Mondial Relay & Chronopost for WooCommerce) versions 3.0.2 and earlier allows authenticated users holding only the low-privilege Subscriber role to inject arbitrary SQL into backend queries. The scope-changed CVSS 8.5 reflects high confidentiality impact across security boundaries, and no public exploit identified at time of analysis. Disclosure originates from Patchstack's WordPress vulnerability database.
SQL injection in the Taskbuilder WordPress plugin versions 5.0.7 and earlier allows authenticated Subscriber-level users to inject malicious SQL into backend database queries, enabling exposure of sensitive data including credential hashes and limited integrity/availability impact on the underlying WordPress site. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 8.5 driven by a scope change to the database tier; there is no public exploit identified at time of analysis and the issue is not on CISA KEV.
SQL injection in the ELEX WordPress HelpDesk & Customer Ticketing System plugin (versions <= 3.3.6) allows authenticated users with low-privilege Subscriber accounts to inject arbitrary SQL into backend database queries. Successful exploitation results in high confidentiality impact with a scope change, enabling access to data beyond the plugin's own tables, plus limited availability impact. No public exploit identified at time of analysis, but the disclosure originates from Patchstack's WordPress plugin vulnerability program.
SQL injection in the WP Time Slots Booking Form WordPress plugin (versions 1.2.50 and earlier) allows authenticated Subscriber-level users to inject arbitrary SQL into backend database queries. The CVSS 3.1 vector indicates a scope change with high confidentiality impact, meaning an attacker who only holds the lowest WordPress role can read data beyond the plugin's own scope. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
SQL injection in the GamiPress WordPress plugin versions 7.8.7 and earlier allows authenticated users with subscriber-level privileges to inject arbitrary SQL queries against the WordPress database. The flaw was reported by Patchstack and affects standard installations of the plugin, enabling attackers with the lowest authenticated role to read sensitive database contents and cause limited integrity or availability impact via the scope-changed condition. No public exploit identified at time of analysis.
Local privilege escalation in Iru, Inc Kandji Agent versions prior to 4.7.5(5374) allows a local attacker to invoke restricted agent functionality by exploiting a client-side validation gap. The flaw maps to CWE-269 (Improper Privilege Management) and carries a CVSS 8.4 rating due to high impact on confidentiality, integrity, and availability, though no public exploit identified at time of analysis and EPSS is low at 0.14%.
Sensitive header leakage in @angular/service-worker allows remote attackers to capture Authorization tokens, Proxy-Authorization credentials, and session cookies when a credentialed asset fetch is redirected cross-origin, because the worker preserved request headers instead of stripping them per the Fetch redirect algorithm. Affected versions span Angular 20.x, 21.x, and 22.x prereleases (and all 19.x and earlier), and no public exploit identified at time of analysis. The flaw was discovered by Google DeepMind's CodeMender and patched in 22.0.1, 21.2.17, and 20.3.25.
Denial of service in @angular/common's formatDate function (and the DatePipe that wraps it) allows remote attackers to exhaust CPU and memory by supplying an excessively long, attacker-controlled date format string. On Server-Side Rendered Angular apps this triggers a JavaScript heap out-of-memory crash that takes down the application for all users; on Client-Side Rendered apps it freezes the victim's browser tab. No public exploit identified at time of analysis, but the upstream patch and regression tests are public in angular/angular#69197.
Information disclosure in @angular/common HttpTransferCache allows unauthenticated attackers to obtain other users' private data when Server-Side Rendering and hydration are enabled. The flaw stems from the cache failing to inspect the withCredentials flag or Cookie header, allowing credentialed responses to be serialized into SSR HTML and inadvertently shared via downstream CDN/reverse-proxy caches. No public exploit identified at time of analysis, but a vendor patch and detailed advisory describing the conditions are available.
Denial of service in Angular's @angular/common package allows attackers to exhaust CPU and memory by passing crafted digitsInfo strings (e.g., '1.200000000-200000000') to formatNumber, DecimalPipe, PercentPipe, or CurrencyPipe. On SSR deployments this crashes the Node.js process with a heap-out-of-memory error, while client-side rendering freezes the browser tab. No public exploit identified at time of analysis, though the patched code and triggering input strings are documented in PR #68840.
Unauthenticated broken access control in the AI Product Search for WooCommerce - Motive Commerce Search WordPress plugin (versions <= 1.38.2) allows remote attackers to invoke privileged functionality without authentication, leading to data integrity tampering and significant availability impact on affected WooCommerce storefronts. Reported by Patchstack with no public exploit identified at time of analysis and no CISA KEV listing, the issue stems from missing authorization checks (CWE-862) on plugin endpoints reachable over the network with no user interaction.
Code injection in protobufjs-cli pbjs static and static-module code generation allows attacker-influenced JSON descriptor names to be emitted as unsafe JavaScript references in generated output, leading to arbitrary code execution when the generated file is later imported and an affected API path is invoked. This affects npm protobufjs-cli versions <= 1.3.1 and 2.0.0 through 2.4.2, and is an incomplete-fix bypass of CVE-2026-44295 (GHSA-6r35-46g8-jcw9). At time of analysis, no public exploit identified and no CISA KEV listing, but vendor-released patches exist in 1.3.2 and 2.5.0.
Authenticated command injection in kanishka-linux Reminiscence v0.3.0 lets remote attackers execute arbitrary OS commands by submitting crafted input to the /manage/features/media endpoint. The flaw maps to CWE-78 with CVSS 8.1 (PR:L), and publicly available exploit code exists in a referenced gist; EPSS is modest at 0.66% (47th percentile) and the issue is not on CISA KEV.
Unauthenticated broken access control in the Hippoo Mobile App for WooCommerce WordPress plugin (versions 1.9.5 and earlier) allows remote attackers to access protected functionality or data without valid credentials. The flaw is reported by Patchstack and stems from missing authorization checks (CWE-862), enabling unauthenticated retrieval or manipulation of resources that should be gated behind authentication. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.
Unauthenticated PHP object injection in the Paid Videochat Turnkey Site WordPress plugin (versions 7.3.23 and earlier, also marketed as 'ppv-live-webcams') allows remote attackers to deserialize untrusted data and potentially achieve full compromise of the underlying site. The flaw was reported by Patchstack and tracked as EUVD-2026-36915; no public exploit code or CISA KEV listing is identified at time of analysis, though the CVSS 8.1 score reflects confidentiality, integrity, and availability impact gated by high attack complexity.
Unauthenticated privilege escalation in the WP BASE Booking WordPress plugin (versions through 5.9.0) allows remote attackers to elevate privileges without credentials, with potential to fully compromise affected WordPress sites. The flaw is rated CVSS 8.1 (high) with no public exploit identified at time of analysis, but the unauthenticated nature and high impact on confidentiality, integrity, and availability make it a notable risk for sites running the plugin.
Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.
An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allows attackers to scan internal resources via supplying a crafted URL.
Incorrect access control in the impworks Bonsai v6.0 allows authenticated attackers with Editor privileges to escalate privileges to Administrator and execute unauthorized account, password, and configuration changes.
Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request.
Authentication bypass in the Really Simple SSL WordPress plugin versions 9.5.10 and earlier allows remote attackers to circumvent identity verification controls (CWE-288), potentially gaining unauthorized access to WordPress sites that rely on the plugin's two-factor or login security features. The flaw was disclosed via Patchstack and carries a CVSS 3.1 base score of 8.1 driven by high impact on confidentiality, integrity, and availability, though high attack complexity (AC:H) suggests non-trivial preconditions. No public exploit identified at time of analysis and EPSS data was not supplied.
Unauthenticated PHP Object Injection in the EventPrime event calendar plugin for WordPress (versions <= 4.3.2.1) allows remote attackers to inject crafted serialized PHP objects that may trigger arbitrary deserialization-driven gadget chains, leading to potential remote code execution, file manipulation, or data tampering. The flaw is reachable without authentication but carries CVSS:3.1 AC:H, indicating non-trivial preconditions for successful exploitation. No public exploit identified at time of analysis, but Patchstack disclosure typically precedes broader exploit development against the WordPress plugin ecosystem.
Authentication bypass in the CloudSecure WP Security WordPress plugin (versions ≤ 1.4.7) allows remote unauthenticated attackers to subvert the plugin's authentication controls, leading to high impact on confidentiality, integrity, and availability of affected WordPress sites. The flaw is tracked by Patchstack and ENISA EUVD as a broken authentication issue (CWE-288) with a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.
OS command injection in BrowserStack's browserstack-cypress-cli versions prior to 1.36.6 allows attackers who control the cypress_config_filepath value to execute arbitrary shell commands in the context of the user running the CLI. The vulnerable loadJsFile() function in readCypressConfigUtil.js interpolated the path into a shell command executed via child_process.execSync(), letting embedded quote and semicolon characters break out of the quoted argument. No public exploit identified at time of analysis, though the upstream commit and added negative tests effectively document the exact payload pattern.
Local privilege escalation in Microvirt MEmu Android Emulator 9.2.7.0 allows a low-privileged local user to abuse the MemuService.exe component to gain elevated rights on the host Windows system. Mapped to CWE-269 (Improper Privilege Management), with no public exploit identified at time of analysis and an EPSS score of 0.21% indicating low predicted exploitation likelihood. Researcher PoC repository exists on GitHub (sec-zone/CVE-2026-36213) but active exploitation has not been reported.
Arbitrary code execution in OpenCPN v5.12.0 allows local authenticated users to run shell commands by embedding shell metacharacters in input passed to the wxExecute() function. CVSS 3.1 rates it 7.8 (High) with local attack vector and low privileges required, and SSVC assesses technical impact as total but with no observed exploitation. No public exploit identified at time of analysis beyond a researcher write-up referenced in the advisory.
Arbitrary code execution in Foxit AI (versions before 2026-06-15) occurs when the application processes JavaScript embedded in a PDF inside its sandbox but fails to intercept dangerous interfaces, permitting remote script loading. A user must open a malicious PDF for exploitation to succeed, and no public exploit identified at time of analysis with EPSS at only 0.13%. SSVC reports total technical impact but no observed exploitation.
Credential leakage in Tornado's SimpleAsyncHTTPClient (versions prior to 6.5.6) allows sensitive Authorization headers and HTTP auth parameters to be forwarded to attacker-controlled origins during 3xx redirect handling. Because follow_redirects=True is the default behavior, any Tornado-based client making outbound HTTP requests with credentials may inadvertently disclose them to a redirect target on a different scheme, host, or port. No public exploit identified at time of analysis, and this issue is not listed in CISA KEV.
Arbitrary file deletion in the Link Library WordPress plugin (versions 7.8.8 and earlier) allows authenticated contributors to delete arbitrary files on the server via a path traversal flaw. Reported by Patchstack and tracked as EUVD-2026-36986, the issue enables low-privileged authors of WordPress content to disrupt site availability by removing critical files such as wp-config.php; no public exploit identified at time of analysis.
Credential leakage in Mattermost Desktop App versions up to 6.1 and 5.5.13.0 allows authenticated server users to harvest NTLM credentials from other users by embedding images that resolve to attacker-controlled external web servers. The client fails to enforce a strict domain allow list before forwarding Windows NTLM authentication challenges, so any post in a server without the image proxy enabled becomes a credential capture vector. No public exploit identified at time of analysis and EPSS is low (0.18%), but the scope-change CVSS of 7.7 reflects cross-user impact.
Arbitrary file deletion in the Groundhogg WordPress plugin (versions 4.4 and earlier) allows authenticated users with the Sales Representative role to delete files outside the plugin's intended scope via a path traversal flaw. With no public exploit identified at time of analysis and a CVSS 7.7 driven by scope change and high availability impact, the issue threatens site integrity and uptime rather than data confidentiality. The vulnerability was disclosed by Patchstack and is tracked in the ENISA EUVD as EUVD-2026-36971.
Authorization bypass in elixir-grpc (grpc library for Elixir) versions 0.8.0 through 0.x allows authenticated attackers to override path-bound URL parameters via query string or request body values, defeating ownership and multi-tenancy checks. The flaw stems from incorrect Map.merge/2 precedence in GRPC.Server.Transcode.map_request/5, where attacker-controlled query/body values silently overwrite the router-extracted path bindings used by handlers for authorization. No public exploit identified at time of analysis, but upstream patch and detailed regression tests are publicly available.
Heap memory corruption in the WavPack audio decoder of GStreamer's gst-plugins-good package allows remote attackers to crash applications or potentially achieve arbitrary code execution when a victim opens a malicious WavPack (.wv) audio file. The flaw, tracked as CVE-2026-53705 and reported by Red Hat, affects Red Hat Enterprise Linux versions 7, 8, 9, and 10, and stems from an integer overflow during buffer size calculation that produces an undersized heap allocation later overrun by decoded samples. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the multimedia decoder attack surface combined with RCE potential makes it a meaningful patching priority.
Denial of service in Tornado web framework versions prior to 6.5.6 allows a malicious HTTP server to exhaust client memory through a gzip decompression bomb against SimpleAsyncHTTPClient in its default configuration. The flaw stems from missing cumulative size enforcement on decompressed response bodies; HTTPServer is also vulnerable when explicitly configured with decompress_request=True. No public exploit identified at time of analysis, though the technique (gzip bomb) is well-understood and trivial to weaponize.
Server-side request forgery in Starlette's StaticFiles on Windows allows unauthenticated remote attackers to coerce the application process into making outbound SMB connections to attacker-controlled hosts, leaking the service account's NTLMv2 hash for offline cracking or NTLM relay. The flaw affects all Starlette versions before 1.1.0 (including downstream frameworks like FastAPI) when running on Windows in the default follow_symlink=False configuration, and no public exploit identified at time of analysis though the GHSA advisory provides full technical detail sufficient to reproduce.
Denial-of-service in Spring Cloud Sleuth 3.1.0 through 3.1.13 allows remote unauthenticated attackers to exhaust application availability by sending specially crafted calls processed by the spring-cloud-sleuth-instrumentation library when Spring TX (transaction) instrumentation is enabled. The flaw is network-reachable with low attack complexity and no user interaction (CVSS 7.5, AV:N/AC:L/PR:N), but there is no public exploit identified at time of analysis and no CISA KEV listing. Impact is limited to availability - no confidentiality or integrity compromise is possible.
Unauthenticated information disclosure in the Arraytics WP Event Solution (Eventin) WordPress plugin through version 4.1.8 allows remote attackers to bypass access control checks and read data they should not be permitted to access. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36985; no public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Unauthenticated sensitive data exposure in the Inisev Backup Migration WordPress plugin (versions through 2.1.1) allows remote attackers to retrieve confidential information without credentials or user interaction. Patchstack rates the issue at CVSS 7.5 with high confidentiality impact; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Unsafe PHP deserialization in Quick.CMS by OpenSolution lets an on-path attacker who can tamper with the plaintext HTTP channel inject malicious serialized objects that are deserialized when an administrator opens the admin panel, yielding arbitrary code execution on the server. The CVSS 4.0 vector (AV:A/AC:L/AT:P/PR:N/UI:P) reflects that exploitation requires adjacent-network MITM positioning plus an administrator session, and no public exploit identified at time of analysis. CERT-PL reported the issue and OpenSolution shipped a patch for version 6.8 on 14.05.2026 that mitigates the flaw by forcing HTTPS.
Concurrent action execution in OliveTin versions 3000.0.0 and prior triggers a race condition in a shared text/template.Template instance, enabling cross-user command contamination, runtime panics, and execution of unintended commands. Authenticated users of the OliveTin web interface can exploit this by issuing parallel ExecRequests; no public exploit is identified at time of analysis, but the bug manifests during normal multi-user operation. The vendor patched the issue in version 3000.13.0.
Unauthenticated path traversal in the Shared Files WordPress plugin (versions 1.7.64 and earlier) allows remote attackers to read arbitrary files outside the plugin's intended directory scope on the underlying WordPress host. The flaw is reachable without authentication over the network and carries a CVSS 7.5 with high confidentiality impact, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Disclosed by Patchstack, the bug primarily threatens sensitive files such as wp-config.php and other server-side secrets accessible to the web user.
{json:true}), or JSON.stringify(), unbounded recursion exhausts the JavaScript call stack. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-wcpc-wj8m-hjx6 provides full technical detail and patched versions are available.
Unauthenticated broken access control in the WP Directory Kit WordPress plugin (versions ≤ 1.5.0) allows remote attackers to bypass authorization checks on plugin endpoints and access functionality or data that should require authentication. The flaw was disclosed via Patchstack and tracked as EUVD-2026-36963; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.