Arbitrary file write via path traversal in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticated low-privileged attacker to create or overwrite any file on the underlying operating system by sending crafted HTTP requests to affected API endpoints. The vulnerability stems from insufficient validation of user-supplied input during the file upload process (CWE-22), and a successful exploit can serve as a reliable stepping stone to root-level privilege escalation on the management host. No public exploit has been identified at time of analysis, and the vulnerability is not currently listed in CISA KEV; however, the integrity impact combined with root escalation potential elevates real-world risk above the CVSS 6.5 Medium baseline.
WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
CAPTCHA challenge controls in Discuz! X5.0 (releases 20260320-20260501) can be reliably defeated by unauthenticated remote attackers who harvest samples from exposed forum endpoints and train a custom optical character recognition model to predict challenge text. The underlying weakness - CWE-804 - stems from a limited, predictable character set and insufficient visual distortion in generated images, enabling automation of login, registration, and other abuse-protected flows. Critically, a publicly available exploit exists and KarmaInsecurity has documented chaining this bypass with a race condition to achieve full remote code execution, substantially elevating practical risk beyond the standalone CVSS 4.0 score of 6.9.
Path traversal in Microweber CMS up to version 2.0.20 exposes the unauthenticated `/api_nosession/thumbnail_img` endpoint to file system manipulation via the `cache_path_relative` parameter of the `userfiles_path` function. Remote, unauthenticated attackers can traverse outside the intended directory to read - and potentially write - files accessible to the web server process. A public proof-of-concept exploit is available and the vendor did not respond to responsible disclosure, meaning no patch exists at time of analysis.
Unauthenticated information disclosure in HKUDS AI-Trader exposes the Research Export endpoint (`/api/research/agents.csv`) to any remote attacker without credentials, leaking proprietary research output in CSV format. The vendor explicitly confirmed the pre-patch state lacked access control: 'Research export endpoints now require an authenticated agent with the research_exports capability.' A public proof-of-concept exploit exists (CVSS 4.0: 6.9, E:P), and the upstream fix is available via commit 91a31aac1b0f4dbc6b8bef9f6eff0b7912e0bc65; no active exploitation is confirmed in CISA KEV at this time.
Stack-based buffer overflow in Ritlabs TinyWeb Server 1.94 and earlier on Win32 allows remote unauthenticated attackers to crash the server or potentially execute arbitrary code by sending a specially crafted HTTP Authorization header, triggering a memory corruption condition in the libeay32.dll component's Header Handler. A public proof-of-concept exploit has been disclosed at nathan2.com/posts/tinyweb/, and the vendor has not responded to responsible disclosure notifications, leaving all known versions unpatched. No active exploitation has been confirmed in CISA KEV, though the combination of a public POC, network-reachable attack surface, and no patch represents a meaningful risk for any deployment of this software.
Prototype pollution in RubyLouvre Avalon's Template Filter Handler (src/filters/index.js) allows remote unauthenticated attackers to modify JavaScript Object.prototype attributes by supplying crafted template filter input. All versions through 2.2.10 are affected per the CPE range cpe:2.3:a:rubylouvre:avalon:*:*:*:*:*:*:*:*. No vendor patch exists - the maintainer did not respond to coordinated disclosure - and a public exploit is available on GitHub (OriginSecurityX/avalon-filter-rce), which the repository title characterizes as capable of remote code execution, a materially more severe claim than the CVSS 4.0 VI:L rating assigned by the reporter.
Prototype pollution in jsonata-js (all versions up to 2.2.0) allows remote unauthenticated attackers to inject arbitrary properties into JavaScript's Object.prototype via the createFrame function in src/jsonata.js. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) with exploitation status E:P confirms this is network-exploitable with zero prerequisites, and a public proof-of-concept has been published on GitHub demonstrating a hasOwnProperty guard bypass. No patch exists - the vendor failed to respond to coordinated disclosure - leaving all users of jsonata ≤ 2.2.0 indefinitely exposed.
Unauthenticated remote access to ShopXO's Scheduled Task (Crontab) API endpoint in versions up to 6.7.1 allows any network attacker to invoke order-state mutation functions - including OrderClose, OrderSuccess, PayLogOrderClose, and GoodsGiveIntegral - without any credentials or authorization. This authorization bypass (CWE-639) directly threatens e-commerce integrity: attackers can fraudulently mark unpaid orders as successful, prematurely close active orders, or artificially award loyalty points. A public proof-of-concept exploit is available on GitHub, no vendor patch has been released, and the vendor did not respond to responsible disclosure - making this an immediately actionable risk for any internet-exposed ShopXO deployment.
Stored Cross-Site Scripting in the Form Builder CP WordPress plugin (all versions before 1.2.47) allows authenticated users holding Editor-level access or above to inject persistent malicious scripts via unsanitized form configuration values, which execute in every visitor's browser upon rendering the affected form. Critically, this attack succeeds even when WordPress's `unfiltered_html` capability has been revoked - a control that multisite administrators commonly rely on to prevent exactly this class of injection from Editor-level roles. A publicly available exploit exists per WPScan, though no confirmed active exploitation (CISA KEV) has been recorded and the EPSS score of 0.19% (9th percentile) reflects limited automated mass exploitation at time of analysis.
The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address and description fields and the marker's geographic coordinates.
The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to retrieve marker records that the site owner has not approved for public display, including their title, category, address and description fields.
WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SSRF filter bypass in Symfony's NoPrivateNetworkHttpClient permits requests to private IPv4 addresses to be smuggled via four classes of IPv6 transition encodings - 6to4 (2002::/16), NAT64 (64:ff9b::/96 and 64:ff9b:1::/48), Teredo (2001::/32), and IPv4-compatible (::/96) - none of which appeared in the IpUtils::PRIVATE_SUBNETS blocklist. Any Symfony application on versions 5.4.0-5.4.52 or 6.4.0-8.0.12 that uses NoPrivateNetworkHttpClient as its SSRF guard and accepts attacker-controlled URLs is vulnerable to the filter bypass; actual packet delivery to the embedded private IPv4 is additionally gated by the server's IPv6 routing configuration. No public exploit code has been released and this CVE is not in CISA KEV, but the bypass payloads are fully enumerated in the official security advisory.
Tar parser interpretation differential in node-tar (npm `tar` package) <= 7.5.15 allows a crafted archive to present a different member list to node-tar than to GNU tar, libarchive, or Python tarfile, enabling security scanner evasion in pipelines that scan with one tool and extract with another. The flaw stems from node-tar incorrectly applying a PAX extended header's `size=` override to intermediary GNU long-name (`L`) and long-link (`K`) metadata headers, desynchronizing the stream cursor and causing node-tar to raise a checksum error and report zero members while reference parsers correctly extract files. A detailed, working proof-of-concept (Python stdlib only) is included in the advisory; no active exploitation (CISA KEV) has been confirmed at time of analysis, but the broad npm ecosystem blast radius - node-tar backs npm's own tarball handling - materially elevates real-world risk.
Path traversal in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables an authenticated user holding the settings_branches_manage privilege to embed directory traversal sequences in a newly created branch code, redirecting downstream file-write operations — covering uploaded files, profile pictures, and settings data — to attacker-chosen filesystem locations. The root cause is insufficient server-side validation of the branch code field at branch creation time; that tainted value later propagates into multiple file-path-generation routines across the application. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified; real-world impact is bounded by both the service account's write permissions and length restrictions on the branch code value.
Unauthenticated file disclosure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) exposes unprotected HTTP endpoints that allow any remote, unauthenticated attacker to directly download files from paths including /Resources/CompanyId_[ID]/Audio/ and /SafeData/. The affected software manages physical vault rooms and safe deposit locker systems, making the /SafeData/ endpoint particularly sensitive as it likely contains locker allocation records, customer data, or audit materials. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the network-accessible, zero-authentication nature of the flaw (AV:N/AC:L/PR:N/UI:N per CVSS 4.0) makes opportunistic abuse trivially achievable without specialized tooling.
Arbitrary file deletion in Meta Box - WordPress Custom Fields Framework versions 5.11.1 and earlier exposes servers to filesystem damage through a path traversal flaw (CWE-22) accessible to WordPress Contributor-level users. By embedding traversal sequences in a crafted file deletion request, an authenticated Contributor can delete files outside the intended plugin directory, potentially reaching critical server or WordPress installation files. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis; however, the scope-changed CVSS metric indicates that impact can extend beyond the WordPress application boundary to the underlying server filesystem.
An issue in Boyleep K11, y108 firmware v.2.3.0.11291 allows a physically proximate attacker to execute arbitrary code via the factory test feature.
Authentication token cache file exposure in Kiro IDE on macOS and Linux allows any local user to read credentials belonging to other users due to world-readable file permissions (0644) instead of the security-appropriate owner-only permissions (0600). All versions before 0.11.133 are affected on UNIX-based platforms; the vulnerability is confirmed by AWS via security bulletin 2026-045 and has been assigned CWE-276 (Incorrect Default Permissions). No public exploit code has been identified at time of analysis, but exploitation requires no technical sophistication - only filesystem read access on a shared system.
Hard-coded cryptographic key exposure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables local attackers to decrypt sensitive licensing and configuration data for vault room and safe deposit locker systems. The static key, embedded in SafeSystem.Infrastructure.Security.dll, can be recovered through standard reverse engineering, then used to decrypt the licence.whs file - which itself contains a second key granting access to additional configuration files. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code is known at time of analysis; however, the attack requires only low-privilege local file access and straightforward tooling, making it realistic for any insider or attacker who achieves filesystem access.
Denial-of-service in aiohttp (all versions up to and including 3.14.0) allows remote attackers to exhaust server memory by sending large, incomplete WebSocket frame payloads that bypass the library's configured memory size limits. Any Python web application exposing WebSocket endpoints via aiohttp is affected - no authentication is implied as a prerequisite at the protocol layer. No public exploit code has been identified at time of analysis, but the attack primitive is straightforward and the fix is available in 3.14.1.
Memory exhaustion in aiohttp's optimised C HTTP parser allows remote unauthenticated attackers to bypass the max_line_size guard by fragmenting oversized request targets or response reason phrases across multiple TCP reads, potentially causing denial of service against any server using the default pre-built wheel configuration. The flaw is specific to the Cython-compiled C parser (the default in pre-built PyPI wheels); the pure-Python fallback correctly accumulated fragment lengths and is unaffected. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in aiohttp 3.14.1.
Unbounded HTTP/1 pipelined request queuing in aiohttp server allows a remote, unauthenticated attacker to exhaust process memory and cause denial of service by sending pipelined requests faster than the server can handle them. All aiohttp server deployments at version 3.14.0 and earlier are affected; the client library is not impacted. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, though the attack requires no special tooling beyond a standard HTTP/1.1 client capable of pipelining.
Unread compressed request bodies in aiohttp bypass the client_max_size limit during the cleanup phase, allowing a single-chunk decompression of an arbitrarily large payload into server memory. All versions up to and including 3.14.0 are affected. An attacker who can send HTTP requests with compressed bodies can trigger a zip bomb condition during cleanup, exhausting server memory and causing denial of service. No public exploit has been identified at time of analysis.
Broken authentication in WP Full Stripe Free (WordPress plugin by Themeisle) versions 8.4.1 and earlier permits subscriber-level authenticated users to bypass authorization controls and access restricted functionality, resulting in high-confidence information disclosure. The vulnerability (CWE-288) targets the Stripe payment integration plugin's internal access control logic, allowing a low-privileged WordPress user to reach endpoints or data intended only for higher-privileged roles. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Unauthenticated authentication bypass in the Event Tickets WordPress plugin (versions ≤ 5.27.5 by Liquid Web / StellarWP) allows remote attackers to circumvent access controls without any credentials, affecting the integrity and availability of ticketing functionality. Classified under CWE-290 (Authentication Bypass by Spoofing), the CVSS vector confirms PR:N and AV:N - meaning any network-accessible attacker can attempt exploitation with low complexity and no user interaction required. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA's KEV catalog, indicating no confirmed active exploitation.
Broken access control in the Motors WordPress plugin (StylemixThemes) prior to version 1.4.107 enables subscriber-level authenticated users to invoke privileged actions that trigger a high availability impact, without passing appropriate authorization checks. Reported by Patchstack and tracked under EUVD-2026-36954, this flaw targets WordPress sites running an unpatched Motors plugin where the lowest default user role - subscriber - can reach restricted functionality. No public exploit has been identified at time of analysis and CISA has not listed this in the Known Exploited Vulnerabilities catalog.
Sensitive data exposure in the Visual Link Preview WordPress plugin (versions up to and including 2.4.1) allows authenticated users with subscriber-level access to access restricted data they should not be authorized to view. The vulnerability stems from insufficient access controls over sensitive system information (CWE-497), permitting any logged-in subscriber to trigger a disclosure endpoint or functionality that returns protected data. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, though the low privilege bar makes this accessible to any registered WordPress user.
Sensitive data exposure in the Contest Gallery WordPress plugin (versions <= 28.1.7) allows authenticated subscribers to access confidential information they are not authorized to view. The vulnerability stems from insufficient access control over data retrieval endpoints within the plugin, permitting low-privileged WordPress users to read sensitive data with high confidentiality impact. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low complexity and remote exploitability make it a credible risk for WordPress sites with open subscriber registration.
Sensitive subscriber data exposure in the WPPizza WordPress plugin (versions ≤ 3.19.9) permits any authenticated user with a subscriber-level account to access protected data belonging to other users, such as customer order records or personal information managed by the plugin. The vulnerability stems from insufficient access control enforcement on data retrieval functionality (CWE-497), where low-privilege users are permitted to query sensitive system information outside their authorization scope. No public exploit code or confirmed active exploitation has been identified at time of analysis, though the low access complexity makes opportunistic exploitation realistic on sites permitting public user registration.
Broken access control in the RepairBuddy WordPress plugin (versions ≤ 4.1132) allows subscriber-level authenticated users to access restricted functionality or sensitive data without adequate authorization checks. The CVSS vector (PR:L, C:H, I:N, A:N) confirms that low-privileged users - specifically WordPress subscribers, the lowest authenticated role - can achieve high confidentiality impact, likely by reading repair orders, customer PII, or administrative data reserved for shop managers and admins. No public exploit code or active exploitation has been identified at time of analysis.
Broken access control in the Bookify WordPress plugin (versions ≤ 1.1.1) allows authenticated subscriber-level users to access resources or functionality reserved for higher-privileged roles. The flaw stems from missing authorization checks (CWE-862), enabling low-privilege users to retrieve sensitive data they should be denied. No public exploit or CISA KEV listing has been identified at time of analysis, though Patchstack has documented the vulnerability with a CVSS 6.5 score reflecting high confidentiality impact.
Denial of service in GStreamer's AV1 codec parser (gst-plugins-bad) allows a remote unauthenticated attacker to crash any application using GStreamer for AV1 media playback by delivering a specially crafted AV1 file. The root cause is a unit mismatch in the gst_av1_parser_parse_tile_list_obu() function, which feeds a byte count to an API expecting a bit count, desynchronizing the parser and triggering an assertion abort. No public exploit has been identified at time of analysis, and exploitation requires user interaction; however, the vulnerability affects Red Hat Enterprise Linux 6 through 10 where GStreamer is a core multimedia component.
Broken Access Control in rtMedia for WordPress, BuddyPress and bbPress (versions <= 4.7.9) permits low-privileged authenticated users at the subscriber level to invoke privileged plugin functionality without authorization, yielding high integrity impact. The CVSS vector (PR:L, I:H, AV:N, AC:L, UI:N) confirms that any logged-in subscriber can exploit this remotely without complexity or user interaction, making sites with open user registration particularly exposed. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Broken access control in the Rank Math SEO WordPress plugin (versions ≤ 1.0.271) allows authenticated subscribers to invoke privileged functionality beyond their authorization level. The missing authorization check (CWE-862) permits low-privileged WordPress Subscriber-role users to manipulate SEO settings or execute actions normally gated to editors or administrators, with a confirmed High integrity impact per CVSS. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis.
Broken access control in Tutor LMS WordPress plugin versions up to and including 3.9.7 permits unauthenticated remote attackers to bypass authorization checks and access or modify restricted LMS resources. The flaw, classified as CWE-862 (Missing Authorization), stems from the plugin failing to enforce appropriate permission checks before executing sensitive operations. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, though the unauthenticated attack vector and low complexity make this straightforward to exploit opportunistically.
Broken access control in the Booking Activities WordPress plugin (versions up to and including 1.16.48.1) enables unauthenticated remote attackers to perform restricted booking-related operations without authorization. Rooted in CWE-862 (Missing Authorization), the flaw bypasses access controls at the network level with no privileges or user interaction required, resulting in low-severity integrity and availability impacts - likely allowing unauthorized creation, modification, or cancellation of bookings. No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored or reflected Cross-Site Scripting in the JupiterX Core WordPress plugin (versions up to and including 4.14.1) allows low-privilege authenticated users with Subscriber roles to inject malicious JavaScript that executes in the browser context of other users, including administrators. The scope change component (S:C in CVSS) confirms the payload crosses security boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions against victims who view attacker-controlled content. No public exploit code has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.
Stored Cross-Site Scripting in WP Job Portal WordPress plugin versions up to and including 2.5.2 allows authenticated Subscriber-level users to inject persistent malicious JavaScript payloads that execute in other users' browsers, including administrators. The CVSS S:C scope change confirms the injected script crosses the security boundary into victims' browser sessions, enabling session hijacking or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege requirement makes this realistic on open-registration WordPress job-board deployments.
Stored Cross-Site Scripting in the King Addons for Elementor WordPress plugin (versions up to and including 51.1.62) allows authenticated subscribers to inject and persist malicious JavaScript payloads within plugin-rendered content. The scope-changed CVSS vector (S:C) reflects that injected scripts execute in the browsers of other site users - including administrators - enabling session hijacking and privilege escalation via social engineering. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the moderate-priority tier despite the network-reachable attack surface.