Memory corruption via use-after-free in the Networking: HTTP component of Mozilla Firefox enables remote attackers to potentially execute arbitrary code or trigger crashes when a user visits a malicious page. The flaw affects Firefox prior to version 152, Firefox ESR before 140.12, and Firefox ESR before 115.37, and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability. With an EPSS of 0.16% (5th percentile) and no public exploit identified at time of analysis, opportunistic mass exploitation appears unlikely despite the high severity rating.
Privilege escalation and full takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) is possible for a low-privileged attacker with logon access to the host infrastructure, via the Siebel Cloud Manager component. Successful exploitation produces a scope change that significantly impacts adjacent products beyond Siebel itself, with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but Oracle has issued a fix in its June 2026 Critical Patch Update.
PHP Object Injection in the ThemeFusion Avada WordPress theme versions 3.15.3 and earlier allows authenticated users with Contributor-level privileges to trigger unsafe deserialization, potentially leading to remote code execution, data tampering, or service disruption on the underlying WordPress installation. No public exploit identified at time of analysis, but the low attack complexity and widespread deployment of Avada as a commercial WordPress theme make this a meaningful risk for multi-author sites.
In Modem, there is a possible way to trigger a modem crash during a SIP REFER request due to memory corruption. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In RtpSession::rtpSendRtcpPacket, there is a possible OOB write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Unauthenticated password change in Rockwell Automation 1794-AENTR Flex I/O EtherNet/IP adapter's embedded web server allows remote attackers to overwrite the web interface password via a crafted HTTP GET request to a specific endpoint, enabling full account takeover of the industrial device. The flaw, reported by Rockwell and tracked as CVE-2026-0647 with a CVSS 4.0 base score of 8.8, has no public exploit identified at time of analysis but is trivially exploitable given no authentication, no user interaction, and low attack complexity over the network.
Two-factor authentication bypass in syracom AG Secure Login (2FA) plugin 3.4.0.x for Atlassian Jira, Confluence, and Bitbucket allows an attacker holding valid first-factor credentials to skip the 2FA challenge entirely by injecting strings like 'AtlassianMobileApp' or 'JIRA' into the HTTP User-Agent header. The plugin treats such requests as mobile-app traffic and waives 2FA enforcement on protected web resources, effectively neutralizing the security control the plugin exists to provide. No public exploit identified at time of analysis, but the technique is trivial to reproduce from the public advisory text.
Cross-product compromise in Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a low-privileged remote attacker to read and modify critical data with scope change to additional Oracle Fusion Middleware products. Exploitation requires user interaction from a separate victim and yields high confidentiality and integrity impact (CVSS 3.1 base 8.7); no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Cross-tenant data compromise in Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a low-privileged authenticated attacker to coerce another user into an interaction that yields unauthorized read, create, modify, or delete access to all WebCenter Content data, with a scope change extending impact to additional Oracle Fusion Middleware products. Disclosed in Oracle's June 2026 Critical Patch Update with a CVSS 3.1 base score of 8.7; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Cross-scope data compromise in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 allows a low-privileged remote attacker over HTTPS to read, create, modify, or delete critical data through the administration Console, provided a separate user is induced to perform an action. The CVSS 3.1 base score of 8.7 reflects high confidentiality and integrity impact with scope change reaching beyond WebLogic itself, and no public exploit identified at time of analysis.
Unauthenticated remote compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 via the WebLogic component allows attackers with HTTP access to read and modify critical data across PeopleTools and additional products in scope. Oracle rates the issue 8.7 CVSS 3.1 with high attack complexity but no privileges or user interaction, and the scope-change flag means impact extends beyond PeopleTools itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Authenticated OS command injection in the TP-Link TL-WR940N v6 router's IPv6 PPPoE configuration handler allows administrators to break out of the configuration parser and execute arbitrary shell commands with elevated (typically root) privileges on the device. The flaw was reported by TP-Link itself and a firmware fix is available; no public exploit identified at time of analysis. Risk is bounded by the CVSS 4.0 vector requiring adjacent-network access and high privileges (AV:A/PR:H), but post-exploitation impact on confidentiality, integrity, and availability is rated High.
Authenticated OS command injection in the TP-Link TL-WR940N v6 router's BigPond Cable (BPA) WAN configuration module allows administrators to execute arbitrary system commands with elevated privileges on the device. The flaw stems from improper sanitization of user-supplied input in the WAN setup path and affects firmware versions prior to V6_260528. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Authorization bypass in OpenClaw before 2026.5.26 allows an attacker with a previously paired device to re-establish WebSocket node-level authority after the session has been revoked, effectively defeating the revocation control. The flaw stems from a surviving pairing-scoped device session that can mint new node tokens without renewed approval, letting authenticated attackers retain unauthorized node-level access longer than intended. No public exploit identified at time of analysis, but the issue is acknowledged in a GitHub Security Advisory (GHSA-q99w-vh6v-q3v7) and a VulnCheck advisory.
Denial-of-service in Rockwell Automation 1794-AENTR FLEX I/O EtherNet/IP adapters allows remote unauthenticated attackers to fault the device and sever its connection to associated I/O modules via malformed CIP protocol requests. Recovery requires a manual reset, making this a high-impact availability issue for industrial control environments where uptime is critical. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects the network-reachable, no-privilege attack path against operational technology.
Denial-of-service in Rockwell Automation 1769 CompactLogix 5370 controllers allows remote unauthenticated attackers to induce a minor fault on the PLC by abusing Connection IDs exposed via the device's web interface and sending forged CIP traffic. The CVSS 4.0 base score of 8.7 reflects high availability impact with no authentication or user interaction required, and no public exploit has been identified at time of analysis.
Remote denial of service in Rockwell Automation CompactLogix and ControlLogix programmable automation controllers allows unauthenticated attackers on the network to crash the device by sending a single crafted Common Industrial Protocol (CIP) message. The fault produces a Major Non-Recoverable Fault (MNRF) that requires a full program download to recover, meaning an outage continues until an engineer physically intervenes. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.7 and OT impact make this a priority patch for affected plant floors.
Denial of service in Pacemaker's CIB remote listener allows unauthenticated remote attackers to crash the cluster service by sending a specially crafted compressed message. The vulnerability is an integer overflow (CWE-190) triggered during pre-authentication message decompression, leading to memory corruption. No public exploit identified at time of analysis, but the pre-auth attack vector and high availability impact on cluster-management infrastructure make this a meaningful risk for exposed deployments.
Unauthenticated LDAP-based compromise of Oracle Unified Directory 12.2.1.4.0 and 14.1.2.1.0 allows remote attackers to create, delete, or modify critical directory data, read a subset of directory data, and trigger a partial denial of service. The flaw resides in the OUD Core component and was disclosed in Oracle's June 2026 Critical Patch Update with a CVSS 3.1 base score of 8.6; no public exploit identified at time of analysis and the issue is not in CISA KEV.
Authentication bypass in Radiflow iSAP Smart Collector exposes a REST API protected only by a hardcoded constant token, allowing remote attackers to read system settings, modify device configuration, and trigger commands such as a system reboot. The constant token effectively negates authentication, making the API exploitable by anyone who can reach the device's web server. No public exploit identified at time of analysis, but the CVSS 8.6 (high) score reflects network-reachable, unauthenticated, low-complexity abuse leading to high integrity impact.
Authentication bypass in OpenClaw before 2026.5.3 allows remote attackers with low privileges to receive agent responses intended for other Zalo identities by manipulating their mutable display name to match allowFrom policy entries. The flaw stems from policy enforcement relying on mutable display metadata rather than immutable identifiers, and no public exploit has been identified at time of analysis.
Privilege escalation in OpenClaw before 2026.5.7 allows any user with a Discord account to assume the identity of a privileged Discord user authorized in the agent's allowFrom policy by simply renaming their account, because the access-control check matches on mutable display names rather than immutable Discord user IDs (snowflakes). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but exploitation is trivial for anyone who can read the target policy.
Arbitrary file deletion in the Car Zone WordPress theme (versions through 3.7) by Aivah Themes lets remote, unauthenticated attackers remove files on the underlying server through a path-traversal flaw. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/A:H) reflects that file deletion crosses scope into the broader WordPress installation, enabling denial-of-service or forced reinstall scenarios. No public exploit identified at time of analysis and the CVE is not in CISA KEV.
Arbitrary OS command execution in Sonatype Nexus Repository 3 versions prior to 3.92.0 allows authenticated users holding the nx-licensing-create privilege to run commands as the Nexus process user by uploading a malicious license file. The flaw is rooted in unsafe deserialization (CWE-502) during license processing. No public exploit identified at time of analysis.
Remote code execution in Moxa NPort W2150A-W4/W2250A-W4 Series firmware version 1.5 and earlier allows authenticated administrators to corrupt memory by submitting an overlong 'Server location' value on the Basic settings page of the web management interface, yielding root-level command execution on the embedded serial device server. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Moxa has issued advisory MPSA-261910 confirming the flaw. The companion CVE-2026-10828 (format string) was disclosed in the same advisory, suggesting the web management stack received broader scrutiny.
Takeover of Oracle Complex Maintenance, Repair and Overhaul (cMRO) versions 12.2.3 through 12.2.15 is achievable by a low-privileged attacker over HTTP, with the scope changing to impact additional Oracle E-Business Suite products beyond cMRO itself. The high CVSS 3.1 score of 8.5 reflects full confidentiality, integrity, and availability impact, though high attack complexity tempers exploitability. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SQL injection in the WordPress plugin WP Sessions Time Monitoring Full Automatic (versions 1.1.4 and earlier) allows authenticated users with Subscriber-level access to inject malicious SQL into backend database queries. The CVSS scope change (S:C) and high confidentiality impact indicate that exploitation can expose data beyond the plugin's own context, including potentially the broader WordPress database. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Authenticated path traversal in Gogs self-hosted Git service (versions <= 0.13.4) allows any user with repository edit permissions to overwrite arbitrary files on the host filesystem via the diff preview endpoint, resulting in denial of service. By abusing the `git diff --output=<file>` flag through the `POST /:user/:repo/_preview/:branch/:path_to_file` handler and bypassing the standard library `path.Clean` filter, an attacker can corrupt critical files such as `gogs.db` or `app.ini`. Publicly available exploit code exists in the form of a detailed researcher write-up with payload examples, though no CISA KEV listing or active exploitation has been reported.
Takeover of Oracle MySQL Shell is possible against the Shell for VS Code component in version 2026.2.0+9.6.1, where a low-privileged remote attacker can compromise the Shell with a scope-changing impact on additional products. The 8.5 CVSS score reflects full confidentiality, integrity, and availability impact, though high attack complexity tempers practical exploitability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Cross-user credential access in n8n workflow automation platform allows member-level users with Editor access to shared workflows to reference credentials owned by other users via specific public API endpoints. The flaw stems from incomplete ownership checks (CWE-863) and affects versions prior to 1.123.55, between 2.0.0-rc.0 and 2.25.7, and between 2.26.0 and 2.26.2. No public exploit identified at time of analysis, but the vulnerability enables credential exfiltration in multi-tenant n8n deployments where workflow sharing is enabled.
Authorization bypass in Gitea versions up to and including 1.26.1 allows any authenticated user with mere read access to push arbitrary commits directly to any repository they can view, including all public repositories on the instance. The flaw stems from the 'Allow edits from maintainers' pull request flag being trusted without verifying the PR submitter actually owns write access on the HEAD side, enabling reverse-fork PRs to grant unauthorized push rights to upstream targets. Publicly available exploit code exists (a working poc.py is attached to the advisory), and the issue is fixed in Gitea 1.26.2.
Resource-accounting bypass in OpenStack Nova (compute service) lets an authenticated tenant create an instance whose scheduler hint data is not properly stripped, resulting in a running VM that has no corresponding Placement allocation. Because the instance consumes real host CPU/RAM/disk that the Placement service never accounted for, an attacker with ordinary project credentials can quietly over-subscribe a compute host and degrade availability for co-located tenants. SSVC lists exploitation as proof-of-concept (no public exploit identified as weaponized) with partial technical impact; EPSS is low at 0.26% (17th percentile).
Blind SQL injection in the wpWax Directorist Booking WordPress plugin (versions up to and including 3.0.3) allows authenticated low-privilege users to issue crafted database queries that exfiltrate data across trust boundaries. The CVSS 3.1 score of 8.5 reflects a scope change (S:C) with high confidentiality impact, indicating the affected database context exposes data beyond the plugin's own component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary code execution in Themeco Cornerstone WordPress plugin versions prior to 7.8.8 allows authenticated low-privilege users (Subscriber role) to inject and execute arbitrary code on the underlying server. The CVSS:3.1 vector indicates a scope-changed network-vector flaw with high impact on confidentiality, integrity, and availability, though high attack complexity tempers the realistic risk. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Takeover of Oracle WebCenter Content 14.1.2.0.0 is possible when a high-privileged attacker over HTTP induces a separate user to interact with crafted content, resulting in full confidentiality, integrity, and availability compromise plus impact on adjacent products via CVSS scope change. The Oracle Critical Patch Update (June 2026) lists this in the Content Server component with a CVSS 3.1 base score of 8.4. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Full compromise of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package component, where an unauthenticated attacker with logon access to the underlying host can take over the PeopleTools instance. Oracle rates this 8.4 CVSS with full confidentiality, integrity and availability impact, and no public exploit identified at time of analysis. The local attack vector keeps remote internet-based mass exploitation unlikely, but any user who can log on to the PeopleTools server should be treated as a critical risk.
Permission-sandbox bypass in the Deno runtime (versions <= 2.7.13) on macOS lets untrusted code reach paths that operators explicitly blocked with --deny-read, --deny-write, --deny-run, or --deny-ffi. Because Deno compared paths byte-for-byte while APFS treats Unicode-equivalent and case-equivalent spellings as the same file, a script granted broad --allow-* but with --deny-* carve-outs can read, write, execute, or FFI-load a protected file by referring to it with an alternate spelling (NFD vs NFC, case folding, ligatures, or German ss vs ß). No public exploit identified at time of analysis, and EPSS is low (0.14%), but the bypass is trivial to perform once an attacker controls the path string.
Authenticated tampering and data exposure in Oracle Data Integrator 12.2.1.4.0 and 14.1.2.0.0 (Market Place component) allows a low-privileged attacker with HTTP network access to read, modify, or delete all data accessible to the product and induce a partial denial of service. Oracle assigns a CVSS 3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/C:H/I:H/A:L), and no public exploit identified at time of analysis. The flaw is described by Oracle as easily exploitable, raising the priority for any externally reachable ODI deployment.
Server takeover in Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 (Console component) allows a remote unauthenticated attacker who can lure an authenticated user into interacting with a crafted HTTP request to fully compromise the server with a scope change to other products. CVSS 8.3 reflects high impact tempered by high attack complexity and required user interaction; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Adjacent-network takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) is possible via the Siebel Cloud Manager component, where an unauthenticated attacker on the same physical communication segment can fully compromise the application and pivot to other products through a scope change. The flaw carries a CVSS 3.1 base score of 8.3 with full confidentiality, integrity, and availability impact, but high attack complexity. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Authorization bypass in Rockwell Automation FactoryTalk Analytics PavilionX allows unauthenticated remote attackers to invoke privileged API endpoints, including user and role management functions, enabling full administrative takeover of the analytics platform. The CVSS 4.0 base score of 8.3 reflects high confidentiality impact with limited integrity and availability effects, and at the time of analysis there is no public exploit identified.
Unauthorized data access and modification in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 allows unauthenticated remote attackers to compromise the Deployment Package component over HTTP. The flaw yields complete read access to PeopleTools-accessible data and partial write (insert/update/delete) capability without any user interaction or credentials. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the low attack complexity and network reachability make it a high-priority patching target.
Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated network attackers to crash or hang the management console and to perform unauthorized modifications to a subset of accessible data via the Agent Next Gen component over HTTPS. Oracle rates the issue CVSS 8.2 and notes the flaw is easily exploitable; no public exploit identified at time of analysis, and it is not listed on the CISA KEV catalog.
Stored/reflected XSS in Remark42 self-hosted comment engine versions 1.6.0 through 1.15.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in the context of a Remark42 origin by abusing a Content-Type inconsistency in the image proxy. The proxy trusts the upstream Content-Type header during the download check but re-sniffs bytes when serving, letting an HTML/JS payload advertised as image/png be re-served as text/html from the victim instance's own origin. No public exploit identified at time of analysis; fixed in 1.16.0.
Arbitrary file deletion in the WP Review Slider Pro WordPress plugin (versions up to and including 12.6.8) allows authenticated attackers with Subscriber-level access to delete arbitrary files on the underlying server, potentially escalating to remote code execution by removing files such as wp-config.php to trigger the WordPress setup flow. The flaw stems from missing capability checks on two AJAX handlers (wpfb_hide_review and wprp_save_review_admin) combined with a defective strpos()-based prefix check in wpfb_hidereview_ajax() that fails to neutralize path traversal sequences before calling unlink(). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; reported by Wordfence.
Cross-context compromise of Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a remote unauthenticated attacker over HTTPS to gain high-impact read access and limited write access to managed content, with effects that cross trust boundaries into additional Oracle Fusion Middleware products (scope change). Exploitation requires a victim to interact with attacker-controlled input (UI:R), and at the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.
Authentication bypass in Forem (prior to commit a2ab6d4) allows remote attackers to circumvent email domain allowlist/denylist controls by submitting RFC 2047 encoded-word email addresses, enabling unauthorized registration on invite-only deployments. The flaw arises because the raw email string passes domain checks while downstream mail decoding resolves it to an attacker-controlled address, with no public exploit identified at time of analysis.
Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package component) allows a high-privileged attacker with logon access to the underlying infrastructure to fully compromise PeopleTools with a scope change that impacts additional products. Oracle rates this CVSS 8.2 and confirms it is easily exploitable once the attacker has the required local privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component) allows a high-privileged attacker with logon access to the host running EM to fully take over the platform, with scope change extending impact to additional managed Oracle products. CVSS 3.1 base score is 8.2 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. The scope-changing nature makes this a notable lateral-movement primitive in Oracle estates even though prerequisites are non-trivial.
OAuth2 scope enforcement bypass in Gitea <= 1.26.1 allows any OAuth2 access token to perform write actions far beyond its granted scope when submitted via HTTP Basic authentication instead of as a Bearer token. A token issued with only `read:user` can modify user settings, add attacker-controlled emails, and create or delete the user's repositories, effectively nullifying the entire OAuth2 scope model for Basic-auth requests. No public exploit identified at time of analysis, but the advisory itself contains a full working PoC.