Unauthenticated PHP object injection in the WordPress Elementra theme (versions ≤ 1.0.9) allows remote attackers to deliver crafted serialized payloads that trigger deserialization of untrusted data. With no public exploit identified at time of analysis, the CVSS 9.8 vector still indicates network-reachable, no-auth exploitation against any WordPress site running an affected Elementra build. Successful chaining with a POP gadget in WordPress core or other installed plugins typically yields remote code execution or full site compromise.
Unauthenticated PHP Object Injection in BoldThemes Nifty WordPress theme versions 1.4.1 and earlier allows remote attackers to inject arbitrary PHP objects through unsafe deserialization, potentially leading to remote code execution when a suitable gadget chain exists in the WordPress installation. No public exploit identified at time of analysis, but the unauthenticated network-reachable nature combined with CVSS 9.8 makes this a high-priority issue for any site running the affected theme. Reported by Patchstack and tracked as EUVD-2026-37464.
Unauthenticated privilege escalation in the Support Board WordPress plugin (versions prior to 3.8.9) allows remote attackers with no credentials to elevate privileges on affected WordPress sites. The flaw was reported by Patchstack and is tied to CWE-266 (Incorrect Privilege Assignment), with a critical CVSS 3.1 base score of 9.8 reflecting network-reachable, low-complexity exploitation. No public exploit identified at time of analysis, but the unauthenticated nature and plugin's customer-support role make this a high-priority patch for any WordPress site running it.
Unauthenticated PHP Object Injection in the ThemeREX SeaFood Company WordPress theme (versions ≤1.4) enables remote attackers to deliver crafted serialized payloads that trigger insecure deserialization within PHP, potentially leading to remote code execution, file manipulation, or full site compromise depending on available gadget chains in the host WordPress stack. Reported by Patchstack and tracked as EUVD-2025-210200, with no public exploit identified at time of analysis.
Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers to inject arbitrary serialized PHP objects, potentially triggering property-oriented programming (POP) chains that lead to remote code execution, arbitrary file operations, or full site compromise. The flaw was disclosed by Patchstack and carries a CVSS 9.8 due to network reachability with no authentication or user interaction, though no public exploit has been identified at time of analysis.
PHP Object Injection in the ThemeFusion Fusion Builder WordPress plugin (versions ≤ 3.15.4) allows authenticated users with Contributor-level access to inject crafted serialized PHP objects that are deserialized by the plugin. Successful exploitation can lead to property-oriented programming (POP) chain execution depending on classes loaded in the WordPress runtime, with potential outcomes ranging from arbitrary file operations to remote code execution. No public exploit identified at time of analysis and the issue is not on CISA KEV, but the Contributor prerequisite is low in many multi-author WordPress deployments.
Remote takeover of Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0 allows unauthenticated network attackers to fully compromise the product via HTTP, per Oracle's June 2026 Critical Patch Update. The CVSS 3.1 base score of 9.8 reflects complete loss of confidentiality, integrity, and availability with no privileges or user interaction required, and no public exploit identified at time of analysis. Oracle's own advisory characterizes the flaw as 'easily exploitable,' raising the urgency for affected customers despite the lack of a published CWE classification.
Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python code on the host by abusing the Shareable Playground (Public Flows) feature. When a flow is shared, the /api/v1/build_public_tmp endpoint accepts user-supplied node code in the JSON payload field data.nodes[X].data.node.template.code.value and executes it during graph instantiation. Publicly available exploit code exists via the GitHub Security Advisory GHSA-v5ff-9q35-q26f, including a working cURL-based PoC.
Arbitrary OS-shortcut file write in yt-dlp before 2026.06.09 lets a remote attacker plant malicious `.desktop`, `.url`, or `.webloc` files on a victim's machine, reviving the attack surface that CVE-2024-38519 was meant to close. Because numerous extractors derive output file extensions from attacker-controlled sources (e.g. an m3u8 `EXT-X-MEDIA:TYPE=SUBTITLES` URI), a user who downloads from a malicious URL with options like `--write-subs` will silently receive a shortcut file containing attacker-chosen shell commands or remote-executable links. A vendor proof-of-concept demonstrating code execution via a planted `.desktop` file is publicly available; it is not listed in CISA KEV, and EPSS is low at 0.54% (41st percentile).
Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker over HTTP coerces a victim user into interacting with a crafted request targeting the Metadata Plugin component. The flaw is scope-changing and yields full confidentiality, integrity, and availability impact on the platform and potentially adjacent products. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to fully compromise the management platform - and potentially additional managed products - by tricking an authenticated user into interacting with a malicious HTTP-delivered payload targeting the Metadata Plugin component. The CVSS 3.1 base score is 9.6 with a scope change reflecting impact beyond the vulnerable component, and at time of analysis no public exploit identified at time of analysis. Because Oracle Enterprise Manager centrally controls fleets of Oracle databases, middleware, and infrastructure, successful exploitation has outsized blast-radius implications for downstream Oracle estates.
Remote takeover of Oracle WebCenter Content 14.1.2.0.0 (Content Server component) is achievable by unauthenticated network attackers who can lure a victim into triggering a crafted HTTP interaction, with scope change extending impact to additional products. Oracle's June 2026 Critical Patch Update advisory (cspujun2026) assigns CVSS 9.6 reflecting full confidentiality, integrity, and availability loss, and no public exploit identified at time of analysis.
Account takeover in Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a remote unauthenticated attacker to fully compromise the product when a victim user is tricked into interacting with attacker-supplied content over HTTP. The scope-changing flaw carries a CVSS 3.1 base score of 9.6 with high confidentiality, integrity, and availability impact, and there is no public exploit identified at time of analysis. Listed in the ENISA EUVD as EUVD-2026-37304 and addressed in Oracle's June 2026 Critical Patch Update.
Arbitrary code execution in yt-dlp versions before 2026.06.09 occurs when aria2c is selected as the external downloader for fragmented HLS/DASH streams, allowing a malicious manifest or metadata server to inject options into aria2c's input file and write attacker-controlled files. On Windows this yields immediate code execution via a planted ffmpeg.exe, while on all platforms it enables code execution on the next run via a planted yt-dlp.conf with a malicious --exec. CVSS is 9.6 (critical), but there is no public exploit identified at time of analysis, EPSS is low (0.40%, 32th percentile), and CISA SSVC marks exploitation as none.
Cross-component compromise in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote attacker to read and tamper with critical data across adjacent Oracle E-Business Suite components via HTTP. The scope-changed CVSS 3.1 score of 9.6 reflects high confidentiality and integrity impact reaching beyond the vulnerable component, though no public exploit identified at time of analysis. Oracle disclosed the issue in the June 2026 Critical Patch Update.
Cross-component compromise in Oracle MySQL NDB Cluster (versions 8.0.11-8.0.46, 8.4.0-8.4.9, and 9.0.0-9.7.0) allows a low-privileged remote attacker with HTTP access to the NDB Operator component to read, modify, create, or delete all data accessible to the cluster. The scope-changed nature (S:C) means successful attacks reach beyond the NDB Cluster boundary into adjacent products. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Oracle's CVSS 9.6 rating and 'easily exploitable' characterization make this a high-priority patch.
Cross-product compromise in Oracle JD Edwards EnterpriseOne Project Costing 9.2 (Job Costing component) allows a low-privileged attacker with network access via the JDENET protocol to read, modify, or delete all data accessible to the Project Costing module and to impact additional adjacent products through a scope change. Oracle rates this 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) and there is no public exploit identified at time of analysis, with the issue tracked as EUVD-2026-37230.
Privilege escalation and scope-change attack in Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 allows a low-privileged attacker with HTTP network access to compromise the Enterprise Infrastructure Security component and impact additional connected products. Successful exploitation yields full read access and the ability to create, modify, or delete all data accessible to JD Edwards EnterpriseOne Tools. No public exploit identified at time of analysis, and the issue was reported by Oracle as part of the June 2026 Critical Patch Update.
Sandbox escape in Mozilla Firefox and Firefox ESR allows a remote attacker to break out of the browser's content sandbox by exploiting incorrect boundary conditions in the Networking component, leading to full compromise of confidentiality, integrity, and availability on the host. Exploitation requires user interaction (e.g., visiting a malicious page), but with CVSS 9.6 and a scope change, successful exploitation crosses the renderer/host trust boundary. No public exploit identified at time of analysis, and EPSS is low (0.16%), consistent with the SSVC 'Exploitation: none' signal.
Sandbox escape in the DOM: Navigation component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.
Sandbox escape in Mozilla Firefox's DOM Workers component allows remote attackers to break out of the browser's content process sandbox when a user visits a malicious web page. The flaw affects Firefox prior to 152, Firefox ESR before 140.12, and Firefox ESR before 115.37, with no public exploit identified at time of analysis despite a critical 9.6 CVSS score. EPSS exploitation probability is low at 0.16% and CISA SSVC marks exploitation as 'none', suggesting no in-the-wild abuse has been observed yet.
Sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Authentication bypass in LiteLLM proxy versions prior to 1.84.0 allows unauthenticated attackers to reach protected management routes by sending a crafted Host header that causes Starlette to reconstruct request.url.path inconsistently with the route FastAPI actually dispatches. The flaw lives in get_request_route() in litellm/proxy/auth/auth_utils.py and only impacts deployments that expose the proxy listener directly without an upstream Host-validating layer; no public exploit identified at time of analysis.
Path traversal in FileBrowser Quantum (gtsteffaniak fork) versions prior to 1.3.2-stable, 1.4.0-beta, and 1.4.1-beta allows holders of a public share link with AllowModify=true to move, copy, or rename arbitrary files within the share owner's source root by abusing the publicPatchHandler in backend/http/public.go. The flaw stems from filepath.Join collapsing ../ segments BEFORE the SanitizeUserPath check runs, an identical pattern to the previously patched DELETE endpoint (CVE-2026-44542). No public exploit identified at time of analysis, but the GHSA advisory documents the exact code path and the issue is rated CVSS 4.0 9.3 (Critical).
Silent configuration hijack in Traccar Client GPS tracking app (versions 9.7.19 and below) allows remote attackers to redirect victim telemetry to attacker-controlled servers via a single crafted org.traccar.client://config deep link. The app accepts deep-link parameters (server URL, device ID, accuracy, distance, interval) and writes them to persistent configuration with no user confirmation, enabling continuous covert location tracking. No public exploit identified at time of analysis, but the upstream commit confirms a confirmation dialog was added in 9.7.20 as the fix.
Blind SQL injection in The Events Calendar WordPress plugin (versions 6.15.12 through 6.16.2) by Liquid Web / StellarWP allows remote attackers to inject malicious SQL via unsanitized input handled by the plugin. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) indicates a network-reachable, unauthenticated, low-complexity issue with a scope change and high confidentiality impact, putting it at 9.3 critical. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV; EPSS data was not provided in the input.
Unauthenticated SQL injection in the GEO my WordPress plugin versions 4.5.5 and earlier allows remote attackers to inject arbitrary SQL into backend queries against WordPress sites running the plugin. The flaw was disclosed via Patchstack, carries a CVSS 9.3 with scope change, and currently has no public exploit identified at time of analysis, though SQL injection in WordPress plugins is historically a high-value automated target.
Unauthenticated SQL injection in the InPost Gallery WordPress plugin (versions 2.1.4.6 and earlier) by realmag777 allows remote attackers to inject arbitrary SQL queries without any authentication. The flaw carries a CVSS 9.3 with a scope change, meaning successful exploitation can extract sensitive database contents and impact resources beyond the vulnerable component. No public exploit identified at time of analysis, but the unauthenticated nature and the visibility of Patchstack-reported WordPress flaws make opportunistic scanning likely.
Cross-scope compromise in Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows an unauthenticated remote attacker to read, modify, or delete all WebCenter Content-accessible data when a victim is lured into interacting with attacker-supplied content over HTTP. The scope-changed (S:C) nature of the flaw means impact extends beyond WebCenter Content into adjacent products in the Fusion Middleware deployment, earning a CVSS 9.3 rating. There is no public exploit identified at time of analysis, and the issue is not on CISA KEV.
Cross-product compromise of Oracle WebCenter Content 14.1.2.0.0 (Fusion Middleware Content Server) allows a remote unauthenticated attacker to abuse a victim's browser session to gain high-impact read and write access to all WebCenter Content data, with scope change extending the impact to additional Oracle products. The CVSS 3.1 base score is 9.3 with a scope-changed vector requiring user interaction (UI:R), and no public exploit identified at time of analysis.
Cross-component compromise of Oracle WebCenter Content 14.1.2.0.0 (Content Server) allows a remote unauthenticated attacker to read, create, modify, or delete all data accessible to the product after coaxing a victim into a single interaction over HTTP. The scope-changed nature means the impact extends beyond WebCenter Content into other Fusion Middleware components sharing trust with it. No public exploit identified at time of analysis, and the issue is not in CISA KEV, but the 9.3 CVSS base score and 'easily exploitable' wording from Oracle place it in the priority-patch tier for the June 2026 CPU.
Authentication bypass in Perry versions before 0.5.1166 allows remote attackers holding any previously issued bearer token to maintain authenticated access indefinitely, including after logout or administrative revocation. The flaw stems from hardcoded validate_exp=false logic in the stdlib JWT verification path, neutralizing token expiration entirely. No public exploit identified at time of analysis, but the trivial nature of replaying captured tokens against jwt.verify() calls makes this a high-priority fix.
Unauthenticated remote compromise of Oracle Coherence 15.1.1.0.0 (Oracle Fusion Middleware, Centralized Third Party Jars component) allows network-based attackers to read all Coherence-accessible data and perform limited data modification over HTTP, with a scope change that can impact additional products in the same deployment. Oracle rates the issue CVSS 9.3 and describes it as easily exploitable; no public exploit identified at time of analysis and it is not currently on the CISA KEV list.
Unauthenticated remote compromise of Oracle Coherence 15.1.1.0.0 (Oracle Fusion Middleware) via HTTP allows attackers to read all accessible data and modify a subset, with a scope change that can impact adjacent products. CVSS 3.1 base score is 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N) and no public exploit is identified at time of analysis, though the low attack complexity and unauthenticated network reachability make this a high-priority Critical Patch Update item.
Unauthenticated remote compromise of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 via the Web Runtime Security component allows attackers with HTTP access to read all data the product can reach and modify a subset of it, with a scope change that propagates impact to other integrated products. Oracle rates the issue 9.3 (CVSS 3.1) and describes it as easily exploitable, and the public tagging as an authentication bypass aligns with the PR:N vector. No public exploit identified at time of analysis and no CISA KEV listing has been recorded.
Unauthenticated information disclosure in Rocket.Chat allows remote attackers to enumerate and download arbitrary uploaded files via the Livechat file-download endpoint. The flaw at /file-upload/:fileId/:name validates rc_token against rc_rid but never checks that rc_rid matches the requested file's actual room ID, and sequential MongoDB ObjectIDs make :fileId predictable, enabling discovery of all uploads. No public exploit identified at time of analysis, but the HackerOne report (#3687142) and upstream fix PR are public.
Full takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is achievable by an attacker with local logon access to the host running the Installation Security component, requiring no application credentials. The flaw carries a CVSS 3.1 base score of 9.3 with a scope change, meaning successful exploitation can pivot beyond JD Edwards into adjacent enterprise products on the same infrastructure. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but Oracle ranks it as easily exploitable in the June 2026 Critical Patch Update.
SQL injection in the wpDataTables WordPress plugin versions 7.3.6 and earlier allows unauthenticated remote attackers to inject crafted SQL into backend database queries, with CVSS 9.3 reflecting a scope-changed impact that reaches beyond the plugin's own data context. The CVSS vector indicates high confidentiality impact and low availability impact with no integrity impact, suggesting the flaw is primarily useful for extracting sensitive WordPress data (including credentials and PII) rather than tampering with records. No public exploit identified at time of analysis, but Patchstack's disclosure and the unauthenticated network attack vector make this a high-priority issue for any site running the plugin.
Unauthenticated SQL injection in the ListingPro WordPress plugin (versions ≤ 2.9.10) allows remote attackers to inject arbitrary SQL into backend queries without credentials, exposing the WordPress database to extraction and manipulation. Reported by Patchstack and tracked as EUVD-2026-37469, the flaw carries a 9.3 CVSS with scope change, indicating impact beyond the vulnerable component. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
OS command injection in Radiflow iSAP Smart Collector allows an authenticated attacker on the management network to execute arbitrary commands with administrative (root-equivalent) privileges on the underlying operating system via the device's token-authenticated REST API. The CVSS 9.1 score reflects scope-changed impact across confidentiality, integrity, and availability, which is significant given the device's role as an OT/ICS data collector. No public exploit identified at time of analysis, and the flaw was disclosed through ENISA via the Italian CVCN national coordination center.
Authentication bypass in vLLM versions 0.3.0 through 0.21.x allows remote unauthenticated attackers to reach OpenAI-compatible API endpoints without supplying the configured VLLM_API_KEY by injecting URL-special characters into the HTTP Host header. The flaw stems from vLLM's AuthenticationMiddleware reconstructing the request URL via starlette's URL(scope) - which trusts an unsanitized Host value - while FastAPI routing uses the raw HTTP path, producing a mismatch the attacker controls. No public exploit identified at time of analysis, but x41-dsec disclosed full technical details and a vendor-released patch is available in 0.22.0.
Authentication bypass in Rockwell Automation FactoryTalk Historian Site Edition allows remote attackers to obtain a valid authentication token by repeatedly hammering the login endpoint, exploiting a race condition (CWE-362) in the authentication flow. The flaw carries a CVSS 4.0 score of 9.2 with network attack vector and no privileges required, though successful exploitation depends on winning a timing window (AT:P). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Privileged takeover of Oracle Enterprise Command Center Framework (ECC) versions V15 and V16, a component of Oracle E-Business Suite, allows a high-privileged authenticated attacker with HTTP network access to fully compromise the ECC component and, through a scope change, significantly impact additional integrated products. Oracle's June 2026 Critical Patch Update advisory rates this CVSS 9.1 (C:H/I:H/A:H with S:C), and no public exploit identified at time of analysis. The combined high privilege requirement and scope change make this a real lateral-movement risk inside ERP deployments rather than a perimeter RCE.
Authenticated takeover of Oracle WebLogic Server (Fusion Middleware Core component) is possible by a high-privileged attacker over HTTP, with a scope change that can impact additional products beyond WebLogic itself. Affected versions are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0, with a CVSS 3.1 base score of 9.1. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Privileged takeover of Oracle WebCenter Content (Content Server component) affects supported versions 12.2.1.4.0 and 14.1.2.0.0, enabling a high-privileged attacker with HTTP network access to fully compromise the instance and pivot to additional Fusion Middleware products via a scope change. The CVSS 3.1 base score is 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), reflecting low attack complexity and full CIA impact. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Unauthenticated remote compromise in Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 allows network attackers to obtain unauthorized access to critical data and cause a complete denial of service via HTTP against the Enterprise Infrastructure Security component. Oracle rates this 9.1 (CVSS 3.1) reflecting high confidentiality and availability impact with no authentication or user interaction required, though no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote unauthenticated tampering and denial-of-service in Oracle Enterprise Manager's APM (Application Performance Management) component, specifically the JADM / JVM Diagnostics module in versions 13.5 and 24.1, allows attackers reachable over HTTP to modify, create, or delete any APM-accessible data and to hang or repeatedly crash the service. The flaw is rated CVSS 9.1 with no privileges or user interaction required, but at time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.
Takeover of Oracle iSupport in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged attacker over HTTP, with scope-changed impact extending to additional EBS components. The CVSS 3.1 base score of 9.1 reflects full confidentiality, integrity, and availability loss beyond the vulnerable component itself. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Privileged remote takeover of Oracle iSupport (Oracle E-Business Suite, Internal Operations component) affects versions 12.2.3 through 12.2.15, where an authenticated high-privilege attacker with HTTP access can fully compromise the application with scope change into adjacent E-Business Suite components. The CVSS 9.1 score reflects the cross-component blast radius rather than ease of access, since PR:H means the attacker must already hold elevated privileges. No public exploit identified at time of analysis and the issue is not listed on CISA KEV.
Full takeover of Oracle iSupport (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged attacker over HTTP, with a scope change that lets the attack significantly impact additional products beyond iSupport itself. The flaw carries a CVSS 3.1 base score of 9.1 with confidentiality, integrity, and availability all rated High, and no public exploit identified at time of analysis. The vendor (Oracle) is the sole reporting source via the June 2026 Critical Patch Update advisory.