PHP Object Injection in the JetEngine WordPress plugin (versions through 3.8.9.1) allows authenticated users with the Contributor role to inject crafted serialized objects that are deserialized by the plugin, potentially leading to code execution or other gadget-chain abuse on the host site. The flaw, reported by Patchstack and tracked under CWE-502, requires only the low-privileged Contributor role rather than admin access, which significantly broadens the attacker pool on multi-author WordPress installations. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated privilege escalation in LoginPress Pro WordPress plugin versions 6.2.2 and earlier allows remote attackers without credentials to elevate privileges on affected WordPress sites. Reported by Patchstack with a CVSS 9.8 critical rating, the flaw maps to CWE-266 (Incorrect Privilege Assignment) and no public exploit identified at time of analysis. Given the plugin's role in customizing WordPress login flows, a successful attacker could obtain administrator-level access to the underlying site.
Unauthenticated PHP Object Injection in the AI Lab WordPress theme versions prior to 5.4.2 enables remote attackers to deliver crafted serialized payloads to a vulnerable deserialization sink. With a CVSS 9.8 rating and no authentication required, successful exploitation can lead to arbitrary code execution, data theft, or full site takeover depending on which POP gadget chains are available in WordPress core or installed plugins. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated PHP object injection in the WooCommerce Product Filters WordPress plugin (versions prior to 2.0.6) allows remote attackers to deserialize attacker-controlled data and trigger PHP magic methods on existing application gadgets. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and CWE-502 root cause, successful exploitation can lead to remote code execution, arbitrary file operations, or full site takeover depending on available POP chains in WordPress core or co-installed plugins. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Privilege escalation in the Support Ticket Management System WordPress plugin (versions 1.9 and earlier) by Theme Passion allows remote unauthenticated attackers to elevate privileges on affected WordPress sites. With a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N) and no public exploit identified at time of analysis, the flaw maps to CWE-266 (Incorrect Privilege Assignment) and is tracked in the Patchstack database. Successful exploitation likely yields administrator-level access to the WordPress instance, enabling full site takeover.
Unauthenticated PHP object injection in the ThemeREX Addons WordPress plugin (versions 2.36.1.1 and earlier) allows remote attackers to inject crafted serialized objects that are deserialized by the plugin, potentially leading to remote code execution, arbitrary file operations, or full site compromise when a suitable PHP gadget chain is present. The flaw is reachable without authentication and scores CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Use after free in DigitalCredentials in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Authorization bypass in Avo (Ruby on Rails admin framework) versions <= 3.32.0 and 4.0.0.beta.1 through 4.0.0.beta.50 allows authenticated low-privileged users to attach arbitrary related records to parent resources via a direct POST to the associations endpoint, bypassing the `attach_<association>?` policy enforced only on the form-rendering GET. Publicly available exploit code exists (Python PoC in the GHSA advisory), and in deployments where associations encode teams, tenants, roles, or memberships, exploitation yields privilege escalation and cross-tenant data exposure.
Remote code execution in OpenHuman desktop agent through 0.54.0 allows attackers to escape the Supervised SecurityPolicy sandbox and run arbitrary OS commands as the desktop user via indirect prompt injection. Two allowlist bypasses in src/openhuman/security/policy.rs - missing coverage of find's -execdir/-okdir flags and pre-validation stripping of inline KEY=value env assignments (e.g. GIT_EXTERNAL_DIFF, GIT_SSH_COMMAND) - let an attacker turn an allowlisted command into arbitrary execution. No public exploit identified at time of analysis, but the vendor has shipped a fix in commit 60050aa (first stable release 0.56.0).
Heap memory address leakage in vLLM's Anthropic API router and speech-to-text WebSocket paths exposes the same ASLR-bypass primitive previously fixed in CVE-2026-22778. Five exception-handling sites across `vllm/entrypoints/anthropic/api_router.py`, `vllm/entrypoints/anthropic/serving.py`, and `vllm/entrypoints/speech_to_text/realtime/connection.py` echo raw `str(e)` output - including PIL BytesIO object repr strings containing heap addresses - directly to unauthenticated callers. A proof-of-concept is referenced in the advisory, and when chained with the parent CVE's libopenjp2 heap overflow, this leak reduces ASLR entropy from approximately 4 billion candidates to 8, enabling RCE; no public exploit identified at time of analysis for this CVE in isolation.
Remote code execution in python-statemachine 3.0.0 through 3.1.x allows attackers to run arbitrary Python in the host process by supplying a crafted SCXML document whose `<data expr="...">` attributes are passed unsandboxed to eval() inside SCXMLProcessor. Reported by VulnCheck with publicly available exploit code and a vendor advisory (GHSA-v4jc-pm6r-3vj8); no public exploit identified at time of analysis as actively in the wild, and the flaw is not listed in CISA KEV.
Unauthenticated remote code execution in NVIDIA Spatial Intelligence Lab's GEN3C inference API server allows network attackers to execute arbitrary Python code by sending crafted pickle payloads to the /request-inference and /seed-model endpoints. The endpoints feed raw HTTP bodies directly into pickle.loads() with no authentication or validation, so a standard __reduce__ gadget yields code execution as the inference process. No public exploit identified at time of analysis, but the upstream patch and a VulnCheck advisory document the precise vulnerable code path.
Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle detection by obfuscating eval calls nested under callable objects via getattr, causing the very tool intended to detect malicious pickles to miss them. Publicly available exploit code exists via the GHSA advisory PoC, though no public exploit identified at time of analysis as actively used in attacks; the CVSS 4.0 score of 9.3 reflects unauthenticated network-reachable impact on confidentiality, integrity, and availability.
Authentication bypass in Backpropagate 1.1.0 and 1.1.1 lets any client that can reach the Reflex web UI's bound port take full control of the training control plane, despite the operator passing --auth user:pass. The CLI advertised and confirmed authentication as active, but the Reflex backend never read the BACKPROPAGATE_UI_AUTH variable and registered no middleware, so dataset upload, training control, GGUF export, and HuggingFace Hub push were exposed unauthenticated. No public exploit identified at time of analysis, but the gap is trivially reachable and CVSS 4.0 is 9.3.
HTTP request smuggling in Tinyproxy through 1.11.3 allows remote unauthenticated attackers to desynchronize the proxy and its backend by sending requests with multiple Content-Length headers having differing values. Because Tinyproxy forwards all duplicate Content-Length headers while parsing only the first value, downstream servers may interpret request boundaries differently, enabling cache poisoning, access control bypass, and request hijacking. No public exploit identified at time of analysis, but the underlying primitive is well documented and the upstream commit 364cdb6 clearly demonstrates the parsing flaw.
HTTP request smuggling in Tinyproxy through 1.11.3 lets remote unauthenticated attackers desynchronize the proxy and backend by sending requests carrying both Content-Length and Transfer-Encoding: chunked headers. Tinyproxy forwards both headers verbatim while parsing the body using Content-Length, producing a classic CL.TE desync that enables cache poisoning, access control bypass, and request hijacking against the backend. No public exploit identified at time of analysis, though VulnCheck has published an advisory and the upstream issue/PR describe the bug in detail.
Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visitors of any published bot containing a file-input block to write attacker-controlled HTML, SVG, or JavaScript into arbitrary subpaths of the shared public S3 bucket. The flaw stems from an unauthenticated presigned-URL endpoint that trusts a raw fileName parameter and does not bind Content-Type, enabling stored XSS on the storage origin and content hosting under other tenants' result paths. No public exploit identified at time of analysis, but the CVSS 9.3 (scope-changed) reflects significant cross-tenant impact.
Path traversal in BBOT's unarchive internal module enables a malicious archive hosted by attacker-controlled infrastructure to write files outside the intended extraction directory when BBOT runs on systems with GNU tar < 1.34. This vulnerability is a residual gap from CVE-2025-10284, which resolved git-specific RCE vectors but left the underlying archive extraction path validation entirely unimplemented, relying instead on inconsistent external tool behavior across platforms. No public exploit has been identified at time of analysis; the CVSS vector (AC:H/UI:R) constrains real-world risk to BBOT operators actively scanning attacker-controlled targets on affected OS distributions, but the high integrity impact (I:H) and zero privilege requirement (PR:N) are significant for red-team and CI/CD BBOT deployments running on legacy base images.
The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoint behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request
{flow_id} endpoint, causing disk exhaustion (DoS) and leaking the absolute filesystem path of the cache directory in the JSON response. No public exploit identified at time of analysis beyond the reporter's PoC, and the issue is not on CISA KEV, but exploitation is trivial - a single unauthenticated curl request - and the fix landed in 1.9.1 via PR #12831.
Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the scanner by invoking the module-level profile.run() function, which is missing from the blocklist that only covers Profile.run and Profile.runctx. The scanner reports zero issues while pickle.loads() triggers exec() of attacker-controlled Python. No public exploit identified at time of analysis beyond the proof-of-concept in the GHSA advisory, and the issue is not listed in CISA KEV.
Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past the scanner by exploiting an off-by-one parsing error in STACK_GLOBAL opcode handling. The flaw, reported by VulnCheck and tracked under GHSA-9gvj-pp9x-gcfr, lets crafted pickles trigger an unexpected exception in _list_globals so dangerous imports such as os.system go unflagged; a working PoC is published in the advisory and a vendor patch is available, though no public exploitation against deployments has been observed.
Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by smuggling the unblocked ctypes module into a pickle payload. A working POC demonstrates loading kernel32.dll via ctypes.WinDLL and invoking WinExec to launch arbitrary commands during pickle deserialization scans or downstream loads. Publicly available exploit code exists in the GHSA-4675-36f9-wf6r advisory, and the flaw undermines the very security guarantee picklescan is deployed to provide for ML model pipelines.
Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing distutils.file_util.write_file inside crafted pickle payloads. Because picklescan is used as a safety gate before loading ML model pickles, a bypass means malicious models pass scanning and can overwrite files on disk to achieve denial of service or remote code execution. Publicly available exploit code exists in the GHSA advisory, though there is no public exploit identified at time of analysis indicating active exploitation.
Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle detection by using pydoc.locate and operator.methodcaller, which were missing from the deny-list. Any downstream tool that trusts a 'clean' picklescan verdict and then deserializes the pickle (e.g., ML model loaders) will execute attacker-supplied code. Publicly available exploit code exists (GHSA PoC), and CVSS 4.0 is rated 9.3 Critical, though no public exploit identified at time of analysis in CISA KEV.
Blind SQL injection in the StylemixThemes Motors WordPress plugin (versions up to and including 1.4.109) allows remote unauthenticated attackers to inject crafted SQL fragments into backend queries, leading to confidentiality compromise of the WordPress database and limited availability impact. The CVSS 3.1 base score of 9.3 reflects a scope change (S:C), meaning the impact extends beyond the plugin to the underlying database engine shared with the WordPress core. No public exploit identified at time of analysis, but the SQLi class and unauthenticated network vector make this a high-priority issue for sites running the Motors car dealership/classified listings plugin.
Blind SQL injection in the VillaTheme GIFT4U WordPress plugin (versions through 1.0.10) allows remote unauthenticated attackers to inject arbitrary SQL into backend queries via unsanitized user input. The CVSS 9.3 score reflects a scope-changed impact with high confidentiality loss and partial availability impact, though no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Blind SQL injection in the WP Travel Gutenberg Blocks WordPress plugin (versions up to and including 3.9.4) allows remote unauthenticated attackers to inject arbitrary SQL into backend queries, exfiltrating data from the WordPress database via inference-based techniques. The CVSS 9.3 score reflects a scope-changed impact (S:C) where database compromise affects components beyond the plugin itself, though no public exploit identified at time of analysis. The vulnerability was reported by Patchstack and impacts WordPress sites running this travel-booking block plugin in default configurations.
Blind SQL injection in the Cargo RD 'Cargo Shipping Location for WooCommerce' WordPress plugin (versions up to and including 5.6) allows remote unauthenticated attackers to inject arbitrary SQL via unsanitized input passed to backend database queries. The flaw carries a CVSS 3.1 base score of 9.3 (Critical) due to its network-reachable, no-privilege, no-interaction profile and scope-changed confidentiality impact, and no public exploit identified at time of analysis.
Blind SQL injection in Webilia's Listdom WordPress plugin (versions up to and including 5.4.0) allows remote unauthenticated attackers to inject SQL fragments into back-end queries and extract data inferentially. The flaw carries a 9.3 CVSS score with a scope change (S:C), indicating the injection can affect resources beyond the vulnerable component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated SQL injection in the Advanced Ads - Tracking WordPress plugin versions prior to 3.0.7 allows remote attackers to inject arbitrary SQL into backend database queries without authentication. The CVSS 9.3 score with scope change (S:C) indicates the impact extends beyond the plugin to the underlying WordPress database, enabling data exfiltration and partial availability disruption. No public exploit identified at time of analysis, but the unauthenticated network-accessible nature makes this attractive for opportunistic scanning of WordPress installations.
Unauthenticated SQL injection in the WP eMember WordPress plugin versions prior to 10.9.4 allows remote attackers to inject arbitrary SQL through unsanitized input handled by the plugin. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 9.3 with a scope change, indicating impact beyond the vulnerable component; no public exploit identified at time of analysis.
Unauthenticated SQL injection in the JetEngine WordPress plugin versions 3.8.10.1 and earlier allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 3.1 score of 9.3 (Critical) reflects a scope change with high confidentiality and low availability impact, indicating attacker-controlled queries can reach data beyond the plugin's own context. No public exploit identified at time of analysis, but the lack of authentication requirements makes this a high-priority patch target for any site running the affected versions.
Unauthenticated SQL injection in the eyecix JobSearch WordPress plugin (versions 3.2.9 and earlier) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. With a CVSS 3.1 score of 9.3 and a Scope:Changed vector indicating impact beyond the vulnerable component, the flaw enables high-confidentiality data theft from the WordPress database including user records and credentials. No public exploit identified at time of analysis, but Patchstack-tracked WordPress plugin SQLi issues are commonly weaponized shortly after disclosure.
Unauthenticated SQL injection in the JetEngine WordPress plugin versions prior to 3.8.9.1 allows remote attackers to inject malicious SQL into backend database queries without any authentication or user interaction. The flaw carries a CVSS 3.1 score of 9.3 with a changed scope, enabling data disclosure across the WordPress installation and partial impact on availability. No public exploit identified at time of analysis, but the unauthenticated network-reachable nature combined with JetEngine's wide deployment across Crocoblock-powered WordPress sites makes this a high-priority issue.
Unauthenticated SQL injection in the JetSearch WordPress plugin (versions <= 3.5.17) allows remote attackers to inject arbitrary SQL into backend database queries without any authentication or user interaction. The flaw carries a CVSS 9.3 (Critical) score with a scope change, meaning impact extends beyond the plugin to the underlying WordPress database. No public exploit identified at time of analysis, but the trivial attack complexity and lack of authentication requirement make this a high-priority patching target for any WordPress site running the plugin.
Unauthenticated SQL injection in the JetEngine WordPress plugin (versions up to and including 3.8.9.1) allows remote attackers without credentials to inject arbitrary SQL through plugin-handled inputs. With a CVSS 3.1 score of 9.3 (scope-changed) and no authentication or user interaction required, the flaw is well-suited for opportunistic, mass exploitation of WordPress sites that use this popular Crocoblock plugin. No public exploit identified at time of analysis, but Patchstack has catalogued the issue, indicating vendor-side confirmation.
Unauthenticated SQL injection in the JetSmartFilters WordPress plugin (versions ≤ 3.8.1) allows remote attackers to inject arbitrary SQL queries against the underlying WordPress database without any authentication or user interaction. The CVSS 9.3 score reflects a scope-changing flaw with high confidentiality impact and low availability impact, and no public exploit has been identified at time of analysis. The vulnerability was disclosed via Patchstack and affects a popular Crocoblock/JetImpex filtering plugin widely deployed on WordPress sites.
Unauthenticated SQL injection in Blocksy Companion Pro (a premium WordPress plugin from Creative Themes) prior to version 2.1.29 allows remote attackers to inject arbitrary SQL into backend database queries without any login or user interaction. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H) with scope-change indicates the impact crosses a security boundary, with full confidentiality compromise of database contents and limited integrity/availability effect. No public exploit identified at time of analysis, but the vulnerability class and SSDLC profile are highly attractive to automated scanners targeting WordPress.
Unauthenticated SQL injection in the WPJobster WordPress theme versions 6.3.5 and earlier allows remote attackers to inject SQL queries without any authentication or user interaction. Reported by Patchstack and tracked under CWE-89, the issue carries a CVSS 3.1 score of 9.3 with a scope-changed impact, meaning a successful injection can affect resources beyond the vulnerable component. No public exploit identified at time of analysis, but the network-reachable, low-complexity nature of WordPress theme endpoints makes this a high-priority issue for any site running the affected theme.
SQL injection in Tutor LMS Pro (Themeum) versions 3.9.6 and earlier allows remote unauthenticated attackers to inject arbitrary SQL against the underlying WordPress database. The CVSS 9.3 rating reflects a scope change with high confidentiality impact, meaning data accessible to the WordPress backend can be exposed. As of analysis, no public exploit identified at time of analysis, and the issue is tracked via Patchstack.
Remote heap-based buffer overflow in RTI Connext Professional Core Libraries allows unauthenticated network attackers to corrupt heap memory in the DDS middleware, impacting integrity and availability of both the vulnerable component and downstream subsystems. The flaw spans a wide range of long-supported branches (5.0.x through 7.6.x) and carries a CVSS 4.0 score of 9.2, though no public exploit identified at time of analysis.
Out-of-bounds read in RTI Connext Professional Core Libraries allows remote unauthenticated attackers to read beyond intended buffer bounds, with the CVSS 4.0 vector (9.2 Critical) indicating high availability impact on both the vulnerable component and downstream systems consuming its data. The flaw affects a wide range of Connext Professional releases used as DDS middleware in defense, autonomous, and industrial deployments. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Authentication bypass in Hermes WebUI before 0.51.409 allows unauthenticated remote attackers to register the first passkey on instances where HERMES_WEBUI_PASSKEY=1 is set and no credentials yet exist, yielding permanent administrative control. The flaw resides in the passkey registration API endpoints, which fail to enforce authentication during the initial enrollment window. No public exploit identified at time of analysis, but a vendor patch is available and the issue was disclosed by VulnCheck.
Authenticated remote command execution in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) allows administrators to run arbitrary OS commands and escalate to root via a crafted HTTP request. The flaw, tracked as CVE-2026-20181 and reported by Cisco with a CVSS 3.1 score of 9.1 (scope-changed), can also crash single-node deployments and deny network access to unauthenticated endpoints. There is no public exploit identified at time of analysis.
JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation allowing attackers to execute arbitrary code.
Authenticated command injection in Splunk AI Toolkit versions below 5.7.4 allows a user with the Splunk admin role to execute arbitrary OS commands on the underlying Splunk Enterprise host. The flaw lives in the btool configuration helper, which builds shell command strings from dynamic parameters with shell interpretation enabled. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated broken access control in WPMET MetForm Pro WordPress plugin versions 3.9.1 and earlier allows remote attackers to access protected functionality without credentials, with CVSS 9.1 reflecting high confidentiality and availability impact. Reported by Patchstack, the flaw stems from missing authorization (CWE-862) on plugin endpoints, and no public exploit identified at time of analysis.
Unauthenticated arbitrary file upload in the SigmaForms Pro - AI Generated Forms WordPress plugin (versions <= 1.4.5) allows remote attackers to upload files of their choosing to the underlying web server, enabling webshell deployment and full site takeover. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 9.0 with scope change, indicating impact beyond the vulnerable component. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated remote PowerShell execution in CursorTouch Windows-MCP prior to version 0.7.5 allows attackers to reach the MCP control plane over HTTP and invoke the built-in PowerShell tool as the Windows user running the server. The flaw stems from SSE and streamable-http transports being built without an auth provider while wildcard CORS (allow_origins=*) is applied, opening the path to cross-origin browser pages and any non-browser HTTP client. No CISA KEV listing exists, but the CVSS 4.0 vector includes E:P, indicating publicly available exploit code exists.