Use-after-free in NGINX Open Source's ngx_http_v3_module allows remote unauthenticated attackers to crash worker processes and potentially execute arbitrary code on hosts where HTTP/3 QUIC is enabled. Exploitation requires a specially crafted HTTP/3 session that reopens a QPACK encoder stream, with code execution contingent on ASLR being disabled or bypassed; no public exploit identified at time of analysis, though SSVC technical impact is rated total.
Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic upstream when ignore_invalid_headers is off and large_client_header_buffers exceeds 2 MB. Remote unauthenticated attackers sending oversized headers can crash the worker process, and where ASLR is disabled or bypassable, achieve arbitrary code execution. No public exploit identified at time of analysis and CISA SSVC marks exploitation as 'none', but technical impact is rated total.
Remote code execution in libssh2 through version 1.11.1 stems from an unchecked packet_length field in ssh2_transport_read() that allows attackers to send oversized SSH packets and corrupt heap memory. The flaw was reported by VulnCheck and is fixed upstream in commit 97acf3df (PR #2052), which adds an upper-bound check against LIBSSH2_PACKET_MAXPAYLOAD. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 9.2 reflects pre-authentication network reach with high impact on confidentiality, integrity, and availability.
Authentication bypass in Network-AI versions 5.7.1 and earlier allows unauthenticated remote attackers to invoke all 22 MCP tools on the SSE server because the default secret is empty and `_isAuthorized()` returns true when no secret is configured. Despite the partial fix for CVE-2026-46701 in 5.4.5 (which restricted CORS to localhost origins), any non-browser caller - curl, SSRF, or a service exposed via a 0.0.0.0 bind - can still call privileged operations like `config_set`, `agent_spawn`, `blackboard_write`, and token management with zero credentials. No public exploit identified at time of analysis, but the GHSA advisory includes annotated source-code locations that effectively serve as a roadmap for exploitation.
Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked function past its scanner using pkgutil.resolve_name as an indirection primitive. Because pkgutil.resolve_name is not on the blocklist, an attacker can chain two REDUCE opcodes to resolve and invoke os.system, builtins.exec, subprocess.call, or any other dangerous function while the scanner reports the pickle as CLEAN - a universal blocklist bypass that defeats picklescan's entire safety premise. No public exploit is identified in CISA KEV, but the GHSA advisory authored by VulnCheck publishes a complete working technique, so weaponization is trivial.
Local privilege escalation in Google Android's NFC subsystem allows unprivileged local apps to gain special app access permissions without user interaction, due to an insecure default value in NfcDispatcher.tryStartActivity. Affected Android builds are covered by the Android Security Bulletin (android-17 reference). No public exploit identified at time of analysis; tagged as Privilege Escalation by the Android reporter.
Local privilege escalation in Google Android's Telecomm component allows applications to initiate unauthorized phone calls by bypassing permission checks, with no user interaction required. The flaw is reported through the Android Security Bulletin for Android 17 and carries a CVSS 4.0 score of 10.0, though no public exploit identified at time of analysis. Despite the network-vector CVSS rating, the description characterizes this as local escalation of privilege, suggesting realistic exploitation requires a malicious app already installed on the device.
Local privilege escalation in Google Android's Package Manager allows on-device attackers to bypass the device lock controller due to a missing permission check, with no user interaction required. The flaw, disclosed in the Android Security Bulletin for Android 17, carries a vendor CVSS 4.0 score of 10.0 but is described as a local escalation. No public exploit identified at time of analysis.
Local privilege escalation in Google Android's telephony subsystem (PhoneInterfaceManager) allows attackers to disable carrier restrictions without any user interaction or additional execution privileges. The flaw stems from a logic error in the setAllowedCarriers handler and is addressed in the Android Security Bulletin for Android 17. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Local privilege escalation in Android's SettingsLib component stems from a missing permission check caused by a logic error, allowing on-device attackers to elevate privileges without user interaction or additional execution rights. No public exploit identified at time of analysis, and the issue is addressed in the Android Security Bulletin for Android 17. The CVSS 4.0 vector supplied (AV:N) conflicts with the description's 'local escalation' wording and should be treated as a discrepancy.
Local privilege escalation in Google Android's NFC subsystem stems from a use-after-free condition in Nfc::eventCallback() within Nfc.h, triggerable via a race condition without user interaction or additional execution privileges. Affected devices covered by the Android Security Bulletin for Android 17 can have an unprivileged local process win the race and elevate to higher-privileged context. No public exploit identified at time of analysis; the vulnerability was disclosed by Google through the Android security bulletin process.
Local privilege escalation in Google Android's NFC subsystem allows an unprivileged local app to spoof NFC events because of a missing permission check, granting capabilities normally reserved for privileged components. No user interaction is required, and no public exploit has been identified at time of analysis, though the issue is tracked in the Android Security Bulletin for Android 17. Despite the CVSS 4.0 vector encoding AV:N, the description clearly describes a local Android attack surface.
Local privilege escalation in Android's PackageInstallerService allows a malicious app to remove a Device Policy Controller (DPC) from a managed device without Device Owner consent, breaking the enterprise management boundary. The flaw stems from a desynchronization between in-memory state and persisted state in createSessionInternal, and no public exploit has been identified at time of analysis. User interaction is required, but no additional execution privileges are needed beyond installing the malicious app.
Unauthenticated arbitrary file upload in the Extendons 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' (versions <= 1.0.7) lets remote attackers upload arbitrary files, including PHP webshells, to vulnerable WordPress sites and gain code execution. The CVSS 10.0 score with Scope:Changed reflects that compromise of the plugin can escalate to full host takeover, though no public exploit was identified at time of analysis and the flaw is not listed in CISA KEV.
Local information disclosure in Android's MmsSmsProvider component allows installed applications to read sensitive SMS/MMS data without holding the required permissions. The flaw stems from a missing permission check inside MmsSmsProvider.java, enabling any local app to query the content provider and exfiltrate message data without user interaction. No public exploit identified at time of analysis, and the issue is addressed in the Android Security Bulletin for Android 17.
Local information disclosure in the Android Contacts Provider component permits an on-device attacker to extract data from the contacts database via SQL injection without requiring additional execution privileges or user interaction. The flaw is addressed in the Android Security Bulletin for Android 17, and no public exploit identified at time of analysis. Although the input CVSS 4.0 score is 10.0 with a network vector, the description explicitly characterizes the impact as local, which security teams should reconcile before prioritization.
Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.transfer() that allows a local app to trigger memory exhaustion of the system package installer. The flaw, addressed in the Android Security Bulletin for Android 17, can be triggered without user interaction and without elevated privileges, but its impact is confined to denial of service rather than code execution. No public exploit identified at time of analysis.
Persistent denial of service in Google Android allows local attackers to exhaust device resources in multiple code paths, rendering functionality unavailable until manual intervention. The flaw requires no privileges and no user interaction, and is addressed in the Android Security Bulletin for android-17. No public exploit identified at time of analysis and no EPSS or KEV signal is provided.
Subscriber Arbitrary File Upload in Grip <= 1.0.9 versions. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Arbitrary file write via path traversal in SOLIDWORKS Visualize (bundled with SOLIDWORKS Desktop 2024 through 2026) allows remote attackers to place files at attacker-chosen locations on the server. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates remote, unauthenticated exploitation with high impact across confidentiality, integrity, and availability. At time of analysis, no public exploit identified and the issue is not on the CISA KEV list.
Remote code execution in Blocksy Companion Pro (Creative Themes) versions 2.1.37 and earlier allows authenticated users with Contributor-level WordPress privileges to inject and execute arbitrary code on the underlying server. The flaw carries a CVSS 3.1 base score of 9.9 with scope change, reflecting that successful exploitation breaks out of the WordPress application context. No public exploit identified at time of analysis, but Patchstack has catalogued the issue in its WordPress vulnerability database.
Arbitrary file upload in the Charity Zone WordPress theme (versions 1.1.1 and prior) allows authenticated users with only Subscriber-level privileges to upload files of attacker-chosen type, leading to remote code execution under the web server context. The flaw was disclosed via Patchstack and carries a CVSS 9.9 due to the scope change from a low-privileged WordPress role to full server compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary file upload in the Kids Gift Shop WordPress theme (versions 0.5.4 and earlier) allows authenticated users with Subscriber-level privileges to upload arbitrary files to the server. The CVSS 3.1 score of 9.9 with scope change reflects the potential for remote code execution leading to full site compromise, and no public exploit identified at time of analysis.
Arbitrary file upload in the Ecommerce Zone WordPress theme (versions <= 0.9.7) allows authenticated low-privileged users (Subscriber role) to upload files of attacker-chosen types, resulting in a CVSS 9.9 critical scoring with scope change. No public exploit identified at time of analysis, and the issue was reported by Patchstack via their WordPress vulnerability database. Successful exploitation typically leads to remote code execution on the underlying web server.
Arbitrary file upload in the Restaurant Zone WordPress theme through version 0.7.8 allows authenticated attackers with only Subscriber-level privileges to upload arbitrary files to the underlying server, leading to remote code execution and full site compromise. The CVSS 3.1 score of 9.9 reflects the scope-changing impact achievable from a minimally privileged account; no public exploit is identified at time of analysis and the issue is not currently listed in CISA KEV.
Arbitrary file upload in the Webenvo WordPress theme (versions <= 0.0.6) allows authenticated low-privilege users (Subscriber role) to upload arbitrary files, leading to remote code execution and full site compromise. The CVSS 9.9 score reflects scope change and high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Arbitrary file upload in the Unlimited Elements for Elementor (Premium) WordPress plugin versions 2.0.6 and earlier allows authenticated users with Contributor-level privileges to upload arbitrary files, leading to remote code execution on the underlying WordPress host. Reported by Patchstack and rated CVSS 9.9 with a scope-changing impact, no public exploit identified at time of analysis but the low privilege bar makes this a high-priority issue for any site that permits Contributor accounts.
Arbitrary file upload in the WishList Member X WordPress plugin versions 3.29.0 and earlier allows authenticated subscriber-level users to upload malicious files, with a CVSS 9.9 score reflecting scope change and full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the low privilege requirement (subscriber is the lowest authenticated WordPress role) makes this trivially reachable on any site permitting user registration. The vulnerability was disclosed via Patchstack and is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type).
Arbitrary file upload in the Restaurt WordPress theme versions 1.0.4 and earlier allows authenticated users with Subscriber-level privileges to upload arbitrary files, potentially leading to remote code execution on the WordPress host. The CVSS 9.9 score reflects scope-changed impact across confidentiality, integrity, and availability, though no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Arbitrary file upload in the PT Luxa Addons WordPress plugin (versions 1.2.2 and earlier) allows authenticated users with low-privilege Subscriber accounts to upload attacker-controlled files to a WordPress site, leading to remote code execution and full site compromise. The scope-changed CVSS 9.9 reflects that a minimally privileged WordPress user can pivot to code execution affecting the entire web server. No public exploit identified at time of analysis.
PHP Object Injection in the EMV Creatify WordPress theme (versions up to and including 1.5) allows remote unauthenticated attackers to trigger insecure deserialization of attacker-supplied data, potentially leading to arbitrary code execution, file operations, or full site compromise depending on available gadget chains in the WordPress runtime. Patchstack catalogs this as a PHP Object Injection issue under CWE-502, and no public exploit was identified at time of analysis. EPSS data was not supplied, but the CVSS 9.8 rating reflects unauthenticated network-reachable impact.
Unauthenticated PHP Object Injection in the EMV "The Hospital" WordPress theme (nrghospital) through version 1.8.1 lets remote attackers trigger deserialization of attacker-controlled data, which can be chained with available POP gadgets to achieve full compromise of the host site. CVSS 9.8 reflects unauthenticated network exploitability with high CIA impact; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Unauthenticated PHP object injection in the Themeton 'The Barber Shop' WordPress theme (versions up to and including 1.9) allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or full site compromise when a usable POP gadget chain is present. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 9.8, though no public exploit identified at time of analysis and EPSS data was not provided. The vulnerability is rooted in CWE-502 (Deserialization of Untrusted Data), a class historically abused for RCE in WordPress plugin/theme ecosystems.
PHP object injection in the Themeton Lagom WordPress theme (versions up to and including 2.0) allows remote attackers to trigger unsafe deserialization of attacker-controlled data, potentially leading to full site compromise. The flaw is reported by Patchstack and carries a critical CVSS of 9.8 (AV:N/AC:L/PR:N/UI:N); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution via unauthenticated PHP Object Injection affects the Moderno WordPress theme in all versions prior to 1.43, enabling attackers to send crafted serialized payloads that trigger malicious object instantiation. With CVSS 9.8 and a fully remote, no-interaction attack vector, successful exploitation hinges on the presence of usable POP gadget chains in WordPress core or co-installed plugins. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated PHP Object Injection in the ThemeREX Plumbing WordPress theme versions 1.6 and earlier allows remote attackers to inject arbitrary PHP objects via untrusted deserialization, potentially leading to full site compromise when a suitable POP gadget chain is present. No public exploit identified at time of analysis, but the CVSS 9.8 rating and unauthenticated network attack vector make this a high-priority issue for any WordPress site running this theme.
Unauthenticated PHP object injection in the ThemeREX Reisen WordPress theme versions 1.4.1 and earlier allows remote attackers to trigger deserialization of attacker-controlled data without authentication. Successful exploitation can lead to full site compromise via gadget chains commonly available in WordPress core or active plugins, with CVSS rated 9.8 critical. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Unauthenticated privilege escalation in the ThemeGrill Registration Form for WooCommerce WordPress plugin (versions <= 1.0.9) allows remote attackers to elevate privileges without credentials, potentially gaining administrative control over the WordPress site. With a CVSS of 9.8 and no public exploit identified at time of analysis, the flaw is reported by Patchstack and tagged as a Privilege Escalation issue in the WordPress plugin ecosystem.
Unauthenticated PHP object injection in the WP Activity Log WordPress plugin versions 5.6.3.1 and earlier allows remote attackers to deliver crafted serialized payloads that are deserialized by the plugin, enabling abuse of any POP (property-oriented programming) gadget chain present in WordPress core, other active plugins, or themes. With a CVSS 3.1 base of 9.8 (AV:N/AC:L/PR:N/UI:N) and no authentication required, successful exploitation typically yields remote code execution, arbitrary file operations, or database compromise on the affected site. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated network-reachable nature makes it a high-priority patch for any site running the plugin.
Privilege escalation in the WordPress plugin SMS Alert Order Notifications (by Cozy Vision Technologies) versions 3.9.4 and earlier allows low-privileged users - specifically Subscriber-level accounts - to elevate their permissions on the WordPress site. Patchstack catalogued this as an authorization/authentication-bypass class issue (CWE-863). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated PHP Object Injection in Crocoblock JetEngine WordPress plugin versions 3.8.10 and earlier allows remote attackers to inject arbitrary PHP objects, potentially leading to full site compromise via gadget-chain abuse. The CVSS 9.8 score reflects network-reachable, no-authentication, no-interaction exploitation against a widely deployed commercial WordPress plugin. No public exploit identified at time of analysis, but the unsafe-deserialization class (CWE-502) historically yields fast weaponization once a usable POP chain is published.
Authentication bypass in the wpForo Forum WordPress plugin versions 3.1.0 and earlier allows remote unauthenticated attackers to compromise affected sites with high impact to confidentiality, integrity, and availability. The flaw is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and carries a CVSS 9.8 rating, though no public exploit identified at time of analysis. The vulnerability is not currently listed in CISA KEV.
Unauthenticated PHP Object Injection in the Thrive Apprentice WordPress plugin (versions prior to 10.8.10.2) allows remote attackers to inject arbitrary PHP objects that get deserialized by the application, potentially leading to remote code execution when a suitable POP gadget chain is present. The flaw is reachable without authentication and carries a CVSS 9.8 critical rating with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
PHP Object Injection in the JetEngine WordPress plugin (versions through 3.8.9.1) allows authenticated users with the Contributor role to inject crafted serialized objects that are deserialized by the plugin, potentially leading to code execution or other gadget-chain abuse on the host site. The flaw, reported by Patchstack and tracked under CWE-502, requires only the low-privileged Contributor role rather than admin access, which significantly broadens the attacker pool on multi-author WordPress installations. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated privilege escalation in LoginPress Pro WordPress plugin versions 6.2.2 and earlier allows remote attackers without credentials to elevate privileges on affected WordPress sites. Reported by Patchstack with a CVSS 9.8 critical rating, the flaw maps to CWE-266 (Incorrect Privilege Assignment) and no public exploit identified at time of analysis. Given the plugin's role in customizing WordPress login flows, a successful attacker could obtain administrator-level access to the underlying site.
Unauthenticated PHP Object Injection in the AI Lab WordPress theme versions prior to 5.4.2 enables remote attackers to deliver crafted serialized payloads to a vulnerable deserialization sink. With a CVSS 9.8 rating and no authentication required, successful exploitation can lead to arbitrary code execution, data theft, or full site takeover depending on which POP gadget chains are available in WordPress core or installed plugins. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated PHP object injection in the WooCommerce Product Filters WordPress plugin (versions prior to 2.0.6) allows remote attackers to deserialize attacker-controlled data and trigger PHP magic methods on existing application gadgets. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and CWE-502 root cause, successful exploitation can lead to remote code execution, arbitrary file operations, or full site takeover depending on available POP chains in WordPress core or co-installed plugins. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Privilege escalation in the Support Ticket Management System WordPress plugin (versions 1.9 and earlier) by Theme Passion allows remote unauthenticated attackers to elevate privileges on affected WordPress sites. With a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N) and no public exploit identified at time of analysis, the flaw maps to CWE-266 (Incorrect Privilege Assignment) and is tracked in the Patchstack database. Successful exploitation likely yields administrator-level access to the WordPress instance, enabling full site takeover.
Unauthenticated PHP object injection in the ThemeREX Addons WordPress plugin (versions 2.36.1.1 and earlier) allows remote attackers to inject crafted serialized objects that are deserialized by the plugin, potentially leading to remote code execution, arbitrary file operations, or full site compromise when a suitable PHP gadget chain is present. The flaw is reachable without authentication and scores CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Use after free in DigitalCredentials in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)