Remote code execution in PTC Windchill PDMlink and PTC FlexPLM allows unauthenticated network attackers to execute arbitrary code via deserialization of untrusted data. All releases prior to 11.0 M030 are affected, as are all CPS versions, and no public exploit identified at time of analysis. Reported by PTC themselves, the flaw carries a CVSS 4.0 base score of 9.3 (critical) reflecting high impact across confidentiality, integrity, and availability without requiring authentication or user interaction.
Server-side request forgery in Gotenberg v8.33.0 and earlier allows remote unauthenticated attackers to coerce the server into making arbitrary outbound HTTP(S) requests and to disclose local image files by uploading a crafted DOCX to the /forms/libreoffice/convert endpoint. The flaw stems from LibreOffice automatically resolving external and local resources referenced in <img> tags during conversion, exposing internal networks and on-disk image files. Publicly available exploit code exists via the vendor's GHSA-2mrg-35hw-x3x9 advisory, though no CISA KEV listing or EPSS data is available at time of analysis.
Remote code execution in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras allows unauthenticated attackers to run arbitrary code by sending a specially crafted web request to the device's HTTP interface. The flaw was reported through CISA's ICS-CERT coordination process and carries a CVSS 4.0 base score of 9.3, but there is no public exploit identified at time of analysis and the CVE is not on the CISA KEV list.
Kernel stack memory disclosure in OpenBSD's MPLS input processing exposes arbitrary kernel stack contents to unauthenticated remote attackers via crafted MPLS frames. The flaw exists in `mpls_do_error` within `sys/netmpls/mpls_input.c` (revision 1.81), where a label-stack iterator lacked an upper-bounds guard, allowing a 16-label frame with no Bottom-of-Stack bit to drive an out-of-bounds read. A publicly available exploit exists per the Argus Systems advisory; this vulnerability is not confirmed as actively exploited in the CISA KEV catalog, and the CVSS 4.0 score is 6.9.
Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote code execution on any WordPress server running an affected installation whose form fields have an empty extension allowlist. The vulnerability is reachable via an unauthenticated AJAX endpoint, requires no privileges or user interaction, and a publicly available proof-of-concept exploit exists per WPScan. Despite the plugin's limited adoption, the combination of a public exploit, zero authentication requirement, and full server-side code execution makes this a materially higher-risk issue than the vendor-assigned CVSS score of 6.5 suggests.
Code execution in AzeoTech DAQFactory versions 21.1 and prior is achievable when a user opens a maliciously crafted .ctl project file, triggering a CWE-843 type confusion that corrupts memory. The flaw was reported through CISA ICS-CERT, which is significant because DAQFactory is HMI/SCADA software where engineering project files are routinely shared between integrators and operators. There is no public exploit identified at time of analysis, but the file-borne delivery pattern is well-suited to phishing or supply-chain handoffs targeting OT engineers.
Authentication bypass in StarTree mcp-pinot versions 3.0.1 and earlier exposes the Model Context Protocol HTTP server on 0.0.0.0:8080 by default with no authentication, allowing any network-adjacent attacker to invoke every MCP tool - including SQL execution, schema creation, and table-config mutation - against the backing Apache Pinot cluster using the server's own credentials. The maximum CVSS 10.0 score reflects a scope-changing confused-deputy condition. No public exploit identified at time of analysis, but the trivial reachability and presence of write/DDL tooling make exploitation straightforward once the port is found.
Persistent local denial of service in Google Android (Wear OS) is possible due to a missing permission check declared in AndroidManifest.xml, allowing a co-resident unprivileged app to invoke a protected component and render device functionality unavailable. No user interaction or elevated privileges are required, but exploitation is local rather than remote despite the headline CVSS 4.0 score of 10.0. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Privilege escalation in Microsoft Dynamics 365 allows authenticated low-privileged users to gain elevated rights across a network due to improper access control enforcement. The flaw carries a critical CVSS 9.9 score with scope change, indicating impact beyond the vulnerable component, and Microsoft has issued a patch via MSRC. No public exploit identified at time of analysis, and the vector's Exploit Code Maturity is rated Unproven.
Prototype pollution in deepstream.io versions prior to 10.0.5 allows an authenticated client with write permission to any record to corrupt the Node.js Object prototype by submitting record-update messages whose path contains tokens such as __proto__, constructor, or prototype. Because deepstream's permission valve and record-transition pipeline both invoke setValue with the attacker-controlled path, polluting the prototype can taint subsequent permission and transition logic and lead to privilege escalation across all connected clients. No public exploit identified at time of analysis, though the upstream commit (54b8e29) and patch tests publicly demonstrate the exact vulnerable path semantics.
Stack buffer overflow in Coturn's OAuth token decoder (decode_oauth_token_gcm()) lets remote unauthenticated attackers corrupt the server stack in all versions prior to 4.10.0. An attacker-controlled uint16_t nonce_len value (up to 65535) read from an OAuth access token is passed straight into memcpy() against a 256-byte stack buffer before any AES-GCM authentication, so no OAuth key or valid token is required to write up to 735 bytes past the buffer. Publicly available exploit code exists (SSVC: PoC) but it is not in CISA KEV, EPSS is low at 0.36% (27th percentile), and exploitation is gated on the non-default --oauth mode being enabled.
Hostname validation bypass in Node.js (versions 22.22.3, 24.16.0, and 26.3.0) lets attackers smuggle embedded NUL bytes through the dns and net subsystems, truncating a hostname after the NUL so that application-level allowlists, SNI checks, or destination filters validate one host while the runtime resolves or connects to another. The Node.js project rates this specific issue Medium and shipped the fix in its June 2026 security release; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.28%, 20th percentile), and it is not in CISA KEV. Note a significant signal conflict: the aggregate input score of CVSS 9.8 with an 'Authentication Bypass' tag is far above the vendor's own Medium rating for this CVE and appears to be an inflated pre-NVD auto-score.
Authentication bypass in Bitnami Cassandra container images (4.0.x, 4.1.x, 5.0.x lines) allows remote attackers to access the database as superuser using the built-in cassandra:cassandra credentials, even when operators configure a custom administrator via CASSANDRA_USER. The container init script provisions the new superuser but, in certain scenarios, fails to drop the default account, leaving an unintended privileged login path. No public exploit identified at time of analysis, but the trivially guessable default credentials make discovery and abuse straightforward once the CQL port is reachable.
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python application export function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
Unauthenticated remote command execution affects InHand Networks IR912 and IR915 industrial cellular routers running firmware V1.0.0.r20042 and earlier, where the file upload function fails to sanitize input and passes attacker-controlled data to a shell context. Successful exploitation yields code execution as root on the device. No public exploit identified at time of analysis, but the CVSS 9.8 rating and network-reachable file upload endpoint make this a high-priority patching target for any operator with these routers exposed to untrusted networks.
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the log viewing function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python configuration function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
Remote unauthenticated access to two SQL Editor endpoints in pgAdmin 4 server-mode deployments (versions 6.9 through 9.15) exposes a pickle.loads sink that can be reached without a valid pgAdmin session. The defect is the missing @pga_login_required decorator on DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did>; turning this into code execution additionally requires an attacker to possess the Flask SECRET_KEY and write access to the sessions/ directory from a separate channel. No public exploit identified at time of analysis, and the issue does not appear on CISA KEV.
Remote SQL injection via prompt injection in pgAdmin 4 versions 9.13 through 9.15 allows attackers who can write content into database objects the AI Assistant inspects to bypass the read-only transaction wrapper and execute arbitrary SQL with the pgAdmin user's database role. When that role is a PostgreSQL superuser or holds pg_execute_server_program, the chain escalates to remote code execution on the database host via COPY ... TO PROGRAM. No public exploit identified at time of analysis; CVSS 4.0 base score is 9.4 (Critical) and an upstream fix is available.
Cross-site request forgery in Cotonti 1.0.0 (commit f43f1fc3) lets a remote attacker escalate privileges to administrator by tricking a logged-in admin into loading an attacker-controlled page that submits a forged rights-update request to system/admin/admin.rights.php. Because Cotonti administrators can edit templates and configuration, the resulting account can be pivoted to remote code execution on the host. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated SQL injection in claudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System) lets remote attackers read, modify, or delete arbitrary database records by tampering with HTTP parameters that are concatenated into legacy mysql_query() calls. The project ships with no authentication mechanism and no released versions, so any deployment exposing it to the network is fully compromisable; no public exploit identified at time of analysis, though CISA SSVC rates the technical impact as total and automatable.
Remote code execution in iba ibaPDA and ibaDatCoordinator allows unauthenticated network attackers to gain full system control by exploiting an unsafe deserialization flaw (CWE-502). The CVSS 4.0 score of 9.3 reflects network-reachable exploitation with no privileges or user interaction and high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the trivial attack profile makes it a high priority for industrial environments running these data acquisition products.
Credential exposure in Worksnaps client application before version 1.6.20260201 allows attackers who obtain the binaries to extract hardcoded AWS root credentials and S3 bucket identifiers, granting access to production cloud resources containing sensitive user desktop screenshots. The flaw was disclosed by SEC-VLab (SEC Consult) and a vendor-patched build is available; no public exploit identified at time of analysis, though credential extraction from distributed binaries is trivial once the artifact is obtained.
Unauthenticated SQL injection in Nur-Alam39's bus-ticket PHP application (no released versions; latest commit 459cabd) allows remote attackers to extract arbitrary data from the bus_service database via the busid POST parameter in bus_info.php. The flaw is exacerbated because the application connects as MySQL root with an empty password. No public exploit identified at time of analysis, though the description includes a working UNION-based payload demonstrating trivial exploitability.
Stored cross-site scripting in pgAdmin 4 versions 6.0 through 9.15 allows a malicious or attacker-influenced PostgreSQL server to inject arbitrary HTML into pgAdmin's interface via ErrorResponse messages and EXPLAIN plan fields rendered through html-react-parser. Because the injection executes inside pgAdmin's own DOM, an attacker can render convincing phishing dialogs or redirect the top-level tab via iframe srcdoc, bypassing standard X-Frame-Options and frame-ancestors protections. No public exploit identified at time of analysis, but the vendor has shipped a multi-layer fix in 9.16.
Stored cross-site scripting in jupyter_server's nbconvert HTTP handlers allows a malicious notebook to execute JavaScript in the Jupyter origin, leading to session token theft, full /api/* control, and kernel remote code execution. The NbconvertFileHandler and NbconvertPostHandler render notebook-authored HTML without a CSP sandbox directive, and combined with HTMLExporter's non-sanitizing default, any display_data HTML payload runs with the victim's authority. No public exploit identified at time of analysis, but the CVSS 4.0 base score is 9.3 and a vendor patch is available in v2.20.0.
Authentication bypass in googleapis/mcp-toolbox allows remote unauthenticated attackers to gain access by presenting opaque OAuth tokens issued by unauthorized identity providers. The flaw lives in validateOpaqueToken's claim-checking logic, which silently skips issuer validation when an OAuth 2.0 introspection response omits the optional iss field. No public exploit identified at time of analysis, but the upstream fix in PR #3360 confirms the defect and CVSS 4.0 scores it 9.3 (Critical).
Authentication bypass in googleapis/mcp-toolbox lets remote unauthenticated attackers reach protected tools and backing data sources by submitting an OAuth 2.0 introspection response that omits the mandatory 'active' field. Because validateOpaqueToken stores Active as *bool and only rejects when the pointer is non-nil and false, a nil value falls through as authorized. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.3 and trivial logic flaw make this a priority fix.
Server-side template injection in JTL Shop 5.2.0 through 5.7.1 allows remote unauthenticated attackers to inject Smarty template syntax via unsanitized user input, exposing sensitive server-side values like database credentials and encryption keys. On versions 5.4.0 through 5.7.1, the flaw escalates to remote code execution by abusing registered Smarty modifiers (unserialize, file_get_contents) to drop a webshell and execute commands as the web server user. Publicly available exploit code exists via the Sansec research writeup, though no public exploit identified at time of analysis in CISA KEV.
Authentication bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and the Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows remote, unauthenticated attackers to reset arbitrary user passwords by calling the '/update-profile/N' API endpoint, which fails to verify the requester's identity. Successful exploitation results in full account takeover of any user - including potentially privileged accounts handling federal bid protests and contract appeals - with no public exploit identified at time of analysis but a CVSS 4.0 base score of 9.3 (Critical) and CISA Coordinated Disclosure tracking.
External initialization in Kirby CMS (getkirby/cms <= 4.9.3 and 5.0.0-alpha.1 through 5.4.3) lets a remote unauthenticated attacker complete the Panel installation and create the first admin user on not-yet-installed sites. The flaw is a bypass of Kirby's isLocal safeguard: when a site sits behind a reverse proxy that emits the Forwarded: for=..., X-Client-IP, or X-Real-IP header, Kirby wrongly treats the forwarded external request as local and permits admin creation. No public exploit is identified at time of analysis and it is not in CISA KEV, but the vendor rates it critical (CVSS 4.0 base 9.1) and a full source fix is public.
Authentication bypass in Webmin's miniserv.pl HTTP server (versions prior to 2.641) allows remote unauthenticated attackers to impersonate any user, including root/admin, by sending a forged HTTP header that spoofs an SSL client certificate Distinguished Name. The flaw maps to CWE-290 (Authentication Bypass by Spoofing) and is rated CVSS 4.0 9.2 (Critical); a vendor-released fix exists in 2.641, but no public exploit is identified at time of analysis and the issue is not currently listed in CISA KEV.
{:ok}. No public exploit identified at time of analysis, and the issue is fixed in 1.2.0.
Cleartext Bluetooth Low Energy transmission in the Apollo Pharmacy Blood Glucose Monitoring System (Model APG-01 BT) allows an attacker within BLE radio range to passively sniff wireless traffic and recover patient glucose readings and related health data. The flaw is a CWE-319 cleartext-transmission issue affecting a consumer medical device, disclosed via CISA ICS-CERT advisory ICSMA-26-169-01. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Denial-of-service in the Apollo Pharmacy Blood Glucose Monitoring System (model APG-01 BT) allows an attacker within Bluetooth Low Energy radio range to seize the device's single BLE connection slot, blocking the legitimate patient app or clinician from pairing and reading glucose measurements. The flaw is rooted in missing authorization (CWE-862) on connection acceptance and was disclosed through CISA's ICS Medical advisory ICSMA-26-169-01. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
FastCGI framing desynchronization in HAProxy through 3.4.0 stems from a 16-bit integer overflow in the fcgi_conn demux record length (drl) field, which wraps to zero when a malicious backend sends a record with contentLength 65535 and paddingLength of 1 or more. A hostile FastCGI backend can leverage the misparse to desynchronize HAProxy's FCGI parser, leading to request routing errors, response smuggling, or memory safety issues. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the upstream commit 5985276 widens drl to uint32_t.
Remote code execution in the Offload, AI & Optimize with Cloudflare Images WordPress plugin (versions ≤1.10.2) allows authenticated Author-level users to inject PHP into wp-config.php via the 'account-id' or 'api-key' parameters of the cf_images_do_setup AJAX handler. The handler enforces only the upload_files capability instead of manage_options, and a single-quote escape flaw lets attackers break out of a PHP string literal during the define() write. No public exploit is identified at time of analysis, but the vulnerability is reported by Wordfence with detailed root-cause analysis.
Privilege escalation in the E2Pdf - Export Pdf Tool for WordPress plugin (versions ≤ 1.32.26) allows authenticated low-privilege users with the e2pdf_templates capability to overwrite arbitrary WordPress options and elevate themselves to administrator. The flaw stems from the screen_action() function lacking a capability check and nonce verification, letting attackers pass attacker-controlled option names and values directly to update_option(). No public exploit identified at time of analysis, but the issue was disclosed by Wordfence with detailed source-line references making weaponization straightforward.
Privilege elevation in Microsoft's Azure (AI) Bot Service lets an authenticated, network-based attacker bypass improper authentication checks (CWE-287) to gain higher privileges than originally granted. Tracked as CVE-2026-32174 (CVSS 8.8) and reported by Microsoft, it affects the cloud-hosted Azure Bot Service and carries high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.37%, 29th percentile), and CISA SSVC currently scores exploitation as 'none.'
Out-of-bounds write in FFmpeg's libavcodec MagicYUV decoder (libavcodec/magicyuv.c) affects all FFmpeg versions before 8.1.2, allowing remote attackers to cause denial-of-service and potentially achieve remote code execution when a victim processes a crafted MagicYUV-encoded media file. No public exploit identified at time of analysis, but the broad deployment of FFmpeg across media players, transcoding pipelines, browsers, and server-side processing makes this a high-priority patch. EPSS and CISA KEV data were not provided in the input.
SQL injection in pgAdmin 4 versions 1.0 through 9.15 allows an authenticated user with object-modification rights to inject SQL via the description field of Domain, Domain Constraint, Foreign Table, Language, Event Trigger, and View dialogs, where Jinja templates wrapped the value in single quotes instead of passing it through the qtLiteral escape filter. Sixteen template sites plus ten related pgstattuple/pgstatindex identifier sinks share the defect; injected SQL executes as the connected PostgreSQL role, and if that role can use COPY ... TO/FROM PROGRAM it pivots to OS command execution on the database host. No public exploit identified at time of analysis, and the vendor notes the bug does not cross a privilege boundary since the same user already has direct SQL access via the Query Tool.
DOM-based cross-site scripting in AutoGPT versions prior to 0.6.62 allows remote attackers to execute arbitrary JavaScript in an authenticated victim's browser by tricking them into clicking a crafted signup-page link whose `next` URL parameter is passed unsanitized into `router.push`. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-j2cp-jg5q-38wj) confirms the issue and ships a fix in 0.6.62.
OS command injection in LMS (LAN Management System) before commit 9fcb4de allows authenticated adjacent attackers to execute arbitrary operating system commands by supplying a malicious IP address parameter that is passed unsanitized to exec(). The flaw was reported by CERT-PL and an upstream fix is available; no public exploit identified at time of analysis, and the CVSS 4.0 score of 8.6 reflects high impact on the vulnerable system with limited subsequent-system effect.
Denial of service in HAProxy through 3.4.0 allows remote unauthenticated attackers to crash worker processes by triggering HPACK dynamic table insertions under memory pressure. The flaw lives in hpack_dht_insert() in src/hpack-tbl.c, where the return value of hpack_dht_defrag() is not validated; when the memory pool is exhausted defrag returns NULL and the subsequent dereference crashes the worker. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary file write in HKUDS Nanobot's WhatsApp bridge (versions 0.1.5.post3 and prior) allows remote unauthenticated attackers to write attacker-controlled content to arbitrary filesystem locations by sending a WhatsApp document message with a path-traversal sequence in its fileName field. Because both the destination path and the file content are attacker-controlled, exploitation yields a write-anywhere primitive that can be escalated to remote code execution (e.g., by overwriting authorized_keys or shell startup files). No public exploit identified at time of analysis; a fix is planned for version 0.1.5.post4.
Cross-site request forgery in Cotonti 1.0.0 (commit f43f1fc3) administration configuration handler allows a remote attacker to coerce an authenticated administrator's browser into silently modifying arbitrary core, module, or plugin configuration options. The flaw in system/admin/admin.config.php stems from the 'a=update' action invoking cot_config_update_options() without the cot_check_xg() anti-CSRF token check used elsewhere in the admin panel. No public exploit identified at time of analysis, though the root cause is well-documented at the source line level by the reporter (TuranSec).
Path traversal in PraisonAI's MultiAgentMonitor component (versions <= 1.5.114) lets remote attackers who can supply agent identifiers read, write, or overwrite arbitrary files on the host by embedding '../' sequences in agent IDs. The flaw, disclosed by VulnCheck and tracked as GHSA-766v-q9x3-g744, enables information disclosure, denial of service, and potential code execution in multi-agent AI deployments; no public exploit identified at time of analysis but a detailed PoC is included in the advisory.
Arbitrary shell command execution in PraisonAI before 4.5.128 allows authenticated UI users to bypass the human-in-the-loop approval gate because the Chainlit chat and code UI modules hardcode approval_mode='auto' after loading administrator config from PRAISON_APPROVAL_MODE. Once auto-approved, prompts to the LLM agent reach subprocess.run with shell=True, and the existing blocklists only filter command chaining operators - leaving single destructive commands (rm -rf, curl, dd, chmod) executable. No public exploit identified at time of analysis beyond the vendor PoC; not currently listed in CISA KEV.
Denial of service in Significant-Gravitas AutoGPT prior to 0.6.63 allows remote attackers to exhaust host disk space by chaining the unbounded StepThroughItemsBlock loop with MediaDurationBlock, which downloads videos to a temporary directory and never cleans them up. No public exploit identified at time of analysis, but the flaw is trivially triggerable through the normal agent-building UI in any AutoGPT instance reachable by an untrusted user.
Denial of service in AutoGPT prior to 0.6.63 allows remote unauthenticated users to exhaust host disk space by chaining the StepThroughItemsBlock with the ScreenshotWebPageBlock to capture an unbounded number of screenshots into a temporary directory. No public exploit identified at time of analysis, but the attack requires no authentication and CVSS 4.0 rates availability impact as High (8.7).