Privilege escalation in the U.S. GAO Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows authenticated remote attackers to elevate their privileges by tampering with the client-supplied 'epds_role_id' parameter, which the server accepts without verification. Reported by CISA-CG and tracked as EUVD-2026-37911 with a CVSS 4.0 score of 8.7, no public exploit identified at time of analysis. Both web applications have been patched by their respective government operators.
Denial of service in AutoGPT versions prior to 0.6.63 allows remote unauthenticated attackers to exhaust disk space on the host running the workflow automation platform by abusing the StepThroughItemsBlock to repeatedly drive FileStoreBlock downloads. The platform's `StepThroughItemsBlock` has no loop cap and `FileStoreBlock` enforces no working-directory disk quota, so an attacker can iteratively download moderately sized files (e.g., 100MB) until storage is exhausted. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-9fr4-9jj9-mhh6 confirms the issue and the fix in 0.6.63.
Resource exhaustion denial-of-service in Significant Gravitas AutoGPT versions prior to 0.6.63 allows remote unauthenticated users to fill disk space by abusing the LoopVideoBlock's unbounded loop count parameter. The platform writes the resulting oversized video to disk, exhausting available storage and crashing the host. No public exploit identified at time of analysis, but CVSS 4.0 rates this 8.7 (High) due to network reachability and unauthenticated trigger path.
Error-based SQL injection in LMS (LAN Management System) before commit 4cb30a7 allows authenticated attackers to extract sensitive database contents via the tarifflist.php module. The flaw stems from unsanitized concatenation of the POST tg[] array into a SQL query through implode(), and a CERT-PL-coordinated fix is upstream. No public exploit identified at time of analysis.
Cross-Site Request Forgery in the Personal File Storage (PFS) module of Cotonti 1.0.0 (commit f43f1fc3) allows remote attackers to upload arbitrary files into an authenticated victim's storage by luring them to a malicious page. The 'a=upload' action in modules/pfs/inc/pfs.main.php omits the cot_check_xg() anti-CSRF token check that sibling actions like 'delete' enforce. No public exploit identified at time of analysis, though the root cause is documented in the public source code reference.
Authorization bypass in Google's MCP Toolbox for Databases (googleapis/mcp-toolbox) allows authenticated low-privilege clients to invoke high-privilege tools by selecting a legacy MCP protocol version. The flaw stems from missing scopesRequired enforcement in the 2025-06-18, 2025-03-26, and 2024-11-05 protocol handlers, and is reachable simply by omitting the MCP-Protocol-Version header so the server falls back to the vulnerable 2024-11-05 default. No public exploit identified at time of analysis, but the upstream fix (PR #3335) confirms the issue and its trivial triggering condition.
Cross-origin agent execution in PraisonAI's AGUI endpoint allows any attacker-controlled website to silently invoke locally-running agents and exfiltrate their streaming responses, including tool execution results and sensitive environment data. The flaw stems from a triad of issues - no authentication on POST /agui, a hardcoded wildcard CORS header, and Starlette's Content-Type-agnostic JSON parsing - that together let a simple cross-origin request bypass the browser's preflight check. No public exploit identified at time of analysis, but the GHSA advisory publishes a complete attack flow making weaponization trivial.
Authorization bypass in Progress Chef 360 prior to version 1.7.1 allows authenticated users to access higher-privileged API endpoints by exploiting improper URL-encoded path handling during request processing. The flaw is a path traversal/normalization weakness (CWE-23) that lets standard access controls be circumvented before authorization checks run. No public exploit identified at time of analysis, but the vendor advisory confirms the issue and a fixed release is available.
Remote code execution in UBB.threads forum software (version 7.7.5 confirmed) is achievable by authenticated users holding template-edit privileges, who can abuse a path traversal weakness to read and write arbitrary files within the web application's privilege scope. CERT-PL reported the issue after vendor contact attempts failed, and there is no public exploit identified at time of analysis. The flaw escalates a routine administrative capability into full server compromise without requiring user interaction.
Authenticated blind SQL injection in UBB.threads forum software version 7.7.5 (and likely other versions) allows administrators with access to the Members section of the Control Panel to extract arbitrary database contents, including user credentials, via time-based or boolean-based SQLi techniques. Reported by CERT-PL after unsuccessful vendor contact, with no public exploit identified at time of analysis and no vendor-released patch.
Cross-site request forgery in UBB.threads forum software version 7.7.5 (and potentially earlier versions) allows remote attackers to coerce authenticated forum users - including administrators - into executing unintended state-changing actions by visiting an attacker-controlled page. The flaw was reported by CERT-PL after unsuccessful vendor contact, so no public exploit identified at time of analysis and no vendor-released patch identified at time of analysis. The CVSS 4.0 score of 8.6 reflects high impact when an authenticated administrator is targeted, though exploitation requires active user interaction.
Stored cross-site scripting in Kirby CMS (getkirby/cms) lets an authenticated Panel editor inject markup that survives Dom::sanitize() and executes as JavaScript when content is rendered in the Panel or on the site frontend. The flaw affects the writer and list fields plus the Sane HTML/SVG/XML sanitization API, and versions ≤ 4.9.3 and 5.0.0-alpha.1 through 5.4.3 are vulnerable. No public exploit identified at time of analysis, and this is not in CISA KEV, but the vendor rates it high severity because a low-privileged editor can escalate to an admin session.
Local privilege escalation and arbitrary code execution affects Yandex Punto Switcher through version 4.5.0.583 due to an unquoted search path passed to WinExec when launching RunDll32.exe to invoke shell32.dll's Control_RunDLL with input.dll. An authenticated local attacker who can drop an executable into an earlier directory in the Windows search order can hijack execution and run code in the context of the affected user. No public exploit identified at time of analysis, but the technique (CWE-428) is well-understood and trivially weaponized.
Blind SQL injection in the David Lingren Media Library Assistant WordPress plugin (versions up to and including 3.35) allows authenticated low-privilege users to inject SQL via unsanitized input into a database query, with scope-changed impact reaching the underlying WordPress database. No public exploit identified at time of analysis, but the plugin's wide WordPress deployment footprint and the low privilege bar make this a meaningful risk for multi-author sites. Patchstack published the advisory; no fixed version is listed in the available data.
Arbitrary command execution in Eclipse Theia versions prior to 1.69.0 allows a malicious repository to run host commands with the user's privileges when its workspace is opened, because custom task definitions in .theia/tasks.json or .vscode/tasks.json bypass the workspace trust gate. When the victim has also enabled AI chat with tool confirmation disabled via a workspace .theia/settings.json, the chain triggers automatically on the first chat message. No public exploit identified at time of analysis, but the attack pattern mirrors well-known VS Code workspace-trust bypass classes.
Indirect prompt injection in Eclipse Theia before 1.71.0 allows a malicious repository to automatically override the AI agent's system prompts when a victim opens the workspace, by placing files under .prompts/*.prompttemplate that Theia auto-loads. Combined with built-in AI chat features, the hijacked prompt can chain to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Indirect prompt injection in Eclipse Theia versions prior to 1.71.0 allows attackers who control a workspace's filesystem layout to coerce the built-in AI chat agent into executing attacker-supplied instructions, enabling data exfiltration through Markdown image rendering or arbitrary command execution through task definitions. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.4 reflects high impact across confidentiality, integrity and availability once a developer opens an untrusted repository. The flaw is reported by the Eclipse Foundation and fixed in version 1.71.0.
Arbitrary file write in OneDev 15.0.6 and earlier allows any authenticated user with CI Job write access to overwrite files anywhere on the server filesystem by uploading a crafted TAR archive whose symbolic link entries point to absolute paths outside the extraction directory. The flaw is an incomplete-fix bypass of CVE-2021-21251, which only blocked `..` path traversal in TAR entry names but never validated symlink targets. No public exploit has been identified at time of analysis, but the official patch commit and GitHub Security Advisory GHSA-55g8-94r5-cj37 publicly describe the bypass mechanism.
Heap-buffer-overflow READ in OpenEXR 3.4.0 through 3.4.11 occurs in the HTJ2K decoder's ht_undo_impl() function when processing a crafted EXR file with mismatched codestream and channel widths, producing a deterministic crash and potential adjacent-heap memory disclosure. Any application that opens untrusted EXR files - including thumbnailers, asset pipelines, and the exrcheck utility - is reachable via the standard scanline-decode entry point. No public exploit identified at time of analysis, but the upstream fix is shipped in v3.4.12.
Out-of-bounds heap read in libssh2 through 1.11.1 enables a malicious SFTP server or man-in-the-middle attacker to leak heap memory or crash client applications by sending a crafted SSH_FXP_NAME response with an inflated link_len during READLINK or REALPATH operations. The library is embedded in many SSH/SFTP clients (curl, Git tooling, language bindings), so impact extends to anywhere libssh2 is used as a client. No public exploit identified at time of analysis, but a vendor patch (commit 2dae302) is available and the issue was reported by VulnCheck.
{signal} for abort support), the polluted prototype value flows into worker_threads.Worker and the attacker's exported function is invoked with every legitimate caller's task data. Publicly available exploit code exists (full PoC in the GHSA advisory), but no public exploit identified at time of analysis as in-the-wild abuse and the CVE is not in CISA KEV.
Cross-namespace privilege escalation in Strimzi Kafka Operator versions up to 1.0.0 allows tenants with namespace-scoped Kafka custom resource creation rights to read and write Secrets in any namespace where the Cluster Operator has been granted permissions. By abusing the documented `watchedNamespace` field within `Kafka.spec.entityOperator`, an attacker mints a token for the entity operator ServiceAccount in their own namespace and gains full CRUD on Secrets in the target namespace. No public exploit identified at time of analysis, but the attack is mechanically straightforward in any multi-tenant Strimzi deployment.
Local privilege escalation in the cifs-utils cifs.upcall helper allows low-privileged Linux users to gain root by abusing the kernel request_key interface to load a malicious NSS module inside an attacker-controlled mount namespace. The root-owned helper fails to drop privileges before performing user-name resolution, so the attacker's NSS module executes with full root capabilities. No public exploit identified at time of analysis, but the bug affects every supported Red Hat Enterprise Linux release (6 through 10) and OpenShift Container Platform 4, making it a high-priority hardening fix for any host with CIFS/SMB client functionality.
Response queue poisoning in Node.js http.Agent allows network-accessible attackers to corrupt the HTTP keep-alive connection pool via a TOCTOU race condition, causing responses to be delivered to the wrong request handler. Affected is Node.js v26.x prior to v26.3.1, as disclosed in the June 2026 security release. Exploitation requires high attack complexity due to the race window, and no public exploit has been identified at time of analysis; this is rated Low severity (CVSS 3.7) by the Node.js team.
Unintended write access to conda-forge feedstock repositories in conda-smithy prior to 3.61.0 allows attackers who register an abandoned or relinquished GitHub username (a username takeover) to be auto-invited as a maintainer when the conda-forge webservices route repository invitations based on mutable usernames rather than immutable user IDs. The flaw maps to CWE-284 (Improper Access Control) and impacts the conda-forge package supply chain; no public exploit identified at time of analysis, but the GitHub security advisory GHSA-g95q-3cmj-fvh8 and a fix commit are public.
Information disclosure in Microsoft Cost Management Interactive Experiences allows unauthenticated remote attackers to retrieve sensitive data over a network. The flaw carries a CVSS 3.1 base score of 7.5 with high confidentiality impact and no integrity or availability effects, and Microsoft has published an advisory with a fix. At time of analysis there is no public exploit identified and the vulnerability is not listed in CISA KEV.
Denial of service in Node.js 26.x (fixed in 26.3.1) arises from an unguarded integer overflow when computing WebCrypto cipher output buffer lengths, allowing remote attackers to crash a process that performs SubtleCrypto encrypt/decrypt operations on attacker-influenced data. Rated High by the Node.js project (CVSS 7.5, availability-only impact). No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Denial of service in Node.js HTTP/2 lets a remote peer exhaust process memory by driving unbounded growth of the connection's originSet, the structure that tracks origins advertised via HTTP/2 ORIGIN frames. It affects the 22.x, 24.x and 26.x release lines up to and including Node 22.22.3, 24.16.0 and 26.3.0, and is fixed in the June 2026 security release (26.3.1). There is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.51%), but availability impact is rated High.
Information disclosure in Microsoft 365 Copilot lets a remote, unauthenticated attacker reach a security-critical function that lacks an authentication check, exposing confidential data over the network. Classified CWE-306 (Missing Authentication for Critical Function) and rated CVSS 7.5, the flaw was reported by Microsoft and a vendor patch is available; there is no public exploit identified at time of analysis, though CISA's SSVC framework flags the issue as automatable with total technical impact. EPSS probability is low (0.50%, 39th percentile), indicating no current evidence of widespread exploitation.
Sensitive information disclosure in Node.js (versions 26.3.0, 24.16.0, and 22.22.3) leaks embedded proxy credentials when a CONNECT tunnel connection fails, because the full proxy URL - including username and password - is included verbatim in the resulting tunnel error message rather than being redacted. Anyone able to read those error strings (application logs, error responses, monitoring/telemetry pipelines) can recover the proxy authentication secret. This is a Medium-rated, post-disclosure security-release fix (fixed in v26.3.1); there is no public exploit identified at time of analysis and EPSS is low at 0.38% (30th percentile).
Multipart form-data field injection in the npm package http-proxy-middleware (versions 3.0.4-3.0.6 and 4.0.0-4.1.0) lets remote attackers smuggle additional form parts past gateway-side validation by embedding CRLF sequences in body values, causing the proxy and backend to parse different field sets. The flaw lives in fixRequestBody's handlerFormDataBodyData helper, which concatenates user-controlled keys and values directly into the multipart wire format without neutralizing \r\n. Publicly available exploit code exists in the GHSA advisory, but no public exploit identified as actively used in the wild and no CISA KEV listing.
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a buffer overflow vulnerability in the device registration function. This vulnerability could allow an attacker to cause a denial of service attack on the remote target device.
Cross-site scripting in Kirby CMS's Panel writer field (versions <= 4.9.3 and 5.0.0-alpha.1 through 5.4.3) lets an authenticated user inject a JavaScript-scheme URL into the link or email marks that executes in their own browser session when clicked before the content is saved. In Kirby's default configuration this is limited to self-XSS requiring social engineering, but Panel plugins that embed the <k-writer> component without sanitizing HTML before storage can be escalated to stored XSS affecting other users. There is no public exploit and it is not in CISA KEV; the vendor rates it high severity for affected sites.
Authentication bypass in Zitadel identity platform (versions 3.0.0-3.4.11 and 4.0.0-4.15.1) allows an attacker who has obtained a victim's authorization code, refresh token, or device authorization grant to redeem it under a different OAuth client registered on the same instance, because the server fails to validate the client_id binding required by RFC 6749 §4.1.3. No public exploit identified at time of analysis; CVSS 7.4 with high attack complexity reflects the requirement that the attacker first intercept the code or token through a separate weakness such as XSS, log exposure, or referrer leakage.
Local privilege escalation in ANSSI's DFIR-ORC versions 10.2.7 and prior allows a low-privileged local user to gain administrator rights by planting a malicious DLL in C:\Windows\Temp, which the tool loads automatically when extracted and executed from that shared directory. The flaw is a classic uncontrolled search path (CWE-427) issue and was reported by INCIBE; no public exploit identified at time of analysis and the CVE is not in CISA KEV. The vendor has shipped a fix in DFIR-ORC v10.3.0, which adds ACL hardening on extraction directories.
Session ID generation in Mojolicious::Sessions::Storable through version 0.05 relies on predictable, low-entropy inputs - a SHA-1 hash seeded with Perl's built-in rand(), epoch time, a heap memory address, and the server PID - making session identifiers guessable by a network attacker. Successful exploitation enables session hijacking, allowing an attacker to impersonate authenticated users without possessing their credentials. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the flaw is structurally significant on low-traffic, single-worker deployments where PID and timing entropy are minimal.
Server-Side Request Forgery in the CF7 to Webhook WordPress plugin (versions up to and including 5.0.0) allows unauthenticated attackers to coerce the WordPress server into issuing arbitrary outbound HTTP requests through the pull_the_trigger functionality. Exploitation is conditional on an administrator configuring the webhook URL with a Contact Form 7 field placeholder inside the host portion of the URL, with the form publicly reachable. No public exploit identified at time of analysis, and there is no CISA KEV listing for this vulnerability.
Path traversal in SEPPmail Secure Email Gateway versions before 15.0.5 allows authenticated remote attackers to write files outside the intended directory by manipulating attachment filenames processed during encrypted PDF generation. Files can be placed in web-accessible locations, enabling potential webshell deployment and integrity compromise. No public exploit identified at time of analysis; the issue was reported by NCSC.ch and is fixed in 15.0.5.
Missing authorization in Kirby CMS lets authenticated users read the full content and metadata of pages they are not permitted to access via the /api/site/find REST route. It affects sites where a user role has the pages.access permission disabled (through user blueprints, model blueprint options, or a combination), on Kirby <= 4.9.3 and 5.0.0-alpha.1 through 5.4.3. No public exploit identified at time of analysis; the flaw is read-only and cannot be used for write access, and the CVSS 4.0 vector rates confidentiality impact High (score 7.1).
Information disclosure in PraisonAI before 1.5.115 allows authenticated agents to read other agents' system prompts and conversation history by exploiting missing uniqueness enforcement on agent identifiers in the MultiAgentLedger component. An attacker who can register an agent with a colliding ID receives the same ledger instance as the victim, breaking tenant isolation in multi-agent deployments. No public exploit identified at time of analysis, though the upstream GHSA advisory (GHSA-766v-q9x3-g744) publishes a working proof-of-concept demonstrating the collision.
Agent impersonation in Woodpecker CI 3.0.0 through 3.14.0 allows any authenticated agent to assume the identity of any other agent on the same server by injecting a forged agent_id into outgoing gRPC metadata. The server validates the JWT correctly but then trusts the client-supplied agent_id over the cryptographically verified one, enabling cross-tenant job hijacking and integrity compromise of CI pipelines. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Heap out-of-bounds write in OpenEXR 3.4.0 through 3.4.11 lets an attacker who supplies a crafted HTJ2K-compressed EXR file trigger memory corruption during decoding, via an integer overflow in the HTJ2K decoder ht_undo_impl(). Any application that decodes untrusted EXR images using the affected OpenEXRCore library is at risk, with potential for memory corruption and possible code execution. No public exploit has been identified at time of analysis; EPSS risk is low (0.17%, 7th percentile) and CISA SSVC rates exploitation as none.
Disk exhaustion denial-of-service in Significant Gravitas AutoGPT prior to version 0.6.63 allows authenticated platform users to crash the host by abusing the AddAudioToVideoBlock and StepThroughItemsBlock workflow components. By looping MediaDurationBlock through unbounded StepThroughItemsBlock iterations against URLs that trigger screenshots, attackers fill the working directory with undeleted temporary media files until disk space is exhausted. No public exploit identified at time of analysis, and EPSS data was not supplied.
Database-resource exhaustion in UBB.threads forum software (confirmed in version 7.7.5) allows an authenticated low-privileged user to deny service to the entire application by issuing concurrent profile-view requests. The flaw, reported by CERT-PL and tracked as CWE-405 (Asymmetric Resource Consumption), produces high availability impact (CVSS 4.0 VA:H, 7.1) with no confidentiality or integrity loss. There is no public exploit identified at time of analysis and the vulnerability is not on the CISA KEV list.
Stored cross-site scripting in Cotonti 1.0.0 (master branch, commit f43f1fc3) lets an authenticated user inject HTML/JavaScript into Personal File Storage (PFS) folder titles, which then execute in any viewer's browser when the folder listing is rendered. The flaw stems from the 'TXT' import filter not encoding HTML combined with unescaped template output, and no public exploit identified at time of analysis. Discovered by TuranSec; impact extends to other users browsing public folders, enabling session theft or account actions in their context.
Backend routing bypass in http-proxy-middleware allows unauthenticated external attackers to redirect HTTP requests to unintended backends by sending a crafted Host header that acts as a superstring of a configured host+path router key. The vulnerable substring matching logic (`hostAndPath.indexOf(key) > -1` in `src/router.ts`) affects npm package versions 0.16.0 through 3.0.5 and 4.0.0 through v4.0.0-beta.5, enabling bypass of tenant isolation, backend segmentation, or access-control boundaries enforced through proxy routing rules. Publicly available exploit code exists in the GitHub Security Advisory GHSA-64mm-vxmg-q3vj, with vendor-confirmed fixes released as versions 3.0.6 and 4.1.0.
MFA bypass in Webmin prior to 2.641 enables remote attackers holding valid credentials to circumvent multi-factor authentication entirely by supplying the literal string 'webmin' as the HTTP User-Agent header, causing the server to accept basic authentication without requiring a session cookie or a second factor. The affected CPE covers all Webmin releases before 2.641, and the impact extends well beyond the low integrity score assigned by the official CVSS - Webmin is a full server administration panel, meaning successful authentication grants control over the underlying host. No public exploit code or CISA KEV listing has been identified at time of analysis; the issue was reported by CISA-CG and patched in the 2.641 release.
Insecure Direct Object Reference (IDOR) in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) permits remote unauthenticated attackers to harvest account-specific information from any registered user. By supplying an arbitrary 'user_id' value to the publicly exposed 'update-profile/' API endpoint, an attacker receives a JSON payload disclosing the target account's email address and associated metadata without any credential requirement. No public exploit code or CISA KEV listing exists at time of analysis, but the trivially low attack complexity - no authentication, no interaction, no special configuration - makes automated mass enumeration of the user base a realistic and immediate concern for agencies relying on these procurement dispute systems.
HTTP header injection (CRLF injection) in Kirby CMS's `Kirby\Http\Remote` class allows attackers who can influence outgoing request header values to inject or override arbitrary HTTP headers sent to upstream services. Affected are sites running Kirby versions up to 4.9.3 or 5.0.0-alpha.1 through 5.4.3 where custom code, plugins, or integrations pass user-controlled data into the `headers` option of `Remote` requests - the default Kirby installation is not affected. The attack targets the remote service receiving the manipulated request, enabling overrides of security-critical headers such as `Authorization`, `Host`, or `Cookie`, with downstream effects including unauthorized API access or upstream cache poisoning. No public exploit code and no CISA KEV listing have been identified at time of analysis; the 'RCE' tag in the source data appears to be a misclassification of this CWE-93 flaw.
Unauthenticated remote file disclosure in Webmin (all versions prior to 2.641) exposes the contents of any .conf file residing within module directories. The root cause is a flawed regular expression (CWE-185) that was intended to restrict accessible file paths but can be bypassed with a crafted request, allowing unauthenticated network attackers to read configuration files that may contain credentials, API keys, or other sensitive deployment data. No public exploit or CISA KEV listing has been identified at time of analysis, though the zero-authentication, network-accessible attack surface makes this straightforward to probe at scale.