NetDrive 2.6.12 contains an unquoted service path vulnerability in the Netdrive2_Service_Netdrive2 service that allows local users to execute arbitrary code with SYSTEM privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Comodo Chromodo Browser 52.15.25.664 contains an unquoted service path vulnerability in the ChromodoUpdater service that runs with SYSTEM privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Fortitude HTTP 1.0.4.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated privileges by exploiting the service binary path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
RealTimes Desktop Service 18.1.4 contains an unquoted service path vulnerability in the rpdsvc.exe binary that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
TFTP Broadband 4.3.0.1465 contains an unquoted service path vulnerability in the tftpt.exe service binary that allows local attackers to execute arbitrary code with system privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Matrix42 Remote Control Host 3.20.0031 contains an unquoted service path vulnerability in the FastViewerRemoteService and FastViewerRemoteProxy services that allows local users to execute arbitrary. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Malwarebytes 4.5 contains an unquoted service path vulnerability in the MBAMService executable that allows local attackers to escalate privileges by injecting malicious code into the system root. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Brother SAPSprint 7.60 contains an unquoted service path vulnerability in the SAPSprint service binary that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Vembu StoreGrid 4.0 contains an unquoted service path vulnerability in the RemoteBackup and RemoteBackup_webServer services that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Realtek High Definition Audio Driver 6.0.1.6730 contains an unquoted service path vulnerability that allows local attackers to escalate privileges by placing a malicious executable in the service. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Windows Firewall Control 4.8.6.0 contains an unquoted service path vulnerability that allows local attackers to escalate privileges by inserting malicious executables in the service path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Winstep 18.06.0096 contains an unquoted service path vulnerability in the Winstep Xtreme Service that allows local attackers to escalate privileges. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Denial of service in the Faraday Ruby HTTP client library (versions up to and including 2.14.2) allows remote attackers to crash worker threads by submitting query strings with deeply nested bracket-notation parameters. The Faraday::NestedParamsEncoder recursively walks attacker-controlled nested Hash structures without a depth ceiling, raising an uncaught SystemStackError at roughly 3,000+ levels of nesting (~9.4 KB payload). Publicly available exploit code exists in the GHSA-98m9-hrrm-r99r advisory itself; no public exploit identified at time of analysis in the active-exploitation sense, and impact is limited to availability - no RCE, auth bypass, or data disclosure, despite the input tags listing those categories.
Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user with page-edit rights to inject arbitrary JavaScript into the data-mw-iframeconfig attribute by supplying a malformed URL or ID containing single quotes for the archiveorg, wistia, or sharepoint services. The flaw is present under the default $wgEmbedVideoRequireConsent=true configuration and executes in the wiki origin for every visitor that loads the affected page, with publicly available exploit code exists in the GHSA advisory.
Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Joomla vWishlist 1.0.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the vproductid and userid. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Joomla J-CruisePortal 6.0.4 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the guest_adult parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Joomla!. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial-of-service in Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Modules (all versions) allows unauthenticated remote attackers to halt the module's communication function by flooding its Ethernet port with packets. The high packet rate overwhelms internal anomaly-detection processing and stops communications - a critical impact for the industrial control environments these PLCs operate in. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects high availability impact in operational technology contexts.
Denial-of-service in Mitsubishi Electric MELSEC iQ-F Series FX5-EIP EtherNet/IP module (versions 1.000 and prior) allows a remote unauthenticated attacker to crash the device by rapidly opening many TCP connections, which trips an integer overflow in the EtherNet/IP connection-management logic and triggers improper memory access. No public exploit identified at time of analysis, but the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) and high availability impact make this a meaningful operational-technology (OT) concern for plants relying on the affected PLC module. Reported by the vendor and tracked in vendor PSIRT advisory 2026-002, JVN VU#97140216, and CISA ICS advisory ICSA-26-169-05.
Missing authorization controls in the WP Hotel Booking WordPress plugin (all versions before 2.3.1) expose sensitive hospitality business data to any authenticated Subscriber-level user. Affected AJAX handlers lack WordPress capability checks, enabling low-privilege users to read other guests' booking line items, enumerate active coupon codes, and access internal pricing data across the entire site. A public proof-of-concept exploit exists per WPScan; while not confirmed actively exploited in CISA KEV, the low authentication barrier and publicly available exploit represent meaningful real-world risk for any hotel or hospitality site with user registration enabled.
Privilege escalation in Microsoft Azure Active Directory allows unauthenticated remote attackers to bypass authentication controls and gain elevated access across tenant boundaries. With a maximum CVSS score of 10.0 and a scope-changing impact, successful exploitation could compromise identity, access, and resources federated through Azure AD. No public exploit identified at time of analysis, but the trivial attack complexity and network-reachable vector make this a top-priority issue for any organization relying on Azure AD for identity.
Authentication bypass in CoreWCF (NuGet CoreWCF.Primitives) versions prior to 1.8.1 and 1.9.0-1.9.1 allows remote unauthenticated attackers to forge SAML 1.1 and SAML 2.0 assertions and impersonate any principal - including administrative identities - that the trusted STS could issue tokens for. The flaw stems from improper SAML token signature validation (CWE-290) in FederatedSecurityTokenManager, and only the trusted STS's public certificate (discoverable by design) is required. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, but the CVSS 10.0 score with scope change reflects severe trust-boundary impact.
Source-address spoofing in ProxySQL 2.0.0 through 3.0.8 lets any TCP peer that can reach the MySQL frontend port forge the client IP seen by the query-rule engine, bypassing routing and ACL controls. The flaw stems from incorrect parsing of the HAProxy PROXY protocol v1 `UNKNOWN` token, whose address fields the specification requires receivers to ignore. No public exploit identified at time of analysis, but the vendor advisory describes the attack mechanics in detail and version 3.0.9 ships the fix.
Remote code execution in Tenda AC7 routers (firmware v15.03.06.44) is possible via a stack buffer overflow in the wanSpeed parameter of the /goform/AdvSetMacMtuWan endpoint. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network-based exploitation with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and the device is not listed in CISA KEV.
Command injection in the Network-AI npm package (network-ai < 5.9.1) lets any agent or caller granted a wildcard allowlist entry such as `git *`, `npm *`, or `node *` execute arbitrary shell commands as the orchestrator process. The flaw stems from `SandboxPolicy.isCommandAllowed` glob-matching the entire command string while `ShellExecutor` runs it through `/bin/sh -c`, so shell metacharacters like `;`, `|`, and `$(...)` smuggle additional commands past the sandbox. A working PoC is published in the GHSA advisory, though there is no public exploit identified at time of analysis in the wild and no CISA KEV listing.
Authentication bypass in JetBrains Hub (the identity and account-management server behind TeamCity, YouTrack, and other JetBrains tools) lets an actor obtain administrative access by going through direct database access, per JetBrains' own advisory. Classified under CWE-306 (Missing Authentication for a Critical Function) and vendor-scored CVSS 9.8, it affects all builds before the fixed 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, and 2024.2.148429 releases. There is no public exploit identified at time of analysis and the EPSS probability is low (0.44%, 35th percentile), but full administrative compromise is the stated technical impact.
Account takeover in JetBrains Hub is possible through predictable restore codes, affecting all versions prior to 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, and 2024.2.148429. Remote unauthenticated attackers can guess or predict the restore codes used for account recovery, enabling them to seize control of arbitrary user accounts. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects the high impact of full account compromise across an identity management platform.
Stack buffer overflow in Tenda AC7 router firmware v15.03.06.44 allows remote unauthenticated attackers to corrupt memory via the mac parameter in the /goform/AdvSetMacMtuWan web interface endpoint. The flaw carries a CVSS 9.8 critical rating with network attack vector and no authentication required, though no public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV. Tenda SOHO routers in this family have a well-documented history of similar /goform/* stack overflows being weaponized for botnet recruitment.
Stack buffer overflow in Tenda AC7 router firmware v15.03.06.44 allows remote attackers to corrupt memory via an oversized cloneType parameter sent to the /goform/AdvSetMacMtuWan web interface endpoint. The CVSS 9.8 vector indicates unauthenticated network exploitation with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Stack buffer overflow in Tenda AC7 router firmware v15.03.06.44 allows remote attackers to corrupt memory through the wanMTU parameter of the /goform/AdvSetMacMtuWan web management endpoint. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full impact on confidentiality, integrity, and availability, though no public exploit identified at time of analysis. The flaw is classified as CWE-121 (stack-based buffer overflow), a class historically leveraged for code execution or denial of service on embedded MIPS/ARM SOHO routers.
Pre-authentication heap memory corruption in ProxySQL 2.0.18 through 3.0.8 allows remote unauthenticated attackers to corrupt heap memory by sending a crafted first packet declaring an oversized length, which is passed directly to recv() into a fixed 32 KB input queue on both MySQL and PostgreSQL protocol listeners. The flaw carries a CVSS 9.8 rating and is fixed in 3.0.9; no public exploit identified at time of analysis, but the trivial trigger condition and out-of-bounds write primitive create strong potential for weaponization.
Unauthenticated remote code execution in BetterDocs Pro for WordPress (versions through 3.8.0) is achievable by abusing the `doc_style` parameter to include arbitrary local PHP files. Wordfence has assigned a critical 9.8 CVSS score, and while no public exploit identified at time of analysis, the unauthenticated network-reachable nature of the flaw on a widely deployed WordPress documentation plugin makes opportunistic mass-exploitation likely once details propagate.
Privilege escalation in Microsoft Exchange Online allows an authenticated remote attacker to elevate privileges across a tenant or organizational boundary due to missing authorization checks. The flaw carries a CVSS 3.1 score of 9.6 with scope change, indicating impact beyond the initially authorized security context, though no public exploit identified at time of analysis. As a cloud-hosted service, mitigation is largely Microsoft-managed rather than a customer-applied patch.
Arbitrary file read leading to remote code execution affects Langflow versions prior to 1.9.2 in any flow that uses BaseFileComponent-derived nodes (Read File, Docling, Docling Serve, NVIDIA Retriever Extraction, Video File, Unstructured API). An attacker who can submit a TAR archive containing symlinks - for example through a RAG ingestion pipeline that accepts user documents - causes the server to follow those links and ingest arbitrary host files such as Langflow's JWT secret_key, which can then be used to forge admin tokens and execute Python via the Code Interpreter node. Publicly available exploit code exists (researcher-published PoC archive and demo video); not listed in CISA KEV.
{token}_{clusterId}.yaml. CVSS 4.0 rates this 9.4 (Critical) with a scope-changing impact on subsequent systems, but no public exploit was identified at time of analysis and it is not listed in CISA KEV. Reported by SUSE through GitHub Security Advisory GHSA-mhc6-2gfq-xx62.
Use-after-free memory corruption in Cloudflare Quiche's FFI layer exposes applications built with the non-default FFI feature flag to remote denial of service and limited heap disclosure. Two FFI iterator functions - quiche_connection_id_iter_next and quiche_conn_retired_scid_next - return raw pointers to ConnectionId values that are immediately freed when their owning Rust scope exits, leaving callers holding dangling pointers. No public exploit has been identified at time of analysis and there is no CISA KEV listing, but the CVSS 5.6 (AV:N/AC:H) score correctly reflects the constrained preconditions imposed by the opt-in build flag.
Host command execution in containerd's CRI plugin arises because labels from an image config (Dockerfile LABEL instruction) are propagated to the created container without validation; when a downstream plugin consumes those labels for operations (notably the restart-monitor's binary:// logger path), an attacker-controlled label value becomes an arbitrary command executed with host-root privileges. Affected releases are all containerd versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5, and 2.3.2, meaning any environment that pulls and runs an untrusted image on a node using a label-consuming plugin is exposed to full container-to-host escape. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, so this is a high-severity, responsibly-disclosed flaw rather than one with confirmed active exploitation.
Remote code execution in NI grpc-device 2.17.0 and earlier is possible when an attacker sends a specially crafted Moniker protobuf message to the sideband streaming API, triggering an untrusted pointer dereference (CWE-822). The flaw is reachable without authentication or user interaction over the network, yielding a CVSS 4.0 base score of 9.3. No public exploit identified at time of analysis, but vendor advisories from NI and the upstream GitHub Security Advisory GHSA-ww59-ghm9-mm63 are published.
Unauthenticated network access to NI grpc-device 2.17.0 and earlier is possible when the server is deployed without TLS configuration and bound to a non-loopback interface, exposing instrument control services to anyone on the local network. The flaw stems from insecure default credentials behavior and aligns with CWE-306 (missing authentication for a critical function). No public exploit identified at time of analysis, though the CVSS 4.0 base score of 9.3 reflects high confidentiality and integrity impact under default-prone deployments.
Stored cross-site scripting in the jupyterlab-git extension (versions 0.30.0b3 through 0.53.x) escalates to remote code execution when a victim views a rename diff in the Git History tab. The PlainTextDiff.ts createHeader() method injects unsanitized Git filenames into innerHTML, so a filename such as <img src=x onerror=eval(atob(...))>.py fires JavaScript that reads the _xsrf cookie, spawns a JupyterLab terminal via POST /api/terminals, and runs arbitrary shell commands. Reported by AWS Security; no public exploit identified at time of analysis, though the vendor advisory (GHSA-f962-v9hr-pfg5) documents a detailed reproduction path, and it is not listed in CISA KEV.
Account pre-registration hijack in Capgo before 12.128.2 lets a remote unauthenticated attacker claim an account under a victim's email address before that email is verified, then lock the legitimate owner out by enabling two-factor authentication on the squatted account. The flaw stems from a CWE-640 weak password recovery / account-binding logic issue and carries a CVSS 4.0 score of 9.3; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering with HTTP responses returned to the client, which the application trusts to decide whether verification succeeded. Successful exploitation enables fraudulent 2FA enrollment and account takeover, and no public exploit has been identified at time of analysis though VulnCheck has published an advisory describing the response-manipulation technique.
Unauthenticated administrator account takeover in FileRise before 3.16.0 is possible via a path traversal flaw in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php), where URL-encoded path separators bypass filename validation and allow arbitrary file write outside the upload directory. Any actor holding a valid, non-expired, upload-enabled shared-folder token - tokens explicitly designed to be shared publicly - can overwrite users/users.txt to plant an admin account and, depending on configuration, achieve remote code execution. No public exploit identified at time of analysis, but the upstream fix in v3.16.0 documents the exact bypass, lowering the bar for weaponization.
Missing authentication in the Tilt HUD HTTP server (Go package github.com/tilt-dev/tilt, versions 0.20.8 through 0.37.3) lets an unauthenticated network attacker trigger developer-defined Tiltfile resources, tamper with Tiltfile arguments, read full engine state including the session token, and proxy authenticated calls into the Tilt apiserver. Exploitation is only possible when Tilt is bound to a non-loopback address (via 'tilt up --host 0.0.0.0' or TILT_HOST), not in the safe default loopback configuration. No public exploit identified at time of analysis and it is not listed in CISA KEV; a vendor patch exists in v0.37.4.
Out-of-bounds read in Microsoft HEIF Image Extensions 1.2.22.0 allows remote attackers to disclose memory contents and crash the process by serving a crafted HEIF image. The flaw stems from CHEIFItemInfoEntry_GetDataSize returning success with a reported data size of zero, leading to a 1-byte allocation that is later overrun by a memmove in CopyPixels. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Arbitrary file deletion in the Avada (Fusion) Builder WordPress plugin through version 3.15.3 allows remote unauthenticated attackers to delete any file on the server via path traversal in the maybe_delete_files function, which commonly escalates to remote code execution when wp-config.php is removed and WordPress enters setup mode. Wordfence reports the flaw is reachable through the wp_ajax_nopriv_fusion_form_submit_ajax handler on sites that have a published Avada form saving entries to the database. No public exploit identified at time of analysis, but the CVSS 9.1 score reflects trivial network exploitation with no authentication or user interaction.