The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom Vitepos WordPress plugin before 3.4.2 role to escalate privileges to administrator.
Memory exhaustion denial of service in Gophish through 0.12.1 allows authenticated low-privilege users to crash the phishing-campaign server by uploading a zip-bomb Office document as an email template attachment. Publicly available exploit code exists, demonstrating that any account with the User role can trigger an OOM kill of the Gophish process and disrupt ongoing campaigns. No CISA KEV listing is present, but the trivial complexity and available POC make opportunistic abuse realistic against multi-tenant or shared Gophish deployments.
The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator
The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Memory corruption in the Advanced Linux Sound Architecture (ALSA) user-space library (alsa-lib) before 1.2.16.1 allows local attackers to crash audio-dependent processes by feeding maliciously crafted configuration text to parse_def() in src/conf.c. The flaw is a double-free reachable through nested compound or array config blocks, leading to a NULL-pointer write or invalid read; publicly available exploit code exists (reported by VulnCheck), but the issue is not on the CISA KEV list.
Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully compromise the host by bypassing authentication and abusing improper Python execution isolation. The maximum CVSS 10.0 score (AV:N/AC:L/PR:N/UI:N with scope change) reflects trivial network-based exploitation against any internet-exposed instance, though no public exploit identified at time of analysis. IBM has confirmed the issue and released a patch via support advisory node/7277242.
The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Remote code execution in XWiki Pro Macros (com.xwiki.pro:xwiki-pro-macros) versions >=1.13 and <1.14.5 allows any authenticated user with page-edit rights to execute arbitrary Groovy code via the excerpt-include macro, which fails to escape the included page's title and renders excerpt content with the macro's elevated rights. A working proof-of-concept is published in the GHSA advisory demonstrating injection through both a crafted page title and excerpt body. No public exploit identified at time of analysis as actively used, but the publicly available exploit code exists in the advisory itself.
Remote code execution and denial of service in IBM WebSphere Application Server and WebSphere Application Server Liberty (including IBM i 7.3-7.6) occurs when the WebServer Plug-in component is deployed with Intelligent Management enabled. An attacker who can impersonate a backend application server and return crafted responses can trigger code injection (CWE-94) against the plug-in, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis; EPSS 0.38% and SSVC exploitation 'none' indicate no observed weaponization despite the 9.8 CVSS rating.
Authorization bypass in IBM Langflow OSS 1.0.0 through 1.8.4 allows unauthenticated remote attackers to access protected Model Context Protocol (MCP) project resources and invoke MCP operations through the Streamable MCP transport endpoint. The CVSS 9.8 rating reflects unauthenticated network exploitation with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.
Arbitrary code execution in mise (jdx/mise) versions prior to 2026.3.10 allows attackers to run shell commands as the victim user simply by having them `cd` into a directory containing a malicious `.tool-versions` file. Unlike `.mise.toml`, `.tool-versions` files bypass the trust verification gate in non-paranoid mode, so the Tera template engine's `exec()` function fires silently from the shell `hook-env`. No public exploit identified at time of analysis beyond the detailed reporter PoC, but exploitation is trivial and a working PoC is embedded in the advisory.
Arbitrary file read in Budibase self-hosted server (@budibase/server <= 3.39.0) allows an authenticated workspace builder to exfiltrate any file readable by the server process by uploading a crafted PWA zip containing a symlink entry. Because the default `budibase/budibase:latest` Docker image runs Node as root, attackers can retrieve `/data/.env` (JWT_SECRET, INTERNAL_API_KEY, MinIO/Redis/CouchDB credentials, DATABASE_URL) and even `/etc/shadow`, enabling JWT forgery and full global-admin takeover. Publicly available exploit code exists - a complete working PoC is published in the GHSA advisory - though there is no public exploit identified at time of analysis beyond that disclosure write-up.
Cross-workspace automation execution in Budibase (npm @budibase/server, all versions before 3.39.9) lets a builder-authenticated attacker run their own automations inside any other workspace on the same instance by overwriting the server-derived appId. The public, unauthenticated webhook trigger endpoint mass-assigns the raw POST body over internal parameters, and because Execute Script steps run JavaScript, this escalates to arbitrary code execution and full data theft in the victim's context. A detailed proof-of-concept is published in the vendor advisory (GHSA-rgvg-3wpc-h44p); publicly available exploit code exists, though it is not listed in CISA KEV and EPSS exploitation probability is modest at 0.41% (33rd percentile).
Remote code execution in Autodesk Fusion Desktop's MCP (Model Context Protocol) extension allows attackers to execute arbitrary code with current user privileges when a victim visits a malicious webpage while Fusion is running with the MCP extension enabled. The flaw is rated CVSS 9.6 (Critical) due to its network-reachable nature and scope change, though successful exploitation requires user interaction (visiting a crafted page) and the non-default MCP extension being enabled. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Broken access control in MISP Core's bulk deletion handlers lets any authenticated user holding the broad perm_add or perm_sharing_group role flag hard-delete Event Reports and Sharing Groups belonging to other organisations across the entire instance. The flaw affects MISP threat-intelligence platform deployments and enables cross-tenant data destruction by contributor-level accounts; no public exploit identified at time of analysis, but the upstream patch commits are public and trivially reverse-engineerable.
Multiple chained vulnerabilities in Gaudire's Assassin Game platform allow an authenticated low-privileged player to tamper with other users' accounts, escalate to administrator, defraud city-council-awarded prizes, trigger denial-of-service, and perform server-side request forgery via the /addJugador endpoint. With CVSS 4.0 base score 9.4 (Critical) and scope-changing impact across confidentiality, integrity, and availability, the flaws stem from systemic input validation failures (CWE-20). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Insecure direct object reference flaws in MISP threat-intelligence platform allow an authenticated user with access to any one authorized object to overwrite, re-parent, or transfer ownership of objects belonging to other users or organizations by submitting crafted REST/form payloads containing attacker-chosen primary keys and ownership foreign keys. The root cause is CRUDComponent::edit() mass-assigning payload-supplied IDs (id, event_id, org_id, user_id, sharing_group_id, etc.) onto the already-loaded record, so CakePHP's save() updates a different row than the one the authorization check validated. No public exploit identified at time of analysis, but a vendor patch is available and the high CVSS 4.0 score of 9.4 reflects broad cross-tenant impact.
Cluster-wide remote code execution in LY Corporation's centraldogma-server prior to 0.84.0 occurs when ZooKeeper replication is enabled without explicitly configuring replication.secret, causing the embedded ZooKeeper ensemble to authenticate using a hard-coded, publicly known fallback credential. An adjacent attacker with network reachability to the replication ports can read the entire replication log or join the quorum to issue arbitrary replicated commands. No public exploit identified at time of analysis, but the issue is a default-credential failure that is trivial to weaponize once discovered.
Unauthenticated privilege escalation in AVideo (composer/wwbn/avideo) versions below 29.0 allows any user who can solve a CAPTCHA to self-grant upload, streaming, meeting-creation, and email-verified status during account registration. The root cause is that `set_api_signUp` in `plugin/API/API.php` applies admin-controlled permission parameters (`emailVerified`, `canUpload`, `canStream`, `canCreateMeet`) unconditionally across both its authenticated (APISecret) and anonymous (CAPTCHA) code paths, bypassing the `isAPISecretValid()` guard that correctly protects equivalent admin operations elsewhere in the codebase. A working proof-of-concept curl sequence is publicly documented in the GitHub security advisory GHSA-8j8m-p79x-g4jm; no active exploitation has been confirmed by CISA KEV at time of analysis.
Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijacking, session fixation, CSRF/replay against the OAuth callback, plaintext credential exposure over non-HTTPS redirect URIs, and log injection. The plugin reused the PHP session_id() as the OAuth state parameter, never rotated the session ID after login, did not enforce HTTPS on the redirect URI, and logged attacker-controlled GET parameters verbatim. No public exploit identified at time of analysis, but an upstream fix is available in MISP commit 146bc40.
Authenticated arbitrary code execution in MISP allows a site administrator to abuse the Kafka_rdkafka_config setting to load an attacker-controlled INI file, which is parsed and passed to rdkafka with options such as plugin.library.paths to load an arbitrary shared library. The flaw (CWE-829, inclusion of functionality from untrusted control sphere) yields code execution as the MISP process user; no public exploit identified at time of analysis, but a vendor patch is available.
Reflected cross-site scripting in OpenIdentityPlatform OpenAM versions 13.0.0 through 16.1.0 allows remote attackers to inject arbitrary HTML/JavaScript into the OAuth 2.0/OpenID Connect authorization endpoint response when the form_post response mode is used. The flaw resides in the FormPostResponse.ftl template, which insufficiently sanitizes user-supplied parameters such as state before reflecting them into the rendered HTML. No public exploit identified at time of analysis, but the high CVSS score (9.3) reflects the pre-authentication nature of the attack and the federated-identity context, where script execution in the OpenAM origin can compromise SSO sessions.
The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices.
Pie Register WordPress plugin versions before 3.8.4.10 generates account verification tokens with insufficient randomness, enabling unauthenticated remote attackers to predict or enumerate valid tokens and activate registered accounts without receiving the associated verification email. This effectively bypasses the email-as-ownership-proof step in the registration flow, allowing account takeover of any pending registration. A publicly available exploit exists per WPScan; SSVC flags the attack as automatable with partial technical impact, though no confirmed active exploitation appears in CISA KEV at time of analysis.
Server-side request forgery in Crawl4AI before 0.8.7 allows unauthenticated remote attackers to coerce the server into fetching arbitrary internal URLs via the /crawl, /crawl/stream, /md, and /llm endpoints. The product's internal-address blocklist can be bypassed using IPv6-mapped IPv4 notation (e.g., ::ffff:169.254.169.254), exposing cloud metadata services and internal infrastructure. No public exploit identified at time of analysis, but the GHSA advisory and a VulnCheck write-up document the flaw in detail.
Sensitive information disclosure in Gaudire's Assassin Game application allows unauthenticated remote attackers to retrieve personally identifiable information (PII) - including email addresses and phone numbers - through the application's API. The exposure also extends to the local database, which holds data on minors and municipal users, significantly elevating privacy and regulatory risk. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.2 and CWE-200 classification mark this as a high-priority data exposure issue.
HTTP request smuggling in IBM WebSphere Application Server 8.5/9.0 and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6 allows unauthenticated remote attackers to bypass security controls, spoof identities, escalate privileges, and access sensitive information. IBM has released fixes and SSVC currently rates exploitation as 'none' with EPSS at 0.35% (27th percentile), but the CVSS 9.1 rating and total technical impact warrant prompt patching given the product's enterprise footprint. No public exploit identified at time of analysis.
Authentication bypass in IBM Storage Protect Client and IBM Storage Protect Snapshot for Windows (versions 8.1.0.0 through 8.2.1.0) allows remote unauthenticated attackers to impersonate legitimate clients via hardcoded credentials embedded in the FlashCopy Manager (FCM) authentication mechanism. The flaw, classified as CWE-798 with a CVSS 9.1 critical rating, enables attackers to establish trusted sessions and access protected backup services. There is no public exploit identified at time of analysis, and EPSS rates real-world exploitation probability at 0.33% (24th percentile), but IBM has released a vendor advisory and patch.
Server-side request forgery in IBM WebSphere Application Server 8.5 and 9.0 allows remote unauthenticated attackers to coerce the server into issuing arbitrary outbound requests when the Ajax Proxy is configured, enabling security bypass and information disclosure. IBM has released fixes and no public exploit is identified at time of analysis; EPSS is low (0.23%, 14th percentile) and SSVC marks exploitation as 'none' despite a CVSS of 9.1.
Prototype pollution in the npm package scim-patch (versions <= 0.9.0) allows authenticated SCIM provisioning clients to mutate Object.prototype process-wide by submitting a PATCH operation whose value object contains a key such as `__proto__.someProp` or `constructor.prototype.someProp`. Because the side effect persists for the lifetime of the Node process and leaks into every plain object, downstream code that checks flags like `req.user.isAdmin` against unpolluted plain objects can suffer privilege escalation, logic bypass, or denial of service. Publicly available exploit code exists (proof-of-concept in the GHSA advisory and now in the package's test suite); no public exploit identified as in-the-wild use at time of analysis.
Metric injection in the Perl module Net::Statsite::Client through version 1.1.0 allows attackers controlling metric names or values to inject arbitrary statsite protocol commands by smuggling newlines, colons, and pipe characters that the library fails to sanitize. The flaw maps to CWE-93 (CRLF Injection) and affects any application that forwards untrusted input into metric reporting. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Remote code execution in Spinnaker's Rosco and Orca services arises because YAML input is parsed with SnakeYAML's unsafe default Constructor rather than a SafeConstructor, letting authenticated users who trigger CloudFormation deployments or CloudFoundry baking load arbitrary Java classes. An attacker with pipeline access can supply a crafted YAML tag (e.g. !!javax.script.ScriptEngineManager) to instantiate dangerous classes and reach code execution on the affected service host. No public weaponized exploit is identified, though the vendor fix commit ships tests demonstrating the arbitrary-object-instantiation primitive, and the flaw is not listed in CISA KEV.
TLS trust store poisoning in Canonical ADSys through v0.16.2 allows a network-positioned attacker to inject an arbitrary Root CA certificate into managed Ubuntu hosts during Active Directory Certificate Services auto-enrollment. The vendored Samba GPO extension fetches the CA certificate over plaintext HTTP from the AD CS GetCACert endpoint, and the response is registered into the system trust store via update-ca-certificates without authenticity validation. No public exploit identified at time of analysis, but the impact enables persistent decryption of TLS traffic across the host.
Stored cross-site scripting in Gogs (self-hosted Git service) versions through 0.14.2 allows a low-privileged repository user to inject JavaScript via a crafted Jupyter notebook (.ipynb) Markdown cell containing a javascript: scheme link, which executes in the Gogs origin when a victim clicks the rendered link. Although server-side sanitization is performed via /-/api/sanitize_ipynb, the client subsequently re-renders Markdown cells with marked() and regenerates the dangerous links, and the file preview page is served without a Content Security Policy. Publicly available exploit code exists (full PoC published in the GHSA advisory) but there is no public exploit identified at time of analysis as actively exploited in the wild.
Session hijacking in Chainlit before 2.10.1 allows remote attackers with a valid victim sessionId to inherit an authenticated user's session via the WebSocket restore_existing_session path, which fails to verify session ownership. Successful exploitation grants the attacker the victim's roles and permissions, enabling unauthorized tool invocation and access to restricted data. No public exploit identified at time of analysis; EPSS is low (0.30%) and the issue is not listed in CISA KEV.
Remote code execution in vLLM versions prior to 0.22.1 allows attackers to backdoor production LLM inference deployments through a dependency confusion attack in the project's Dockerfile. Because flashinfer-jit-cache was pulled via --extra-index-url with UV_INDEX_STRATEGY=unsafe-best-match while the name remained unregistered on PyPI, any attacker who claimed the name on PyPI with a higher version would have their code executed as root during every Docker build. No public exploit identified at time of analysis, but the supply-chain primitive is well understood and trivially weaponizable.
Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpoint by rotating the client-supplied device_id parameter, defeating per-device throttling. Sustained abuse writes unbounded rows into the channel_devices table, exhausting database resources and degrading or denying service to legitimate users. No public exploit identified at time of analysis, but the attack is trivial to script given CVSS 4.0 AV:N/AC:L/PR:N/UI:N.
Remote code execution and denial of service in the IBM WebSphere Web Server Plug-in shipped with IBM i 7.3, 7.4, 7.5, and 7.6 (through 1.8.4) allows an attacker positioned on the adjacent network to abuse the plug-in's handling of responses from an upstream WebSphere Application Server. By impersonating the application server and returning crafted responses, the attacker can trigger code injection (CWE-94) against the plug-in, leading to full compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and EPSS is low (0.25%), but SSVC rates the technical impact as total.
SQL injection in Dell Wyse Management Suite (WMS) versions prior to 2605 allows authenticated low-privileged remote attackers to manipulate backend database queries, leading to unauthorized data access and potential integrity or availability impact. The CVSS 8.8 rating reflects high impact across confidentiality, integrity, and availability under low attack complexity, though no public exploit identified at time of analysis. The flaw is tagged with 'Authentication Bypass' implications, suggesting the SQLi could be leveraged to escalate beyond the attacker's initial low-privilege context.
Authenticated SQL injection (CWE-89) in Dell Wyse Management Suite (WMS) before version 2605 lets a low-privileged remote user inject crafted SQL into application queries, yielding unauthorized read/write access to the management database with high impact to confidentiality, integrity, and availability. Tracked as EUVD-2026-38345 and disclosed by Dell in advisory DSA-2026-247, it carries CVSS 3.1 8.8 but has no public exploit identified at time of analysis and a low EPSS of 0.24% (15th percentile), with CISA SSVC reporting no known exploitation.
Server-Side Request Forgery in IBM Watson Speech Services Cartridge (versions 4.0.0 through 5.3.1) lets an authenticated attacker coerce the system into issuing crafted requests to internal or external hosts, enabling internal network enumeration and pivoting toward follow-on attacks. The weakness lives in the embedded IBM Sterling File Gateway component used by the speech runtimes (GHSA-rr7j-v2q5-chgv). No public exploit identified at time of analysis; EPSS is low (0.18%, 8th percentile) and CISA SSVC marks exploitation as none, so this is a patch-priority issue rather than an emergency.
Privilege escalation in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform allows a compromised Windows worker node holding WICD credentials to obtain a cluster-administrator client certificate. The WICD CSR auto-approver checks for the system:wicd-nodes organization but fails to reject additional organization values such as system:masters, enabling full cluster takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local privilege escalation in ArubaSign prior to v4.6.6 stems from overly permissive ACLs applied at installation, granting the 'Everyone' group write access to the main executable and supporting files under C:\Program Files. An unprivileged local user can swap these binaries for malicious payloads that subsequently execute under the privileges of any user (potentially Administrator or SYSTEM) who later launches the application. No public exploit identified at time of analysis and the issue is not on CISA KEV.
Man-in-the-middle attacks against LY Corporation's Central Dogma server can compromise mirrored Git repositories in versions of the centraldogma-server-mirror-git module prior to 0.84.0, because the embedded SSH client accepts any host key presented over git+ssh:// connections. An on-path attacker between Central Dogma and the upstream Git server can impersonate that server, inject malicious commits, and silently poison every downstream consumer that reads from the mirror. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary file read in WebP Server Go through 0.14.4 on Windows deployments allows unauthenticated remote attackers to retrieve files outside the configured IMG_PATH by sending HTTP requests containing percent-encoded backslashes (%5C), bypassing the path.Clean() sanitization in handler/router.go. The flaw is platform-specific to Windows hosts because Go normalizes only forward slashes while the Windows file API treats backslashes equivalently; no public exploit identified at time of analysis, though VulnCheck has published an advisory and an upstream fix is merged in 0.15.0.
Command injection in TP-Link Archer and TL-MR series routers allows an adjacent unauthenticated attacker on the same broadcast domain to execute arbitrary commands with elevated privileges by supplying crafted DHCP option responses. The flaw resides in DHCP client option processing during device initialization and is most reliably triggered when the router is in factory-default or unconfigured state. No public exploit identified at time of analysis, but the vendor (TP-Link) has confirmed the issue and released firmware patches.
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_self endpoint with arbitrary app_id values to enumerate private rollout channels, confirm the existence of tenant applications, and extract subscription/billing status. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects trivial network-level abuse against default deployments. The flaw enables cross-tenant reconnaissance that can seed further targeted attacks against high-value Capgo users.
Remote code execution in MISP allows authenticated site administrators to abuse the JsonLogTool NDJSON error log configuration to write attacker-controlled content to a PHP file under the webroot, yielding code execution as the web server user. No public exploit identified at time of analysis, but a vendor patch is available via the MISP GitHub repository.
Command injection via untrusted Markdown rendering in the Angular Language Service VS Code extension (versions prior to 21.2.4) allows attackers to execute arbitrary commands on a developer's host when the developer hovers over and clicks a crafted JSDoc tooltip. The client trusts all rendered Markdown (isTrusted: true) while the language server fails to sanitize JSDoc content, enabling embedded command: URIs to fire from malicious source files or npm dependencies. No public exploit identified at time of analysis, but the supply-chain reach via npm packages makes this a notable developer-workstation risk.
Authentication bypass in SafeLine SL6 and SL6+ elevator emergency intercom devices allows an attacker within Bluetooth Low Energy range to reach the configuration service without credentials and gain administrative control. The flaw was disclosed by SCHUTZWERK (SA-2025-001), carries a CVSS 4.0 score of 8.7 (adjacent network, low complexity, no privileges, no user interaction), and currently has no public exploit identified at time of analysis.