Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully compromise the host by bypassing authentication and abusing improper Python execution isolation. The maximum CVSS 10.0 score (AV:N/AC:L/PR:N/UI:N with scope change) reflects trivial network-based exploitation against any internet-exposed instance, though no public exploit identified at time of analysis. IBM has confirmed the issue and released a patch via support advisory node/7277242.
Remote code execution in XWiki Pro Macros (com.xwiki.pro:xwiki-pro-macros) versions >=1.13 and <1.14.5 allows any authenticated user with page-edit rights to execute arbitrary Groovy code via the excerpt-include macro, which fails to escape the included page's title and renders excerpt content with the macro's elevated rights. A working proof-of-concept is published in the GHSA advisory demonstrating injection through both a crafted page title and excerpt body. No public exploit identified at time of analysis as actively used, but the publicly available exploit code exists in the advisory itself.
Remote code execution and denial of service in IBM WebSphere Application Server and WebSphere Application Server Liberty (including IBM i 7.3-7.6) occurs when the WebServer Plug-in component is deployed with Intelligent Management enabled. An attacker who can impersonate a backend application server and return crafted responses can trigger code injection (CWE-94) against the plug-in, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis; EPSS 0.38% and SSVC exploitation 'none' indicate no observed weaponization despite the 9.8 CVSS rating.
Authorization bypass in IBM Langflow OSS 1.0.0 through 1.8.4 allows unauthenticated remote attackers to access protected Model Context Protocol (MCP) project resources and invoke MCP operations through the Streamable MCP transport endpoint. The CVSS 9.8 rating reflects unauthenticated network exploitation with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and the flaw is not currently listed in CISA KEV.
Arbitrary code execution in mise (jdx/mise) versions prior to 2026.3.10 allows attackers to run shell commands as the victim user simply by having them `cd` into a directory containing a malicious `.tool-versions` file. Unlike `.mise.toml`, `.tool-versions` files bypass the trust verification gate in non-paranoid mode, so the Tera template engine's `exec()` function fires silently from the shell `hook-env`. No public exploit identified at time of analysis beyond the detailed reporter PoC, but exploitation is trivial and a working PoC is embedded in the advisory.
Arbitrary file read in Budibase self-hosted server (@budibase/server <= 3.39.0) allows an authenticated workspace builder to exfiltrate any file readable by the server process by uploading a crafted PWA zip containing a symlink entry. Because the default `budibase/budibase:latest` Docker image runs Node as root, attackers can retrieve `/data/.env` (JWT_SECRET, INTERNAL_API_KEY, MinIO/Redis/CouchDB credentials, DATABASE_URL) and even `/etc/shadow`, enabling JWT forgery and full global-admin takeover. Publicly available exploit code exists - a complete working PoC is published in the GHSA advisory - though there is no public exploit identified at time of analysis beyond that disclosure write-up.
Cross-workspace automation execution in Budibase (npm @budibase/server, all versions before 3.39.9) lets a builder-authenticated attacker run their own automations inside any other workspace on the same instance by overwriting the server-derived appId. The public, unauthenticated webhook trigger endpoint mass-assigns the raw POST body over internal parameters, and because Execute Script steps run JavaScript, this escalates to arbitrary code execution and full data theft in the victim's context. A detailed proof-of-concept is published in the vendor advisory (GHSA-rgvg-3wpc-h44p); publicly available exploit code exists, though it is not listed in CISA KEV and EPSS exploitation probability is modest at 0.41% (33rd percentile).
Remote code execution in Autodesk Fusion Desktop's MCP (Model Context Protocol) extension allows attackers to execute arbitrary code with current user privileges when a victim visits a malicious webpage while Fusion is running with the MCP extension enabled. The flaw is rated CVSS 9.6 (Critical) due to its network-reachable nature and scope change, though successful exploitation requires user interaction (visiting a crafted page) and the non-default MCP extension being enabled. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Broken access control in MISP Core's bulk deletion handlers lets any authenticated user holding the broad perm_add or perm_sharing_group role flag hard-delete Event Reports and Sharing Groups belonging to other organisations across the entire instance. The flaw affects MISP threat-intelligence platform deployments and enables cross-tenant data destruction by contributor-level accounts; no public exploit identified at time of analysis, but the upstream patch commits are public and trivially reverse-engineerable.
Multiple chained vulnerabilities in Gaudire's Assassin Game platform allow an authenticated low-privileged player to tamper with other users' accounts, escalate to administrator, defraud city-council-awarded prizes, trigger denial-of-service, and perform server-side request forgery via the /addJugador endpoint. With CVSS 4.0 base score 9.4 (Critical) and scope-changing impact across confidentiality, integrity, and availability, the flaws stem from systemic input validation failures (CWE-20). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Insecure direct object reference flaws in MISP threat-intelligence platform allow an authenticated user with access to any one authorized object to overwrite, re-parent, or transfer ownership of objects belonging to other users or organizations by submitting crafted REST/form payloads containing attacker-chosen primary keys and ownership foreign keys. The root cause is CRUDComponent::edit() mass-assigning payload-supplied IDs (id, event_id, org_id, user_id, sharing_group_id, etc.) onto the already-loaded record, so CakePHP's save() updates a different row than the one the authorization check validated. No public exploit identified at time of analysis, but a vendor patch is available and the high CVSS 4.0 score of 9.4 reflects broad cross-tenant impact.
Cluster-wide remote code execution in LY Corporation's centraldogma-server prior to 0.84.0 occurs when ZooKeeper replication is enabled without explicitly configuring replication.secret, causing the embedded ZooKeeper ensemble to authenticate using a hard-coded, publicly known fallback credential. An adjacent attacker with network reachability to the replication ports can read the entire replication log or join the quorum to issue arbitrary replicated commands. No public exploit identified at time of analysis, but the issue is a default-credential failure that is trivial to weaponize once discovered.
Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijacking, session fixation, CSRF/replay against the OAuth callback, plaintext credential exposure over non-HTTPS redirect URIs, and log injection. The plugin reused the PHP session_id() as the OAuth state parameter, never rotated the session ID after login, did not enforce HTTPS on the redirect URI, and logged attacker-controlled GET parameters verbatim. No public exploit identified at time of analysis, but an upstream fix is available in MISP commit 146bc40.
Authenticated arbitrary code execution in MISP allows a site administrator to abuse the Kafka_rdkafka_config setting to load an attacker-controlled INI file, which is parsed and passed to rdkafka with options such as plugin.library.paths to load an arbitrary shared library. The flaw (CWE-829, inclusion of functionality from untrusted control sphere) yields code execution as the MISP process user; no public exploit identified at time of analysis, but a vendor patch is available.
Reflected cross-site scripting in OpenIdentityPlatform OpenAM versions 13.0.0 through 16.1.0 allows remote attackers to inject arbitrary HTML/JavaScript into the OAuth 2.0/OpenID Connect authorization endpoint response when the form_post response mode is used. The flaw resides in the FormPostResponse.ftl template, which insufficiently sanitizes user-supplied parameters such as state before reflecting them into the rendered HTML. No public exploit identified at time of analysis, but the high CVSS score (9.3) reflects the pre-authentication nature of the attack and the federated-identity context, where script execution in the OpenAM origin can compromise SSO sessions.
Server-side request forgery in Crawl4AI before 0.8.7 allows unauthenticated remote attackers to coerce the server into fetching arbitrary internal URLs via the /crawl, /crawl/stream, /md, and /llm endpoints. The product's internal-address blocklist can be bypassed using IPv6-mapped IPv4 notation (e.g., ::ffff:169.254.169.254), exposing cloud metadata services and internal infrastructure. No public exploit identified at time of analysis, but the GHSA advisory and a VulnCheck write-up document the flaw in detail.
Sensitive information disclosure in Gaudire's Assassin Game application allows unauthenticated remote attackers to retrieve personally identifiable information (PII) - including email addresses and phone numbers - through the application's API. The exposure also extends to the local database, which holds data on minors and municipal users, significantly elevating privacy and regulatory risk. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.2 and CWE-200 classification mark this as a high-priority data exposure issue.
HTTP request smuggling in IBM WebSphere Application Server 8.5/9.0 and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6 allows unauthenticated remote attackers to bypass security controls, spoof identities, escalate privileges, and access sensitive information. IBM has released fixes and SSVC currently rates exploitation as 'none' with EPSS at 0.35% (27th percentile), but the CVSS 9.1 rating and total technical impact warrant prompt patching given the product's enterprise footprint. No public exploit identified at time of analysis.
Authentication bypass in IBM Storage Protect Client and IBM Storage Protect Snapshot for Windows (versions 8.1.0.0 through 8.2.1.0) allows remote unauthenticated attackers to impersonate legitimate clients via hardcoded credentials embedded in the FlashCopy Manager (FCM) authentication mechanism. The flaw, classified as CWE-798 with a CVSS 9.1 critical rating, enables attackers to establish trusted sessions and access protected backup services. There is no public exploit identified at time of analysis, and EPSS rates real-world exploitation probability at 0.33% (24th percentile), but IBM has released a vendor advisory and patch.
Server-side request forgery in IBM WebSphere Application Server 8.5 and 9.0 allows remote unauthenticated attackers to coerce the server into issuing arbitrary outbound requests when the Ajax Proxy is configured, enabling security bypass and information disclosure. IBM has released fixes and no public exploit is identified at time of analysis; EPSS is low (0.23%, 14th percentile) and SSVC marks exploitation as 'none' despite a CVSS of 9.1.
Prototype pollution in the npm package scim-patch (versions <= 0.9.0) allows authenticated SCIM provisioning clients to mutate Object.prototype process-wide by submitting a PATCH operation whose value object contains a key such as `__proto__.someProp` or `constructor.prototype.someProp`. Because the side effect persists for the lifetime of the Node process and leaks into every plain object, downstream code that checks flags like `req.user.isAdmin` against unpolluted plain objects can suffer privilege escalation, logic bypass, or denial of service. Publicly available exploit code exists (proof-of-concept in the GHSA advisory and now in the package's test suite); no public exploit identified as in-the-wild use at time of analysis.
Metric injection in the Perl module Net::Statsite::Client through version 1.1.0 allows attackers controlling metric names or values to inject arbitrary statsite protocol commands by smuggling newlines, colons, and pipe characters that the library fails to sanitize. The flaw maps to CWE-93 (CRLF Injection) and affects any application that forwards untrusted input into metric reporting. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
TLS trust store poisoning in Canonical ADSys through v0.16.2 allows a network-positioned attacker to inject an arbitrary Root CA certificate into managed Ubuntu hosts during Active Directory Certificate Services auto-enrollment. The vendored Samba GPO extension fetches the CA certificate over plaintext HTTP from the AD CS GetCACert endpoint, and the response is registered into the system trust store via update-ca-certificates without authenticity validation. No public exploit identified at time of analysis, but the impact enables persistent decryption of TLS traffic across the host.
Unauthenticated remote code execution in OpenDJ Community Edition through 5.1.0 occurs when the JMX RMI connector deserializes attacker-controlled Java objects before authentication is performed. Any deployment with the JMX Connection Handler enabled (commonly turned on for monitoring integrations) is exposed to pre-auth RCE over TCP, as demonstrated against OpenDJ 4.4.15 on JDK 11 with Jackson 2.12.6.1. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Authentication bypass in motionEye versions prior to 0.44.0 allows remote attackers to impersonate any user, including the administrator, by setting the client-controlled cookies meye_password_hash and meye_username without ever knowing the plaintext password. The server treats these attacker-controlled values as sufficient authentication material, and because the admin hash is stored in a world-readable file (/etc/motioneye/motion.conf), any local shell user can trivially escalate to admin via the web UI. Publicly available exploit code exists in the GitHub Security Advisory GHSA-r3cw-c95m-wfh9, but there is no public exploit identified beyond the PoC and the issue is not in CISA KEV.