Out-of-bounds write in RTKLIB's decode_type1033 function affects all versions through 2.4.3, where unclamped length counters allow up to a 191-byte overflow into fixed 64-byte descriptor fields when parsing an RTCM3 type-1033 message. An attacker who controls an NTRIP or serial RTCM3 correction stream can deliver a CRC-valid crafted message to corrupt adjacent rtcm_t members, potentially achieving arbitrary code execution or denial of service. Publicly available exploit code exists (reported by VulnCheck), though there is no public exploit identified as actively exploited in CISA KEV.
Authentication bypass in Evoke Systems' Evoke CSMS (EV Charging Station Management System) lets remote unauthenticated attackers connect to its WebSocket endpoints and impersonate legitimate charging stations. Because the OCPP-style WebSocket channel performs no authentication, an attacker can read sensitive station/session data and issue unauthorized commands, leading to privilege escalation and potential compromise of the broader charging backend. CVSS 4.0 rates this 9.3 (Critical); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though it is the subject of a CISA ICS advisory (ICSA-26-176-02).
Arbitrary file write leading to remote code execution in FlowiseAI Flowise (versions <= 2.2.7) lets unauthenticated remote attackers overwrite any file on the host via the /api/v1/document-store/loader/process endpoint. The fileName parameter is passed unsanitized into path.join() inside storageUtils.ts, so ../ sequences escape the storage directory; overwriting package.json injects a malicious start script that executes on the next application restart. Publicly available exploit code exists (vendor GHSA PoC overwriting package.json), and the issue carries a CVSS 4.0 base score of 10.0; no public active-exploitation listing was identified at time of analysis.
Arbitrary file upload in Daan.Dev's OMGF Pro WordPress plugin (versions through 5.2.6) lets remote attackers upload files of dangerous types, enabling webshell deployment and full site/server takeover. The CVSS 3.1 base score is 10.0 with a scope-changed vector, and the vector's PR:N indicates the flaw is reachable without authentication. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Memory corruption in Apache Kvrocks' embedded Lua scripting engine allows a client able to run EVAL/EVALSHA commands to trigger a stack buffer overflow in the bit.tohex() function, potentially crashing the server or corrupting process memory toward code execution. Kvrocks is a Redis-protocol-compatible distributed key-value store, and this flaw was disclosed via the oss-security mailing list on 2026-06-25 alongside three other Kvrocks issues. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
OS command injection in Rapid7's InsightConnect Traceroute Plugin (Linux, versions below 1.0.3) lets attackers inject arbitrary shell commands through the traceroute action's host, port, max_ttl, count, or time_out parameters, which are concatenated into a shell command without sufficient validation. Successful exploitation grants full command execution in the plugin container with the same impact on confidentiality, integrity, and availability. This was reported by the vendor (Rapid7) with a fix in 1.0.3; there is no public exploit identified at time of analysis, and EPSS sits at a modest 0.55% (42nd percentile).
Remote OS command injection in Rapid7's InsightConnect AWK Plugin (versions below 1.2.2 on Linux) lets attackers run arbitrary operating-system commands through the process_string action's text or expression parameters, which are unsafely concatenated into a shell command. The CVSS 9.8 rating reflects full confidentiality, integrity, and availability loss with no privileges or user interaction required by the vector. There is no public exploit identified at time of analysis, EPSS is low (0.55%), and CISA SSVC marks exploitation as none, so risk today is potential rather than observed.
OS command injection in Rapid7's InsightConnect Translate (TR) Plugin on Linux lets remote attackers run arbitrary shell commands by injecting into the 'text' or 'expression' parameters of the TR action, which are concatenated into a shell command without sanitization (CWE-78). All plugin versions before 2.0.3 are affected. There is no public exploit identified at time of analysis and EPSS is low (0.55%), but the flaw yields full system compromise per the vendor's own SSVC 'total' technical-impact rating.
OS command injection in Rapid7's InsightConnect Ping Plugin (versions before 1.0.4) on Linux lets attackers run arbitrary operating-system commands by injecting shell metacharacters into the host parameter of the plugin's ping action, which is concatenated into a shell command without proper sanitization. Any actor able to influence the host input flowing into this SOAR plugin gains full code execution on the plugin's runtime host. There is no public exploit identified at time of analysis, EPSS is low (0.55%), and CISA's SSVC marks exploitation as 'none' and the flaw as not automatable, so risk is real but not yet observed in the wild.
Privilege escalation to AWS IAM and PKI compromise in Netflix Lemur 1.9.0 (and earlier) lets any SSO-authenticated, low-privilege user chain an ACME acme_url SSRF with a creator-equality IDOR to steal the worker's AWS STS credentials and retain permanent access to issued TLS private keys. Because Lemur auto-provisions new SSO identities as active=True, any holder of a trusted federated identity can reach the vulnerable authority-creation and key-fetch endpoints. A detailed, fully reproduced proof-of-concept (Docker lab plus asciinema recording) exists publicly, though there is no public exploit identified as being used in active attacks and the issue is fixed in 1.9.2.
Code injection in the Widget Options WordPress plugin (versions <= 4.2.3, by marketingfire) allows authenticated users holding the low-privileged Contributor role to achieve remote code execution on the host. Because exploitation only requires a Contributor account - a role frequently granted on multi-author and membership sites - an attacker who can register or compromise such an account can run arbitrary PHP and fully take over the site. There is no public exploit identified at time of analysis, but the 9.9 CVSS and CWE-94 classification place this at the most severe end of WordPress plugin flaws.
Remote code execution affects Dell Wyse Management Suite in all versions prior to WMS 5.5 HF1, stemming from the application's acceptance of extraneous untrusted data alongside trusted data (CWE-349). Per the provided CVSS vector (PR:N), a remote unauthenticated attacker could potentially achieve full code execution against the management server, though the Dell description text characterizes the actor as 'low privileged' - a discrepancy worth verifying. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote denial of service in the Linux kernel's iSER (iSCSI Extensions for RDMA) target driver (IB/isert) allows an unauthenticated attacker on the RDMA fabric to crash a storage target node by sending an undersized iSCSI login PDU. The isert_login_recv_done() handler subtracts the 76-byte ISER_HEADERS_LEN from the received byte count without a lower bound, producing a negative signed login_req_len that is later sign-extended into a multi-gigabyte memcpy() length, causing a faulting out-of-bounds copy. Because the login phase precedes iSCSI authentication, no credentials are required; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.21%).
Memory corruption (use-after-free) in the Linux kernel's MediaTek mtk_eth_soc Ethernet driver allows the metadata destination object to be freed via kfree() during driver teardown while the RX path may still hold a non-refcounted (noref) pointer to it from a live skb. Affects systems running the mtk_eth_soc driver (MediaTek SoC networking, common in routers/embedded devices) across multiple kernel branches; the fix routes the free through dst_release() so the RCU grace period is honored. No public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and it is not in CISA KEV - despite the input's nominal CVSS of 9.8.
Use-after-free read in the Linux kernel's IPv6 SIT (IPv6-in-IPv4) tunnel transmit path lets a stale inner-IPv6-header pointer be dereferenced after GSO offload processing relocates the skb head, exposing freed kernel memory or crashing the host. The flaw affects systems running SIT tunnels in ipip6_tunnel_xmit(), where iptunnel_handle_offloads() may call pskb_expand_head() and move the buffer while the code keeps reading the old iph6 pointer. There is no public exploit identified at time of analysis; EPSS is low (0.18%, 8th percentile) and the issue is not in CISA KEV. The vendor-tagged impact is Information Disclosure, which is materially narrower than the assigned CVSS 9.8.
Incorrect tunnel matching in the Linux kernel's IPv6 Virtual Tunnel Interface (vti6) lets the vti6_tnl_lookup() fallback path select the wrong tunnel when an exact match fails, because the wildcard-search loops omitted checks that a candidate tunnel actually holds a wildcard local or remote address. On hosts configured with multiple vti6 tunnels sharing the ip6n->tnls_r_l hash table, hash collisions can cause inbound IPv6/IPsec packets to be associated with an unintended tunnel, enabling traffic misdirection and information disclosure. There is no public exploit identified at time of analysis, EPSS probability is low (0.18%), and the issue is not in CISA KEV; the upstream fix is available across multiple stable kernel branches.
Memory corruption in the Linux kernel's Marvell mvpp2 (PPv2) Ethernet driver allows the XDP fast-path to write past the real packet buffer on hardware using short BM pools. The driver hard-codes PAGE_SIZE as the XDP frame size even when short-pool buffers are smaller, so bpf_xdp_adjust_tail() can legitimately grow a frame beyond its actual allocation, corrupting adjacent memory or later tripping skb tailroom checks. EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis; despite the auto-assigned 9.8 CVSS, realistic exploitation is constrained to systems running an XDP program on affected Marvell hardware.
Memory corruption in the Linux kernel's Marvell mvpp2 (PPv2) Ethernet driver arises from an incorrect RX buffer-recycling order: when mvpp2_rx_refill() fails after the current buffer has already been handed to XDP or attached to an skb, the driver still returns that buffer to the hardware Buffer Manager (BM) pool, allowing the NIC to DMA into memory the RX ring no longer owns. Systems running Marvell Armada SoCs with the mvpp2 driver and XDP or skb RX processing are affected; the fix reorders the refill to complete before the buffer is handed off. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and the CVE is not listed in CISA KEV despite the inflated 9.8 NVD score.
Slab use-after-free in the Linux kernel's IP fragment reassembly (inet frags) layer occurs during network namespace teardown: fqdir_pre_exit() flushes incomplete fragment queues via inet_frag_queue_flush() without clearing q->fragments_tail/last_run_head, so a fragment reassembly already in flight resumes after the flush and dereferences freed skbs. IPv4, IPv6, nf_conntrack_reasm6, and 6lowpan reassembly all share the affected flush path. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile); NVD scores it CVSS 9.8 (AV:N), but the bug is fundamentally a teardown-vs-reassembly race, so the network-unauthenticated framing overstates practical reachability.
Out-of-bounds memory access in the Linux kernel's SCTP stack lets a remote peer corrupt kernel memory by sending a COOKIE_ECHO chunk whose embedded cached INIT chunk advertises an inflated length, which sctp_unpack_cookie() failed to validate against the remaining COOKIE_ECHO buffer before sctp_process_init() walked its parameters. Any host running an SCTP listening server (kernels from 2.6.12 up to the fixed stable releases) is affected, with the kernel-assigned CVSS rating it 9.8/network-unauthenticated, though EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis. Impact ranges from out-of-bounds reads to potential heap corruption during STATE_COOKIE handling and kmemdup() copies.
Out-of-bounds buffer access in the Linux kernel's AF_RXRPC (rxrpc) networking subsystem allows a remote attacker who can send crafted RxRPC-over-UDP traffic to trigger improper reads of the SACK table when an incoming ACK packet is deliberately fragmented. AF_RXRPC wrongly assumes skb_condense() always linearizes the packet before parsing soft-ACKs in rxrpc_input_soft_acks(), but skb_condense() can silently no-op, leading to access of a non-flat buffer and in-place modification of the received skbuff. No public exploit identified at time of analysis; EPSS is low at 0.17% (7th percentile) and this is not in CISA KEV.
Denial of service and potential memory corruption in the Linux kernel TCP stack arises from a refcount underflow / use-after-free in reqsk_queue_hash_req(), affecting kernels built with PREEMPT_RT (real-time preemption). On affected systems a request socket (reqsk) can lose both its ehash and timer reference counts when reqsk_queue_hash_req() is preempted between mod_timer() and refcount_set(), letting reqsk_timer_handler() drop the object twice and trigger a use-after-free flagged by refcount_warn_saturate. The fix was reported via syzbot fuzzing; there is no public weaponized exploit identified at time of analysis and the EPSS score is very low (0.15%, 5th percentile), and despite the NVD 9.8 score real-world exploitability is constrained to PREEMPT_RT kernels and a narrow timing window.
Arbitrary file read and write in FlowiseAI Flowise (versions 2.2.8 through 3.0.5) lets remote unauthenticated attackers traverse the filesystem because the chatflowId and chatId parameters are never validated as UUIDs or numbers. By supplying a path-traversal value such as '../../../../../tmp' as the chatflow id, an attacker can write controlled files via the /api/v1/chatflows endpoint and read arbitrary files via /api/v1/get-upload-file and /api/v1/openai-assistants-file/download - and the file-write primitive can be escalated to remote code execution. A proof-of-concept is published in the GHSA advisory, though there is no public exploit identified as actively used in the wild and the issue is not listed in CISA KEV.
Remote code execution in Flowise (versions 2.2.7-patch.1 through pre-3.0.6) lets attackers run arbitrary OS commands by abusing the Custom MCP feature, which is intended to spawn local MCP servers via tools like npx. Because the default installation runs with no authentication (unless FLOWISE_USERNAME/FLOWISE_PASSWORD are set) and lacks role-based access control, an attacker can POST a crafted JSON payload bearing the 'x-request-from: internal' header to /api/v1/node-load-method/customMCP and fully compromise the host container. Publicly available exploit code exists in the GHSA advisory, including a reverse-shell payload via nc.
Out-of-bounds memory access in the Linux kernel's netfilter subsystem allows attackers to leak adjacent kernel memory or crash the host by sending packets that traverse MAC-based matching paths (`xt_mac`, `ip6t_eui64`, the `bitmap:ip,mac`/`hash:ip,mac`/`hash:mac` ipset types, and `nf_log_syslog`) which call `eth_hdr(skb)` without first confirming the skb carries a full Ethernet header. Affected kernels span the 5.15 through 7.1 stable trees prior to the fixed releases, and the impact is information disclosure and denial of service rather than code execution. There is no public exploit identified at time of analysis, and the EPSS score is low at 0.17% (7th percentile).
Sandbox escape leading to non-sandboxed remote code execution in Cursor (the AI code editor) prior to version 3.0, where a malicious agent can write files outside the protected workspace. Cursor canonicalizes a Write target to confirm it stays in-workspace, but when canonicalization fails it insecurely falls back to the raw path and writes without approval; an agent can deliberately force this failure via an in-workspace symlink pointing outside the workspace (target missing or read permission stripped) to write arbitrary files under the user's privileges. Overwriting the cursorsandbox helper then causes later commands to run unsandboxed, yielding full RCE with no user interaction beyond a benign prompt. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Sandbox escape leading to non-sandboxed remote code execution affects the Cursor AI code editor prior to version 3.0, where agent terminal commands run in a sandbox that grants write access to the command's working directory. By manipulating the working_directory parameter, a malicious or prompt-injected agent can cause the sandbox to expose writable paths outside the intended workspace, then overwrite the cursorsandbox helper so subsequent commands execute outside the sandbox entirely. There is no public exploit identified at time of analysis, but the vendor rates this 9.3 (CVSS 4.0) with high confidentiality, integrity, and availability impact and notes it requires no user interaction beyond a benign prompt.
Unauthenticated arbitrary file upload in Flowise (versions through 2.2.7) lets remote attackers write malicious files to arbitrary locations on the server via the whitelisted /api/v1/attachments endpoint when storageType is set to local (the default). Because the chatId and chatflowId parameters are vulnerable to path traversal, an attacker can escape the intended upload directory and drop a webshell or other executable payload, leading to remote code execution and full server compromise. No public exploit identified at time of analysis, but the flaw is trivially reachable (CVSS 4.0 9.3) and was reported by VulnCheck with a vendor security advisory.
Stored code injection in ToolJet self-hosted (prior to 3.20.178-lts) lets any authenticated builder-role user - available on the free tier - overwrite a globally-shared marketplace plugin with arbitrary JavaScript that runs server-side with full Node.js capabilities (require, process). Because the poisoned plugin executes whenever any user on the instance runs a query that uses it, a single low-privileged account achieves remote code execution and an instance-wide supply-chain compromise. The flaw carries a CVSS 4.0 score of 9.4; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege bypass in Apache Kvrocks exposes the internal APPLYBATCH command without proper permission enforcement, letting an authenticated low-privilege client write raw batches directly to the underlying RocksDB storage engine and bypass the server's command ACL model. The flaw (CWE-280, improper handling of permissions) carries a CVSS 4.0 base of 9.4 due to high integrity and availability impact and an irrecoverable-damage recovery rating. No public exploit identified at time of analysis, and it is not listed in CISA KEV; it was disclosed pre-NVD via the oss-security mailing list on 2026-06-25 alongside two sibling Kvrocks CVEs.
Authentication bypass in Flowise on-premise (npm package 'flowise', version 3.0.1 and earlier) lets unauthenticated remote attackers POST to the /api/v1/account/register endpoint to self-provision arbitrary user accounts and then log in, obtaining full API access without any prior credentials. The endpoint is open by default and the registration request is reusable, so an attacker can repeatedly create privileged ('type':'pro') accounts. A working proof-of-concept exists (publicly available exploit code exists via the VulnCheck/GHSA advisory), and the CVSS 4.0 base score of 9.3 reflects high confidentiality and integrity impact.
Access-token theft in LibreChat before 0.8.5 lets a malicious MCP (Model Context Protocol) server hijack OAuth tokens minted for a legitimate server, because the client never checks that the RFC 9728 resource parameter matches the configured MCP server URL. Any LibreChat operator who connects their instance to an attacker-controlled MCP server can have the OAuth access tokens intended for a trusted server silently exfiltrated. SSVC rates technical impact as total and a proof-of-concept is referenced, but there is no public exploit weaponization and EPSS exploitation probability is very low (0.11%); it is fixed in 0.8.5.
Pre-authentication remote code execution in File Browser before 2.63.6 lets unauthenticated attackers run arbitrary OS commands when the optional Hook Authentication feature is enabled. Because login credentials are interpolated into an external shell command via os.Expand without sanitization, shell metacharacters placed in the username or password field at the login screen execute on the server before authentication occurs. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-m93h-4hw7-5qcm) confirms the flaw and CVSS 4.0 rates it 9.3 (Critical).
SQL injection in the YMC Filter (YMC Smart Filter / Filter Grids) WordPress plugin lets remote attackers inject malicious SQL through unsanitized input, affecting all versions up to and including 3.11.5. Per the CVSS vector (PR:N), exploitation is unauthenticated and network-reachable, enabling database content disclosure and a scope change beyond the plugin's own data. No public exploit identified at time of analysis, and no EPSS score was supplied, so real-world exploitation prevalence is currently unmeasured.
SQL injection in the Premmerce Wishlist for WooCommerce WordPress plugin (versions 1.1.11 and earlier) lets remote unauthenticated attackers inject crafted SQL into backend database queries, per the CVSS PR:N vector. Reported by Patchstack and rated 9.3 (CVSS 3.1), it allows extraction of sensitive WordPress/WooCommerce data such as user records and credential hashes. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was provided.
SQL injection in the WordPress "Meta Data Filter & Taxonomy Filter" (MDTF) plugin by pluginus.net affects all versions up to and including 1.3.7, allowing remote attackers to inject arbitrary SQL into backend queries without authentication. Per the provided CVSS vector (PR:N), exploitation requires no login, and the high CVSS base score of 9.3 reflects network reachability plus a scope change. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS data supplied, so prioritization rests on the CVSS signal alone.
Out-of-bounds memory reads in the Linux kernel SCTP stack allow remote attackers to trigger information disclosure and kernel crashes by sending a malformed COOKIE_ECHO chunk. The flaw lives in sctp_unpack_cookie(), which fails to verify that an embedded INIT chunk is large enough for a complete INIT header and does not fully validate raw_addr_list_len, so sctp_process_init() and the address parser read past the cookie payload. EPSS is low (0.21%) and there is no public exploit identified at time of analysis, but the network-reachable, unauthenticated nature (CVSS 9.1) makes it a meaningful patch priority for any host with SCTP in use.
Out-of-bounds uninitialized-memory read in the Linux kernel SCTP stack lets an unauthenticated network peer trigger the receive path to read up to 16 bytes past a truncated ASCONF address parameter. The flaw lives in __sctp_rcv_asconf_lookup() in net/sctp/input.c, which validates only the ADDIP and parameter headers before calling af->from_addr_param(), trusting the parameter's declared length without bounding the full address against the chunk. No public exploit is identified at time of analysis, and EPSS exploitation probability is low at 0.18% (8th percentile); the issue is already patched upstream and classed as information disclosure.
Out-of-bounds read in the Linux kernel's RDMA/SRP initiator (ib_srp) driver lets a malicious or compromised SRP storage target that an initiator has logged into trigger a kernel memory over-read by returning an SRP_RSP with SRP_RSP_FLAG_SNSVALID and an attacker-controlled 32-bit resp_data_len that is never validated against the bytes actually received. With resp_data_len near 0xFFFFFFFF the sense-copy source lands gigabytes past the receive buffer, faulting the kernel for a denial of service and potentially disclosing adjacent kernel memory into the sense buffer. No public exploit is identified at time of analysis and EPSS is low (0.18%), but exploitation requires the privileged position of a trusted SRP target on the InfiniBand/RoCE fabric.
Authentication bypass and privilege escalation in File Browser (versions 2.0.0-rc.1 and later) lets a remote unauthenticated attacker impersonate any account - including admin - by sending a single forged HTTP header when the server runs with proxy authentication (auth.method=proxy). The same flaw doubles as an unauthorized account-creation primitive, since supplying a non-existent username silently provisions a new user. Scored CVSS 9.1 (CWE-287); no public exploit identified at time of analysis, though the underlying behavior has been openly documented for years.