Container escape in Gitea act_runner (Docker backend, through act 0.262.0) lets an authenticated user with workflow-execution rights break out to the host as root even when privileged mode is disabled. The runner passes a workflow's container.options string straight into the Docker job container's HostConfig and only forces the Privileged flag off, leaving dangerous options like --pid=host, --cap-add, and --security-opt intact. Publicly available exploit code exists (reported by VulnCheck), though it is not listed in CISA KEV.
Out-of-bounds heap write in FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) allows attackers to corrupt memory when libavcodec decodes a crafted stream using the RASC FourCC. The decoder performs 32-bit reads/writes at the row cursor before the NEXT_LINE boundary check and validates DLTA regions in pixel rather than byte units, letting a DLTA run on a PAL8 frame write and read several bytes past the row allocation. Publicly available exploit code exists (reported by VulnCheck); no public active exploitation has been identified at time of analysis.
Privilege escalation in MyBB 1.8.40 lets a limited Admin Control Panel (ACP) user who holds only the delegated user-management permission promote any account into the Administrators usergroup (gid 4), gaining the full Administrator permission set. The flaw stems from the user module exposing the Administrators group as an assignable option while the datahandler's verify_usergroup() unconditionally returns true, performing no authorization check on the target group. Publicly available exploit code exists (VulnCheck), though the issue is not listed in CISA KEV and has no public evidence of active exploitation.
Heap buffer overflow in the libssh2 SSH client library (all versions through 1.11.1) lets a malicious or compromised SSH server corrupt memory in any connecting client on 32-bit platforms. The publickey subsystem reads an attacker-supplied 32-bit attribute count and multiplies it by the attribute structure size without bounds checking, so the allocation integer-overflows to an undersized buffer that the parsing loop then writes past. Publicly available exploit code exists; this is a CWE-190 integer overflow with no public exploit identified in CISA KEV, so it is not confirmed actively exploited.
Free of an uninitialized, attacker-influenceable pointer in libssh2 through 1.11.1 allows a malicious SSH server to corrupt memory in any connecting client that uses the publickey subsystem. The publickey list is grown via SSH2_REALLOC without zero-initializing new entries, so a server-induced parse failure that reaches the cleanup path causes libssh2_publickey_list_free to operate on an uninitialized attrs pointer. Publicly available exploit code exists (reported by VulnCheck); no public evidence of active exploitation, and it is not listed in CISA KEV.
Authorization scope bypass in RustDesk lets a peer holding only a FileTransfer authorization inject keyboard and mouse input and invoke the screenshot and display-capture handlers, escalating a limited file-transfer session into full interactive remote control and screen surveillance. The defect arises because RustDesk gates incoming control messages on per-capability flags that a file-transfer session never clears, rather than on the session's authorized connection type. Publicly available exploit code exists (reported by VulnCheck); no public active exploitation has been identified at time of analysis.
Out-of-bounds reads and a process crash in Nmap through 7.99 can be triggered remotely by any host that is being scanned, or by an on-path attacker, via a crafted IPv6 packet with a truncated extension header. The root cause is an integer underflow in the `ipv6_get_data_primitive` function (libnetutil/netutil.cc) where an insufficiently strict bounds check allows the extension-header walk pointer to advance past the captured packet buffer, causing the remaining-length subtraction to wraparound to a very large value. A publicly available exploit proof-of-concept exists; this vulnerability is not currently listed in the CISA KEV catalog.
HTTP request/response smuggling in nghttpx (the reverse proxy component of nghttp2 through 1.69.0) allows unauthenticated remote attackers to poison shared backend keep-alive connections by crafting an HTTP/1.1 Upgrade request that simultaneously carries a Content-Length header and body. When nghttpx forwards this ambiguous message to a backend and re-adds Connection and Upgrade headers while passing Content-Length verbatim, a backend that resolves the parsing ambiguity in the attacker's favor treats the body as a separate, attacker-controlled HTTP request - enabling cross-client response-queue poisoning. A publicly available proof-of-concept exploit exists; no CISA KEV listing at time of analysis.
Path traversal in ANTLR4 up to 4.13.2 exposes arbitrary file read via the tokenVocab grammar option handler. The vulnerable function getImportedVocabFile in TokenVocabParser.java fails to sanitize user-controlled grammar option values, allowing an attacker to supply a crafted .g4 grammar file that causes the tool to read files outside the intended working directory. A publicly available proof-of-concept exploit exists (GitHub issue reference), and no vendor patch has been released - the vendor did not respond to disclosure. No active exploitation is confirmed in CISA KEV, but the CVSS 4.0 E:P flag confirms exploit code is public.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate the `course_year_section` parameter on the `/preview6.php` endpoint, enabling unauthorized read and write access to the underlying database. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no special conditions, and a public proof-of-concept has been disclosed on GitHub. While not listed in CISA KEV, the trivially low attack complexity combined with POC availability raises the realistic exploitation risk above what the 5.5 medium score alone implies.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview.php` endpoint to remote unauthenticated exploitation via the unsanitized `course_year_section` parameter, allowing arbitrary SQL query execution against the backend database. A public proof-of-concept exploit has been published on GitHub, materially lowering the barrier to exploitation. Impact is rated low-to-partial across confidentiality, integrity, and availability, bounded by the database account's privileges, and no vendor patch has been identified at time of analysis.
Code injection in ANTLR4's Grammar Action Block Handler allows remote attackers to execute arbitrary code by supplying a crafted grammar file processed by the tool. All versions up to and including 4.13.2 are affected via the OutputFile.java code generation pathway. A public proof-of-concept exploit exists on GitHub (no KEV listing), though the vendor has not acknowledged or patched the issue, leaving users without an official fix.
SQL injection in yashpokharna2555's restaurent-management-system exposes the /forgotpassword.php endpoint to unauthenticated remote exploitation via the POST email parameter, allowing attackers to execute arbitrary SQL against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or preconditions are required, and a public exploit is referenced in GitHub issue #3. The project has no versioning scheme and the maintainer has not responded to the disclosure, meaning no patch is available and all deployed instances remain vulnerable.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview7.php` endpoint to unauthenticated remote exploitation via unsanitized input in the `course_year_section` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote exploitation with no authentication or user interaction required. No public exploit identified at time of analysis is incorrect here - a publicly available exploit exists (GitHub issue referenced in references), elevating urgency despite the absence of a CISA KEV listing.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes any publicly reachable deployment to unauthenticated database manipulation via the unsanitized `sy` parameter in /archive.php. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms remote exploitation with no prerequisites, yielding low-to-moderate impact across confidentiality, integrity, and availability of the underlying database. A publicly available proof-of-concept exploit exists on GitHub (referenced via VulDB submission 838189), lowering attacker skill requirements, though no CISA KEV listing indicates mass exploitation has not been confirmed at time of analysis.
Mark-of-the-Web protection is bypassed in 7-Zip for Windows 26.02 and earlier when extracting crafted RAR5 archives, allowing an attacker to strip the Internet-zone marker (ZoneId=0) and spoof the extracted file's data stream content - directly defeating SmartScreen and Windows attachment warnings. The bypass exploits a gap between 7-Zip's exact-string guard ('Zone.Identifier') and the NTFS-canonical equivalent (':Zone.Identifier:$DATA') that a RAR5 STM record can supply; a second STM record ('::$DATA') additionally overwrites the default file data stream for content spoofing. A publicly available proof-of-concept exists; no vendor-released patched version has been confirmed at the time of analysis.
SQL injection in the JoomCCK content-construction-kit extension for Joomla (versions 1.0 through 6.4.0) lets remote attackers read arbitrary database contents by injecting into a front-end controller task that concatenates an unescaped request parameter into two SQL statements. The flaw is reachable over the network without authentication or user interaction, and SSVC rates it automatable with total technical impact; however, there is no public exploit identified at time of analysis and EPSS is low at 0.28% (20th percentile).
Authenticated arbitrary file deletion in the Frontend File Manager Plugin (nmedia-user-file-uploader) for WordPress versions through 23.6 lets Subscriber-level users delete any file on the server, including wp-config.php, which can cascade into full site takeover. The flaw stems from a case-sensitivity gap in input sanitization within the wpfm_file_meta_update AJAX handler that allows attacker-controlled paths to reach unlink() unchecked. Reported by Wordfence with a CVSS of 8.1; no public exploit identified at time of analysis and the issue is not on CISA KEV.
Memory corruption and denial of service in Zephyr RTOS (v4.0.0 through v4.4.0) arises in the BSD-sockets getaddrinfo() implementation, where a timed-out DNS query is retried without cancelling the prior query, leaving a callback holding a pointer into a stack frame that goes out of scope after getaddrinfo() returns. A network-delivered DNS response matched by its spoofable 16-bit transaction id, or the resolver's own delayed timeout work, then writes through that stale pointer, enabling crashes or reused-stack corruption. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; exploitation is gated by a timing/race window reflected in CVSS AC:H.
Denial-of-service in xiaozhi-esp32 MQTT firmware (versions up to 2.2.6) allows a remote attacker to crash the device's MQTT session handler by sending a crafted goodbye message containing a non-string session_id field. The MQTT Goodbye Handler in mqtt_protocol.cc fails to validate the cJSON type of the session_id node before dereferencing its valuestring member, producing undefined behavior that terminates the session. A public proof-of-concept exists (GitHub issue #2022), but attack complexity is rated high (AC:H) and the vulnerability is not listed in the CISA KEV catalog, suggesting exploitation requires deliberate effort rather than opportunistic scanning.
Deployment authentication token weakness in SimStudioAI Sim up to 0.6.92 leaks a truncated SHA-256 derivative of the encrypted deployment password inside base64-encoded auth cookies, enabling offline hash cracking and potential token forgery against password-protected deployments. The vulnerable Password Protection Handler embeds only the first 8 hex characters (32 bits) of an unsalted SHA-256 hash of the encrypted password directly in the unprotected token payload - a CWE-328 use of weak hash - allowing an attacker who obtains the cookie to brute-force the narrow hash space and fingerprint or bypass deployment authentication. No patch has been merged; fix PR #4760 is pending acceptance, and a public proof-of-concept is available at https://github.com/simstudioai/sim/issues/4759.
NULL pointer dereference in the Zephyr Bluetooth LE Audio Basic Audio Profile unicast client crashes devices running Zephyr v4.3.0 and v4.4.0 (and earlier) when connected to a malicious or buggy remote ASCS server. The handler unicast_client_ep_qos_state() writes attacker-controlled QoS fields through stream->qos without verifying the pointer is non-NULL - a condition that legitimately exists during the window between bt_bap_stream_config() and unicast_group_add_stream(). No public exploit code has been identified and this vulnerability is not listed in CISA KEV, but CVSS adjacency (AV:A) and no-auth (PR:N) make it exploitable by any device within Bluetooth LE radio range acting as a rogue ASCS server.
Authorization bypass in GLPI 11.0.5 through 11.0.7 exposes restricted documents to unauthorized network-based access via a manipulable docid parameter in the document download handler. The vulnerability resides in the Document::canViewFile authorization check within front/document.send.php, where an attacker can tamper with the docid argument to circumvent document-level access controls and retrieve files they are not permitted to view. No public exploit has been identified at time of analysis, and EPSS data was not provided; however, the remote network vector with no required privileges raises concern for exposed GLPI deployments.
Arbitrary code execution in Flowise before 3.1.3 on Windows allows an authenticated user with Custom MCP node configuration access to bypass the NODE_OPTIONS environment variable denylist by supplying the lowercase variant 'node_options', exploiting a case-sensitive string comparison against a case-insensitive OS. The injected NODE_OPTIONS --require directive causes the Flowise server process to load an attacker-controlled module when spawning a Custom MCP stdio child process. A publicly available proof-of-concept exists per VulnCheck; the vulnerability is not listed in CISA KEV, and exploitation is constrained by Windows platform dependency and the requirement for stdio mode to be explicitly enabled.
Cross-site scripting in yashpokharna2555/restaurent-management-system allows remote unauthenticated attackers to inject arbitrary client-side script via the Username argument in login_register.php's Registration Handler. The payload executes in the browser of any user who subsequently views the tainted data - most likely an administrator reviewing registered accounts. A public exploit exists per VulDB and GitHub issue #4; no public exploit identified as confirmed actively exploited (CISA KEV). The CVSS 4.0 base score of 2.1 reflects the limited scope and required victim interaction, but the availability of a POC elevates practical risk for any deployment.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the appointment management endpoint to remote database manipulation via the unsanitized `editid` parameter in `/appointment.php`. Authenticated low-privileged users can craft malicious SQL payloads to read, modify, or corrupt appointment and patient records in the underlying database. A publicly available proof-of-concept exploit exists (GitHub issue linked in references); no CISA KEV listing at time of analysis.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/ajaxmedicine.php` endpoint to database manipulation via the unsanitized `medicineid` parameter, exploitable by any low-privilege authenticated user over the network. A public proof-of-concept has been published on GitHub, materially lowering the barrier to exploitation. No active exploitation has been confirmed by CISA KEV, but the combination of public exploit code, a medical data context, and low attack complexity makes this a credible risk for any organization running this software.
SQL injection in itsourcecode Hospital Management System 1.0 exposes authenticated administrators to database manipulation via the `loginid` parameter in `/adminprofile.php`. The CVSS 4.0 vector (PR:H) confirms exploitation is constrained to authenticated high-privilege sessions, limiting mass exploitation risk despite network accessibility. A public proof-of-concept exploit has been disclosed on GitHub, lowering the technical barrier for targeted abuse by insiders or credential-compromised actors.
Cross-site scripting in code-projects Project Management System 1.0 allows a remote authenticated attacker to inject malicious scripts via the /mail.php Mail Compose Page, targeting other users who interact with the crafted mail content. The CVSS 4.0 vector (PR:L/UI:P) confirms exploitation requires a low-privileged authenticated session and passive victim interaction, limiting scope but not eliminating risk in shared environments. A public proof-of-concept exploit has been disclosed on GitHub; no KEV listing and no vendor patch have been identified at time of analysis.
Command injection in ANTLR4's Go code generation target (GoTarget.java) allows a local low-privilege attacker to execute arbitrary OS commands via unsanitized input passed to the gofmt invocation, affecting all versions up to 4.13.2. This vulnerability is scoped entirely to local environments such as developer workstations or CI/CD pipelines running ANTLR4 Go target code generation. A publicly available proof-of-concept exploit exists per the GitHub disclosure, but this is not confirmed as actively exploited (not in CISA KEV), and the CVSS 4.0 base score of 1.9 reflects its genuinely constrained real-world impact.
Workflow checkpoint endpoints in ComfyUI-Copilot up to 2.0.28 expose an insecure direct object reference (IDOR) flaw - the restore_workflow_checkpoint and update_workflow_ui handlers in conversation_api.py accept externally supplied version identifiers without verifying that the referenced checkpoint belongs to the requesting session, enabling an authenticated remote attacker to read workflow data owned by other sessions. The CVSS 4.0 score of 2.3 reflects limited confidentiality-only impact and high attack complexity (AC:H) due to the need to enumerate valid cross-session identifiers. A proof-of-concept is publicly available at GitHub issue #149; the upstream fix (PR #150) is pending acceptance and no patched release version has been confirmed.
Improper response routing in xiaozhi-esp32 firmware up to version 2.2.6 allows any authenticated WebSocket client to receive MCP (Model Context Protocol) responses intended for other connected clients, enabling cross-client information disclosure and low-integrity interference. The flaw resides in the ParseMessage function within main/mcp_server.cc, where the MCP Response Handler broadcasts responses globally to all connected WebSocket clients on port 8080 rather than routing replies back to the originating client. A public proof-of-concept is available via GitHub issue #2020; no active exploitation has been confirmed in CISA KEV, and the CVSS 4.0 score of 2.3 reflects high attack complexity and limited overall impact in this niche IoT context.
Improper authorization in VoltAgent's Memory REST API allows an authenticated user to read another user's private conversation history by substituting a victim's conversationId in requests to the handleGetMemoryConversation endpoint. All VoltAgent versions up to and including 2.1.17 are affected; the CVSS 4.0 base score of 2.3 reflects high attack complexity and limited confidentiality impact. No public exploit confirmed active exploitation (CISA KEV absent), but a proof-of-concept is publicly available via GitHub issue #1315, and a fix PR (#1317) remains pending acceptance with no released patched version confirmed at time of analysis.
Missing authorization in MLflow's Experiment-scoped Label Schema CRUD API allows a remote, low-privileged attacker to perform unauthorized read, create, update, or delete operations on label schema resources. The vulnerability stems from a pre-release feature that was disclosed before its authentication handlers were implemented - a GitHub maintainer confirmed: 'The auth handlers will be added before the release.' A proof-of-concept is publicly available via the referenced GitHub issue. Despite network accessibility, the CVSS 4.0 score of 1.3 reflects high attack complexity and limited impact scope, and no CISA KEV listing has been issued.
Credential storage in DocsGPT up to 0.18.0 uses AES-CBC - an unauthenticated cipher mode - allowing a low-privilege authenticated attacker to tamper with encrypted credential blobs without detection, as the application performs no integrity or authenticity verification before decrypting. The root cause (CWE-345) is the absence of authenticated encryption: CBC provides confidentiality only, with no MAC or HMAC binding, and the legacy implementation also lacked any user_id binding, enabling potential cross-user credential replay. Publicly available exploit code exists (CVSS 4.0 E:P), though no confirmed active exploitation (not in CISA KEV); the upstream fix in PR #2331 migrates to AES-GCM with user_id-bound AAD but has not yet been merged.
Time-of-check time-of-use (TOCTOU) race condition in antlr4-maven-plugin up to version 4.13.2 allows a local low-privileged attacker to manipulate grammar dependency state between validation and consumption in ObjectInputStream.readObject() within GrammarDependencies.java, yielding limited confidentiality, integrity, and availability impact on build artifacts. No public exploit identified at time of analysis is incorrect here - a publicly available exploit exists via a GitHub issue, though KEV listing is absent, indicating no confirmed widespread active exploitation. The CVSS 4.0 score of 1.1 reflects genuine low real-world risk due to local-only access, high attack complexity, and constrained impact scope.
Out-of-bounds write in Zephyr RTOS's Microchip SERCOM-G1 UART driver (introduced in v4.4.0) allows an adjacent attacker who can send serial data to corrupt one byte of memory immediately beyond the caller-supplied RX buffer, potentially causing a crash or denial of service. The flaw exists only when CONFIG_UART_MCHP_ASYNC is enabled (non-default on in-tree PIC32CM-JH board configs) and the consuming application calls uart_rx_enable() with a one-byte buffer - a narrow but real embedded firmware scenario. No exploit code is publicly available and this vulnerability is not listed in CISA KEV; the upstream fix has been committed but a tagged patched release version has not been independently confirmed.
Weak hash usage in SkyPilot's User ID Handler (versions up to 0.12.0) allows remote attackers with high-complexity access to manipulate user identity integrity by exploiting the `username.encode` function in `sky/users/server.py`. The vulnerability (CWE-328) results in a low-integrity impact on the vulnerable system, with no confidentiality or availability impact per the CVSS 4.0 vector, though the VulDB-assigned 'Information Disclosure' tag suggests the weak hash may additionally expose derivable username data. A public exploit exists (CVSS 4.0 E:P modifier confirmed), but no confirmed active exploitation or CISA KEV listing has been identified at time of analysis.
Insufficient data authenticity verification in volcengine OpenViking's Local VectorDB Primary-key Label Handler (versions up to 0.3.21) allows a remote attacker with low-privilege access to manipulate the ID argument passed to the str_to_uint64 function, potentially enabling limited tampering with vector database primary-key label data. The attack vector is network-accessible but rated highly complex, with CVSS 4.0 score of 2.3 reflecting constrained, low-severity impact across confidentiality, integrity, and availability. No public exploit code exists and no active exploitation has been identified; an upstream fix is pending via an unmerged pull request.
Path traversal in RAGapp's Knowledge File Handler (versions up to 0.1.5) allows authenticated low-privilege users to read, write, or delete files outside the intended data/ directory by supplying crafted filenames containing sequences such as '../' to the upload or remove file API endpoints. The vulnerability exists in the FileHandler.upload_file and FileHandler.remove_file functions in src/ragapp/backend/controllers/files.py, where client-supplied filenames were interpolated directly into file paths without sanitization. A proof-of-concept exploit has been publicly disclosed; however, no vendor-released patched version is available as of analysis date - only an unmerged upstream pull request (PR #294) addresses the issue.
Tenant isolation bypass in Databend up to 1.2.881 allows an authenticated remote attacker to access or corrupt session state belonging to users in other tenants by exploiting a missing tenant dimension in the ClientSessionManager session key derivation. The state_key function generated keys using only username and client_session_id, enabling key collisions across tenants sharing a server process - a flaw confirmed by the PR #19931 diff which adds tenant scoping to all key construction paths. Publicly available exploit code exists; no patched release has been confirmed at time of analysis.
Incorrect authorization in khoj's Conversation Sharing Handler exposes private agent configurations to authenticated low-privileged users in versions up to 2.0.0-beta.28. The conversation.agent parameter is passed through shared conversation copy paths in src/khoj/routers/api_chat.py without verifying the requesting user's permission to access that agent, allowing leakage of private agent personality instructions and system prompts across trust boundaries. A proof-of-concept has been published (CVSS 4.0 E:P); the vulnerability is not in CISA KEV, and no officially released patch version has been confirmed.