Denial-of-service in xiaozhi-esp32 MQTT firmware (versions up to 2.2.6) allows a remote attacker to crash the device's MQTT session handler by sending a crafted goodbye message containing a non-string session_id field. The MQTT Goodbye Handler in mqtt_protocol.cc fails to validate the cJSON type of the session_id node before dereferencing its valuestring member, producing undefined behavior that terminates the session. A public proof-of-concept exists (GitHub issue #2022), but attack complexity is rated high (AC:H) and the vulnerability is not listed in the CISA KEV catalog, suggesting exploitation requires deliberate effort rather than opportunistic scanning.
Deployment authentication token weakness in SimStudioAI Sim up to 0.6.92 leaks a truncated SHA-256 derivative of the encrypted deployment password inside base64-encoded auth cookies, enabling offline hash cracking and potential token forgery against password-protected deployments. The vulnerable Password Protection Handler embeds only the first 8 hex characters (32 bits) of an unsalted SHA-256 hash of the encrypted password directly in the unprotected token payload - a CWE-328 use of weak hash - allowing an attacker who obtains the cookie to brute-force the narrow hash space and fingerprint or bypass deployment authentication. No patch has been merged; fix PR #4760 is pending acceptance, and a public proof-of-concept is available at https://github.com/simstudioai/sim/issues/4759.
Arbitrary code execution in Flowise before 3.1.3 on Windows allows an authenticated user with Custom MCP node configuration access to bypass the NODE_OPTIONS environment variable denylist by supplying the lowercase variant 'node_options', exploiting a case-sensitive string comparison against a case-insensitive OS. The injected NODE_OPTIONS --require directive causes the Flowise server process to load an attacker-controlled module when spawning a Custom MCP stdio child process. A publicly available proof-of-concept exists per VulnCheck; the vulnerability is not listed in CISA KEV, and exploitation is constrained by Windows platform dependency and the requirement for stdio mode to be explicitly enabled.
Cross-site scripting in yashpokharna2555/restaurent-management-system allows remote unauthenticated attackers to inject arbitrary client-side script via the Username argument in login_register.php's Registration Handler. The payload executes in the browser of any user who subsequently views the tainted data - most likely an administrator reviewing registered accounts. A public exploit exists per VulDB and GitHub issue #4; no public exploit identified as confirmed actively exploited (CISA KEV). The CVSS 4.0 base score of 2.1 reflects the limited scope and required victim interaction, but the availability of a POC elevates practical risk for any deployment.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the appointment management endpoint to remote database manipulation via the unsanitized `editid` parameter in `/appointment.php`. Authenticated low-privileged users can craft malicious SQL payloads to read, modify, or corrupt appointment and patient records in the underlying database. A publicly available proof-of-concept exploit exists (GitHub issue linked in references); no CISA KEV listing at time of analysis.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/ajaxmedicine.php` endpoint to database manipulation via the unsanitized `medicineid` parameter, exploitable by any low-privilege authenticated user over the network. A public proof-of-concept has been published on GitHub, materially lowering the barrier to exploitation. No active exploitation has been confirmed by CISA KEV, but the combination of public exploit code, a medical data context, and low attack complexity makes this a credible risk for any organization running this software.
SQL injection in itsourcecode Hospital Management System 1.0 exposes authenticated administrators to database manipulation via the `loginid` parameter in `/adminprofile.php`. The CVSS 4.0 vector (PR:H) confirms exploitation is constrained to authenticated high-privilege sessions, limiting mass exploitation risk despite network accessibility. A public proof-of-concept exploit has been disclosed on GitHub, lowering the technical barrier for targeted abuse by insiders or credential-compromised actors.
Cross-site scripting in code-projects Project Management System 1.0 allows a remote authenticated attacker to inject malicious scripts via the /mail.php Mail Compose Page, targeting other users who interact with the crafted mail content. The CVSS 4.0 vector (PR:L/UI:P) confirms exploitation requires a low-privileged authenticated session and passive victim interaction, limiting scope but not eliminating risk in shared environments. A public proof-of-concept exploit has been disclosed on GitHub; no KEV listing and no vendor patch have been identified at time of analysis.
Command injection in ANTLR4's Go code generation target (GoTarget.java) allows a local low-privilege attacker to execute arbitrary OS commands via unsanitized input passed to the gofmt invocation, affecting all versions up to 4.13.2. This vulnerability is scoped entirely to local environments such as developer workstations or CI/CD pipelines running ANTLR4 Go target code generation. A publicly available proof-of-concept exploit exists per the GitHub disclosure, but this is not confirmed as actively exploited (not in CISA KEV), and the CVSS 4.0 base score of 1.9 reflects its genuinely constrained real-world impact.
Workflow checkpoint endpoints in ComfyUI-Copilot up to 2.0.28 expose an insecure direct object reference (IDOR) flaw - the restore_workflow_checkpoint and update_workflow_ui handlers in conversation_api.py accept externally supplied version identifiers without verifying that the referenced checkpoint belongs to the requesting session, enabling an authenticated remote attacker to read workflow data owned by other sessions. The CVSS 4.0 score of 2.3 reflects limited confidentiality-only impact and high attack complexity (AC:H) due to the need to enumerate valid cross-session identifiers. A proof-of-concept is publicly available at GitHub issue #149; the upstream fix (PR #150) is pending acceptance and no patched release version has been confirmed.
Improper response routing in xiaozhi-esp32 firmware up to version 2.2.6 allows any authenticated WebSocket client to receive MCP (Model Context Protocol) responses intended for other connected clients, enabling cross-client information disclosure and low-integrity interference. The flaw resides in the ParseMessage function within main/mcp_server.cc, where the MCP Response Handler broadcasts responses globally to all connected WebSocket clients on port 8080 rather than routing replies back to the originating client. A public proof-of-concept is available via GitHub issue #2020; no active exploitation has been confirmed in CISA KEV, and the CVSS 4.0 score of 2.3 reflects high attack complexity and limited overall impact in this niche IoT context.
Improper authorization in VoltAgent's Memory REST API allows an authenticated user to read another user's private conversation history by substituting a victim's conversationId in requests to the handleGetMemoryConversation endpoint. All VoltAgent versions up to and including 2.1.17 are affected; the CVSS 4.0 base score of 2.3 reflects high attack complexity and limited confidentiality impact. No public exploit confirmed active exploitation (CISA KEV absent), but a proof-of-concept is publicly available via GitHub issue #1315, and a fix PR (#1317) remains pending acceptance with no released patched version confirmed at time of analysis.
Missing authorization in MLflow's Experiment-scoped Label Schema CRUD API allows a remote, low-privileged attacker to perform unauthorized read, create, update, or delete operations on label schema resources. The vulnerability stems from a pre-release feature that was disclosed before its authentication handlers were implemented - a GitHub maintainer confirmed: 'The auth handlers will be added before the release.' A proof-of-concept is publicly available via the referenced GitHub issue. Despite network accessibility, the CVSS 4.0 score of 1.3 reflects high attack complexity and limited impact scope, and no CISA KEV listing has been issued.
Credential storage in DocsGPT up to 0.18.0 uses AES-CBC - an unauthenticated cipher mode - allowing a low-privilege authenticated attacker to tamper with encrypted credential blobs without detection, as the application performs no integrity or authenticity verification before decrypting. The root cause (CWE-345) is the absence of authenticated encryption: CBC provides confidentiality only, with no MAC or HMAC binding, and the legacy implementation also lacked any user_id binding, enabling potential cross-user credential replay. Publicly available exploit code exists (CVSS 4.0 E:P), though no confirmed active exploitation (not in CISA KEV); the upstream fix in PR #2331 migrates to AES-GCM with user_id-bound AAD but has not yet been merged.
Time-of-check time-of-use (TOCTOU) race condition in antlr4-maven-plugin up to version 4.13.2 allows a local low-privileged attacker to manipulate grammar dependency state between validation and consumption in ObjectInputStream.readObject() within GrammarDependencies.java, yielding limited confidentiality, integrity, and availability impact on build artifacts. No public exploit identified at time of analysis is incorrect here - a publicly available exploit exists via a GitHub issue, though KEV listing is absent, indicating no confirmed widespread active exploitation. The CVSS 4.0 score of 1.1 reflects genuine low real-world risk due to local-only access, high attack complexity, and constrained impact scope.
Out-of-bounds write in Zephyr RTOS's Microchip SERCOM-G1 UART driver (introduced in v4.4.0) allows an adjacent attacker who can send serial data to corrupt one byte of memory immediately beyond the caller-supplied RX buffer, potentially causing a crash or denial of service. The flaw exists only when CONFIG_UART_MCHP_ASYNC is enabled (non-default on in-tree PIC32CM-JH board configs) and the consuming application calls uart_rx_enable() with a one-byte buffer - a narrow but real embedded firmware scenario. No exploit code is publicly available and this vulnerability is not listed in CISA KEV; the upstream fix has been committed but a tagged patched release version has not been independently confirmed.
Weak hash usage in SkyPilot's User ID Handler (versions up to 0.12.0) allows remote attackers with high-complexity access to manipulate user identity integrity by exploiting the `username.encode` function in `sky/users/server.py`. The vulnerability (CWE-328) results in a low-integrity impact on the vulnerable system, with no confidentiality or availability impact per the CVSS 4.0 vector, though the VulDB-assigned 'Information Disclosure' tag suggests the weak hash may additionally expose derivable username data. A public exploit exists (CVSS 4.0 E:P modifier confirmed), but no confirmed active exploitation or CISA KEV listing has been identified at time of analysis.
Insufficient data authenticity verification in volcengine OpenViking's Local VectorDB Primary-key Label Handler (versions up to 0.3.21) allows a remote attacker with low-privilege access to manipulate the ID argument passed to the str_to_uint64 function, potentially enabling limited tampering with vector database primary-key label data. The attack vector is network-accessible but rated highly complex, with CVSS 4.0 score of 2.3 reflecting constrained, low-severity impact across confidentiality, integrity, and availability. No public exploit code exists and no active exploitation has been identified; an upstream fix is pending via an unmerged pull request.
Path traversal in RAGapp's Knowledge File Handler (versions up to 0.1.5) allows authenticated low-privilege users to read, write, or delete files outside the intended data/ directory by supplying crafted filenames containing sequences such as '../' to the upload or remove file API endpoints. The vulnerability exists in the FileHandler.upload_file and FileHandler.remove_file functions in src/ragapp/backend/controllers/files.py, where client-supplied filenames were interpolated directly into file paths without sanitization. A proof-of-concept exploit has been publicly disclosed; however, no vendor-released patched version is available as of analysis date - only an unmerged upstream pull request (PR #294) addresses the issue.
Tenant isolation bypass in Databend up to 1.2.881 allows an authenticated remote attacker to access or corrupt session state belonging to users in other tenants by exploiting a missing tenant dimension in the ClientSessionManager session key derivation. The state_key function generated keys using only username and client_session_id, enabling key collisions across tenants sharing a server process - a flaw confirmed by the PR #19931 diff which adds tenant scoping to all key construction paths. Publicly available exploit code exists; no patched release has been confirmed at time of analysis.
Incorrect authorization in khoj's Conversation Sharing Handler exposes private agent configurations to authenticated low-privileged users in versions up to 2.0.0-beta.28. The conversation.agent parameter is passed through shared conversation copy paths in src/khoj/routers/api_chat.py without verifying the requesting user's permission to access that agent, allowing leakage of private agent personality instructions and system prompts across trust boundaries. A proof-of-concept has been published (CVSS 4.0 E:P); the vulnerability is not in CISA KEV, and no officially released patch version has been confirmed.