Denial of service in the UTT nv518G security gateway/router (firmware nv518GV3v3.2.7-210919-161313) lets remote attackers crash the device by triggering a buffer overflow in the gohead web-management component's sub_487330 (FUN_00487330) function. The CVSS vector indicates unauthenticated network exploitation with availability-only impact, EPSS is low at 0.22% (13th percentile), and no active exploitation is recorded, though a public technical write-up of the flawed function exists on GitHub.
Remote denial of service in the UTT nv518G security gateway/router (firmware nv518GV3v3.2.7-210919-161313) allows an unauthenticated attacker to crash the device by triggering a buffer overflow in the gohead/sub_444C8C function of its embedded web management service. The flaw impacts availability only - no code execution, data disclosure, or integrity loss is indicated - and CVSS rates it 7.5 (High). No public exploit identified at time of analysis, though a GitHub reverse-engineering report documents the vulnerable function; EPSS is low at 0.22% (13th percentile) and it is not on the CISA KEV list.
Denial of service in the UTT nv518G security gateway (firmware nv518GV3 v3.2.7-210919-210919/161313) lets a remote, unauthenticated attacker crash or hang the device by triggering uncontrolled resource consumption in the gohead/sub_445C5C (FUN_00445c5c) handler of the built-in GoAhead-style web management daemon. No public exploit is identified in the source data, though a GitHub technical write-up reverse-engineering the vulnerable function is available; EPSS is low (0.20%, 10th percentile) and the CVE is not on CISA KEV, so exploitation is theoretical rather than confirmed. Impact is limited to availability (network outage of the gateway) with no confidentiality or integrity loss.
Privilege persistence in Ubiquiti's UniFi Network Application allows a low-privileged network-adjacent actor to retain granted privileges within the controller even after those privileges are supposed to have been revoked, due to an Incorrect Authorization (CWE-863) flaw. The CVSS 3.1 base score is 7.5 (AV:N/AC:H/PR:L/UI:N) with high confidentiality, integrity, and availability impact, meaning an actor whose access was removed can continue to act with the old authorization. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation requires prior authenticated access plus specific unstated conditions (AC:H).
Denial of service in pdfcpu (the Go PDF processing library and CLI) through v0.11.1 lets a remote attacker crash any application that parses attacker-supplied PDFs by submitting a document with deeply nested objects. The parser follows nested arrays recursively via ParseObjectContext() and parseArray() with no depth cap, so a crafted file exhausts the goroutine stack and aborts the process. No public exploit is identified at time of analysis and EPSS is low (0.17%, 7th percentile), consistent with an availability-only bug rather than a code-execution risk.
HTTP request smuggling in Ruby's WEBrick HTTP server through v1.9.2 allows remote attackers to desynchronize front-end/back-end request parsing by exploiting how WEBrick reparses a Content-Length value supplied in chunked trailers back into the canonical request state. Any deployment fronting WEBrick with a proxy, load balancer, or CDN that disagrees on message length can have requests smuggled past it, enabling request routing manipulation and information disclosure. Publicly available exploit code exists (SSVC exploitation status: poc), though EPSS remains low at 0.16% and it is not on CISA KEV.
Denial-of-service in the simplesamlphp/saml2 PHP library (and its saml2-legacy variant, used by SimpleSAMLphp) allows unauthenticated remote attackers to exhaust CPU/memory by submitting SAML messages containing malicious XPath transforms in XML Signature elements. The fix restricts the number of transforms and rejects XPath transforms entirely, permitting only the transform algorithms named in the SAML 2.0 Core specification. No public exploit has been identified at time of analysis and the flaw carries CVSS 7.5 (availability-only impact); it is not in CISA KEV.
Remote denial of service in the Zebra Zcash full-node (zebrad) up to and including v4.4.1 lets an unauthenticated peer deterministically crash any synced node running the standard Linux dual-stack configuration. By completing a P2P handshake over IPv4 to a `[::]` listener and then advertising a single invalid mempool transaction (e.g. a coinbase), the attacker triggers a reachable-assertion panic in the address book after a 30-second batch flush, and `panic = "abort"` terminates the process. No public exploit has been identified at time of analysis, but the advisory documents the full reproduction path; the crash is repeatable after every restart, enabling persistent downtime.
Denial of service in the JSONata JavaScript query/transformation library (npm 'jsonata') before 2.2.0 allows remote attackers to hang the event loop by supplying crafted, non-matching date strings to the $toMillis function, whose ISO-8601 validation regex is vulnerable to superlinear (catastrophic) backtracking. Any application that evaluates user-provided JSONata expressions or feeds attacker-controlled data into $toMillis is exposed. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but EPSS/exploitation likelihood aside, the CVSS 7.5 (A:H) reflects a clean availability-only impact.
Denial of service in Ubiquiti's UniFi Network Application allows a remote, unauthenticated attacker with network access to crash or render the application unavailable by sending malformed input that the application fails to properly validate (CWE-20). The flaw carries a CVSS 7.5 rating driven entirely by availability impact (C:N/I:N/A:H), with no confidentiality or integrity consequences. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local File Inclusion in the SportsPress Pro WordPress plugin (versions 2.7.29 and earlier) lets an authenticated user holding at least Contributor privileges cause the application to include and disclose arbitrary local files on the server. Because the flaw is rooted in unsafe PHP file inclusion (CWE-98), a successful attacker can read sensitive files such as wp-config.php and, depending on which local files can be included, potentially escalate toward code execution. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the finding is documented by Patchstack.
Local File Inclusion in the Shopify (Shopify Help Center) WordPress plugin through version 1.0.0 allows an authenticated user with at least Contributor privileges to include and read arbitrary local files on the server, potentially escalating to code execution via CWE-98-style file-inclusion abuse. The flaw was reported by Patchstack and carries a CVSS 7.5 rating driven by high confidentiality, integrity, and availability impact but with high attack complexity. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Broken access control in the NOWPayments for WooCommerce WordPress plugin (versions <= 1.4.0) allows unauthenticated remote attackers to perform actions or modify state that should be restricted, without any authentication. The flaw stems from a missing authorization check (CWE-862) on a network-reachable endpoint, and per its CVSS 3.1 vector it affects integrity only (I:H) with no confidentiality or availability impact. No public exploit has been identified at time of analysis, though the vulnerability was cataloged by Patchstack, a specialist in WordPress plugin security research.
Arbitrary content deletion in the Merkulove 'OpenAI Chatbot for WordPress - Helper' plugin (versions 1.1.4 and earlier) lets remote unauthenticated attackers destroy site content by invoking a plugin action that lacks an authorization check. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, A:H) confirms network-reachable, no-privilege, no-interaction exploitation with high availability impact and no confidentiality or integrity compromise. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local File Inclusion in the GoodLayers Tourmaster WordPress plugin (versions <= 5.4.5) allows low-privileged authenticated users at the Subscriber level to include and read arbitrary local files from the server, exposing sensitive data such as configuration files and credentials. Reported through Patchstack and mapped to CWE-98, the flaw carries a CVSS 7.5 (High) score with high attack complexity; no public exploit code has been identified at time of analysis, and it is not listed in CISA KEV.
Uncontrolled memory consumption in open62541's OPC UA Discovery Service allows a remote, unauthenticated attacker to crash or degrade servers by abusing the GetEndpoints request handling. Because the endpointUrl field length is never validated, an attacker can advertise a string up to ~4.09 GB and stream it across incomplete message chunks that the server buffers in RAM indefinitely until the SecureChannel times out, exhausting available memory. The flaw is pre-session and works against any encryption configuration; no public exploit is identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in WatchGuard Mobile VPN with SSL client for Windows (versions up to and including 2026.2) lets an authenticated local attacker elevate from a low-privileged account to NT AUTHORITY\SYSTEM on any machine where the client is installed. The flaw is rooted in insecure permission assignment (CWE-732), and there is no public exploit identified at time of analysis, though the vendor-reported nature and full high-impact CVSS (7.3, CVSS 4.0) make it a meaningful endpoint-hardening concern.
Heap out-of-bounds writes in jxl-oxide's jxl-grid crate allow attacker-controlled memory corruption on 32-bit platforms when decoding a crafted JPEG XL image, potentially leading to arbitrary code execution. An integer overflow in AlignedGrid's width×height length calculation produces an undersized backing buffer for huge logical dimensions, after which rendering writes through mutable subgrids beyond the allocation. Publicly available exploit code exists in the advisory (miri/ASan PoC tests); no active exploitation is reported (not in CISA KEV) and no EPSS score was provided.
Server-Side Request Forgery in the Paid Member Subscriptions WordPress plugin (versions 3.0.4 and earlier by Cozmoslabs) lets remote unauthenticated attackers coerce the WordPress server into issuing arbitrary outbound HTTP requests. Per the CVSS vector (PR:N, S:C) the flaw is reachable without authentication and crosses a security boundary, enabling attackers to reach internal-only services, cloud metadata endpoints, or other back-end systems the WordPress host can talk to. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS was not provided.
Authentication/authorization bypass in SimpleSAMLphp's SAML Service Provider ACS handler allows a lower-trust but trusted IdP to satisfy login state that was created for a different, expected IdP. Because the ACS only logs (rather than rejects) a mismatch between the saved ExpectedIssuer and the actual response issuer, and because the code accepts an unsigned samlp:Response/@InResponseTo when the signed assertion lacks its own InResponseTo, an attacker holding a signed IdP-initiated assertion from IdP B can bind it to SP state intended for IdP A. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; impact is conditional on multi-IdP deployments where authorization depends on the selected IdP.
Arbitrary file write in electerm via path traversal in its Zmodem and Trzsz file-download handlers lets a malicious SSH server or remote shell overwrite files anywhere the client process can write. When a user accepts an incoming Zmodem (sz/rz) or Trzsz (trz/tsz) transfer, the attacker-supplied filename is passed unsanitized into path.join() with the chosen download directory, so a name like ../../.bashrc escapes that directory. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation requires the victim to initiate a connection to a hostile server and accept the transfer.
Cross-tenant entry takeover in Craft CMS 5.7.0 through 5.9.20 lets a low-privileged author overwrite another user's existing entry by smuggling a numeric id through the newAttributes parameter of the bulk-duplicate element action. Because the duplication routine re-applies attacker-controlled attributes after nulling the primary key, a UPDATE is executed against the victim's row instead of an INSERT, letting the attacker rewrite the victim's title, slug, authorId, postDate, and UID. No public exploit identified at time of analysis and it is not in CISA KEV; the flaw is fixed in version 5.9.21.
Reflected cross-site scripting in ThemePunch Slider Revolution (versions 7.0.0 through 7.0.16), a widely deployed premium WordPress slider/visual-builder plugin, lets a remote attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is marked Changed with low impact across confidentiality, integrity, and availability, successful exploitation can lead to session hijacking, defacement, or actions performed in the victim's authenticated context. There is no public exploit identified at time of analysis and the flaw is not on CISA KEV, but the reflected nature and no-authentication requirement make it a practical phishing-driven threat.
Stored cross-site scripting via cross-site request forgery affects the SEOWP WordPress theme by BlueAstralThemes in all versions up to and including 3.12.2, allowing a remote unauthenticated attacker who tricks a logged-in administrator into loading a malicious page to forge a state-changing request that injects persistent script into the site. The CVSS 3.1 score of 7.1 reflects a scope change (attacker-controlled JavaScript executes in the victim's browser session) with limited confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; exploitation hinges on successful social engineering of an authenticated victim (UI:R).
Stored cross-site scripting via cross-site request forgery affects the Permalink Manager for WooCommerce WordPress plugin in all versions up to and including 1.0.8.2. Because the plugin fails to validate request authenticity (CWE-352), an unauthenticated attacker who lures a logged-in administrator into loading a malicious page can forge a state-changing request that persists attacker-controlled script into the site, which later executes in the admin context. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV; the CVSS 3.1 base score is 7.1 with a scope change reflecting the CSRF-to-stored-XSS impact.
Cross-Site Request Forgery in the pCloud WP Backup WordPress plugin (versions 2.0.2 and earlier) allows a remote unauthenticated attacker to trick a logged-in administrator into submitting forged requests, leading to high-confidentiality impact and limited integrity impact on the WordPress site. The CVSS 3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R), reflecting network exploitation with no attacker privileges but required victim interaction. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Broken access control in the Booked WordPress appointment-scheduling plugin (versions <= 3.0.0, by ThemeRex) lets low-privileged authenticated users (Subscriber role) reach functionality or data they should not, resulting in high confidentiality exposure and limited integrity impact per the CVSS vector. The flaw stems from missing authorization checks (CWE-862) on plugin actions, so any registered site user can abuse it. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the issue was reported through Patchstack.
Reflected cross-site scripting in the WowAddons (Product Addons) WordPress plugin through version 1.6.14 lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser session. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates no authentication is needed but the victim must be lured into interacting with a crafted request/link, and the scope-change flag reflects script execution crossing into the browser security context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; EPSS was not provided.
Cross-site scripting in the Simple Link Directory WordPress plugin (versions 15.0.5 and earlier, by QuantumCloud) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after they interact with a crafted link or page. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates no authentication is required but a user must be lured into triggering the payload, and the changed scope reflects script execution crossing into the browser security context. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Reflected/unauthenticated Cross-Site Scripting in the WP Photo Album Plus WordPress plugin (versions <= 9.2.02.004) lets a remote attacker inject arbitrary JavaScript that executes in a victim's browser session when they interact with a crafted link or request. The CVSS 3.1 vector (PR:N, UI:R, S:C) indicates no authentication is required but the victim must be lured into triggering the payload, and the scope change reflects script execution crossing into the WordPress user's authenticated context. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Cross-Site Scripting in the Timetics WordPress appointment-booking plugin (by Arraytics) affects all versions up to and including 1.0.58, allowing unauthenticated remote attackers to inject script that executes in a victim's browser after the victim interacts with a crafted link or page. Because the CVSS scope is changed (S:C), a successful injection can affect resources beyond the vulnerable component, such as the browser session of a logged-in administrator. There is no public exploit identified at time of analysis, the CVE is not listed in CISA KEV, and no EPSS score was provided.
Stored/reflected Cross-Site Scripting in the Optimole WordPress image-optimization plugin (versions 4.2.7 and earlier) lets remote unauthenticated attackers inject arbitrary JavaScript that executes in the browser of any user who views the affected content. Reported by Patchstack and classified CWE-79 with a CVSS 3.1 score of 7.1, the flaw carries a scope-changing impact (S:C) but requires victim interaction (UI:R). At the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV; no EPSS value was supplied.
Reflected/stored cross-site scripting in the wpDataTables WordPress plugin (versions 6.5.1.1 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they view a crafted page or follow a malicious link. The scope-change (S:C) rating in the CVSS vector indicates the injected script can affect resources beyond the vulnerable component - for example the wider WordPress site context - enabling session/cookie theft or admin-panel actions. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was disclosed through Patchstack's vulnerability database.
Cross-site scripting in the Perfmatters WordPress performance plugin (versions 2.6.4 and earlier) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they interact with a crafted request or link. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms network-reachable, no-authentication exploitation gated by user interaction, with a scope change into the victim's browser context. There is no public exploit identified at time of analysis and the issue is not in CISA KEV.
Stored/reflected Cross-Site Scripting in the Google Maps CP WordPress plugin (versions 1.2.5 and earlier, vendor CodePeople) lets an unauthenticated attacker inject malicious script that executes in a victim's browser after they interact with a crafted link or page. The flaw carries a CVSS 3.1 base score of 7.1 with a scope change, reflecting impact beyond the vulnerable component into the wider WordPress session. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Cross-site scripting in the Modula PRO WordPress gallery plugin (versions through 2.10.8) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they view or interact with attacker-influenced content. Reported by Patchstack and rated CVSS 7.1 with a scope change, the flaw requires user interaction but no authentication; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Reflected/unauthenticated Cross-Site Scripting in the WPAdverts WordPress classifieds plugin (versions 2.3.1 and earlier) lets a remote, unauthenticated attacker inject arbitrary JavaScript that executes in a victim's browser when they open a crafted link or view attacker-controlled input. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a low-complexity network attack needing only user interaction, with a scope change into the browser security context. No public exploit was identified at time of analysis and the flaw is not listed in CISA KEV; EPSS data was not provided.
Reflected cross-site scripting in the QuantumCloud ChatBot WordPress plugin (versions 8.3.2 and earlier) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser when they follow a crafted link. The CVSS 3.1 score is 7.1 with a scope change (S:C), reflecting that injected script runs in the security context of the WordPress site rather than the vulnerable component alone. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stored/reflected cross-site scripting in the Survey Maker WordPress plugin (versions 5.2.2.5 and earlier by AYS Pro) lets unauthenticated remote attackers inject JavaScript that executes in a victim's browser after they interact with a crafted page or survey. The CVSS scope-change flag (S:C) indicates the injected script escapes the plugin's context to affect the wider WordPress site, potentially reaching authenticated admin sessions. This is a Patchstack-reported issue with no public exploit identified at time of analysis and no CISA KEV listing.
Cross-site scripting in the implecode eCommerce Product Catalog WordPress plugin (all versions through 3.5.4) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser session, with no login required (PR:N) but a user interaction step to trigger the payload (UI:R). Reported by Patchstack and rated CVSS 7.1, the scope-changing flaw can hijack administrator or shopper sessions on affected online stores. There is no public exploit identified at time of analysis and no CISA KEV listing, so this is a plausible-impact issue rather than a confirmed active-exploitation event.
Reflected/stored Cross-Site Scripting in the ReviewX WordPress plugin (versions 2.3.10 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted request or page. The scope-changed CVSS 3.1 score of 7.1 (PR:N/UI:R) reflects that no authentication is required but a victim must be lured into triggering the payload. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a disclosed-but-not-yet-actively-exploited plugin flaw reported by Patchstack.
Reflected Cross-Site Scripting in the Customize My Account for WooCommerce WordPress plugin (versions 4.3.9 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The flaw carries a CVSS 7.1 rating driven by a scope change (S:C), meaning script execution crosses the plugin's security boundary into the wider WordPress session context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Reflected cross-site scripting in the Search Atlas SEO WordPress plugin (versions 2.6.6 and earlier, distributed under the 'metasync' slug) lets an unauthenticated attacker inject script that executes in a victim's browser session when they follow a crafted link. Rated CVSS 7.1 with an elevated score due to a scope change, the flaw affects any WordPress site running the vulnerable plugin and can lead to session hijacking, admin action forgery, or redirection. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Reflected/stored cross-site scripting in the MC WooCommerce Wishlist WordPress plugin (also distributed as 'Smart Wishlist for MoreConvert') affects all versions up to and including 1.9.19, letting remote unauthenticated attackers inject malicious script that executes in a victim's browser after the victim interacts with a crafted link or request. The scope-changed CVSS 3.1 score of 7.1 reflects that injected script runs in the WordPress site's origin, enabling session/cookie theft or actions against other users. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Stored/reflected cross-site scripting in the HandL UTM Grabber WordPress plugin (versions 2.9.2 and earlier) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser after user interaction, per PR:N/UI:R in the CVSS vector. The scope-change flag (S:C) indicates injected script can affect resources beyond the vulnerable component, such as authenticated admin sessions. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Reflected cross-site scripting in the WP Debugging WordPress plugin (versions 2.12.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser after they interact with a crafted link or request. Reported by Patchstack and classified CWE-79 with a CVSS 7.1, the flaw carries a scope-change impact meaning injected script can affect the wider WordPress session context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored/reflected Cross-Site Scripting in the WPeMatico RSS Feed Fetcher WordPress plugin (versions 2.8.17 and earlier) allows unauthenticated remote attackers to inject malicious script that executes in the browser of a victim who interacts with crafted content. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) indicates network-reachable, no-authentication exploitation with a scope change, meaning injected script can affect the wider WordPress context beyond the vulnerable component. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided.
Cross-Site Scripting in the Internal Links Manager WordPress plugin (versions 3.0.3 and earlier, by webraketen) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when the victim interacts with a crafted link or page. Because the CVSS scope is changed (S:C), the injected script escapes the vulnerable component's boundary and can act against other WordPress users, including administrators. There is no public exploit identified and it is not on CISA KEV, though Patchstack has publicly documented the flaw.
Cross-site scripting in the Classified Listing WordPress plugin (by RadiusTheme) versions 5.4.2 and earlier lets a remote, unauthenticated attacker inject malicious script that executes in a victim's browser when they interact with a crafted link or page. Reported by Patchstack and rated CVSS 7.1, the flaw carries a scope change (S:C) meaning the injected script can act beyond the vulnerable component into the wider browsing context. There is no public exploit identified at time of analysis and no active exploitation reported.
Reflected/stored Cross-Site Scripting in the Real Estate 7 WordPress theme (contempoinc) versions 3.5.9 and earlier lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. The scope-changing flaw (CVSS 3.1 7.1) can hijack sessions or perform actions in the victim's authenticated context, including administrators. Reported by Patchstack; no public exploit code has been identified and it is not on the CISA KEV list.