Reflected cross-site scripting in the TheFox WordPress theme (versions 3.9.76 and earlier) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Reported through Patchstack and scoped to the ThemeForest 'tranmautritam:thefox' theme, the flaw carries a CVSS 3.1 base score of 7.1 driven largely by a changed scope. There is no public exploit identified at time of analysis and no CISA KEV listing, so risk hinges on tricking a user into clicking a malicious URL.
Reflected cross-site scripting in the Automotive Car Dealership Business WordPress theme (versions 13.3.3 and earlier by ThemeSuite) lets unauthenticated attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) confirms network-based, unauthenticated exploitation that requires user interaction and crosses a security scope boundary. There is no public exploit identified at time of analysis and the flaw is not on CISA KEV.
Reflected Cross-Site Scripting in the Automotive Listings WordPress plugin (versions 18.6 and earlier) lets remote unauthenticated attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Reported by Patchstack and classified CWE-79 with a CVSS 3.1 score of 7.1 (scope-changed, low impact across confidentiality, integrity, and availability), the flaw requires user interaction but no authentication. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Reflected cross-site scripting in the NativeChurch WordPress theme (versions 4.8.8.2 and earlier, by imithemes) allows unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The CVSS 3.1 vector (7.1) reflects a scope change with limited confidentiality, integrity, and availability impact, and requires victim interaction. No public exploit identified at time of analysis and it is not listed in CISA KEV; the issue was disclosed through Patchstack's WordPress vulnerability database.
Reflected Cross-Site Scripting in the designthemes LMS WordPress theme (versions 9.7 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they open a crafted link. Reported by Patchstack, the flaw carries CVSS 7.1 with a scope change, reflecting cross-context impact; no public exploit is identified at time of analysis and it is not listed in CISA KEV.
Reflected/stored cross-site scripting in the DesignThemes 'Kids Life | Children School' WordPress theme (versions 5.2 and earlier) allows unauthenticated remote attackers to inject arbitrary web script that executes in a victim's browser when they interact with a crafted link or input. The CVSS vector (PR:N, UI:R, Scope Changed) indicates no authentication is needed but the victim must be lured into interaction, and the injected script can cross into other security contexts. No public exploit code has been identified at time of analysis, and it is not listed in CISA KEV.
Reflected cross-site scripting in the Kids Zone - Children WordPress Theme (versions 5.4 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser session when the victim opens a crafted link or page. The CVSS 3.1 base score is 7.1, elevated by a scope change (S:C) reflecting that injected script escapes the vulnerable theme context into the visitor's authenticated browser session. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; no EPSS value was supplied with the input.
Reflected/unauthenticated Cross-Site Scripting in the Fitness Zone WordPress theme (versions 5.7 and earlier) by designthemes allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or request. The scope-change (S:C) rating indicates the injected script can affect resources beyond the vulnerable component, such as hijacking authenticated admin sessions. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw was reported by Patchstack.
Reflected/unauthenticated Cross-Site Scripting in the designthemes SpaLab | Beauty Salon WordPress theme (all versions up to and including 6.7) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted request or link. The CVSS 3.1 score of 7.1 reflects a scope-changing (S:C) client-side impact requiring no authentication (PR:N) but user interaction (UI:R). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not supplied in the input.
Reflected cross-site scripting in the Trendy Travel WordPress theme (versions 6.7 and earlier) by designthemes lets remote unauthenticated attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Rated CVSS 7.1 with a scope change (S:C), reflecting that injected script can act across the WordPress security boundary. No public exploit identified at time of analysis, and no EPSS score was supplied.
Reflected/stored Cross-Site Scripting in the Artale Wedding Photography WordPress theme (versions 2.2.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser after they follow a crafted link or load a poisoned page. Reported by Patchstack and rated CVSS 7.1 with a scope change, it primarily threatens site visitors and administrators through session/context theft rather than direct server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Information disclosure and denial of service in JuiceFS through 1.3.1 lets remote attackers reach Go pprof debug and Prometheus metrics endpoints that are inadvertently exposed because handlers are registered on the shared http.DefaultServeMux. By fetching /debug/pprof/cmdline an attacker recovers the process command line, which embeds the metadata engine connection string and its database credentials, effectively yielding full read/write control over filesystem metadata; other pprof and profiling handlers leak internal state and can be abused to exhaust resources. Reported by VulnCheck with an upstream fix in commit a46979c; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored cross-site scripting in the TP-Link Archer C5 v6.8 router web management interface lets an authenticated administrator inject persistent HTML/JavaScript into a user-controlled field that later executes in another administrator's browser session. The flaw affects ISP-managed firmware variants and can be leveraged for session hijacking and unauthorized modification of router configuration. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation requires existing admin access, sharply limiting real-world impact.
Unauthenticated arbitrary file read/write in Recce OSS server (DataRecce, PyPI package 'recce') affects DuckDB-backed deployments exposed to untrusted networks, where the query run API executes attacker-supplied SQL without authentication. By abusing DuckDB filesystem primitives an attacker can read and write files accessible to the server process, enabling local file disclosure, tampering with dbt/Recce artifacts, and injection of stored XSS into browser-served static files. No public exploit identified at time of analysis; the issue is fixed in Recce v1.50.0.
Source-code disclosure in the Algernon web/application server (Go, xyproto/algernon, tested at v1.17.8) lets an unauthenticated remote client retrieve the raw source of any public-path server-side script on Windows hosts by appending an NTFS-equivalent suffix (::$DATA, a trailing dot, or a trailing space) to the URL. Because filepath.Ext() does an exact suffix match, these forms are not recognized as .lua/.tl/.po2/.amber/.frm and fall through to the raw-file branch, while NTFS canonicalizes the name back to the real script, exposing embedded database credentials and the SetCookieSecret value used to forge session cookies. Publicly available exploit code exists (full PoC in the GitHub advisory); no public exploit identified as actively exploited and this is not in CISA KEV.
Local privilege escalation in Linuxfabrik monitoring-plugins arises from the shipped Debian.sudoers file, which grants the nagios user passwordless sudo to apt-get without constraining arguments (CWE-88 argument injection). Any attacker who already controls the nagios account can run 'sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh' to spawn a root shell. Publicly available exploit code exists (documented in the GitHub advisory PoC), but there is no public evidence of active exploitation and no CVSS score was assigned.
Remote denial-of-service in Zebra (zebrad ≤ v4.4.1), the Zcash Foundation's Rust node, lets an unauthenticated P2P peer permanently stall a targeted node at a chosen block height. By exploiting ZIP-244 transaction malleability, an attacker crafts a poisoned block body sharing the same header hash as a valid canonical block; Zebra caches the hash before validation and never evicts it on failure, so the legitimate block is later rejected as a duplicate. This is a real availability threat against default configurations, though there is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was independently reproduced end-to-end by two researchers.
Denial of service in Conform's `parseSubmission` future API allows remote attackers to exhaust server CPU by submitting FormData or URLSearchParams payloads containing many unique field names. Affecting the @conform-to/dom npm package used in React/Remix form-handling stacks, the flaw stems from the parser repeatedly scanning submitted entries during name-based value lookups, producing worst-case super-linear (effectively quadratic) synchronous work per request. There is no public exploit identified at time of analysis and no CISA KEV listing; impact is availability degradation rather than data exposure, despite the input's mislabeled 'Information Disclosure' tag.
Authentication bypass in the joserfc Python library (PyPI, versions <= 1.6.7) lets remote attackers forge valid HS256/HS384/HS512 JWTs whenever the application's verification secret resolves to an empty string or None. Because HMACAlgorithm.verify feeds the zero-length key straight into hmac.new(b'', ...) and OctKey.import_key only warns (never rejects) empty material, an attacker with no secret knowledge recomputes the identical HMAC digest and joserfc.jwt.decode accepts arbitrary forged claims (sub, admin, scopes, exp). A full working proof-of-concept is published in the advisory, though the flaw is gated on an operator-side misconfiguration (a secret sourced from an unset env var, missing DB/Redis row, or a '' fallback) rather than a default-config defect.
HTTPS-enforcement bypass in the @asymmetric-effort/specifyjs Node.js library (fixed in v0.2.136) allows the internal assertSecureUrl guard to be defeated: when new URL() throws a parse error, the function returned silently instead of throwing, letting an unvalidated request proceed without the intended HTTPS/SSRF check. Attackers who can influence the URL passed into secure-fetch can supply a malformed value to skip validation, enabling server-side request forgery or protocol downgrade. This is a defense-control-bypass flaw with no CVSS score assigned and no public exploit identified at time of analysis.