Weak hashing in exo-explore exo up to version 1.0.71 exposes the Vision Feature Cache to hash collision attacks via the `_image_cache_key` function in `src/exo/worker/engines/mlx/vision.py`. A remote, unauthenticated attacker capable of engineering the necessary collision inputs could disclose cached vision feature data, yielding a low confidentiality impact. Publicly available exploit code exists (referenced in GitHub issue #2151), though high attack complexity (AC:H) and the absence of a CISA KEV listing indicate no confirmed widespread active exploitation at time of analysis.
Cross-site scripting in stephen-kruger bluebox up to version 4.5.12 allows remote attackers to inject and execute arbitrary JavaScript in victims' browsers by manipulating the 'code' argument in an unspecified function. The attack requires user interaction (CVSS 4.0 UI:P), meaning a victim must be induced to click a crafted link or visit a malicious page. A public exploit exists via a GitHub issue report, though no CISA KEV listing confirms active widespread exploitation. The CVSS 4.0 score of 2.1 reflects the constrained integrity-only impact and passive user-interaction requirement.
Code injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote low-privileged attackers to execute arbitrary PHP code by manipulating the `content[]` argument passed to the `update_settings_info` function in `classes/SystemSettings.php`. A public proof-of-concept exploit has been disclosed on GitHub, and exploitation requires only a low-privileged authenticated session over the network. No CISA KEV listing exists, but the public exploit materially lowers the barrier for opportunistic attacks against any internet-exposed instance.
Server-side request forgery in the mcp-wiki/wiki-summary component of AIAnytime Awesome-MCP-Server (up to commit a884bb51) allows a remote, low-privileged attacker to manipulate the `url` argument in `mcp-wiki/src/mcp_wiki/server.py`, causing the server to issue arbitrary HTTP requests to internal or external resources on the attacker's behalf. Successful exploitation can expose internal services, cloud metadata endpoints, or other backend infrastructure inaccessible from the public internet. A publicly available exploit exists (POC confirmed via GitHub issue #35); this CVE is not currently listed in CISA KEV. The CVSS 4.0 score of 5.3 reflects a moderate severity with low-privilege authentication required and partial confidentiality, integrity, and availability impact.
Improper authorization in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows a low-privileged remote attacker to invoke the cancel_order function in classes/Master.php against orders they do not own, enabling unauthorized order cancellation and limited disruption of platform integrity. The vulnerability stems from CWE-285 (Improper Authorization) - the application fails to verify that the requesting user has authority over the targeted order resource. A proof-of-concept exploit has been publicly disclosed on GitHub, lowering the bar for exploitation; however, no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
Incorrect authorization in nextlevelbuilder GoClaw's WebSocket RPC Handler allows authenticated low-privilege remote attackers to bypass access controls on restricted methods. Affects all versions up to and including 3.13.0-beta.2. No public exploit identified as actively exploited (not in CISA KEV), but a publicly available proof-of-concept exists, lowering the barrier for exploitation against any exposed GoClaw deployment.
Unrestricted file upload in SourceCodester's "Onlne Examination & Learning Management System" 1.0 (note: product name contains a known typo per CVE data) exposes the /announcements.php endpoint to arbitrary file upload by low-privileged authenticated users. A publicly available proof-of-concept, referenced under the title 'OE-LMS-RCE-3-announcements.md', demonstrates that the flaw can be leveraged for remote code execution - a significantly more severe real-world impact than the low CIA metrics in the provided CVSS 4.0 score suggest. No active exploitation (CISA KEV) has been confirmed, but the combination of low-complexity exploitation, a network-accessible vector, and a public POC elevates practical risk well above the 5.3 base score.
Unrestricted file upload in SourceCodester Onlne Examination & Learning Management System 1.0 (a PHP-based web application whose product name contains a documented typo - 'Onlne' rather than 'Online') permits remote low-privileged authenticated users to upload arbitrary files, including PHP webshells, via the /upload_files.php endpoint by exploiting inadequate extension validation in the pathinfo() function. Publicly available exploit code exists on GitHub, with the exploit document explicitly titled to reference remote code execution against this specific upload handler. No vendor-released patch has been identified, and the vulnerability is not listed in the CISA KEV catalog, though the public exploit materially lowers the barrier to exploitation.
Unrestricted file upload in SourceCodester Onlne Examination & Learning Management System 1.0 allows network-accessible, low-privilege attackers to upload arbitrary file types - including executable PHP webshells - via the `user_id` parameter in `/process_lesson.php`, with the publicly available proof-of-concept explicitly framed as a remote code execution chain. No CISA KEV listing exists, but a working exploit is publicly available on GitHub under the title 'OE-LMS-RCE-1'. The assigned CVSS 4.0 score of 2.1 with low-impact metrics materially understates the realistic impact; CWE-434 in PHP environments routinely enables full server compromise when uploads land in web-executable directories.
Insufficient session expiration in SourceCodester Online Boat Reservation System 1.0 allows a remote, low-privileged attacker to reuse a previously issued session token after it should have been invalidated, gaining unauthorized access to authenticated application functionality. The CWE-613 root cause indicates the application fails to properly terminate sessions on logout or timeout. A publicly available exploit demonstrates the flaw, as confirmed by a Medium writeup linked in the references.
Unrestricted file upload in SourceCodester Syllabus-Aligned Learning Management and Examination System 1.0 allows low-privileged remote attackers to upload arbitrary file types via the upload_files.php endpoint, with potential for remote code execution through PHP webshell deployment given the application's PHP runtime environment. The vulnerability is rooted in CWE-434 and carries a network-accessible attack vector with no special configuration required beyond a valid user account. A public proof-of-concept exploit is confirmed available on Pastebin; no CISA KEV listing has been identified at time of analysis.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/paymentdischarge.php` endpoint to database manipulation via the unsanitized `patientid` parameter. Low-privileged authenticated attackers can exploit this remotely with no user interaction required, achieving limited read, write, and availability impact against the underlying database. No public KEV listing, but a proof-of-concept exploit is publicly disclosed on GitHub, meaningfully lowering the bar for opportunistic exploitation in any internet-exposed deployment.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the /payment.php endpoint to database manipulation via an unsanitized `patientid` parameter, exploitable by any authenticated low-privilege user over the network. The CVSS 4.0 vector (PR:L, AV:N) confirms remote exploitation is feasible with only a basic account, and partial confidentiality, integrity, and availability impact is expected against the underlying database. Publicly available exploit code exists on GitHub, materially lowering the skill threshold for exploitation despite the moderate 5.3 CVSS score.
SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes the `/apartment-visitor/search-result.php` endpoint to remote exploitation via the `searchdata` POST parameter, allowing low-privileged authenticated attackers to read, modify, or partially disrupt underlying database contents. A public proof-of-concept exploit exists on GitHub, lowering the skill barrier for opportunistic attacks against any internet-facing deployment. No CISA KEV listing has been confirmed, and the CVSS 4.0 score of 5.3 reflects a limited partial-impact scope; however, the POC's availability meaningfully elevates real-world exploitation probability above what the score alone suggests.
SQL injection in stumasy's notes search functionality exposes authenticated remote attackers to database manipulation via the unsanitized `field_name` parameter in `Notes_controller::search_scratch_data`. The affected PHP application by developer mjperpinosa has a publicly available proof-of-concept exploit filed as GitHub issue #7, and the maintainer has not responded to disclosure, leaving all users on any commit through 327d1b0f2915ba79d7ef8ebb74553e987609d9be without a remediation path. No public exploit identified at time of analysis meets the KEV threshold, but the confirmed POC and absence of vendor response meaningfully elevate operational risk.
SQL injection in itsourcecode Hospital Management System 1.0 allows remote attackers with low-level privileges to manipulate the `loginid` parameter in `/patientlogin.php`, enabling unauthorized database read, modification, or deletion operations. The vulnerability scores 5.3 on CVSS 4.0 and is compounded by a publicly available proof-of-concept exploit published on GitHub, materially lowering the barrier to opportunistic attack. No CISA KEV listing has been identified, but the public POC and low attack complexity make any internet-exposed deployment an actionable target.
SQL injection in code-projects Online Examination 1.0 allows authenticated remote attackers to manipulate database queries through multiple unsanitized parameters in the Quiz Creation Feature. The endpoint /update.php?q=addquiz accepts user-supplied input for the name, total, right, wrong, time, tag, and desc arguments without adequate sanitization, enabling read and write access to the underlying database. A public proof-of-concept exploit exists on GitHub, though the application's extremely limited deployment footprint constrains real-world impact.
SQL injection in itsourcecode Hospital Management System 1.0 allows authenticated remote attackers to manipulate the `editid` parameter in `/patientorder.php`, potentially exposing or modifying patient order records and underlying database contents. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege authentication is required and that a public exploit has been disclosed via GitHub. While the base impact metrics are rated Low across confidentiality, integrity, and availability, the sensitivity of healthcare data in scope and the trivially available proof-of-concept raise practical risk above what the numeric score alone suggests.
SQL injection in code-projects Internship Management System 1.0 exposes authenticated employer accounts to database query manipulation via the `Current` parameter in the password change endpoint (`employer/details/change_password.php`). The flaw carries a CVSS 4.0 score of 5.3, is rooted in unsanitized PHP input passed directly into SQL queries (CWE-89), and has a publicly available proof-of-concept exploit on GitHub. No public exploit identified as confirmed in CISA KEV, but the combination of low attack complexity and public PoC meaningfully raises real-world exploitation likelihood against any internet-exposed deployment.
SQL injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows a remote low-privileged attacker to manipulate database queries via the `ID` POST parameter in the `cancel_order` function of `classes/Master.php`. The flaw is a classic CWE-89 unsanitized parameter passed directly into a SQL statement, enabling data extraction, modification, or potential authentication bypass within the application database. A publicly available proof-of-concept exploit exists (GitHub issue linked in references), raising the practical risk beyond the conservative CVSS 4.0 base score of 2.1.
SQL injection in SourceCodester Multi-Vendor Online Grocery Management System versions 1.0 and 5.7.26 allows remote authenticated attackers to manipulate backend database queries through unsanitized POST parameters passed to the `save_shop_type` function in `classes/Master.php`. A public proof-of-concept exploit is available via GitHub, lowering the exploitation barrier for any actor who has obtained application credentials. The CVSS 4.0 score of 2.1 reflects partial confidentiality, integrity, and availability impact rather than full database compromise, and no patch has been confirmed available at time of analysis.
SQL injection in CodeAstro Apartment Visitor Management System 1.0 enables remote, low-privilege authenticated attackers to manipulate backend database queries via the `apartmentno` parameter in `/apartment-visitor/add-apartment.php`. The CVSS 4.0 score of 2.1 reflects a constrained impact scope (low C/I/A on the vulnerable system, no downstream system impact), but the presence of a publicly available proof-of-concept lowers the exploitation bar significantly. Real-world impact could extend beyond the CVSS score if the database user holds elevated permissions, potentially enabling unauthorized data extraction or record manipulation across the application's dataset. No public exploit identified via CISA KEV; no vendor patch identified at time of analysis.
Incorrect comparison in HdrHistogram's DoubleHistogram.recordValue() range check allows a local, low-privileged attacker to manipulate histogram integrity by recording out-of-range values that bypass the bounds check. Versions up to and including 2.2.2 are affected. No public exploit identified at time of analysis - publicly available exploit code exists, and the project maintainer has not responded to the responsible disclosure, leaving the vulnerability unpatched.
Heap-based buffer overflow in radare2's Java binary parser (all versions up to 6.1.6) allows a local, low-privileged attacker to crash the tool by supplying a crafted Java class file with a malformed Line Number Table attribute. The vulnerable function `r_bin_java_inner_classes_attr_calc_size()` in `shlr/java/class.c` miscalculates buffer sizes, resulting in a heap write beyond allocated bounds and a denial-of-service outcome. A public proof-of-concept exists via GitHub issue #26043; no active exploitation has been confirmed by CISA KEV, and impact is confined to availability with no confidentiality or integrity effects.
Use-after-free in radare2's regprofile handler crashes the application for local users on versions up to 6.1.6. The vulnerable function r_core_seek_arch_bits in libr/core/disasm.c mismanages memory during architecture bit-seeking operations, allowing a local attacker with standard user privileges to trigger application termination. No confidentiality or integrity impact is present; this is a denial-of-service class finding with a publicly available proof-of-concept and no confirmed active exploitation in the wild.
Weak hashing in LangGraph's Task Result Cache exposes low-privilege authenticated users to hash collision attacks that can leak cached task results across isolation boundaries. All LangGraph versions through 1.2.4 are affected via the `_freeze` function in `libs/langgraph/langgraph/_internal/_cache.py`. A public proof-of-concept is disclosed at GitHub issue #8009, though the CVSS 4.0 score of 2.3 and AC:H rating reflect genuinely high exploitation difficulty; this is not listed in CISA KEV and no active exploitation has been reported.
Insufficiently random temporary file naming in markdownify-mcp (zcaceres, versions through 1.1.0) exposes transiently written content to local users who can predict or race the generated file path. The saveToTempFile function in src/Markdownify.ts affects the webpage-to-markdown, youtube-to-markdown, and bing-search-to-markdown conversion pipelines, allowing a co-located attacker to read converted content before cleanup. No active exploitation has been confirmed (not in CISA KEV), though a proof-of-concept is publicly available; the overall risk is low given the local-only, high-complexity attack requirements reflected in the CVSS 4.0 score of 2.0.
Buffer overflow via improper null termination in Pardus Pen affects versions up to and including 4.1.5, with a fix available in 4.2.1. A local, low-privileged user who interacts with crafted input can trigger a CWE-170 null termination error causing out-of-bounds memory reads, resulting in limited confidentiality exposure and availability disruption. No public exploit code and no CISA KEV listing are associated with this CVE; the vulnerability was disclosed by TR-CERT (Turkey's national CERT) and carries a low CVSS base score of 3.9.
SQL injection in CodeAstro Ecommerce Website 1.0 exposes the order confirmation endpoint to authenticated remote attackers who can manipulate the unsanitized `invoice_no` POST parameter to alter backend SQL queries. Exploitation is constrained to authenticated customer accounts (PR:L per CVSS 4.0 vector) but requires no additional configuration or user interaction. A public proof-of-concept has been released via GitHub Gist (E:P), lowering the technical bar for abuse despite a low CVSS 4.0 score of 2.1; no confirmed active exploitation or CISA KEV listing exists at time of analysis.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/patientreport.php` endpoint to remote manipulation via the `editid` parameter, allowing an authenticated attacker to craft arbitrary SQL statements against the backend database. The CVSS 4.0 base score is 2.1 (Low), reflecting constrained confidentiality, integrity, and availability impact, with no scope change to adjacent systems. Publicly available exploit code exists (E:P per the CVSS 4.0 threat metric), though no active exploitation has been confirmed via CISA KEV.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the patient database to authenticated low-privilege attackers via the `patientname` parameter in `/patientprofile.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L) confirms network-accessible exploitation with no attack complexity, while the E:P supplemental metric confirms publicly available proof-of-concept exploit code. No vendor patch has been released, leaving deployments reliant on compensating controls; however, real-world risk is bounded by the product's extremely limited production footprint as an educational PHP project.
Cross-site scripting in stumasy's dictionary notes feature allows a low-privileged, remote attacker to inject malicious JavaScript via the unsanitized `reference` argument of the `add_definition` function. The vulnerability affects the PHP web application at commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be and earlier, with exploit code publicly disclosed via VulDB submission 849495. Real-world impact is constrained by the requirement for prior authentication and victim interaction, but no vendor patch exists and the project maintainer has not responded to the responsible disclosure.
Uncontrolled memory allocation in HdrHistogram versions up to 2.2.2 allows a local low-privileged attacker to cause denial of service by passing a crafted byte buffer to the AbstractHistogram.decodeFromByteBuffer method with a malicious numberOfSignificantValueDigits value. The affected Java library fails to validate this argument before using it to drive heap allocation, allowing JVM memory exhaustion in any application that processes attacker-influenced histogram data. Publicly available exploit code exists; no patch has been released as the project maintainer has not responded to the coordinated disclosure.
State corruption in HdrHistogram up to version 2.2.2 allows a local, low-privileged attacker to manipulate the Count argument of the recordValueWithCount function in AbstractHistogram.java, resulting in low-integrity corruption of histogram state. The flaw affects the core metrics-recording logic of this Java library. A proof-of-concept exploit has been publicly disclosed; the project maintainer was notified via a GitHub issue but has not yet responded with a fix, leaving affected deployments without a vendor patch.
Integer overflow in radare2's string utility library affects versions up to 6.1.6, allowing a local low-privileged attacker to crash the application through manipulated input processed by r_str_ndup or r_str_append in libr/util/str.c. The impact is limited to availability - no confidentiality or integrity compromise is confirmed by the CVSS 4.0 vector (VC:N/VI:N/VA:L). Publicly available exploit code exists (CVSS 4.0 E:P), though no active exploitation is confirmed and the vulnerability is not listed in the CISA KEV catalog.
Integer overflow in radare2's hexpairs parser crashes the process for local low-privilege users on versions up to 6.1.6. The flaw exists in the `cmd_anal_opcode` function within `libr/core/cmd_anal.inc.c` and produces only a low availability impact with no confidentiality or integrity consequences. Publicly available exploit code exists, but the local-only attack vector and trivial impact class make this a low-priority finding for most deployments. No active exploitation has been confirmed and this vulnerability is not listed in CISA KEV.
Integer overflow in radare2's binary analysis function exposes local users on systems running version 6.1.6 or earlier to limited confidentiality, integrity, and availability impacts. The flaw resides in the `core_anal_bytes` function within `libr/core/cmd_anal.inc` and requires only low-privilege local access to trigger via crafted binary input. A public proof-of-concept exploit has been disclosed, though no confirmed active exploitation (CISA KEV) is recorded; the CVSS 4.0 score of 1.9 reflects the tightly constrained local-only attack surface and limited impact scope.