The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.
Authenticated remote code execution in the FileOrganizer WordPress plugin before 1.2.0 lets users granted file-manager access upload arbitrary PHP files because several file-management operations skip file-type validation. Publicly available exploit code exists, and the flaw is an incomplete fix of CVE-2024-7985, which only hardened the upload operation while leaving other file-management endpoints unvalidated. With CVSS 3.1 base 8.8 (PR:L) and a working PoC, any low-privileged account with file-manager rights - extendable to sub-administrator roles via the premium add-on - can achieve full site compromise.
The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator.
The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site.
The Admin and Site Enhancements (ASE) WordPress plugin before 8.8.4, admin-site-enhancements-pro WordPress plugin before 8.8.4 does not perform authentication, authorization, or nonce checks on a role-restoration request handler, allowing unauthenticated attackers to restore a previously demoted administrator account back to the administrator role. This is an incomplete fix of CVE-2024-43333 / CVE-2025-24648, which closed the issue for only one of the demotion paths the WordPress role API exposes.
The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, including an administrator, views the affected profile.
The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available.
Remote command injection in Coolify (self-hosted PaaS) before 4.0.0-beta.469 lets an authenticated user with application write permissions inject OS commands through deployment-handling fields such as dockerfile_location, achieving arbitrary code execution on the deployment host and exfiltrating secrets via deployment logs. The flaw scores CVSS 9.9 because command injection breaks out of the application context to compromise the underlying server (scope change), exposing environment variables and other applications' secrets. No public exploit has been identified at time of analysis, but the fix is available in tagged release v4.0.0-beta.469.
Remote code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases lets an unauthenticated network attacker run arbitrary code in the context of the current user via improper input validation (CWE-20), with no user interaction and a scope change to other components. Adobe rates this maximum severity (CVSS 10.0) and self-reported it; there is no public exploit identified at time of analysis and it is not yet listed in CISA KEV. Given ColdFusion's long history of mass-exploited RCE flaws, patching should be treated as urgent despite the current absence of a public PoC.
Remote code execution in the Langroid Python LLM-agent framework allows an attacker who can influence LLM prompts to escape the intended sandbox and run arbitrary OS commands on the host. The flaw affects TableChatAgent.pandas_eval() and the VectorStore base class, which pass LLM-generated expressions to Python's eval() with an empty locals dict but an unscrubbed globals dict, leaving __builtins__ implicitly available. A full working proof-of-concept is included in the advisory (publicly available exploit code exists); CVSS is scored 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), though real-world exploitation is gated on the non-default full_eval=True setting.
Remote code execution in Crawl4AI's Docker API server (versions prior to 0.9.0) lets unauthenticated attackers run arbitrary commands as the container runtime user. The server passes request-supplied browser_config.extra_args directly into Chromium's launch arguments, enabling argument injection (CWE-88) of a malicious child-process launcher combined with --no-zygote. Because the Docker API is unauthenticated by default and CVSS is scored 10.0, a single crafted HTTP request achieves full container compromise; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Complete database export and overwrite in the 9router npm application is possible for any authenticated user via the /api/settings/database endpoint, which is guarded only by the ALWAYS_PROTECTED session check (JWT or CLI token). A low-privileged attacker can GET the full database - including plaintext API keys, OAuth tokens, and OIDC client secrets - and POST an attacker-crafted database that wipes and replaces all tables, including the password hash, yielding total takeover. No CISA KEV listing exists and no standalone exploit is published, but the advisory (GHSA-qvfm-67h2-2qfx) includes detailed reproduction steps, and the default password '123456' makes obtaining the required session trivial in unhardened deployments.
Privilege escalation in the Plesk web hosting control panel lets an authenticated low-privileged user abuse an improper authorization flaw in the XML API to inject arbitrary configuration directives, achieving arbitrary file write as root and full compromise of the underlying server. Rated CVSS 9.9 with a scope change, this turns any valid panel account into root on the host; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authentication bypass in Tenda router firmware (AC10, AC5, AC6, FH1201, W15E) lets any user log in as administrator via a hidden vendor backdoor: after normal MD5-based login fails, the /bin/httpd login() routine at 0x4c88b8 falls back to a plaintext strcmp() against the 'sys.rzadmin.password' config value, granting role=2 (admin) with any username. Reported through CERT/CC (VU#213560), it is not in CISA KEV and has no public exploit identified at time of analysis, with a low EPSS score of 0.24% (15th percentile). The flaw is a classic CWE-912 hidden-functionality backdoor mapped to CVSS 9.8.
Arbitrary file write in Apache IoTDB DataNode (versions 1.3.3 up to but not including 2.0.8) allows attackers who can reach the internal DataNode RPC port to smuggle path-traversal sequences in an uploaded Trigger JAR filename, writing files outside the Trigger installation directory with the IoTDB process's privileges. Because the write is attacker-controlled, it can plausibly be escalated to remote code execution by overwriting configuration or startup artifacts. There is no public exploit identified at time of analysis, and the EPSS score is low (0.15%, 4th percentile), consistent with exploitation being gated on an exposed internal port rather than a default-reachable service.
Server-side template injection in Formie, a forms plugin for Craft CMS 5 (verbb/formie 3.0.0-beta.1 through 3.1.26), allows unauthenticated attackers to inject Twig syntax through request-controlled inputs that Hidden fields use as dynamic default values. When a public form contains a Hidden field seeded from the User Agent, Referer, Current URL, a query parameter, or a cookie, the attacker-supplied value reaches Craft's Twig rendering layer and is evaluated server-side, potentially yielding information disclosure, application-state modification, or remote code execution. No public exploit identified at time of analysis, though the flaw is tagged RCE/SSTI and rated CVSS 9.8.
OS command injection in create-react-app's react-dev-utils component enables remote code execution on macOS developer workstations running version 5.0.1 or earlier. The vulnerability resides in the startBrowserProcess function of openBrowser.js, which processes unsanitized input that reaches a shell invocation. A publicly available proof-of-concept exploit exists via the project's GitHub issue tracker; no vendor patch has been released and the maintainers have not responded to disclosure, leaving the entire supported version history of this widely-used but now-archived tool permanently unpatched.
Arbitrary file write in Crawl4AI (the open-source LLM-friendly web crawler by unclecode) before version 0.9.0 lets a malicious website or download control where crawled files land on disk, and because the file contents are also attacker-controlled this escalates to remote code execution. Both the HTTP crawler path (trusting the response Content-Disposition filename) and the browser crawler path (trusting the download's suggested filename) are affected. CVSS is 9.6 (Critical); no public exploit is identified at time of analysis and it is not listed in CISA KEV, but a fix commit and GHSA advisory are published.
Server-side file disclosure in Langroid's SQLChatAgent (Python, pip package `langroid` <= 0.65.0) lets an attacker who can influence the agent's LLM-generated SQL bypass the `_validate_query` safety guard and execute PostgreSQL file-read functions such as `pg_read_file`. The default `allow_dangerous_operations=False` blocklist relies on a raw-text regex requiring `pg_...` names to be immediately followed by `(`, which is evaded by quoted identifiers, inline comments, or schema qualification while still parsing as a permitted SELECT. This is a bypass of the earlier CVE-2026-25879 / GHSA-pmch-g965-grmr regex fix; a working reproduction harness is published in the GHSA advisory, though there is no public exploit identified as being used in active attacks and no CISA KEV listing.
Sensitive information exposure in Prog Management System (developed by PROG MIS) allows unauthenticated remote attackers to access a specific page that discloses the database account name and password. With valid database credentials leaked, an attacker gains a direct path to full compromise of the backing database and any data it holds. There is no public exploit identified at time of analysis, but the flaw is trivially exploitable given the CVSS 4.0 score of 9.3 (critical) and reported unauthenticated network vector.
Credential exposure and authentication bypass in PROG MIS's ERP App lets unauthenticated remote attackers log in using hard-coded credentials, then read application source code and extract the backing database account and password. Because the leaked database credentials grant direct access to the data tier, a single successful login can escalate into full compromise of the application's stored data. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 9.3 (Critical) and the CWE-798 root cause make this a high-priority fix for any organization running this Taiwanese ERP product.
Authentication bypass in BeyondTrust Remote Support (and the related Privileged Remote Access product) lets an unauthenticated remote attacker defeat access controls in the appliance's authentication subsystem and log in as arbitrary accounts, including highly privileged ones. Rated CVSS 4.0 9.2 (critical) and tracked as CWE-287 (Improper Authentication), the flaw is pre-authentication and network-reachable but is gated by a specific authentication configuration being enabled, reflected in the vector's Attack Requirements (AT:P). No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Proof-system soundness bypass in the Zcash Orchard shielded pool lets a malicious prover forge valid zero-knowledge proofs that satisfy the diversified-address-integrity check pk_d = [ivk] g_d for arbitrary key triples, breaking the binding between an Action and the note's real incoming viewing key, nullifier, and spend authorizing key. The flaw enables an undetectable double-spend within the Orchard pool (bounded only by Zcash's turnstile supply limit) and, given knowledge of a note plaintext, theft of another user's funds by forging spend authorization. No public exploit is identified and there is no evidence of exploitation before remediation, but the bug was live in consensus since NU5 (May 31, 2022) and was fixed via the NU6.2 hard fork on June 3, 2026.
Cross-tenant authorization bypass in Adiss Biloop allows an authenticated user to manipulate the company ID parameter in a backend POST request and access or modify data belonging to other companies (tenants) hosted in the same subdomain environment. The flaw exposes sensitive customer information including billing data and permits unauthorized modification of third-party records. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 9.3 (Critical) and low privilege requirement make this a high-priority issue for multi-tenant Biloop deployments.
Prompt-to-Cypher injection in Langroid's Neo4jChatAgent (pip package langroid <= 0.65.4) lets anyone who can influence the agent's prompt — directly, or indirectly through content pulled in via RAG — steer arbitrary Cypher into the Neo4j driver with no validation or opt-out gate, allowing unauthorized read, modification, and full destruction of all graph data, plus a LOAD CSV SSRF/remote-fetch primitive. When APOC or dbms.security procedures are granted to the database role, the same primitive escalates to OS-command and filesystem access, making it RCE-equivalent and matching the Critical parent issue CVE-2026-25879. No public weaponized exploit is identified at time of analysis, though the GHSA advisory documents a static grep-based reproduction; no KEV or EPSS signal is present in the source data.
Pre-authentication access-control bypass in BeyondTrust Remote Support and Privileged Remote Access appliances lets a network-positioned attacker abuse improper authentication-data validation to reach the appliance and take over accounts, including privileged ones. Exploitation only works when a specific authentication configuration is enabled, and success requires overcoming meaningful attack conditions (CVSS 4.0 AC:H/AT:P). No public exploit has been identified at time of analysis and it is not on CISA KEV, but the pre-auth nature and privileged-access role of these appliances make it high-priority for internet-exposed deployments.
Unauthenticated payment bypass in FOSSBilling 0.6.0 through 0.7.2 lets a remote attacker mark any unpaid invoice as paid and credit the associated client's account balance with a single crafted HTTP request to the IPN callback endpoint (/ipn.php), provided the Custom payment adapter is enabled. The flaw stems from missing authentication (CWE-306) on a financially critical callback, so no credentials or user interaction are needed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor rates it 9.2 (CVSS 4.0) and a patched release (0.8.0) is available.
Missing authorization on Cilium's Envoy admin socket lets any local user on a cluster node reach privileged Envoy admin endpoints when L7 (Layer 7) network policy functionality is enabled. Affecting Cilium 1.17.x before 1.17.14, 1.18.0-1.18.7, and 1.19.0-1.19.1 in both embedded and standalone Envoy models, it carries a CVSS 9.2 (scope-changing) rating and allows dumping TLS secrets, disrupting cluster traffic, or killing the Envoy proxy. No public exploit identified at time of analysis, and there is no workaround - only upgrading resolves it.
Arbitrary file read and write via archive extraction in the Node.js @xhmikosr/decompress library (and the unmaintained upstream decompress package) lets a crafted tar, tar.gz, tar.bz2, or zip archive escape the intended output directory. The flaw combines unchecked hardlink/symlink targets, a broken string-prefix containment check that allows escape into sibling directories, and mode application that preserves setuid/setgid/sticky bits - enabling attackers to read sensitive files, overwrite files outside the target, and plant privileged binaries when extraction runs as root. No public exploit identified at time of analysis, but the closely related upstream CVE-2020-12265 demonstrates the exploitability of this class.
Authentication bypass in the default SFTP server component shared across Ciena's 6500 S-Series, 6500 T-Series, PTS, and CPL packet-optical transport platforms allows a remote, unauthenticated attacker to reach the underlying filesystem and read or modify system files. Rated CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and classified as CWE-288, the flaw undermines the primary access control on management-plane file transfer. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Arbitrary code execution in ownCloud Core (ownCloud 10 Classic server, all versions before 10.15.3) allows an administrator to abuse an exposed dangerous method in the Updater component to run code on the server host. Any actor holding administrative credentials - legitimately, or via session hijack/credential theft/CSRF against an admin - can convert web-app admin rights into full server compromise. No public exploit identified at time of analysis and it is not listed in CISA KEV; the vendor-issued GHSA-hvcx-ph66-mmvw advisory and the fix in 10.15.3 are the primary confirmation.
Server-Side Request Forgery in the Anti-Virus for ownCloud extension (versions before 1.2.3, shipping with ownCloud 10 prior to 10.15.3) lets an authenticated high-privileged user coerce the server into issuing attacker-controlled requests, with a scope-changed CVSS of 9.1 reflecting reach into internal systems. The flaw was reported through ownCloud's security advisory program (GHSA-3wg4-mg27-hj4w); there is no public exploit identified at time of analysis and it is not listed in CISA KEV. A vendor-released patch exists: Anti-Virus for ownCloud 1.2.3 / ownCloud 10.15.3.
Improper TLS certificate validation in B&R Industrial Automation's APROL process control system (all versions before R 4.4-01P5) lets a network-positioned attacker intercept and tamper with supposedly encrypted communications. Because APROL fails to properly verify certificates (CWE-295), an adversary able to sit between components can decrypt sensitive process data and inject manipulated messages. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but the CVSS 4.0 base score of 9.1 reflects the high confidentiality and integrity impact.
Privilege escalation to root command execution in Coolify (self-hosted PaaS) prior to 4.0.0-beta.471 lets any authenticated user holding the lowest-privilege team 'member' role run arbitrary OS commands as root on every server Coolify manages. The flaw lives in the GetLogs Livewire component, whose $container public property is unsanitized and lacks the #[Locked] attribute, so any team member can tamper with it over the Livewire wire protocol. There is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but the low authentication barrier and full CIA impact make it high priority for any multi-tenant Coolify deployment.
Authenticated remote code execution in FOSSBilling 0.6.10 through 0.7.2 lets an admin-privileged user inject arbitrary PHP into config.php via the Config::prettyPrintArrayToPHP() method, which fails to escape single quotes in string configuration values. Because config.php is pulled in through a bare include on every HTTP request, injected code runs persistently on all subsequent requests. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the CVSS 4.0 base score is 8.9, elevated by the persistent, server-wide impact once an admin account is abused.
Authenticated command injection in Coolify (self-hostable PaaS) before 4.0.0-beta.471 lets any user with rights to add file storage execute arbitrary OS commands on the host. The LocalFileVolume::saveStorageOnServer routine assembles shell commands from user-controlled fs_path and parent_dir values without escaping, and submitFileStorage never validates the file-mount path before volume creation, so injected shell metacharacters run when the storage is saved. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; risk stems from the low bar (PR:L) and full-compromise impact.
Authentication bypass in NATS Server (nats-io/nats-server) lets an unauthenticated attacker on an adjacent network connect to the cluster (route) or leafnode listener and be silently dropped into the privileged no_auth_user account, bypassing the separate route/leafnode authorization. Any server configured with no_auth_user is affected up to the fixed releases (v2.11.16, v2.12.7, v2.14.0), enabling cross-account message injection over the internal route protocol. No public exploit identified at time of analysis, though the vendor's own regression test demonstrates the exact attack.
Command injection in Coolify self-hosted PaaS versions prior to 4.0.0-beta.474 allows an authenticated user to run arbitrary OS commands inside the PostgreSQL database container by supplying malicious postgres_user or postgres_db values that are interpolated into shell-form healthcheck commands (CWE-78). Because the CVSS vector is PR:L/UI:N with full high impact to confidentiality, integrity, and availability, any user able to create or configure a database can achieve container-level code execution. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
OS command injection in Coolify (self-hosted server/app/database management platform) versions 4.0.0-beta.471 through 4.0.0-beta.473 lets an authenticated team member run arbitrary shell commands on the underlying host. A regression weakened the SHELL_SAFE_COMMAND_PATTERN allowlist so that ampersands were permitted in custom Docker Compose build, start, and pre/post-deployment command fields, enabling command chaining. The issue is fixed in 4.0.0-beta.474; no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Remote code execution via unsafe Java deserialization affects the camel-pqc component of Apache Camel 4.18.0-4.18.2 and 4.19.0-4.20.x. The HashiCorp Vault and AWS Secrets Manager KeyLifecycleManager implementations (and a legacy-migration path in the file-based manager) read post-quantum key metadata back with a raw ObjectInputStream.readObject() lacking any ObjectInputFilter or allow-list, so a principal able to write to the key backend can plant a gadget object that executes during normal key-lifecycle operations. No public exploit has been identified at time of analysis and EPSS is low (0.19%), but SSVC rates technical impact as total; this is an incomplete-remediation follow-on to CVE-2026-40048.
Multi-factor authentication bypass in Devolutions Server (DVLS) versions 2026.2.4 through 2026.2.8 lets an attacker who already holds valid user credentials authenticate without completing MFA, defeating an enforced 'MFA Required' policy. The flaw triggers when DVLS encounters an invalid default MFA value, causing the mandatory second factor to be skipped. It is vendor-reported with a patch available; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile).
Denial-of-service in BeyondTrust Remote Support and Privileged Remote Access appliances lets an unauthenticated remote attacker exhaust or crash the network communication subsystem, taking the appliance offline. The flaw is pre-authentication and network-reachable (CVSS 4.0 8.7, availability-only impact), but affects availability only - no confidentiality or integrity loss. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation and memory corruption in Qualcomm Snapdragon WLAN firmware occurs when the driver parses malformed HT40 (40 MHz channel-bonding) layouts during dynamic channel switching, allowing a low-privileged local process to trigger a stack-based buffer overflow (CWE-121) that crosses a trust boundary (CVSS scope changed). Disclosed in the July 2026 Qualcomm security bulletin, it carries a CVSS 8.8 with full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Cross-workspace agent hijacking in Coder (self-hosted cloud development environment platform) lets a user with template-authorship or external-provisioner privileges rebind another user's workspace app to an attacker-controlled agent. By submitting a crafted CompleteJob payload referencing a known victim app UUID, the attacker causes later app traffic - including IDE and terminal sessions - to be proxied through their own workspace, enabling interception. No public exploit is identified at time of analysis; it is not listed in CISA KEV. Fixed in v2.34.2, v2.33.8, v2.32.7, and v2.29.17.
SQL injection in PROG MIS's Prog Management System allows unauthenticated remote attackers to inject arbitrary SQL commands and read arbitrary database contents. The flaw carries a CVSS 4.0 base score of 8.7 (High) and requires no authentication, privileges, or user interaction, but its impact is limited to confidentiality (data disclosure) rather than data modification or service disruption. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue was disclosed via Taiwan's TWCERT.
Denial of service in vLLM inference servers prior to 0.24.0 allows remote unauthenticated attackers to hang an inference worker indefinitely by submitting a single request with an adversarial regular expression via the structured_outputs.regex API parameter. The pattern is passed to grammar compiler backends (xgrammar with no guard, outlines with structural-but-not-complexity validation) where nested quantifiers trigger exponential state-space expansion (ReDoS). No public exploit identified at time of analysis, though the trivial request-based trigger makes weaponization straightforward.
Privilege retention in FOSSBilling before 0.8.0 allows a suspended or deactivated client, staff, or admin to keep full authenticated access because the session identity loaders in src/di.php never re-check account status. Suspending or deactivating a user does not terminate their live session - access persists until the session expires naturally. This is an authenticated (PR:L) session-management flaw with no public exploit identified at time of analysis and no CISA KEV listing; the vendor rates it 8.7 (CVSS 4.0).
Privilege escalation and unauthorized access in FOSSBilling before 0.8.0 lets authenticated low-privileged staff accounts invoke admin API endpoints they should not reach, exposing sensitive data and enabling actions reserved for higher-privilege roles. The flaw stems from the framework-level can_always_access module flag combined with weak per-endpoint permission checks, so any staff login becomes a stepping stone to sensitive settings. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the GitHub Security Advisory rates it CVSS 4.0 8.7 (High).
Uncontrolled memory allocation in the Elixir Mint HTTP client (Mint.HTTP1 module, versions 0.5.0 through 1.9.0) lets a malicious or compromised HTTP server exhaust a client's memory and force an out-of-memory crash. When decoding a chunked response, Mint buffers every byte of the current chunk in an unbounded iolist and withholds it from the caller until the full declared chunk length arrives, so a server that advertises a huge chunk size (e.g. 0x7FFFFFFF ≈ 2 GiB) and then dribbles bytes slowly drives client memory arbitrarily high. This CWE-770 flaw is a denial-of-service only (VA:H, no confidentiality or integrity impact) with no public exploit identified at time of analysis and no CISA KEV listing.