SQL injection in CodeAstro Ecommerce Website 1.0 exposes the `/customer/my_account.php?my_wishlist` endpoint to database manipulation via the unsanitized `delete_wishlist` parameter, allowing remote attackers with a valid customer account to read or modify backend database contents. The CVSS 4.0 vector (PR:L) confirms exploitation requires an authenticated customer session, constraining the attack surface to registered users. A public proof-of-concept exploit has been released, no public exploit identified as confirmed actively exploited (not in CISA KEV), though the low barrier to exploitation once authenticated elevates practical risk.
SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes backend database contents to authenticated low-privileged remote attackers via the unsanitized `fromdate` parameter in `/apartment-visitor/report.php`. The CVSS 4.0 vector confirms network-accessible exploitation requiring only low-privilege credentials. Publicly available exploit code has been published on GitHub (github.com/lilukun337/cve/issues/7), though no active exploitation has been confirmed by CISA KEV. The injection enables read and limited write access to the underlying database, with a moderate combined impact score of 5.3.
SQL injection in CodeAstro Apartment Visitor Management System 1.0 allows authenticated remote attackers to manipulate backend database queries via the visname parameter in /apartment-visitor/visitor-entry.php. The flaw, classified as CWE-89, yields partial confidentiality, integrity, and availability impact against the vulnerable system. A publicly available proof-of-concept exploit exists on GitHub, lowering the skill bar for exploitation, though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.
SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes the application's database to remote authenticated attackers through the unsanitized `editid` parameter in `/apartment-visitor/edit-apartment.php`. Low-privilege authenticated users can manipulate this parameter to read, modify, or partially disrupt database contents. A public proof-of-concept exploit has been disclosed on GitHub (no public exploit identified in CISA KEV at time of analysis), making this a realistic risk for any internet-exposed deployment of this PHP application.
SQL injection in CodeAstro Apartment Visitor Management System 1.0 allows authenticated remote attackers to manipulate database queries through the `remark` parameter of `/apartment-visitor/action-visitor.php`. A low-privileged user can extract, modify, or delete underlying database contents. A public proof-of-concept exploit has been disclosed on GitHub (no public exploit identified as CISA KEV, but POC availability lowers the bar for exploitation).
Cross-site request forgery in imhamzaazam ecommerceFlask allows a remote, unauthenticated attacker to induce authenticated victims into executing unauthorized state-changing actions against the application. The vulnerability exists in an unspecified function of the Flask-based e-commerce application up to commit cb7d9e24c30a99379651b7493b32048126ef402b, with no patch released and the project maintainer not yet responding. A publicly available proof-of-concept exploit has been disclosed via a GitHub issue, and the application's rolling release model means no fixed version can be identified.
Cross-site scripting in Crater invoice application (up to v6.0.6) allows an authenticated attacker to inject malicious script payloads via the invoice notes field, executing in the browser of any user who subsequently views the crafted invoice. The vulnerable function getFormattedString in app/Http/Requests/InvoicesRequest.php performs insufficient neutralization of the notes argument, classified under CWE-79. A public proof-of-concept exploit exists; no vendor patch has been released as the project has not responded to the coordinated disclosure made via GitHub issue #1327.
Stack-based buffer overflow in radare2 up to version 6.1.6 allows a local low-privileged attacker to crash the application by supplying a crafted MDMP (Windows minidump) file that triggers a memory corruption in the Memory64ListStream parser. Impact is limited to availability - no confidentiality or integrity compromise is indicated by the CVSS 4.0 vector (VC:N/VI:N/VA:L). A public proof-of-concept exists via GitHub issue #26051, and an upstream patch commit is available, though no formally tagged release version has been confirmed in the provided data.
Heap-based buffer overflow in GPAC's MP4Box component allows a local low-privileged attacker to crash the application by supplying a crafted MP4 file. The vulnerable function `sgpd_del_entry` in `src/isomedia/box_code_base.c` mishandles the `data` argument during Sample Group Description Box parsing, triggering an out-of-bounds heap write. A public proof-of-concept exploit exists; however, the vulnerability is not in CISA KEV and the CVSS 4.0 score of 4.8 reflects limited availability-only impact with no confidentiality or integrity compromise.
Null pointer dereference in GPAC 26.02.0's nhmldump_send_frame function (src/filters/write_nhml.c) allows a local, low-privileged attacker to crash the application by supplying crafted media input to the NHML write filter. Impact is strictly limited to availability - a process-level denial of service with no confidentiality or integrity implications. A publicly available proof-of-concept exploit exists (GitHub issue #3596), though the vendor itself characterizes this class of issue as 'more bugs than vulns,' contextualizing it as a robustness fix rather than an urgent security incident.
Use-after-free in radare2's r_core_bin_load function (libr/core/cfile.c) affects all versions up to and including 6.1.6, allowing a local low-privileged user to trigger memory corruption resulting in a denial of service. A public proof-of-concept exists (GitHub issue #26049), confirmed by the CVSS 4.0 E:P exploitability modifier, though the vulnerability is not listed in CISA KEV and no confirmed widespread active exploitation is known. The CVSS 4.0 score of 4.8 (Medium) reflects the strictly local attack vector, limited availability impact, and absence of confidentiality or integrity compromise.
Integer overflow in radare2's `r_str_word_get0set` function (libr/util/str.c) allows a local low-privileged attacker to crash the application on versions up to 6.1.6. The CWE-190 integer wraparound can produce a buffer overflow condition, degrading availability of the radare2 analysis session. A public proof-of-concept exists (GitHub issue #26047), though the vulnerability is not listed in CISA KEV and the CVSS 4.0 score of 1.9 reflects genuinely minimal real-world risk given its local-only, low-impact nature.
Integer overflow in radare2's pb Print Command Handler affects all versions through 6.1.6, exploitable locally by a low-privileged user to crash the radare2 process. The flaw resides in the cmd_print function within libr/core/cmd_print.inc and results in availability impact only - no confidentiality or integrity loss is indicated. Publicly available exploit code exists per the GitHub issue tracker, though no active exploitation has been confirmed via CISA KEV.
Double-free memory corruption in GPAC MP4Box up to version 2.5-DEV allows a local, low-privileged attacker to trigger heap corruption via a crafted MP4 file processed by the `gf_isom_nalu_sample_rewrite` function, resulting in low availability impact (crash). No confidentiality or integrity impact is indicated by the CVSS 4.0 vector despite the 'Information Disclosure' tag in VulDB, which appears inconsistent with the scored metrics. A public POC exists at GitHub, but no active exploitation has been confirmed and this CVE is not listed in CISA KEV.
Integer overflow in OP-TEE OS's AES-GCM implementation silently corrupts authentication tag computation when a single operation processes more than 512 megabytes of payload or Additional Authenticated Data (AAD), affecting all deployments running versions 3.0.0 through 4.10.x on Arm TrustZone platforms. The overflow causes the GHASH length counters to wrap, meaning the GCM authentication tag is derived from incorrect bit-length values - defeating AES-GCM's core integrity guarantee without any runtime error or exception. No public exploit has been identified at time of analysis, but the practical impact for systems using OP-TEE for high-value integrity assurance (DRM, secure key storage, attestation) is significant when large payloads traverse the TEE boundary.
OS command injection in Coolify's settings module allows a highly privileged attacker in a development environment to execute arbitrary shell commands on the host server by injecting metacharacters into the dev_helper_version field, which is passed unsanitized into a Docker build command. All Coolify releases prior to 4.0.0-beta.474 are affected. No public exploit code exists and no CISA KEV listing has been issued; the provided CVSS score of 3.8 (Low) accurately reflects the highly constrained exploitation prerequisites, though the underlying command injection class warrants upgrade regardless.
Heap exhaustion in OP-TEE OS (versions 3.3.0 through 4.10.x) allows a low-privileged normal-world local caller to progressively degrade and ultimately deny service to all trusted applications running in the secure world. The root cause is a missing bitmask application in `cleanup_shm_refs()` that causes `mobj_reg_shm` reference objects to accumulate indefinitely on internal lists without being released. No public exploit code has been identified at time of analysis, and EPSS data was not supplied; however, the flaw is structurally straightforward to trigger through normal TEE invocation with non-contiguous shared memory parameters, making it feasible for any process with TEE access to exhaust the secure heap over time.
Header injection in Apache Camel Mail Component enables attackers to override SMTP JavaMail session properties by supplying crafted headers in the mail.smtp./ mail.smtps. namespace through any untrusted inbound protocol - including HTTP query parameters, JMS, or Kafka - that feeds into a Camel route terminating at an SMTP producer. On releases before 4.19.0, the most severe impact is full SMTP host redirection: the producer reconnects to an attacker-controlled server and authenticates with the endpoint's configured credentials, resulting in credential theft. On 4.19.0 through pre-4.21.0, host redirection is blocked, but attackers can still weaken transport security (disabling STARTTLS, manipulating SSL trust, or injecting a SOCKS proxy) and intercept outgoing mail content. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Command injection in Coolify's MongoDB backup handler (versions 4.0.0-beta.451 through 4.0.0-beta.470) allows a highly privileged attacker who controls backup configuration to inject OS-level shell commands via unsanitized metacharacters in MongoDB collection names. The attack requires an already-administrative account capable of modifying backup inputs, substantially limiting the realistic threat surface. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the vendor released a fix in v4.0.0-beta.471.
Stack exhaustion via unbounded recursion in the OP-TEE PKCS#11 Trusted Application allows a local low-privileged user to crash the TA, causing a denial of service within the TrustZone secure world. Affected versions span 3.10.0 through 4.10.x of optee_os running on Arm Cortex-A platforms with TrustZone enabled. No active exploitation has been identified; this is a DoS-only issue with no confidentiality or integrity impact, and a patched release (4.11.0) is available.
RSA PKCS#1 v1.5 decryption in OP-TEE's Hisilicon HPRE hardware accelerator driver exposes a Bleichenbacher-style padding oracle, allowing a local attacker to recover RSA plaintext by adaptively querying the oracle. Affected are optee_os versions 4.5.0 through 4.10.x built with Hisilicon HPRE support (CFG_HISILICON_ACC_V3=y) on Arm TrustZone-based platforms. No public exploit code or CISA KEV listing exists; exploitation is constrained by local access requirements and the high query volume characteristic of Bleichenbacher-class attacks.
RSA-OAEP decryption in OP-TEE OS versions 4.5.0 through 4.10.x exposes a Manger-style padding oracle via the Hisilicon HPRE hardware crypto driver, enabling a local attacker to recover RSA-OAEP plaintext through approximately 1000-2000 adaptive chosen ciphertext queries. The root cause is a non-constant-time `memcmp()` used for label hash verification combined with distinguishable error paths - classic CWE-208 timing side-channel conditions. Impact is heavily constrained by a non-default build requirement: only Hisilicon D06 (plat-d06) hardware built with `CFG_HISILICON_ACC_V3=y` is exposed, and no public exploit or active exploitation has been identified at time of analysis.
RSA-OAEP decryption in OP-TEE OS versions 3.9.0 through 4.10.x exposes a Manger-style padding oracle via the NXP CAAM hardware crypto driver, enabling local low-privileged attackers to recover RSA-OAEP plaintext through approximately 1,000-2,000 adaptive chosen-ciphertext queries. The flaw arises from non-constant-time memcmp() usage during label hash verification combined with multiple distinguishable error paths that leak oracle-exploitable timing and response information. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is constrained to NXP CAAM-equipped platforms with the RSA driver enabled.
FOSSBilling's PayPalEmail payment adapter prior to version 0.8.0 fails to validate IPN-supplied payment amounts against invoice totals, enabling authenticated clients to underpay invoices while having them marked as fully paid. The PayPal IPN field `mc_gross` is credited directly to the client balance without cross-checking the corresponding invoice amount, and a pre-existing $0.05 floating-point epsilon in the credit-payment logic expands the exploitable gap to $0.04 per invoice. No public exploit code exists and the vulnerability is not in CISA KEV; however, the attack is trivially executable by any registered client on a system with the PayPalEmail adapter enabled.
FOSSBilling prior to version 0.8.0 exposes sensitive administrative data to low-privileged staff accounts through an asymmetric access control flaw: write-side admin API endpoints correctly enforce fine-grained permissions, but their corresponding read endpoints lack any authorization guards entirely. Any authenticated staff user can call these read endpoints over the network and retrieve data beyond their intended access scope. No public exploit code has been identified and the vulnerability is not in CISA KEV; risk is primarily an insider-threat scenario within organizations with staff-level access to the billing platform.
Path traversal in NousResearch hermes-agent 2026.5.29.2 allows low-privilege authenticated remote attackers to read files outside the intended directory by supplying crafted path traversal sequences in the `Name` argument of the `skill_view` function within `tools/skills_tool.py`. Impact is confined to limited confidentiality exposure - no integrity or availability effect - consistent with the CVSS 4.0 score of 2.1 (Low). A public exploit has been disclosed (CVSS E:P), though no active exploitation has been confirmed via CISA KEV.
{from}/sendMail path segment, rewriting both path and query string of the outbound request. No public exploit has been identified at time of analysis; a vendor-released patch is available in version 1.26.3.
Stored cross-site scripting in Kiwi TCMS versions prior to 16.1 allows authenticated users to inject arbitrary JavaScript into the `TestCase.extra_link` and `TestPlan.extra_link` fields, which are rendered verbatim to all subsequent viewers. Official Docker-based deployments are substantially protected by a `Content-Security-Policy` header that blocks inline script execution, but customized deployments that alter default middleware or security settings remain fully exploitable. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.
Arbitrary file write as root via symlink attack in Linuxfabrik Monitoring Plugins affects any deployment using the provided sudoers configuration. The monitoring plugins create SQLite databases at predictable, static paths under /tmp; an attacker who has already gained access to the nagios service account can pre-place symlinks at those paths, and when a monitoring script is subsequently invoked via sudo, it follows the symlink and writes a SQLite database to any attacker-chosen path on the filesystem. A proof-of-concept is included in the GitHub Security Advisory GHSA-r35r-fpx2-jgr4, and no CISA KEV listing or CVSS score has been assigned at time of analysis.