Unauthenticated arbitrary file upload in the Balbooa Forms extension for Joomla lets remote attackers upload executable server-side scripts and achieve full remote code execution. The flaw carries a maximum CVSS 4.0 base score of 10.0 with a scope change, meaning a successful upload compromises the underlying host beyond the vulnerable extension. No public exploit identified at time of analysis, though a third-party write-up (mysites.guru) documents the flaw and the supplied CVSS metadata asserts observed attack activity.
Denial of service in soupsieve, the CSS selector engine bundled with Beautiful Soup 4, lets remote attackers hang a worker thread by submitting a ~300-byte attribute selector with an unterminated quoted value (e.g. '[a="xxxx...'), triggering catastrophic regular-expression backtracking in the VALUE pattern of css_parser.py. Any Python service that passes untrusted selector strings to soupsieve.compile() or Beautiful Soup's .select()/.select_one() is affected, and each added byte roughly doubles CPU time, so a handful of concurrent requests can exhaust all workers. Publicly available exploit code exists (a working PoC is embedded in the advisory), but no exploit is identified as being used in active attacks and it is not listed in CISA KEV.
Memory-exhaustion denial of service in soupsieve, the CSS selector engine bundled with Beautiful Soup 4 (beautifulsoup4), lets remote unauthenticated attackers crash Python services by submitting a large comma-separated CSS selector to soupsieve.compile() or Beautiful Soup's .select()/.select_one(). Each comma-delimited item is parsed into a ~976-byte object graph with no cap on list length, so a ~500 KB selector string of 'a,a,a,...' expands to roughly 244 MB of heap (a ~488x amplification), triggering OOM kills or MemoryError. A working proof-of-concept is published in the advisory; no CISA KEV listing or in-the-wild exploitation is reported.
Information disclosure in the Everest Forms WordPress plugin before 3.5.0 allows unauthenticated remote attackers to download other users' form submissions. The plugin generates temporary CSV files during email-notification processing but fails to reliably delete them, leaving them publicly accessible in the wp-content uploads directory under predictable, enumerable filenames. Publicly available exploit code exists and the flaw is automatable per CISA SSVC, though EPSS remains low at 0.14%; not listed in CISA KEV.
Least-privilege violation in the D-Link DIR-823G router (firmware 1.0.2B05_20181207) stems from insecure configuration of the Boa web server via /etc/boa/boa.conf, allowing an authenticated remote attacker to abuse over-broad privileges to compromise confidentiality, integrity, and availability. Publicly available exploit code exists, but the CVSS 4.0 vector rates attack complexity high (AC:H) and vendor guidance notes exploitation is difficult; there is no public exploit identified as actively exploited (not in CISA KEV). EPSS data was not supplied, but the low-privilege network vector combined with full CIA impact makes this a meaningful risk on exposed devices.
Unauthenticated remote attackers can completely bypass access controls on Everest Forms REST API endpoints in all plugin versions before 3.5.0, enabling them to read onboarding status data, modify plugin settings, and send emails from the WordPress site to arbitrary addresses. The flaw arises because the capability check is conditioned on an attacker-controllable HTTP request header - omitting or altering that header disables the authorization gate entirely. A publicly available proof-of-concept exploit exists, and SSVC assessment confirms the attack is automatable; however, this vulnerability is not in CISA KEV, and EPSS sits at 0.14%, suggesting limited observed exploitation despite the low barrier to entry.
Reflected XSS in YesWiki's Bazar widget handler allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by sending a crafted URL containing a double-quote-breaking payload in the `id` GET parameter. The handler at `tools/bazar/handlers/__WidgetHandler.php` performs no authentication or access-control check before rendering the vulnerable template, and `strip_tags()` is misused as an output encoder - it removes tags but leaves double quotes intact, enabling attribute injection across two sinks (`data-formid` and `data-iframeUrl`). A working proof-of-concept was validated on the official doryphore 4.6.5 release; no public exploit identification as KEV-confirmed active exploitation exists at time of analysis, but a complete PoC with exact payloads is publicly available as part of the advisory.
Unauthenticated remote code execution in Ruflo (an agent meta-harness for Claude Code and Codex) before 3.16.3 arises because the default docker-compose deployment exposes the MCP bridge's POST /mcp and POST /mcp/:group endpoints with no authentication. A network attacker can send a JSON-RPC tools/call to the terminal_execute tool to gain an interactive shell inside the bridge container, exfiltrate provider API keys, and tamper with AgentDB learning-store patterns. Rated CVSS 10.0 with a scope change; no public exploit identified at time of analysis, and it is not in CISA KEV.
Arbitrary file upload leading to remote code execution affects the premium Blocksy Companion Pro plugin for WordPress in all versions through 2.1.46, where the Custom Fonts extension's flawed MIME validation lets unauthenticated attackers upload executable PHP files disguised as fonts. The Custom Fonts extension registers a wp_check_filetype_and_ext filter that uses strpos() to approve any filename merely containing '.woff2' or '.ttf' anywhere in the string, so a double-extension payload like shell.woff2.php passes as a legitimate font. Reported by Wordfence with a CVSS of 9.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authentication bypass in the miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress (versions up to and including 5.5.1) lets unauthenticated attackers take over any Administrator account. Because um_reset_password_process_hook() never verifies server-side that the OTP step was completed and trusts a form_nonce that the plugin itself hands to anonymous visitors via the moumprvar JavaScript object, an attacker can supply an arbitrary username_b value to receive a fresh password-reset URL for any user in the 302 Location header. No public exploit identified at time of analysis, but the flaw is trivially scriptable and carries a critical 9.8 CVSS score.
SQL injection in Inrove BiEticaret e-commerce platform before v3.3.57 allows remote unauthenticated attackers to inject arbitrary SQL commands (CWE-89) through improperly neutralized input, per the CVSS:3.1/AV:N/AC:L/PR:N/UI:N vector. Successful exploitation yields full read/write access to the backing database (C:H/I:H/A:H, CVSS 9.8). This flaw was reported by TR-CERT (Turkey's national CERT); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in Xerte Online Tools (versions before 3.14.6 and before 3.15.5) allows an attacker with access to the tools server settings to repoint the configured antivirus scanner binary path to a PHP interpreter, so that subsequently uploaded PHP content is passed to that interpreter and executed on the server. The input CVSS scores this 9.8 (unauthenticated network vector), but the described attack path hinges on modifying server-side settings, which typically requires administrative access — a contradiction worth flagging. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available.
Temporary connection denial-of-service in the RTSP service of the MERCURY MIPC252W IP camera (firmware v1.0.5 Build 230306 Rel.79931n) lets an unauthenticated remote attacker wedge an individual TCP connection by sending an RTSP request that declares a Content-Length but includes no message body. The malformed parser enters a body-waiting state and silently swallows all further data on that socket until a server-side timeout closes it. Despite an NVD CVSS of 9.8 and an 'Information Disclosure' tag, the described behavior is a single-connection availability nuisance with no confidentiality or integrity impact; no public exploit is identified at time of analysis and EPSS is low at 0.18% (8th percentile).
WebView sandbox escape in the PayRange 7.0.7 mobile payment app allows a network attacker to inject arbitrary JavaScript into the app's embedded WebView when chained with a separate SSL/TLS bypass, then invoke privileged JavaScript-to-native function calls to break out of the sandbox and perform dangerous actions on the victim's device. Affected users are those running PayRange 7.0.7 who can be induced to open attacker-influenced content while an attacker holds a man-in-the-middle position. No public exploit identified at time of analysis, and EPSS is low (0.20%, 10th percentile), indicating no observed mass exploitation despite the 9.6 CVSS rating; the issue is documented in CERT/CC VU#152953.
SQL injection in code-projects Interview Management System 1.0 exposes the application to remote, unauthenticated database manipulation via the ID parameter in /inc/classes/View.php. An attacker with network access can read, modify, or partially disrupt data stored in the underlying database with no authentication required and no user interaction needed. A public exploit exists (referenced via GitHub at https://github.com/susususua-AI/CVE/issues/2), though no active exploitation has been confirmed by CISA KEV as of this analysis.
SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows unauthenticated remote attackers to manipulate the Username parameter on /login.php, potentially bypassing authentication or extracting database contents. A publicly available proof-of-concept exploit exists, published via a GitHub issue and documented in VulDB entry 377116. No CISA KEV listing is present, but the combination of network accessibility, no authentication requirement, and a live POC makes this a practical risk for any exposed deployment.
Unauthenticated remote code execution in Hermes WebUI before version 0.51.788 lets remote attackers run arbitrary shell commands by reaching the product's embedded terminal API without any credentials. Because of a missing authentication check (CWE-306), an attacker chains four sequential unauthenticated HTTP requests to create a session, attach a PTY shell, and inject commands, executing code as the server process user. Reported by VulnCheck with a CVSS 4.0 base score of 9.3; a vendor patch is available and no public exploit code has been identified at time of analysis.
Guest-to-host privilege escalation in varstored, the Xapi (XenServer/XCP-ng/Citrix Hypervisor) toolstack daemon that services UEFI variable requests for VMs, allows a malicious guest to corrupt control flow in the host-side process. Missing compiler barriers on a buffer shared with in-guest OVMF create a time-of-check/time-of-use race (CWE-367) that, in default builds, lets the attacker control an index into a jump table - yielding attacker-influenced execution in the toolstack. Tracked as Xen Security Advisory XSA-478 with a CVSS 4.0 base score of 9.4; no public exploit identified at time of analysis and not listed in CISA KEV.
Denial-of-service and database-corruption in Xen's XAPI toolstack (the XenAPI management layer used by XCP-ng and Citrix/XenServer Hypervisor) lets clients that submit object updates crash the database event thread or write strings that permanently prevent the database from loading. Three distinct input-validation defects are covered by XSA-474: notifications built from unsanitised input, a UTF-8 encoder that follows Unicode 3.0 while dependent libraries enforce the stricter 3.1 spec, and a total absence of sanitisation for Map/Set object updates. No public exploit has been identified at time of analysis and it is not on CISA KEV; the CVSS 4.0 base score is 9.4.
Local privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenBus interface (CVE-2025-27464) is exposed to userspace with no security descriptor, leaving it fully accessible to any unprivileged user on a Windows guest. Because XenBus mediates communication between the guest and the hypervisor's device backend, an unprivileged local user can abuse this open interface to gain elevated privileges and potentially impact the guest and the virtualization layer. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is documented in Xen Security Advisory XSA-468.
Local privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenIface interface is exposed to userspace with no security descriptor, leaving it fully accessible to unprivileged users. Any low-privileged local user on an affected Windows guest can interact with this facility to gain elevated control over the system. This is one of three sibling issues (alongside CVE-2025-27462 XenCons and CVE-2025-27464 XenBus) disclosed in Xen Security Advisory XSA-468; no public exploit has been identified at time of analysis.
Local privilege escalation in the Xen Windows PV Drivers (the XenCons paravirtualized console interface) lets any unprivileged user of a Windows guest reach a device object that ships with no security descriptor, so its facilities are fully accessible to non-administrators. Successful abuse can yield full compromise of the guest with integrity, confidentiality and availability impact, and the vendor scores it critical (CVSS 4.0 base 9.4) with subsequent-system impact. There is no public exploit identified at time of analysis and it is not on CISA KEV. This is one of three related XSA-468 issues (XenCons/CVE-2025-27462, XenIface/CVE-2025-27463, XenBus/CVE-2025-27464).
Stored cross-site scripting in OceanicSoft ValeApp (all builds through 09072026) lets an attacker persist malicious script into the application so it executes in other users' browser sessions when they view the affected page. Reported by Turkey's national CERT (TR-CERT) and tracked in the ENISA EUVD, the flaw carries a vendor/CERT CVSS of 9.3 driven by a scope change and high confidentiality/integrity impact. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor was unresponsive to disclosure, so no fix is expected in the near term.
Authentication bypass in Hermes WebUI before 0.51.307 lets unauthenticated remote attackers reach onboarding endpoints that are supposed to be restricted to loopback traffic by spoofing an X-Forwarded-For header with a 127.0.0.1 value. Once past the origin check, an attacker can pivot to server-side request forgery against internal services and cloud metadata endpoints, overwrite LLM provider configuration and API keys, or start an OAuth device-code flow to mint persistent tokens saved in auth.json. A vendor patch exists; the flaw carries a CVSS 4.0 score of 9.3, but no public exploit code has been identified at time of analysis.
Cookie forgery in WP Support Plus Responsive Ticket System (WordPress plugin ≤9.1.2) allows unauthenticated network attackers to impersonate any guest ticket owner by crafting an unsigned guest-session cookie containing the victim's email address, then reading, replying to, and closing that user's support tickets. The plugin fails to sign or verify its guest-session cookie, making the trust boundary between guest sessions trivially bypassable. A publicly available proof-of-concept exists per WPScan; EPSS is low at 0.14% (3rd percentile), suggesting limited observed exploitation despite automation feasibility confirmed by SSVC.
Unauthenticated personal data exfiltration in WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 allows any remote attacker to download the full GDPR personal data export of any user, customer, or commenter by supplying only their email address. The plugin's data subject access request (DSAR) immediate-processing path omits an authorization check, converting a legally mandated privacy feature into a privacy breach vector. A publicly available POC exploit exists, SSVC confirms the attack is automatable, and a vendor patch has been released at version 3.1.40.
The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated site-info endpoint before fetching it, allowing anonymous users (the gating nonce is exposed on public pages carrying an embed) to make the site request internal and private-network URLs and read back the parsed page metadata. This is a Server-Side Request Forgery.
The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated media-proxying endpoint, allowing anonymous users to make the site fetch arbitrary URLs, including internal and private-network addresses, and read back the response body. This results in a full-read Server-Side Request Forgery and open proxy.
Adversary-in-the-middle credential theft and privilege escalation affects Cloud Foundry UAA (User Account and Authentication server) prior to v78.13.0 and cf-deployment prior to v56.2.0, where LDAP StartTLS unconditionally disables TLS hostname verification. An attacker positioned on the network path between UAA and its LDAP directory can present any certificate issued by any trusted CA to impersonate the directory, harvesting the LDAP bind password plus every end-user password submitted during simple-bind authentication and injecting forged group memberships that grant attacker-controlled admin scopes. There is no public exploit identified at time of analysis, no CISA KEV listing, and EPSS was not provided, but the CVSS 4.0 base score is 9.3 (Critical).
SQL injection in the AcyMailing newsletter/email-marketing extension for Joomla (all versions before 10.11.1) allows remote attackers to inject crafted database queries, resulting in unauthorized database access and data leakage. The high CVSS 4.0 score (9.2) reflects unauthenticated network reach and high confidentiality impact against the Joomla back-end database. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but a public disclosure write-up exists on mysites.guru.
Authentication bypass leading to remote code execution in Xerte Online Tools (all versions below 3.14.6 and below 3.15.5) lets unauthenticated remote attackers reach the exposed /setup/ installer and re-run the installation, pointing the application at a database they control and thereby seizing full control of the toolkit. The flaw scores CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) and is tagged Authentication Bypass and RCE; a vendor patch exists but there is no public exploit identified at time of analysis. CISA's SSVC framework rates it not-exploited but automatable with partial technical impact.
Authentication bypass in the MERCURY MIPC252W IP camera (firmware v1.0.5 Build 230306 Rel.79931n) lets an attacker on the same local network replay a captured RTSP Digest authentication exchange to view the live video feed without knowing the device credentials. The root cause is that the RTSP server never expires or invalidates authentication nonces, so a sniffed nonce/response pair remains valid on new connections indefinitely. No public exploit is identified at time of analysis and EPSS is low (0.19%), but the barrier to abuse is minimal for anyone already positioned on the LAN.
{{erasespamedcomments}} action, which processes a POST-supplied suppr[] array with no authorization, ownership, or CSRF check. On a default install where default_write_acl='*', an unauthenticated attacker first creates a page containing the action, then submits a cleanup request naming target page tags. A vendor patch commit exists; there is no public exploit identified at time of analysis beyond the fully working PoC included in the advisory.
Remote code execution in Metabase (open-source BI/analytics platform) versions 1.55.0 through the fixed releases arises because one database-creation code path failed to validate unsafe H2 JDBC connection properties, letting an authenticated administrator register a crafted H2 datasource and run arbitrary Java on the server host. Because the CVSS scope is Changed (S:C), successful exploitation escapes the application context and yields full host compromise. No public exploit has been identified at time of analysis and it is not listed in CISA KEV, but the CVSS base score of 9.1 and RCE nature make it a high-priority patch for any exposed Metabase instance.
Stored cross-site scripting in the Discourse discussion platform allows a low-privileged registered user to set a malicious two-factor authenticator name that executes JavaScript in an administrator's browser when that admin impersonates the account and opens the 2FA delete confirmation dialog. Affected builds are Discourse before 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, spanning the 2026.1.x through 2026.6.x release lines. There is no public exploit identified at time of analysis and the EPSS probability is low (0.39%), but the fix commit's regression test reveals the exact working payload, and successful exploitation runs in a full-admin context.
Cross-user remote code execution in Open WebUI before 0.10.0 lets an authenticated user run arbitrary code interpreter Python or invoke tools inside another logged-in user's session. The get_event_call handler dispatched execute:python and execute:tool Socket.IO events to any client-supplied session_id that was merely 'connected', so an attacker who harvested a victim's socket ID via the ydoc:document:join collaboration flow could hijack that session. A proof-of-concept is indicated in the SSVC data, though the flaw is not in CISA KEV and EPSS rates near-term mass exploitation low (0.28%, 19th percentile).
Privilege escalation and server-side code execution in Open WebUI before 0.10.0 lets a low-privileged authenticated user plant a malicious chat payload that, when a victim (typically an admin) clicks Run, executes client-side Python via Pyodide in a same-origin web worker and issues authenticated same-origin requests to admin-only endpoints. Because the requests inherit the victim's session, the attacker can reach administrative APIs and trigger server-side code execution through configured tools. No public exploit has been identified at time of analysis, and EPSS is low (0.25%), but CVSS is 9.0 with total technical impact per CISA SSVC.
Man-in-the-middle credential theft and root code execution affects the BOSH CLI (bosh-cli) prior to v7.10.4, which fails to verify the DAV blobstore server certificate during 'bosh create-env' and 'bosh delete-env' even though a valid CA certificate is present in the installation manifest. An adjacent network attacker who can intercept the operator's HTTPS upload can harvest Basic-auth credentials and the rendered-templates archive holding every bootstrap secret for the new BOSH Director, then replay those credentials against the target VM's agent to gain root code execution. There is no public exploit identified at time of analysis, but the vendor-rated CVSS 4.0 score of 8.9 reflects the high impact of a full Director compromise.
Arbitrary file deletion in the UsersWP WordPress plugin (versions ≤ 1.2.65) lets authenticated Subscriber-level users delete any file on the server, including wp-config.php, which can escalate into full site takeover. The flaw stems from unsanitized directory-traversal sequences in file-field metadata reaching an unlink() call in the upload_file_remove() AJAX handler. Reported by Wordfence with no public exploit identified at time of analysis and no active-exploitation (KEV) listing; an upstream code fix is available.
Remote code execution in Metabase's H2 database driver allows an authenticated user with native-query privileges to run arbitrary Java on the server. When Metabase returns H2 result columns of type OTHER (JDBC JAVA_OBJECT), it deserializes the embedded Java object without validation, so a crafted native H2 query triggers CWE-502 unsafe deserialization and full server compromise. It affects any instance using an H2 connection, including the default bundled sample database. No public exploit is identified at time of analysis (SSVC exploitation: none; EPSS 0.45%), though the upstream fix commit and vendor advisory GHSA-w95f-x9v9-wv36 are public.
Full admin account takeover in Pimcore (Studio backend) before 2025.4.6 and 2026.1.6 lets an unauthenticated attacker who knows a valid admin username hijack that account by submitting a password-reset request with an attacker-controlled resetPasswordUrl; the server appends a genuine recovery token to that URL and emails it to the victim, so a single victim click leaks the token to the attacker, who authenticates via POST /pimcore-studio/api/login/token with full admin rights and bypasses 2FA. GitHub advisory GHSA-h854-c3m3-mh5v classifies this as an authentication bypass (CWE-640). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not provided.
Privilege escalation to full account takeover in the Divi Form Builder WordPress plugin (versions up to and including 5.1.8) lets any authenticated user with subscriber-level access or higher change the email address and password of arbitrary accounts, including administrators. The flaw is an insecure direct object reference where a user ID supplied in a form submission is trusted without an authorization check. Reported by Wordfence and rated CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Missing authentication on Mockoon's admin API (commons-server admin-api.ts) prior to 9.7.0 lets any unauthenticated party who can reach the mock server port fully control the runtime. Because the admin routes are mounted on the same Express listener as user mock routes, enabled by default, serve Access-Control-Allow-Origin: * with write methods, and require no credentials, an attacker can read MOCKOON_* environment variables, write arbitrary process env vars, rewrite mock route bodies/statuses/headers, read transaction logs and SSE streams, and purge state. No public exploit identified at time of analysis; not listed in CISA KEV.
CPU-exhaustion denial of service in CPython's standard-library html.parser.HTMLParser lets remote attackers cause quadratic processing time by feeding a long, unterminated markup construct (comment, tag, PI, DOCTYPE, CDATA, or RAWTEXT element) incrementally in many small chunks. Any Python service that streams attacker-controlled HTML through HTMLParser.feed() is affected in all CPython versions before 3.16.0. There is no public exploit identified at time of analysis, but the fix, root cause (repeated buffer rescan and concatenation), and a triggering test case are publicly documented in the upstream pull request, making a working reproducer trivial to reconstruct.
Denial of service in Zeek (formerly Bro) network security monitor before 8.0.9 lets remote unauthenticated attackers crash the sensor by sending a single crafted Kerberos KRB_ERROR packet. The flaw is a null pointer dereference (CWE-476) in the Kerberos analyzer's proc_padata() routine, reachable over UDP or TCP port 88 with no credentials. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the trivial single-packet trigger and passive-monitoring exposure make it operationally significant for security teams running Zeek inline or on tapped traffic.
{idreaction} and {id} URL path parameters, which are concatenated directly into a LIKE clause. Because YesWiki permits open self-registration, the practical barrier is minimal, and the flaw grants full database read/write - including extraction of yeswiki_users password hashes and emails. Publicly available exploit code exists in the advisory (including a time-based blind variant), but there is no public exploit identified as actively used in the wild and no CISA KEV listing.
Authenticated command injection in Coolify (self-hosted PaaS) before 4.0.0-beta.469 allows a logged-in user to run arbitrary shell commands inside deployment containers by supplying malicious health-check parameters. The generate_healthcheck_commands() routine in ApplicationDeploymentJob.php interpolates the health_check_host, health_check_method, and health_check_path values straight into a shell command line, so any user able to configure an application's health check gains OS command execution during deployment. No public exploit identified at time of analysis, but the upstream fix and advisory (GHSA-4fhp-xqqp-w7vv) publicly document the vulnerable code path.
Cross-Site Request Forgery in the Divi Torque Lite WordPress plugin (versions ≤ 4.2.3) lets remote attackers install and activate arbitrary plugins by tricking a logged-in administrator into loading a malicious page. The plugin registers its /install_plugin and /activate_plugin REST routes with '__return_true' as the permission_callback, which suppresses WordPress's REST nonce check so a forged request rides the admin's session cookies past the internal capability check. No public exploit is identified at time of analysis, but installing an attacker-supplied plugin yields effective remote code execution on the site.
Denial-of-service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series devices allows an unauthenticated, network-based attacker to crash the flow processing daemon (flowd) by sending a malformed SIP INVITE packet when the SIP Application Layer Gateway (ALG) is enabled. The crash forces a flowd restart, producing a complete traffic-forwarding outage until the device auto-recovers, and can be repeated to sustain the outage. No public exploit identified at time of analysis; not listed in CISA KEV, and no EPSS score was provided.
Remote denial of service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series firewalls lets an unauthenticated network attacker crash the flow processing daemon (flowd) by sending a single TCP packet with a malformed TCP header when the TCP proxy is active. Because TCP proxy is engaged whenever ALGs, Advanced Anti-Malware, ICAP, or UTM services inspect a flow, exploitation forces a complete traffic-forwarding outage until the daemon auto-restarts. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible availability threat to perimeter devices.