Argument injection in Flux159 MCP Server Kubernetes before 3.9.0 lets remote attackers redirect kubectl operations to an attacker-controlled API server by smuggling a leading-dash `--server` flag through the resourceType and name parameters of the kubectl_get, kubectl_describe, and kubectl_delete structured tools. Because the injected values bypass the assertNoDangerousFlags check, the operator's bearer token is transmitted to the external server, enabling full Kubernetes cluster compromise. Reported by VulnCheck, it carries CVSS 4.0 9.3, has publicly available exploit code, and a vendor patch in release 3.9.0; there is no confirmed active exploitation.
Authentication bypass in the Hydro-Québec Le Circuit Électrique EV charging station backend lets remote unauthenticated attackers open connections directly to the charging-station WebSocket endpoint, which lacks proper access control (CWE-284), and leverage that access for privilege escalation. All backend versions prior to the June 2026 fix are affected, and the CVSS 4.0 base score of 9.3 (critical) reflects full compromise of confidentiality, integrity, and availability over the network with no privileges or user interaction. Reported through CISA ICS-CERT (ICSA-26-188-01); no public exploit identified at time of analysis and it is not listed in CISA KEV.
Unauthenticated remote code execution in the PrestaShop ps_facetedsearch (layered navigation) module versions 3.0.0 through 4.0.3 allows a single crafted front-office request to fully compromise the shop and its underlying server. The module rebuilds price/weight slider filter values from the request URL and later reads them back through a native unserialize(), enabling PHP object injection whose gadget chain writes a PHP webshell into the module directory. No public exploit is identified at time of analysis, but the flaw is trivially reachable and rated CVSS 10.0.
Unauthenticated arbitrary file upload in the Instant Appointment WordPress plugin (all versions ≤ 1.2) lets remote attackers upload files of any type through the 'insapp_upload_image_as_attachment' function, which lacks file-type validation, potentially enabling remote code execution by planting a PHP webshell. Any WordPress site running the plugin is exploitable without authentication or user interaction, matching its 9.8 CVSS rating. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.
Unauthenticated remote code execution in the Super Forms - Drag & Drop Form Builder WordPress plugin (all versions through 6.3.313) allows attackers to upload executable files via the nopriv submit_form AJAX handler, which lacks both file-type validation (CWE-434) and any capability check. The plugin's only guardrail is a session nonce, but the companion super_create_nonce nopriv action lets any visitor mint a valid sf_nonce and session cookie on demand, collapsing the attack to two unauthenticated HTTP requests. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivial exploitability make this a high-priority patch item.
Authentication bypass in the miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) WordPress plugin through version 7.7.0 lets unauthenticated attackers seize any account, including administrators. The Profile Completion flow trusts an attacker-supplied 'email_field' POST value without confirming it matches the OAuth provider's verified identity, and the send_otp_token() routine leaks a SHA-512(customer_key||otp) hash to the client where the OTP is one of only 99,000 values and customer_key is a static (often empty) option - so the OTP can be brute-forced offline in under a second. Rated CVSS 9.8; no public exploit identified at time of analysis, but the full attack primitive is described in the Wordfence advisory.
Authentication bypass in the miniOrange OAuth Single Sign On - SSO (OAuth Client) WordPress plugin (versions up to and including 38.5.8) lets remote unauthenticated attackers abuse an alternate authentication path in the password-recovery flow to log in as arbitrary users, including administrators. Rated CVSS 9.8, the flaw grants full account takeover without credentials or user interaction; there is no public exploit identified at time of analysis, but the plugin's SSO role and low attack complexity make it a high-value target.
Code execution via path traversal in JetBrains IntelliJ IDEA before 2026.1.4 and 2026.2 lets an attacker abuse improper sanitization of the project workspace ID to write or reference files outside the intended workspace directory, culminating in arbitrary code execution. The flaw was self-reported by JetBrains and a fix is available; no public exploit has been identified at time of analysis. The NVD-assigned CVSS of 9.8 (network, no privileges, no user interaction) is notably high for a desktop IDE flaw and warrants scrutiny given that IDE project-handling bugs typically require a victim to open a crafted project.
Unsafe reflection in Apache IoTDB's pipe processor lets a user-supplied fully qualified Java class name be loaded and instantiated via Class.forName().newInstance() with no allowlisting, enabling arbitrary class loading and likely remote code execution in the database server process. It affects all releases from 1.0.0 up to (but not including) 2.0.10 and is fixed in 2.0.10. No public exploit identified at time of analysis, and EPSS is low (0.25%, 17th percentile), though CISA SSVC rates the technical impact as total and considers exploitation automatable.
Authentication bypass via capture-replay in Apache IoTDB (1.0.0 through 2.0.9) lets attackers reuse stale credentials against the REST interface because Basic Authentication continues to accept cached credentials that should have been invalidated. An attacker who has captured or previously held valid credentials can keep authenticating after those credentials should have expired or been revoked, gaining full read/write control of the time-series database. No public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile), so no active exploitation is indicated despite the 9.8 CVSS.
Object injection in the Drupal Formatter Field contributed module (all versions from 0.0.0 up to but not including 2.0.0) allows remote unauthenticated attackers to improperly modify dynamically-determined object attributes, potentially leading to arbitrary code execution or full site compromise. The flaw carries a CVSS 9.8 rating, but with no public exploit identified and a low EPSS probability (0.17%, 7th percentile), and SSVC currently rates exploitation as 'none'. A vendor patch is available via Drupal advisory SA-CONTRIB-2026-048.
PHP object injection in the Drupal AlternativeCommerce (Basket) contributed module (all versions up to and including 2.1.17) allows remote unauthenticated attackers to modify dynamically-determined object attributes and inject crafted objects into the application. Successful exploitation can lead to code execution or full compromise of the Drupal site, with CVSS 3.1 scoring it 9.8 (Critical). No public exploit identified at time of analysis, and EPSS is low at 0.16% (6th percentile), indicating no observed exploitation activity yet despite the high severity rating.
Stored/reflected cross-site scripting (CWE-79) affects the Drupal contributed module 'Mother May I' across all released versions (*.*), letting attackers inject script that executes in the browser context of other Drupal users. Because the module is a Drupal add-on rather than core, exposure is limited to sites that have installed it, and no public exploit has been identified. EPSS is low (0.15%, 5th percentile) and the flaw is not on the CISA KEV list, indicating no known active exploitation despite the vendor-assigned 9.8 rating.
Missing authorization in the Drupal LocalGov Workflows contrib module (all versions 0.0.0 through 1.6.0, fixed in 1.6.0) lets remote attackers reach protected workflow-related routes through forceful browsing without proper permission checks. The flaw carries a vendor CVSS of 9.8 (AV:N/AC:L/PR:N/UI:N), but EPSS is low (0.14%, 4th percentile) and there is no public exploit identified at time of analysis. Affected sites are Drupal deployments running this LocalGov Drupal editorial-workflow module.
SQL injection in Semtek SEM-PMP through build 23042026 allows remote attackers to inject arbitrary SQL and, per the vendor description, escalate to operating-system command execution through the database layer. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating and is reachable over the network without authentication or user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the combination of unauthenticated network reach and command-execution impact makes it a high-priority patching target.
SQL injection in Adam Retail Automation's MobilMen 20T retail-automation software (versions v3 through build 10072026) lets remote attackers inject arbitrary SQL through improperly neutralized input, yielding full read/write access to the backing database. Rated CVSS 9.8 by TR-CERT with an unauthenticated network-reachable vector, though no public exploit has been identified and it is not on CISA KEV. The vendor was contacted but did not respond, so no fix is available.
Cross-tenant account takeover in Prowler (cloud security platform) before 5.30.3 lets an authenticated attacker who operates a controlled SAML IdP obtain a tenant-scoped JWT for a victim tenant. The ACS finish logic in api/src/backend/api/v1/views.py derived the destination tenant from the user-asserted email domain rather than binding token issuance to the validated SAML configuration, so an attacker completing a legitimate SAML flow for their own domain while asserting a victim-domain email address receives a SAMLToken and JWT for the wrong tenant. Rated CVSS 9.6 (scope-changing); no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api.py run arbitrary Python, because that value is interpolated directly into an f-string that is later executed as generated server code via subprocess.Popen(). The CVSS 4.0 base score is 9.4 and the vector requires high privileges (PR:H), meaning the attacker must already be able to reach and drive the deployment API. No public exploit has been identified at time of analysis and it is not on the CISA KEV list.
Server-Side Request Forgery in the guardrails-detectors component allows a remote attacker to submit a crafted XML Schema Definition (XSD) that forces the service to make attacker-directed requests, reaching cloud metadata services, the Kubernetes API, internal MinIO object storage, and other internal endpoints, and to read local files such as service account tokens and pod secrets. Because the flaw is blind SSRF chained to local file disclosure inside a container/Kubernetes context, an attacker can harvest credentials and pivot deeper into the cluster. No public exploit identified at time of analysis, but the CVSS 9.3 rating and scope-changing impact make this high priority for affected AI-guardrails deployments.
Root-level OS command execution in Dell PowerFlex Manager (versions prior to 5.1.0.1) lets a remote, high-privileged attacker inject operating-system commands during OS Repository processing, resulting in full appliance compromise. Because PowerFlex Manager orchestrates storage and HCI infrastructure, code execution as root also enables lateral movement into managed nodes. There is no public exploit identified at time of analysis, and Dell has released a fixed build (5.1.0.1) via advisory DSA-2026-066.
Stored cross-site scripting in OpenReplay 1.24.0 through versions before 1.25.0 allows an unauthenticated attacker holding only a public project key to inject script via custom event names and captured page URLs, which the tracking SDK stores in ClickHouse without output encoding and the authenticated dashboard later renders through TextEllipsis and the event-details modal. When a logged-in operator views the poisoned session, the payload executes in the dashboard origin, reads the session JWT from localStorage, and enables full dashboard account takeover. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS base score is 9.3 and a vendor fix exists in 1.25.0.
Token theft via open redirect in the Authorizer identity server (authorizerdev/authorizer) lets an unauthenticated attacker steal a logged-in victim's OAuth/OIDC tokens. The /authorize endpoint fails to validate the redirect_uri against AllowedOrigins, so with response_type=token or id_token the server appends access_token, id_token, and refresh_token to any attacker-supplied URL via a 302 redirect. Detailed reproduction steps are public in advisory GHSA-h29v-hj44-q8cv, and the required client_id is trivially harvested from the unauthenticated /graphql meta query; no active exploitation is confirmed in CISA KEV at time of analysis.
Server-side request forgery in the file_type content detector of guardrails-detectors (a component shipped with Red Hat OpenShift AI/RHOAI) allows a remote attacker to submit an arbitrary XML Schema Definition (XSD) that the parser resolves without restriction, coercing the server into fetching attacker-chosen URLs or reading local files. Because the CVSS vector is AV:N/PR:N/UI:N with a changed scope and high confidentiality impact (base score 9.3), an unauthenticated attacker can pivot into internal networks and harvest secrets such as cloud provider credentials. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Instance-wide data breach in Vikunja before 2.2.1 lets remote attackers exfiltrate and destroy every file attachment across all projects on a server. Two flaws chain together: the LinkSharing.ReadAll endpoint leaks share hashes to any user with read access, enabling escalation to admin-level shares, and the GetTaskAttachment endpoint validates permissions against a user-supplied task ID while fetching the attachment by an unrelated sequential ID, an insecure-direct-object-reference that ignores ownership. Rated CVSS 4.0 9.3 (critical) with a network, unauthenticated vector; no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Server-side request forgery in Crawl4AI's Docker API server (versions before 0.8.7) allows remote unauthenticated attackers to coerce the server into making arbitrary internal requests. The /crawl/job and /llm/job endpoints accept caller-supplied webhook URLs without validating the destination, so an attacker can target private IP ranges, Docker network internals, or the cloud metadata endpoint (169.254.169.254) to reach otherwise unreachable services and harvest credentials. CVSS 4.0 rates it 9.2 (critical); no public exploit identified at time of analysis, and it is not listed in CISA KEV.
OS command injection as root in the R-SOFT DMS Optical Character Recognition (OCR) module lets an authenticated attacker run arbitrary shell commands. Multiple OCR command-execution functions accept user-controllable file paths and pass them unsanitized to the system shell over SSH, yielding full root-level compromise of the document management server. No public exploit has been identified at time of analysis, and the flaw is mitigated in the default web-upload flow because URL encoding neutralizes the injection, which is reflected in the high attack complexity (AC:H).
SQL injection in the Grav CMS Database plugin (grav-plugin-database) prior to 1.2.0 lets attacker-controlled table names reach a raw SQL query. The PDO::tableExists method interpolates its table argument directly into a query with no sanitization, escaping, quoting, or whitelisting, so any consuming plugin or developer code that forwards untrusted input into that method can execute arbitrary SQL against the configured database. No public exploit identified at time of analysis and it is not listed in CISA KEV; the CVSS 4.0 base score is 9.2, with an attack-requirement (AT:P) reflecting the dependency on downstream code passing tainted table names.
Unauthenticated SQL injection in the GEO my WP WordPress plugin (versions ≤ 4.5.4) lets remote attackers inject SQL through the numeric 'distance', 'lat', and 'lng' parameters of the proximity-search feature. Because the values are parsed from the raw query string and only passed through esc_sql() at unquoted numeric positions, payloads such as `1 OR SLEEP(3)` execute directly against the database. No public exploit is identified at time of analysis, and the flaw is not listed in CISA KEV, but the network, no-auth attack profile makes it a high patching priority.
Authentication bypass in the Drupal Commerce Guest Registration contributed module allows remote unauthenticated attackers to circumvent identity verification during the guest checkout/registration flow, per Drupal advisory SA-CONTRIB-2026-079. The CVSS 9.1 scoring (C:H/I:H) indicates an attacker can gain unauthorized access to or hijack account/order data without credentials or user interaction. No public exploit has been identified at time of analysis, and the low EPSS score (0.24%, 15th percentile) suggests exploitation is not yet widespread.
Arbitrary file write in Apache IoTDB (versions 1.0.0 through 2.0.9) lets remote attackers plant files anywhere the IoTDB process can write by abusing an unsafe API that fails to sanitize user-supplied pathnames. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with high confidentiality and integrity impact, and controlled file placement can escalate to code execution or overwrite of critical files. No public exploit has been identified at time of analysis, and EPSS is low (0.16%, 5th percentile) despite the 9.1 severity.
An issue in Invixium IXM WEB v.2.3.85.25 allows an attacker to escalate privileges via the /SystemUsers/CreateAppUser components
Authentication bypass in RabbitMQ (broker versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) lets a loopback-restricted account such as the default guest user authenticate from a remote network when the broker sits behind a trusted PROXY-protocol path and the backend listener is loopback-bound. Because the loopback check evaluates the listener-side socket address (which appears as 127.0.0.1 to the local proxy) instead of the real client source carried in the PROXY header, the 'local only' restriction on guest is silently defeated across AMQP 0-9-1, AMQP 1.0, and the Stream Protocol. SSVC records a proof-of-concept; there is no CISA KEV listing and EPSS is low (0.34%, 26th percentile), indicating the flaw is potent but not yet mass-exploited.
Server-side request forgery and NTLM credential exposure in the RabbitMQ management plugin (versions 4.1.0 to before 4.1.11 and 4.2.0 to before 4.2.6) on Windows lets remote actors coerce the broker into outbound DNS and SMB connections to attacker-controlled UNC paths. The static file handler rabbit_mgmt_wm_static passes URL-encoded backslashes to erl_prim_loader:read_file_info before path validation, but only when multiple management extension plugins are enabled. No public exploit has been identified at time of analysis, and the EPSS score is low (0.28%, 20th percentile) despite the CVSS 10.0 rating.