Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote authenticated users to access the /callrec/statisticReportAction.do endpoint beyond their privilege level, enabling unauthorized read, write, and availability impact on sensitive call statistics and reporting data. The vendor was notified but did not respond, leaving version 9.7.0 unpatched. A proof-of-concept exploit is publicly available, raising immediate risk for any organization running this version of the software.
Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote authenticated low-privileged users to manipulate the role and group management endpoint (/callrec/roleAddAction.do), bypassing access controls without proper privilege checks. A publicly available exploit exists for this flaw, raising practical risk despite the relatively low CVSS 4.0 score of 2.1 (inflated downward by the E:P threat metric). The vendor was unresponsive to coordinated disclosure, meaning no official patch or acknowledgment exists at time of analysis.
Improper authorization in Eleveo Call Recording Software 9.7.0 allows remote low-privileged users to manipulate the 'role' parameter in the /callrec/userAddAction.do endpoint, potentially enabling unauthorized role assignment during user creation. The vulnerability carries a CVSS 4.0 score of 2.1 with low-impact metrics across confidentiality, integrity, and availability, though the real-world risk of privilege escalation through role manipulation may be underrepresented by that score. A proof-of-concept exploit is publicly available; no vendor patch exists as the vendor did not respond to responsible disclosure.
Improper authorization in Eleveo Call Recording Software 9.7.0 exposes the /callrec/sendlogfile endpoint to low-privileged authenticated remote attackers, enabling unauthorized access to log file functionality with confirmed confidentiality impact. The flaw (CWE-285) stems from missing or bypassable authorization checks on a sensitive operational endpoint within the call recording platform. A publicly available proof-of-concept exploit exists, and the vendor failed to respond to coordinated disclosure - no patch has been released.
Server-side request forgery in Sipeed PicoClaw up to version 0.2.9 allows remote attackers to manipulate the WebFetchTool.Execute function within the Guarded Web Fetch Flow component, causing the server to issue arbitrary outbound requests on behalf of the attacker. The vulnerability carries a CVSS 4.0 base score of 2.1, reflecting limited confidentiality, integrity, and availability impact with no subsequent-system scope change. A public exploit has been released (E:P confirmed), but no vendor patch exists - the upstream GitHub issue was closed automatically due to inactivity, not resolution.
Information disclosure in zhayujie CowAgent up to version 2.1.0 exposes sensitive data to low-privileged authenticated remote attackers through the BrowserTool._do_navigate function in the Browser Tool component. Publicly available proof-of-concept exploit code exists via a GitHub issue report, though no patch has been released as the project maintainer has not yet responded to responsible disclosure. The CVSS 4.0 score of 2.1 and impact limited to low confidentiality exposure place this at the lower end of priority, tempered by the authentication requirement and niche product footprint.
Missing authorization in Sipeed PicoClaw up to version 0.2.9 permits remote low-privileged attackers to invoke the rt.ReloadConfig function in pkg/channels/pico/pico.go by manipulating the message.send argument without proper authorization checks. The integrity and availability of the affected system are both at limited risk, as the CVSS 4.0 vector confirms no confidentiality exposure but allows unauthorized configuration reload or disruption. A public exploit exists (E:P), though the GitHub issue tracking the report was closed automatically due to inactivity, indicating no vendor remediation has been issued.
Incorrect authorization in Sipeed PicoClaw's MQTT Channel Handler (pkg/channels/mqtt/mqtt.go) through version 0.2.9 allows remote low-privileged attackers to bypass access controls by manipulating the `client_id` argument, enabling unauthorized access to MQTT channels belonging to other clients. A public proof-of-concept exploit exists via the referenced GitHub issue, elevating practical risk beyond the moderate CVSS 4.0 score of 5.3. No vendor patch has been released - the upstream GitHub issue was closed automatically due to inactivity - leaving affected deployments without an official remediation path.
Improper authorization in Eleveo Call Recording Software 9.7.0 allows low-privileged authenticated remote users to bypass access controls on the LDAP User Interface endpoint `/callrec/users_ldap.jsp`, exposing restricted LDAP directory user data without appropriate privilege verification. A public proof-of-concept exploit has been disclosed via Google Drive and the vendor has not responded to responsible disclosure, leaving no official patch or advisory available. The CVSS 4.0 base score of 2.1 reflects narrow confidentiality-only impact, but POC availability and vendor silence increase practical urgency for affected deployments.
Path traversal in halo-dev/halo through version 2.24.2 allows authenticated administrators to write files outside the intended theme directory by supplying a crafted `metadata.name` value during theme installation. The flaw resides in the `ThemeUtils.unzipThemeTo()` function in `ThemeUtils.java`, which fails to sanitize the metadata name before constructing extraction paths. A public proof-of-concept exploit exists, but real-world impact is substantially constrained by the PR:H prerequisite - the attacker must already hold admin-level credentials - yielding a CVSS 4.0 score of only 2.0 and no CISA KEV listing.
Stored cross-site scripting in MyEMS up to 6.4.0 allows a high-privileged attacker to inject malicious script via the `new_values['data']` argument in the `on_post` function of `myems-api/core/svg.py` within the Admin Backend, which then executes in a victim administrator's browser upon viewing the affected SVG content. The CVSS 4.0 score of 1.9 reflects the limited real-world impact: exploitation requires existing administrative access and victim interaction, constraining this to a privilege-abuse scenario rather than an external intrusion vector. A public proof-of-concept exists via GitHub issue #412, and a vendor-released patch is available in version 6.5.0.
Heap overflow in libarchive's PAX extended header parser allows exploitation via a maliciously crafted tar archive containing a malformed SUN.holesdata sparse-file attribute. Successful exploitation of the affected system could result in a denial of service condition or, in more serious cases, arbitrary code execution under the privileges of the process invoking libarchive. No public exploit code or active exploitation has been confirmed at time of analysis, though a GitHub pull request (#3253) indicating an upstream fix is available suggests the issue is reproducible and patch-ready. The official CVSS score of 3.9 (Low) conflicts materially with the vendor-applied RCE tag, a discrepancy that warrants independent validation.
CSS injection via Mermaid diagram rendering in JetBrains YouTrack before version 2026.2.17012 permits authenticated low-privilege users to embed malicious CSS into diagram content that executes in the browsers of other users who view the affected page. The CVSS score of 3.5 (Low) reflects the dual gating conditions of required authentication and victim interaction, substantially constraining real-world impact to UI manipulation rather than data exfiltration or code execution. No public exploit code or active exploitation has been identified at time of analysis.
Forceful browsing exposure in Drupal's AI (Artificial Intelligence) contributed module permits high-privileged authenticated users to access protected resources without proper authorization checks, affecting versions 0.0.0-1.2.17, 1.3.0-1.3.8, and 1.4.0-1.4.3. The vulnerability stems from CWE-862 (Missing Authorization), where path-level access controls are not enforced on certain AI module endpoints, allowing an authenticated user with high privileges to traverse to unauthorized resources. No public exploit code exists, EPSS sits at 0.14% (4th percentile), and CISA SSVC confirms no active exploitation, placing this firmly in the low-urgency tier despite its network-accessible attack vector.
Server-Side Request Forgery in the Drupal OpenAI Provider module enables authenticated administrators to force the server to issue HTTP requests to attacker-controlled destinations, potentially reaching internal network resources beyond the intended API boundary. Affected versions span 0.0.0 through 1.1.1 and 1.2.0 through 1.2.2; a vendor patch is available via Drupal security advisory SA-CONTRIB-2026-053. No public exploit code exists, EPSS sits at 0.14% (4th percentile), and SSVC confirms exploitation status as none - all signals converge on a low operational priority despite the network-accessible attack vector.
Missing Authorization in Drupal's Examples for Developers module (versions 0.0.0 through 4.0.5) permits forceful browsing by an already highly-privileged authenticated attacker, exposing restricted paths with limited confidentiality and integrity impact. All available signals converge on minimal real-world risk: CVSS scores 3.3 (Low), EPSS sits at 0.14% (4th percentile), SSVC reports no known exploitation and non-automatable attack conditions, and neither active exploitation nor public proof-of-concept code has been identified. A vendor patch is available at version 4.0.6.
Incorrect authorization in the Drupal Advanced Content Feedback (admin_feedback) contributed module allows authenticated low-privilege users to perform forceful browsing, accessing restricted feedback resources without proper authorization checks. All module releases from 0.0.0 up to (but not including) 2.8.0 are affected. No public exploit code exists and no active exploitation has been identified; EPSS sits at the 4th percentile, consistent with the SSVC assessment of zero current exploitation.
Server-Side Request Forgery in Drupal Core allows authenticated low-privilege users to coerce the application server into issuing unauthorized HTTP requests to internal or restricted network destinations. All active 10.6.x and 11.x release branches are affected, along with end-of-life 11.0.x and 11.1.x branches, covering a broad swath of production Drupal deployments. No public exploit code has been identified and EPSS sits at the 3rd percentile, but the large Drupal deployment footprint elevates aggregate exposure even at low per-instance exploitation probability.
HTTP redirect handling in Apprise prior to 1.11.0 leaks user-configured secrets - including Authorization headers, bearer tokens, custom headers, and service API keys - by blindly resending them on redirected requests to attacker-controlled endpoints. Any deployment using Apprise's HTTP-based notification plugins or its HTTP attachment and config loaders (apprise/attachment/http.py, apprise/config/http.py) is affected. An on-path attacker or a compromised notification destination can silently harvest these credentials. No public exploit has been identified at time of analysis, and EPSS data is not present in the source intel, but the credential-theft impact on third-party service integrations elevates real-world risk above the Low CVSS score suggests.
Memory exhaustion in NanaZip's WebAssembly archive handler (prior to 6.5.1749.0) allows a crafted .wasm file to trigger multi-gigabyte heap allocations by supplying oversized 32-bit NameSize or Information.Size fields that are consumed without bounds validation in NanaZip.Codecs.Archive.WebAssembly.cpp. When a user opens or lists such an archive, NanaZip attempts to satisfy the inflated allocations via std::string or std::vector paths, exhausting process memory and causing a crash. No active exploitation or public exploit code has been identified at time of analysis; the impact is strictly limited to NanaZip process availability with no confidentiality or integrity consequence.
Process crash via uncaught C++ exception in NanaZip's .NET single-file bundle handler affects all versions prior to 6.5.1749.0 on Windows. The extraction buffer is sized from the bundle entry's Size field, which is validated only for sign - not against the actual file content - allowing a crafted archive to trigger an attacker-controlled allocation whose resulting std::bad_alloc or std::length_error propagates across the COM STDMETHODCALLTYPE ABI boundary and terminates the NanaZip process. Impact is limited to denial of service; no public exploit has been identified at time of analysis, and the vendor has released a fix in version 6.5.1749.0.
Memory exhaustion in NanaZip's UFS/FFS archive handler (all versions prior to 6.5.1749.0) allows a local low-privilege attacker to terminate the NanaZip process by delivering a crafted disk image that a user opens. The root cause is missing upper-bound validation of the `fs_fsize` fragment size field in the UFS superblock - unlike `fs_bsize`, which is checked against MINBSIZE, `fs_fsize` flows unchecked into indirect-block, directory, and extraction buffer allocation calculations, enabling a tiny image file to trigger multi-gigabyte heap allocation requests. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 2.4 (Low) reflects the constrained local, user-interaction-required attack path with availability-only impact.
NULL pointer dereference in NanaZip's custom archive handlers crashes the application when a user tests or extracts archives of seven specific formats. All NanaZip versions prior to 6.5.1749.0 are affected; the seven vulnerable handlers cover WebAssembly, ElectronAsar, Zealfs, Romfs, Ufs, Littlefs, and DotNetSingleFile archive types. Impact is limited to a process crash (denial of service) with no confidentiality or integrity consequence; no public exploit or active exploitation has been identified at time of analysis.
Frappe framework's check_safe_sql_query function fails to block SELECT INTO OUTFILE statements, allowing authenticated low-privileged users to write arbitrary files to the server filesystem on self-hosted MySQL deployments where the database user holds the MySQL FILE privilege. Affected branches are v15 prior to 15.108.0 and v16 prior to 16.18.3; fixes are released at both version targets. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, with a CVSS 4.0 base score of 2.3 reflecting the narrow, non-default exploitation conditions captured by AT:P.
Missing authorization in zhayujie CowAgent up to version 2.1.0 allows remote attackers with low-privilege accounts to bypass access controls at the Message Endpoint defined in channel/channel.py, potentially enabling unauthorized access to or manipulation of messaging data. The CVSS 4.0 vector confirms network-accessible exploitation requiring only low privileges, with low-level confidentiality, integrity, and availability impacts on the vulnerable system. A public proof-of-concept exploit has been released per VulDB, and the project maintainer has not yet responded to the coordinated disclosure filed via GitHub issue #2874.
Cookie attribute injection in elixir-plug's Plug library allows a remote attacker who can supply values reflected into `Set-Cookie` headers to inject the `;` delimiter and override attributes such as `Domain`, `Path`, `Secure`, and `HttpOnly`. Applications calling `Plug.Conn.put_resp_cookie/4` with user-controlled data - for example, reflecting a username or preference value - are exposed to session fixation and cookie tossing across five supported release lines (0.1.0 through 1.20.2). No public exploit code or CISA KEV listing is present at time of analysis, but the attack is mechanically straightforward wherever the vulnerable code pattern exists.
SQL injection in Postgrex.Notifications' reconnect replay path allows an attacker who can supply untrusted input as a PostgreSQL LISTEN channel name to corrupt the shared notification connection, silently dropping all channel subscriptions and causing persistent denial of service of the notification subsystem. Affected versions are postgrex 0.16.0 through 0.22.2 in the Elixir ecosystem. No arbitrary SQL execution is possible due to double-quote escaping, and no public exploit or CISA KEV listing exists; the CVSS 4.0 base score of 2.1 reflects the constrained, precondition-heavy impact.