Command injection in the TRENDnet TEW-635BRM wireless router (firmware through 1.00.03) lets an authenticated remote attacker inject OS commands via the ipoa_ipaddr argument handled by the ipoa_test function in /sbin/rc during IPoA WAN connection setup. Publicly available exploit code exists (published via VulDB and a researcher write-up), and because the device runs its control logic as a privileged system process, successful injection yields full command execution on the router. The product has been end-of-life since 2011 and the vendor will not issue a fix, so exposure is permanent for still-deployed units; there is no CISA KEV listing or confirmation of active exploitation.
Stack-based buffer overflow in the TRENDnet TEW-635BRM wireless router (firmware up to 1.00.03) lets an authenticated remote attacker overflow a fixed-size stack buffer through the device_name argument handled by the start_httpd function in /sbin/rc, potentially achieving arbitrary code execution on the device. Publicly available exploit code exists (VulDB), though it is not listed in CISA KEV, so there is no public exploit identified as actively exploited at time of analysis. The device has been end-of-life since 2011 and the vendor declined to confirm the flaw, meaning no fix will be issued.
Local privilege escalation in SecureAge CatchPulse endpoint protection (versions up to and including 10.9.3) stems from a heap-based buffer overflow in the kernel driver saappctl.sys, where an authenticated local user can corrupt kernel heap memory to gain code execution at ring 0. Publicly available exploit code exists (demonstrated in a YouTube proof-of-concept), but there is no public exploit identified as being used in active attacks and the issue is not on CISA KEV. The CVSS 4.0 base score of 7.1 reflects local-only reachability but full compromise of confidentiality, integrity, and availability on the host once triggered.
OS command injection in the Comfast CF-WR631AX V3 WiFi router (firmware through 2.7.0.8) lets remote attackers execute arbitrary operating-system commands by manipulating the filename argument in the system_wl_upload_pic_file routine of the /usr/bin/webmgnt FastCGI backend. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation, and publicly available exploit code exists (E:P). It is not listed in CISA KEV, so there is no confirmed active exploitation, but the public disclosure lowers the barrier for opportunistic attacks against exposed devices.
Arbitrary file write in Crawl4AI's Docker API server (versions before 0.8.7) lets remote unauthenticated attackers overwrite any file writable by the service account by abusing the unvalidated output_path parameter on the /screenshot and /pdf endpoints. Reported by VulnCheck and disclosed in GitHub advisory GHSA-365w-hqf6-vxfg, the flaw enables path traversal or absolute-path writes that corrupt server files and cause denial of service. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-privileges attack surface makes it a straightforward target once a Crawl4AI Docker server is exposed.
Credential exfiltration in Crawl4AI's Docker API server (all versions before 0.8.8) lets remote unauthenticated attackers steal secrets from the host. By abusing the exposed /md, /llm, and /llm/job endpoints, an attacker supplies a malicious base_url to redirect outbound LLM API calls and sets api_token to the special form env:VARIABLE_NAME, causing the server to resolve and leak arbitrary environment variables - including provider API keys and the JWT SECRET_KEY, which in turn enables full authentication bypass. No public exploit identified at time of analysis, but the flaw is trivially exploitable and reported by VulnCheck with an assigned CVSS 4.0 score of 8.8.
Buffer overflow in the TRENDnet TEW-821DAP (firmware 1.12B01) wireless access point lets an authenticated remote attacker corrupt memory through the ssi-driven /goform/tools_nslookup handler (function sub_41EC14), enabling likely remote code execution or device crash. The device is end-of-life and the vendor has stated it cannot confirm or fix the issue, so no official patch is expected. A public technical write-up describing the overflow exists on GitHub (VulDB-coordinated disclosure), but there is no confirmed active exploitation in CISA KEV.
Buffer overflow in the TRENDnet TEW-821DAP (v1.0R, firmware 1.12B01) dual-band access point lets an authenticated remote attacker corrupt memory via the ssi handler sub_41EC14, reachable through the /goform/tools_nslookup endpoint. Supplying an oversized nslookup_target value overruns a fixed buffer (CWE-120), enabling denial of service and likely arbitrary code execution on the device. No public exploit has been identified at time of analysis; the product is end-of-life and the vendor states it cannot confirm the flaw.
Stored cross-site scripting in OpenWrt's luci-app-upnp lets an unauthenticated LAN client persist a JavaScript payload that executes in the router administrator's browser. By supplying malicious HTML in the NewPortMappingDescription field of a UPnP IGD AddPortMapping SOAP request, an attacker gets miniupnpd to store the value and luci-app-upnp to render it unencoded on the UPnP and Status pages. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.7 (High).
Privilege escalation to root in OpenWrt's luci-app-samba4 (LuCI web interface) lets authenticated delegated users invoke the root-owned Samba daemon with attacker-controlled arguments. The package's 'read' ACL improperly grants file.exec permission on /usr/sbin/smbd, so a low-privileged operator can launch smbd with global options like 'message command' and achieve arbitrary command execution as root when SMB messages are processed. Reported by VulnCheck with a GHSA advisory published; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Unauthenticated information disclosure in Capgo before 12.128.2 exposes confidential business metrics through the Supabase PostgREST /rest/v1/global_stats endpoint, which lacks row-level security enforcement. Any remote party holding only the public (anon) Supabase apikey - a value embedded in Capgo client apps and therefore trivially obtainable - can read MRR, total and plan-tier revenue, customer counts, and operational telemetry. Reported by VulnCheck via a GitHub security advisory; no public exploit code or active exploitation has been identified at time of analysis, though the CVSS 4.0 score of 8.7 reflects high confidentiality impact with no barriers to access.
Account takeover in Capgo before 12.128.2 arises because the email-change endpoint performs no current-password re-authentication and no verification of the existing email address, letting an attacker who already holds a valid session cookie or an authenticated browser silently repoint the account email. By seizing the recovery address, the attacker captures password-reset flows and sidesteps multi-factor authentication, converting a hijacked session into durable full account control. There is no public exploit identified at time of analysis, but the flaw is vendor-confirmed via GitHub Security Advisory GHSA-9px4-w25f-mvm4 and reported by VulnCheck.
Privilege elevation in Microsoft Edge (Chromium-based) lets a network attacker escalate privileges by luring a victim into loading crafted web content that triggers an untrusted pointer dereference (CWE-822). Microsoft rates it CVSS 8.3, driven by a scope change (sandbox/boundary crossing) and full confidentiality, integrity, and availability impact, but exploitation requires user interaction and is of high attack complexity. No public exploit identified at time of analysis (E:U), it is not on CISA KEV, and an official vendor fix is available.
Out-of-bounds stack write in the Zephyr RTOS IPv4 address parser (parse_ipv4() in subsys/net/ip/utils.c) lets an attacker corrupt memory when an application resolves an attacker-influenced "a.b.c.d:port" string, causing at minimum denial of service and potentially control-flow hijack on the affected embedded device. The defect exists in every release from v1.9.0 through v4.4.0 and is reachable through the standard socket resolver (zsock_getaddrinfo), DNS server-string configuration, and the eswifi Wi-Fi DNS-response path. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor fix (two upstream commits and advisory GHSA-532c-7g7f-jhmh) is available.
Kernel memory corruption in the Zephyr RTOS (versions v1.14.0 through v4.4.0) lets an unprivileged user-mode thread corrupt the kernel's dynamic object-tracking list across the userspace security boundary. The flaw is a use-after-free race (CWE-416) in the obj_list traversal, exploitable only on builds combining CONFIG_SMP, CONFIG_USERSPACE, and CONFIG_DYNAMIC_OBJECTS, and can yield privilege escalation or a kernel crash. No public exploit identified at time of analysis; a vendor patch is available.
Out-of-bounds write in the WireGuard subsystem of Zephyr RTOS 4.4.0 lets a malicious or compromised WireGuard peer (or an on-path attacker driving an established session) corrupt memory by sending an oversized transport-data datagram. Because the flawed copy occurs before the Poly1305 authentication check, exploitation needs only a valid receiver session index rather than a valid authenticator, and reliably yields at least a remote denial of service on the target device. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the Zephyr project has published advisory GHSA-3wqm-wgx2-9367 and an upstream fix.
Privilege escalation in Capgo before 12.128.2 lets demoted super_admin users retain organization-wide bundle management rights because the org_users.user_right column is not cleared when their role binding is deleted. A user who once held super_admin can continue invoking the delete_non_compliant_bundles and count_non_compliant_bundles RPCs to enumerate and bulk-delete non-compliant bundles across the entire organization indefinitely, well after their privileges were supposedly revoked. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.
Cross-organization account disruption in Capgo before 12.128.2 lets an enterprise administrator in one organization destroy the email/password login of users belonging to different organizations. By abusing the SSO prelink-users endpoint, an attacker holding the org.update_settings permission with an active SSO provider can permanently remove password identities for any user whose email matches the provider's domain, locking victims out of native authentication and forcing them onto the attacker's SSO or a password-reset recovery flow. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was reported by VulnCheck.