Code injection in SonicCloudOrg sonic-agent through version 2.7.2 allows remote unauthenticated attackers to inject and execute arbitrary code via the ExchangeController endpoint, which bypasses or is excluded from the JWT Authentication Filter. The vulnerability carries a public proof-of-concept exploit named 'Unauth_ExchangeSend', confirming the endpoint is reachable without authentication. Critically, the affected product is end-of-life with no vendor support, and the maintainer did not respond to disclosure - no patch is forthcoming.
Unauthenticated remote password modification on H3C NX15 V100R017 routers allows any network-reachable attacker to overwrite the administrator password via the change_passwd function at the /api/login/modify endpoint, effectively seizing full administrative control of the device. The vulnerability stems from a missing authentication or authorization check on the password modification API (CWE-640), meaning no credentials or session token are required to invoke it. A public proof-of-concept exploit is available on GitHub, and no vendor patch has been identified at time of analysis.
Missing authentication in RafyMrX TOKO-ONLINE-ROTI, an Indonesian online bakery shop management application, allows remote unauthenticated attackers to access restricted application functionality with low-level impact across confidentiality, integrity, and availability. All code through commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 is affected, and no patch exists because the vendor did not respond to coordinated disclosure. No public exploit code and no CISA KEV listing exist at time of analysis.
Unauthenticated information disclosure in Capgo's /private/sso/check-domain endpoint exposes internal org_id and provider_id values to any network-reachable attacker. All Capgo deployments prior to version 12.128.2 are affected, with the vulnerable endpoint accessible without credentials. An attacker can systematically enumerate email domains against this endpoint to construct a detailed mapping of domains to organization UUIDs and SSO provider identifiers, enabling targeted reconnaissance against Capgo tenants - no public exploit identified at time of analysis.
SQL injection in SmartHomeAdatum's users.php Login component exposes the backend database to unauthenticated remote manipulation via a crafted Login argument. All commits up to cf495353d81b680675eb8d9aa14a318aa45ce12c of this PHP-based smart home application are affected, with no patch available and a vendor that did not respond to disclosure. No public exploit code or CISA KEV listing exists at time of analysis, though the CVSS 4.0 vector confirms low-complexity unauthenticated network exploitation.
Skillable's hosted SCORM lab launch endpoint at scorm.skillable.com enforces per-user lab allocation limits against a client-supplied userId query parameter that is never validated against the authenticated SCORM session token, enabling any enrolled learner to bypass rate limits, provision concurrent cloud VM lab instances at the course provider's expense, and exhaust another enrolled user's lab or exam allocation to deny them access. The vulnerability (CWE-639) was confirmed against the reporter's own account and a consenting fellow student on 2026-05-03; the vendor subsequently acknowledged in a private customer advisory that exam allocations and another learner's active session details are also reachable via the same mechanism. No fix is planned for the SCORM launch path; the vendor characterises the weakness as an inherent SCORM limitation and recommends migration to API or LTI 1.3 integrations. No public exploit code has been released, but the attack technique is trivially reproducible by any enrolled student with a proxy.
Use-after-free and double-free in Zephyr RTOS's experimental USB host stack (CONFIG_USB_HOST_STACK, introduced in v4.4.0) allows an attacker with physical USB access to crash the target device or corrupt live kernel slab objects by bouncing a USB device connection to trigger a second removal event after the slab has already been freed. The flaw exists because usbh_device_disconnect() frees the root usb_device slab object without clearing the cached ctx->root pointer, and UHC controller drivers (uhc_max3421e, uhc_mcux_common) emit UHC_EVT_DEV_REMOVED directly from hardware line-state with no debounce or re-entry guard. No public exploit identified at time of analysis, and no CISA KEV listing; the physical-access prerequisite substantially constrains the realistic attacker population.
SQL injection in RafyMrX TOKO-ONLINE-ROTI (up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99) allows remote unauthenticated attackers to manipulate database queries via the kode_produk and kd_cs parameters in proses/add.php. The CVSS 4.0 vector confirms no privileges or user interaction are required, and a public exploit (E:P) has been released, lowering the skill threshold for opportunistic attacks. The vendor did not respond to coordinated disclosure, leaving no official patch available at time of analysis.
SQL injection in TOKO-ONLINE-ROTI's login endpoint exposes all deployments up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 to unauthenticated remote database manipulation via the Username parameter in proses/login.php. A public exploit is available (CVSS 4.0 E:P), and the vendor has not responded to responsible disclosure, meaning no vendor-released patch exists and no remediation guidance has been issued. No public exploit identified at time of analysis as confirmed active exploitation (CISA KEV), but the combination of a fully unauthenticated attack path, low complexity, and available proof-of-concept code elevates real-world risk above the 5.5 base score suggests.
SQL injection in Aster Telecom Azcall 10/11 exposes a network-reachable administrative endpoint to unauthenticated query manipulation via the nome, perfil, and status HTTP parameters in the store management handler. The CVSS 4.0 vector confirms no authentication or special prerequisites are required (AV:N/AC:L/PR:N/UI:N), and public exploit code is available (E:P). The vendor did not respond to coordinated disclosure, meaning no official patch exists at time of analysis.
Unrestricted file upload in shiroiAdmin versions 1.1 and 1.3 (PHP admin panel by hcr707305003) exposes the `FileController::upload` function to unauthenticated remote exploitation, enabling attackers to upload arbitrary files - including PHP webshells - to the server without authentication. A public exploit has been disclosed (CVSS 4.0 E:P), and the vendor did not respond to coordinated disclosure. Exploitation conditions are severe: the CVSS 4.0 vector confirms network-accessible, zero-authentication, low-complexity exploitation with no user interaction required.
OS command injection in the TRENDnet TEW-821DAP wireless access point firmware enables authenticated remote attackers to execute arbitrary operating system commands by manipulating the Hostname parameter submitted to the /goform/system_ntp endpoint, processed by function sub_41FBD0. The device (v1.0R hardware, firmware 1.11B03) is confirmed end-of-life, and the vendor has explicitly declined to investigate or remediate the issue. No patch will be released; no public exploit code is confirmed at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
OS command injection in TRENDnet TEW-821DAP firmware 1.11B03 allows a network-adjacent authenticated attacker to execute arbitrary shell commands by manipulating the hostname, username, or password parameters in the DDNS configuration handler at /goform/tools_ddns. The affected product is officially end-of-life - the vendor has declined to issue a patch and disputes ability to confirm the vulnerability on the v1.0R hardware revision. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CWE-78 vulnerability class is trivial to weaponize once firmware internals are mapped via the linked IOT research repository.
OS command injection in the TRENDnet TEW-821DAP 1.11B03 wireless access point allows authenticated remote attackers to execute arbitrary operating system commands by manipulating the nslookup_target or dns_server arguments passed to the DNS Lookup Handler at /goform/tools_nslookup (function sub_43F2C4). The affected device is end-of-life and the vendor has explicitly declined to patch it, stating they cannot confirm the vulnerability's existence for the TEW-821DAP v1.0R. No public exploit code or CISA KEV listing has been identified at time of analysis, though the network-accessible attack surface and EOL status make remediation by replacement the only viable long-term strategy.
SQL injection in AojiaoZero Antaris 1.0 exposes the application database through the PayPal IPN payment callback endpoint, where the `_rewardPurchase` function fails to sanitize the `item_number` parameter before incorporating it into SQL queries. An authenticated remote attacker who can send a crafted POST request to `/ipn.php` can manipulate the underlying database query, potentially reading sensitive records, modifying data, or degrading availability. No public exploit code has been identified at time of analysis, and the vendor did not respond to disclosure, leaving the vulnerability unpatched.
Scope isolation failure in Capgo's POST /webhooks/test endpoint allows authenticated app-scoped API keys to invoke org-scoped webhook operations, bypassing the intended limited_to_apps authorization boundary. All Capgo instances prior to version 12.128.2 are affected, enabling credential holders with narrow, app-level access to trigger signed outbound webhook deliveries targeting arbitrary organization webhooks they should not control. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the CVSS 4.0 vector (PR:L, AV:N) confirms low-privilege network exploitation is straightforward once credentials are in hand.
SQL injection in Capgo's POST /private/admin_stats endpoint allows platform administrators to inject arbitrary SQL fragments into Cloudflare Analytics Engine queries via an unsanitized limit parameter. Affected versions are all Capgo releases before 12.128.2. An attacker holding valid platform admin credentials can exploit this to enumerate analytics dataset schemas, extract analytics data, or cause denial-of-service against the analytics backend. No public exploit has been identified at time of analysis, and the high-privilege requirement (PR:H) substantially limits realistic blast radius.
Cross-site scripting in Akpali9 Attendance-Management-System allows a remote, low-privileged attacker to inject malicious JavaScript via the export_date parameter in absent.php, executing in the browser context of any victim user who interacts with attacker-crafted content. All versions up to commit 70b91fe38f4195b701a45f0edcd4f42d5f64aeee are affected; the project's rolling release model means no discrete patched version exists, and the vendor did not respond to disclosure. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.
Out-of-bounds stack write in Zephyr's nRF70 Wi-Fi driver exposes embedded systems to memory corruption when the nRF70 co-processor returns a power-save event with more than eight TWT flow entries. The vulnerable function `nrf_wifi_event_proc_get_power_save_info()` blindly copies co-processor-supplied TWT entries into a fixed 8-element stack array without validating `num_twt_flows` against `WIFI_MAX_TWT_FLOWS`, enabling heap/stack corruption of approximately 40 bytes per excess entry. No public exploit code exists and the flaw is not listed in CISA KEV, but the adjacent-network attack vector and the indirect over-the-air influence path via a rogue AP manipulating TWT sessions make this a meaningful risk in Wi-Fi 6 (802.11ax) deployment environments running Zephyr with `CONFIG_NRF70_STA_MODE`.