Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases arises from an Uncontrolled Search Path Element weakness that lets attacker-controlled files or libraries be loaded when a victim opens a malicious file, running code in the context of the current user. The bug carries a scope change (S:C), meaning execution can affect resources beyond the initially vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so real-world risk currently hinges on social-engineering a local user into opening a crafted file.
Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and earlier arises from an uncontrolled search path element (library-hijacking-style) flaw that runs attacker code in the context of the current user when a victim opens a malicious file. The CVSS 3.1 base score is 8.2 with a changed scope, and exploitation is gated by user interaction and low-privilege local access. No public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Reflected cross-site scripting in the Comment module of NukeViet CMS (versions before 4.5.09) lets remote unauthenticated attackers execute arbitrary JavaScript in a victim's browser via a crafted URL. The status_comment parameter carries base64-encoded HTML that is decoded server-side and rendered unescaped, while a second flaw makes the checkss anti-forgery token static and site-wide, removing the only barrier to URL-based delivery. No public exploit identified at time of analysis, though the advisory documents a confirmed proof-of-concept credential-phishing overlay.
Privilege escalation in the Houzez Login Register WordPress plugin (versions up to and including 3.3.3) lets remote attackers obtain a higher-privileged role than intended due to incorrect privilege assignment (CWE-266). Reported by Patchstack with a CVSS 8.2 (high) score, the flaw carries a network vector with no privileges or user interaction required and a high integrity impact. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Man-in-the-middle code injection in DIRAC's grid pilot bootstrap affects the DIRACGrid Python distributed-computing framework, where the PilotWrapper explicitly disables TLS certificate validation when fetching the second-stage pilot.tar. Because both the payload and its reference checksum traverse the same unverified HTTPS channel, an attacker positioned on the grid site's network can substitute arbitrary code that runs in the pilot context with access to its proxy/credentials. No public exploit identified at time of analysis; exploitation requires an active network intercept, which the vendor notes is non-trivial, but the CVSS is 8.1 due to full CIA impact.
Privilege escalation in the Apache Airflow FAB auth manager (apache-airflow-providers-fab before 3.7.2) lets a low-privileged user who is granted per-DAG access to a DAG literally named 'DAGs' silently receive the global all-DAGs permission, gaining read and edit access to every DAG in the deployment. The flaw stems from a resource-name collision in resource_name(), where the reserved global resource string 'DAGs' is indistinguishable from a legitimate dag_id of the same value. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Man-in-the-middle interception of Apache Airflow's Git provider (apache-airflow-providers-git before 0.4.1) is possible because git-over-SSH operations run with StrictHostKeyChecking=no by default, so no SSH host-key verification occurs. An attacker positioned on the network path between an Airflow worker and its Git server can impersonate the server to steal the SSH deploy key or inject malicious DAG content, leading to code execution on workers. No public exploit identified at time of analysis, and it is not listed in CISA KEV; CVSS is 8.1 (High) driven by high attack complexity (AC:H) requiring an on-path position.
PHP Local File Inclusion in the WordPress RT-Theme 18 | Extensions plugin (rt18-extensions) by stmcan lets remote attackers coerce the plugin into including attacker-influenced local file paths in an include/require statement, exposing sensitive files and potentially achieving code execution if a suitable includable file exists. All versions from an unspecified start through 2.5 are affected. No public exploit identified at time of analysis and it is not on CISA KEV, but the CVSS 3.1 base score is 8.1 (high) and the flaw is reachable without authentication.
Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file such as shell.php.jpg that passes all MIME, extension, and aggregate-type validation because of the trailing .jpg, yet retains an inner .php in its stored basename. On Apache/nginx servers misconfigured to execute any filename containing .php, the stored artifact runs as PHP. Reported by VulnCheck with a vendor patch in 7.0.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation to SYSTEM in WinFsp (Windows File System Proxy) stems from an integer overflow (CWE-190) that a low-privileged local user can trigger to achieve system-level access on the host. The flaw crosses a privilege boundary (CVSS scope change) and is fixed in release v2.2B2. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is theoretical but the SYSTEM-level impact makes it a meaningful local escalation risk.
Authorization bypass via symlink following in OpenClaw's mirror sync feature (versions before 2026.6.9) lets a lower-privilege caller escalate into actions that should require stronger authorization. By planting or referencing symlink parents on a remote mirror target, an authenticated attacker can trick the sync logic into resolving links that cross policy and trust boundaries, yielding high confidentiality and integrity impact. There is no public exploit identified at time of analysis and no CISA KEV listing; no EPSS score was supplied.
Blind SQL injection in the persian-gravity-forms WordPress plugin (گرویتی فرم فارسی) affects all versions up to and including 3.0.2, allowing a high-privilege authenticated attacker to inject arbitrary SQL through unsanitized input and blindly extract database contents. The flaw was reported by Patchstack and carries a CVSS 7.6 due to a changed scope and high confidentiality impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Blind SQL injection in the Zorem "Advanced Shipment Tracking for WooCommerce" WordPress plugin (all versions through 4.0) lets an authenticated high-privileged user inject SQL into a backend query and extract database contents inference by inference. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was disclosed via Patchstack. Because exploitation requires elevated WordPress privileges (CVSS PR:H), real-world risk is bounded to trusted-but-abusive or compromised admin/shop-manager accounts rather than anonymous internet attackers.
Denial-of-service in Ollama's downloadBlob function lets remote, unauthenticated attackers crash affected installations by supplying malformed data that triggers an out-of-bounds array access. The flaw (ZDI-CAN-27277 / ZDI-26-403, CWE-129) carries a CVSS 7.5 with an availability-only impact and requires no authentication or user interaction. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Stack-based buffer overflow in Shibby Tomato router firmware (versions up to and including 1.28.0000) allows a remote, low-privileged attacker to corrupt the stack of the embedded web server (/usr/sbin/httpd) via the DNS List Rendering function sub_407220, potentially achieving arbitrary code execution on the router. The flaw is remotely reachable and, per the CVSS 4.0 vector, requires low-level authentication (PR:L) to the web administration interface. VulDB assigns an exploit maturity of Proof-of-Concept, meaning publicly available exploit code exists, though it is not listed in CISA KEV and no active exploitation is confirmed. Notably, the Tomato project by Shibby is discontinued and superseded by FreshTomato, so no first-party fix is expected.
Denial of service in MikroTik RouterOS 7.21.x (before 7.21.4) and 7.22.x (before 7.22.2) allows a remote unauthenticated attacker to crash the core inter-process communication layer by triggering an integer overflow in the unflatten() function of the bundled libumsg.so library. Successfully exploiting it disrupts device availability without touching data confidentiality or integrity. There is no public exploit identified at time of analysis, though a third-party research blog documents the underlying integer overflow; EPSS is low at 0.20% (10th percentile).
A Denial of Service (DoS) vulnerability exists in the receive loop of libmodbus 3.1.12 when running on Windows. The issue stems from improper timeout management during network read operations.
Denial of service in the Crypt::OpenSSL::X509 Perl module before 2.1.3 lets a malformed X.509 certificate crash any Perl process that parses it. Four helper functions (basicC, ia5string, auth_att, keyid_data) dereference NULL pointers returned by OpenSSL's X509V3_EXT_d2i() on unparseable extensions - and keyid_data/auth_att additionally deref an akid->keyid field that is legitimately NULL for an empty Authority Key Identifier (DER 30 00). There is no public exploit identified at time of analysis, but the fix commit and a clear crash mechanism are published; CVSS is 7.5 (availability-only).
Remote code execution in the Lorex 2K Indoor Wi-Fi Security Camera lets a network-adjacent, unauthenticated attacker run arbitrary code as root by abusing a CWE-134 format string flaw in the camera's 'sonia' binary. A user-supplied string within a JSON request is passed directly into a format specifier by the CDeviceOperator component, giving full device takeover. Discovered and reported through ZDI (ZDI-26-398 / ZDI-CAN-25884); no public exploit identified at time of analysis.
Remote code execution affects the Lorex 2K Indoor Wi-Fi Security Camera through improper TLS certificate validation in its device management server, allowing a network-adjacent attacker to impersonate the management server and, when chained with additional flaws, run code as root without any user interaction. The issue was reported through Trend Micro's Zero Day Initiative (ZDI-26-399, formerly ZDI-CAN-26851). There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Access key authentication bypass in Apollo ConfigService (com.ctrip.framework.apollo, versions < 2.5.2) lets an unauthenticated remote attacker read raw configuration data even when AccessKey/management-key authentication is enabled. The service mis-parses the appId on the /configfiles/raw/{appId}/{clusterName}/{namespace} endpoint as the literal string 'raw', so no matching secret is found and the signature check is skipped for the real target app. No public exploit identified at time of analysis; the flaw is fixed in Apollo 2.5.2.
Authentication bypass in Apollo (Ctrip apolloconfig) ConfigService allows an unauthenticated remote attacker to read protected configuration data from /configs and /configfiles endpoints even when AccessKey/management-key authentication is enabled. The flaw stems from ConfigService accepting a non-canonical appId variant (e.g. accented or trailing-space forms) that misses the AccessKey secret cache lookup - causing signature verification to be skipped - while the downstream release lookup still resolves the value to the real, protected app under equivalence-treating database collations. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the confidentiality-only impact drives the CVSS 7.5 (High) rating.
Unauthenticated retrieval of scanned identity documents affects the Decidim participatory-democracy platform (decidim-verifications) when the "Identity documents" verification method is enabled. The admin review UI renders verification_attachment images via variant_url(...), emitting signed /rails/active_storage/disk/ links that bypass Decidim's authorization controllers; because Active Storage service URLs are configured to remain valid for seven days, anyone who obtains such a URL can download the underlying ID scan without any Decidim session. No public exploit identified at time of analysis, though the vendor advisory (GHSA-3mvf-82qp-8qh5) includes step-by-step reproduction; not listed in CISA KEV and EPSS was not provided.
Privilege escalation in Red Hat OpenShift's incluster-checks diagnostic tool lets any authenticated user holding the standard 'edit' RBAC role escalate to root on the underlying cluster nodes. The tool provisions privileged debug pods with host-filesystem access inside the shared default namespace, so a low-privileged tenant can simply exec into an existing pod and break out to the host. No public exploit identified at time of analysis, and no CISA KEV listing; EPSS data was not provided in the source intelligence.
Arbitrary file download via path traversal in the Forminator WordPress plugin (WPMU DEV) affects all versions up to and including 1.55.0.2, letting remote unauthenticated attackers read files outside the intended directory (CVSS 7.5, confidentiality-only). The Patchstack reference characterizes this as an arbitrary file download flaw, meaning sensitive server files such as wp-config.php could be exfiltrated. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local File Inclusion in the Select-Themes "Tonda" WordPress theme (all versions through 2.5) lets an authenticated attacker with low privileges coerce a PHP include/require statement into loading arbitrary local files on the server. Tracked as CVE-2026-57805 (CWE-98) and reported by Patchstack, it carries a CVSS 7.5 rating and enables disclosure of sensitive files such as wp-config.php, with potential escalation to code execution via log/session poisoning. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local File Inclusion in the CodexThemes TheGem Theme Elements (for Elementor) WordPress plugin (versions up to and including 5.11.1) lets an authenticated low-privileged attacker coerce the application into including arbitrary local PHP files, exposing sensitive files and potentially executing attacker-influenced code within the site context. Classified as CWE-98 (PHP Remote/Local File Inclusion) and reported by Patchstack, the flaw carries a CVSS 3.1 base score of 7.5 with high impact across confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and no active exploitation on record.
Local File Inclusion in the Select-Themes Struktur Core WordPress plugin (all versions up to and including 2.5.1) lets an authenticated low-privileged user coerce a PHP include/require statement into loading arbitrary local files, exposing sensitive server-side content such as wp-config.php credentials. Reported by Patchstack and classified under CWE-98 (PHP Remote File Inclusion), the flaw carries a CVSS 3.1 score of 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. Depending on server configuration, LFI of attacker-influenced content (e.g., poisoned logs or uploaded files) can escalate to PHP code execution.
Local File Inclusion in the Select-Themes "Struktur" WordPress theme (all versions up to and including 2.5.1) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary local files on the server, exposing sensitive content such as wp-config.php credentials and, under the right conditions, escalating to code execution. Tracked as CVE-2026-57802 (CWE-98) and reported by Patchstack, it carries a CVSS 7.5 rating; there is no public exploit identified at time of analysis and it is not on CISA KEV. The CVSS vector's PR:L indicates authentication is required and AC:H reflects non-trivial exploitation preconditions.
PHP Local File Inclusion in the Select-Themes SetSail WordPress theme (versions up to and including 2.1) allows an authenticated attacker to coerce the application into including local files via improper control of a filename in an include/require statement. Successful exploitation can disclose sensitive files (e.g., wp-config.php) and, depending on server conditions, escalate to code execution through log poisoning or PHP wrapper abuse. This is a Patchstack-reported issue with no public exploit identified at time of analysis and no CISA KEV listing.
Local File Inclusion in the Edge-Themes 'Overworld' WordPress theme (versions up to and including 1.5) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary server-side files, disclosing sensitive data such as wp-config.php credentials and potentially escalating to code execution via log/session poisoning. The flaw was reported by Patchstack and is classified as CWE-98 (PHP Remote File Inclusion). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not provided.
Local file inclusion in the uxper Nuss WordPress theme (versions up to and including 1.3.6) lets an authenticated attacker with low-privilege access coerce the theme into including arbitrary PHP-parsable files from the server via improperly controlled include/require paths (CWE-98). Successful exploitation can disclose sensitive files and, depending on what can be included, lead to code execution, with high confidentiality, integrity, and availability impact per the CVSS 7.5 rating. No public exploit identified at time of analysis; the flaw was reported through Patchstack.
Local File Inclusion in the NewsPlus Shortcodes WordPress plugin (versions up to and including 4.2.0) allows an authenticated attacker to coerce the plugin into including arbitrary PHP-processable files from the server, enabling disclosure of sensitive files and potential code execution. The flaw stems from improper control of a filename passed to a PHP include/require statement (CWE-98). No public exploit was identified at the time of analysis, and it is not listed in CISA KEV; risk is moderated by high attack complexity and a required privilege level.
Local File Inclusion in the VLThemes Leedo WordPress theme (versions up to and including 3.0.0) allows authenticated attackers to include and execute arbitrary local files on the server via improper control of a filename passed to a PHP include/require statement. Although classified under PHP Remote File Inclusion (CWE-98), Patchstack characterizes the practical impact as Local File Inclusion, enabling disclosure of sensitive files and potential code execution from locally accessible content. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 with high attack complexity.
Local File Inclusion in the Kitchor WordPress theme by themelexus (versions up to and including 1.4.3) allows an authenticated attacker to coerce a PHP include/require statement into loading arbitrary local files from the server. Because the theme fails to constrain the filename passed to an include path (CWE-98), an attacker with at least low-level authenticated access can read sensitive files such as wp-config.php and, under the right conditions, escalate to PHP code execution via log poisoning or inclusion of attacker-influenced content. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 3.1 base score is 7.5.
Local file inclusion in the uxper Golo Framework WordPress plugin (versions up to and including 1.7.3) lets an authenticated attacker abuse an improperly validated include/require path to read arbitrary server-side files and potentially execute embedded PHP. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N) indicates network-reachable exploitation requiring low-level authentication and elevated attack complexity, with high impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local File Inclusion in the Elated-Themes 'Flow' WordPress theme (all versions up to and including 1.8) lets an authenticated attacker abuse an improperly controlled include/require path to read local files and potentially execute PHP. The CVSS 3.1 vector (AV:N/AC:H/PR:L) indicates a network-reachable but low-privilege, high-complexity flaw. No public exploit identified at time of analysis, and it is not listed in CISA KEV; disclosure comes from Patchstack.
Local file inclusion in the Mikado-Themes "Dor" WordPress theme (all versions through 2.4.1) lets an authenticated attacker with low privileges supply a crafted filename to a PHP include/require statement, causing the server to include and execute arbitrary local files. Patchstack attributes it to improper control of a filename passed to a PHP include path (CWE-98), enabling disclosure of sensitive files and potential code execution. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the high CVSS (7.5) reflects the full-impact potential once the low-privilege prerequisite is met.
Local file inclusion in the ThemeMove Brook WordPress theme (versions up to and including 2.9.0) lets authenticated attackers coerce a PHP include/require statement into loading arbitrary local files on the server, exposing sensitive data such as wp-config.php credentials and potentially escalating to code execution. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.5, but exploitation is rated high-complexity (AC:H) and requires at least low-level authentication (PR:L). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local File Inclusion in the jwsthemes Aqua WordPress theme (versions up to and including 5.1.2) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary local files, exposing sensitive data and potentially achieving code execution. Reported by Patchstack under CWE-98, the flaw carries CVSS 7.5 but requires low-level privileges and high attack complexity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local File Inclusion in the ThemeMove 'Billey' premium WordPress theme (versions up to and including 2.1.8) lets an authenticated attacker with low privileges control a filename used in a PHP include/require statement, exposing sensitive server-side files such as wp-config.php. Classified by Patchstack under CWE-98 (PHP Remote File Inclusion) but resolving to Local File Inclusion in practice, the flaw carries a CVSS 7.5 rating and no public exploit identified at time of analysis. Under specific conditions PHP file inclusion can escalate from information disclosure toward code execution via techniques such as log poisoning.
Local File Inclusion in the Edge-Themes "Aalto" WordPress theme (all versions up to and including 1.8) lets an authenticated attacker control a filename passed to a PHP include/require statement, exposing local files and potentially executing PHP. The flaw was reported by Patchstack and carries CVSS 7.5; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Despite the CWE-98 "Remote File Inclusion" classification, the described impact is Local File Inclusion.
Broken access control in the UX-Themes Flatsome WordPress theme (versions up to and including 3.20.5) allows remote unauthenticated attackers to reach functionality or data that should be authorization-gated, resulting in confidentiality-only impact per the CVSS vector. The flaw stems from a missing authorization check (CWE-862) and was catalogued by Patchstack, but there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Flatsome is one of the most widely sold commercial WooCommerce themes, so the affected footprint is substantial even though only information disclosure (not integrity or availability) is implicated.
Broken access control in the Themeum Kirki WordPress customizer framework (versions up to and including 6.0.13) allows remote unauthenticated attackers to reach functionality protected by incorrectly configured access-control levels, resulting in disclosure of sensitive information. The flaw was reported by Patchstack and stems from a missing authorization check (CWE-862); no public exploit has been identified at time of analysis. With a CVSS of 7.5 driven purely by confidentiality impact, the practical risk is unauthorized data exposure rather than site takeover.
Broken access control in the Event Tickets WordPress plugin (versions up to and including 5.28.5) lets remote unauthenticated attackers modify data they should not be able to reach because an authorization check is missing on a privileged action. The flaw carries a 7.5 CVSS with an integrity-only impact (I:H) and no confidentiality or availability effect, and there is no public exploit identified at time of analysis. It was disclosed by Patchstack and affects default installations of the plugin.
Authentication bypass in the Metagauss ProfileGrid WordPress plugin (versions up to and including 5.9.9.6) lets remote unauthenticated attackers abuse the password recovery flow as an alternate channel to hijack arbitrary user accounts, including administrators. Because the flaw is exploitable over the network with no privileges and no user interaction (CVSS 7.5, I:H), it enables full account takeover on affected WordPress sites. No public exploit is identified at time of analysis and it is not in CISA KEV, but the low attack complexity makes it an attractive target once details circulate.
Broken access control in the Phil Kurth "Advanced Forms" WordPress plugin (all versions up to and including 1.9.3.7) lets remote unauthenticated attackers reach a form-handling function that fails to verify authorization, enabling unauthorized modification of form data or settings. The CVSS 3.1 score is 7.5 with integrity-only impact and no confidentiality or availability loss. Reported by Patchstack; no public exploit identified at time of analysis and not listed in CISA KEV.
Sensitive information disclosure in Red Hat OpenShift AI's vllm-orchestrator-gateway component exposes bearer tokens and full chat payloads because the production binary writes all incoming Authorization headers and complete request bodies to persistent logs. Any user holding logging privileges can read these logs to harvest live credentials and potentially PII-laden conversation content. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Insecure direct object reference (IDOR) in Dassault Systèmes Tuleap Enterprise Edition 17.0 through 17.5 lets attackers read other users' data by manipulating a user-controlled key/identifier, breaking horizontal authorization boundaries. The CVSS 3.1 vector (AV:N/PR:N) scores it as remotely reachable with high confidentiality impact but no integrity or availability effect. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Sensitive information disclosure in OpenBMB XAgent v1.0.0 and earlier allows remote unauthenticated attackers to read arbitrary files on the server by abusing a path traversal flaw in the file() endpoint of XAgentServer's workspace router. The user-controllable 'filename' parameter is concatenated into a file path without validation, so a crafted request escapes the intended workspace directory. SSVC lists exploitation as proof-of-concept and automatable=yes; publicly available exploit code exists via a referenced gist, though this is not confirmed as actively exploited in the wild.