Privilege escalation in Adobe ColdFusion 2023 (through Update 21) and ColdFusion 2025 (through Update 10) allows a remote, unauthenticated attacker to bypass authorization checks and gain unauthorized read and write access. Because the CVSS vector marks scope as changed (S:C) with PR:N and no user interaction, the attacker can act beyond the ColdFusion application boundary, yielding the maximum CVSS base score of 10.0. No public exploit is identified at time of analysis, and EPSS is low at 0.24% (15th percentile), indicating no observed weaponization yet despite the critical rating.
SQL injection in Adobe ColdFusion 2023 (through Update 21) and ColdFusion 2025 (through Update 10) allows an authenticated attacker to inject crafted SQL and achieve arbitrary code execution in the context of the current user without any user interaction. The flaw carries a critical 9.9 CVSS with a changed scope, meaning impact extends beyond the vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the total technical impact and low attack complexity make it a high-priority patch for internet-facing ColdFusion servers.
Remote code execution in Adobe Commerce (Magento) allows attackers to run arbitrary code in the context of the current user through an improper output encoding/escaping flaw (CWE-116), scored CVSS 10.0 with a changed scope. It affects Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin across a wide range of versions up to 2.4.9 (and B2B up to 1.5.3). Exploitation requires no user interaction; per CVSS PR:N it is unauthenticated, though SSVC rates it as not automatable and there is no public exploit identified at time of analysis.
Unauthenticated remote command execution on Rockwell Automation's 1715-AENTR EtherNet/IP Adapter arises from a network-accessible debug port that enforces no privilege controls, exposing intrusive CLI commands to any attacker who can reach the device. An unauthenticated remote actor can read and delete files, halt tasks, modify memory, and manipulate physical I/O states, giving full control over device confidentiality, integrity, and availability. Rated CVSS 4.0 10.0 (Critical) with subsequent-system impact; no public exploit has been identified at time of analysis.
Authentication bypass in JetBrains YouTrack allows attackers to obtain full administrative access by leveraging a direct-database-access code path, per CWE-306 (missing authentication for a critical function). All self-hosted YouTrack builds prior to the 2026.1.13757 / 2025.3.148033 / 2025.2.148048 / 2025.1.148120 / 2024.3.148430 / 2024.2.148429 fix trains are affected, and JetBrains rates it CVSS 10.0. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the maximal severity score and administrative impact make prompt patching essential.
Authentication bypass in Siemens Opcenter X (all versions before V2604) lets an unauthenticated remote attacker forge JSON Web Tokens by exploiting improper validation of the algorithm field in the JWT header. Because the application trusts the attacker-controlled 'alg' value, an attacker can craft tokens that impersonate any user - including administrators - yielding full unauthorized access to the manufacturing operations platform. Rated CVSS 10.0 with a scope-changing critical impact; no public exploit identified at time of analysis and it is not currently in CISA KEV.
Remote code execution in Microsoft Windows Admin Center allows an authenticated attacker to run arbitrary code over the network by exploiting a relative path traversal (CWE-23) flaw. Any user holding valid low-privilege credentials to the WAC gateway can leverage the traversal to break out of the intended file path and achieve full compromise (confidentiality, integrity, and availability impact all High). Microsoft has published a patch via MSRC; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Memory corruption in SAP NetWeaver Application Server ABAP lets an authenticated attacker exploit logical flaws in memory management (an out-of-bounds write) to read or alter data and crash the system, with high impact on confidentiality, integrity, and availability. SAP rates it CVSS 9.9 with a changed scope, meaning a low-privileged user can affect components beyond their own authorization boundary. There is no public exploit identified at time of analysis, but the low attack complexity and network reachability make it a high-priority patch for any exposed ABAP stack.
Code injection (CWE-94) in Adobe ColdFusion 2023 (Update 21 and earlier) and ColdFusion 2025 (Update 10 and earlier) allows a low-privileged, network-adjacent attacker to execute arbitrary code in the context of the current user without any user interaction. Because the CVSS scope is changed, successful exploitation can extend impact beyond the vulnerable component to the underlying host. There is no public exploit identified at time of analysis and the EPSS probability is low (0.43%, 35th percentile), but the near-maximum CVSS of 9.9 and Adobe's own PSIRT reporting make this a high-priority patch.
Privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an authenticated attacker to inject crafted SQL commands over the network and gain higher database privileges (CVSS 8.8). The flaw is a classic improper neutralization of special elements (CWE-89) reachable by any principal already holding low-level database access. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV, though a vendor patch is available.
Authenticated remote code execution in Microsoft Windows Admin Center (CWE-77) lets an attacker with low-privilege access inject and run arbitrary commands over the network, yielding full confidentiality, integrity, and availability compromise (CVSS 8.8). Microsoft has released a patch; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Remote code execution in Microsoft Fabric Data Warehouse allows an authenticated attacker to run arbitrary code over the network by triggering a stack-based buffer overflow (CWE-121). The flaw carries a CVSS 8.8 rating with high impact to confidentiality, integrity, and availability, and requires only low-privilege access with no user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but a vendor patch is available via MSRC.
Security-feature bypass in Microsoft Visual Studio Code lets a remote attacker deliver functionality from an untrusted control sphere (CWE-829) that circumvents a built-in protection, yielding high confidentiality, integrity, and availability impact once a victim opens or interacts with attacker-supplied content. Rated CVSS 8.8 (AV:N/AC:L/PR:N/UI:R), it requires user interaction but no authentication, and Microsoft has released a fix via MSRC. There is no public exploit identified at time of analysis and it is not on the CISA KEV list.
Privilege elevation in Microsoft SharePoint Server (Enterprise Server 2016 and Server 2019) allows an authenticated network attacker to abuse an improper authorization check to gain higher privileges within the SharePoint environment. The flaw is tagged as an authentication bypass and carries a CVSS 8.8, reflecting high impact to confidentiality, integrity, and availability from a low-privileged starting point. Microsoft has released a patch; there is no public exploit identified at time of analysis and no CISA KEV listing.
Remote code execution in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) lets an authenticated attacker corrupt heap memory to run arbitrary code across the network. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) shows low-privilege network exploitation with full confidentiality, integrity, and availability impact, and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege elevation in Microsoft's Windows Server Update Services (WSUS) role allows a network-based, low-privileged attacker to gain higher privileges due to a missing authentication check on a critical function (CWE-306). The flaw affects WSUS as shipped on Windows Server 2012 through 2025 (and client builds Windows 10 1607/1809), with a CVSS 3.1 base score of 8.8; Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, low-complexity nature makes this a high-priority patch for update-management infrastructure.
Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged network attacker bypass authentication controls by tampering with data the framework wrongly assumes to be immutable (CWE-302). Microsoft reported and patched the flaw; there is no public exploit identified at time of analysis and it is not on CISA KEV. At CVSS 8.8 with PR:L, an authorized user can escalate to higher privileges over the network.
Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged network attacker gain higher privileges by abusing a flawed authentication algorithm implementation (CWE-303). Microsoft reported the flaw and has released a patch; there is no public exploit identified at time of analysis and it is not on the CISA KEV. The 8.8 CVSS reflects high confidentiality, integrity, and availability impact reachable over the network with only low prior privileges.
Privilege escalation in Microsoft SharePoint Server (Enterprise Server 2016, Server 2019, and Subscription Edition) lets an already-authenticated network user gain higher privileges by exploiting a missing authorization check (CWE-862). Any low-privileged account with access to the SharePoint web application can abuse the flaw to perform actions reserved for higher-privileged roles, with full confidentiality, integrity, and availability impact per the CVSS 8.8 rating. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation in Microsoft Azure CycleCloud 8.9.1 allows an authorized (low-privileged) attacker to gain elevated privileges over the network by reaching a critical function that lacks an authentication check (CWE-306). Reported by Microsoft with a patch available and rated CVSS 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The flaw enables full compromise of the CycleCloud instance's confidentiality, integrity, and availability, making it a high-priority patch for HPC-orchestration environments.
Cross-tenant data exposure in n8n-mcp (npm package, <= 2.56.0) lets an authenticated tenant on a shared multi-tenant HTTP instance read, delete, and destroy the automatic workflow version backups belonging to other tenants. Because each snapshot embeds full node definitions, the leaked data can include credential references and authorization headers, making this both a confidentiality and an integrity/availability failure. Rated CVSS 9.9 due to the scope change across tenant trust boundaries; no public exploit is identified at time of analysis, and it is not listed in CISA KEV.
Cross-resource SQL injection in the FacturaScripts REST API (all versions through 2026.1) lets a low-privileged, scoped ApiKey read or modify arbitrary database tables via the `filter` query parameter, enabling full admin account takeover. A single GET request with a parenthesized filter key leaks the admin's bcrypt password hash and `logkey` session token, which are then replayed as the `fsLogkey` cookie to reach admin-only endpoints like `/AdminPlugins`. A live end-to-end PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no public exploit identified as being used in active attacks (not in CISA KEV).
SureForms WordPress plugin before 2.11.1 permits unauthenticated attackers to submit manipulated payment amounts below the configured price on any form using a dynamically-sourced or hidden variable payment field, enabling financial fraud against site operators. The integrity bypass is confined to forms with variable pricing; fixed-price forms are explicitly unaffected. A publicly available proof-of-concept exists via WPScan, and a vendor patch is available in version 2.11.1 - though no CISA KEV listing confirms active mass exploitation at time of analysis.
Privilege escalation in Microsoft's Azure Monitor Agent (specifically the Metrics Extension) lets an unauthenticated attacker on an adjacent network gain elevated privileges by exploiting improper TLS certificate validation (CWE-295). Because the agent fails to properly verify the certificate of the endpoint it communicates with, an attacker positioned on the same broadcast/logical network segment can impersonate a trusted server and hijack the agent's privileged context, yielding high confidentiality, integrity, and availability impact. Microsoft rates it CVSS 8.8; there is currently no public exploit identified at time of analysis and it is not listed in CISA KEV.
Heap out-of-bounds read/write in OpenHTJ2K (High-Throughput JPEG 2000 reference codec) v0.18.4 and earlier lets an attacker corrupt heap memory by supplying a crafted J2K/JP2 codestream, with a confirmed heap information-leak primitive and vendor-claimed arbitrary code execution. The flaw is reached through every decoder entry point (invoke, invoke_line_based, invoke_line_based_stream, invoke_line_based_predecoded) and, notably, through a JPIP server's startup codestream load, making it network-reachable without user interaction. There is no public exploit identified at time of analysis, though the vendor changelog references non-public PoC files, and the issue is not listed in CISA KEV.
Buffer Overflow vulnerability in OpenHTJ2K v.0.18.4 and before allows an attacker to execute arbitrary code via the j2k_precinct_subband::parse_packet_header() in source/core/coding/coding_units.cpp
Cross-site scripting (CWE-79) in on-premises Microsoft SharePoint Server allows an authenticated, low-privileged attacker to inject script that executes in another user's browser session, enabling spoofing across a network. The scope-changed CVSS 3.1 rating of 8.7 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) reflects the ability to break out of the vulnerable component's security context and impact victim data. Microsoft has released patches; there is no public exploit identified at time of analysis and CISA SSVC currently records exploitation as none.
Authentication bypass in Ciena Navigator Network Control Suite (NCS 8.1), Manage Control Plane (MCP ≤ 8.0), and Blue Planet components (Inventory, Orchestration, Route Optimization & Analysis, Unified Assurance & Analytics, Planner Plus) allows an unauthenticated network attacker to manipulate HTTP request paths and headers to reach protected functionality while also evading audit logging. Rated CVSS 9.8 with a fully remote, low-complexity, no-interaction vector, this flaw hands attackers administrative-level access to carrier-grade network control and orchestration platforms. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the trivial exploitation profile makes it a high-priority patch for affected operators.
Predictable default credentials in Ciena's Navigator Network Control Suite (NCS), Manage Control Plane (MCP), and Planner Plus OnPrem expose hidden system accounts used for internal software operations to remote attackers. These accounts carry limited permissions in isolation, but their known default passwords give an attacker a foothold that can be chained with other weaknesses to escalate privilege on the management system. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, so exploitation remains theoretical rather than demonstrated.
Remote code execution in Aetopia Digital Asset Management (DAM) v1.0.0 is achievable through a server-side template injection flaw: attacker-controlled input in the 'name' and 'description' parameters of the Add/Update Project function is evaluated by the server-side template engine, letting an attacker run arbitrary code on the host. NVD scores this CVSS 9.8 (network, low complexity, no privileges required), and a public researcher writeup detailing the SSTI exists on the eslam3kl GitBook; however, there is no public exploit identified as weaponized code and it is not listed in CISA KEV, so it is not confirmed as actively exploited. Note the CVSS PR:N rating conflicts with the fact that Add/Update Project is normally an authenticated application feature.
Arbitrary file upload in the Podlove Podcast Publisher WordPress plugin (all versions through 4.5.1) allows remote attackers to place attacker-controlled files on the server via the image caching path, potentially escalating to remote code execution. The root cause is incomplete file-type validation in the plugin's image cache handling, where a cached file's extension was trusted rather than re-derived from the actual validated image type. Reported by Wordfence and fixed upstream; no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Remote code execution in Microsoft Dynamics NAV 2018 allows an unauthorized, network-based attacker to run arbitrary code by submitting maliciously crafted serialized data that the application deserializes without validation (CWE-502). With a CVSS 9.8 vector requiring no authentication and no user interaction, successful exploitation grants full compromise of the ERP host. Microsoft has released a patch via MSRC; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Remote code execution in the Microsoft ODBC Driver for SQL Server (shipped across Windows 10, Windows 11, and Windows Server 2012 through 2025) stems from a heap-based buffer overflow that lets an attacker run arbitrary code over the network. The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) scores it 9.8 and marks it unauthenticated, though as a database driver flaw the realistic trigger is a client connecting to a malicious or compromised SQL Server endpoint. There is no public exploit identified at time of analysis and no CISA KEV listing, so this is a high-severity but not yet actively-exploited issue.
Incorrect WHERE-clause evaluation in Perl's DBI::SQL::Nano (versions 1.42 up to 1.651) causes text-based '<=' and '>=' comparisons to be silently inverted, so range-filtered queries return the wrong set of rows. The flaw affects DBI's built-in fallback mini-SQL engine used by file-backed drivers (DBD::File, DBD::DBM, CSV-style) when SQL::Statement is absent, and applications that rely on such predicates for policy or authorization filtering may leak or mishandle records without any error. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; the fix is available upstream in DBI 1.651.
OS command injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to execute arbitrary operating-system commands by supplying malicious job configuration parameters that a backend API passes unsanitized to the OS command line. Because Kylin runs as a distributed analytics engine, successful exploitation yields full host compromise with the privileges of the Kylin service account. Per the vendor CVSS (AV:N/PR:N), the flaw is scored as network-reachable and unauthenticated with high impact across confidentiality, integrity, and availability; no public exploit is identified at time of analysis, and it is not listed in CISA KEV.
SQL injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to inject arbitrary SQL through a backend API used to refresh the table catalog, where untrusted input is concatenated into a dynamically generated SQL statement. The upstream CVSS 3.1 vector rates this as unauthenticated (PR:N) with full confidentiality, integrity, and availability impact (9.8), enabling database read/write and potentially further compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Spoofing via stored cross-site scripting in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription Edition) allows an authenticated attacker to inject script that executes in another user's browser session across a network. CVSS is 8.7 with a scope change, reflecting that injected content escapes into the victim's authenticated context; there is no public exploit identified at time of analysis and CISA SSVC rates exploitation status as none. A vendor patch is available via Microsoft MSRC.
Use after free in Core in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Arbitrary code execution in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source stems from an unrestricted file upload (CWE-434) that runs in the context of the current user, letting an attacker inject malicious scripts and hijack a victim's account or session. Exploitation is network-reachable and marked unauthenticated by the CVSS vector but requires the victim to visit a crafted URL or interact with a compromised page, and the scope is changed (impact extends beyond the vulnerable component). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; Adobe rates it CVSS 9.6 critical.
Server-Side Request Forgery in Adobe Experience Manager (AEM as a Cloud Service, 6.5 LTS, and 6.5) lets a low-privileged, authenticated attacker coerce the server into issuing crafted requests that can escalate to arbitrary code execution in the current user's context and hijack the victim's account or session. The scope-changed CVSS 9.6 rating reflects that the SSRF pivots beyond the vulnerable component itself. No public exploit identified at time of analysis, and no CISA KEV listing; risk is driven by CVSS severity and Adobe's confirmation via advisory APSB26-74 rather than observed exploitation.
Sensitive file disclosure and potential account takeover in Adobe Experience Manager (AEM as a Cloud Service, 6.5, and 6.5 LTS) arises from unsafe XML External Entity (XXE) processing that Adobe classifies as leading to arbitrary code execution in the current user's context. A low-privileged, authenticated attacker (PR:L) can trigger the flaw remotely over the network with no user interaction, reading protected files and pivoting to elevated access or session control. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the 9.6 CVSS score and scope-change make it a high-priority patch.
Remote code execution in the Microsoft 365 Copilot mobile apps for Android and iOS lets an unauthenticated attacker run code across a security boundary by getting a user to interact with crafted content (CWE-77 command injection). The CVSS 9.6 rating reflects network reach, low complexity, no privileges, and a changed scope with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, but a vendor patch is available and the flaw was self-reported by Microsoft.
Credential leakage in sigstore-js (specifically the @sigstore/oci package) before 0.7.1 allows Docker registry credentials to be transmitted to the wrong registry because getRegistryCredentials() matched configured auth keys against the target registry using a substring check instead of an exact host match. An attacker who can induce a victim to push or pull signatures/attestations against an attacker-named registry whose hostname has a substring relationship with a legitimately configured registry (e.g. 'cr.io' vs 'ghcr.io', or 'victim.127.0.0.1:5000' vs '127.0.0.1:5000') can capture the victim's stored registry credentials. There is no public exploit identified at time of analysis, and this is not listed in CISA KEV; the underlying weakness (CWE-522) is confirmed and fixed by the vendor in @sigstore/oci 0.7.1.
Local code execution in Microsoft Visual Studio Code stems from a command injection flaw (CWE-77) that lets an attacker run arbitrary commands on the host with the privileges of the editor. Reported by Microsoft with a vendor patch available, the CVSS 3.1 score of 8.4 reflects full compromise of confidentiality, integrity, and availability via a local attack vector requiring no privileges or user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
A vulnerability was detected in SourceCodester Simple and Nice Shopping Cart Script 1.0. This vulnerability affects unknown code of the file /admin/userproductdeletequery.php. Performing a manipulation of the argument user_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Unrestricted file upload in code-projects Online Job Portal 1.0 exposes unauthenticated remote attackers to arbitrary file upload via the txtFile parameter in /JobSeekerInsert.php, enabling likely webshell deployment and subsequent server-side code execution. A public proof-of-concept exploit exists (no KEV listing), substantially lowering the exploitation barrier for any internet-exposed instance. The CVSS 4.0 impact metrics are conservatively rated Low across C/I/A, which understates the realistic post-exploitation potential of an unrestricted PHP file upload - successful webshell placement typically yields full OS command execution in the web server process context.
SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/DeleteUser.php endpoint to unauthenticated remote database manipulation. An attacker can craft HTTP requests that inject arbitrary SQL, enabling data extraction, modification, or deletion from the underlying database. A public proof-of-concept exploit exists (GitHub: shihuizhang-dazhi/MY-CVE/issues/4), lowering the bar for exploitation; this vulnerability is not currently listed in CISA KEV.
SQL injection in code-projects Online Job Portal 1.0 exposes the /Admin/EditUser.php endpoint to remote database manipulation via the unsanitized UserId parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) classifies this as remotely exploitable with no authentication or interaction required, though the Admin path location raises questions about actual auth gating in practice. A public exploit exists (E:P confirmed in CVSS 4.0 and via GitHub issue), lowering the skill bar for exploitation considerably; this CVE is not currently listed in CISA KEV.
Unauthenticated authorization bypass in poco-ai/poco-claw's Workspace API allows remote attackers to access arbitrary users' workspace files by manipulating the user_id parameter in the get_workspace_file function. All versions through 0.5.4 are affected, with the executor manager's control-plane routes completely lacking token-based authentication before the fix. Publicly available exploit code exists (POC confirmed via GitHub issue #133 and PR #135); no CISA KEV listing at time of analysis.
Arbitrary file write via path traversal in Tenable Agent 11.2.0 and 11.1.3 and earlier lets a privileged attacker escape the intended plugin directory and drop files at attacker-chosen paths, potentially escalating to remote code execution. The flaw is vendor-reported (Tenable TNS-2026-18) and affects the endpoint scanning agent that typically runs with elevated/service privileges. No public exploit identified at time of analysis and it is not listed in CISA KEV.