Authentication bypass in the Happy Coders OTP Login for WooCommerce WordPress plugin (versions 1.5 through 2.7) lets unauthenticated remote attackers log in as any existing user, including administrators, and create arbitrary accounts. The plugin authenticates a user from a supplied identifier without confirming that the one-time password was ever validated. Publicly available exploit code exists (WPScan) and a vendor patch (2.8) is available; EPSS remains low at 0.15% despite the maximal 9.8 CVSS score.
Authentication bypass in Grafana OnCall through 1.16.11 lets unauthenticated remote attackers mint a valid PluginAuthToken by POSTing to the internal plugin install endpoint with hardcoded default stack_id and org_id values exposed in the public source tree, then use that token to seize full control of the OnCall instance. With the token, an attacker can create arbitrary Admin users via the user-context header bootstrap path, revoke the legitimate plugin token to lock out operators, and redirect OnCall-to-Grafana API traffic to an attacker host by overwriting grafana_url and api_token. Publicly available exploit code exists (reported by VulnCheck), CVSS 4.0 base 9.3, though there is no public exploit identified as actively exploited - it is not on CISA KEV.
The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields, allowing users with at least the Subscriber role to escalate their privileges to Administrator by submitting a crafted value while updating their own profile, on sites where the Redux Framework WordPress plugin before 4.5.13's user-profile (Users extension) feature is enabled.
Privilege escalation in Axelor Open Platform 8.x before 8.2.2 lets an authenticated non-admin user grant themselves administrative roles and groups by writing to protected User fields through a nested relational save on a related entity, bypassing the USER_RESTRICTED_FIELDS control. The flaw (CWE-863, improper authorization) was reported by VulnCheck and has publicly available exploit code; it is not listed in CISA KEV. With a CVSS 4.0 base score of 8.7 and full compromise of confidentiality, integrity, and availability of the vulnerable system, any low-privileged account can effectively become an administrator.
The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is enabled.
Reflected Cross-Site Scripting in the FunnelKit WordPress plugin before 3.15.0.6 lets unauthenticated attackers inject arbitrary JavaScript into a page-builder AJAX response, which executes in the browser of a logged-in user who opens an attacker-crafted link. The flaw is only reachable when the Divi builder integration is active, and publicly available exploit code exists though there is no public exploit identified as actively exploited at time of analysis. EPSS was not provided and the vulnerability is not on CISA KEV, so widespread exploitation is unconfirmed.
Server-side request forgery in HuggingFace text-generation-inference through version 3.3.7 enables unauthenticated remote attackers to coerce the server into issuing arbitrary outbound HTTP GET requests via a crafted image_url value submitted to the OpenAI-compatible multimodal chat completions endpoint. The fetch_image function in router/src/validation.rs applies no destination validation, and the reqwest client's default redirect-following behavior allows attackers to chain redirects to bypass any scheme-level controls, reaching cloud instance-metadata services (e.g., AWS IMDSv1 at 169.254.169.254) to steal IAM credentials or enumerate internal port services. Publicly available exploit code exists (VulnCheck/geo-chen); no KEV listing at time of analysis, but the combination of unauthenticated access, cloud credential theft potential, and working POC makes this a genuine priority for any cloud-hosted TGI deployment.
The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files (bounded to an image and video allowlist) to the Media Library and create attachment posts, leading to media library pollution and disk space exhaustion.
SQL injection in WP Job Portal WordPress plugin before 2.5.5 enables authenticated subscriber-level users to exfiltrate data from the underlying WordPress database. Because subscriber accounts are explicitly self-registerable (no admin approval required), the practical authentication barrier is near-zero for any external attacker. A publicly available exploit exists per WPScan, though EPSS at 0.18% (7th percentile) indicates limited observed exploitation to date and no CISA KEV listing at time of analysis.
Stored cross-site scripting via prompt injection in the BetterDocs WordPress plugin (versions 4.0.0 through 4.5.5) allows unauthenticated attackers to permanently implant malicious JavaScript into documentation pages by manipulating the plugin's AI-generated summary feature. Because the AI output is stored unsanitized and the generation endpoint requires no authentication, an attacker can craft adversarial prompts that cause the AI to produce and persist executable script payloads - payloads that then fire in the browser of every subsequent visitor, including WordPress administrators. A publicly available exploit exists via WPScan; no active exploitation confirmed in CISA KEV at time of analysis.
Stored cross-site scripting in the Header Footer Builder for Elementor WordPress plugin before 1.2.1 permits any Contributor-level user to inject persistent JavaScript into every page of the affected site by importing a crafted template through the plugin's dashboard action, which incorrectly requires only edit_posts capability rather than administrator access. Once the malicious Elementor HTML widget is imported with site-wide display scope, the payload executes in the browser of every visitor and administrator who loads the site - enabling session hijacking, credential theft, or admin account takeover. A publicly available exploit exists per WPScan (EUVD-2026-44878); no CISA KEV listing at time of analysis.
Authentication bypass in HireFlow interview management system (versions 1.2 and earlier) lets unauthenticated remote attackers forge signed session cookies because app.py ships a hard-coded Flask secret_key. Since the key is present in the public source tree, any attacker can mint cookies asserting role=admin and arbitrary user_id values to gain full administrative access. Rated CVSS 10.0; no public exploit is identified at time of analysis, though the flaw is trivially reproducible from the disclosed source value.
Unauthorized access to private chatbot conversations in the AI Engine WordPress plugin before 3.5.5 allows any authenticated subscriber-level user to both read and overwrite other users' chat records when the discussions feature is enabled. The plugin fails to verify that a client-supplied conversation identifier belongs to the requesting user (CWE-639 IDOR), enabling session data theft and record hijacking. Public exploit code is available via WPScan, though EPSS stands at only 0.13% (3rd percentile), suggesting no widespread automated exploitation; active exploitation is not confirmed in the CISA KEV at time of analysis.
Code injection in Frogman before 1.6.2 lets an authenticated PERM_WRITE caller of the MCP/HTTP dialplan API inject arbitrary Asterisk directives - including System() and Set(SHELL(...)) - into extensions_custom.conf, yielding remote command execution on the PBX host. The flaw stems from fm_dialplan_apply sanitizing only the context name while passing template parameters such as greeting, dest, url, extension, code, and file into generated dialplan text unchecked. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV, but the CVSS is 9.9 and the fix (v1.6.2) plus root-cause commit are public.
Account takeover in Zoom's Windows client family - the Zoom Desktop Client, Zoom VDI Client, and Zoom Meeting SDK for Windows - lets a remote, unauthenticated attacker seize control of a victim's account by sending crafted input over the network, per Zoom's security bulletin ZSB-26014. The flaw stems from improper input validation (CWE-20) and carries a vendor CVSS of 9.8, reflecting full confidentiality, integrity, and availability impact with no privileges or user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated network vector makes it a high-priority patch.
Hardcoded default administrator password in Pheditor (all versions prior to 2.0.6) lets remote unauthenticated attackers log in as admin using the string 'admin' — the SHA-512 hash of which is baked into pheditor.php line 11 — and then abuse the built-in terminal and file-upload features for immediate remote code execution. Any deployment left on defaults is trivially compromised because there is no forced password change, expiry, lockout, or setup wizard. A working PoC is published in the GitHub Security Advisory, though there is no public exploit identified in active in-the-wild campaigns and no EPSS/KEV data is provided.
Authentication bypass in the miniOrange SAML Single Sign On - SSO Login plugin for WordPress (all versions through 5.4.3) lets unauthenticated attackers forge SAML assertions and seize any account, including administrator. The plugin trusts the SignatureMethod algorithm declared inside the attacker-supplied SAMLResponse, enabling an RSA-to-HMAC signature confusion attack that yields valid WordPress auth cookies and full admin takeover. Reported by Wordfence; no public exploit identified at time of analysis, but the flaw is trivially exploitable and carries a 9.8 CVSS.
Authentication bypass in VMware/Spring's Spring Authorization Server (versions 7.0.0-7.0.4, 1.5.0-1.5.6, 1.4.0-1.4.9, and 1.3.0-1.3.10) allows a low-privileged authenticated actor to circumvent authentication controls and access protected resources across a security boundary. The CVSS 9.6 (Critical) rating reflects a scope change with high confidentiality and integrity impact but no availability effect. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the near-maximum score in a widely deployed OAuth2/OIDC authorization component makes this a high-priority patch.
Path traversal in FunnelKit WordPress plugin before 3.15.0.6 enables authenticated administrators to delete arbitrary .json files outside the plugin's intended directory during template-import operations. The root cause is CWE-73 (External Control of File Name or Path): the deletion handler accepts user-supplied paths without canonicalization or boundary enforcement. Leveraging CVSS scope change (S:C), a malicious admin can target configuration files belonging to other installed plugins, causing cascading denial-of-service across the WordPress installation. A publicly available exploit exists; the vulnerability is not in the CISA KEV catalog at time of analysis.
Cross-Site Request Forgery in the Appointment Booking Plugin for WordPress (versions before 5.6.3) allows an unauthenticated attacker to perform privileged administrative actions - including overwriting the booking-form configuration and disconnecting the connected payment gateway - by tricking a logged-in administrator into clicking a malicious link or visiting an attacker-controlled page. The root cause is absent CSRF nonce validation across multiple state-changing actions handled by the plugin's central request dispatcher. A publicly available proof-of-concept exists per the WPScan advisory, though EPSS sits at 0.10% (1st percentile), indicating negligible observed exploitation activity and no CISA KEV listing at time of analysis.
Missing authorization in Frogman, a headless Asterisk PBX control layer exposed over MCP and an HTTP API, lets any low-privilege PERM_READ caller invoke eight administrative tools (fm_list_managers, fm_list_pinsets, fm_show_context, fm_get_mcp_config, fm_backup_status, fm_whos_calling, fm_run_saved_query, fm_diagnose_trunk) that should require admin, leaking AMI manager secrets, outbound dial PINs, full dialplan context, root SSH connection commands, backup artifact paths, CDR history, and raw AMI endpoint dumps containing SIP password/md5_cred/oauth_secret fields, plus executing arbitrary saved GraphQL queries. All releases prior to 1.6.3 are affected, tracked under GHSA-q4c4-5cr4-8q47 with a CVSS 4.0 score of 9.3. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Broken access control in Perfect Support Ticketing & Document Management System through version 1.7 permits authenticated Agent-level users to manipulate the Support Agent assignment field on tickets beyond their authorized scope, including adding or removing Superadmin accounts. The vulnerability stems from missing server-side authorization checks (CWE-862), allowing role-based access controls to be circumvented entirely by any Agent assigned to a ticket. A publicly available exploit exists per VulnCheck and a GitHub PoC disclosure; no CISA KEV listing is present at time of analysis.
Authentication bypass in the Microsoft 365 / Microsoft Entra ID (local_o365) plugin for Moodle allows an unauthenticated attacker to forge a JWT and log in as any Office 365-linked Moodle user before versions 4.5.6, 5.0.5, and 5.1.1. The Teams SSO endpoint sso_login.php base64-decodes the JWT payload and trusts the 'upn' claim without verifying the token signature, so a self-signed or hand-crafted token is accepted as valid. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the flaw is trivially exploitable and confirmed by a Microsoft GitHub security advisory (GHSA-hqjh-93qv-47v5).
Path traversal and code injection in Microsoft Kiota before 1.32.5 lets an attacker-controlled OpenAPI description write generated source files outside the intended output directory and inject arbitrary text into class/namespace declarations. When a developer runs `kiota generate` without the -c/--class-name flag, Kiota consumes the clientClassName and clientNamespaceName values from the OpenAPI `x-ms-kiota-info` extension without identifier or path sanitization, using them both as code identifiers and as filesystem path components. There is no public exploit identified at time of analysis and no CISA KEV listing, though the fix (SanitizeClientClassName/SanitizeClientNamespaceName) is visible in the merged patch.
Path traversal in Microsoft Kiota before 1.32.5 lets an attacker-controlled OpenAPI description inject unvalidated `static_template.file` values (via the x-ai-adaptive-card and x-ai-capabilities extensions) into generated Microsoft 365 Copilot and Teams plugin manifests, so a developer who runs `kiota plugin add` or `kiota plugin generate -t APIPlugin` against a malicious spec produces a manifest that resolves files outside its package when deployed. Rated CVSS 4.0 9.3 (Critical) with high confidentiality/integrity/availability impact and no privileges required. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the upstream fix is confirmed in release v1.32.5.
Command injection in Microsoft Kiota before 1.32.5 lets a malicious or compromised OpenAPI description dictate the install command that Kiota presents to developers. When a developer runs `kiota info` (or the VS Code extension's `kiota info --json` dependency-install flow) against an attacker-controlled spec, Kiota reads the `x-ms-kiota-info.languagesInformation.<language>.dependencyInstallCommand` field plus attacker-chosen dependency name/version values and surfaces them as its trusted recommended install command, achieving arbitrary command execution when that command is run. No public exploit has been identified at time of analysis and it is not in CISA KEV, but the fix explicitly removes the untrusted extension field.
Server-side request forgery in stoatchat before 0.13.5 allows remote unauthenticated attackers to coerce the server into making arbitrary outbound requests through the /proxy and /embed endpoints, which accept attacker-supplied URLs without DNS resolution filtering or private-IP validation. Reported by VulnCheck and carrying a CVSS 4.0 score of 9.2, it lets attackers enumerate internal services, fingerprint applications, and reach cloud instance-metadata endpoints. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
OS command injection in WWBN AVideo through version 29.0 allows attackers to execute arbitrary operating-system commands as the web-server user via the ffmpeg.json.php endpoint. The notifyCode and callback request parameters are concatenated into a shell command without escaping, so an attacker able to produce a valid encrypted payload can inject shell metacharacters and achieve remote code execution. No public exploit identified at time of analysis; the flaw carries a CVSS 4.0 base score of 9.2, though successful exploitation is gated by the requirement to forge a valid encrypted payload.
OS command injection in AVideo (WWBN) through version 29.0 lets remote attackers who can forge a valid encrypted codeToExec payload run arbitrary shell commands as the web-server user via the listFFmpegProcesses() function in the standAlone plugin API. The flaw is unauthenticated (PR:N) but non-trivial to reach because it depends on producing an accepted encrypted parameter, and no public exploit or CISA KEV listing is identified at time of analysis.
Improper TLS hostname verification in the Snowflake Connector for Python (versions before 4.7.1) lets an on-path attacker defeat HTTPS certificate validation, accepting any certificate signed by any trusted CA regardless of the requested hostname. An adversary who can intercept traffic can decrypt and tamper with connector sessions, exposing Snowflake credentials, query results, and staged file data, and can inject arbitrary SQL bounded by the victim role's privileges. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the reporting vendor (Snowflake) rates it CVSS 4.0 9.2.
Remote kernel heap corruption in the illumos SCTP stack lets an unauthenticated attacker send a crafted INIT ACK packet with malformed address parameters to trigger an out-of-bounds access during packet classification, potentially leading to remote code execution or a kernel panic. The flaw affects illumos-gate and downstream distributions (OmniOS, SmartOS/Triton) built before commit 53a3efde, and has existed since 2010 (commit a5407c02). There is no public exploit identified at time of analysis and the CVSS 4.0 exploit-maturity metric is Unreported (E:U), but the attack requires no authentication or user interaction.
Arbitrary file disclosure in Envoy Gateway's controller allows a low-privileged tenant who can create an EnvoyExtensionPolicy to read sensitive files from the gateway controller pod. A path-normalization gap in the security.lua critical-path check (CWE-20) lets attacker-supplied Lua bypass the read restriction using double-slash paths (e.g. //etc/passwd), exposing Kubernetes service-account tokens, TLS certificates, and process environment. No public exploit identified at time of analysis, but the vendor advisory documents the exact bypass and CVSS is rated 9.1.
Stored cross-site scripting in Perfect Support Ticketing & Document Management System through version 1.7 allows authenticated Agent-level users to inject persistent malicious scripts into ticket Notes fields. Any user who subsequently views the compromised ticket notes - including Superadmin users - executes the attacker's payload in their browser context, enabling session token theft and unauthorized actions performed on the victim's behalf. No public exploit identified at time of analysis for KEV listing, though a publicly available proof-of-concept exists per VulnCheck and the researcher's GitHub repository.
Unauthenticated remote code execution in SGLang (versions 0 through 0.5.14) arises when the expert-parallel backup subsystem binds a ZeroMQ PULL socket to a routable interface without authentication or safe deserialization, letting a network attacker send a crafted pickle payload that executes arbitrary code in the serving process. It affects deployments where the elastic expert-parallel backup feature is enabled and the socket is reachable. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Peer credential disclosure in WireGuard Easy (wg-easy) through 15.3.0 lets unauthenticated network attackers recover a client's WireGuard PrivateKey and PresharedKey by brute-forcing the one-time configuration link. Because the OTL token is derived from CRC32 over a random value bounded to 0-999, an attacker faces at most 1000 candidate tokens per client ID against the unauthenticated /cnf/:oneTimeLink route, which had no rate limiting and did not enforce token expiration. There is no public exploit identified at time of analysis, but the small keyspace makes exploitation trivial once a valid link is active; the flaw was reported by VulnCheck and is fixed upstream.
Root-level remote code execution in Canonical's ubuntu-pro-client (formerly ubuntu-advantage-tools) allows an attacker who can spoof or tamper with the Ubuntu Pro contract server response to inject arbitrary APT source lines and install malicious root-owned packages. The client builds /etc/apt/sources.list.d entries from the server's directives.suites[] and directives.aptURL fields via Python str.format() without escaping or newline filtering, and passes additionalPackages[] positionally into a root-run apt-get install. Because the component is preinstalled on supported Ubuntu Server releases and auto-attaches on cloud Ubuntu Pro images the exposure is broad; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation in Argo Workflows before 3.7.15 and 4.0.6 lets a low-privileged user who can submit Workflows bypass the Strict/Secure templateReferencing protections and inject an arbitrary strategic-merge PodSpecPatch into the artifact garbage-collection pod. Because the fix for CVE-2026-31892 only walked top-level WorkflowSpec fields and allow-listed WorkflowSpec.ArtifactGC wholesale, its nested WorkflowLevelArtifactGC.PodSpecPatch flowed unmodified into util.ApplyPodSpecPatch, allowing an attacker to spawn a pod with privileged: true, hostPath volumes, hostNetwork: true, and an attacker-chosen image and command. This is an incomplete-fix regression; there is no public exploit identified at time of analysis and it is not in CISA KEV.
Privilege escalation in the WPFunnels (Funnel Builder for WooCommerce) plugin for WordPress lets authenticated users holding the wpf_manage_funnels capability — typically the plugin's Funnel Manager custom role — rewrite the global wp_user_roles option and grant their own role full administrator capabilities. All versions up to and including 3.12.8 are affected, and Wordfence rates it CVSS 8.8 (High). No public exploit has been identified at time of analysis, but the root cause is trivial (an unvalidated option name reaching update_option()), making reliable weaponization straightforward for a low-privileged insider.
Privilege escalation in the Digits WordPress Mobile Number Signup and Login plugin (all versions through 9.1.0.5) lets authenticated Subscriber-level users promote themselves to Administrator by submitting a forged digits_reg_userrole value during a profile update. The flaw stems from the dig_update_wpwc_custom_fields() function failing to validate the caller's authorization or the requested role. There is no public exploit identified at time of analysis, but the low barrier (any registered user on an affected site with the DIGITS User Role field configured) and full-administrator outcome make this a high-priority patching item.
OS command injection in Pheditor 2.0.1 through 2.0.5 lets an authenticated user with the default-enabled `terminal` permission bypass the TERMINAL_COMMANDS allowlist and run arbitrary shell commands as the web server user. The flaw is an incomplete fix for GHSA-9643-6xjp-vx57: the sanitization blocklist added `$` but still misses the single pipe `|`, backtick, and newline (0x0A), each of which starts with a whitelisted prefix and slips past both filters. A fully working exploit is published in the GHSA advisory, and because Pheditor ships with the default password `admin`, the required authentication is frequently trivial to obtain, effectively lowering the barrier to unauthenticated RCE.
Authenticated command-injection in Pheditor 2.0.4 lets any user holding the 'terminal' permission bypass the TERMINAL_COMMANDS allowlist and run arbitrary OS commands as the web server user. The terminal handler only blocks '&', ';', and '||' and validates commands with a prefix check before handing the full string to shell_exec(), so shell substitution like ls$(...) satisfies the allowlist while executing attacker-controlled code. A working PoC is published in the GitHub advisory, though there is no public exploit identified as a standalone weaponized tool and no active exploitation reported.
PowerShell command injection in Lenovo XClarity Integrator for Microsoft Windows Admin Center (versions 5.1.1 and below) running on the WAC Gateway allows an authenticated low-privileged attacker to inject arbitrary PowerShell commands when the plugin establishes remote PowerShell sessions. Successful exploitation yields high-impact code execution that extends beyond the plugin into subsequent systems (managed hosts), with full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment such as Flatpak load an attacker-controlled library and execute arbitrary code on the host user's session. The flaw (CWE-427) is present in PipeWire as shipped in Red Hat Enterprise Linux 7, 8, 9 and 10 and carries a scope-changing CVSS 3.1 score of 8.8. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Remote code execution in the Loco Translate WordPress plugin (all versions up to and including 2.8.5) is reachable through a Cross-Site Request Forgery flaw in the execTemplate function, where missing nonce validation lets an unauthenticated attacker who tricks a logged-in administrator into clicking a crafted link supply a php://filter stream wrapper as the 'template' parameter, bypassing path validation and reaching a PHP include sink to execute arbitrary code. The chain converts a classic CSRF (CWE-352) into full server compromise, carrying CVSS 8.8 (C:H/I:H/A:H). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
SQL injection in the Quix Page Builder Pro extension for Joomla lets remote unauthenticated attackers inject arbitrary SQL through a crafted request, enabling database read and write against affected sites. The CVSS 4.0 base score is 8.7 (High), reflecting network vector, low complexity, no privileges, and high impact to confidentiality, integrity, and availability of the vulnerable database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; a third-party disclosure write-up exists on mysites.guru.
Uncontrolled memory and CPU exhaustion in Centrifugo real-time messaging server before 6.8.4 lets unauthenticated attackers send a small compressed WebSocket frame to the unidirectional transport that inflates into a massive decompressed payload. The message_size_limit was only checked against compressed wire bytes, while decompressed output was read via io.ReadAll with no cap, enabling a classic decompression bomb denial of service. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary file read in the Whistle debugging proxy (avwo/whistle) before 2.10.3 lets remote attackers retrieve any file on the host by abusing the GET /cgi-bin/temp/get endpoint. Because lib/service/service.js only sanitizes req.query.filename when it matches the temporary-file pattern and otherwise hands the raw filename to getFile, a value like ../../../../etc/passwd escapes TEMP_FILES_PATH and is served back. The CVSS 4.0 score is 8.7 (high) with a confidentiality-only impact; there is no public exploit identified at time of analysis, and the flaw is fixed in 2.10.3.
Arbitrary JavaScript execution in Microsoft's @prompty/core TypeScript loader (2.0.0-alpha.1 through 2.0.0-beta.2) allows an attacker who supplies a crafted .prompty file to run code during prompt loading. The loader passed .prompty markdown to gray-matter without disabling its executable 'js'/'javascript' frontmatter engines, so a '---js' frontmatter block is evaluated as Node.js at parse time. Exploitation requires the victim's application to load the malicious file (UI:P); no public exploit is identified at time of analysis and it is not on CISA KEV, but the fix commit ships a working proof-of-concept test.
{...}, $var, or {$obj->prop} are emitted verbatim inside PHP double-quoted literals and interpolated as code when the generated client runs. No public exploit identified at time of analysis, though the fix commit ships a test demonstrating the ${env('HOME')} injection primitive; EPSS and KEV data were not provided.
{}//') demonstrating the break-out.