Critical Watch
AI-curated daily picks – the most critical CVEs requiring immediate attention
An SQL injection flaw in PandasAI's LanceDB extension allows unauthenticated attackers to manipulate database operations in data science workflows, posing risk to organizations using this popular AI/ML data processing framework.
A path traversal flaw in PandasAI allows unauthenticated remote attackers to read arbitrary files, including credentials and configuration data, affecting enterprises that use the library for AI-powered data analysis.
Spring AI is a widely-adopted framework in enterprise Java applications, and this critical unauthenticated remote code execution vulnerability via SpEL injection affects multiple recent versions with no apparent mitigation beyond upgrading.
Tenda routers have a significant consumer and small business install base, and this high-severity buffer overflow with public exploit code enables authenticated attackers to achieve remote code execution on network perimeter devices.
Grassroots DICOM (GDCM) library is widely integrated into medical imaging systems and PACS infrastructure across healthcare organizations, and CISA ICS-CERT's advisory indicates this unauthenticated remote DoS vulnerability poses operational risk to critical medical devices and diagnostic systems.
A path traversal vulnerability in the WordPress Shared Files plugin allows low-privileged attackers to download sensitive configuration files, including wp-config.php, exposing database credentials and secret keys on potentially thousands of WordPress installations.
The wvp-GB28181-pro video streaming platform is commonly deployed in surveillance and security camera infrastructures, and this deserialization vulnerability in Redis configuration could allow remote attackers to achieve code execution on video management systems.
Kodbox is a widely-deployed enterprise file management and collaboration platform, and this unauthenticated arbitrary file upload vulnerability allows remote attackers to upload webshells and achieve remote code execution without authentication.