Full administrative compromise of the XCharge C6 EV charger is achievable by a physically connected device that abuses a remote management service exposed on the vehicle-charger signaling channel and protected only by a default administrative credential. Affecting XCharge C6 firmware versions released before May 22, 2026, the issue was disclosed via CISA ICS-CERT advisory ICSA-26-148-08 with a CVSS 4.0 score of 8.6 and no public exploit identified at time of analysis.
Authentication bypass in phpMyFAQ versions prior to 4.1.3 lets remote unauthenticated attackers create and modify FAQ entries, categories, and questions through the REST API v4.0 by submitting an empty x-pmf-token header that matches the default empty api.apiClientToken value. The flaw stems from strict string comparison logic that cannot distinguish an unconfigured token from an attacker-supplied empty one, exposing every default installation. No public exploit identified at time of analysis, but the GHSA advisory includes a detailed proof-of-concept walkthrough.
Authentication bypass in Pandora FMS versions 777-800 allows remote attackers to gain unauthorized API access via insecure default resource initialization. The vulnerability stems from CWE-1188 (default credentials or configuration), enabling attackers to bypass authentication mechanisms and access the API with high confidentiality and integrity impact. CVSS 4.0 scores this at 9.1 CRITICAL due to a network attack vector requiring no privileges or user interaction, though attack complexity is high and specific preconditions apply (AT:P, Attack Requirements: Present). No CISA KEV listing or public POC identified at time of analysis, suggesting exploitation requires vendor-specific knowledge of the insecure defaults.
Schneider Electric EcoStruxure Panel Server can revert credentials to insecure default values under rare circumstances, allowing remote unauthenticated attackers to gain unauthorized access using known factory credentials. This CWE-1188 vulnerability enables complete confidential information disclosure (CVSS 8.2 High). Exploitation requires specific timing conditions (AT:P, Attack Requirements: Present) to catch the window when credentials reset. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting targeted rather than widespread exploitation risk.
Local unauthenticated attackers can access the web browser on Siemens SIMATIC HMI Unified Comfort and Comfort Pro panels (all versions < V21) via the Control Panel when security mechanisms are not configured. The CVSS v4.0 score of 7.0 reflects high integrity and availability impact (VI:H/VA:H) with a local attack vector (AV:L), low complexity (AC:L), and no authentication required (PR:N). The vulnerability is classified as CWE-1188 (Initialization of a Resource with an Insecure Default) and tagged as Authentication Bypass. No public exploit or active exploitation confirmed at time of analysis, but the local access requirement and lack of default protections significantly lower the attack bar in environments where physical or local system access is feasible, such as industrial control settings.
OpenClaw's Feishu webhook integration fails open when encryptKey is missing or callback tokens are blank, allowing remote unauthenticated attackers to bypass signature verification and replay protection mechanisms. Attackers can submit crafted webhook requests or malformed card-action callbacks directly to command dispatch without authentication, enabling arbitrary command execution. Vendor-confirmed authentication bypass; patch released in version 2026.4.15. No public exploit code or CISA KEV listing identified at time of analysis, but the fail-open behavior and network attack vector (CVSS AV:N/AC:L/PR:N) make this highly exploitable against misconfigured deployments.
Chrome DevTools Protocol exposure in OpenClaw sandbox browser allows adjacent network attackers to remotely control sandboxed Chrome instances and access sensitive data. The CDP relay binds to 0.0.0.0 without source IP restrictions in versions before 2026.4.10, enabling attackers on the same Docker network to bypass sandbox isolation and execute arbitrary JavaScript in browser contexts. Vendor-released patch available (v2026.4.10); no public exploit identified at time of analysis. CVSS 9.0 reflects adjacent network attack vector with high confidentiality, integrity, and availability impact across virtual and system scopes.
Vvveb before version 1.0.8.2 allows unauthenticated remote attackers to disclose sensitive server information including absolute file paths, internal class namespaces, line numbers, and source code excerpts by accessing the admin password-reset endpoint and triggering a fatal error caused by missing namespace imports. The debug exception handler renders full stack traces to unauthenticated requests, enabling reconnaissance attacks without authentication or user interaction. No active exploitation confirmed, but the vulnerability is easily discoverable and exploitable over the network.
HCL BigFix Service Management is vulnerable to improper root filesystem configuration, allowing high-privileged authenticated users with user interaction to make unauthorized modifications to critical system components. The vulnerability requires administrative privileges and user consent (CVSS:3.1/AV:N/AC:H/PR:H/UI:R), resulting in limited confidentiality, integrity, and availability impacts. No active exploitation has been publicly reported.
Remote code execution in BridgeHead FileStore pre-24A via Apache Axis2 default credentials allows unauthenticated attackers to deploy malicious web services and execute arbitrary OS commands. The vulnerability exploits an exposed Axis2 admin console with unchanged default credentials, enabling full system compromise over the network with no authentication required. Publicly available exploit code exists (GitHub Gist), and CVSS 9.8 reflects critical risk with a network vector, low complexity, and no privileges required. EPSS data not provided, but exploitation prerequisites are minimal given the default credential exposure.