Monthly
SQL/NoSQL query injection in Progress MOVEit Transfer (Custom Reports modules) lets remote unauthenticated attackers manipulate backend data-query logic to read, alter, or destroy managed-file-transfer data across versions before 2025.0.7, 2025.1.3, and 2026.0.0. Rated CVSS 9.8 with full confidentiality, integrity, and availability impact, though real-world exploitation is currently rated low (EPSS 0.22%, CISA SSVC exploitation 'none') and no public exploit has been identified at time of analysis. MOVEit's history as a mass-exploitation target (Cl0p, 2023) makes this a high-priority patch despite the currently quiet threat signal.
Server-side NoSQL injection in Progress MOVEit Transfer (Custom Reports modules) lets an authenticated high-privilege user inject crafted query elements to read, alter, or disrupt backend data. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, with full confidentiality, integrity, and availability impact per the CVSS vector. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Improper data-query neutralization (NoSQL injection) in the web application component of BeyondTrust Remote Support and Privileged Remote Access allows an authenticated, low-privileged attacker to manipulate input parameters and read resources or data beyond their authorization scope. The flaw enables information disclosure across authorization boundaries and, per the vendor's CVSS 4.0 vector, can impact downstream systems. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation is restricted to accounts holding specific permissions.
Cypher injection in Apache Camel's camel-neo4j producer allows attackers who control JSON key names in the CamelNeo4jMatchProperties map to execute arbitrary Cypher queries against the connected Neo4j database, enabling unauthorized read, modification, or deletion of any node or relationship. The flaw exists across three release streams (4.10.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) and is a direct bypass of the partial fix introduced in CVE-2025-66169, which bound property values as query parameters but left property names (JSON keys) concatenated verbatim into the WHERE clause. No public exploit code or CISA KEV listing has been identified at time of analysis, though the prior related CVE in the same producer indicates recurring injection exposure in this component.
DQL (Dgraph Query Language) injection in Dgraph's GraphQL-to-DQL query rewriter (versions <= v25.3.3) lets remote unauthenticated attackers inject arbitrary query blocks through the unauthenticated checkUserPassword GraphQL query. User-supplied password values are interpolated into a checkpwd() DQL call via fmt.Sprintf without escaping, so a double-quote breaks out of the string literal and appends attacker-controlled DQL. A working PoC exists (publicly available exploit code exists); the issue is not in CISA KEV and no active exploitation is reported, but server-side execution of injected blocks is confirmed, enabling schema/data enumeration and resource exhaustion.
{"$ne": null} for client_id, client_secret, and refresh_token returns a live token bound to whatever user Mongo matches first; iterating with $nin/$regex walks the entire token collection. No public exploit identified at time of analysis, but exploitation is trivial and capturing an admin token yields full /api/v1/* control and Apps-Engine app installation (server-side code execution). Fixed in the 8.5.0/8.4.1/8.3.3/8.2.3/8.1.4/8.0.5/7.13.7/7.10.11 release line.
{"$gt": ""} matches the first unexpired credential-token document, yielding a full Meteor auth token bound to a legitimate victim - and full instance compromise if that victim is an administrator. No public exploit identified at time of analysis, but the CVSS 9.1 rating and trivial exploitability make this a high-priority patch.
NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers to inject special characters into vector-store inputs and force execution of arbitrary queries against Elasticsearch, OpenSearch, and GemFire VectorDB backends. The flaw resides in the spring-ai-elasticsearch-store, spring-ai-opensearch-store, and spring-ai-gemfire-store components, enabling information disclosure and limited integrity/availability impact against any application embedding Spring AI's vector-store abstraction. No public exploit identified at time of analysis, but the CVSS 8.6 (scope unchanged here, network vector, no privileges) makes this a high-priority patch for any Spring AI deployment ingesting untrusted text.
{"$gt": ""}`) to be interpreted as query logic rather than literal values. No public exploit is independently catalogued (KEV not listed), but a proof-of-concept TypeScript payload is included in the vendor advisory, and EPSS sits at 0.03% (8th percentile), indicating low observed exploitation activity at time of analysis.
Regex injection in BuddyPress 14.4.0's activity mention resolver allows authenticated WordPress users to manipulate a REGEXP clause against the users table when username compatibility mode is enabled, enabling boolean-based username inference and denial of service via catastrophic backtracking. CVSS 4.0 scores this 7.1 with low confidentiality impact and high availability impact, reflecting the dual data-leakage and DoS outcomes. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SQL/NoSQL query injection in Progress MOVEit Transfer (Custom Reports modules) lets remote unauthenticated attackers manipulate backend data-query logic to read, alter, or destroy managed-file-transfer data across versions before 2025.0.7, 2025.1.3, and 2026.0.0. Rated CVSS 9.8 with full confidentiality, integrity, and availability impact, though real-world exploitation is currently rated low (EPSS 0.22%, CISA SSVC exploitation 'none') and no public exploit has been identified at time of analysis. MOVEit's history as a mass-exploitation target (Cl0p, 2023) makes this a high-priority patch despite the currently quiet threat signal.
Server-side NoSQL injection in Progress MOVEit Transfer (Custom Reports modules) lets an authenticated high-privilege user inject crafted query elements to read, alter, or disrupt backend data. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, with full confidentiality, integrity, and availability impact per the CVSS vector. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Improper data-query neutralization (NoSQL injection) in the web application component of BeyondTrust Remote Support and Privileged Remote Access allows an authenticated, low-privileged attacker to manipulate input parameters and read resources or data beyond their authorization scope. The flaw enables information disclosure across authorization boundaries and, per the vendor's CVSS 4.0 vector, can impact downstream systems. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation is restricted to accounts holding specific permissions.
Cypher injection in Apache Camel's camel-neo4j producer allows attackers who control JSON key names in the CamelNeo4jMatchProperties map to execute arbitrary Cypher queries against the connected Neo4j database, enabling unauthorized read, modification, or deletion of any node or relationship. The flaw exists across three release streams (4.10.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) and is a direct bypass of the partial fix introduced in CVE-2025-66169, which bound property values as query parameters but left property names (JSON keys) concatenated verbatim into the WHERE clause. No public exploit code or CISA KEV listing has been identified at time of analysis, though the prior related CVE in the same producer indicates recurring injection exposure in this component.
DQL (Dgraph Query Language) injection in Dgraph's GraphQL-to-DQL query rewriter (versions <= v25.3.3) lets remote unauthenticated attackers inject arbitrary query blocks through the unauthenticated checkUserPassword GraphQL query. User-supplied password values are interpolated into a checkpwd() DQL call via fmt.Sprintf without escaping, so a double-quote breaks out of the string literal and appends attacker-controlled DQL. A working PoC exists (publicly available exploit code exists); the issue is not in CISA KEV and no active exploitation is reported, but server-side execution of injected blocks is confirmed, enabling schema/data enumeration and resource exhaustion.
{"$ne": null} for client_id, client_secret, and refresh_token returns a live token bound to whatever user Mongo matches first; iterating with $nin/$regex walks the entire token collection. No public exploit identified at time of analysis, but exploitation is trivial and capturing an admin token yields full /api/v1/* control and Apps-Engine app installation (server-side code execution). Fixed in the 8.5.0/8.4.1/8.3.3/8.2.3/8.1.4/8.0.5/7.13.7/7.10.11 release line.
{"$gt": ""} matches the first unexpired credential-token document, yielding a full Meteor auth token bound to a legitimate victim - and full instance compromise if that victim is an administrator. No public exploit identified at time of analysis, but the CVSS 9.1 rating and trivial exploitability make this a high-priority patch.
NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers to inject special characters into vector-store inputs and force execution of arbitrary queries against Elasticsearch, OpenSearch, and GemFire VectorDB backends. The flaw resides in the spring-ai-elasticsearch-store, spring-ai-opensearch-store, and spring-ai-gemfire-store components, enabling information disclosure and limited integrity/availability impact against any application embedding Spring AI's vector-store abstraction. No public exploit identified at time of analysis, but the CVSS 8.6 (scope unchanged here, network vector, no privileges) makes this a high-priority patch for any Spring AI deployment ingesting untrusted text.
{"$gt": ""}`) to be interpreted as query logic rather than literal values. No public exploit is independently catalogued (KEV not listed), but a proof-of-concept TypeScript payload is included in the vendor advisory, and EPSS sits at 0.03% (8th percentile), indicating low observed exploitation activity at time of analysis.
Regex injection in BuddyPress 14.4.0's activity mention resolver allows authenticated WordPress users to manipulate a REGEXP clause against the users table when username compatibility mode is enabled, enabling boolean-based username inference and denial of service via catastrophic backtracking. CVSS 4.0 scores this 7.1 with low confidentiality impact and high availability impact, reflecting the dual data-leakage and DoS outcomes. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.