Vulnerabilities

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage. This issue has been patched in version 7.0.0.

Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. This plugin was officially closed as of 2026-03-18.

Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: "null" to the internal login endpoint receives a valid session for that user. The bypass is unauthenticated and requires no user interaction. This issue has been patched in version 0.19.3.

Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM's soft-delete scope does not reach the raw "JOIN books ..." clauses used by the note and asset queries. This issue has been patched in version 0.19.3.

An integer underflow in FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.

Easy PayPal Events & Tickets plugin for WordPress version 1.3 and earlier contain a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID. This plugin was officially closed as of 2026-03-18.

In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication due to a logic error in the code. This could lead to remote (proximal/adjacent) code execution as the shell user with no additional execution privileges needed. User interaction is not needed for exploitation.

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.

BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a malformed D6_OPT_DNS_SERVERS option. Attackers can exploit incorrect heap buffer allocation calculations in the option_to_env() function to cause denial of service or achieve arbitrary code execution on embedded systems without heap hardening.

D-Link DIR-456U Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /etc/init0.d/S80telnetd.sh with the username "Alphanetworks" and the static password "whdrv01_dlob_dir456U" read from /etc/config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.

Apache Polaris can issue broad temporary ("vended") storage credentials during<br /> staged<br /> table creation before the effective table location has been validated or<br /> durably reserved. <br /> Those temporary credentials are meant to limit the scope<br /> of<br /> accessible table data and metadata, but this scope limitation becomes<br /> attacker-<br /> directed because the attacker can choose a reachable target location.<br /> <br /> <br /> <br /> In the confirmed variant, if the caller supplies a custom `location` during<br /> stage create and requests credential vending, Apache Polaris uses that location to<br /> construct delegated storage credentials immediately. The stage-create path<br /> itself neither runs the normal location validation nor the overlap checks<br /> before those credentials are issued.<br /> <br /> <br /> <br /> Closely related to that, the staged-create flow also accepts<br /> `write.data.path` / `write.metadata.path` in the request properties and<br /> feeds<br /> those location overrides into the same effective table location set used for<br /> credential vending. Those fields are secondary to the main custom-`location`<br /> exploit, but they are still attacker-influenced location inputs that should<br /> be<br /> validated before any credentials are issued.

Apache Polaris accepts literal `*` characters in namespace and table names. When it<br /> later builds temporary S3 access policies for delegated table access, those<br /> same characters appear to be reused unescaped in S3 IAM resource patterns<br /> and<br /> `s3:prefix` conditions.<br /> <br /> <br /> <br /> In S3 IAM policy matching, `*` is treated as a wildcard rather than as<br /> ordinary text. That means temporary credentials issued for one crafted table<br /> can match the storage path of a different table.<br /> <br /> <br /> <br /> In private testing against Polaris 1.4.0 using Polaris&amp;#39; AWS S3 temporary-<br /> credential path on both MinIO and real AWS S3, credentials returned for<br /> crafted tables such as `f*.t1`, `f*.*`, `*.*`, and `foo.*` could reach other<br /> tables&amp;#39; S3 locations.<br /> <br /> <br /> The confirmed behavior includes:<br /> <br /> <br /> - reading another table&amp;#39;s metadata control file ([Iceberg metadata JSON]);<br /> <br /> - listing another table&amp;#39;s exact S3 table prefix ([table prefix]);<br /> <br /> - and, when write delegation was returned for the crafted table, creating<br /> and<br /> deleting an object under another table&amp;#39;s exact S3 table prefix.<br /> <br /> <br /> <br /> A control case using ordinary different names did not allow the same<br /> cross-table access.<br /> <br /> <br /> <br /> A least-privilege AWS S3 variant was also confirmed in which the attacker<br /> principal had no Polaris permissions on the victim table and only the<br /> minimal permissions required to create and use a crafted wildcard table<br /> (namespace-scoped `TABLE_CREATE` and `TABLE_WRITE_DATA` on `*`). In that<br /> setup, direct Polaris access to `foo.t1` remained forbidden, but the<br /> attacker<br /> could still create and load `*.*`, receive delegated S3 credentials, and use<br /> those credentials to list, read, create, and delete objects under `foo.t1`.<br /> <br /> <br /> <br /> In Iceberg, the metadata JSON file is a control file: it tells readers which<br /> data files belong to the table, which snapshots exist, and which table<br /> version<br /> to read. So unauthorized access to it is already a meaningful<br /> confidentiality<br /> problem. The confirmed write-capable variant means the issue is not limited<br /> to<br /> disclosure.