Threat Feed

Tag: Unauthenticated

17 briefs
high advisory

Crawl4AI Unauthenticated SSRF in Docker API `crawl/stream` Endpoint

A remote, unauthenticated attacker can exploit an unpatched Server-Side Request Forgery (SSRF) vulnerability in Crawl4AI Docker API versions up to 0.8.9, specifically targeting the `/crawl/stream` endpoint, to read internal network services and cloud-metadata endpoints, potentially exposing sensitive information like IAM credentials.

crawl4ai ssrf web-application docker unauthenticated api-exploitation
critical advisory

CVE-2026-46817 - Oracle Payments Unauthenticated Remote Takeover via HTTP

CVE-2026-46817 is a critical vulnerability in the Oracle Payments component of Oracle E-Business Suite versions 12.2.3 through 12.2.15, allowing an unauthenticated attacker with network access via HTTP to compromise the application and potentially achieve complete takeover.

E-Business Suite +1 cve oracle ebusiness suite rce unauthenticated privilege-escalation
critical advisory

CVE-2026-34311: Oracle Hospitality OPERA 5 Property Services Unauthenticated Remote Takeover

CVE-2026-34311 allows an unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services, potentially resulting in complete takeover of the application in versions 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, and 5.6.28.

OPERA 5 Property Services cve remote_code_execution unauthenticated
medium advisory

phpMyFAQ Unauthenticated Password Reset Vulnerability (CVE-2026-35676)

phpMyFAQ before 4.1.3 is vulnerable to an unauthenticated password reset, allowing attackers to change account passwords without token validation by sending crafted PUT requests to the /api/index.php/user/password/update endpoint.

phpMyFAQ cve vulnerability password reset unauthenticated
critical advisory

CVE-2026-6226 - Frontend Admin WordPress Plugin Unauthenticated Privilege Escalation

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2, allowing attackers to create administrator accounts by injecting a custom form configuration with a spoofed role field.

Frontend Admin by DynamiApps plugin for WordPress <= 3.29.2 cve wordpress privilege-escalation unauthenticated
high advisory

FUXA Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass (CVE-2026-43947)

FUXA version 1.3.0 is vulnerable to unauthenticated remote code execution (CVE-2026-43947) because the /api/runscript endpoint, when in test mode, executes attacker-supplied code without proper authorization, allowing execution of arbitrary commands if a server-side script exists with permissive permissions.

fuxa-server rce unauthenticated cve-2026-43947
critical advisory

9router Unauthenticated Remote Code Execution via MCP Plugin Routes

9router versions 0.4.30 to 0.4.33 are vulnerable to unauthenticated remote code execution, allowing network-adjacent attackers to execute arbitrary OS commands by registering and triggering malicious plugins through unprotected API endpoints.

9router rce unauthenticated plugin
critical advisory

GitBucket 4.23.1 Unauthenticated Remote Code Execution Vulnerability (CVE-2018-25332)

GitBucket 4.23.1 contains an unauthenticated remote code execution vulnerability (CVE-2018-25332) allowing attackers to execute arbitrary commands by exploiting weak secret token generation and insecure file upload functionality via a malicious JAR plugin.

GitBucket 4.23.1 cve rce gitbucket unauthenticated
high advisory

CVE-2020-37244: Supsystic Membership 1.4.7 Unauthenticated SQL Injection Vulnerability

Supsystic Membership version 1.4.7 is vulnerable to SQL injection (CVE-2020-37244), allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'search' and 'sidx' parameters, potentially extracting sensitive database information.

Membership 1.4.7 sqli cve-2020-37244 wordpress unauthenticated
medium advisory

Goobi Viewer Unauthenticated Solr Streaming Expression Proxy Vulnerability

The Goobi viewer REST endpoint accepted an arbitrary Solr streaming expression from unauthenticated network clients, enabling attackers to read, modify, or delete the complete Solr index; this was resolved by removing the affected API endpoint.

Goobi viewer solr proxy unauthenticated CVE-2026-45083 critical
high advisory

Dalfox Server Mode Unauthenticated Arbitrary File Create/Append Vulnerability

Dalfox in REST API server mode is vulnerable to CVE-2026-45089, an unauthenticated arbitrary file create/append vulnerability: the `output`, `output-all`, and `debug` options are deserialized directly from the attacker's request body, so a network caller can create or append to any file writable by the dalfox process.

dalfox <= 2.12.0 xss file-write unauthenticated CVE-2026-45089
critical advisory

CVE-2021-47932: WordPress TheCartPress Unauthenticated Privilege Escalation

WordPress TheCartPress version 1.5.3.6 contains an unauthenticated privilege escalation vulnerability, CVE-2021-47932, allowing attackers to create administrator accounts via crafted POST requests to the AJAX handler.

TheCartPress 1.5.3.6 wordpress privilege-escalation unauthenticated CVE-2021-47932
medium threat

free5GC SMF Unauthenticated Process-Kill Denial-of-Service via UPI Endpoint

free5GC's SMF is vulnerable to an unauthenticated denial-of-service attack where a crafted POST request to the `/upi/v1/upNodesLinks` endpoint can trigger a `Fatalf` call, terminating the entire SMF process, effectively disrupting network services.

SMF free5GC DoS unauthenticated UPI CVE-2026-44321
high advisory

WordPress Easy PayPal Events & Tickets Plugin Information Disclosure Vulnerability

An information disclosure vulnerability in the Easy PayPal Events & Tickets WordPress plugin (versions 1.3 and earlier) allows unauthenticated attackers to enumerate and retrieve all customer order records via the scan_qr.php endpoint.

Easy PayPal Events & Tickets plugin wordpress info-disclosure cve-2026-41471 unauthenticated enumeration
critical advisory

Weaver E-cology Unauthenticated RCE via Dubbo API Debug Endpoint

Weaver E-cology 10.0 before 20260312 is vulnerable to unauthenticated remote code execution, allowing attackers to execute arbitrary commands by crafting a POST request to the /papi/esearch/data/devops/dubboApi/debug/method endpoint.

weaver e-cology rce unauthenticated cve-2026-22679
critical advisory

phpMyFAQ Unauthenticated SQL Injection via User-Agent Header

An unauthenticated SQL injection vulnerability exists in phpMyFAQ <= 4.1.1 due to improper handling of the User-Agent header in BuiltinCaptcha, allowing attackers to inject malicious SQL payloads and potentially gain complete control of the datastore.

phpMyFAQ sql-injection unauthenticated web-application
medium advisory

Brizy WordPress Plugin Unauthenticated Stored XSS Vulnerability

The Brizy – Page Builder plugin for WordPress is vulnerable to unauthenticated stored cross-site scripting (XSS) in versions up to and including 2.8.11. Due to missing nonce verification and improper handling of file upload fields, unauthenticated attackers can inject arbitrary web scripts that execute when an administrator views the form Leads page.

Brizy – Page Builder plugin <= 2.8.11 wordpress xss unauthenticated