All CosmicBytez Labs articles tagged #CVSS 9.8, across news, security advisories, how-to guides, and projects.
A critical unauthenticated arbitrary file upload vulnerability in the Super Forms plugin for WordPress (CVSS 9.8) allows attackers to upload and execute...
A critical unauthenticated arbitrary file upload flaw (CVSS 9.8) in the Instant Appointment WordPress plugin allows attackers to upload and execute...
A critical CVSS 9.8 hardcoded credentials vulnerability in IEI Integration Corp's IRM-IEI Remote Management software allows unauthenticated remote...
A CVSS 9.8 critical vulnerability allows unauthenticated remote attackers to recover a default hardcoded password from a firmware image, granting full…
A CVSS 9.8 critical Java deserialization vulnerability allows attackers to bypass ObjectInputFilter via TC_PROXYCLASSDESC, circumventing acceptMatchers…
A critical authentication bypass in authentik allows attackers to skip the Source stage entirely by sending an empty POST request, completely circumventing…
A critical CVSS 9.8 remote code execution vulnerability in manga-image-translator allows unauthenticated attackers to execute arbitrary commands by...
CVSS 9.8 in Goobi Viewer REST API lets unauthenticated clients inject Solr streaming expressions, enabling RCE on affected digital heritage platforms.
A critical authentication bypass vulnerability in NVIDIA Triton Inference Server could allow unauthenticated attackers to execute code, escalate...
The Boost plugin for WordPress versions up to 2.0.3 is vulnerable to PHP Object Injection via deserialization of the STYXKEY-BOOST_USER_LOCATION cookie,...
Apache Camel's JmsBinding class in camel-jms and camel-sjms deserializes incoming JMS ObjectMessage payloads via javax.jms.ObjectMessage.getObject()...
Apache MINA's AbstractIoBuffer.resolveClass() contains a branch for static classes and primitive types that skips allowlist validation entirely, letting...
KTransformers through version 0.5.3 contains a critical unsafe deserialization vulnerability in its balance_serve backend mode, where an unauthenticated...
A critical OS command injection vulnerability in radare2-mcp 1.6.0 and earlier allows remote attackers to execute arbitrary commands by bypassing the...
A critical OS command injection vulnerability in NewSoftOA by NewSoft allows unauthenticated local attackers to inject and execute arbitrary OS commands...
OpenOlat versions 10.5.4 through 20.2.4 fail to verify JWT signatures in their OpenID Connect implicit flow, allowing unauthenticated attackers to...
Oracle's March 2026 Critical Patch Update includes CVE-2026-21992, a CVSS 9.8 unauthenticated remote code execution vulnerability in Oracle Identity...