Heap-based buffer overflow in GNU Binutils 2.45 linker component affects the elf_x86_64_relocate_section function, allowing authenticated local attackers to cause availability impact with low complexity exploitation. CVSS score of 1.9 reflects limited scope (availability only, no confidentiality or integrity impact), though publicly available exploit code exists and patch has been released by the upstream project.
A weakness has been identified in D-Link DIR-852 up to 20251002. This affects an unknown part of the file /HNAP1/. Executing manipulation can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer.
Symlink following in DesktopCommanderMCP up to version 0.2.13 allows local authenticated attackers to read files outside intended directory boundaries through the isPathAllowed function in filesystem.ts. The vulnerability requires local access and authenticated user privileges, with high attack complexity and low exploitability difficulty despite public availability of proof-of-concept code. This affects only unsupported product versions and carries minimal real-world risk (CVSS 1.1, EPSS 0.02%), though the vendor acknowledges the issue as a guardrail limitation rather than a hardened security boundary.
Code injection in the ClineProvider prompt handler of Kilo Code up to version 4.86.0 allows remote attackers with user interaction to manipulate input prompts and inject arbitrary code. The vulnerability affects the prompt processing component through insufficient input validation in src/core/webview/ClineProvider.ts. Public exploit code is available, and a patch has been released by the vendor, though the low CVSS score (2.1) and minimal EPSS percentile (12%) suggest limited real-world exploitation risk despite public availability.