SVG-based server-side request forgery in ThingsBoard versions prior to 4.2.1 allows upload of crafted SVG files containing external URL references to the dashboard Image Upload Gallery, causing the platform to initiate unintended outbound HTTP requests toward internal network resources. All ThingsBoard deployments (community, professional edition) running versions before 4.2.1 are affected via this gallery feature. No public exploit code or CISA KEV listing exists at time of analysis; however, the upstream fix in PR #13927 - which adds a Content-Security-Policy response header rather than sanitizing SVG content at upload - indicates the primary exploitation path may be browser-mediated rather than purely server-side, warranting scrutiny of the PR:N (no privileges required) CVSS assignment.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jason C. Memberlite Shortcodes memberlite-shortcodes allows Stored XSS.This issue affects Memberlite Shortcodes: from n/a through <= 1.4.1.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki WebAuthn extension allows Stored XSS.This issue affects MediaWiki WebAuthn extension: 1.39, 1.43, 1.44.
Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth before 1.11.0; versions of the package org.zwobble.mammoth:mammoth before 1.11.0 are vulnerable to Directory Traversal due to the lack of path or file type validation when processing a docx file containing an image with an external link (r:link attribute instead of embedded r:embed). The library resolves the URI to a file path and after reading, the content is encoded as base64 and included in the HTML output as a data URI. An attacker can read arbitrary files on the system where the conversion is performed or cause an excessive resources consumption by crafting a docx file that links to special device files such as /dev/random or /dev/zero.
Stored Cross-Site Scripting in CobbleStone Enterprise Contract Management Portal v22.4.0 allows a low-privileged, authenticated remote attacker to inject persistent malicious scripts into the application's chat box component. When a victim user views the chat, the injected script executes in their browser session, enabling session hijacking, credential theft, or in-application action forgery scoped to the vulnerable system. Notably, the vendor has disclosed that v22.4.0 is an obsolete, unsupported version no longer in active distribution, which substantially narrows the real-world attack surface. No public exploit identified at time of analysis, though a researcher writeup on Medium constitutes partial technical disclosure.
Authenticated subscribers in the Binary MLM Plan WordPress plugin up to version 5.0 can access other users' payout summaries through insecure direct object reference (IDOR) in the /bmp-account-detail/ endpoint. The vulnerability stems from the bmp_user_payout_detail_of_current_user() function failing to verify payout record ownership before returning data, allowing any authenticated user with the bmp_user role to enumerate and view arbitrary payout details by manipulating the payout-id parameter. This is a low-severity information disclosure affecting MLM WordPress sites; no public exploit code or active exploitation has been confirmed.