CryptoLib versions prior to 1.4.3 contain an out-of-bounds read vulnerability in the Crypto_AOS_ProcessSecurity function that allows remote attackers to crash spacecraft communications systems when parsing malformed AOS frame hashes. Public exploit code exists for this vulnerability affecting cFS deployments that rely on SDLS-EP for spacecraft-to-ground station security. The vulnerability has high severity due to its denial of service impact on critical space communications infrastructure, and no patch is currently available.
Stored cross-site scripting (XSS) in HAX CMS versions 11.0.6 through 24.x allows authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially leading to account takeover. Public exploit code exists for this vulnerability affecting both PHP and Node.js deployments. Users should upgrade to version 25.0.0 or later to remediate the issue.
Fickling's static analyzer through version 0.1.6 fails to properly classify the cProfile module as unsafe during pickle analysis, causing malicious pickles leveraging cProfile.run() to be marked as SUSPICIOUS rather than OVERTLY_MALICIOUS. Organizations using Fickling as a security gate for deserialization decisions may be deceived into executing attacker-controlled code. Public exploit code exists for this vulnerability, and patches are available in version 0.1.7 and later.
Fickling's incomplete pickle analysis allows attackers to bypass security checks by using Python's runpy module to execute arbitrary code. Versions through 0.1.6 misclassify dangerous runpy-based payloads as merely suspicious rather than malicious, enabling code execution on systems that rely on Fickling to validate pickle safety. Public exploit code exists for this vulnerability, though a patch is available in version 0.1.7.
Fickling's static analyzer before version 0.1.7 fails to detect several dangerous Python modules in pickled objects, enabling attackers to craft malicious pickles that bypass safety checks and achieve arbitrary code execution. This vulnerability affects users relying on Fickling to validate untrusted serialized Python objects for safety. Public exploit code exists for this HIGH severity vulnerability, though a patch is available in version 0.1.7 and later.
RustCrypto Elliptic Curves versions 0.14.0-pre.0 and 0.14.0-rc.0 are vulnerable to denial-of-service when decrypting SM2 public key encryption, as invalid curve points with syntactically valid coordinates cause an unhandled panic during point validation. Public exploit code exists for this vulnerability, affecting applications that use the SM2 implementation. A remote attacker can crash the cryptographic service by sending specially crafted ciphertext with malformed elliptic curve points.
CryptoLib versions prior to 1.4.3 contain a heap buffer overflow in the KMC crypto service's Base64 decoder, where oversized input strings can write beyond allocated buffer boundaries when processing KMC JSON responses. An attacker with network access to the KMC service can trigger this vulnerability to crash the spacecraft-ground station communication process or potentially execute arbitrary code. Public exploit code exists for this vulnerability, and no patch is currently available.
RustCrypto's SM2 elliptic curve implementation in versions 0.14.0-pre.0 and 0.14.0-rc.0 is vulnerable to denial-of-service through improper input validation in the decrypt() function, allowing remote attackers to crash affected applications by submitting malformed or undersized ciphertext that triggers unhandled panics. Public exploit code exists for this vulnerability, though a patch is available.
CryptoLib versions prior to 1.4.3 are vulnerable to denial of service through unbounded memory allocation in the KMC crypto service client's HTTP response handling. A malicious or compromised KMC server can trigger excessive memory consumption by sending arbitrarily large responses, causing the client process to crash. Public exploit code exists for this vulnerability affecting spacecraft communications secured by SDLS-EP.
Spree versions up to 4.10.2 is affected by authorization bypass through user-controlled key (CVSS 7.5).
SM2 elliptic curve implementations in RustCrypto versions 0.14.0-pre.0 and 0.14.0-rc.0 suffer from a critical entropy reduction flaw where ephemeral nonce generation requests only 32 bits instead of 256 bits of randomness, degrading encryption security from 128-bit to 16-bit strength. Public exploit code exists, allowing attackers to recover the nonce and decrypt ciphertexts using only the public key and encrypted message. A patch is available for affected deployments.
CryptoLib versions prior to 1.4.3 contain an out-of-bounds heap read in the cryptography_aead_encrypt() function, affecting spacecraft communications secured via the SDLS-EP protocol. Public exploit code exists for this vulnerability, allowing remote attackers to trigger a denial of service condition without authentication. The vulnerability impacts systems using CryptoLib for ground-to-spacecraft communications and has been patched in version 1.4.3.
Cross-site scripting in Angular's Template Compiler allows attackers to inject arbitrary JavaScript through unsanitized href and xlink:href attributes on SVG <script> elements bound to untrusted data. Affects Angular versions prior to 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, with no public exploit identified at time of analysis despite a very low EPSS score of 0.01%. Patched releases are available from the Angular project, and exploitation requires the victim application to dynamically bind user-controlled values to those specific SVG script attributes.
DevToys versions 2.0.0.0 through 2.0.8.x are vulnerable to path traversal attacks during extension package installation, allowing attackers to write files outside the intended directory by crafting malicious NUPKG archives with directory traversal sequences. An attacker can exploit this to overwrite arbitrary files with DevToys process privileges, potentially enabling code execution or system compromise on affected systems. The vulnerability is patched in version 2.0.9.0.
React Router is a router for React. In @remix-run/react version prior to 2.17.3. [CVSS 8.2 HIGH]
Authentication Bypass by Spoofing vulnerability in Apache NimBLE. Receiving specially crafted Security Request could lead to removal of original bond and re-bond with impostor. [CVSS 8.1 HIGH]
Ghost CMS versions 5.121.0-5.130.5 and 6.0.0-6.10.3 incorrectly allow Staff Token authentication to access endpoints restricted to Staff Session authentication, enabling authenticated Admin/Owner-role users to perform unauthorized actions. An attacker with valid Staff Token credentials for elevated roles could bypass authentication restrictions and access sensitive endpoints not intended for token-based access. Patches are available in versions 5.130.6 and 6.11.0.
Ghost CMS versions 5.105.0-5.130.5 and 6.0.0-6.10.3 contain an authentication bypass in their two-factor authentication implementation that allows authenticated staff members to circumvent email-based 2FA requirements. An attacker with valid staff credentials can exploit this flaw to gain unauthorized access to administrative functions without completing the required second authentication factor. Patches are available in versions 5.130.6 and 6.11.0.
Fickling versions prior to 0.1.7 fail to properly detect malicious pickle payloads due to inadequate handling of the "builtins" module, allowing attackers to bypass security analysis and potentially execute arbitrary code. This vulnerability affects Python environments using vulnerable versions of Fickling for pickle inspection and static analysis. An attacker can craft specially designed pickle files that evade detection mechanisms, compromising the integrity of pickle validation workflows.
Fickling before version 0.1.7 allows local attackers to achieve arbitrary code execution through Python pickle deserialization by chaining unblocked ctypes and pydoc modules, bypassing the tool's safety scanner which incorrectly reports malicious files as LIKELY_SAFE. An attacker with user interaction can exploit this vulnerability to execute code with the privileges of the Python process. A patch is available in version 0.1.7 and later.
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. [CVSS 7.6 HIGH]
NULL Pointer Dereference vulnerability in Apache Nimble. Missing validation of HCI connection complete or HCI command TX buffer could lead to NULL pointer dereference. [CVSS 7.5 HIGH]
WooCommerce Square (WordPress plugin) versions up to 5.1.1 is affected by authorization bypass through user-controlled key (CVSS 7.5).
J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE. Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange. [CVSS 7.5 HIGH]
Comfyui-Manager versions up to 3.39.2 contains a vulnerability that allows attackers to security setting tampering or modification of application behavior (CVSS 7.5).
Out-of-bounds write in CryptoLib's SDLS-EP implementation allows unauthenticated network attackers to corrupt the gvcid_counter variable by writing beyond array bounds during parameter registration, potentially disrupting spacecraft-to-ground station communications security. Affected systems running CryptoLib versions prior to 1.4.3 are vulnerable to manipulation of parameter lookup logic without authentication or user interaction. No patch is currently available for this vulnerability affecting NASA's core Flight System deployments.
Arbitrary command execution in OpenProject versions 16.6.1 and below allows authenticated administrators to execute system commands by manipulating the sendmail binary path configuration and triggering a test email function. An admin-level attacker can leverage this to achieve full system compromise with high impact on confidentiality, integrity, and availability. No patch is currently available, and exploitation requires high privileges but no user interaction.