.NET applications are vulnerable to spoofing attacks due to improper validation of a required security element, allowing unauthenticated remote attackers to forge or manipulate application data over the network. This vulnerability affects multiple .NET versions and currently has no available patch, exposing organizations to authentication bypass and data integrity risks. The attack requires no user interaction and can be exploited directly from the network.
Improper input validation for some Server Firmware Update Utility(SysFwUpdt) before version 16.0.12 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable local code execution. [CVSS 7.5 HIGH]
Unauthenticated attackers can exploit SQL injection in Flowring's Docpedia to execute arbitrary database queries and extract sensitive information without authentication. The vulnerability requires no user interaction and is remotely accessible over the network, presenting a critical risk to all deployments. No patch is currently available to remediate this issue.
Improper input validation in Windows Hyper-V allows an authorized attacker to execute code locally. [CVSS 7.3 HIGH]
Privilege escalation in Microsoft Graphics Component via use-after-free memory corruption affects Windows Server 2019 and 2012, allowing authenticated local attackers to gain elevated system privileges with user interaction. The vulnerability poses a significant risk in industrial environments where Windows Server hosts critical infrastructure. No patch is currently available for this high-severity issue.
Heap overflow in Windows Hyper-V enables authenticated local users to achieve arbitrary code execution with high privileges on affected Windows and Windows Server systems. An attacker with local access and user-level permissions can trigger memory corruption through user interaction to compromise system integrity and confidentiality. This vulnerability affects Windows 10 1809, Windows Server 2025, and related Hyper-V implementations with no patch currently available.
Heap overflow in Windows Hyper-V enables authenticated local users to achieve arbitrary code execution with high privileges (CVSS 7.3). Exploitation requires user interaction and local system access, affecting Windows 10 1809 and Windows Server 2025. No patch is currently available.
Businessobjects Business Intelligence Platform versions up to 430 is affected by url redirection to untrusted site (open redirect) (CVSS 7.3).
The Name Directory WordPress plugin through version 1.32.0 contains a stored cross-site scripting vulnerability in its sanitization logic that allows unauthenticated attackers to inject malicious scripts through the public submission form. Attackers can exploit this by submitting content with double-encoded HTML entities that bypass security filters, and the injected scripts will execute when administrators or users view the affected pages if the submission is approved or auto-publish is enabled. This affects all installations of the vulnerable plugin versions with no patch currently available.
FortiAuthenticator 6.3 through 6.6.6 allows read-only users to modify local user accounts by uploading files to an unprotected endpoint, bypassing authorization controls. This vulnerability requires high privileges to initiate but could enable unauthorized account modifications in affected deployments. No patch is currently available for this high-severity flaw.
Unauthorized option modification in WCFM - Frontend Manager for WooCommerce up to version 6.7.24 allows authenticated Shop Manager-level users to bypass capability checks and alter arbitrary WordPress settings. An attacker with these privileges can exploit this to change the default registration role to administrator and enable user registration, gaining full admin access to the site. No patch is currently available for this vulnerability.
The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator- privileged service account. [CVSS 7.1 HIGH]
Forticlient versions up to 7.4.4 is affected by improper link resolution before file access (CVSS 7.1).
Windows Storage component contains an authentication bypass that enables authenticated local users to escalate privileges on Windows 10, Windows 11, and Windows Server 2016/2019 systems. An attacker with valid local credentials can exploit this vulnerability to gain elevated system access without user interaction. No patch is currently available for this HIGH severity issue affecting multiple Windows versions.
Use after free in Mailslot File System allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]
Windows Subsystem for Linux contains a use-after-free vulnerability that enables local privilege escalation for authenticated users. An attacker with valid local access could exploit this memory safety flaw to gain elevated system privileges on affected Windows Server 2022 systems.
Local privilege escalation in Windows Subsystem for Linux affects Windows 11 23h2 and Windows 10 22h2 through a race condition in shared resource synchronization. An authenticated local attacker can exploit this vulnerability to gain elevated privileges on the system. No patch is currently available for this vulnerability.
Local privilege escalation in Windows Connected Devices Platform Service exploits a race condition in resource synchronization, allowing authenticated attackers to gain elevated privileges on affected Windows systems including Server 2022, Windows 11 25h2, and Windows 10 21h2. The vulnerability requires local access and user interaction is not needed, making it a practical attack vector for users with standard privileges. No patch is currently available.
Windows Ancillary Function Driver for WinSock in Windows 11 23h2 and Windows Server 2022 23h2 contains a use-after-free vulnerability that allows authenticated local users to achieve privilege escalation. An attacker with local access and valid credentials can trigger the memory safety flaw to gain elevated system privileges. No patch is currently available for this HIGH severity vulnerability.
A flaw has been found in Artifex MuPDF versions up to 1.26.1 is affected by untrusted search path (CVSS 7.0).
Privilege escalation in Intel QuickAssist Technology (QAT) on certain Intel platforms allows a system-software adversary already holding privileged (Ring 0 / kernel-level) access to read and corrupt kernel state via an unprotected alternate hardware interface. The flaw stems from a missing protection mechanism on a secondary hardware control path, yielding high confidentiality and integrity impact but no availability loss. There is no public exploit identified at time of analysis, EPSS is negligible (0.01%), and it is not listed in CISA KEV.