The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
Klaw versions before 2.10.2 contain an improper access control flaw in the /resetMemoryCache endpoint that allows authenticated attackers to wipe cached metadata, configurations, and cluster data across any tenant without proper authorization. This vulnerability affects Apache Kafka deployments using Klaw for topic governance and could disrupt Kafka cluster management and visibility. A patch is available in version 2.10.2 and later.
Arbitrary local file disclosure in Keras 3.0.0 through 3.13.1 allows a remote attacker to read sensitive files from a victim's system by tricking them into loading a malicious .keras model that abuses HDF5 external dataset references in the model-loading path. Exploitation requires the victim to open the attacker-supplied model (UI:P), but no authentication is needed; EPSS is very low (0.01%, 2nd percentile) and there is no public exploit identified at time of analysis. A vendor patch is available.
Installed application enumeration in Apple operating systems (macOS, iOS, iPadOS, tvOS, visionOS, watchOS) allows local applications to discover what other apps a user has installed through insufficient privacy controls. An attacker can exploit this through a malicious app to profile a user's installed software without explicit permission. This vulnerability affects multiple Apple platforms and requires user interaction to execute a malicious application.
Applications on Apple macOS and iOS platforms can circumvent user privacy preferences through a code execution vulnerability affecting multiple OS versions including Tahoe 26.3, Sonoma 14.8.4, Sequoia 15.7.4, and iOS 18.7.5. A local attacker with user interaction can exploit this to access sensitive user data or modify system settings protected by privacy controls. The vulnerability requires patching through official OS updates, as no workaround is currently available.
Sandbox escape vulnerability in Apple's macOS, iOS, tvOS, and related platforms (CVE-2026-20628) permits malicious applications to break out of their sandbox restrictions through a permissions bypass. A local attacker with user interaction can achieve high-impact confidentiality and integrity violations by exploiting this weakness. Patches are available across multiple OS versions including macOS Tahoe 26.3, iOS 18.7.5, tvOS 26.3, and others.
Unprivileged local users can exploit a race condition in Apple's operating systems (macOS, iOS, iPadOS, tvOS, and visionOS) to escalate privileges to root through improper state handling during concurrent operations. This vulnerability affects multiple OS versions and requires local access with low privileges to trigger, making it exploitable by malicious applications or local attackers. No patch is currently available for this vulnerability.