Session hijacking in Manyfold prior to version 0.133.0 allows unauthenticated attackers to steal user session cookies through proxy cache leakage, potentially gaining unauthorized access to self-hosted 3D model collections. Public exploit code exists for this vulnerability, and no patch is currently available for affected versions. This attack requires user interaction and can result in complete account compromise without data modification capabilities.
NanaZip versions 5.0.1252.0 through 6.5.1637.0 contain an out-of-bounds memory access flaw in the UFS file parser that can be triggered by opening a malicious .ufs/.ufs2/.img archive file, potentially causing process crashes, hangs, or exploitable heap corruption. Local attackers can exploit this vulnerability through normal file-open operations without elevated privileges, and public exploit code is available. No patch is currently available for affected versions.
Zen C is a systems programming language that compiles to human-readable GNU C/C11. [CVSS 6.6 MEDIUM]
Out-of-bounds memory read in NanaZip versions 5.0.1252.0 through 6.0.1637.x allows local authenticated attackers to disclose in-process memory or trigger application crashes by crafting malicious .NET Single File Application bundles with malformed manifest headers. Public exploit code exists for this vulnerability, and patches are available in versions 6.0.1638.0 and 6.5.1638.0. The issue affects Dotnet and Nanazip products where a malicious user interaction with crafted archive files can bypass bounds checking during manifest parsing.
Authenticated users in OpenEMR through version 8.0.0 can access and modify eye exam records belonging to other patients by manipulating form IDs, bypassing patient context validation. This allows disclosure or alteration of sensitive medical data across the patient database, and public exploit code exists for this vulnerability. A patch is available on the main branch of the OpenEMR repository.
Astro web framework versions 9.0.0 through 9.5.3 fail to validate remote image domains when the inferSize option is enabled, allowing attackers to trigger server-side requests to arbitrary hosts and bypass configured image.domains and image.remotePatterns restrictions. An attacker controlling image URLs through CMS content or user input can exploit this to perform SSRF attacks or access unauthorized resources. Public exploit code exists for this vulnerability.
hoppscotch is an open source API development ecosystem. [CVSS 6.5 MEDIUM]
SQL injection in Phishing Club's GetOrphaned recipient endpoint allows authenticated attackers to manipulate ORDER BY clauses by injecting malicious SQL expressions through an unvalidated sortBy parameter. Public exploit code exists for this vulnerability, affecting versions prior to 1.30.2, where attackers can extract sensitive data despite the lack of direct integrity or availability impact. The vulnerability has been patched in v1.30.2 through implementation of column allowlist validation.
Dottie versions 2.0.4 through 2.0.6 suffer from an incomplete prototype pollution fix that allows attackers to bypass validation by placing `__proto__` in non-first positions within dot-separated paths, affecting both `dottie.set()` and `dottie.transform()` functions. An attacker can exploit this to pollute object prototypes and achieve limited confidentiality, integrity, and availability impacts. Public exploit code exists and a patch is available in version 2.0.7.
Asp.Net-Core-Inventory-Order-Management-System versions up to 9.20250118. contains a security vulnerability (CVSS 6.3).
Junrar versions prior to 7.5.8 contain a path traversal vulnerability in LocalFolderExtractor that allows attackers to write arbitrary files to the filesystem when processing malicious RAR archives on Linux/Unix systems. Public exploit code exists for this vulnerability, which can facilitate remote code execution through file overwrite attacks such as modifying shell profiles or cron jobs. Users should upgrade to version 7.5.8 or later to remediate this issue.
Mailpit versions prior to 1.29.2 contain a Server-Side Request Forgery vulnerability in the Link Check API that allows unauthenticated remote attackers to perform HTTP requests to arbitrary hosts, including internal and private IP addresses. The API fails to validate or filter target URLs and returns status codes for each link, enabling non-blind SSRF attacks. Public exploit code exists for this vulnerability, affecting deployments with default configuration.
SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /settings/index.php allows unauthenticated remote attackers to manipulate database queries and potentially read or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available. Organizations running affected versions should implement access controls or upgrade immediately to mitigate the risk.
Manyfold versions up to 0.133.1 is affected by authorization bypass through user-controlled key (CVSS 5.3).
NanaZip versions 5.0.1252.0 through 6.5.1637.x contain an integer underflow in the .NET Single File Application parser that allows local attackers with user privileges to cause denial of service through unbounded memory allocation when opening a specially crafted archive file. Public exploit code exists for this vulnerability. Patches are available in versions 6.0.1638.0 and 6.5.1638.0.
Stored XSS in Audiobookshelf prior to version 2.32.0 enables privileged users to inject malicious code into library metadata that executes in other users' browsers, potentially compromising sessions and enabling data theft. Public exploit code exists for this vulnerability. A patch is available in version 2.32.0 and later.
Wger versions up to 2.4 allow authenticated users to access other users' private nutrition plans through insecure direct object references in the nutritional_values endpoints, exposing sensitive dietary data including caloric intake and macronutrient breakdowns. The vulnerability stems from bypassing user-scoped querysets via direct primary key lookups, and public exploit code is available.
Wger versions up to 2.4 expose all users' repetition configuration data to any authenticated attacker due to missing authorization checks in the RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet endpoints. A registered user can enumerate the complete workout structures of all other users on the platform. Public exploit code exists for this vulnerability, and a patch is available.
Path traversal in hexpm's Local Storage backend allows unauthenticated attackers to read sensitive files through relative path manipulation in the file storage routines. Only self-hosted hexpm deployments using Local Storage are affected; the managed hex.pm service is not vulnerable. An attacker can access arbitrary files accessible to the hexpm process without authentication or user interaction.
Kibana's Content Connectors search endpoint fails to properly validate user input, allowing authenticated attackers to trigger a denial of service condition through crafted request data. This medium-severity vulnerability affects systems where users have login credentials and can be exploited without user interaction.
Unauthenticated attackers can submit forged webhook payloads to multiple email provider integrations in Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 when authentication tokens are not configured, allowing them to artificially inflate user bounce scores and disable legitimate user accounts. The vulnerability affects webhook endpoints for SendGrid, Mailjet, Mandrill, Postmark, and SparkPost, with Mailpace having no token validation whatsoever. Administrators should immediately configure webhook authentication tokens for all email provider integrations as a workaround until patching is available.
Kibana contains a vulnerability that allows attackers to an authenticated attacker with view-only privileges to cause a Denial of Service (CVSS 6.5).
Kibana's Timelion component is vulnerable to denial of service through uncontrolled resource consumption when processing malicious input data, affecting authenticated users with network access to the application. An attacker with valid credentials can manipulate input to exhaust system resources and render the service unavailable. No patch is currently available for this vulnerability.
Fleet versions up to 4.80.1 contains a vulnerability that allows attackers to unauthorized access to Google Calendar resources associated with the service acc (CVSS 6.5).
Server-Side Request Forgery in Zitadel's Action V2 webhook feature allows unauthenticated attackers to probe internal network services and gather information about internal infrastructure by crafting malicious webhook target URLs pointing to localhost or private IP addresses. The vulnerability affects Zitadel versions 4.0.0 through 4.11.0, with schema validation providing limited mitigation. No patch is currently available.
Fleet device management software versions before 4.80.1 contain an authorization bypass in the certificate template deletion API that allows team administrators to delete certificate templates belonging to other teams. The vulnerability stems from insufficient validation of template ownership during batch deletion operations, enabling cross-team resource destruction that could disrupt certificate-dependent functions like device enrollment and VPN access. A patch is not yet available as of this CVE publication.
WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder contains a security vulnerability (CVSS 6.5).
Stored cross-site scripting in UX-themes Flatsome version 3.20.1 and earlier enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. The vulnerability requires user interaction to trigger the stored payload, and no patch is currently available.
Zitadel versions prior to 4.11.1 and 3.4.7 permit authenticated users to bypass email and phone verification procedures through the self-management feature, allowing them to mark contact information as verified without completing actual validation. This integrity bypass enables account compromise scenarios where attackers with valid credentials can impersonate other users or escalate privileges by falsifying verified contact details. No patch is currently available for affected deployments, though implementing action rules (v2) can mitigate the risk.
SQL injection in Discourse's private message tag filtering allows authenticated users to bypass tag restrictions and read unauthorized private message metadata. Affected versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 expose sensitive conversation information to users who should not have access. No patch workaround exists for unpatched installations.
Live Helper Chat is an open-source application that enables live support websites. [CVSS 6.5 MEDIUM]
Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2026.1.14, the git_add tool did not validate that file paths provided in the files argument were within the repository boundaries.
Livemesh Addons for Beaver Builder (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploita...
Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit 48f521b, contain a stack-based buffer overflow in Payload Utils. The golioth_payload_as_int() and golioth_payload_as_float() helpers copy network-supplied payload data into fixed-size stack buffers using memcpy() with a length derived from payload_size. The only length checks are guarded by assert(); in release builds, the asserts are compiled out and memcpy() may copy an unbounded payload_size. Payloads larger than 12 bytes...
Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit d7f55b38, contain an out-of-bounds read in LightDB State string parsing. When processing a string payload, a payload_size value less than 2 can cause a size_t underflow when computing the number of bytes to copy (nbytes). The subsequent memcpy() reads past the end of the network buffer, which can crash the device. The condition is reachable from on_payload, and golioth_payload_is_null() does not block payload_size==1. A mali...
Stored cross-site scripting in the EM Cost Calculator WordPress plugin up to version 2.3.1 allows unauthenticated attackers to inject malicious scripts through the customer name field, which execute when administrators access the customer list. An attacker can exploit this to steal admin credentials or perform unauthorized actions within the WordPress environment. No patch is currently available for this vulnerability.
A3factura's sales delivery notes endpoint is vulnerable to reflected XSS through the customerVATNumber parameter, enabling attackers to execute arbitrary JavaScript in users' browsers via malicious links. The vulnerability requires user interaction and affects the confidentiality and integrity of victim sessions, with no patch currently available. The attack has low complexity and can impact multiple users if the vulnerable parameter is exploited in phishing or watering hole scenarios.
A3factura's sales invoice endpoint is vulnerable to reflected XSS through the customerName parameter, enabling attackers to execute arbitrary JavaScript in users' browsers via a crafted link. This requires user interaction to trigger but affects all A3factura users on the vulnerable platform. No patch is currently available.
Reflected XSS in the A3factura customer management interface allows unauthenticated attackers to inject malicious scripts through the name parameter, potentially enabling session hijacking or credential theft when victims click a crafted link. The vulnerability requires user interaction and affects the web application at wolterskluwer.es, with no patch currently available.
A3factura's representatives management endpoint contains a reflected XSS vulnerability in the 'name' parameter that enables attackers to inject and execute arbitrary JavaScript in users' browsers through a crafted URL. An attacker can exploit this via social engineering to steal session tokens, manipulate account data, or perform unauthorized actions on behalf of the victim. Currently no patch is available for this medium-severity vulnerability affecting the Wolters Kluwer A3factura platform.
Svelte versions prior to 5.53.5 fail to properly escape text bindings on contenteditable elements, allowing attackers to inject malicious HTML and execute arbitrary scripts when the application renders untrusted data as initial binding values during server-side rendering. This affects applications that use `bind:innerText` or `bind:textContent` with user-controlled input. A patch is available in version 5.53.5.
Stored cross-site scripting in Discourse allows attackers to inject malicious HTML through user full names when specific display settings are enabled, which executes in the browsers of users viewing or editing affected posts. The vulnerability requires the `display_name_on_posts` setting to be true and `prioritize_username_in_ux` to be false, potentially affecting installations with these configurations. No patch is currently available, and users should disable the vulnerable display settings or upgrade to patched versions 2025.12.2, 2026.1.1, or 2026.2.0.
Stored XSS in osctrl-admin prior to version 0.5.0 allows low-privileged users with query permissions to inject malicious JavaScript into the on-demand query list, affecting all users who view the page. An attacker can exploit this vulnerability to steal CSRF tokens and impersonate other users, potentially compromising the entire platform if an administrator is compromised. A patch is available in version 0.5.0.
Null pointer dereference in Windows allows authenticated local users to cause a denial of service condition with potential system instability. An attacker with valid user credentials can trigger this memory safety issue to crash affected processes or degrade system availability. No patch is currently available for this vulnerability.
Kiteworks versions prior to 9.2.0 suffer from a command injection vulnerability that permits authenticated users to redirect command output to arbitrary file locations, potentially enabling overwriting of critical system files and privilege escalation. The vulnerability requires high privileges and manual user interaction to exploit, resulting in a medium severity rating with limited real-world exploitation likelihood (EPSS 0.1%). No patch is currently available for affected installations.
VMWare Workstation and Fusion contain a logic flaw in the management of network packets. Known attack vectors: A malicious actor with administrative privileges on a Guest VM may be able to interrupt or intercept network connections of other Guest VM's. [CVSS 5.9 MEDIUM]
SteVe is an open-source EV charging station management system. [CVSS 6.3 MEDIUM]
Packetbeat's PostgreSQL protocol parser improperly validates array indices, allowing authenticated attackers on the same network to crash the monitoring service by sending malicious packets. An attacker exploiting this denial-of-service vulnerability can terminate the Packetbeat process, disrupting monitoring capabilities on systems with PostgreSQL protocol monitoring enabled. No patch is currently available.
Fleet's device lock and wipe PIN generation relies on predictable timestamps without additional entropy, allowing attackers with physical access to a locked device and knowledge of the approximate lock time to brute-force the 6-digit PIN within a limited search window. This vulnerability affects Fleet versions prior to 4.80.1 and requires local access and timing knowledge to exploit. No patch is currently available.