A Local File Inclusion (LFI) vulnerability exists in the ThemeREX Good Homes WordPress theme through version 1.3.13, allowing attackers to include and execute arbitrary local files on the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling unauthenticated attackers to disclose sensitive information or achieve remote code execution by accessing system files. No CVSS score, EPSS data, or active KEV designation was reported, but the LFI classification and information disclosure impact indicate this requires prompt patching.
A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes Gaspard WordPress theme through version 1.3, stemming from improper control of filenames in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive information such as configuration files, database credentials, or other sensitive data. The vulnerability affects all versions up to and including 1.3, and while no CVSS score or EPSS data is currently published, the LFI classification and information disclosure impact indicate this requires prompt remediation.
A Blind SQL Injection vulnerability exists in OpenEMR's Patient Search functionality that allows authenticated attackers to execute arbitrary SQL commands by manipulating HTTP parameter keys instead of values. OpenEMR versions prior to 8.0.0.3 are affected. With a CVSS score of 8.1 (High), this vulnerability enables high confidentiality and integrity impact, allowing attackers to extract sensitive patient health records and potentially modify database contents, though exploitation requires low-privileged authentication.
Authentication bypass in Tutor LMS Pro WordPress plugin (versions through 3.9.4) allows remote attackers to abuse authentication mechanisms via alternate paths, potentially gaining unauthorized administrative access. CVSS 8.1 reflects high attack complexity (AC:H) requiring specific conditions, yet successful exploitation grants complete system compromise (C:H/I:H/A:H). EPSS probability of 0.02% (6th percentile) indicates low observed exploitation activity. No active exploitation confirmed by CISA KEV. SSVC framework classifies this as non-automatable with total technical impact, making it a priority for organizations running this WordPress LMS plugin despite low real-world exploitation signals.
Authentication bypass in Ultimate Membership Pro WordPress plugin versions through 13.7 enables remote attackers to circumvent access controls via alternate authentication paths, potentially achieving complete account takeover. Attack complexity is rated high (AC:H) but requires no authentication or user interaction. EPSS score is low (0.02%, 6th percentile) indicating minimal observed exploitation activity. No active exploitation confirmed by CISA KEV at time of analysis. SSVC framework rates technical impact as total with exploitation status of none.
A PHP object injection vulnerability exists in the xtemos WoodMart WordPress theme through version 8.3.8, stemming from insecure deserialization of untrusted data. This vulnerability allows attackers to inject malicious serialized objects that can be instantiated during deserialization, potentially leading to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. The vulnerability affects all versions of WoodMart up to and including 8.3.8, with no CVSS score or EPSS data currently published, though the underlying deserialization flaw (CWE-502) is a known vector for critical remote exploitation.
AncoraThemes Melody melodyschool theme versions up to 1.6.3 contain a PHP object injection vulnerability stemming from unsafe deserialization of untrusted data (CWE-502). This flaw allows attackers to inject malicious serialized objects that can lead to arbitrary code execution or other critical impacts depending on available PHP gadget chains in the WordPress environment. While no CVSS score or EPSS data is currently published and KEV status is unknown, the vulnerability affects a WordPress theme distributed through the Patchstack vulnerability database, indicating active tracking by the security community.
A PHP object injection vulnerability exists in AncoraThemes Morning Records WordPress theme through version 1.2, arising from unsafe deserialization of untrusted data (CWE-502). This flaw allows attackers to inject malicious objects that can lead to arbitrary code execution or other severe impacts depending on available PHP gadget chains in the WordPress environment. While no CVSS score or EPSS data is currently published, the vulnerability has been documented by Patchstack security researchers, indicating active awareness in the security community.
A privilege escalation vulnerability exists in the wpeverest User Registration WordPress plugin through version 4.4.9 due to incorrect privilege assignment (CWE-266). This flaw allows authenticated or unauthenticated attackers to escalate their privileges within the plugin, potentially gaining administrative access or elevated capabilities. No CVSS score, EPSS data, or KEV status has been published, limiting quantification of real-world exploitation risk, though the vulnerability was reported by Patchstack and affects all installations running version 4.4.9 or earlier.
An Incorrect Privilege Assignment vulnerability (CWE-266) exists in the Salon Booking System Pro WordPress plugin versions prior to 10.30.12, allowing attackers to escalate privileges and potentially achieve account takeover. The vulnerability affects all versions of the salon-booking-plugin-pro from an unspecified baseline through version 10.30.11. This privilege escalation can be exploited by unauthenticated or low-privileged attackers to gain unauthorized administrative access to the booking system.
RegistrationMagic, a WordPress plugin for custom registration forms, contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation through improper access controls. Versions up to and including 6.0.7.1 are affected, enabling attackers to escalate privileges and potentially take over user accounts. While CVSS and EPSS scores are not publicly available, the vulnerability has been documented by Patchstack and assigned ENISA tracking ID EUVD-2026-15569, indicating active vulnerability research and disclosure.
Sandbox escape vulnerability in macOS (Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, Tahoe 26.3 and earlier) allows locally-installed applications to break out of their sandbox restrictions through a race condition. An attacker with the ability to run an application on an affected system could exploit this to gain unauthorized access outside the application's intended security boundaries. No patch is currently available for this HIGH severity vulnerability (CVSS 8.1).
Sandboxed processes on Apple macOS (Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4) can escape sandbox isolation due to a race condition in state handling, allowing local attackers to bypass security restrictions and potentially execute arbitrary operations with elevated privileges. No patch is currently available for affected systems. The vulnerability requires local access and specific timing conditions but carries high impact across confidentiality, integrity, and availability.
Saloon versions prior to v4 contain a path traversal vulnerability in fixture name handling that allows attackers to read or write files outside the configured fixture directory. Users with MockResponse fixtures derived from untrusted input (such as request parameters or configuration values) are affected, as attackers can use path traversal sequences like ../ or absolute paths to access arbitrary files on the system with the privileges of the running process. The vulnerability has been patched in Saloon v4 with input validation and defense-in-depth path verification.
Use-after-free in Linux kernel's netfilter nft_set_pipapo enables local privilege escalation to kernel-level access (confidentiality/integrity/availability compromise). Affects Linux kernel 5.6+ through multiple stable branches (6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x). Vendor patches available across all affected kernel series. EPSS score of 0.03% (9th percentile) indicates low automated exploitation likelihood, consistent with local-access requirement and lack of public exploit code at time of analysis.
A use-after-free vulnerability exists in the Linux kernel's netfilter nf_tables flowtable implementation during error handling in the hook registration path. When hook registration fails (due to reaching maximum hook limits or hardware offload setup failures), the flowtable is not properly synchronized with RCU grace periods before being released, allowing concurrent packet processing or control plane operations (nfnetlink_hook) to access freed memory. This vulnerability affects all Linux kernel versions with the vulnerable nf_tables code and was discovered via KASAN reports during hook dumping operations; while not currently listed in known exploited vulnerabilities (KEV) databases, the use-after-free nature presents a real risk for denial of service or information disclosure in environments utilizing netfilter flowtables.
Local privilege escalation in Linux kernel netfilter subsystem (xt_CT module) allows authenticated attackers with low privileges to achieve arbitrary code execution, information disclosure, and denial of service. The vulnerability stems from improper handling of packets enqueued in nfqueue when connection tracking templates are removed, creating use-after-free conditions on helper modules or timeout policies. Patches released across stable branches 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, and mainline 7.0-rc5. EPSS score of 0.02% (7th percentile) indicates low probability of mass exploitation despite 7.8 CVSS severity, with no KEV listing or public POC identified.
A buffer overflow vulnerability exists in the Linux kernel's IFE (Intermediate Functional Element) traffic control action module where metadata list replacement incorrectly appends new metadata instead of replacing old entries, causing unbounded metadata accumulation. This affects all Linux kernel versions with the vulnerable IFE scheduling code (cpe:2.3:a:linux:linux). An attacker with the ability to modify traffic control rules can trigger an out-of-bounds write via the ife_tlv_meta_encode function, potentially achieving kernel memory corruption and denial of service. The vulnerability is not listed as actively exploited in public KEV databases, but patches are available across multiple stable kernel branches.
Local privilege escalation and denial of service in Linux kernel NFC rawsock implementation (versions 3.1 through 6.19.6, patched in 6.1.167, 6.6.130, 6.12.77, 6.18.17, 6.19.7, 7.0-rc3) allows authenticated local users to trigger use-after-free conditions via race between socket teardown and asynchronous NFC data transmission. CVSS 7.8 HIGH with local attack vector requiring low privileges. EPSS score 0.02% (6th percentile) indicates minimal real-world exploitation probability. Vendor patches available across all stable kernel branches since early 2026.
A stack-out-of-bounds write vulnerability exists in the Linux kernel's BPF devmap implementation where the get_upper_ifindexes() function iterates over upper network devices without properly validating buffer bounds. An attacker with the ability to create multiple virtual network devices (e.g., more than 8 macvlans) and trigger XDP packet processing with BPF_F_BROADCAST and BPF_F_EXCLUDE_INGRESS flags can write beyond allocated stack memory, potentially causing denial of service or arbitrary code execution. The vulnerability affects all Linux kernel versions using the vulnerable devmap code path and has been patched across multiple stable kernel branches, indicating recognition as a real security concern requiring immediate updates.
A memory corruption vulnerability exists in the Linux kernel's XDP (eXpress Data Path) subsystem where negative tailroom calculations are incorrectly reported as large unsigned integers, allowing buffer overflows during tail growth operations. This affects Linux kernel versions across multiple stable branches when certain Ethernet drivers (notably ixgbevf) report incorrect DMA write sizes, leading to heap corruption, segmentation faults, and general protection faults as demonstrated in the xskxceiver test utility. The vulnerability has no CVSS score assigned and shows no active KEV exploitation status, but represents a critical memory safety issue affecting systems using XDP with affected Ethernet drivers.
Use-after-free in Linux kernel network traffic control subsystem allows local authenticated attackers to execute arbitrary code with high privileges when changing network queue pair configurations on lockless qdiscs (virtio-net confirmed affected). Race condition between qdisc_reset_all_tx_gt() and dequeue operations causes memory to be freed while still in use. Vendor-released patches available for stable kernel branches 6.1.167, 6.6.130, 6.12.77, 6.18.17, 6.19.7, and mainline 7.0-rc3. EPSS exploitation probability is low (0.02%, 7th percentile) and no active exploitation confirmed at time of analysis, though a reliable reproducer exists using iperf3 and ethtool queue manipulation.
Use-after-free in Linux kernel cfg80211 WiFi subsystem allows local authenticated users with low privileges to achieve high impact on confidentiality, integrity, and availability through rfkill work-queue exploitation. The vulnerability affects Linux kernel versions 2.6.31 through 6.19-rc2, with patches released for stable branches 6.1.167, 6.6.130, 6.12.77, 6.18.17, 6.19.7, and 7.0-rc2. EPSS score of 0.02% (7th percentile) indicates very low probability of mass exploitation. No CISA KEV listing or public exploit identified at time of analysis, though the issue was discovered via syzkaller fuzzing, demonstrating automated exploit development potential.
A use-after-free (UAF) vulnerability exists in the Linux kernel's BPF subsystem within the bpf_trampoline_link_cgroup_shim function, where a race condition allows a process to reference memory after it has been freed. An attacker with CAP_BPF or CAP_PERFMON capabilities can trigger this vulnerability to cause a kernel crash (denial of service). A proof-of-concept has been demonstrated by the reporter, showing the bug can be reliably reproduced; the vulnerability is not listed on the CISA KEV catalog but affects all Linux kernel versions until patched.
A logic error in the Linux kernel's drm/vmwgfx driver causes the vmw_translate_ptr functions to return success when pointer lookups actually fail, because the error handling was not updated when the underlying lookup function's return mechanism changed from returning a pointer to returning an error code with pointer as an out parameter. This allows uninitialized pointer dereferences and out-of-bounds memory access when the functions incorrectly report success, potentially enabling information disclosure or privilege escalation via the VMware graphics driver.
A use-after-free vulnerability exists in the Linux kernel's pm8001 SCSI driver where the pm8001_queue_command() function incorrectly returns -ENODEV after already freeing a SAS task, causing the upper-layer libsas driver to attempt a second free operation. This affects all Linux kernel versions with the vulnerable pm8001 driver code, and while not remotely exploitable by default, it can lead to kernel memory corruption and denial of service on systems using PM8001-compatible SCSI controllers. No CVSS score, EPSS data, or active KEV status is currently available, but multiple stable kernel patches have been released across multiple branches.
Use-after-free in the Linux kernel's libertas wireless driver (lbs_free_adapter()) allows local privileged users to corrupt memory when a timer callback races with adapter teardown. The flaw stems from using non-synchronous timer_delete() instead of timer_delete_sync() on command_timer and tx_lockup_timer, leaving callbacks free to dereference freed driver_lock, cur_cmd, and dev fields. EPSS is very low (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but the bug has existed since the driver's introduction and on stable trees through 6.18.x.
A race condition exists in the Linux kernel's bridge CFM (Connectivity Fault Management) peer MEP (Maintenance End Point) deletion code where a delayed work queue can be rescheduled between the cancellation check and memory freeing, leading to use-after-free on freed memory. This affects all Linux kernel versions with the vulnerable bridge CFM implementation. An attacker with local access to trigger peer MEP deletion while CFM frame reception occurs could cause a kernel use-after-free condition potentially leading to information disclosure or denial of service.
A double-put vulnerability exists in the Linux kernel's pinctrl cirrus cs42l43 driver probe function, where devm_add_action_or_reset() already invokes cleanup on failure but the code explicitly calls put again, causing a double-free condition. This affects Linux kernel versions across multiple stable branches where the cs42l43 pinctrl driver is compiled. The vulnerability could lead to kernel memory corruption and potential denial of service or information disclosure when the driver probe path encounters failure conditions.
This vulnerability affects the Linux kernel's ARM64 BPF JIT compiler, where insufficient alignment requirements (4 bytes instead of 8 bytes) for the JIT buffer cause the bpf_plt structure's u64 target field to be misaligned. This misalignment creates two critical issues: UBSAN generates warnings for undefined behavior, and more dangerously, concurrent updates to the target field via WRITE_ONCE() in bpf_arch_text_poke() can result in torn 64-bit reads on ARM64 systems, causing the JIT to jump to corrupted addresses. Linux kernel versions using ARM64 BPF JIT are affected, and while there is no public exploit code available, this represents a memory corruption vulnerability that could lead to privilege escalation or denial of service. Multiple stable kernel patches are available addressing this issue.
This vulnerability is a race condition in the Linux kernel's PCI Designware endpoint driver where MSI-X interrupt writes to the host can complete after the corresponding Address Translation Unit (ATU) entry is unmapped, potentially corrupting host memory or triggering IOMMU errors. The vulnerability affects all Linux kernel versions with the vulnerable code path in the PCI DWC endpoint implementation (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), specifically impacting systems using PCI endpoint devices with MSI-X interrupt support such as NVMe-PCI endpoint function drivers. An attacker with the ability to trigger high-frequency MSI-X interrupts from a malicious endpoint device could exploit this race condition to cause denial of service through IOMMU faults or potentially corrupt host memory.
This vulnerability is a speculative execution safety flaw in the Linux kernel's x86 FRED (Flexible Return and Event Delivery) interrupt handling code where array_index_nospec() is incorrectly positioned, allowing speculative memory predictions to leak sensitive information through side-channel attacks. The vulnerability affects all Linux kernel versions with FRED support (primarily x86-64 systems with newer Intel/AMD processors). An attacker with local access could potentially infer sensitive kernel memory values through timing or covert channel attacks exploiting the unsafe speculation window.
A resource management vulnerability exists in the Linux kernel's DRM/XE (Intel Graphics Execution Manager) queue initialization code where the finalization function is not called when execution queue creation fails, leaving the queue registered in the GuC (GPU Unified Compute) list and potentially causing invalid memory references. This affects all Linux kernel versions containing the vulnerable DRM/XE driver code. The vulnerability could lead to memory corruption or system instability when an exec queue creation failure occurs, though exploitation would require local kernel code execution capability or ability to trigger queue creation failures.
A use-after-free vulnerability exists in the Linux kernel's crypto subsystem (CCP driver) within the sev_tsm_init_locked() function error path, where a pr_err() statement dereferences freed memory to access structure fields t->tio_en and t->tio_init_done after kfree(t) has been executed. This vulnerability can lead to information disclosure by reading freed memory contents. The issue affects Linux kernel versions across distributions using the affected CCP crypto driver code and was identified by the Smatch static analyzer.
This vulnerability is a memory leak in the Linux kernel's AF_XDP socket implementation where buffers fail to be properly returned to the free list due to improper list node reinitialization. The vulnerability affects all Linux kernel versions with the AF_XDP subsystem enabled, potentially allowing local attackers or unprivileged users to exhaust kernel memory over time. While not actively exploited in the wild according to available intelligence, the vulnerability has clear patches available in stable kernel branches and represents a real denial-of-service risk for systems relying on XDP functionality.
The Apple Silicon SMC hwmon driver (macsmc-hwmon) in the Linux kernel contains critical memory safety bugs in sensor population and float conversion logic. Specifically, voltage sensors are incorrectly registered to the temperature sensor array, and float-to-32-bit conversion has flawed exponent handling, potentially leading to out-of-bounds memory access, data corruption, or incorrect fan control on affected Apple Silicon systems. The vulnerability affects Linux kernel versions with the macsmc-hwmon driver and has been patched; no active exploitation or POC is currently known, but the nature of the bugs suggests high real-world risk for systems relying on thermal management.
An out-of-bounds memory write vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) where a memset() operation clears a command header before validating sufficient space is available in the command slot, potentially leading to memory corruption. The vulnerability affects Linux kernel versions across multiple releases where the amdxdna driver is present and enabled. An attacker with local access and appropriate capabilities to interact with the amdxdna device could trigger this memory corruption to achieve denial of service or potentially escalate privileges.
This vulnerability is a memory handling flaw in Apple's operating systems (iOS, iPadOS, macOS, tvOS, visionOS, and watchOS) that allows a malicious application to trigger unexpected system termination or corrupt kernel memory. The vulnerability affects all versions prior to the version 26.4 releases across Apple's entire ecosystem. An attacker can exploit this by crafting a malicious app that triggers improper memory handling, potentially leading to denial of service or privilege escalation through kernel memory corruption.
A buffer overflow vulnerability exists in the Linux kernel's dma_map_sg tracepoint that can be triggered when tracing large scatter-gather lists, particularly with devices like virtio-gpu that create large DRM buffers exceeding 1000 entries. The vulnerability affects all Linux kernel versions prior to the fix and can cause perf buffer overflow warnings and potential kernel instability when dynamic array allocations exceed PERF_MAX_TRACE_SIZE (8192 bytes). While this is a kernel-level issue requiring local access to trigger tracing functionality, it poses a denial-of-service risk and memory safety concern for systems using performance tracing on workloads with large scatter-gather operations.
A use-after-free and list corruption vulnerability exists in the Linux kernel's IPMI (Intelligent Platform Management Interface) subsystem when the SMI sender returns an error. The vulnerability affects all Linux kernel versions with the vulnerable IPMI code path, allowing local attackers or processes with IPMI access to trigger denial of service conditions through list corruption and NULL pointer dereferences. The vulnerability is not currently listed in CISA's KEV catalog, and no CVSS or EPSS scores have been published; however, the technical nature indicates high reliability for exploitation by local actors with kernel interface access.
A size calculation overflow vulnerability exists in the Linux kernel's accel/amdxdna driver that can result in undersized buffer allocations and potential memory corruption. The vulnerability affects Linux kernel versions across multiple branches where the AMD XDNA accelerator driver is compiled. An attacker with local access could exploit this to trigger memory corruption, potentially leading to denial of service or privilege escalation, though exploitation complexity and attack surface requirements remain moderate.
HTTP Server input validation failures in Cisco IOS and IOS XE Release 3E enable authenticated remote attackers to trigger device reloads via malformed requests, causing denial of service. An attacker with valid credentials can exploit improper input handling to exhaust watchdog timers and force unexpected system restarts. No patch is currently available for this vulnerability affecting Cisco and Apple products.
Low-privilege authenticated users in OpenEMR versions up to and including 8.0.0.3 can view and download Ensora eRx error logs due to missing authorization checks, exposing sensitive healthcare system information. This broken access control vulnerability (CVSS 7.7) affects network-accessible installations and has a 3% EPSS exploitation probability (8th percentile), with no public exploit identified at time of analysis. No vendor-released patch identified at time of analysis according to the CVE disclosure.
OpenEMR versions prior to 8.0.0.3 contain an XML External Entity (XXE) injection vulnerability in the Carecoordination module that allows authenticated users to read arbitrary files from the server. Attackers can exploit this by uploading a maliciously crafted CCDA document containing XXE payloads to access sensitive server files such as /etc/passwd. A patch is available in version 8.0.0.3, and this vulnerability has a CVSS score of 7.7 with high confidentiality impact.
A path traversal vulnerability exists in designingmedia Energox theme affecting versions up to and including 1.2, allowing attackers to access files outside intended directories through improper pathname validation. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and has been reported by Patchstack. While CVSS and EPSS scores are not available and KEV status is unknown, the vulnerability represents a classic file access control weakness that could enable unauthorized file disclosure or deletion depending on application context.
A path traversal vulnerability in designingmedia Instant VA (a WordPress theme) allows attackers to access and manipulate files outside the intended restricted directory through improper pathname validation. This vulnerability affects Instant VA versions up to and including 1.0.1, enabling potential arbitrary file deletion or unauthorized file access depending on server permissions. While no CVSS or EPSS scoring has been assigned and KEV status is unknown, the vulnerability has been documented by Patchstack with a functional reference to the Instant VA theme, indicating active research and potential proof-of-concept availability.
A missing authorization vulnerability exists in WebToffee Comments Import & Export for WooCommerce (versions up to 2.4.9) that allows attackers to exploit incorrectly configured access control, potentially enabling unauthorized comment manipulation. The vulnerability is classified as CWE-862 (Missing Authorization), affecting WordPress installations using this plugin. Attackers with low or no privileges may be able to bypass authentication mechanisms to perform unauthorized actions on comment data.
An issue in Eufy Homebase 2 version 3.3.4.1h allows a local attacker to obtain sensitive information via the cryptographic scheme. Rated high severity (CVSS 7.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Panorama Web HMI contains a path traversal vulnerability (CWE-552) that allows unauthenticated remote attackers to read arbitrary server files if their paths are known and accessible to the service account. The vulnerability affects Panorama Suite versions 2022-SP1, 2023, and 2025 installations, requiring specific security updates to remediate. Currently no patch is available for the latest affected versions.
A Command Injection vulnerability in OpenHands allows authenticated users to execute arbitrary commands in the agent sandbox by injecting shell metacharacters into the path parameter of the /api/conversations/{conversation_id}/git/diff API endpoint. The vulnerability affects OpenHands installations exposing this endpoint, with a CVSS score of 7.6. A patch is available via PR #13051, and while no EPSS or KEV data indicates active exploitation, the vulnerability is easily exploitable by any authenticated user.