Stored cross-site scripting (XSS) in FOG Project versions prior to 1.5.10.1812 allows authenticated high-privilege administrators to inject malicious scripts into management pages (Host, Storage, Group, Image, Printer, Snapin) through unsanitized record creation/update parameters, which are then executed when other administrators view the listing tables. The vulnerability requires administrative access and user interaction to trigger, resulting in potential session hijacking, credential theft, or lateral movement within the management interface.
Improper authorization in Chatwoot up to version 4.11.1 allows remote unauthenticated attackers to bypass authentication via the signupEnabled parameter in the /app/login endpoint's Signup Endpoint component. The vulnerability enables attackers to manipulate signup authorization controls by setting signupEnabled to true, resulting in unauthorized access. Publicly available exploit code exists, and the vendor did not respond to early disclosure notification.
Streamax Crocus 1.3.44 contains a remote SQL injection vulnerability in the /OperateStatistic.do endpoint via the VehicleID parameter, allowing unauthenticated remote attackers to manipulate database queries and extract or modify sensitive data. Public exploit code exists for this vulnerability, and the vendor has not responded to early disclosure notifications, leaving affected deployments without an official patch.
SQL injection in Streamax Crocus 1.3.44 parameter handler allows unauthenticated remote attackers to manipulate the State argument in /DevicePrint.do?Action=ReadTask endpoint, enabling database queries with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; the vendor has not responded to early disclosure notification and no patch is available.
Firewalld on Red Hat Enterprise Linux 7, 8, 9, and 10, as well as OpenShift Container Platform 4, contains an authentication bypass vulnerability in two D-Bus setters (setZoneSettings2 and setPolicySettings) that allows local unprivileged users to modify runtime firewall configurations without proper authorization. An authenticated local attacker can exploit this to change network security policies, potentially enabling lateral movement or service disruption. No public exploit code has been identified at the time of analysis, though Red Hat has issued security advisories (CVE-2026-4948, Bugzilla #2452086).
Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12 mishandle HTTP/1.1 URLs with a root path (/) in unchecked req.url scenarios, enabling cache poisoning and authentication bypass attacks. Unauthenticated remote attackers can exploit this with moderate complexity to poison cached content or bypass authentication controls affecting downstream clients. No active exploitation has been confirmed, though the vulnerability carries a 5.4 CVSS score reflecting network accessibility and partial impact to confidentiality and integrity.
Open WebUI versions prior to 0.8.6 allow authenticated users to delete arbitrary files from knowledge bases they have write access to, due to missing validation that files actually belong to the target knowledge base. An attacker with legitimate write permissions to any knowledge base can exploit this to delete files from other knowledge bases by crafting requests with known file identifiers, resulting in data loss and service disruption. No public exploit code or active exploitation has been reported at time of analysis.
WebSocket token validation bypass in WWBN AVideo versions up to 26.0 allows authenticated attackers to retain permanent real-time access to sensitive connection metadata after account revocation. The verifyTokenSocket() function fails to enforce token expiration despite generating 12-hour timeouts, enabling captured tokens to grant indefinite access to admin-level data including IP addresses, browser fingerprints, and user page locations. Authenticated users (PR:L per CVSS vector) can exploit this to maintain surveillance capabilities even after account deletion or privilege demotion. No public exploit identified at time of analysis.
WWBN AVideo versions up to 26.0 allow authenticated users to arbitrarily overwrite poster images for any scheduled live stream due to missing authorization checks in the uploadPoster.php endpoint, combined with subsequent broadcast of sensitive broadcast keys and user IDs to all connected WebSocket clients. An authenticated attacker can exploit this vulnerability without user interaction to deface another user's scheduled broadcasts and potentially harvest credential material for further attacks. No public exploit identified at time of analysis, though the vulnerability has been disclosed via GitHub security advisory with a published fix commit available.
OX Dovecot Pro authentication server becomes disconnected when processing invalid base64 SASL data, causing all concurrent active authentication sessions to fail and enabling denial-of-service attacks against login infrastructure. Unauthenticated remote attackers can trigger this condition with minimal attack complexity by sending malformed base64 sequences to the SASL authentication handler. No public exploit code is currently available, and the vulnerability carries a CVSS score of 5.3 reflecting limited availability impact without confidentiality or integrity compromise.
MapServer versions 4.2 through 8.6.0 are vulnerable to a heap buffer overflow in the SLD (Styled Layer Descriptor) parser that allows remote, unauthenticated attackers to crash the MapServer process by sending a crafted SLD document containing more than 100 Threshold elements within a ColorMap/Categorize structure. The vulnerability is reachable via WMS GetMap requests using the SLD_BODY parameter, requiring no authentication or user interaction. Vendor-released patch: version 8.6.1 eliminates the issue; no public exploit code or active exploitation has been identified at time of analysis.
Wazuh authd daemon contains a heap-buffer overflow vulnerability (CWE-125) triggered by specially crafted input from authenticated remote users, causing memory corruption and denial of service to the authentication daemon. The vulnerability affects all versions of Wazuh (CPE: cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*) and requires authenticated network access to exploit; no public exploit code or active exploitation has been confirmed at this time.
Denial-of-service vulnerability in python-ecdsa library allows remote attackers to crash applications parsing untrusted DER-encoded private keys through truncated or malformed DER structures. The DER parsing functions accept invalid input that declares a longer byte length than actually provided, subsequently triggering unexpected internal IndexError exceptions instead of cleanly rejecting the malformed data. Publicly available proof-of-concept code demonstrates deterministic crashes via SigningKey.from_der() on mutated DER inputs.
Path traversal in OX Dovecot Pro allows unauthenticated remote attackers to read arbitrary files such as /etc/passwd when per-domain passwd files are misconfigured above /etc or when slash characters are added to the domain path component. Successful exploitation can expose system authentication data or make system users appear as valid mail users, leading to unauthorized access. No public exploit code is currently known, and the vulnerability requires specific misconfiguration to trigger, resulting in a moderate CVSS score of 5.3 with low confidentiality impact.
Integer overflow in dloebl CGIF up to version 0.5.2 allows remote attackers to trigger availability impact via manipulation of width/height arguments in the cgif_addframe function. The vulnerability requires user interaction (UI:P) but can be exploited over the network with no authentication. A patch is available via upstream commit b0ba830093f4317a5d1f345715d2fa3cd2dab474.
OX Dovecot Pro mail delivery processes consume excessive CPU resources when processing mail messages containing abnormally high numbers of RFC 2231 MIME parameters, enabling remote denial of service without authentication or user interaction. Unauthenticated remote attackers can craft malicious MIME messages to trigger algorithmic complexity in parameter parsing, degrading mail service availability. No public exploit code is currently known, and patch availability has not been independently confirmed from the provided advisory reference.
WWBN AVideo up to version 26.0 fails to enforce password verification on API endpoints `get_api_video_file` and `get_api_video`, allowing unauthenticated remote attackers to retrieve direct playback URLs (MP4 files and HLS manifests) for password-protected videos by directly invoking the API. The web interface enforces password checks through the `CustomizeUser::getModeYouTube()` hook, but this validation is entirely absent from the API code path, creating a complete authentication bypass. Upstream fix available via commit be344206f2f461c034ad2f1c5d8212dd8a52b8c7; no public exploit or active exploitation confirmed at time of analysis.
Unauthenticated stream hijacking in LibreChat versions 0.8.2-rc2 through 0.8.2-rc3 allows authenticated users to read other users' real-time chat conversations via the SSE streaming endpoint `/api/agents/chat/stream/:streamId` without ownership verification. An attacker with valid credentials can enumerate or guess stream IDs to intercept sensitive messages, AI-generated responses, and tool invocation data from arbitrary users. The vulnerability was patched in version 0.8.2.
WWBN AVideo up to version 26.0 allows authenticated attackers to conduct concurrent balance transfers that exploit a Time-of-Check-Time-of-Use (TOCTOU) race condition in the wallet module, enabling arbitrary financial value multiplication without database transaction protection. An attacker with multiple authenticated sessions can trigger parallel transfer requests that each read the same wallet balance, all pass the sufficiency check independently, but result in only a single deduction while the recipient receives multiple credits. The vulnerability requires local authentication and moderate attacker effort (AC:H) but carries high integrity impact; no public exploit code or active exploitation has been identified at the time of analysis.
Wazuh authd contains a heap-buffer overflow vulnerability that allows attackers to cause memory corruption and malformed heap data by sending specially crafted input. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WWBN AVideo versions up to 26.0 expose all non-private video categories to unauthenticated remote attackers due to missing access control enforcement in the categories.json.php endpoint. The vulnerability combines two distinct flaws: complete bypass of group-based filtering when no user parameter is supplied, and a type confusion bug that substitutes the admin user's group memberships when a user parameter is present, allowing unauthorized disclosure of category metadata intended for restricted user groups. CVSS 5.3 reflects the information disclosure impact with no authentication required and low attack complexity; no public exploit code or active exploitation has been confirmed at time of analysis.
Clickedu contains a reflected XSS vulnerability in the /user.php/ endpoint that permits remote attackers to execute arbitrary JavaScript in a victim's browser via malicious URL parameters, enabling session hijacking, credential theft, and unauthorized actions. The vulnerability affects all versions of Sanoma's Clickedu product (per CPE cpe:2.3:a:sanoma:clickedu:*:*:*:*:*:*:*:*) and a vendor patch is available. No CVSS score or active exploitation data was provided; however, the reflected XSS attack vector combined with educational platform context indicates moderate to high real-world risk given typical user trust in institutional URLs.
ByteDance Deer-Flow artifacts API fails to sanitize user-supplied HTML and script content before storage and rendering, enabling stored cross-site scripting (XSS) attacks that execute arbitrary scripts in the browser context of users viewing artifacts. All versions prior to commit 5dbb362 are affected; attackers can compromise sessions, steal credentials, and execute arbitrary JavaScript without authentication. A patch is available from the vendor via GitHub commit 5dbb3623b2f0e490c8bb3cd81b1e3b1b12eae1a6, and no public exploit code or active exploitation has been identified at time of analysis.
Cross-site scripting (XSS) in QDOCS Smart School Management System up to version 7.2 allows authenticated remote attackers to inject malicious scripts via the Note parameter in the /admin/enquiry endpoint of the Admission Enquiry Module, potentially compromising session integrity and user data. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), resulting in a CVSS 5.1 score with low integrity impact. No public exploit code or active exploitation has been confirmed at the time of this analysis.
Stored cross-site scripting (XSS) in the WordPress OpenStreetMap plugin by MiKa allows authenticated users with page creation or editing privileges to inject malicious scripts that execute in the browsers of other users viewing the affected pages. The vulnerability affects all versions of the plugin via CPE cpe:2.3:a:mika:openstreetmap:*:*:*:*:*:*:*:*. With a CVSS score of 5.4 and moderate attack complexity requiring user interaction, this poses a localized but meaningful risk to WordPress sites where contributors or editors cannot be fully trusted. No public exploit code or active exploitation has been confirmed at time of analysis.
Traefik reverse proxy and load balancer versions prior to 2.11.42, 3.6.11, and 3.7.0-ea.3 allow authenticated attackers to inject canonical HTTP header names that override non-canonical headers configured via the `headerField` setting, enabling identity impersonation to backend systems. The vulnerability exploits HTTP header handling inconsistencies where backends read the attacker-supplied canonical header before Traefik's non-canonical configuration, permitting authentication bypass for any identity. Vendor-released patches are available for all affected major versions.
Fleet device management software prior to version 4.81.0 allows privilege escalation through email validation bypass in the user invitation flow. An attacker with a valid invite token can create an account using an arbitrary email address while retaining the role permissions granted by the invite, potentially obtaining global admin access. No public exploit code or active exploitation has been identified at the time of analysis.
Fleet device management software versions prior to 4.81.1 contain a broken access control vulnerability in the host transfer API that allows authenticated team maintainers to transfer hosts from any team into their own team, circumventing team isolation boundaries and gaining full control over stolen hosts including root-level script execution capabilities. The vulnerability requires authenticated access (PR:L in CVSS vector) but presents high integrity impact due to the ability to execute privileged commands on managed endpoints. No public exploit code or active exploitation has been confirmed at time of analysis.
Bludit up to version 3.18.2 allows authenticated users with content upload privileges to execute arbitrary JavaScript in victim browsers via stored XSS in SVG image uploads. An attacker with Author, Editor, or Administrator role can upload a malicious SVG file that executes when accessed by any unauthenticated visitor to the uploaded resource URL, compromising browser sessions and potentially enabling account takeover or sensitive data theft. No public exploit code has been identified at time of analysis, though the vendor was notified early and subsequently ceased coordination.
Mastodon versions 4.5.x before 4.5.8 and 4.4.x before 4.4.15 allow unauthenticated attackers with prior knowledge of a quote to prevent its correct processing on a target server, resulting in limited integrity and availability impact. The vulnerability exploits timing and knowledge of ActivityPub quote structures to disrupt social content distribution. Patches are available in Mastodon 4.5.8 and 4.4.15; versions 4.3 and earlier are unaffected due to lack of quote support.
Bludit versions prior to 3.17.2 allow attackers to fix a victim's session identifier before authentication, with the session ID persisting unchanged after successful login, enabling authenticated session hijacking via session fixation. The vulnerability affects all Bludit instances below version 3.17.2 and requires local access and user interaction to exploit. No public exploit code or active exploitation has been identified at the time of analysis, though the session fixation mechanism poses a moderate risk in multi-user or shared-access environments.
Server-Side Request Forgery in calibre's background-image endpoint allows remote attackers to perform blind GET requests to arbitrary URLs and exfiltrate sensitive information from the e-book sandbox prior to version 9.6.0. Calibre versions before 9.6.0 are affected, with vendor-released patch available at version 9.6.0 or later. No active exploitation or public exploit code has been confirmed at time of analysis.
Blog.Admin versions 8.0 and earlier expose sensitive administrator account information through an improper access control vulnerability in the getinfobytoken API endpoint. An attacker possessing a valid authentication token can bypass authorization checks to retrieve confidential administrator credentials and account details, potentially enabling lateral movement or privilege escalation attacks. No public exploit code or active exploitation has been confirmed at the time of analysis.
Dovecot's text conversion script for OOXML attachments unsafely processes zip-style files, allowing authenticated attackers to index unintended system files and contaminate full-text search indexes with sensitive content. Open-Xchange Dovecot Pro is affected. The vulnerability results in information disclosure (CWE-200) with a CVSS score of 4.3 and requires prior authentication; no public exploit identified at time of analysis.
Open WebUI versions prior to 0.8.6 disclose the server's absolute DATA_DIR path to any authenticated non-admin user via unsanitized filename handling in the speech-to-text transcription endpoint, which returns FileNotFoundError messages in HTTP 400 responses. This information disclosure affects all default deployments and requires only user-level authentication to trigger. The vulnerability has been patched in version 0.8.6, and no public exploit code or active exploitation has been identified at time of analysis.
Microsoft Edge (Chromium-based) contains a defense-in-depth vulnerability affecting all versions that allows remote attackers to disclose sensitive information and modify data through a network-based attack requiring user interaction. The vulnerability carries a CVSS score of 4.2 (low severity) with high attack complexity, indicating limited real-world exploitability despite dual confidentiality and integrity impacts. A vendor-released patch is available from Microsoft.