Remote code execution and privilege escalation in Gigabyte Control Center allows unauthenticated network attackers to write arbitrary files to any system location when the pairing feature is enabled. This path traversal vulnerability (CWE-23) requires high attack complexity but needs no user interaction. No public exploit identified at time of analysis, though the technical details disclosed by Taiwan CERT provide sufficient information for exploitation development. CVSS 8.1 (High) reflects significant impact across confidentiality, integrity, and availability.
Stored Cross-Site Scripting in CI4MS methods management allows authenticated users to inject malicious JavaScript into administrative interfaces and global navigation, affecting all users including administrators. The vulnerability affects CI4MS versions before 0.31.0.0 with a CVSS score of 9.1 due to scope change (C) enabling privilege escalation. Vendor-released patch available in version 0.31.0.0. No public exploit identified at time of analysis, though EPSS data not provided for risk probability assessment.
Stored cross-site scripting in CI4MS role/group management allows authenticated attackers to inject malicious JavaScript into three distinct administrative fields, achieving persistent code execution in privileged admin contexts with scope change impact. The vulnerability affects all versions prior to 0.31.0.0 and requires low-privilege authenticated access with no user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C). Vendor-released patch version 0.31.0.0 addresses the input sanitization and output encoding failures. No public exploit identified at time of analysis, though EPSS data not available for this recent CVE.
Server-side template injection in OpenOlat e-learning platform versions prior to 19.1.31, 20.1.18, and 20.2.5 enables authenticated users with Author role to execute arbitrary operating system commands via crafted Velocity directives in reminder email templates. Exploitation requires low-privilege authentication (PR:L) but is network-accessible (AV:N) with low complexity (AC:L), achieving full system compromise (C:H/I:H/A:H). The vulnerability leverages Java reflection through Velocity templates to instantiate ProcessBuilder and execute commands with Tomcat process privileges, often root in containerized environments. EPSS data not provided; no CISA KEV status confirmed; publicly available exploit code exists per GitHub security advisory disclosure.
Cross-Site Request Forgery in Zimbra Collaboration Server 10.0 and 10.1 allows remote attackers to perform sensitive account actions such as disabling two-factor authentication by inducing authenticated users to submit crafted requests, exploiting insufficient CSRF protection on authentication tokens issued during account state transitions like password changes or 2FA enablement. No public exploit code has been identified at time of analysis, and patch availability has been confirmed in vendor advisories for versions 10.0.18 and 10.1.13.
Unauthenticated privilege escalation in Debugger & Troubleshooter WordPress plugin (versions ≤1.3.2) allows remote attackers to gain administrator access by manipulating a cookie value. Attackers can set the wp_debug_troubleshoot_simulate_user cookie to any user ID without cryptographic validation, bypassing all authentication and authorization checks to immediately impersonate administrators. No public exploit code confirmed at time of analysis, though the attack mechanism is straightforward requiring only cookie manipulation. CVSS 8.8 with network-based attack vector and low complexity indicates significant real-world risk for unpatched installations. Vendor-released patch in version 1.4.0 implements cryptographic token validation.
Insecure Direct Object Reference (IDOR) in nginx-ui up to v2.3.3 allows authenticated low-privilege users to access, modify, and delete any resource across all user accounts, including plaintext DNS provider API tokens (Cloudflare, AWS Route53, Alibaba Cloud) and ACME private keys. The application's base Model struct lacks user_id fields, and all resource endpoints query by ID without ownership verification. CVSS 8.8 reflects scope change to external services—stolen Cloudflare tokens enable DNS hijacking and fraudulent certificate issuance. No public exploit identified at time of analysis, but trivial to execute via standard HTTP requests. Vendor-released patch: v2.3.4.
Improper authorization in GitLab CE/EE Jira Connect integration allows authenticated users with minimal workspace permissions to steal installation credentials and impersonate the GitLab application. Affects versions 14.3 through 18.8.6, 18.9.0-18.9.2, and 18.10.0. Vendor-released patches available in versions 18.8.7, 18.9.3, and 18.10.1. High CVSS score (8.1) reflects significant confidentiality and integrity impact with low attack complexity. No public exploit identified at time of analysis, though detailed disclosure exists via HackerOne report.
Path traversal in Tautulli's /newsletter/image/images API endpoint allows unauthenticated remote attackers to read arbitrary files from the server filesystem. Tautulli, a Python-based monitoring tool for Plex Media Server, is affected in all versions prior to 2.17.0. The vulnerability carries a CVSS 4.0 score of 8.7 with network attack vector, low complexity, and no authentication required (PR:N), enabling trivial exploitation for sensitive information disclosure. No active exploitation confirmed at time of analysis, though the unauthenticated nature and public disclosure significantly elevate real-world risk.
Unauthenticated attackers can bypass authorization controls in On24 Q&A Chat to enumerate event IDs and retrieve complete question-and-answer histories through the console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/ endpoint. This exposure leaks sensitive data including user identifiers, private URLs, messages, and internal references that should be restricted to authenticated users. The compromised information can facilitate reconnaissance for lateral movement, system exploitation, or unauthorized access to connected applications.
Remote denial of service in tinyproxy versions through 1.11.3 allows unauthenticated attackers to exhaust all proxy worker connections via malformed HTTP chunked transfer encoding. An integer overflow in chunk size parsing (using strtol() without ERANGE validation) enables attackers to send LONG_MAX values that bypass size checks and trigger arithmetic overflow during chunklen+2 calculations. This forces the proxy to attempt reading unbounded request body data, holding worker slots indefinitely until all connections are exhausted and new clients are rejected. Upstream fix available (commits bb7edc4, 969852c) but latest stable release 1.11.3 remains unpatched. EPSS data not available; no public exploit identified at time of analysis, though attack complexity is low (CVSS AC:L) and requires no authentication (PR:N).
Insecure deserialization in Gigabyte Control Center's Performance Library component allows authenticated local users to escalate privileges to SYSTEM by sending crafted serialized payloads to the EasyTune Engine service. Affecting Gigabyte Performance Library across versions, this CWE-502 flaw enables low-privileged users to gain complete control of the Windows system. EPSS data not available; no public exploit identified at time of analysis, though the local attack vector and low complexity (CVSS:3.1/AV:L/AC:L/PR:L) suggest exploitation is technically straightforward for attackers with initial local access.
Zebra cryptocurrency nodes prior to version 4.3.0 can be forced into consensus split by malicious miners who craft blocks containing V5 transactions with matching txids but invalid authorization data. The vulnerability stems from a cache lookup that used ZIP-244 txid (which excludes authorization data) to bypass full verification, allowing nodes to accept blocks with invalid signatures. While this does not enable invalid transaction acceptance, it isolates vulnerable nodes from the Zcash network, creating fork conditions exploitable for service disruption and potential double-spend scenarios against partitioned nodes. No public exploit code or CISA KEV listing exists, but the technical complexity is low for actors with mining capabilities. Affected products are zebrad and zebra-consensus Rust packages supporting Network Upgrade 5 (V5 transactions). Vendor-released patch: Zebra 4.3.0.
Insecure deserialization in WatchGuard Fireware OS enables local code execution as the portald user when combined with a filesystem write primitive. Affects Fireware OS versions 12.1 through 12.11.8 and 2025.1 through 2026.1.2 on platforms supporting Access Portal (excludes T-15/T-35 models). CVSS 8.4 severity reflects high impact but requires prior high-privilege local access and an existing write vulnerability to exploit. No public exploit identified at time of analysis, with EPSS data unavailable for risk probability assessment.
Parse Server LiveQuery leaks protected fields and authentication data across concurrent subscribers due to shared mutable object state. When multiple clients subscribe to the same class, race conditions in the sensitive data filter allow one subscriber's field filtering to affect other subscribers, exposing data that should remain protected or delivering incomplete objects to authorized clients. Deployments using LiveQuery with protected fields or afterEvent triggers face unauthorized information disclosure. Vendor-released patches are available for Parse Server 8 and 9. No public exploit identified at time of analysis, though the vulnerability is straightforward to trigger in affected configurations.
Unchecked arithmetic in Rust libp2p-gossipsub heartbeat processing allows remote unauthenticated denial of service via crafted PRUNE control messages. Network-reachable Gossipsub peers can crash vulnerable nodes by sending PRUNE messages with near-maximum backoff values (~i64::MAX), triggering an instant overflow panic during subsequent heartbeat cycles (43-74 seconds later). This is a distinct vulnerability from CVE-2026-33040, affecting a different code path in expiry handling rather than initial insertion. Reported by Ethereum Foundation security team; no public exploit identified at time of analysis, but attack vector is straightforward for any peer capable of establishing libp2p sessions.
Cross-session credential leakage in awesome-llm-apps Streamlit-based GitHub MCP Agent allows unauthenticated users to retrieve previously stored API tokens and secrets from process-wide environment variables, compromising GitHub Personal Access Tokens and LLM API keys across concurrent session boundaries. The vulnerability stems from improper session isolation in a multi-user Streamlit application that persists credentials in os.environ without clearing them between user sessions, enabling attackers to escalate privileges and access private resources without authentication.
Heap over-read in Botan C++ cryptography library versions 2.3.0 through 3.10.x allows remote, unauthenticated attackers to trigger crashes or undefined behavior during SM2 decryption. The vulnerability stems from insufficient length validation of authentication code (C3) values in SM2 ciphertexts, enabling reads of up to 31 bytes beyond allocated heap memory. With CVSS 8.2 (AV:N/AC:L/PR:N/UI:N) and EPSS data not provided, this represents a remotely exploitable memory safety issue in a cryptographic primitive. No public exploit identified at time of analysis. Patched in version 3.11.0.
Path traversal in TinaCMS GraphQL (@tinacms/graphql) enables unauthenticated remote attackers to write and overwrite arbitrary files within the project root, including critical configuration files like package.json and build scripts. The vulnerability stems from platform-specific path validation failures that treat backslash characters differently on Unix-based systems, allowing traversal sequences like 'x\..\..\..\package.json' to bypass security checks. With a CVSS score of 8.1 and publicly available exploit code demonstrating the attack, this represents a critical security risk for TinaCMS deployments, particularly those exposed to untrusted networks. No CISA KEV listing exists, but the proof-of-concept demonstrates clear exploitation paths to arbitrary code execution via build script modification.
Command injection in Glances Python monitoring tool allows local authenticated users to execute arbitrary system commands via malicious configuration files. Attackers with write access to Glances configuration files can embed shell commands in backtick-enclosed strings that execute automatically during config parsing with the privileges of the Glances process. In environments where Glances runs as a system service with elevated privileges, this enables privilege escalation from low-privileged user to root. CVSS 7.8 (High) with local attack vector requiring low privileges. Public exploit code exists in the advisory. EPSS data not available, not listed in CISA KEV.
Arbitrary file read in Gotenberg versions prior to 8.29.0 allows unauthenticated remote attackers to bypass URL deny-list protections and access sensitive container files via case-variant URI schemes. The default deny-list regex `^file:(?!//\/tmp/).*` only matches lowercase 'file:', but Chromium normalizes mixed-case schemes (FILE://, File://, fILE://) to lowercase after the deny-list check, enabling access to /etc/passwd, environment variables, and configuration files. This bypasses the incomplete fix for CVE-2024-21527. Vendor-released patch available in version 8.29.0. POC confirmed in GitHub advisory. EPSS exploitation probability is low (0.02%) despite public POC, suggesting limited real-world targeting to date.
Elevation of privilege in Symantec Data Loss Prevention Windows Endpoint allows authenticated local users to gain SYSTEM-level access and compromise protected resources. Affects all versions prior to 25.1 MP1, 16.1 MP2, 16.0 RU2 HF9, 16.0 RU1 MP1 HF12, and 16.0 MP2 HF15. CVSS 7.8 (High) reflects the local attack vector but complete system compromise upon successful exploitation. No public exploit identified at time of analysis, though the CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) classification suggests potential DLL hijacking or similar trust boundary violations.
Invoice Ninja versions 5.12.46 and 5.12.48 contain a Server-Side Request Forgery (SSRF) vulnerability in the CheckDatabaseRequest.php component that allows remote attackers to perform unauthorized requests to internal or external systems. The vulnerability affects the setup and database configuration functionality, potentially enabling attackers to access internal services, probe private networks, or interact with restricted resources from the server's perspective.
Grav CMS versions 1.7.x and earlier allow XML External Entity (XXE) injection through SVG file uploads in the administrative panel and File Manager plugin, potentially enabling remote code execution or information disclosure to authenticated administrators. No CVSS score, CVSS vector, or CWE classification has been assigned; exploitation status and patch availability cannot be confirmed from available data.
KubePlus 4.1.4 allows server-side request forgery (SSRF) and arbitrary HTTP header injection through improperly validated chartURL fields in ResourceComposition resources. The mutating webhook and kubeconfiggenerator components concatenate user-supplied chartURL values directly into wget command invocations without proper escaping, enabling attackers to inject wget options such as --header to forge HTTP requests or exfiltrate sensitive data. No patch version information is currently available, and exploitation status remains unconfirmed from authoritative sources.
OpenAirInterface AMF version 2.2.0 crashes during message decoding when processing specific malformed input sequences, enabling a denial of service condition. A remote attacker can trigger a consistent crash by sending specially crafted hex-encoded packets (example: 80 00 00 0E 00 00 01 00 0F 80 02 02 40 00 58 00 01 88) to the AMF component. No public exploit code has been identified, but the crash is reproducible with known input patterns.
Remote code execution in libarchive on 32-bit systems allows unauthenticated attackers to execute arbitrary code via specially crafted ISO9660 images. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and OpenShift Container Platform 4, with vendor patches released across multiple RHSA advisories. Despite the CVSS 7.5 score and network attack vector, EPSS exploitation probability is low (0.05%, 16th percentile) and no public exploit is identified at time of analysis, though SSVC classifies the vulnerability as automatable with total technical impact.
Remote denial of service in GNU C Library (glibc) 2.43 and earlier allows unauthenticated remote attackers to crash applications via malformed input during character set conversion from IBM1390 or IBM1399 encodings. The vulnerability triggers an assertion failure in the iconv() function with high attack reliability (CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Proof-of-concept code exists and CISA SSVC assessment confirms the issue is automatable with partial technical impact, making this a practical denial-of-service vector for any networked application processing untrusted character encoding conversions.
Heap buffer overflow in FreeRDP's H.264 YUV decoder (versions before 3.24.2) allows remote attackers to potentially achieve code execution via specially crafted RDP sessions. The vulnerability stems from premature dimension updates in yuv_ensure_buffer() that persist when memory reallocation fails, creating exploitable memory corruption conditions. Attack requires user interaction (connecting to malicious RDP server) and moderate complexity (CVSS AC:H). No public exploit identified at time of analysis, though CVSS 7.5 HIGH score reflects potential for complete system compromise (C:H/I:H/A:H).
Heap buffer overflow in FreeRDP's CLEAR codec implementation allows remote attackers to execute arbitrary code when processing malicious RDP server responses. Affects all FreeRDP versions prior to 3.24.2. Attack requires high complexity and user interaction (victim must connect to attacker-controlled RDP server), but no authentication is required. CVSS 7.5 reflects the network-accessible attack vector with potential for complete system compromise. No public exploit identified at time of analysis, though technical details are publicly disclosed via GitHub security advisory.
CrewAI's JSON loader tool fails to validate file paths before reading, allowing arbitrary local file access that exposes sensitive server files to attackers with network access to the application. The vulnerability enables information disclosure without authentication, affecting all versions of CrewAI that include the vulnerable JSON loader component. No active exploitation has been confirmed, but the straightforward nature of the attack (unsanitized file path input) makes this a practical concern for production deployments.
Insecure Direct Object Reference in WP Download Monitor plugin (≤5.1.7) enables unauthenticated attackers to complete arbitrary pending orders by manipulating PayPal transaction tokens, allowing theft of paid digital goods. Attackers can pay minimal amounts for low-cost items and use those payment tokens to finalize high-value orders, effectively bypassing payment validation. CVSS 7.5 (High) reflects network-based attack with no authentication required. No public exploit identified at time of analysis, though the attack mechanism is clearly documented in vendor advisories.
Path traversal in WAGO Device Sphere and Solution Builder allows unauthenticated remote attackers to access backend components and expose sensitive information. The vulnerability stems from insufficient input validation (CWE-790), enabling attackers to bypass intended access boundaries with low complexity over network vectors. CVSS 7.5 (High) reflects significant confidentiality impact. EPSS data unavailable; no public exploit identified at time of analysis, and CISA KEV status not confirmed.
Uncaught TypeError in Node.js HTTP server crashes applications when clients send specially crafted `__proto__` headers and code accesses `req.headersDistinct`. The exception occurs synchronously in a property getter, bypassing standard error handling mechanisms and causing immediate service disruption. Affects Node.js versions 20.x, 22.x, 24.x, and 25.x with CVSS 7.5 (High). EPSS data not available; no public exploit identified at time of analysis, though exploitation requires only sending a malformed HTTP header with no authentication (CVSS:3.0/AV:N/AC:L/PR:N/UI:N).
Remote code execution in Tautulli (Python-based Plex Media Server monitoring tool) versions prior to 2.17.0 allows authenticated administrators to bypass sandbox restrictions in notification templates via lambda expressions, enabling arbitrary Python code execution. The vulnerability exploits a flaw in the str_eval() sandbox implementation that only inspects outer code object names (co_names) while nested lambda code objects store attribute accesses in co_consts, evading security checks. CVSS 7.5 with high attack complexity and high privilege requirement (PR:H) indicates limited real-world risk scope, with no public exploit identified at time of analysis.
Cross-site scripting (XSS) in Tautulli 1.3.10 through 2.16.x allows remote attackers to inject malicious scripts via unsanitized JSONP callback parameters, enabling API key theft from authenticated users who click crafted links. The vulnerability requires social engineering (UI:A in CVSS) and affects the Plex monitoring tool's web interface. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though the attack complexity is rated high (AC:H) suggesting practical exploitation requires specific conditions. GitHub security advisory indicates vendor-patched release available.
SQL injection in SchemaHero 0.23.0 allows remote attackers to execute arbitrary SQL commands through the column parameter in the mysqlColumnAsInsert function located in plugins/mysql/lib/column.go. The vulnerability affects the MySQL plugin component and enables attackers to manipulate database queries, potentially leading to unauthorized data access, modification, or deletion. Public proof-of-concept code is available, and CVSS/EPSS data are not yet assigned by NVD.
SQL injection in SchemaHero 0.23.0 allows remote attackers to execute arbitrary SQL commands through the column parameter in the columnAsInsert function within the PostgreSQL plugin, potentially compromising database integrity and confidentiality. Public exploit documentation is available, indicating proof-of-concept code exists. CVSS and EPSS data are unavailable, limiting formal severity quantification.
Authentication credential theft in HAPI FHIR Core library allows network attackers to intercept Bearer tokens, Basic auth credentials, and API keys through malicious URL prefix matching. The vulnerable `ManagedWebAccessUtils.getServer()` method uses unsafe `String.startsWith()` checks without host boundary validation, causing credentials configured for `http://tx.fhir.org` to be dispatched to attacker-controlled domains like `http://tx.fhir.org.attacker.com` when HTTP redirects occur. Affects Maven packages `ca.uhn.hapi.fhir:org.hl7.fhir.core` and `ca.uhn.hapi.fhir:org.hl7.fhir.utilities`. CVSS 7.4 (High) reflects network attack vector with high attack complexity requiring redirect manipulation. EPSS data not available; no confirmed active exploitation (CISA KEV), but detailed proof-of-concept code demonstrates the exploit chain through both SimpleHTTPClient and OkHttp redirect paths.
Node.js Permission Model bypass in FileHandle.chmod() and FileHandle.chown() promise-based methods allows local authenticated users with restricted --allow-fs-write to modify file permissions and ownership on already-open file descriptors, circumventing intended write restrictions. The vulnerability affects Node.js 20.x, 22.x, 24.x, and 25.x when running under the --permission flag; the callback-based equivalents (fs.fchmod, fs.fchown) were correctly patched in CVE-2024-36137, but the promises API was incompletely fixed. CVSS 3.3 with low real-world impact due to local-only attack vector and requirement for pre-existing file access.
Race condition in nginx-ui web interface allows remote authenticated attackers to corrupt the primary configuration file (app.ini) through concurrent API requests, resulting in persistent denial of service and potential remote code execution. The vulnerability affects nginx-ui versions prior to 2.3.4 deployed in production environments including Docker containers. Concurrent POST requests to /api/settings trigger unsynchronized file writes that interleave at the OS level, corrupting configuration sections and creating cross-contamination between INI fields. In non-deterministic scenarios, user-controlled input can overwrite shell command fields (ReloadCmd, RestartCmd), enabling arbitrary command execution during nginx reload operations. Public exploit code demonstrates the attack path using standard HTTP testing tools. No CISA KEV listing or EPSS data available at time of analysis, but proof-of-concept with detailed reproduction steps exists in the GitHub security advisory.
Cross-origin data exfiltration in Glances XML-RPC server (glances -s) allows any website to steal complete system monitoring data including hostname, OS details, process lists with command-line arguments, and network configuration through CORS misconfiguration. The server sends Access-Control-Allow-Origin: * on all responses and processes XML-RPC POST requests with Content-Type: text/plain without validation, bypassing browser CORS preflight checks. Default deployments run unauthenticated, making all network-accessible instances immediately exploitable. No public exploit identified at time of analysis, though detailed proof-of-concept code is included in the advisory.
Heap buffer overflow in FreeRDP's persistent bitmap cache handling allows local attackers to corrupt memory integrity and crash the RDP client. Affecting all versions prior to 3.24.2, the vulnerability (CWE-122) occurs when memory reallocation fails but the buffer size variable is prematurely updated, creating a size/pointer mismatch. EPSS data not available, but marked medium priority by Ubuntu. No public exploit identified at time of analysis, though technical details are disclosed in the GitHub Security Advisory.
Heap-buffer-overflow in FreeRDP's winpr_aligned_offset_recalloc() function allows local attackers with no privileges but requiring user interaction to trigger high-severity information disclosure and denial of service in versions prior to 3.24.2. The vulnerability involves a READ operation at 24 bytes before heap allocation boundaries (CWE-125: Out-of-bounds Read). Vendor-released patch version 3.24.2 available via GitHub commit a48dbde2c8. EPSS data not provided; no public exploit identified at time of analysis. Affects all FreeRDP installations below 3.24.2, tracked across 7 Debian releases.
Cross-Site Request Forgery (CSRF) in WatchGuard Fireware OS WebUI allows remote attackers to trigger a denial-of-service condition against the Web UI by tricking an authenticated administrator into visiting a malicious webpage. This affects Fireware OS versions 11.8 through 11.12.4+541730, 12.0 through 12.11.8, and 2025.1 through 2026.1.2. The CVSS v4.0 score of 7.1 reflects high availability impact (VA:H) with no user authentication required (PR:N) but requiring user interaction (UI:P). No public exploit identified at time of analysis, though the attack complexity is low and the CSRF nature makes weaponization straightforward for adversaries targeting firewall administrators.
Authenticated denial of service in nginx-ui 2.3.3 and earlier allows any user with settings access to submit a negative integer for the logrotate.interval parameter, triggering an infinite loop in the backend that exhausts CPU resources and renders the web interface unresponsive. Vendor-released patch available in v2.3.4. No public exploit code identified beyond proof-of-concept documentation; not confirmed as actively exploited.
Authenticated users in nginx-ui v2.3.3 and earlier can delete the entire `/etc/nginx` configuration directory via path traversal using double-encoded sequences (..%252F), causing immediate Nginx service failure and denial of service. The vulnerability exploits improper URL canonicalization combined with unsafe recursive deletion logic that resolves malicious paths to the base configuration directory instead of rejecting them.
Denial of service in FreeRDP prior to version 3.24.2 allows remote attackers to crash the client via a malicious RDP server sending IMA ADPCM audio data with an invalid step index value (≥89). The unvalidated network-supplied index causes an out-of-bounds access into an 89-entry lookup table, triggering a WINPR_ASSERT() failure and process abort. This affects all FreeRDP clients with audio redirection enabled (the default configuration), requiring user interaction to establish an RDP connection but no authentication. No public exploit code identified at time of analysis.
Hard-coded AWS credentials in AL-KO Robolinho Update Software allow unauthenticated attackers to directly access AL-KO's AWS S3 bucket with read permissions and potentially escalated privileges beyond the application's intended access model. Version 8.0.21.0610 is confirmed vulnerable; the full affected version range is unknown due to lack of vendor cooperation. No public exploit code or active exploitation has been reported, but the credentials are trivially extractable from the application binary.
Server-side request forgery in Docker Model Runner allows unprivileged containers or malicious OCI registries to make arbitrary GET requests to internal services by exploiting unvalidated realm URLs in the OCI registry token exchange flow. Affected versions prior to 1.1.25 (Docker Desktop prior to 4.67.0) permit attackers to access host-local services and reflect response bodies back to the caller, potentially exfiltrating sensitive data from internal endpoints. No public exploit code or active exploitation has been reported at time of analysis.