Use-after-free in Linux kernel Bluetooth L2CAP layer allows local attackers to cause denial of service or potentially execute code via a race condition in l2cap_unregister_user(). The vulnerability arises because l2cap_register_user() and l2cap_unregister_user() access conn->users without proper locking (conn->lock), while l2cap_conn_del() protects the same structure with conn->lock, creating concurrent access to freed memory. All Linux kernel versions with Bluetooth L2CAP support are affected. Patch available via Linux stable kernel commits.
Linux kernel KVM ARM64 fails to properly initialize ID registers for non-protected pKVM guests, causing feature detection checks to incorrectly return zero and preventing proper save/restore of system registers like TCR2_EL1 during world switches, potentially leading to state corruption. The vulnerability affects the hypervisor's ability to detect CPU features in non-protected virtual machines despite the initialization flag being incorrectly set. This is a kernel-level logic error that impacts system register handling in ARM64 virtualization.
Hirschmann HiLCOS devices OpenBAT, WLC, BAT300, BAT54 prior to 8.80 and OpenBAT prior to 9.10 are shipped with identical default SSH and SSL keys that cannot be changed, allowing unauthenticated. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Path traversal in Budibase plugin upload endpoint allows Global Builders to delete arbitrary directories and write files to any accessible filesystem path. Affecting all versions prior to 3.33.4, attackers with high privileges (Global Builder role) can exploit unsanitized filename handling in POST /api/plugin/upload to execute directory traversal attacks remotely with low complexity. CVSS 8.7 (High) with scope change indicates potential container escape or cross-tenant impact. No public exploit identified at time of analysis, though the attack vector is straightforward given the documented path traversal mechanism.
Server-Side Template Injection in RAGFlow 0.24.0 and earlier allows authenticated users to execute arbitrary OS commands via unsandboxed Jinja2 template rendering in Agent workflow components. The vulnerability affects the Text Processing (StringTransform) and Message components, where user-supplied templates are processed without sandboxing. With a CVSS 8.7 score and low attack complexity (AC:L), authenticated attackers can achieve full system compromise remotely. No public exploit identified at time of analysis, and no vendor-released patch available as of publication date.
Resource exhaustion in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows unauthenticated remote attackers to trigger denial of service through maliciously crafted input that overwhelms parsing logic. CVSS 7.5 (High) reflects network-accessible attack vector with low complexity and no prerequisites. EPSS data not provided, but no public exploit or CISA KEV listing identified at time of analysis. Amazon has released patches for Windows, Linux, and macOS platforms.
Remote code execution in Budibase low-code platform versions prior to 3.33.4 enables authenticated attackers to execute arbitrary system commands through the bash automation step feature. The vulnerability stems from unsanitized user input processed via template interpolation in execSync calls, allowing command injection with low attack complexity. No public exploit identified at time of analysis, though the technical details disclosed in the GitHub Security Advisory provide a clear exploitation path for authenticated users with automation privileges.
Unauthenticated remote access to administrative endpoints in Gardyn Cloud API exposes device management functions to network attackers. The CVSS:4.0 vector (AV:N/AC:L/PR:N) confirms network-reachable exploitation requiring no authentication or user interaction, with high confidentiality impact. EPSS data unavailable, but authentication bypass vulnerabilities (CWE-306) are frequently targeted when exposed on internet-facing APIs. CISA ICS-CERT advisory indicates IoT/OT context, suggesting potential for unauthorized device control. No confirmed active exploitation (not on CISA KEV) and no public exploit identified at time of analysis.
SQL injection in Piwigo photo gallery application versions prior to 16.3.0 allows unauthenticated remote attackers to extract the entire database, including user password hashes, via unsanitized date filter parameters in the ws_std_image_sql_filter() function. The vulnerability stems from direct SQL concatenation of four date parameters without input validation or escaping. Vendor-released patch available in version 16.3.0. EPSS and KEV data not provided, but the combination of unauthenticated access, low attack complexity, and full database disclosure represents critical risk for internet-facing Piwigo installations.
Stored cross-site scripting (XSS) in Budibase's Builder Command Palette (versions prior to 3.32.5) enables authenticated Builder users to inject malicious HTML payloads via entity names (tables, views, queries, automations), achieving session hijacking and account takeover when other Builder-role users invoke the Command Palette. CVSS 8.7 with changed scope reflects the cross-user attack vector. No public exploit identified at time of analysis, though the attack technique is straightforward for authenticated insiders. EPSS data unavailable; patch available in version 3.32.5.
Cross-Site Request Forgery (CSRF) in Emlog CMS versions prior to 2.6.8 enables remote attackers to execute arbitrary SQL commands and write arbitrary files to the web root without authentication. The vulnerability exploits an unprotected backend upgrade interface that accepts remote SQL and ZIP URLs via GET parameters, requiring only that an authenticated administrator visit a malicious link. EPSS data not available; no public exploit identified at time of analysis, though exploitation complexity is low given the CSRF nature and network attack vector.
Authorization bypass vulnerabilities in prompts.chat (pre-commit 7b81836) expose private prompt data to unauthenticated remote attackers. Missing isPrivate validation checks across multiple API endpoints and metadata generation functions allow unauthorized retrieval of version history, change requests, examples, content, and HTML meta tag information for prompts marked private. No public exploit identified at time of analysis, though CVSS 8.7 reflects network-accessible, low-complexity attack requiring no privileges. Vendor-released patch available via GitHub commit 7b81836b21.
Hirschmann Industrial HiVision versions 08.1.03 prior to 08.1.04 and 08.2.00 contains an untrusted search path vulnerability that allows local attackers to execute arbitrary binaries by placing a. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information disclosure in Azure SRE Agent can be exploited by remote unauthenticated attackers via improper authentication mechanisms. The vulnerability carries an 8.6 CVSS score with network attack vector requiring low complexity and no user interaction, enabling attackers to extract high-confidentiality data with scope change impact. No public exploit identified at time of analysis, though the authentication bypass nature and network accessibility present significant risk to Azure infrastructure components.
Path traversal in prompts.chat skill file extraction allows unauthenticated remote attackers to write arbitrary files and execute code on client systems through malicious ZIP archives. The vulnerability (CVSS 8.6) stems from missing server-side filename validation enabling ../ sequences in archive filenames that overwrite shell initialization files during extraction. VulnCheck identified this issue; vendor-released patch available in commit 0f8d4c3. No public exploit identified at time of analysis, though EPSS data not available for risk quantification.
Identity confusion in prompts.chat (prior to commit 1464475) enables authenticated attackers to impersonate users and hijack profile URLs by creating case-variant usernames (e.g., 'Alice' vs 'alice'). Inconsistent case-handling between write and read operations allows bypass of uniqueness validation, letting attackers inject malicious content on canonical victim profiles. EPSS data not available; no public exploit identified at time of analysis, though attack complexity is low (CVSS:4.0 AC:L) requiring only low-privilege access (PR:L). VulnCheck disclosed this vulnerability with vendor patch released via GitHub commit.
Integer truncation in Linux kernel netfilter SIP helper allows remote attackers to bypass Content-Length validation and cause information disclosure via malformed SIP messages. The sip_help_tcp() function stores SIP Content-Length header values (returned as unsigned long) into an unsigned int variable, causing values exceeding UINT_MAX (4,294,967,295) to truncate silently on 64-bit systems. This miscalculation causes the parser to misidentify message boundaries, treating trailing TCP segment dat
Server-Side Request Forgery in curl_cffi Python library allows unauthenticated remote attackers to access internal network resources and cloud metadata endpoints via attacker-controlled redirect chains. The library passes user-supplied URLs directly to libcurl without validating destination IP ranges and follows redirects automatically (CURLOPT_FOLLOWLOCATION enabled), enabling access to services like AWS/GCP metadata APIs (169.254.169.254). TLS fingerprint impersonation features (e.g., 'impersonate=chrome') can disguise these requests as legitimate browser traffic, potentially bypassing network controls. EPSS data not available; no active exploitation confirmed (not in CISA KEV); functional proof-of-concept publicly disclosed in GitHub advisory.
Hirschmann HiLCOS Classic Platform switches Classic L2E, L2P, L3E, L3P versions prior to 09.0.06 and Classic L2B prior to 05.3.07 contain a credential exposure vulnerability where user passwords are. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Directory traversal in BizTalk360 before version 11.5 allows authenticated attackers to write files outside the intended upload directory and potentially coerce authentication from the service through mishandling of user input in an upload mechanism. The vulnerability requires valid authentication credentials but enables arbitrary file write capabilities that could lead to remote code execution or service compromise.
Out-of-bounds read in Linux kernel netfilter H.323/RAS packet decoding allows local or remote attackers to read 1-4 bytes beyond allocated buffer boundaries via malformed packets. The vulnerability exists in decode_int() within nf_conntrack_h323, where insufficient boundary validation before reading variable-length integer fields permits information disclosure or potential denial of service. No CVSS score or KEV status published; patch available across multiple stable kernel branches via upstream commits.
Memory corruption and potential kernel freezes occur in the Linux kernel's IP tunnel implementation when VXLAN or GENEVE tunnels transmit packets, due to incorrect offset calculations in per-CPU statistics tracking on 32-bit systems. The vulnerability arises from iptunnel_xmit_stats() assuming all tunnels use NETDEV_PCPU_STAT_TSTATS, but VXLAN and GENEVE actually use NETDEV_PCPU_STAT_DSTATS with a different memory layout, causing syncp sequence counter overwrites that corrupt statistics or deadlock the kernel. Patch commits are available in the Linux kernel stable tree and address this by adapting the statistics handler and repositioning the pcpu_stat_type field to improve cache efficiency.
Arbitrary file deletion in Perfmatters WordPress plugin (≤2.5.9.1) allows authenticated attackers with Subscriber-level access to delete critical files including wp-config.php via path traversal, enabling full site takeover. The vulnerability stems from unsanitized GET parameter processing in PMCS::action_handler() without authentication or nonce checks. CVSS 8.1 reflects network-accessible attack requiring only low-privilege authentication with high integrity and availability impact. No public exploit identified at time of analysis, though the attack vector is straightforward given the lack of input validation.
Use-after-free memory corruption in Electron framework (versions <39.8.1, <40.7.0, <41.0.0) allows unauthenticated remote attackers to potentially execute arbitrary code when offscreen rendering is enabled and child windows are permitted. The vulnerability triggers when a parent offscreen WebContents is destroyed while child windows remain active, causing subsequent paint operations to dereference freed memory. EPSS data not available; no public exploit identified at time of analysis. Fixed versions released by vendor.
Out-of-bounds read in Linux kernel Bluetooth L2CAP layer allows remote attackers to read adjacent kernel memory via truncated L2CAP_INFO_RSP packets with insufficient payload length. The l2cap_information_rsp() function validates only the fixed 4-byte header but then unconditionally accesses variable-length payload fields (feat_mask at offset +4 and fixed_chan at offset +1) without verifying the payload is present, triggering kernel memory disclosure on specially crafted Bluetooth frames.
Linux kernel SMB client incorrectly reuses Kerberos authentication sessions across multiple mounts with different username options, allowing an attacker or misconfigured system to access shares using unintended credentials. The vulnerability affects CIFS/SMB mounting with Kerberos (sec=krb5) when the username mount option is specified; the kernel fails to validate that the username parameter matches the authenticated session, causing subsequent mounts to inherit the first mount's credentials rather than failing with ENOKEY when the requested principal is absent from the keytab. This is a session management flaw that enables credential confusion and potential unauthorized share access.
Second-order SQL injection in Focalboard 8.0 and earlier allows authenticated attackers to exfiltrate password hashes and other sensitive data via time-based blind injection through the category reorder API. Malicious SQL payloads injected into category ID fields persist in the database and execute unsanitized during subsequent reorder operations. Focalboard standalone is unsupported and will not receive a security patch. EPSS score of 0.01% indicates very low observed exploitation probability, consistent with the narrow attack surface requiring authenticated access to an end-of-life product.
Command injection in BentoML's cloud deployment path allows remote code execution on BentoCloud build infrastructure via malicious bentofile.yaml configurations. While commit ce53491 fixed command injection in local Dockerfile generation by adding shlex.quote protection, the cloud deployment code path (deployment.py:1648) remained vulnerable, directly interpolating system_packages into shell commands without sanitization. Attackers can inject shell metacharacters through bentofile.yaml to execut
Use-after-free in Linux kernel NFSD /proc/fs/nfs/exports proc entry allows information disclosure when a network namespace is destroyed while an exports file descriptor remains open. The vulnerability occurs because exports_proc_open() captures a network namespace reference without holding a refcount, enabling nfsd_net_exit() to free the export cache while the fd is still active, leading to subsequent reads dereferencing freed memory. The fix holds a struct net reference for the lifetime of the
Use-after-free in the Linux kernel's nvdimm/bus subsystem allows local privileged users to potentially trigger memory corruption when device_add() fails during nd_async_device_register() asynchronous initialization. The flaw stems from the parent device reference being dropped before the parent pointer is accessed on allocation failure paths. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Use-after-free vulnerability in Linux kernel's Cadence MAC (macb) driver allows local attackers to read freed memory via ethtool get_ts_info calls on PTP-capable network interfaces. The PTP clock is registered when the interface opens and destroyed when it closes, but the ethtool handler can still access it after deallocation, causing a kernel memory access violation. No active exploitation confirmed; patch available in stable kernel releases.
Use-after-free vulnerability in Linux kernel SPI controller registration allows local attackers to trigger unclocked register accesses and potential information disclosure when per-CPU statistics allocation fails during controller initialization. The vulnerability affects all Linux kernel versions and is fixed via proper driver core deregistration on allocation failure; no CVSS score or active exploitation data available at time of analysis.
Use-after-free in Linux kernel netfilter ctnetlink module allows local attackers to read freed kernel memory by triggering multiple-round netlink dump operations on conntrack expectations, exploiting improper reference counting in ctnetlink_dump_exp_ct() that drops conntrack references before the dump callback completes. The vulnerability requires local network namespace access and CAP_NET_ADMIN capability but enables information disclosure of kernel heap contents via KASAN-detected slab-use-after-free on ct->ext dereference.
Double-free memory corruption in the Linux kernel's TEQL (Trivial Link Equalizer) qdisc implementation allows local attackers to cause kernel crashes via denial of service. The vulnerability occurs when qdisc_reset is called without proper synchronization on lockless Qdisc root configurations, creating a race condition that results in use-after-free and double-free conditions in packet buffer management. This affects all Linux kernel versions with the vulnerable TEQL code path and requires local access to trigger via specially crafted packet scheduling operations.
Interrupt storm in Linux kernel dpaa2-switch driver occurs when a bounds check rejects an out-of-bounds if_id in the IRQ handler but fails to clear the interrupt status, causing repeated spurious interrupts. This denial-of-service condition affects the NXP DPAA2 Ethernet switch driver on systems running vulnerable Linux kernel versions. An attacker with the ability to trigger malformed frames or hardware state transitions could exhaust CPU resources through interrupt flooding.
Buffer overflow in Linux kernel HID-BPF subsystem allows arbitrary return values from dispatch_hid_bpf_raw_requests() to overflow the hid_hw_request buffer without validation. The vulnerability affects all Linux kernel versions with HID-BPF support; attackers with the ability to load or influence BPF programs targeting HID devices can trigger memory corruption. No CVSS score, EPSS data, or confirmed active exploitation has been assigned at time of analysis.
Linux kernel DRM/xe driver fails to protect GPU memory (GGTT) MMIO access during failed driver load or asynchronous buffer object teardown, potentially enabling information disclosure or memory corruption. The vulnerability affects systems with Intel Xe graphics where the driver's hotplug-based protection mechanism does not activate if initialization fails, leaving GGTT memory accessible after the driver should have been disabled. CVSS and KEV status not available; patches have been released in upstream Linux stable branches.
Out-of-bounds read in the Linux kernel's cdc_ncm USB networking driver allows a local attacker with a malicious or compromised USB CDC NCM device to read kernel memory beyond the skb buffer. The flaw lives in cdc_ncm_rx_verify_ndp16(), where the NDP16 nframes bounds check omits the ndpoffset value, letting DPE array iteration in cdc_ncm_rx_fixup() walk past the legitimate buffer when wNdpIndex points near the end of the NTB. No public exploit identified at time of analysis and EPSS exploitation probability is 0.02% (5th percentile), but a patch is available from upstream Linux maintainers.
Buffer overflow in Linux kernel cdc_ncm driver allows out-of-bounds memory reads when processing malformed USB CDC NCM (Network Control Model) packets with NDP32 (Normal Data Packet) headers positioned near the end of the network transfer buffer. The vulnerability exists in cdc_ncm_rx_verify_ndp32() where bounds checking fails to account for the ndpoffset value when validating the DPE (Data Packet Element) array size, potentially enabling local denial-of-service or information disclosure on systems with affected USB CDC NCM network devices. No active exploitation or public proof-of-concept identified at time of analysis.
Kernel page fault in Intel IGC network driver XDP TX timestamp handling allows local denial of service when an XDP application requesting TX timestamping shuts down while the interface link remains active. The vulnerability stems from stale xsk_meta pointers left in memory after TX ring shutdown, causing the IRQ handler to dereference invalid kernel addresses and trigger a kernel panic. This affects Linux kernel versions in the igc driver and requires no special privileges or network access, only the ability to run XDP programs on an affected system.
A use-after-free vulnerability in the Linux kernel's mshv (Microsoft Hyper-V) driver allows local attackers to trigger a kernel panic by unmapping user memory after a failed mshv_map_user_memory() call. The error path incorrectly calls vfree() without unregistering the associated MMU notifier, leaving a dangling reference that fires when userspace performs subsequent memory operations. This is a memory safety issue affecting the Hyper-V virtualization subsystem in the Linux kernel.
NULL pointer dereference in Linux kernel NFSD export cache cleanup allows local denial of service when RCU readers in e_show() and c_show() concurrently access export path and client name objects while cache_clean removes entries and drops the last reference prematurely. The vulnerability stems from path_put() and auth_domain_put() executing before the RCU grace period completes, freeing sub-objects still in use by readers. A fix has been merged upstream that defers these cleanup operations to a dedicated workqueue after the RCU grace period, ensuring safe resource release in process context where sleeping is permitted.
Linux kernel mm/rmap subsystem fails to correctly preserve page table entry attributes (writable and soft-dirty bits) when batching unmap operations on lazyfree folios, causing kernel panic via page table check violation when a large folio with mixed writable/non-writable PTEs is unmapped across multiple processes. The vulnerability affects all Linux kernel versions with the vulnerable folio_unmap_pte_batch() code path and can be triggered by local attackers through a specific sequence of memory management syscalls (MADV_DONTFORK, fork(), MADV_DOFORK, MADV_FREE, and memory reclaim), resulting in denial of service via kernel crash.
Linux kernel memory management allows installation of PMD entries pointing to non-existent physical memory or causes NULL pointer dereferences in move_pages_huge_pmd() when handling huge zero page migrations via UFFDIO_MOVE. The vulnerability occurs because the function incorrectly handles NULL folio pointers for huge zero pages, either producing bogus page frame numbers on SPARSEMEM_VMEMMAP systems or dereferencing NULL on other memory models. Additionally, destination PMD entries lose special mapping metadata (pmd_special flag), causing subsequent page reference counting corruption. No CVSS score is available; no active exploitation reported.
Memory leak in Linux kernel mac80211 subsystem's ieee80211_tx_prepare_skb() function fails to free socket buffers (skb) in one of three error paths, allowing local denial of service through memory exhaustion. The vulnerability affects all Linux kernel versions with the vulnerable code path in wireless MAC 802.11 handling; no active exploitation has been reported, but the fix addresses a resource leak that could be triggered by applications exercising error conditions in Wi-Fi frame preparation.
Linux kernel net shaper module fails to validate netdev liveness during hierarchy read operations, allowing information disclosure through use-after-free conditions when a network device is unregistered while RCU-protected read operations are in progress. The vulnerability affects the netlink operation callbacks in the shaper subsystem, where references acquired during pre-callbacks are not validated before later lock/RCU acquisitions, creating a race condition that can expose kernel memory or cause denial of service. No public exploit code has been identified at time of analysis, and the issue requires local access to trigger netlink operations.
Linux kernel crashes in iommu_sva_unbind_device() when accessing a freed mm structure after iommu_domain_free() deallocates domain->mm->iommu_mm, causing denial of service on systems using IOMMU Shared Virtual Addressing (SVA). The fix reorders code to access the structure before the domain is freed. No CVSS score, EPSS, or KEV status available; no public exploit code identified.
Integer underflow in Nimiq core-rs-albatross <1.3.0 enables unauthenticated remote attackers to trigger deterministic denial-of-service via crafted peer handshake. Attackers send limit=0 during discovery handshake, causing arithmetic underflow (0-1 wraps to usize::MAX) when session transitions to Established state, resulting in capacity overflow panic when allocating peer contact vector. Upstream fix available (PR/commit); released patched version 1.3.0 confirmed. No public exploit identified at time of analysis, but EPSS indicates low exploitation probability and attack is trivially reproducible given simple network message crafting.
Unauthenticated server-side request forgery in Ech0's link preview endpoint allows remote attackers to force the application server to perform HTTP/HTTPS requests to arbitrary internal and external targets. The /api/website/title route requires no authentication, performs no URL validation, follows redirects by default, and disables TLS certificate verification (InsecureSkipVerify: true). Attackers can probe internal networks, access cloud metadata services (169.254.169.254), and trigger denial-
Thread exhaustion in Mesop WebSocket handler (pkg:pip/mesop) allows unauthenticated remote attackers to crash applications via message flooding. The framework spawns unbounded OS threads for each received WebSocket message without rate limiting or pooling, enabling complete denial of service with minimal bandwidth. CVSS 7.5 (High). Publicly available exploit code exists. EPSS data not provided, but the low attack complexity (AC:L) and zero authentication requirement (PR:N) combined with working proof-of-concept significantly elevate real-world exploitation risk. Vendor-released patch available in version 1.2.5 (commit 760a207).