Buffer overflow in Linux kernel cdc_ncm driver allows out-of-bounds memory reads when processing malformed USB CDC NCM (Network Control Model) packets with NDP32 (Normal Data Packet) headers positioned near the end of the network transfer buffer. The vulnerability exists in cdc_ncm_rx_verify_ndp32() where bounds checking fails to account for the ndpoffset value when validating the DPE (Data Packet Element) array size, potentially enabling local denial-of-service or information disclosure on systems with affected USB CDC NCM network devices. No active exploitation or public proof-of-concept identified at time of analysis.
Kernel page fault in Intel IGC network driver XDP TX timestamp handling allows local denial of service when an XDP application requesting TX timestamping shuts down while the interface link remains active. The vulnerability stems from stale xsk_meta pointers left in memory after TX ring shutdown, causing the IRQ handler to dereference invalid kernel addresses and trigger a kernel panic. This affects Linux kernel versions in the igc driver and requires no special privileges or network access, only the ability to run XDP programs on an affected system.
A use-after-free vulnerability in the Linux kernel's mshv (Microsoft Hyper-V) driver allows local attackers to trigger a kernel panic by unmapping user memory after a failed mshv_map_user_memory() call. The error path incorrectly calls vfree() without unregistering the associated MMU notifier, leaving a dangling reference that fires when userspace performs subsequent memory operations. This is a memory safety issue affecting the Hyper-V virtualization subsystem in the Linux kernel.
NULL pointer dereference in Linux kernel NFSD export cache cleanup allows local denial of service when RCU readers in e_show() and c_show() concurrently access export path and client name objects while cache_clean removes entries and drops the last reference prematurely. The vulnerability stems from path_put() and auth_domain_put() executing before the RCU grace period completes, freeing sub-objects still in use by readers. A fix has been merged upstream that defers these cleanup operations to a dedicated workqueue after the RCU grace period, ensuring safe resource release in process context where sleeping is permitted.
Linux kernel mm/rmap subsystem fails to correctly preserve page table entry attributes (writable and soft-dirty bits) when batching unmap operations on lazyfree folios, causing kernel panic via page table check violation when a large folio with mixed writable/non-writable PTEs is unmapped across multiple processes. The vulnerability affects all Linux kernel versions with the vulnerable folio_unmap_pte_batch() code path and can be triggered by local attackers through a specific sequence of memory management syscalls (MADV_DONTFORK, fork(), MADV_DOFORK, MADV_FREE, and memory reclaim), resulting in denial of service via kernel crash.
Linux kernel memory management allows installation of PMD entries pointing to non-existent physical memory or causes NULL pointer dereferences in move_pages_huge_pmd() when handling huge zero page migrations via UFFDIO_MOVE. The vulnerability occurs because the function incorrectly handles NULL folio pointers for huge zero pages, either producing bogus page frame numbers on SPARSEMEM_VMEMMAP systems or dereferencing NULL on other memory models. Additionally, destination PMD entries lose special mapping metadata (pmd_special flag), causing subsequent page reference counting corruption. No CVSS score is available; no active exploitation reported.
Memory leak in Linux kernel mac80211 subsystem's ieee80211_tx_prepare_skb() function fails to free socket buffers (skb) in one of three error paths, allowing local denial of service through memory exhaustion. The vulnerability affects all Linux kernel versions with the vulnerable code path in wireless MAC 802.11 handling; no active exploitation has been reported, but the fix addresses a resource leak that could be triggered by applications exercising error conditions in Wi-Fi frame preparation.
Linux kernel net shaper module fails to validate netdev liveness during hierarchy read operations, allowing information disclosure through use-after-free conditions when a network device is unregistered while RCU-protected read operations are in progress. The vulnerability affects the netlink operation callbacks in the shaper subsystem, where references acquired during pre-callbacks are not validated before later lock/RCU acquisitions, creating a race condition that can expose kernel memory or cause denial of service. No public exploit code has been identified at time of analysis, and the issue requires local access to trigger netlink operations.
Linux kernel crashes in iommu_sva_unbind_device() when accessing a freed mm structure after iommu_domain_free() deallocates domain->mm->iommu_mm, causing denial of service on systems using IOMMU Shared Virtual Addressing (SVA). The fix reorders code to access the structure before the domain is freed. No CVSS score, EPSS, or KEV status available; no public exploit code identified.
Integer underflow in Nimiq core-rs-albatross <1.3.0 enables unauthenticated remote attackers to trigger deterministic denial-of-service via crafted peer handshake. Attackers send limit=0 during discovery handshake, causing arithmetic underflow (0-1 wraps to usize::MAX) when session transitions to Established state, resulting in capacity overflow panic when allocating peer contact vector. Upstream fix available (PR/commit); released patched version 1.3.0 confirmed. No public exploit identified at time of analysis, but EPSS indicates low exploitation probability and attack is trivially reproducible given simple network message crafting.
Unauthenticated server-side request forgery in Ech0's link preview endpoint allows remote attackers to force the application server to perform HTTP/HTTPS requests to arbitrary internal and external targets. The /api/website/title route requires no authentication, performs no URL validation, follows redirects by default, and disables TLS certificate verification (InsecureSkipVerify: true). Attackers can probe internal networks, access cloud metadata services (169.254.169.254), and trigger denial-
Thread exhaustion in Mesop WebSocket handler (pkg:pip/mesop) allows unauthenticated remote attackers to crash applications via message flooding. The framework spawns unbounded OS threads for each received WebSocket message without rate limiting or pooling, enabling complete denial of service with minimal bandwidth. CVSS 7.5 (High). Publicly available exploit code exists. EPSS data not provided, but the low attack complexity (AC:L) and zero authentication requirement (PR:N) combined with working proof-of-concept significantly elevate real-world exploitation risk. Vendor-released patch available in version 1.2.5 (commit 760a207).
Memory leak in Linux kernel's TI ICSSG PRU Ethernet driver XDP_DROP path causes page pool exhaustion and out-of-memory conditions on systems using XDP packet dropping in non-zero-copy mode. The vulnerability affects all Linux kernel versions with the vulnerable icssg-prueth driver code; page recycling was incorrectly removed from the XDP_DROP handler to support AF_XDP zero-copy mode, but this created a resource leak in standard mode. No active exploitation identified; this is a kernel stability and denial-of-service issue affecting embedded and edge systems using TI PRU Ethernet hardware.
Infinite loop in Linux kernel bonding device header parsing allows local denial of service when two bonding devices are stacked. The bond_header_parse() function can recurse indefinitely because skb->dev always points to the top of the device hierarchy. The fix adds a bounded recursion parameter to the header_ops parse() method to ensure the leaf parse method is called and prevent endless loops. This vulnerability affects all Linux kernel versions with the vulnerable bonding code and requires local access to trigger.
Linux kernel net/mlx5e driver suffers a race condition during IPSec ESN (Extended Sequence Number) update handling that causes incorrect ESN high-order bit increments, leading to anti-replay failures and IPSec traffic halts. The vulnerability affects systems using Mellanox ConnectX adapters with IPSec full offload mode enabled. Attackers with local network access or the ability to trigger IPSec traffic patterns could exploit this to disrupt encrypted communications, though no public exploit code or active exploitation has been reported.
Linux kernel RDS TCP subsystem resolves circular locking dependency in rds_tcp_tune() function where socket lock contention with fs_reclaim memory allocation creates deadlock potential. The vulnerability affects all Linux kernel versions with the vulnerable code path in net/rds/tcp.c; the fix relocates sk_net_refcnt_upgrade() outside the socket lock critical section to eliminate the circular lock dependency without compromising synchronization semantics.
Out-of-bounds read in Apple swift-crypto X-Wing HPKE decapsulation allows remote attackers to trigger memory disclosure or denial of service by supplying a malformed encapsulated key. The vulnerability affects swift-crypto versions prior to 4.3.1 and any macOS or downstream applications using vulnerable versions of the cryptographic library.
JWT token validation bypass in fast-jwt npm library (all versions through 3.3.3) allows unauthenticated remote attackers to forge tokens with critical header parameters, achieving authentication bypass and security policy circumvention. The library violates RFC 7515 by accepting JWS tokens containing unrecognized 'crit' extensions that MUST be rejected per specification. No public exploit identified at time of analysis, though proof-of-concept code demonstrates trivial exploitation. CVSS 7.5 (Hi
Command injection in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows local attackers to execute arbitrary code or hijack authentication flows through malicious connection parameters during user-initiated database connections. With a CVSS 7.3 rating, the vulnerability requires user interaction but no authentication (CVSS:4.0 AV:L/PR:N/UI:P), enabling high impact to confidentiality, integrity, and availability on the local system. Vendor-released patches are available across all platforms (Windows, Linux, macOS). No public exploit or active exploitation confirmed at time of analysis, though EPSS data not available for risk calibration.
Stored cross-site scripting (XSS) in Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802 allows authenticated attackers to inject malicious scripts through the Non-Owner Mailbox Permission report, potentially compromising confidentiality and integrity of user sessions. With CVSS 7.3 (High) and EPSS data unavailable, exploitation requires low attack complexity and authenticated access with user interaction. No public exploit identified at time of analysis, and vendor has released patched version 5802.
Stored cross-site scripting in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers to inject malicious scripts via the Folder Message Count and Size report. With CVSS 7.3 (High severity) and requiring low-privilege authentication with user interaction, successful exploitation enables session hijacking and credential theft within the administrative interface. No public exploit identified at time of analysis, though CVSS vector indicates network-accessible attack surface with low complexity.
Stored cross-site scripting in ManageEngine Exchange Reporter Plus (versions prior to 5802) allows authenticated attackers with low privileges to inject malicious scripts into Equipment Mailbox Details reports, enabling session hijacking and credential theft against administrative users who view the poisoned reports. No active exploitation confirmed (not in CISA KEV), but the vulnerability affects organizations monitoring Microsoft Exchange environments through ManageEngine's reporting platform.
Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers to inject malicious scripts into the 'Mails Exchanged Between Users' report. With CVSS 7.3 (High severity) and low attack complexity (AC:L), this vulnerability requires low-privilege authentication (PR:L) and user interaction (UI:R) to achieve high confidentiality and integrity impact. No public exploit identified at time of analysis, though authentication requirements lower the barrier for insider threats or compromised accounts.
Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus versions prior to 5802 allows authenticated attackers with low privileges to inject malicious scripts into Distribution Lists reports that execute when viewed by other users, potentially compromising session tokens and account credentials of administrators or other privileged users. The vulnerability requires user interaction (victim must view the malicious report) but enables high-impact attacks against confidentiality and integrity within the application scope. No public exploit code or active exploitation has been identified at time of analysis.
Local code execution via command injection in Amazon Athena ODBC driver for Linux (pre-2.0.5.1) allows unauthenticated local attackers to execute arbitrary commands by crafting malicious connection parameters processed during user-initiated database connections. Vendor-released patches available across all platforms (version 2.1.0.0). No active exploitation confirmed (not in CISA KEV); CVSS 7.3 reflects high impact but requires local access and user interaction, limiting remote attack surface.
Stored cross-site scripting in ManageEngine Exchange Reporter Plus (versions prior to 5802) allows authenticated attackers to inject malicious scripts through the Public Folder Client Permissions report, enabling session hijacking and credential theft with medium exploitation complexity. No active exploitation confirmed (not present in CISA KEV), though the network-accessible attack vector and stored nature of the XSS elevate real-world risk for organizations using this Exchange monitoring solution.
Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers with low privileges to inject malicious scripts into the Permissions based on Distribution Groups report, potentially leading to session hijacking and account compromise of administrators viewing the report. No active exploitation confirmed (CISA KEV absent), but the network-accessible attack vector and low complexity make this exploitable with publicly documented vendor advisory details.
Stored cross-site scripting in Zohocorp ManageEngine Exchange Reporter Plus (pre-5802) allows authenticated attackers to inject malicious scripts via the Permissions Based on Mailboxes report, potentially compromising administrator sessions and stealing high-privilege credentials. Attack requires low complexity and user interaction from a victim administrator. CVSS 7.3 (High) reflects significant confidentiality and integrity impact. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed vulnerability.
Path traversal in Emlog CMS 2.6.2 and earlier enables authenticated administrators to achieve remote code execution by uploading malicious ZIP archives containing directory traversal sequences. The emUnZip() function fails to sanitize entry paths during plugin/template uploads and backup imports, allowing arbitrary file writes including PHP webshells. CVSS 7.2 (High) with network attack vector and low complexity. No vendor-released patch identified at time of analysis; publicly available exploit code exists via GitHub Security Advisory GHSA-2jg8-rmhm-xv9m.
Privilege escalation in Ajenti panel allows authenticated non-superuser accounts to install arbitrary Python packages, bypassing role-based access controls. Affects installations using the auth_users plugin authentication method. Vendor-released patch available in version 2.2.15. No public exploit identified at time of analysis, though the privilege bypass mechanism is straightforward for authenticated users to abuse.
Cookie attribute injection in Tornado web framework versions before 6.5.5 allows unauthenticated remote attackers to manipulate cookie security attributes through crafted characters in domain, path, and samesite parameters of RequestHandler.set_cookie. With CVSS 7.2 and EPSS data unavailable, this represents a moderate integrity and confidentiality risk for web applications using affected Tornado versions. No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward for exploitation.
Unauthenticated Server-Side Request Forgery (SSRF) in Ech0's /api/website/title endpoint allows remote attackers to access internal network services, cloud metadata endpoints (AWS IMDSv1 at 169.254.169.254), and localhost-bound resources without authentication. The vulnerability accepts arbitrary URLs via the website_url parameter with zero validation, enabling attackers to probe internal infrastructure and exfiltrate partial response data through HTML title tag extraction. CVSS 7.2 reflects the
SQL injection in Piwigo's Activity List API endpoint allows authenticated administrators to extract sensitive database contents including user credentials and email addresses. This vulnerability affects Piwigo versions prior to 16.3.0 and requires high-level privileges (administrator access) to exploit. CVSS score of 7.2 reflects the network-accessible attack vector with low complexity, though exploitation requires prior administrative authentication. No public exploit code or active exploitation (CISA KEV) identified at time of analysis. The vendor has released version 16.3.0 addressing this issue.
SQL injection in Piwigo photo gallery application allows authenticated administrators to execute arbitrary SQL commands via the pwg.users.getList Web Service API method. Piwigo versions prior to 16.3.0 are affected due to improper sanitization of the filter parameter, which is directly concatenated into database queries. Vendor-released patch version 16.3.0 addresses this vulnerability. EPSS data not provided; no public exploit identified at time of analysis. Authentication requirements (PR:H) significantly limit attack surface to users with administrative privileges.
Path traversal in Kedro's versioned dataset loader allows authenticated remote attackers to read arbitrary files outside intended data directories. Kedro versions before 1.3.0 fail to sanitize user-supplied version strings in catalog.load(), DataCatalog.from_config(), and CLI operations, enabling traversal sequences (../) to escape versioned dataset boundaries. Attackers with API or CLI access can exfiltrate sensitive files, poison training data, or access other tenants' data in multi-tenant ML pipelines. EPSS probability indicates moderate exploitation likelihood (specific score not provided), with publicly available exploit code exists via the referenced GitHub pull request demonstrating the vulnerability mechanics. Vendor-released patch available in Kedro 1.3.0.
Out-of-bounds write vulnerability in Amazon Athena ODBC driver (pre-2.1.0.0) allows remote attackers to crash the driver through specially crafted query data, requiring user interaction to process malicious queries. Affected versions include all Amazon Athena ODBC driver releases before 2.1.0.0 across Windows, Linux, and macOS platforms. CVSS 7.1 (High) reflects network-based attack with low complexity but requires user interaction (UI:P) and impacts only availability (VA:H). No public exploit identified at time of analysis. Vendor-released patch version 2.1.0.0 is available for all supported platforms with direct download links provided in AWS security bulletin 2026-013.
Server-side request forgery (SSRF) in prompts.chat allows authenticated users to force the server to make arbitrary HTTP requests with the application's FAL_API_KEY exposed in Authorization headers. Attackers can exploit unvalidated URL parameters in Fal.ai media status polling to exfiltrate API credentials, probe internal networks, and abuse the victim's Fal.ai account resources. Patch available via GitHub commit 30a8f04. No public exploit identified at time of analysis, though CVSS vector indicates low attack complexity with network-based attack vector requiring only low privileges.
Out-of-bounds read and write in the Broadcom bnxt_en network driver of the Linux kernel allows a malicious or compromised NIC to corrupt kernel heap memory or crash the system. The flaw resides in the DBG_BUF_PRODUCER async event handler, which uses a firmware-supplied 16-bit 'type' field as an unchecked index into the bp->bs_trace[] array. No public exploit identified at time of analysis and EPSS rates exploitation probability at just 0.02%, but the impact on confidentiality and availability is high where the trust boundary between NIC firmware and kernel is relevant.
Linux kernel accel/amdxdna driver fails to validate command buffer payload count, allowing out-of-bounds reads in AMD XDNA accelerator command processing. The vulnerability affects the accel/amdxdna subsystem across unspecified Linux kernel versions and permits information disclosure through unvalidated payload size interpretation. No active exploitation, public proof-of-concept, or CVSS data currently available.
Unauthorized resource modification in Juju application orchestration engine allows any authenticated controller user to tamper with application resources across the entire controller scope. Affects Juju 2.9.0-2.9.55 and 3.6.0-3.6.18. Patched in versions 2.9.56 and 3.6.19. EPSS score of 0.01% suggests low probability of mass exploitation. No active exploitation confirmed (not in CISA KEV). Authentication requirement (PR:L) limits attack surface to compromised credentials or malicious insiders.
IPv6 Pod traffic in Antrea dual-stack Kubernetes clusters transmits in plaintext despite IPsec encryption configuration, exposing inter-node communication to network eavesdropping. Affects Antrea versions prior to 2.6.0, 2.5.2, and 2.4.5 when dual-stack networking is enabled with trafficEncryptionMode: ipsec. Vendor-released patches are available across multiple stable branches. No public exploit identified at time of analysis, though the vulnerability bypasses intended encryption controls and could enable passive network monitoring in multi-tenant or untrusted network environments.
Hirschmann Industrial HiVision versions 06.0.00 and 07.0.00 prior to 06.0.06 and 07.0.01 contains an improper authorization vulnerability that allows read-only users to gain write access to managed. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Use-after-free in Linux kernel MANA hardware channel teardown (net/mana driver) allows concurrent interrupt handlers to dereference freed memory in mana_hwc_destroy_channel(), potentially causing NULL pointer dereference or memory corruption. The vulnerability stems from improper teardown ordering where hwc->caller_ctx is freed before CQ/EQ IRQ handlers are fully synchronized, affecting all Linux kernel versions with the MANA driver. Fixes are available across stable kernel branches via upstream commit reordering.
Use-after-free in Electron's powerMonitor module allows local attackers to trigger memory corruption or application crashes through system power events. All Electron applications (versions <38.8.6, <39.8.1, <40.8.0, <41.0.0-beta.8) that subscribe to powerMonitor events (suspend, resume, lock-screen) are vulnerable when garbage collection frees the PowerMonitor object while OS-level event handlers retain dangling pointers. Exploitation requires local access and specific timing conditions (CVSS 7.0 HIGH, AC:H). No public exploit identified at time of analysis, though the technical details are publicly documented in the GitHub security advisory.
Hirschmann Industrial HiVision version 08.1.03 prior to 08.1.04 and 08.2.00 contains a vulnerability in the execution of user-configured external applications that allows a local attacker to execute. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.