BookStack chapter export functionality allows unauthenticated remote attackers to bypass access controls via manipulation of the pages parameter in the chapterToMarkdown function, enabling improper access to restricted content. Affects BookStack versions up to 26.03; patch available in version 26.03.1. Publicly available exploit code exists and CVSS 5.5 reflects low confidentiality impact with no integrity or availability compromise.
SandboxJS versions 0.8.35 and below allow untrusted sandboxed code to leak internal interpreter scope objects through the `new` operator, exposing raw Prop wrappers that reference the host's global variable storage (scope.allVars). An attacker controlling code execution within the sandbox can extract this scope object and modify variables in the sandbox hierarchy, though prototype chain and code evaluation remain protected. Vendor-released patch available; no active KEV status or public exploit code confirmed.
Unauthenticated attackers can access administrative endpoint notifications in Gardyn Cloud API without proper authentication, allowing information disclosure via an authentication bypass vulnerability. The CVSS 6.9 score reflects the network accessibility and lack of required privileges, though impact is limited to confidentiality. No public exploit code or active exploitation has been confirmed at time of analysis.
Denial of service in @nyariv/sandboxjs through unbounded recursion in the parser allows remote attackers to crash Node.js processes by submitting deeply nested expressions (approximately 2000 nested parentheses or brackets), triggering a RangeError that terminates the application. All public API methods (Sandbox.parse, Sandbox.compile, Sandbox.compileAsync, Sandbox.compileExpression, Sandbox.compileExpressionAsync) are vulnerable with no input validation or depth limiting. A proof-of-concept demonstrating the crash exists; no public active exploitation has been reported at the time of analysis.
Gardyn Cloud API exposes development and test endpoints that mirror production functionality, allowing unauthenticated remote attackers to access sensitive information with low complexity. This information disclosure vulnerability (CVSS 6.9) affects all versions of Gardyn Cloud API and has been documented by CISA ICS in advisory ICSA-26-055-03; no public exploit code or active exploitation has been identified at the time of analysis.
Juju application orchestration engine versions 2.9 to 2.9.55 and 3.6 to 3.6.18 allow a compromised workload machine to read arbitrary log files for any entity across any model without proper authorization checks. This authentication bypass (CWE-863) affects high-privilege scenarios where an attacker already controls a machine within a Juju-managed infrastructure, enabling lateral information disclosure to extract sensitive operational logs. The vulnerability has been patched in Juju 2.9.56 and 3.6.19.
Biztalk360 through version 11.5 contains a directory traversal vulnerability allowing Super User attackers to read arbitrary files on the system and coerce authentication from the service through mishandled user input in file path parameters. The vulnerability enables local file access and potential credential extraction by authenticated administrators with Super User privileges.
Electron's nodeIntegrationInWorker webPreference fails to properly isolate Node.js integration in worker contexts across certain process-sharing configurations, allowing workers in frames explicitly configured with nodeIntegrationInWorker: false to unexpectedly gain Node.js capabilities. Only applications that explicitly enable nodeIntegrationInWorker are affected. The vulnerability carries a CVSS score of 6.8 and permits information disclosure and code execution in affected contexts, with no public exploit identified at time of analysis.
Path traversal in OpenPrinting CUPS RSS notifier (versions 2.4.16 and prior) allows unauthenticated remote IPP clients to write arbitrary files outside the intended CacheDir/rss directory via a crafted notify-recipient-uri parameter. By exploiting default group-writable permissions on CacheDir, attackers can overwrite critical state files such as job.cache, causing the CUPS scheduler to fail parsing job queues and resulting in loss of previously queued print jobs. No public exploit code or vendor patch is currently available, though the vulnerability is demonstrated with proof-of-concept exploitation.
Local file inclusion in Emlog admin/plugin.php allows authenticated attackers to execute arbitrary PHP code via unsanitized $plugin parameter in GET requests, provided CSRF token validation can be bypassed. Emlog versions 2.6.2 and prior are affected. An authenticated attacker with high privileges can include arbitrary files from the server filesystem, achieving remote code execution without requiring user interaction. No public exploit code or active exploitation has been confirmed at time of analysis.
Denial of service in MariaDB Server through large packet crashes when the caching_sha2_password authentication plugin is enabled and accounts use it, due to unbounded stack allocation in sha256_crypt_r. Authenticated remote attackers can crash the server by sending a crafted large authentication packet. MariaDB versions before 11.4.10, 11.5.0 through 11.8.5, and 12.0.0 through 12.2.1 are affected. No public exploit code or confirmed active exploitation reported at time of analysis.
Denial of service in vLLM's VideoMediaIO.load_base64() method allows authenticated remote attackers to crash the server via memory exhaustion by sending API requests with thousands of comma-separated base64-encoded JPEG frames. The vulnerability bypasses the default 32-frame limit enforced in other video loading code paths, allowing attackers to decode gigabytes of image data into memory (e.g., 5000 frames ≈ 4.6 GB for 640x480 RGB) with a small compressed payload. CVSS 6.5 (network-accessible, low complexity, requires authentication, high availability impact); no public exploit code identified at time of analysis.
Denial of Service in vLLM OpenAI-compatible API server allows unauthenticated remote attackers to crash the service via a single HTTP request containing an extremely large n parameter. The lack of upper bound validation causes the asyncio event loop to freeze while allocating millions of request object copies, leading to rapid Out-Of-Memory crashes. CVSS 6.5 with moderate real-world risk due to authentication requirement in the disclosed CVSS vector (PR:L), though the description indicates unauthenticated exploitability - a significant discrepancy warranting clarification from the vendor.
SQL injection in Emlog tag management allows authenticated administrators to execute arbitrary SQL queries through the updateTagName() function in include/model/tag_model.php. Versions 2.6.2 and prior are affected. An attacker with administrative privileges can exploit this via direct SQL manipulation to modify or exfiltrate database contents. No public exploit code or active exploitation has been confirmed; patch status remains unavailable as of publication.
Electron's moveToApplicationsFolder() API on macOS improperly sanitizes application bundle paths in AppleScript fallback code, allowing arbitrary AppleScript execution when a user accepts a move-to-Applications prompt on a system with a crafted path. Remote code execution is possible if an attacker can control the installation path or launch context of an Electron application; however, this requires user interaction (accepting the move prompt) and is limited to local attack surface. No public exploit code or active exploitation has been identified. CVSS 6.5 reflects moderate risk due to local-only attack vector and user interaction requirement, though the impact (code execution) is severe.
Host header injection in Shynet before 0.14.0 allows unauthenticated remote attackers to manipulate password reset functionality through crafted HTTP Host headers, enabling account hijacking and unauthorized access via email-based password reset flows. The vulnerability requires user interaction (clicking a reset link) and carries a CVSS score of 6.4 with confirmed patch availability in version 0.14.0.
Immich prior to version 2.6.0 discloses shared album passwords in cleartext within URL query parameters during authentication to /api/shared-links/me, exposing credentials to browser history, proxy logs, server logs, and HTTP referrer headers. An unauthenticated attacker with access to these logs or referrer data can obtain album passwords and compromise shared album access, affecting all installations using shared albums with password protection before the patch.
Discourse versions 2026.1.0-2026.1.2, 2026.2.0-2026.2.1, and 2026.3.0-pre allow unauthenticated users to enumerate and view hidden staff-only tags and associated metadata through an authorization bypass flaw. All instances with tagging enabled and staff-only tag groups configured are vulnerable. The issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0 final. No public exploit code or active exploitation has been confirmed at the time of analysis.
Context isolation bypass in Electron applications enables privilege escalation when VideoFrame objects are bridged to the main world. Attackers with XSS capabilities can leverage improperly bridged WebCodecs API VideoFrame objects to escape the isolated context and access Node.js APIs exposed in preload scripts. CVSS 8.4 (High) with network attack vector requiring high complexity and user interaction. No public exploit identified at time of analysis, though proof-of-concept development is feasible given the detailed vendor disclosure.
Unauthenticated remote code execution in OpenPrinting CUPS 2.4.16 and earlier allows attackers to send print jobs to shared PostScript queues without authentication, exploit a newline injection vulnerability in page-border parameter handling, and execute arbitrary binaries as the lp user by chaining a follow-up raw print job. CISA KEV status and active exploitation confirmation not provided; no publicly available patches identified at publication.
Cross-site scripting (XSS) in Roundcube Webmail before versions 1.5.14 and 1.6.14 allows remote attackers to inject malicious scripts via insufficient HTML sanitization in text/html attachment preview mode. An authenticated user must preview a malicious text/html attachment to trigger the vulnerability, enabling attackers to steal session cookies, redirect users, or perform actions on behalf of the victim. No public exploit code or active exploitation has been confirmed; EPSS score of 6.1 reflects moderate real-world risk given the user interaction requirement.
Stored cross-site scripting (XSS) in Emlog's comment module allows unauthenticated remote attackers to inject malicious scripts via URI scheme validation bypass, affecting all versions prior to 2.6.8. The vulnerability requires user interaction (clicking a malicious link) and can result in session hijacking, credential theft, or malware distribution to website visitors. No public exploit code or active exploitation has been confirmed at time of analysis.
Path traversal in Zulip's ./manage.py import function allows local attackers to read arbitrary files from the server filesystem and copy them into the uploads directory via a crafted export tarball containing specially crafted paths in uploads/records.json. Zulip versions 1.4.0 through 11.5 are affected; the vulnerability requires local access and user interaction (import initiation) but can expose sensitive server data readable by the Zulip application user. No active exploitation has been confirmed; a vendor-released patch is available in version 11.6.
OpenClaw before version 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in Gemini OAuth flows, exposing cryptographic material through the redirect URL and enabling attackers who capture the URL to obtain both the authorization code and PKCE verifier, defeating PKCE protection and allowing unauthorized token redemption. The vulnerability requires user interaction (redirect capture) but has high confidentiality impact affecting OAuth security mechanisms; it is an information disclosure flaw in the OAuth implementation itself rather than a remote code execution threat.
Memory exhaustion denial of service in jupyterhub-litauthenticator 1.6.2 and earlier allows unauthenticated remote attackers to crash the LTI 1.1 validator by submitting repeated requests with unique OAuth nonces. The vulnerability exists because nonces are stored in an unbounded class-level dictionary before signature validation occurs, enabling an attacker with knowledge of a valid consumer key to gradually exhaust server memory without authentication. EPSS score of 5.9 (medium-high) reflects the network attack vector and practical exploitability, though the requirement to know a valid consumer key and achieve high authentication complexity moderates real-world risk.
HTTP response header injection in Electron allows remote attackers to inject malicious headers via crafted input reflected in response headers when custom protocol handlers or webRequest.onHeadersReceived are used. An attacker can manipulate cookies, content security policy, or cross-origin access controls in affected applications. This affects Electron 41.x before 41.0.3, 40.x before 40.8.3, 39.x before 39.8.3, and 38.x before 38.8.6; no public exploit code is documented at time of analysis.
Electron's service worker implementation allows spoofing of internal IPC reply messages, enabling a malicious service worker to inject attacker-controlled data into the main process's promise resolution from webContents.executeJavaScript() and related methods. This affects Electron versions prior to 41.0.0, 40.8.1, 39.8.1, and 38.8.6, and impacts only applications that register service workers and rely on executeJavaScript() return values for security decisions. The vulnerability requires local authenticated access and medium attack complexity, with no public exploit code or active exploitation confirmed at analysis time.
Use-after-free in Electron framework allows memory corruption when native save-file dialogs remain open during session teardown. Affected Electron versions prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.7 enable local attackers with UI interaction to trigger freed memory dereference via downloaded files, potentially causing application crashes or memory corruption. Only applications that programmatically destroy sessions at runtime and permit downloads are vulnerable; no public exploit code or active exploitation has been identified.
AIRBUS TETRA Connectivity Server 7.0 on Windows Server allows privilege escalation to SYSTEM via incorrect default directory permissions (CWE-276), enabling local authenticated attackers to execute arbitrary code by placing a crafted file in a vulnerable directory with user interaction. The vulnerability affects TETRA Connectivity Server version 7.0, with patches available for versions 8.0 and 9.0. No public exploit code or active exploitation in the wild has been identified at time of analysis.
Buffer overflow in Linux kernel's RedBoot partition table parser allows kernel panic during boot when CONFIG_FORTIFY_SOURCE is enabled with recent compilers. The MTD (Memory Technology Devices) subsystem reads beyond allocated buffer boundaries in partition name validation, triggering fortify-source detection and kernel crash (oops). This affects systems using RedBoot bootloader partitioning on embedded devices; exploitation is involuntary (denial of service via boot failure) rather than attacker-driven, with no public exploit code identified.
Linux kernel sunrpc subsystem fails to properly release cache_request objects when file descriptors are closed mid-read, resulting in memory leaks and potential information disclosure through stale cache entries. The vulnerability affects all Linux kernel versions with the affected sunrpc cache implementation, and requires no special privileges or network access to trigger since it occurs during normal file descriptor closure in the kernel's user-space cache management interface.
Memory leak in Linux kernel atmel-sha204a cryptographic driver allows local denial of service via resource exhaustion. The vulnerability occurs when memory allocation fails during tfm_count counter management; the counter is not properly decremented, causing subsequent read operations to block indefinitely. This affects all Linux kernel versions with the vulnerable atmel-sha204a implementation until patched.
NULL-pointer dereference in Linux kernel SPI subsystem allows local denial of service via sysfs attribute access. The SPI controller's per-CPU statistics structure is not allocated until after the controller registers with the driver core, creating a race window where sysfs attribute reads can trigger a kernel panic. This affects all Linux kernel versions with the vulnerable SPI statistics implementation; exploitation requires local system access to read sysfs files.
NULL pointer dereference in Linux kernel ROSE socket implementation allows local denial of service when rose_connect() is called twice during an active connection attempt. The vulnerability occurs because rose_connect() fails to validate TCP_SYN_SENT state, permitting rose->neighbour to be overwritten with NULL, which later causes a kernel crash when rose_transmit_link() dereferences the NULL pointer during socket closure. No active exploitation reported; fix available in upstream kernel commits.
Linux kernel aqc111 USB driver deadlock in power management allows local denial of service via task hang during runtime suspend. The vulnerability occurs when aqc111_suspend() calls power-managed write operations during device suspension, triggering nested runtime PM calls that deadlock waiting for a state change that never occurs. This blocks the rtnl_lock and freezes the entire networking stack. Affected systems running vulnerable kernel versions with USB AQC111 network adapters are susceptible to local DoS that requires no authentication or user interaction beyond normal device suspension. No public exploit code identified; fix requires kernel upgrade or manual patch application.
Use-after-free vulnerability in Linux kernel ACPI processor errata handling allows local attackers to cause denial of service or potentially execute code via device pointer dereference after reference dropping in acpi_processor_errata_piix4(). The vulnerability affects multiple Linux kernel versions and was introduced in a previous fix attempt (commit f132e089fe89); it has been resolved across stable kernel branches with no active public exploitation identified.
Linux kernel NULL pointer dereference in UDP tunnel socket creation when IPv6 is disabled causes denial of service. When CONFIG_IPV6=n, the udp_sock_create6() function incorrectly returns success (0) without creating a socket, leading callers such as fou_create() to dereference an uninitialized pointer. The vulnerability is triggered via netlink socket operations and requires privileged user access; no public exploit code or active exploitation has been identified at time of analysis.
Denial of service in Linux kernel mvpp2 network driver occurs when MTU changes or other operations trigger buffer pool switching on Marvell hardware lacking CM3 SRAM support, causing NULL pointer dereference in flow control register access. Affects systems running vulnerable kernel versions on Marvell Armada platforms where the CM3 SRAM device tree entry is absent; no authentication required. Upstream fix available via stable kernel commits.
NAND flash device lock/unlock operations in the Linux kernel MTD subsystem can race with concurrent erase/write operations, causing cmd_pending conflicts on certain NAND controllers that use PIO-based SET_FEATURES. This race condition is resolved by serializing lock/unlock calls with the NAND device lock, preventing data corruption or system instability on affected controller implementations. The vulnerability affects all Linux kernel versions prior to the fix and is present in systems using raw NAND devices with specific controller hardware implementations.
Linux kernel drm/logicvc driver fails to release a device node reference in logicvc_drm_config_parse(), causing a reference leak that can exhaust kernel memory resources over time. The vulnerability affects all Linux kernel versions with the logicvc DRM driver enabled; it requires local access to trigger repeated calls to the vulnerable code path. This is a low-severity resource exhaustion issue resolved via kernel patch implementing automatic cleanup attributes.
Mutex lock-unlock mismatch in the Linux kernel's wlcore Wi-Fi driver allows potential information disclosure or system instability through improper synchronization. The vulnerability occurs when wl->mutex is unlocked without being locked first, detected by the Clang thread-safety analyzer. This affects all Linux kernel versions with the wlcore Wi-Fi driver. No active exploitation has been identified, but the bug creates a race condition that could be leveraged to access shared kernel state.
Null pointer dereference in Linux kernel mac80211 IEEE 802.11 wireless subsystem crashes AP_VLAN stations during channel bandwidth change operations. The ieee80211_chan_bw_change() function incorrectly accesses link data on VLAN interfaces (such as 4-address WDS clients) where the link structure is uninitialized, leading to kernel panic when dereferencing a NULL channel pointer. Any system with AP_VLAN wireless configurations and active channel state announcement (CSA) operations is vulnerable to local denial of service.
Linux kernel drm/imagination driver deadlock in soft reset sequence allows local denial of service when the soft reset handler calls disable_irq() from within a threaded IRQ handler context, creating a self-deadlock condition. The fix replaces disable_irq() with disable_irq_nosync() to prevent the handler from waiting on itself. Affected systems running vulnerable kernel versions with imagination GPU drivers can experience system hangs during GPU reset operations; no public exploit code identified at time of analysis.
Linux kernel btrfs filesystem fails to log new directory dentries when the parent directory of a conflicting inode is logged, causing new files and subdirectories to become inaccessible after power failure or system crash. The vulnerability affects all Linux kernel versions with btrfs; an attacker or system malfunction can trigger data loss through specific filesystem operation sequences involving deleted and recreated inodes with naming conflicts.
Memory leak in Linux kernel Microchip MPFS system controller driver (mpfs_sys_controller_probe) allows local attackers to exhaust kernel memory by repeatedly triggering the MTD device lookup failure path, eventually causing denial of service through memory exhaustion.
NULL pointer dereference in Linux kernel IPv6 SRv6 path processing allows local denial of service when __in6_dev_get() returns NULL due to missing IPv6 configuration or device unregistration. The vulnerability affects seg6_hmac_validate_skb() and ipv6_srh_rcv() functions which lacked NULL checks on the returned idev pointer, enabling a local attacker to crash the kernel by triggering these code paths on misconfigured or unregistering network devices.
Null pointer dereference in Linux kernel arm_mpam memory bandwidth monitoring causes kernel oops when an MSC supporting bandwidth monitoring transitions offline and back online. The mpam_restore_mbwu_state() function fails to initialize a value buffer before passing it to __ris_msmon_read() via IPI, triggering a crash in the bandwidth counter restoration routine. This affects ARM systems with MPAM (Memory Partitioning and Monitoring) support and results in denial of service through system instability when memory controllers are toggled.
Linux kernel xe (Intel GPU) driver leaks dynamically allocated virtual memory area (VMA) structures when argument validation fails in the xe_vm_madvise_ioctl handler, allowing local attackers to exhaust kernel memory and trigger denial of service. The vulnerability has been patched upstream in stable kernel branches with proper cleanup path addition.
Infinite loop in Linux kernel serial core driver handle_tx() affects systems using uninitialized PORT_UNKNOWN serial ports, where uart_write_room() and uart_write() behave inconsistently regarding null transmit buffers, causing denial of service through system hangs. The vulnerability impacts caif_serial and other drivers that rely on tty_write_room() to determine write capacity. Patch available in upstream kernel commits; no CVSS score assigned due to kernel-specific nature and relatively limited exposure scope.
Denial of service in Linux kernel amdgpu driver allows local attackers to exhaust system memory by passing an arbitrarily large BO (buffer object) list entry count via userspace, bypassing existing overflow checks but causing excessive allocation and processing delays; fixed by enforcing a 128k entry limit per BO list.