Local privilege escalation in Qualcomm Snapdragon allows authenticated users to execute arbitrary code through memory corruption when processing frame requests. This CWE-121 stack-based buffer overflow enables complete system compromise (high confidentiality, integrity, and availability impact). No public exploit identified at time of analysis, with CVSS 7.8 indicating high severity requiring low attack complexity and low privileges. Qualcomm's April 2026 security bulletin addresses this vulnerability.
Local privilege escalation via memory corruption in Qualcomm Snapdragon JPEG driver allows authenticated local users to achieve full system compromise (high confidentiality, integrity, and availability impact). The buffer overflow vulnerability (CWE-126) occurs during IOCTL request preprocessing, a common attack surface in kernel-mode device drivers. CVSS 7.8 indicates high severity with low attack complexity. No public exploit identified at time of analysis, and EPSS data not available in provided intelligence. Qualcomm's April 2026 security bulletin addresses this issue, indicating coordinated disclosure timeframe.
Local privilege escalation in Qualcomm Snapdragon components enables authenticated users to achieve arbitrary code execution with elevated privileges through memory corruption triggered by integer overflow during attestation report generation. The vulnerability requires low attack complexity and low-level authentication (CVSS:3.1/AV:L/AC:L/PR:L), allowing complete compromise of confidentiality, integrity, and availability on affected devices. With CVSS 7.8 (High severity) and local attack vector, this represents a significant risk on multi-user Android devices where malicious apps could exploit the flaw to break out of sandboxing. No public exploit identified at time of analysis, though the buffer overflow class (CWE-120) is well-understood by exploit developers.
Remote command injection in AWS Research and Engineering Studio (RES) 2024.10 through 2025.12.01 allows authenticated users to execute arbitrary commands on cluster-manager EC2 instances through unsanitized input in the FileBrowser API. Vendor-released patch available (version 2026.03). No public exploit identified at time of analysis, though CVSS 7.7 reflects high impact if exploited by low-privileged authenticated users with network access.
Buffer over-read (CWE-126) in Qualcomm Snapdragon devices causes denial-of-service when processing malformed Neighborhood Awareness Networking (NAN) service data frames with excessive length values. Attack requires network proximity, high attacker privileges, user interaction, and high complexity (CVSS 7.6), yielding CVSS scope change with potential high confidentiality/integrity impact beyond availability disruption. Qualcomm April 2026 bulletin addresses this transient DOS condition. No public exploit identified at time of analysis, though the specific protocol implementation flaw in NAN device discovery presents measurable risk in adjacent network scenarios where attackers have elevated Wi-Fi protocol access.
Out-of-bounds read in Qualcomm Snapdragon WiFi firmware triggers denial-of-service when processing malformed FILS Discovery frames during network scans. Remote attackers on the same wireless network can crash affected devices by broadcasting specially crafted 802.11ai Fast Initial Link Setup frames with invalid action field sizes. CVSS 7.6 (High) reflects the high attack complexity and required high privileges, though the confidentiality/integrity impacts appear overstated for a transient DOS condition. EPSS data not available; no public exploit identified at time of analysis.
Authentication bypass in Strawberry GraphQL WebSocket subscriptions (versions <0.312.3) allows unauthenticated remote attackers to access protected GraphQL subscription endpoints by exploiting the legacy graphql-ws subprotocol handler. Attackers can skip the on_ws_connect authentication hook by connecting with graphql-ws and sending subscription start messages without completing the connection_init handshake. No public exploit identified at time of analysis, though exploitation is straightforward given the protocol-level nature of the bypass. CVSS 7.5 reflects network-accessible unauthenticated attack with high confidentiality impact.
AMF daemon in OpenAirInterface V2.2.0 crashes upon receipt of malformed NGAP control-plane messages containing mismatched procedure codes or PDU type violations (e.g., successfulOutcome where InitiatingMessage is required). Remote attackers can trigger denial of service without authentication (CVSS AV:N/PR:N), exploiting improper input validation (CWE-20) in 5G core network signaling. Publicly available exploit code exists, SSVC framework classifies as automatable with partial technical impact, and EPSS data not provided but attack simplicity (AC:L) indicates low barrier to exploitation.
Stored XSS in GLPI 11.0.0-11.0.5 allows remote attackers to inject malicious scripts via the inventory endpoint without authentication, leading to potential session hijacking and unauthorized actions when victims interact with poisoned inventory data. CVSS 7.5 (High) with Network attack vector and no privileges required (PR:N). No public exploit identified at time of analysis, though the unauthenticated nature and stored XSS persistence elevate practical risk for environments with publicly accessible GLPI installations.
Unauthenticated denial-of-service in Strawberry GraphQL WebSocket handlers allows remote attackers to crash Python servers via subscription flooding. The vulnerability affects both graphql-transport-ws and legacy graphql-ws protocol implementations, which fail to enforce per-connection subscription limits. An attacker can exhaust server memory and saturate the asyncio event loop by sending unlimited subscribe messages over a single WebSocket connection, leading to service degradation or out-of-memory crashes. EPSS data not available for this recent CVE; no public exploit identified at time of analysis, though exploitation is trivial given the low attack complexity (CVSS AC:L) and lack of authentication requirement (PR:N).
Denial of Service in Samsung Exynos processors and modems (including 980, 850, 990, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 1680, 9110, W920, W930, W1000, and Modems 5123, 5300, 5400, 5410) allows unauthenticated remote attackers to cause complete service disruption via network-based attacks requiring low complexity and no user interaction. The vulnerability stems from improper input validation (CWE-20) affecting mobile, wearable, and baseband modem chipsets used across Samsung's semiconductor product line. No public exploit identified at time of analysis, though the CVSS vector indicates trivial exploitation conditions (AV:N/AC:L/PR:N/UI:N) that could enable network-accessible denial of service attacks against devices containing these chipsets.
Heap buffer overflow in ZLMediaKit's VP9 RTP payload parser allows remote unauthenticated attackers to trigger denial of service by sending a single malformed RTP packet. The vulnerability stems from insufficient buffer length validation in ext-codec/VP9Rtp.cpp, where flag bits in a 1-byte payload (0xFF) cause out-of-bounds reads. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and EPSS 0.04%, this represents a low-probability but remotely exploitable attack surface against any ZLMediaKit server processing VP9 streams. Fixed in commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d. No active exploitation (CISA KEV) or public POC identified at time of analysis.
Unbounded HTTP redirect following in Fedify's ActivityPub document loaders enables resource exhaustion attacks. Remote unauthenticated attackers can trigger denial of service by controlling ActivityPub key or actor URLs that redirect indefinitely, forcing affected servers (Fedify versions before 1.9.6, 1.10.5, 2.0.8, and 2.1.1) to make repeated outbound requests from a single inbound request. No public exploit identified at time of analysis, though the attack vector is straightforward given the low complexity (CVSS AC:L). CVSS base score 7.5 (High) reflects network-reachable, unauthenticated access with high availability impact.
Distribution container registry versions ≤3.0.x and ≤2.8.x restore read access to explicitly deleted blobs when Redis blob descriptor caching and storage deletion are both enabled. After an administrator deletes a blob from repository A, the deletion briefly succeeds, but when repository B later accesses the same digest, it repopulates the shared Redis descriptor cache. Repository A then regains unauthorized read access to the deleted blob because stale repository-scoped membership metadata was never invalidated from Redis. This authorization bypass defeats repository-local content revocation with concrete confidentiality impact. CVSS 7.5 (HIGH) with network attack vector, low complexity, and no authentication required. EPSS exploitation probability is very low (0.03%, 9th percentile), suggesting limited real-world targeting despite public POC availability. Vendor-released patch confirms the issue and provides a fix in version 3.1.0.
Server-Side Request Forgery (SSRF) in distribution container toolkit versions before 3.1.0 enables credential theft via malicious upstream registry responses. When operating in pull-through cache mode, distribution parses WWW-Authenticate bearer challenges from upstream registries without validating the realm URL against the configured upstream host. Attackers controlling the upstream registry or positioned for man-in-the-middle attacks can specify arbitrary realm URLs, causing distribution to transmit configured upstream credentials via basic authentication to attacker-controlled endpoints (CVSS 7.5, High confidentiality impact). EPSS data and KEV status not available; no public exploit identified at time of analysis, though exploitation requires only network access with low complexity (AV:N/AC:L) and no authentication (PR:N).
Denial of service in Samsung Exynos USIM firmware across mobile, wearable, and modem processors allows unauthenticated remote attackers to crash affected devices via maliciously crafted SIM card proactive commands. The vulnerability affects over 20 Exynos chipset families (980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, 5300, 5400) due to improper handling of USIM proactive commands, classified as CWE-400 (Uncontrolled Resource Consumption). EPSS exploitation probability is low (0.02%, 5th percentile), no public exploit identified at time of analysis, and not currently listed in CISA KEV. Despite the high CVSS base score of 7.5, the practical exploitation requires attacker control over cellular network infrastructure or compromised SIM cards, significantly limiting real-world attack surface.
System crash in Samsung Exynos processors (980/990/850/1080/2100/1280/2200/1330/1380/1480/2400/1580/2500/9110, Wearable W920/W930/W1000, Modems 5123/5300/5400) allows unauthenticated remote attackers to trigger denial-of-service via malformed RRCReconfiguration message exploiting improper memory initialization in the Radio Resource Control (RRC) layer. No public exploit identified at time of analysis. EPSS score of 0.02% (5th percentile) indicates very low probability of imminent exploitation despite network-reachable attack surface and low complexity (CVSS 7.5, AV:N/AC:L/PR:N).
Denial of service in Samsung Exynos chipsets' NAS (Non-Access Stratum) layer allows remote unauthenticated attackers to crash mobile devices via malformed Downlink NAS Transport packets. Affects 23+ Exynos processor and modem variants used in mobile phones, wearables, and cellular modems (980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, 5300, 5400). Despite CVSS 7.5, EPSS shows only 0.02% exploitation probability (5th percentile), and no public exploit or active exploitation confirmed at time of analysis.
Stack-based buffer overflow in Tenda CX12L router firmware 16.03.53.12 allows authenticated remote attackers to achieve arbitrary code execution via the 'page' parameter in the fromNatStaticSetting function at /goform/NatStaticSetting endpoint. Publicly available exploit code exists. EPSS data not provided, but CVSS 7.4 (High) with network attack vector and low complexity indicates significant risk for exposed administrative interfaces.
Stack-based buffer overflow in Belkin F9K1015 wireless router firmware 1.00.10 enables authenticated remote attackers to achieve complete device compromise via the formSetFirewall firewall configuration function. The vulnerability has publicly available exploit code and carries an EPSS exploitation probability that warrants attention, though no active exploitation has been confirmed by CISA KEV at time of analysis. The vendor (Belkin) was notified but did not respond, leaving legacy hardware users without an official remediation path.
Remote stack-based buffer overflow in Tenda CX12L router firmware version 16.03.53.12 allows authenticated attackers to execute arbitrary code via crafted 'page' parameter to the RouteStatic configuration endpoint. CVSS 7.4 with publicly available exploit code (E:P in vector). EPSS and KEV data not provided, but public POC availability elevates immediate risk for exposed management interfaces.
Arbitrary file write in PraisonAI's recipe registry allows malicious publishers to overwrite files outside intended directories when victims pull recipes. Affects all users pulling recipes from shared or untrusted registries via both local and HTTP transports. The vulnerability stems from unsafe tar.extractall() calls that process attacker-controlled path traversal sequences (../) embedded in .praison bundle archives. Exploitation requires low-privilege publisher access and user interaction (victim must pull the malicious recipe), but no special client configuration. EPSS score of 0.04% suggests low automated exploitation probability, though a working proof-of-concept exists demonstrating file creation outside victim-selected output directories. Vendor patch available in release v4.5.113.
Stored cross-site scripting (XSS) in CI4MS administrative settings allows authenticated administrators to inject malicious scripts that execute on public-facing pages. The vulnerability affects CI4MS versions prior to 0.31.2.0, where unsanitized input in System Settings - Company Information fields is stored in the database and rendered without proper output encoding on the public frontend. CVSS 7.2 (High) with network attack vector and low complexity, requiring high privileges (PR:H). No public exploit identified at time of analysis. EPSS data not available.
Stored cross-site scripting (XSS) in GLPI asset management software allows authenticated technician-level users to inject malicious JavaScript into supplier fields, achieving code execution in victim browsers with high confidentiality, integrity, and availability impact. Affects GLPI versions 0.60 through 10.0.23, patched in version 10.0.24. EPSS data not available; no public exploit identified at time of analysis, and not listed in CISA KEV. The CVSS score of 7.2 reflects network-accessible attack requiring high privileges but no user interaction, making this a medium-priority issue for organizations running vulnerable GLPI instances with multiple technician accounts.
SQL injection in GLPI asset management software versions 10.0.0 through 10.0.23 and 11.0.0 through 11.0.5 allows authenticated administrators to execute arbitrary SQL commands through the logs export feature. The vulnerability requires high-level privileges (PR:H), limiting the attack surface to compromised admin accounts or malicious insiders. No public exploit identified at time of analysis. CVSS 7.2 reflects the high impact but limited attacker base, while the network attack vector (AV:N) means exploitation requires only network access to the GLPI instance.
Path traversal in PraisonAI's recipe registry publish endpoint allows authenticated users with publish access to write arbitrary files outside the configured registry root. The vulnerability affects the pip package 'praisonai' and stems from trusting attacker-controlled manifest.json name/version fields before validation, enabling directory traversal sequences like '../../' to bypass intended storage boundaries. While the malicious publish request returns HTTP 400, the out-of-bounds file write persists on disk. EPSS exploitation probability is low (0.06%, 18th percentile) with no active exploitation reported. Vendor patch available in version 4.5.113.
Unaligned memory write in OpenEXR DWA decoder causes immediate crashes on ARM/RISC-V architectures and enables potential exploitation on x86 systems via compiler optimization abuse. Affects OpenEXR versions 3.2.0-3.2.6, 3.3.0-3.3.8, and 3.4.0-3.4.8 when processing DWA/DWAB-compressed EXR files with FLOAT-type channels. Remote attackers can trigger this by convincing users to open malicious EXR files (CVSS 7.1, AV:N/PR:N/UI:R). No public exploit identified at time of analysis, though the technical details are fully disclosed in the GitHub security advisory.
Authenticated users in Brave CMS can delete arbitrary article images belonging to other users via an Insecure Direct Object Reference (IDOR) flaw in versions prior to 2.0.6. The deleteImage method in ArticleController.php accepts filenames without verifying ownership, allowing any authenticated user with edit permissions to delete images from articles they don't own. CVSS 7.1 reflects high integrity impact with low availability impact. No public exploit identified at time of analysis, and EPSS data not available for this recent vulnerability.
Heap out-of-bounds read in SDL_image library's XCF format parser allows remote information disclosure when processing malicious GIMP files. Attackers can craft .xcf files with undersized colormaps and invalid pixel indices to leak up to 762 bytes of heap memory into rendered image data, potentially exposing sensitive process memory. The vulnerability affects both indexed color code paths (1-bit and 2-bit per pixel). No public exploit identified at time of analysis, but EPSS and exploitation likelihood are notable given the library's widespread use in gaming and multimedia applications requiring minimal user interaction (opening a file).
Heap buffer overflow in openFPGALoader 1.1.1 and earlier allows local attackers to read sensitive heap memory and cause denial-of-service by supplying a maliciously crafted .pof FPGA bitstream file. The vulnerability triggers during POF file parsing without requiring physical FPGA hardware, enabling information disclosure (high confidentiality impact) and application crashes (high availability impact). EPSS data not available; no public exploit identified at time of analysis, though GitHub security advisory confirms the flaw in open-source FPGA programming utility used by hardware developers and researchers.
Heap-buffer-overflow in openFPGALoader 1.1.1 and earlier allows local attackers to trigger information disclosure and denial-of-service through maliciously crafted .bit FPGA configuration files. The vulnerability requires user interaction (opening a malicious file) but requires no authentication or FPGA hardware. CVSS base score is 7.1 (High). No public exploit identified at time of analysis, though proof-of-concept development is feasible given the specific vulnerability class and file format parsing context. EPSS data not available.
In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: add missing netlink policy validations Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN.
Buffer overread in Qualcomm Snapdragon cryptographic implementation allows authenticated local attackers to expose sensitive memory contents and potentially manipulate cryptographic operations. The vulnerability (CWE-126) stems from copying data to a destination buffer without size validation, creating high confidentiality and integrity risk. EPSS scoring and KEV status not available at time of analysis; no public exploit identified. Affects Qualcomm Snapdragon chipsets with fix documented in April 2026 security bulletin.
Race condition in Samsung Exynos Wi-Fi drivers enables local privilege escalation to kernel execution via double-free memory corruption. Affects 11 mobile and wearable processors (Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, W1000). Local attackers with low privileges can trigger memory corruption by racing ioctl calls across threads, achieving high confidentiality, integrity, and availability impact. EPSS score of 0.02% (5th percentile) suggests minimal real-world exploitation likelihood despite CVSS 7.0 severity. No public exploit identified at time of analysis.
Use-after-free in Samsung Exynos Wi-Fi driver affects 11 mobile and wearable processor models via race condition triggered by concurrent ioctl calls. Local attackers with low privileges can exploit improper synchronization on a global variable to achieve high-impact compromise (confidentiality, integrity, availability). EPSS data not available; no confirmed active exploitation (not in CISA KEV); public exploit code status unknown. Attack complexity rated high (AC:H) due to race condition timing requirements, reducing immediate weaponization risk despite 7.0 CVSS score.