Malicious D-Bus peers can execute three distinct attacks against applications using Tmds.DBus or Tmds.DBus.Protocol .NET libraries: signal spoofing via well-known name impersonation (integrity compromise), file descriptor exhaustion causing resource depletion or fd spillover, and application crashes through malformed message bodies triggering unhandled exceptions on SynchronizationContext. Attack requires local access with low-privileged D-Bus peer presence (PR:L). Vendor-released patches available in versions 0.92.0 (both libraries) and 0.21.3 (Protocol only). No public exploit identified at time of analysis.
Cross-Site Request Forgery in Dotstore Extra Fees Plugin for WooCommerce versions through 4.3.3 allows remote attackers to execute unauthorized administrative actions on behalf of authenticated WordPress administrators by tricking them into visiting malicious websites or clicking crafted links. The vulnerability enables attackers to modify plugin settings, create unauthorized fees, or alter checkout configurations without the administrator's knowledge. While no active exploitation is confirmed (CISA KEV absent) and EPSS probability is minimal (0.01%, 1st percentile), the CVSS score of 7.1 reflects potential for broad impact across WordPress e-commerce sites using this plugin.
Memory corruption in Go compiler cmd/compile versions before 1.25.9 and 1.26.0-1.26.1 allows local authenticated attackers to achieve integrity compromise and denial of service. A flaw in pointer unwrapping logic during memory move operations causes the compiler to incorrectly assess overlapping memory regions, potentially corrupting compiled binaries. EPSS score of 0.01% indicates minimal real-world exploitation probability, and no public exploit or active exploitation (non-KEV) has been identified at time of analysis.
Moxa MxGeneralIo utility versions prior to 1.4.0/1.5.0 expose IOCTL interfaces allowing authenticated high-privilege local attackers to directly access Model-Specific Registers (MSR) and system memory, enabling privilege escalation on Windows 7 or denial-of-service crashes (BSoD) on Windows 10/11. While CVSS 7.0 reflects high availability impact and network attack vector classification, the actual exploit requires local high-privilege access (PR:H), significantly reducing practical risk. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept has been identified at time of analysis, though vendor advisory confirms patch availability.