SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the BRANCH_ID parameter in /util/BookVehicleFunction.php. The vulnerability has publicly available exploit code (GitHub POC), enabling trivial exploitation with low attack complexity. CVSS 7.3 reflects medium-severity impacts across confidentiality, integrity, and availability. No vendor patch has been identified at time of analysis.
SQL injection in code-projects Vehicle Showroom Management System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the BRANCH_ID parameter in MonthTotalReportUpdateFunction.php. Publicly available exploit code exists (GitHub POC published), enabling trivial exploitation with no user interaction required. CVSS 7.3 reflects network-accessible attack with low complexity and no authentication barrier, creating immediate risk for internet-exposed instances.
SQL injection in tushar-2223 Hotel Management System /admin/roomdelete.php allows unauthenticated remote attackers to manipulate database queries via the ID parameter, potentially compromising confidentiality, integrity, and availability of hotel management data. Publicly available exploit code exists (CVSS 7.3, EPSS not provided). The vulnerability affects all versions up to commit bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15 in this rolling-release project, and the maintainer has not responded to responsible disclosure attempts.
EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly from the repository without verifying that the current user has authorization to access it. Any authenticated user with Email:create and Import permissions can exploit this to read another user's .eml attachment contents by importing them as a new email into the attacker's mailbox, while the original victim attachment record is deleted as a side effect of the import flow. This is inconsistent with the standard attachment download path, which enforces ACL checks before returning file data, and is practically exploitable because attachment IDs are commonly exposed in normal UI and API workflows such as stream payloads and download links. This issue is fixed in version 9.3.4.
Remote code execution in Pachno 1.0.6 allows unauthenticated attackers to achieve arbitrary code execution by exploiting unsafe deserialization of PHP objects. Attackers write malicious serialized payloads to world-writable cache files with predictable names, which are automatically unserialized during framework bootstrap before authentication occurs. EPSS indicates 0.14% probability of exploitation (33rd percentile), no active exploitation confirmed per CISA KEV, and SSVC classifies this as automatable with total technical impact.
Stored code execution in Decidim's user name field allows authenticated attackers with low privileges to inject malicious code that executes in victims' browsers when they view comment pages, enabling account takeover and data theft across trust boundaries. The vulnerability affects the decidim-core RubyGem component. Patches are available in versions 0.30.5 and 0.31.1. No public exploit identified at time of analysis, though the attack vector is relatively straightforward for authenticated users.
XML External Entity (XXE) injection in Pachno 1.0.6's TextParser helper allows remote unauthenticated attackers to read arbitrary files from the server. The vulnerability is triggered through malicious XML entities embedded in wiki table syntax and inline tags within issue descriptions, comments, or wiki articles, exploiting unsafe simplexml_load_string() calls without LIBXML_NONET protections. With CVSS 9.3 and EPSS 0.04% (14th percentile), this represents a high-severity but low-probability threat. No active exploitation (CISA KEV) or public exploit code has been identified at time of analysis.
A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosure.
CPython decompression modules (lzma, bz2, gzip) allow memory corruption via use-after-free when decompressor instances are reused after MemoryError exceptions under memory pressure. Affects all CPython versions before 3.15.0. Exploitation requires network-accessible Python service that decompresses attacker-controlled data, operates under memory constraints, and reuses decompressor objects across multiple operations-a narrow but realistic scenario in containerized environments or resource-limited systems. No active exploitation confirmed (EPSS 0.05%, not in CISA KEV). Patch available via CPython 3.15.0.
Denial-of-service in ABB industrial control system products (AC800M, Symphony Plus SD/MR, S+ Operations) allows attackers on adjacent IEC 61850 networks to crash communication modules via malformed protocol packets. The vulnerability affects critical infrastructure PLCs and SCADA systems widely deployed in power substations and industrial automation. CVSS 7.1 (High) but low EPSS (0.02%) indicates limited attacker interest to date. No public exploit identified at time of analysis, and CISA SSVC a
Weak session ID generation in Solstice::Session for Perl (all versions through 1440) enables session prediction and hijacking attacks by unauthenticated remote attackers. The vulnerability stems from cryptographically weak entropy sources (MD5 with predictable epoch time, stringified hash references, 16-bit rand() seeding, and limited process IDs), allowing attackers to forge valid session tokens and impersonate legitimate users. EPSS score of 0.02% (4th percentile) indicates low observed exploi
Remote code execution in Apache Storm before 2.8.6 allows authenticated users with topology submission rights to execute arbitrary code on Nimbus and Worker JVMs via crafted serialized objects in Kerberos TGT credentials. The vulnerability exploits unsafe deserialization in the Nimbus Thrift API (CWE-502) with CVSS 8.8. No active exploitation confirmed (EPSS 0.30%, SSVC exploitation status: none), but the low attack complexity and network attack vector make this a critical patch priority for Storm deployments with authenticated users.
OS command injection in Pandora FMS versions 777 through 800 allows authenticated remote attackers to execute arbitrary system commands via the Network Report functionality. The vulnerability stems from improper input sanitization of special elements used in OS commands. With CVSS 8.7 (HIGH) severity and network-accessible attack vector requiring only low privileges, this poses significant risk to monitoring infrastructure despite no confirmed active exploitation (not in CISA KEV) or public exploit code at time of analysis.
Remote code execution in Apache Airflow 3.1.x allows authenticated DAG Authors to execute arbitrary code in the webserver context through crafted XCom payloads exploiting insecure deserialization (CWE-502). Affects Apache Airflow versions 3.1.8 through <3.2.0. Despite CVSS 8.8, vendor rates severity as Low due to DAG Authors being highly trusted roles. No public exploit identified at time of analysis, with EPSS exploitation probability at 0.07% (21st percentile), indicating minimal real-world risk. Vendor-released patch: Apache Airflow 3.2.0.
Shell command injection in NSA Emissary's Executrix.getCommand() allows authenticated users with place configuration authorship to achieve arbitrary OS command execution when any payload is processed. The framework constructs /bin/sh -c commands by directly substituting IN_FILE_ENDING and OUT_FILE_ENDING configuration values into temporary file paths without escaping or validation, despite implementing input sanitization for similar parameters (placeName). Vendor-released patch available (commit 1faf33f). CVSS 8.8 (high) reflects local attack vector requiring low privileges, but scope change to C indicates container/JVM breakout potential. No CISA KEV listing or public exploit identified at time of analysis, though detailed proof-of-concept exists in advisory including Docker-based reproduction and unit test.
The `/registercrd` endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses `subprocess.Popen()` with `shell=True` parameter to execute shell commands, and the user-supplied `chartName` parameter is directly concatenated into the command string without any sanitization or validation. An attacker can inject arbitrary shell commands by crafting a malicious `chartName` parameter value.
In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page.
OS command injection in Pandora FMS versions 777 through 800 allows authenticated remote attackers to execute arbitrary system commands via the WebServerModuleDebug component. With low attack complexity and no user interaction required, attackers with low-level privileges can achieve high confidentiality and integrity impact on the vulnerable system, plus limited impact on connected systems (CVSS 8.7). No public exploit identified at time of analysis, though the vulnerability has medium remediation effort according to CVSS 4.0 metadata.
Remote code execution in Pachno 1.0.6 allows authenticated users to upload and execute PHP5 scripts via the /uploadfile endpoint due to ineffective extension filtering. The vulnerability bypasses file type restrictions, enabling attackers to place executable code in web-accessible directories. With a low attack complexity (AC:L) and requiring only low-level authentication (PR:L), this is exploitable by any user with basic credentials. EPSS probability is relatively low (0.10%, 27th percentile), and no active exploitation is confirmed via CISA KEV status, though the attack technique is well-understood and documented in public advisories.
Stored cross-site scripting in Note Mark note-taking application allows authenticated users to execute arbitrary JavaScript in victims' browsers by uploading HTML/SVG files as note assets. The vulnerability affects the Go backend's asset delivery mechanism (github.com/enchant97/note-mark), which serves uploaded files inline without setting Content-Type headers or X-Content-Type-Options: nosniff, enabling browser MIME-sniffing attacks. Attackers with low-privilege accounts can create malicious asset URLs that, when opened by victims, execute scripts with full access to authenticated API endpoints, private notes, and user data. CVSS 8.7 (High) reflects the changed scope impact where one user's malicious upload affects other users' security context. Vendor-released patch available in v0.19.2.
SQL injection in Craft Commerce 5.0.0-5.5.4 allows authenticated control panel users to extract arbitrary database contents via ProductQuery::hasVariant and VariantQuery::hasProduct parameters that bypass prior sanitization fixes. Attackers can retrieve security keys to forge admin sessions and escalate privileges. Fixed in version 5.6.0. EPSS 0.03% (8th percentile) indicates low observed exploitation probability; no public exploit identified at time of analysis.
SQL injection in Pandora FMS versions 777 through 800 enables authenticated remote attackers to execute arbitrary SQL commands via specially crafted custom field inputs, potentially exposing sensitive monitoring data, modifying database contents, or compromising the underlying infrastructure management system. The vulnerability requires low-privilege authentication (PR:L) but has high confidentiality and integrity impact across the monitoring platform. No public exploit code or active exploitation confirmed at time of analysis, though the straightforward attack complexity (AC:L) and network accessibility (AV:N) elevate real-world risk for internet-exposed Pandora FMS instances.
SQL injection in Pandora FMS module search functionality allows authenticated attackers to extract, modify, or delete database contents across versions 777 through 800. Attackers with low-level privileges can execute arbitrary SQL commands through improperly sanitized search parameters, leading to high confidentiality and integrity impact. No confirmed active exploitation (CISA KEV) at time of analysis, though the straightforward attack vector (network-accessible, low complexity, authenticated) and limited scope suggest moderate real-world risk for exposed instances.
Remote code execution in Pandora FMS versions 777 through 800 enables authenticated administrators to upload malicious files and execute arbitrary code on the server. The vulnerability stems from inadequate file type validation during upload operations, allowing attackers with high-privilege credentials to bypass security controls. With a CVSS 4.0 score of 8.6 and attack complexity rated as low, this represents a significant risk for organizations using affected versions, though exploitation requires prior administrative access to the monitoring platform.
EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes. The vulnerability exists because server-side Handlebars templates render the post field using unescaped triple-brace syntax, the Markdown processor preserves inline HTML by default, and the rendering pipeline explicitly skips sanitization for fields present in additionalData, creating a path where attacker-controlled HTML is accepted, stored, and rendered directly into emails without any escaping. Since the emails are sent using the system's configured SMTP identity (such as an administrative sender address), the injected content appears fully trusted to recipients, enabling phishing attacks, user tracking via embedded resources like image beacons, and UI manipulation within email content. The @mention feature further increases the impact by allowing targeted delivery of malicious emails to specific users. This issue has been fixed in version 9.3.4.
Cross-site Scripting (XSS) in LibreNMS versions before 26.3.0 allows authenticated administrators to inject malicious scripts on the showconfig page, enabling attacks against other authorized users. The vulnerability requires high administrative privileges and user interaction (clicking a malicious link) to execute, resulting in integrity impact to other users' sessions. Publicly available exploit code exists, though CISA KEV status is not confirmed.
Unauthorized access to configuration endpoints in Pandora FMS versions 777 through 800 exposes sensitive system information to low-privileged authenticated users. The missing authorization control (CWE-276) allows privilege escalation where authenticated users can access configuration data they should not have permissions to view, potentially revealing credentials, internal architecture details, and security settings. With CVSS 8.4 (High) and low attack complexity, this vulnerability poses significant risk in multi-tenant or role-separated Pandora FMS deployments. No public exploit identified at time of analysis, though the straightforward attack vector (network-accessible, low complexity, requires only basic authentication) makes exploitation highly feasible.
Stack-based buffer overflow in Dynabook Bluetooth ACPI drivers (tosrfec.sys, drfec.sys) allows local administrators to execute arbitrary code by manipulating specific registry values. This CVSS 8.4 vulnerability requires high privileges (administrative access) but enables complete system compromise with low attack complexity. No public exploit identified at time of analysis, though the attack surface is limited to users who already possess elevated credentials.
Heap use-after-free in Nitro PDF Pro 14.41.1.4 for Windows allows local code execution via malicious PDF containing crafted JavaScript calling this.mailDoc(). The vulnerability stems from premature deallocation of an XID object whose freed pointer is passed to wcscmp() and other functions, where attacker-controlled strings in the freed heap region can manipulate program flow. CVSS 8.4 (AV:L/PR:N) indicates local attack vector requiring no privileges or user interaction. EPSS 0.01% suggests low immediate exploitation probability; no public exploit identified at time of analysis.
EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation (e.g., 0177.0.0.1 instead of 127.0.0.1). This is caused by HostCheck::isNotInternalHost() function relying on PHP's filter_var(..., FILTER_VALIDATE_IP), which does not recognize alternative IP formats, causing the validation to fall through to a DNS lookup that returns no records and incorrectly treats the host as safe, however the cURL subsequently normalizes the address and connects to the loopback destination. Through the confirmed /api/v1/Attachment/fromImageUrl endpoint, an authenticated user can force the server to make requests to loopback-only services and store the fetched response as an attachment. This vulnerability is distinct from CVE-2023-46736 (which involved redirect-based SSRF) and may allow access to internal resources reachable from the application runtime. This issue has been fixed in version 9.3.4.
LDAP injection in maddy mail server versions before 0.9.3 allows remote unauthenticated attackers to extract sensitive directory attributes and spoof user identities. The auth.ldap module fails to escape user-supplied usernames before interpolating them into LDAP search filters and DN strings, despite having the ldap.EscapeFilter() function available. Attackers can exploit this via SMTP AUTH PLAIN or IMAP LOGIN interfaces to perform boolean-based blind injection attacks that extract password hashes, email addresses, group memberships, and other LDAP attributes character-by-character. While CVSS rates this 8.2 (High) for network-accessible unauthenticated exploitation with high confidentiality impact, no active exploitation (KEV) or weaponized POC has been identified at time of analysis. EPSS data not available for this recent CVE.
Heap buffer overflow in jq command-line JSON processor (all versions through 1.8.1) allows remote unauthenticated attackers to crash processes or potentially achieve code execution via crafted queries producing strings exceeding 2^31 bytes. Integer overflow in jvp_string_append() and jvp_string_copy_replace_bad() functions causes undersized buffer allocation followed by heap corruption. Publicly available exploit code exists (SSVC: POC). EPSS score of 0.04% (12th percentile) suggests low observe
Command injection in simple-git npm package versions ≤3.28.0 enables arbitrary code execution via crafted Git options. Attackers who control Git command options can bypass the allowUnsafePack safety restriction using malformed variations of the -u flag (e.g., -vu, -4u, --u) to execute shell commands on Linux systems. This vulnerability stems from an incomplete fix for CVE-2022-25860, with proof-of-concept code publicly available demonstrating file creation via touch command. EPSS data not provid
Integer overflow in Samsung Escargot JavaScript engine allows remote attackers to trigger buffer overflows without authentication via network-delivered crafted JavaScript code. Affects commit 97e8115ab and prior versions. No public exploit identified at time of analysis, though upstream fix available (PR/commit); released patched version not independently confirmed. With CVSS 8.1 (High) and network attack vector requiring high complexity, this represents significant risk for devices and applications embedding the Escargot engine, particularly Samsung smart TV and appliance platforms.
HTML Injection in Totara LMS through version 19.1.5 allows authenticated users with low privileges to inject malicious HTML/JavaScript into messages sent to all application users, enabling session hijacking and arbitrary command execution in victims' browsers. A publicly available exploit exists (GitHub POC referenced), though no confirmed active exploitation (not in CISA KEV). EPSS score of 0.02% indicates very low observed exploitation probability despite the CVSS 8.0 rating, suggesting limited attacker interest or opportunity in real-world environments.
Arbitrary code execution in Keras 3.13.0 occurs because the TFSMLayer class unconditionally loads attacker-supplied TensorFlow SavedModels while deserializing a .keras model, even with safe_mode=True engaged. Any user who loads a malicious model triggers attacker-controlled code at inference time under their own privileges, defeating the protection safe_mode is supposed to provide. The flaw (CWE-502) has publicly available exploit code via huntr but is not in CISA KEV; EPSS is very low at 0.06% (19th percentile), consistent with the local, user-interaction-dependent attack path.
Use-after-free in Linux kernel bonding driver allows local authenticated attackers with low privileges to trigger memory corruption via race condition during concurrent slave device operations. The vulnerability (CVSS 7.8, EPSS 0.02%) affects the bond_xmit_broadcast() function where concurrent slave enslave/release operations can mutate the slave list during RCU-protected iteration, causing the original skb to be double-consumed and double-freed. Vendor patches are available for kernel versions 6.18.22, 6.19.12, and 7.0. No public exploit or active exploitation confirmed at time of analysis.
Remote code execution via SQL injection in Craft Commerce 4.x (4.0.0-4.10.2) and 5.x (5.0.0-5.5.4) allows authenticated control panel users to write PHP webshells through a four-step exploitation chain. Attack exploits unsanitized TotalRevenue widget settings interpolated into SQL, PDO multi-statement support, and unsafe PHP deserialization in yii2-queue to instantiate a GuzzleHttp FileCookieJar gadget chain. Complete exploitation requires only three HTTP requests and low-privileged authenticati
Permission bypass in Huawei HarmonyOS and EMUI LBS (Location-Based Services) module enables highly-privileged local attackers with user interaction to achieve full compromise across security contexts (confidentiality, integrity, availability impact). CVSS 7.7 HIGH severity. No public exploit identified at time of analysis. Attack requires local access, high privileges (administrator/root), user interaction, but succeeds with low complexity once prerequisites met. Scope change (S:C) indicates container escape or privilege boundary violation beyond the vulnerable component.
OS command injection in Pandora FMS versions 777 through 800 enables high-privileged remote attackers to execute arbitrary operating system commands through the Event Response execution functionality. While requiring administrative credentials (PR:H), successful exploitation grants extensive system access with high confidentiality and integrity impact. No public exploit identified at time of analysis, though the specific attack vector through Event Response features provides a clear exploitation pathway for authenticated administrators or compromised admin accounts.
Nimiq core-rs-albatross validators prior to version 1.3.0 can be remotely crashed via malformed Tendermint proposals. An unauthenticated network attacker exploits an off-by-one bounds check error (using > instead of >=) to trigger an out-of-bounds index panic before signature verification occurs. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and EPSS 0.04%, this represents a straightforward denial-of-service vector against Proof-of-Stake validators in the Nimiq blockchain network, though no public exploit
Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though Airflow's intentions and security model of Airflow did not suggest different assumptions. The overall security model [1], workload isolation [2], and JWT authentication details [3] are now described in more detail. Users concerned with role isolation and following the Airflow security model of Airflow are advised to upgrade to Airflow 3.2, where several security improvements have been implemented. They should also read and follow the relevant documents to make sure that their deployment is secure enough. It also clarifies that the Deployment Manager is ultimately responsible for securing your Airflow deployment. This had also been communicated via Airflow 3.2.0 Blog announcement [4]. [1] Security Model: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [2] Workload isolation: https://airflow.apache.org/docs/apache-airflow/stable/security/workload.html [3] JWT Token authentication: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [4] Airflow 3.2.0 Blog announcement: https://airflow.apache.org/blog/airflow-3.2.0/ Users are recommended to upgrade to version 3.2.0, which fixes this issue.
Stack exhaustion in ImageMagick's XML tree parser allows remote unauthenticated attackers to trigger denial-of-service conditions by submitting specially crafted XML files with deeply nested structures. Affects all versions below 6.9.13-44 and 7.1.2-19 across multiple platforms including the Magick.NET wrapper. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability, though the network-accessible attack vector (AV:N) and lack of authentication requirements (PR:N) present theoretical risk for internet-facing deployments processing untrusted XML input.
Heap buffer overflow in FFmpeg 8.0.1's av_bprint_finalize() function enables remote denial-of-service attacks through maliciously crafted media files. Exploitation requires no authentication (CVSS AV:N/AC:L/PR:N/UI:N), making this accessible to any network-based attacker who can deliver manipulated input to vulnerable FFmpeg instances. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis. While CVSS rates this 7.5 HIGH due to availability impact, real-world risk is primarily limited to public-facing media processing services.
Out-of-bounds read in FFmpeg 8.0.1's AV1 decoder allows remote denial-of-service via malicious video files. Attackers craft inputs targeting read_global_param() in libavcodec/av1dec.c to trigger memory access violations, crashing the decoder. Affects applications processing untrusted AV1 video content (media servers, transcoders, browsers with FFmpeg). CVSS 7.5 (High) reflects network-exploitable DoS; EPSS 0.04% indicates low observed exploitation probability. No active exploitation confirmed (n
EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual HTTP request resolves hostnames through curl's internal resolver (gethostbyname()), allowing the two lookups to return different IP addresses for the same hostname. A secondary issue exists where an empty DNS result (due to DNS failure, IPv6-only domains, or non-existent hostnames) causes the validation to implicitly allow the host without further checks. An authenticated attacker with default attachment creation access can exploit this gap to bypass internal IP restrictions and scan internal network ports, confirm the existence of internal hosts, and interact with internal HTTP-based services, though data extraction from binary protocol services and remote code execution are not possible through this endpoint. This issue has been fixed in version 9.3.4.
Heap buffer overflow in ImageMagick's MVG decoder enables network-based denial of service through crafted image files. Affects all ImageMagick versions prior to 6.9.13-44 and 7.1.2-19. CVSS 7.5 (HIGH) with remote unauthenticated exploitation (AV:N/PR:N), but EPSS score of 0.04% (11th percentile) indicates minimal observed exploitation probability. No active exploitation confirmed (not in CISA KEV), no public POC identified. Vendor-released patches available in versions 6.9.13-44 and 7.1.2-19, with upstream fix committed at 4c72003e9e54.
Resource deallocation flaw in FFmpeg 8.0.1's zmqsend.c utility enables remote denial of service through crafted input files. Attackers can trigger improper cleanup of allocated resources without authentication (CVSS AV:N/AC:L/PR:N/UI:N), exhausting system resources. EPSS score of 0.04% (11th percentile) indicates low real-world exploitation probability, and no active exploitation confirmed (not in CISA KEV). The vulnerability affects a non-core utility component used for ZeroMQ message sending, limiting practical attack surface compared to main FFmpeg libraries.
Integer overflow in Linux kernel X.25 protocol stack allows remote unauthenticated attackers to trigger denial of service via fragmented packet accumulation. The fraglen field in x25_sock structure can overflow when processing fragmented X.25 packets, causing kernel crashes or resource exhaustion. Vendor-released patches confirm the vulnerability exists since initial Git history (2005) through kernel 6.19.x. EPSS score of 0.02% suggests low observed exploitation activity, though the network-accessible attack vector (AV:N) and lack of authentication requirements (PR:N) make this exploitable against any exposed X.25 network interface. No active exploitation confirmed (not in CISA KEV), but public patches reveal implementation details that could facilitate exploit development.
Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks. For example, if Crypt::SecretBuffer was used to store and compare plaintext passwords, then discrepencies in timing could be used to guess the secret password.