### Summary A broken access control vulnerability allows unauthenticated users to retrieve note assets directly from the asset download endpoint when they know both the note UUID and asset UUID. This exposes the full contents of private note assets without authentication, even when the associated book is not public. ### Details The issue is caused by the asset download route being registered without authentication middleware. Relevant route registration: - `handlers/assets.go`, line 40 ```go huma.Get(api, "/api/notes/{noteID}/assets/{assetID}", h.GetNoteAssetContentByID) ``` By contrast, other asset operations correctly apply authentication middleware. For example: ```go huma.Delete(api, "/api/notes/{noteID}/assets/{assetID}", h.DeleteNoteAsset, huma.WithMiddleware(h.authMiddleware.AuthRequiredMiddleware)) ``` The backend service for asset retrieval also does not enforce ownership or visibility checks. According to the provided code references, the lookup only queries the asset table by asset ID and note ID: ```sql SELECT * FROM note_assets WHERE id = ? AND note_id = ? ``` Because the retrieval path does not join against the related `notes` or `books` records, it does not verify: - whether the requester owns the parent book - whether the parent book is public or private - whether the related note has been deleted As a result, possession of a valid `noteID` and `assetID` is sufficient to retrieve the asset binary, regardless of whether the note belongs to a private book. The exploitability is constrained by identifier knowledge. Both `noteID` and `assetID` are UUIDv4 values, so blind guessing is impractical. However, the endpoint remains vulnerable whenever those identifiers are disclosed through another channel, such as leaked links, browser history, proxy logs, shared URLs, or other application behaviors that expose internal asset references. ### PoC The issue can be reproduced by creating a private note with an attached asset, then requesting the asset download endpoint without authentication using the valid `noteID` and `assetID`. The server returns the asset content even though the associated note is private. ### Impact - **Type:** Broken access control / unauthenticated information disclosure - **Who is impacted:** Any deployment exposing the affected asset download endpoint - **Security impact:** Full binary contents of private note assets can be disclosed to unauthenticated users who know the required identifiers - **Attack preconditions:** The attacker must know both the target `noteID` and `assetID`; no authentication is required - **Attack complexity:** High, because successful exploitation depends on prior disclosure of both UUIDs rather than feasible online guessing
In viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write that can result in a crash.
Use-after-free vulnerability in Huawei HarmonyOS and EMUI kernel module allows local attackers without privileges to read sensitive memory, modify data, and crash the system (confidentiality, integrity, and availability impact). The vulnerability affects an unspecified range of HarmonyOS and EMUI versions; no public exploit code or active exploitation has been identified at the time of analysis. CVSS score of 5.9 reflects moderate local attack risk with low complexity.
HAProxy versions 2.6 through 3.3.5 fail to validate that received HTTP/3 message body lengths match the announced Content-Length header when streams close via empty-payload frames, enabling request smuggling and backend desynchronization attacks. An unauthenticated remote attacker can exploit this via network-level HTTP/3 traffic to cause integrity violations (integrity impact rated low by CVSS), though practical exploitation requires high attack complexity. No public exploit code or active CISA KEV designation has been confirmed; the moderate CVSS 4.0 and high attack complexity suggest this is a specialized HTTP/3 protocol abuse requiring precise crafting.
Out-of-bounds write vulnerability in Huawei HarmonyOS and EMUI kernel modules allows local privileged attackers to achieve arbitrary memory corruption, potentially compromising system confidentiality and availability. The vulnerability requires high privilege context and nontrivial user interaction to trigger, limiting real-world exploitation scope despite moderate CVSS scoring.
Use-after-free vulnerability in HarmonyOS and EMUI kernel modules enables local attackers with high privileges to disclose sensitive information and cause denial of service through improper memory management. CVSS 5.7 reflects limited attack scope (local only, requires elevated privileges, high attack complexity), though the vulnerability impacts both confidentiality and availability. No public exploit code or active exploitation has been confirmed at time of analysis.
Double free vulnerability in Huawei HarmonyOS multi-mode input system allows local authenticated users with user interaction to cause information disclosure and denial of service. The vulnerability affects availability through memory corruption, with a CVSS score of 5.6 indicating moderate risk. No public exploit code or active exploitation has been confirmed at time of analysis.
Integer overflow in the Linux kernel's IPv6 sendmsg ancillary-data path allows a local user with CAP_NET_RAW (or namespaced CAP_NET_RAW via unprivileged user namespaces) to crash the kernel via skb_under_panic(), constituting a local denial of service. The 16-bit opt_flen accumulator in ip6_datagram_send_ctl() wraps around when flooded with large IPV6_DSTOPTS cmsgs, causing the transmit path to underallocate sk_buff headroom while dst1opt still references a large destination-options header - the mismatch triggers BUG() on subsequent packet transmission. A proof-of-concept (poc.c) was submitted with the bug report; no public exploit identified at time of analysis as actively exploited (no CISA KEV listing), and EPSS is very low at 0.03%.
Uninitialized heap memory leaks to userspace via the Linux kernel's netfilter logging subsystem (nfnetlink_log), exposing 1-3 bytes of stale kernel heap content per logged packet through the NFULA_PAYLOAD netlink attribute. Affected systems are those running Linux kernel versions dating back to commit df6fb868d611 (circa 2.6.24) where NFLOG-based packet logging is configured. A low-privileged local attacker with access to an NFLOG netlink socket can passively harvest kernel memory fragments, potentially useful for defeating KASLR or reconstructing sensitive in-memory data. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 7th percentile), but the vulnerability class is well-understood by kernel exploit developers.
Stack corruption in the Linux kernel's netfilter SIP connection tracking helper (`nf_conntrack_sip`) allows a local low-privileged attacker to disrupt SIP call establishment by triggering use of an uninitialized `rtp_addr` stack variable in `process_sdp()`. When SDP bodies contain no valid media sections, the uninitialized address is passed to `nf_nat_sdp_session()`, which rewrites SDP `o=` and `c=` lines with either zeroes (when `CONFIG_INIT_STACK_ALL_ZERO` is active) or arbitrary stack contents, corrupting session negotiation. No public exploit identified at time of analysis; EPSS is 0.02% (7th percentile), and this vulnerability is not listed in CISA KEV.
Null pointer dereference in the Linux kernel's RDS-over-InfiniBand (RDS/IB) subsystem allows a local low-privileged user to crash the kernel by sending an RDS_CMSG_RDMA_MAP control message before an IB connection is fully established. The impact is a complete denial of service (kernel panic) with no confidentiality or integrity exposure, scoring CVSS 5.5. No public exploit code has been identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02%, consistent with the specialized InfiniBand hardware prerequisite.
NULL pointer dereference in the Linux kernel's netfilter x_tables subsystem allows a local attacker with CAP_NET_ADMIN privileges to crash the system by loading an NFPROTO_UNSPEC-registered xt_match or xt_target (e.g., xt_devgroup) into an ARP nftables chain via nft_compat, triggering a kernel panic and complete availability loss. CVSS 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately reflects the local-only, availability-only impact, and EPSS at 0.02% (7th percentile) indicates very low real-world exploitation probability. No active exploitation confirmed (not in CISA KEV); vendor-released patches are available across multiple stable kernel branches.
Divide-by-zero in the Linux kernel's HFSC traffic scheduler (net/sched/sch_hfsc.c) allows a local authenticated user to crash the kernel via a denial-of-service oops. The flaw is triggered by enqueueing packets through an HFSC qdisc configured with slope values that cause a u64-to-u32 arithmetic truncation to yield a zero divisor in rtsc_min(). With EPSS at 0.02% (7th percentile), no CISA KEV listing, and no public exploit code identified at time of analysis, real-world exploitation risk is currently low, though the crash path is deterministic and reproducible by anyone with HFSC configuration access.
NULL pointer dereference in the Linux kernel's net/sched cls_flow traffic classifier allows a local low-privileged attacker to crash the kernel (denial of service) by creating a flow filter on a shared traffic control block without a fully qualified baseclass. The crash occurs in flow_change() at net/sched/cls_flow.c:508, confirmed by a KASAN trace showing null-ptr-deref when block->q is dereferenced on a shared block where it is intentionally NULL. No active exploitation confirmed - not listed in CISA KEV - and EPSS stands at 0.02% (7th percentile), indicating negligible real-world exploitation probability at time of analysis.
NULL pointer dereference in the Linux kernel's cls_fw traffic classifier (net/sched/cls_fw.c) crashes the kernel when authenticated local users configure an old-method cls_fw filter on a shared tc block and traffic with a nonzero major skb mark is processed. The flaw exists because the old classification path in fw_classify() calls tcf_block_q() and dereferences q->handle, but shared blocks hold a NULL block->q pointer. The impact is limited to local denial of service (kernel panic); no confidentiality or integrity compromise is possible. EPSS is 0.02% (7th percentile), this vulnerability is not in CISA KEV, and no public exploit has been identified at time of analysis.
Local denial-of-service via kernel memory leak in the Linux kernel's netfilter ipset subsystem affects multiple stable branches from Linux 5.6 through the fixed releases 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0. The mtype_del() function contains a logic flaw that prevents proper bucket release when all live entries are deleted but the positional counter (n->pos) still references past-deleted slots, causing accumulated unreleased kernel memory across repeated ipset add/delete operations. No public exploit code exists and this CVE is not listed in the CISA KEV catalog; EPSS at 0.02% (7th percentile) reflects very low real-world exploitation probability.
Local denial-of-service in the Linux kernel's netfilter nfnetlink_log subsystem allows a low-privileged local user to trigger a kernel WARN splat and cause netlink message drops. The root cause is an accounting error in NLMSG_DONE that omits the netlink header size, counting only the attribute size. With a CVSS score of 5.5 (AV:L/AC:L/PR:L) and EPSS at 0.02% (7th percentile), this has no public exploit code identified at time of analysis and is not listed in the CISA KEV catalog - impact is limited to netlink logging availability, with no code execution or data exposure.
Uncontrolled resource exhaustion in the Linux kernel bridge MRP subsystem allows a locally authenticated attacker to trigger a kernel OOM panic by supplying a zero-value test interval via netlink. The br_mrp_start_test() and br_mrp_start_in_test() functions lack input validation for the interval parameter; when set to zero, usecs_to_jiffies(0) yields 0, causing delayed work items on system_percpu_wq to reschedule themselves at maximum rate while continuously allocating and transmitting MRP test frames until all system memory is exhausted. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (6th percentile) reflects low current exploitation probability, though the denial-of-service impact is severe - a full kernel panic.
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below 7.1.2-19 and 6.9.13-44 contain a heap use-after-free vulnerability that can cause a crash when reading and printing values from an invalid XMP profile. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below both 7.1.2-19 and 6.9.13-44, contain a heap out-of-bounds write in the JP2 encoder with when a user specifies an invalid sampling index. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, the JXL encoder has an heap write overflow when a user specifies that the image should be encoded as 16 bit floats. This issue has been fixed in version 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the -sample operation has an out of bounds read when an specific offset is set through the `sample:offset` define that could lead to an out of bounds read. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Stored cross-site scripting in Apache Storm UI before 2.8.6 allows authenticated users with topology submission rights to inject malicious HTML/JavaScript via unsanitized component identifiers, stream names, and grouping values in the visualization component. The payload persists in Nimbus and executes in the browser of any administrator viewing the topology visualization, enabling privilege escalation in multi-tenant deployments. EPSS score of 0.04% and SSVC assessment of partial technical impact with no automated exploitation indicate relatively low real-world risk despite the concerning privilege-escalation scenario.
Bluetooth maintenance mode in Samsung Mobile devices prior to April 2026 SMR Release 1 permits physical attackers to bypass Extend Unlock authentication due to incorrect privilege assignment, enabling unauthorized device access without requiring prior authentication. The vulnerability requires physical proximity and user interaction but grants full confidentiality and integrity compromise of the device. No public exploit code has been identified at the time of analysis.
Reflected cross-site scripting (XSS) in Vtiger CRM 8.4.0 MailManager module allows authenticated attackers to execute arbitrary JavaScript in a user's browser session via a specially crafted double URL-encoded payload in the _folder parameter. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity within the scope of the authenticated session. With an EPSS score of 0.02% (5th percentile), real-world exploitation risk is minimal despite public disclosure.
Stored cross-site scripting in Snipe-IT asset management system v8.3.0-8.3.1 allows authenticated users with basic login privileges to inject malicious JavaScript via Name and Surname fields, which executes when other users view Activity Reports or modified profiles. This vulnerability requires the victim's Display Name to be unset and affects all users with sufficient permissions to access those views. Patch available in v8.3.2; EPSS score is minimal (0.01%), indicating low empirical exploitation likelihood despite network-accessible attack vector.
MongoDB C Driver bson_validate function returns early on specific inputs and incorrectly reports successful validation, allowing malformed or invalid UTF-8 sequences in BSON data to bypass validation checks. This affects MongoDB C Driver versions prior to 1.30.5, 2.0.0, and 2.0.1, and impacts applications that depend on this validation function to process untrusted BSON data. Authenticated remote attackers can exploit this to inject invalid BSON data, potentially causing integrity issues in downstream processing; EPSS 0.48 indicates this is a moderate-priority issue that warrants patching but is not among the highest-risk vulnerabilities.
When `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds.
Denial of service in Nimiq Core consensus peer handler allows unauthenticated remote attackers to crash the RequestMacroChain message handler by sending a crafted message where the first locator hash on the victim's main chain is a micro block instead of a macro block, triggering an unhandled panic via unwrap() on BlockIsNotMacro error. Vendor-released patch: v1.3.0. EPSS score of 0.04% (12th percentile) indicates low real-world exploitation probability despite network-accessible attack vector.
Open redirect vulnerability in ChurchCRM prior to 7.0.0 allows authenticated users to be redirected to arbitrary URLs via malicious 'linkBack' parameters across multiple application pages, including DonatedItemEditor.php. An attacker can craft a link embedding an attacker-controlled URL that executes when a victim clicks the 'Cancel' button, enabling phishing and credential harvesting attacks. EPSS scoring (0.04%, percentile 11%) indicates low real-world exploitation probability despite authenticated access requirement.
Stored cross-site scripting (XSS) in Prometheus web UI allows remote code execution in user browsers when viewing metrics with injected HTML/JavaScript in metric names or label values. Attackers who can inject metrics via compromised scrape targets, remote write, or OTLP receivers can execute arbitrary JavaScript to exfiltrate configuration, delete time-series data, or shut down Prometheus if admin APIs are enabled. Prometheus 3.5.2 LTS and 3.11.2 patch this by escaping all user-controlled value
Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload, milestone editing, and administrative functions to force logout, create accounts, modify roles, inject comments, or upload files when authenticated users visit attacker-controlled websites.
Improper input validation in Samsung Mobile devices prior to SMR April 2026 Release 1 allows physical attackers to bypass network restrictions without authentication. The vulnerability affects data handling related to network restriction policies, enabling unauthorized modification of network access controls. CVSS score of 5.2 reflects the physical attack requirement, though integrity and availability impacts are rated high for affected functions.
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, comment_body, article_content, description, and message parameters across multiple controllers, which are stored in the database and executed in users' browser sessions due to improper sanitization via Request::getRawParameter() or Request::getParameter() calls.
Samsung Mobile S Share application prior to the April 2026 SMR Release 1 exposes sensitive information to adjacent network attackers without requiring authentication, achieved through a low-complexity attack requiring only user interaction. The vulnerability has a CVSS 5.1 score reflecting limited confidentiality impact over an adjacent network, and is addressed in the April 2026 security patch release.
Integer overflow in Samsung Open Source Escargot causes undefined behavior and potential denial of service on local systems. The vulnerability affects the Escargot JavaScript engine (commit 97e8115ab1110bc502b4b5e4a0c689a71520d335 and related versions) and requires local access with low complexity to trigger. With CVSS 5.1 and EPSS not specified, the risk is moderate; no public exploit code or active exploitation has been confirmed at time of analysis.
Samsung Camera prior to version 16.5.00.28 allows local attackers with limited privileges to access device location data through improper access control, requiring user interaction to trigger. This information disclosure vulnerability affects Samsung's mobile camera application and represents a localized privacy exposure on affected devices.
An integer overflow in the despeckle operation causes a heap buffer overflow on 32-bit builds that will result in an out of bounds write. ``` ==1551685==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xea2fb818 at pc 0x56cbc42a bp 0xffc4ce48 sp 0xffc4ce38 WRITE of size 8 at 0xea2fb818 thread T0 ```
Out-of-bounds write in Huawei HarmonyOS WEB module allows local attackers without privileges to cause integrity and availability impact through a classic buffer overflow condition. CVSS 5.1 (moderate) reflects local-only attack vector and limited scope, though the vulnerability affects a core web rendering component. No active exploitation or public proof-of-concept confirmed at time of analysis.
Samsung DeX prior to the April 2026 Release 1 update contains improper access control that allows physical attackers to access hidden notification contents on affected Samsung mobile devices. The vulnerability requires direct physical access to the device but carries high scope and information integrity impact due to potential exposure of sensitive notification data. No public exploit code has been identified at the time of analysis.
Use-after-free vulnerability in Huawei HarmonyOS communication module allows authenticated local attackers with high privileges to trigger denial of service and disclose limited information via a race condition. CVSS score 4.7 reflects the high privilege requirement and local attack vector, though the vulnerability impacts both availability and confidentiality. No public exploit code or active exploitation has been confirmed at this time.
Device Care in Samsung Mobile devices prior to the April 2026 SMR Release 1 contains an improper exception handling vulnerability that permits physical attackers to bypass Knox Guard authentication enforcement. With a CVSS score of 4.4 and attack vector requiring physical access, this vulnerability poses a localized but serious integrity and confidentiality risk to device security architecture, particularly for devices left unattended or in corporate environments where physical access controls may be compromised.
Samsung Mobile's Recents application prior to SMR Apr-2026 Release 1 fails to properly validate exceptional conditions, allowing a physical attacker to bypass App Pinning security controls. The vulnerability requires physical device access and has a CVSS score of 4.1 reflecting the physical attack vector and confidentiality impact; no public exploit code or confirmed active exploitation has been identified.
Improper access control in Huawei HarmonyOS memo module allows local, unauthenticated users to bypass authentication and read sensitive memo data, affecting confidentiality and system availability. The vulnerability requires user interaction (UI interaction flag set) and involves high attack complexity, resulting in a CVSS score of 4.1. No public exploit code or active exploitation has been confirmed at time of analysis.
Use-after-free vulnerability in Huawei HarmonyOS communication module allows authenticated local attackers with high privileges to cause denial of service through a race condition. CVSS score of 4.1 reflects low attack complexity and local-only vector, though availability impact is significant. No public exploit code or active exploitation confirmed at time of analysis.
Cortex XDR agent on Windows versions 7.9-CE through 9.0 allows authenticated local administrators to disable the agent through a protection mechanism bypass, enabling malware to operate undetected. The vulnerability requires high privileges and local access, but creates a critical detection evasion vector when exploited by administratively compromised systems or insider threats. No public exploit code or active exploitation has been reported at time of analysis.