Nitro PDF Pro for Windows version 14.41.1.4 crashes when processing maliciously crafted XFA (XML Forms Architecture) packets due to a NULL pointer dereference, enabling remote denial-of-service attacks without authentication. An attacker can deliver a weaponized PDF containing the crafted XFA packet, causing the application to terminate when opened. EPSS exploitation probability is very low (0.01%, 2nd percentile), no active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis. Despite CVSS 7.5 (High), real-world risk is limited to availability impact only - no code execution, data theft, or privilege escalation possible.
Nitro PDF Pro 14.41.1.4 for Windows crashes when processing maliciously crafted PDFs that invoke app.alert() with null arguments, causing denial of service through NULL pointer dereference in the JavaScript engine. Remote attackers can deliver weaponized PDF files requiring no authentication or user interaction beyond opening the document (AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, with EPSS exploitation probability at 0.01% (2nd percentile), indicating low real-world targeting despite theoretical automation potential.
Improper access control in Ubiquiti UniFi Play PowerAmp (≤1.0.35) and Audio Port (≤1.0.24) exposes WiFi credentials to network-adjacent attackers without authentication. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates remote exploitation with no authentication required, though the vulnerability description specifies 'access to the UniFi Play network' as a prerequisite. Reported via HackerOne bug bounty. EPSS score of 0.01% (1st percentile) suggests minimal observed exploitation activity, and no public exploit code or CISA KEV listing identified at time of analysis.
Denial of service in Ubiquiti UniFi Play PowerAmp (≤1.0.35) and Audio Port (≤1.0.24) allows unauthenticated remote attackers to crash devices via improper input validation. CVSS 7.5 (High) with network-based attack requiring no privileges or user interaction. EPSS score of 0.01% (1st percentile) indicates minimal real-world exploitation likelihood. No public exploit identified at time of analysis. Vendor-released patches available: PowerAmp 1.0.38+ and Audio Port 1.1.9+.
Stack-based buffer overflow in Tenda F451 router firmware 1.0.0.7_cn_svn7958 allows authenticated remote attackers to achieve complete system compromise (confidentiality, integrity, availability breach) via malformed ADSL/WAN configuration parameters. The vulnerability resides in the fromAdvSetWan function handling wanmode and PPPOEPassword arguments. Publicly available exploit code exists, significantly lowering the barrier to exploitation. CVSS 7.4 (High) with low attack complexity and network-reachable attack vector indicates substantial risk for exposed management interfaces.
Out-of-bounds write in Samsung Open Source Escargot JavaScript engine allows local attackers to execute arbitrary code or corrupt memory through buffer overflow conditions. This vulnerability affects Escargot commit 97e8115ab1110bc502b4b5e4a0c689a71520d335 and prior versions. With a 7.4 CVSS score (high confidentiality, integrity, and availability impact) but high attack complexity and local attack vector, exploitation requires specialized conditions. No public exploit identified at time of analysis, and EPSS data not available for this CVE.
Heap-based buffer overflow in Samsung Open Source Escargot JavaScript engine enables out-of-bounds memory writes with high integrity and availability impact through local attack vectors. Affects Escargot commit 97e8115ab1110bc502b4b5e4a0c689a71520d335. CVSS 8.1 severity driven by scope change and low attack complexity despite local access requirement. Upstream fix available (PR/commit); released patched version not independently confirmed. No public exploit identified at time of analysis, and exploitation requires high attack complexity (AC:H), limiting immediate risk despite elevated CVSS score.
SQL injection in Sourcecodester Online Thesis Archiving System v1.0's /otas/view_archive.php endpoint allows remote unauthenticated attackers to manipulate database queries, potentially extracting sensitive thesis data, authentication credentials, or modifying database contents. No public exploit identified at time of analysis, with minimal observed exploitation probability (EPSS 0.01%, 2nd percentile). The vulnerability affects a PHP-based academic archiving platform with limited deployment footprint.
Use-after-free in Huawei HarmonyOS communication module allows local attackers to cause denial of service and potentially disclose information without authentication. The vulnerability stems from a race condition (CWE-362) enabling memory corruption with high availability impact. EPSS data not available; no public exploit identified at time of analysis. Vendor has released security bulletin with remediation guidance.
Cryptographic signature bypass in Palo Alto Networks Cortex XSOAR and XSIAM Microsoft Teams integrations (versions 1.5.0 through 1.5.51) allows unauthenticated remote attackers to access and modify protected resources. The vulnerability stems from improper JWT verification (CWE-347), enabling attackers to forge authentication tokens. With CVSS 7.2 (High complexity, network-accessible, no privileges required) and tags indicating JWT attack vectors and information disclosure potential, this represents a critical integration security flaw requiring immediate patching to version 1.5.52 or later.
Privilege escalation in Pachno 1.0.6 allows low-privilege authenticated users to hijack administrator sessions by manipulating the original_username cookie in the runSwitchUser() action, enabling unauthorized access to user ID 1 (admin) session tokens and password hashes. SSVC confirms proof-of-concept exists with partial technical impact, though EPSS indicates low exploitation probability (0.07%, 22nd percentile) and no active exploitation confirmed via CISA KEV.
DNS exfiltration in External Secrets Operator (ESO) allows authenticated Kubernetes users with ExternalSecret write permissions to leak secret material through controller-side DNS queries. The v2 template engine exposes Sprig's getHostByName function to user-controlled templates, enabling attackers to encode fetched secrets into DNS lookups performed by the ESO controller process. Patch available in v2.3.0 (commit 6800989b). No public exploit code identified at time of analysis, though the attack primitive is straightforward for actors with the requisite Kubernetes RBAC permissions.
Password reset vulnerability in ZTE ZXEDM iEMS cloud management portal allows authenticated attackers with low privileges to enumerate all user accounts and reset arbitrary user passwords. This authentication bypass enables unauthorized administrative operations across the entire EMS system. Attack requires user interaction and moderate complexity (CVSS AC:H), but no public exploit identified at time of analysis. CVSS 7.1 reflects high confidentiality, integrity, and availability impact within the vulnerable component's scope.
Open redirection in Pachno 1.0.6's return_to parameter enables phishing campaigns that harvest user credentials by redirecting victims to attacker-controlled domains after login. With CVSS 7.1 (High) and EPSS 0.03% (9th percentile), exploitation requires user interaction but no authentication, making it effective for social engineering attacks. No active exploitation (CISA KEV) or public exploit code confirmed at time of analysis, though detailed advisories exist from ZeroScience and VulnCheck.
Server-Side Request Forgery in Apache SkyWalking MCP 0.1.0 allows authenticated remote attackers to access internal network resources and exfiltrate sensitive data via a malicious SW-URL header. CVSS 7.1 (High severity) with network attack vector and low complexity. No public exploit identified at time of analysis, SSVC framework indicates no active exploitation and non-automatable attack requiring manual interaction with internal architecture knowledge.
Use-after-free in Linux kernel ACPI EC driver allows local authenticated attackers with low privileges to achieve high integrity, confidentiality, and availability impact on reduced-hardware platforms when GPIO IRQ provider defers probing. Vendor patches are available across stable branches (6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV). The vulnerability triggers when EC handler cleanup fails during probe deferral, leaving a dangling pointer that is later dereferenced during AML evaluation of EC OpRegion accesses (battery, thermal, backlight operations).
Command injection in CPython's webbrowser.open() API bypasses previous CVE-2026-4519 mitigation via specially crafted URLs containing '%action' patterns. All CPython versions prior to 3.15.0 are affected, allowing local attackers with user interaction to execute arbitrary commands through underlying shell injection. EPSS probability is low (0.02%, 5th percentile), no active exploitation confirmed (not in CISA KEV), but publicly available patches exist via multiple GitHub commits. The incomplete mitigation highlights the challenge of securing browser-handling code across diverse browser implementations.
jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
Galaxy Wearable prior to version 2.2.68.26 allows local attackers to access sensitive information through incorrect default file or directory permissions, exposing high-value data on affected wearable devices. The vulnerability requires local access but no authentication or user interaction, making it exploitable by any user on the device.
Type confusion vulnerability in Samsung Open Source Escargot JavaScript engine allows local attackers with user interaction to manipulate pointers and achieve memory corruption, enabling information disclosure and privilege escalation through heap spray and type-confusion exploitation techniques. CVSS score is 6.5; no public exploit code or CISA KEV status confirmed at time of analysis.
HarmonyOS and EMUI theme setting modules fail to enforce proper permission controls, allowing local attackers with user interaction to read sensitive system information across security boundaries. The vulnerability requires physical or local access and user interaction but can compromise confidentiality of protected data; CVSS 6.9 reflects moderate-to-high real-world risk due to local attack surface and CVSS vector showing high confidentiality impact (C:H) despite lower integrity and availability consequences.
External control of file name in Samsung AODManager prior to April 2026 SMR Release 1 allows privileged local attackers to create files with system privileges, potentially leading to privilege escalation or system compromise. The vulnerability requires high-level local privileges and affects Samsung Mobile devices through a path traversal or file name manipulation flaw in the AODManager component. No public exploit code has been identified at the time of analysis.
Local privilege escalation in HarmonyOS application read module allows unauthenticated local attackers to cause memory corruption through a boundary-unlimited buffer overflow, potentially achieving code execution or system crash with high availability impact. CVSS 6.8 reflects local attack vector with integrity and availability consequences. Huawei has released security bulletins addressing this CWE-119 vulnerability affecting HarmonyOS devices.
Out-of-bounds read in Samsung Open Source Escargot JavaScript engine allows local attackers to leak sensitive memory contents and cause denial of service. Affects Escargot commit 97e8115ab1110bc502b4b5e4a0c689a71520d335 and potentially other versions; the vulnerability requires local access and specific conditions to trigger but can expose confidential data and crash the application without authentication. No public exploit identified at time of analysis.
Out-of-bounds write in HarmonyOS file system allows local privileged attackers to corrupt memory with high impact on confidentiality, integrity, and availability. The vulnerability affects HarmonyOS across versions and requires high-level local system privileges to exploit, making it a critical concern for multi-user systems and containerized deployments where privilege escalation vectors exist.
Improper input validation in Samsung Mobile Retail Mode prior to SMR April 2026 Release 1 allows local attackers with limited privileges to trigger privileged functions, potentially leading to information disclosure and unauthorized modification of device state. The vulnerability requires physical or local access and low-privilege credentials, limiting immediate remote exploitation risk but posing significant concern for retail environments where devices are physically accessible to untrusted parties.
Out-of-bounds read in Samsung Open Source Escargot JavaScript engine exposes sensitive memory content to remote attackers through user interaction. The vulnerability affects Escargot commit 97e8115ab1110bc502b4b5e4a0c689a71520d335 and allows information disclosure with partial availability impact. CVSS 5.9 (medium) reflects the requirement for user interaction and high complexity attack prerequisites, though the memory exposure potential warrants monitoring for patches.
Denial of service in Parani M10 Motorcycle Intercom v2.1.3 via crafted Bluetooth RFCOMM frames allows unauthenticated attackers within wireless range to crash the device. The vulnerability exploits a buffer overflow in the RFCOMM service handler, causing high availability impact. A proof-of-concept exists but active exploitation has not been confirmed; EPSS score of 0.02% suggests limited real-world exploitation pressure despite the accessible attack vector.
Stored cross-site scripting (XSS) in NightWolf Penetration Testing Platform 2.1.5 allows authenticated users to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims. The vulnerability requires user interaction is absent from the CVSS vector (UI:N), meaning the injected payload executes automatically when a victim views affected content. No public exploit code or active exploitation has been confirmed at the time of analysis.
Race condition in Huawei HarmonyOS power consumption statistics module allows local privileged users to disclose information and modify system integrity, potentially affecting service availability. The vulnerability requires high privilege level and local access but enables information disclosure combined with integrity and availability impact. CVSS 6.3 reflects moderate real-world risk given the privilege requirement; Huawei has issued security advisories indicating patch availability.
Race condition in Huawei HarmonyOS thermal management module allows local authenticated users to disclose information and modify system integrity through concurrent access exploitation. An attacker with high privileges can trigger a timing-dependent race condition to achieve information disclosure, integrity compromise, and potential availability impact. CVSS 6.3 reflects the attack's requirement for high privilege escalation and local access, though the integrity impact (I:H) signals significant potential for system manipulation despite the officially stated availability focus.
Deserialization of untrusted data in Samsung Open Source Escargot JavaScript engine prior to commit 97e8115ab1110bc502b4b5e4a0c689a71520d335 allows local attackers without privileges to trigger a denial of service condition via process abort. The vulnerability exploits unsafe deserialization of Java objects, resulting in application termination rather than code execution. No public exploit code or active exploitation has been identified at the time of analysis.
jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.
Stack overflow in tinyobjloader's experimental MTL file parser (tinyobj_loader_opt.h) allows local attackers to trigger denial of service by supplying a malformed .mtl file. The vulnerability affects the library's material file parsing logic and crashes the application via stack memory corruption, though with EPSS score of 0.01% and no confirmed active exploitation, real-world risk is minimal despite the moderate CVSS 6.2 rating.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an off by one error in the MSL decoder could result in a crash when a malicous MSL file is read. This issue has been fixed in version 7.1.2-19.
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, a crafted image could result in an out of bounds heap write when writing a yaml or json output, resulting in a crash. This issue has been fixed in version 7.1.2-19.
A vulnerability was identified in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /jobs/job-delete.php of the component Delete Job Posting Handler. Such manipulation of the argument ID leads to improper access controls. The attack can be launched remotely. The exploit is publicly available and might be used.
Cross-site scripting (XSS) in Simple ChatBox up to version 1.0 allows remote attackers to inject malicious scripts via the msg parameter in the /chatbox/insert.php endpoint, with user interaction required. The vulnerability has publicly available exploit code and affects the PHP-based chat application component. Impact is limited to integrity of user sessions, but the attack vector is remote and requires no authentication.
Cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject arbitrary scripts via the serviceId parameter in /checkupdatestatus.php. The vulnerability requires user interaction (UI:R) and results in low integrity impact, but is publicly available with exploit code and has been disclosed. CVSS base score is 4.3 with relatively low real-world risk due to UI requirement and limited impact scope, though the presence of public POC increases adoption likelihood among less-skilled attackers.
A security flaw has been discovered in code-projects Easy Blog Site 1.0. This affects an unknown function of the file post.php. Performing a manipulation of the argument tags results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to manipulate the Name parameter in /equipments.php, leading to unauthorized data access or modification. The CVSS score of 5.3 reflects low confidentiality and integrity impact, and the extremely low EPSS score (0.03%, 8th percentile) indicates minimal real-world exploitation likelihood despite publicly available exploit code.
SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Name parameter in /employees.php, resulting in confidentiality, integrity, and authenticity breaches. The vulnerability requires low-privilege authentication and has publicly available exploit code, elevating practical risk despite the moderate CVSS score of 6.3.
Permissive cross-domain policy in farion1231 cc-switch up to version 3.12.3 allows authenticated remote attackers to access sensitive information and modify data across untrusted domains via misconfigured CORS headers in the ProxyServer component. Publicly available exploit code exists, and vendor patches are available; this represents a moderate but actively exploitable configuration flaw affecting networked deployments.
A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into the dashboard interface. The injected content is rendered in the victim's browser
jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.
Stack overflow in HarmonyOS media platform allows authenticated local attackers to cause denial of service and potentially achieve limited information disclosure or integrity compromise through malicious user interaction. CVSS 6.1 reflects moderate severity with local attack vector, low complexity, and requirement for user interaction; EPSS and KEV status not provided. No public exploit code or active exploitation confirmed at time of analysis.
A vulnerability was identified in HummerRisk up to 1.5.0. This vulnerability affects the function ServerService.addServer of the file ServerService.java of the component Video File Download URL Handler. Such manipulation of the argument streamIp leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.4.2 allows authenticated remote attackers to inject malicious scripts via the MdPreview component in ui/src/chat.ts, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability. The vendor released patched version 2.5.0 addressing the flaw with commit 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8.
Reflected cross-site scripting (XSS) in PHPGurukul Company Visitor Management System 2.0 allows authenticated remote attackers to inject malicious scripts via the fromdate parameter in /bwdates-reports-details.php. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), but publicly available exploit code exists, elevating practical risk despite the moderate CVSS score of 5.1.
A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child_process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.