Algorithmic complexity attack in jq JSON processor allows remote denial of service via hash collision exploitation. An attacker can craft a ~100KB JSON object with precomputed colliding keys that degrade hash table performance from O(1) to O(n²), causing severe CPU exhaustion in unauthenticated network contexts including CI/CD pipelines and web services. The vulnerability stems from a hardcoded MurmurHash3 seed (0x432A9843) that enables offline collision calculation. Fixed in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784. CVSS 7.5 (High severity, network-exploitable, no authentication required). No public exploit identified at time of analysis, but attack technique is well-documented and feasible.
Decidim GraphQL API exposes all commentable resources platform-wide without permission checks, enabling unauthorized access to comments and associated data across public and private participation spaces. Affects decidim-api and decidim-comments Ruby gems with default configurations exposing the /api endpoint publicly. No vendor patch available - only workarounds via authentication enforcement or IP allowlisting. CVSS 7.5 (High) reflects network-accessible confidentiality breach, though real-world impact depends heavily on whether the Decidim instance hosts non-public participation spaces.
Authorization bypass in Decidim Core allows any authenticated user to accept or reject amendments on proposals belonging to other users, effectively hijacking proposal authorship. Affects decidim-core gem versions 0.19.0 and later. The flaw stems from insufficient permission checks (CWE-266) that only verify if amendment reactions are enabled at the component level, not whether the user owns the proposal. CVSS 7.5 (High) reflects network-based integrity impact, though the PR:N (no privileges required) rating appears inconsistent with the description stating 'registered and authenticated user' - this discrepancy should be verified with the vendor. No patch version identified in available data; vendor advisory recommends disabling amendment reactions as a workaround. No active exploitation (CISA KEV) or public POC reported at time of analysis.
Unauthenticated Configuration File Modification Vulnerability in DRC Central Office Services (COS) allows an attacker to modify the server's configuration file, potentially leading to mass data exfiltration, malicious traffic interception, or disruption of testing services.
Fortinet FortiSOAR transmits sensitive information in cleartext over the network, allowing authenticated remote attackers to disclose confidential data. The vulnerability affects both PaaS and on-premise deployments across versions 7.3 through 7.6.x, with CVSS 6.5 reflecting moderate confidentiality impact requiring low-privilege authentication. No public exploit code or active exploitation has been confirmed at time of analysis.
Sensitive authentication tokens in Apache APISIX OpenID Connect plugin transmit in cleartext when connecting to identity providers, affecting versions 0.7 through 3.15.0. The ssl_verify parameter defaults to false, disabling TLS certificate validation and enabling potential man-in-the-middle interception of authentication credentials. With CVSS 7.5 (High), network-based attackers can intercept confidential data without authentication. EPSS probability is minimal (0.01%, 2nd percentile) with no confirmed active exploitation (CISA KEV absent), indicating theoretical risk despite high CVSS severity.
Local code execution in Windows Universal Plug and Play (UPnP) Device Host across all supported Windows 10, 11, and Server versions allows unauthenticated attackers to achieve high-impact compromise via use-after-free memory corruption. The vulnerability affects Windows 10 versions 1607 through 22H2, Windows 11 versions 22H3 through 26H1, and Windows Server 2012 through 2025 (including Server Core installations). Despite requiring local access and high attack complexity (CVSS:3.1/AV:L/AC:H), the
Misconfigured .NET impersonation in upKeeper Instant Privilege Access through version 1.5.0 enables authenticated remote attackers to hijack privileged execution threads, leading to high confidentiality and integrity impact on underlying system resources. The vulnerability requires low-level privileges and presents network-based attack vector with high complexity. No public exploit identified at time of analysis, and CISA SSVC framework classifies this as non-automatable with partial technical impact. EPSS data not available for risk quantification.
Windows Hyper-V local privilege escalation via improper input validation (CWE-20) enables authenticated low-privilege attackers with user interaction to execute arbitrary code with high confidentiality, integrity, and availability impact across Windows 10 (versions 1607-22H2), Windows 11 (versions 22H3-26H1), and Windows Server (2016-2025). Microsoft released patches addressing the vulnerability with EPSS exploitation probability data not available; no public exploit identified at time of analys
Use-after-free in libsixel 1.8.7 and earlier enables local attackers to crash applications or execute arbitrary code via crafted SIXEL image frames. The vulnerability occurs when sixel_encoder_encode_bytes() processes resize operations that free caller-owned pixel buffers, creating dangling pointers exploitable through repeated, predictable frame manipulation. EPSS data not available; no confirmed active exploitation (not in CISA KEV), but the technical details suggest reliable exploitation potential for local privilege escalation or RCE scenarios.
Out-of-bounds write in FortiWeb administrative interface enables authenticated remote code execution on web application firewall appliances. Affects FortiWeb 7.4.0-7.4.11, 7.6.0-7.6.6, and 8.0.0-8.0.3. CVSS 7.2 indicates high-privilege authenticated network attack with low complexity. No public exploit identified at time of analysis, though the incomplete advisory description ('<insert attack vector here>') suggests disclosure may be pending or sanitized. Memory corruption class (CWE-787) typically enables arbitrary code execution, confirmed by CVSS impact ratings (High C/I/A). EPSS data not available for risk probability assessment.
Local file inclusion in BackWPup WordPress plugin versions ≤5.6.6 allows authenticated administrators to read sensitive configuration files or achieve remote code execution via path traversal bypass in the `/wp-json/backwpup/v1/getblock` REST endpoint. The vulnerability stems from insufficient sanitization using non-recursive `str_replace()`, enabling crafted sequences like `....//` to bypass filtering. While requiring high privileges (PR:H), the plugin's permission delegation feature allows administrators to grant backup management rights to lower-privileged users, expanding the attack surface. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though CVSS 7.2 reflects high confidentiality, integrity, and availability impact.
Local File Inclusion in BoidCMS versions prior to 2.1.3 enables authenticated administrators to execute arbitrary PHP code via path traversal in the tpl parameter combined with file upload. The vulnerability chains unsanitized require_once() inclusion with media upload functionality, allowing attackers to upload malicious files and force their execution with web server privileges. Vendor-released patch available in version 2.1.3. CVSS 7.2 reflects high-privilege requirement (administrator access), but exploitation complexity is low once authenticated. No CISA KEV listing or public exploit code identified at time of analysis.
Stored Cross-Site Scripting in Form Maker by 10Web WordPress plugin (versions ≤1.15.40) allows unauthenticated attackers to inject malicious JavaScript through Matrix field submissions that executes when administrators view submission details. The vulnerability stems from inadequate sanitization (sanitize_text_field removes tags but preserves quotes) and missing output escaping in the admin Submissions view. With CVSS 7.2 (High) and network-based attack vector requiring no privileges or user int
Server-Side Request Forgery (SSRF) in Chamilo LMS 2.0-RC.2 allows unauthenticated remote attackers to weaponize the learning management system as an open email relay and probe internal networks. The vulnerability stems from an authentication bypass in install.ajax.php, which accepts arbitrary SMTP server connections via Symfony Mailer DSN strings. No public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L). EPSS data not provided. Vendor-released patch: version 2.0.0-RC.3.
PHP object injection in Smart Post Show WordPress plugin versions ≤3.0.12 allows administrators to deserialize untrusted input via the import_shortcodes() function. While no POP chain exists in the plugin itself (making direct exploitation impossible), the vulnerability becomes critical if paired with another plugin/theme containing exploitable gadget chains, potentially enabling file deletion, data exfiltration, or remote code execution. CVSS 7.2 (High) reflects theoretical maximum impact. No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE identifier.
SQL injection in Fortinet FortiAnalyzer and FortiManager versions 7.0-7.6 allows privileged authenticated attackers to execute unauthorized code or commands via the JSON RPC API. This affects both on-premises and cloud variants across multiple major version branches (7.0, 7.2, 7.4, 7.6). The vulnerability requires high-privilege authentication (CVSS PR:H) but is remotely exploitable with low attack complexity. No public exploit identified at time of analysis, though the network attack vector and code execution capability make this a priority for organizations running affected Fortinet management infrastructure.
SMTP header injection in Serendipity CMS allows remote unauthenticated attackers to inject arbitrary email headers via malicious Host header during email-triggering operations (comments, subscriptions, password resets). The unsanitized $_SERVER['HTTP_HOST'] value is embedded directly into Message-ID headers without validation, enabling BCC injection, email spoofing, and reply hijacking. CVSS 7.2 with Changed scope indicates cross-domain impact. EPSS data not available; no public exploit identified at time of analysis, though a detailed proof-of-concept exists in the GitHub security advisory demonstrating successful header injection via comment submission.
SQL identifier injection in PraisonAI's SQLiteConversationStore allows authenticated local attackers with configuration control to extract database schema and manipulate query results. The vulnerability affects PraisonAI versions prior to 4.5.133, where unsanitized table_prefix values are concatenated into SQL queries via f-strings. Attackers controlling configuration inputs (from_yaml/from_dict) can inject SQL fragments to access internal SQLite tables like sqlite_master and execute UNION-based injections. A vendor patch is available in version 4.5.133. No public exploit code or active exploitation confirmed at time of analysis. CVSS 7.2 indicates local attack vector with low complexity but requires low privileges and present attack complexity conditions.
Windows Remote Desktop spoofing vulnerability allows remote unauthenticated attackers to bypass security warnings and trick users into accepting malicious RDP connections, potentially exposing sensitive session data. Affects all supported Windows 10, 11, and Server versions from 2012 through 2025. Vendor-released patches are available. No public exploit identified at time of analysis, though the low attack complexity (AC:L) and network attack vector (AV:N) indicate exploitation would be straight
Path traversal in Zarf package inspection commands enables arbitrary file write when processing malicious packages. Attackers can craft Zarf packages with traversal sequences in the Metadata.Name field (e.g., '../../etc/cron.d/malicious'), bypassing input validation to write attacker-controlled content to sensitive system locations when users run 'zarf package inspect sbom' or 'zarf package inspect documentation'. Fixed in version v0.74.2. CVSS 7.1 (High) with network attack vector but requires user interaction. No public exploit identified at time of analysis, though exploitation complexity is low as attackers only need to modify zarf.yaml and sboms.tar in a package archive.
Out-of-bounds read in Microsoft Office Word enables local information disclosure when a user opens a malicious document, affecting Microsoft 365 Apps for Enterprise and Office LTSC for Mac 2021/2024. The vulnerability requires user interaction (document opening) but does not require elevated privileges, with a CVSS score of 6.1 reflecting moderate severity. Microsoft has released patches addressing this issue across affected product lines.
Authenticated remote attackers can overwrite eight-character executable ABAP reports in SAP ERP and SAP S/4HANA systems due to missing authorization checks, enabling denial-of-service conditions when legitimate users execute corrupted reports. This authorization bypass (CWE-862) requires low-privilege authenticated access (CVSS PR:L) and has low attack complexity, combining limited integrity impact with high availability impact (CVSS 7.1). EPSS data not provided; no public exploit identified at time of analysis. Affects SAP ERP and SAP S/4HANA Private Cloud and On-Premise deployments.
SQL injection in Chamilo LMS 2.0.0-RC.2 allows authenticated administrators to extract arbitrary database contents via unsanitized date parameters in the statistics AJAX endpoint's users_active action. This represents an incomplete fix for CVE-2026-30881, where only one of two vulnerable parameter sets was sanitized. Time-based blind SQL injection techniques enable data exfiltration despite requiring admin-level authentication. EPSS data not available; no public exploit identified at time of analysis, though the incomplete remediation pattern and technical details in the GitHub advisory lower exploitation barriers for attackers with admin access.
Insecure Direct Object Reference in Chamilo LMS /api/course_rel_users endpoint allows authenticated attackers to enroll arbitrary users into any course without authorization (CVSS 7.1, High Integrity impact). Affects all versions prior to 2.0.0-RC.3. The vulnerability enables authenticated users to manipulate user-course relationships by modifying the user parameter in API requests, bypassing enrollment controls entirely. No public exploit code identified at time of analysis, though the attack v
SQL injection in Krayin CRM 2.2.x allows authenticated remote attackers to extract sensitive database contents via the rotten_lead parameter in LeadDataGrid.php. CVSS 7.1 severity with network attack vector and low complexity enables database enumeration with low-privilege credentials. No public exploit identified at time of analysis, though EPSS data unavailable. Technical advisory published on GitHub indicates vulnerability affects lead management functionality in this Laravel-based open-source CRM platform.
Stored XSS in Autodesk Fusion desktop application allows local attackers to execute arbitrary code or read local files through malicious component names displayed in delete confirmation dialogs. When a user clicks the crafted payload, the vulnerability escalates from XSS to potential local code execution within the application context. Vendor-released patches available for Windows and macOS. No public exploit identified at time of analysis, though the attack vector is local (CVSS:3.1/AV:L) requiring user interaction but no authentication (PR:N), with CVSS 7.1 reflecting high confidentiality and integrity impact.
Stored cross-site scripting (XSS) in Autodesk Fusion desktop application allows local attackers to execute arbitrary code or read local files by crafting malicious HTML payloads in design names that trigger when exported to CSV format. The vulnerability requires no authentication but depends on user interaction (opening the exported CSV). Vendor patch available via updated client installers for Windows and macOS. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code identified at time of analysis.
Stored cross-site scripting in Autodesk Fusion desktop application enables arbitrary code execution when malicious assembly variant names render in delete confirmation dialogs. Attackers can craft HTML payloads that execute in the application context, enabling local file access and code execution with user privileges (CVSS 7.1, local attack vector requiring user interaction). Vendor-released patch available via official Fusion client installers for Windows and macOS. No public exploit identified at time of analysis.
Heap buffer overflow in libsixel 1.8.7 and earlier allows local attackers to achieve arbitrary code execution by providing a maliciously crafted large palettised PNG image that triggers integer overflow in RGB888 conversion routines. The vulnerability requires user interaction to process the malicious image but no authentication. EPSS data not available; no public exploit identified at time of analysis, though the technical details in the advisory provide sufficient information for weaponization. Vendor-released patch: version 1.8.7-r1.
Out-of-bounds heap read in libsixel img2sixel via integer overflow allows local attackers to crash the application and potentially leak sensitive memory contents when processing malicious --crop arguments with otherwise valid images. Affects libsixel 1.8.7 and earlier; patched in 1.8.7-r1. EPSS data not available, but exploitation requires local access with user interaction (CVSS AV:L/UI:R). No CISA KEV listing; no public exploit identified at time of analysis.
Unisys WebPerfect Image Suite 3.0.3960.22810 and 3.0.3960.22604 leak NTLMv2 machine-account hashes through an unauthenticated SOAP endpoint on TCP port 1208, enabling remote attackers to force SMB authentication attempts and relay credentials for privilege escalation or lateral movement. The WCF service accepts unsanitized file paths in the ReadLicense action, allowing UNC path injection to trigger outbound SMB connections. CVSS 7.0 with network attack vector, low complexity, and no authentication required (PR:N). No public exploit code identified at time of analysis, though the attack technique is straightforward for adversaries familiar with NTLM relay tactics.
NTLMv2 credential leakage in Unisys WebPerfect Image Suite 3.0.3960.22810 and 3.0.3960.22604 enables remote unauthenticated attackers to extract machine-account hashes via deprecated .NET Remoting TCP channels, facilitating network-wide lateral movement and privilege escalation through hash relay attacks. Disclosed by VulnCheck, this flaw exploits insecure object deserialization to coerce NTLM authentication to attacker-controlled UNC paths. EPSS data not available; no KEV listing or public exploit code identified at time of analysis, though the disclosed technical details provide sufficient information for weaponization.
Local privilege escalation in Windows Cryptographic Services affects Windows 10, Windows 11, and Windows Server versions from 2012 through 2025 due to insecure storage of cryptographic material. Authenticated attackers with low privileges can exploit this CWE-922 weakness (insecure storage of sensitive information) to gain high-level access to confidentiality, integrity, and availability. Microsoft has released patches for all affected versions. No public exploit identified at time of analysis,
Use-after-free in Windows TDI Translation Driver (tdx.sys) allows local privilege escalation to SYSTEM by authenticated low-privileged users on Windows 10/11 and Server 2012-2025. Microsoft has released security updates addressing this CWE-416 memory corruption flaw across all supported Windows versions. CVSS 7.0 reflects high attack complexity but full system compromise if successfully exploited. No public exploit identified at time of analysis, though the vulnerability's local attack vector an
Local privilege escalation in Windows Ancillary Function Driver for WinSock (AFD.sys) allows authenticated low-privilege users to gain SYSTEM-level access through use-after-free memory corruption. Affects all supported Windows 10, Windows 11, and Windows Server versions from 2012 through 2025, including Server Core installations. Vendor-released patches available across all affected platforms. No public exploit identified at time of analysis, though high-complexity local exploitation (CVSS AC:H)
Local privilege escalation in Windows Ancillary Function Driver for WinSock affects all supported Windows 10, 11, and Server versions through use-after-free memory corruption. Authenticated local attackers with low privileges can exploit this CWE-416 vulnerability to gain SYSTEM-level access, achieving high impact to confidentiality, integrity, and availability. Vendor-released patches are available across all affected platforms. No public exploit identified at time of analysis, though the high
Local privilege escalation in Windows Shell via double-free memory corruption allows low-privileged authenticated users to gain SYSTEM-level access across Windows 11 (versions 22H3 through 26H1) and Windows Server 2022/2025 environments. The CWE-415 double-free vulnerability requires high attack complexity but no user interaction, enabling complete system compromise once exploited. Vendor-released patches are available with specific build numbers identified for each affected version. No public exploit identified at time of analysis, though the CVSS 7.0 score reflects significant impact potential when successfully exploited.
Windows Shell use-after-free memory corruption enables local privilege escalation to SYSTEM on Windows 11 (all versions 22H3 through 26H1) and Windows Server 2022/2025. Authenticated low-privileged users can exploit freed memory references in Shell components despite high attack complexity requirements. Vendor-released patches address all affected versions. EPSS data not available; no public exploit identified at time of analysis, though the vulnerability class (CWE-416) is well-understood and commonly weaponized in Windows privilege escalation chains.
Local privilege escalation in Windows Ancillary Function Driver for WinSock (AFD.sys) across Windows 10, 11, and Server 2012-2025 allows low-privileged authenticated attackers to gain SYSTEM-level access via race condition exploitation. The vulnerability affects widespread Windows deployments spanning a decade of operating system versions, from Server 2012 (6.2.9200.0) through Windows 11 26H1 and Server 2025. Microsoft has released patches for all affected versions. No public exploit identified
Local privilege escalation in Windows TCP/IP stack across Windows 10, 11, and Server editions allows low-privileged authenticated users to gain SYSTEM-level access by exploiting a race condition in shared resource synchronization. This CWE-362 flaw affects every supported Windows version from legacy Server 2012 through cutting-edge Windows 11 26H1, with vendor-released patches available. The local attack vector (AV:L) and high complexity (AC:H) reduce immediate mass-exploitation risk, though the
Windows Server Update Service (WSUS) race condition enables local privilege escalation to SYSTEM on Windows 10, 11, and Server 2012-2025. Authenticated users with low-level privileges can exploit improper synchronization in concurrent execution paths to gain full system control. Attack complexity is high (AC:H), requiring precise timing to win the race window. Vendor-released patches available for all affected versions. No public exploit identified at time of analysis, though the high CVSS 7.0 s
Local privilege escalation in Windows Ancillary Function Driver for WinSock (AFD.sys) affects all supported Windows 10, Windows 11, and Windows Server versions from 2012 through 2025. The CWE-416 use-after-free memory corruption flaw allows low-privileged authenticated attackers with local access to elevate to SYSTEM privileges, achieving complete control over confidentiality, integrity, and availability. SSVC framework rates this as non-automatable with total technical impact. No public exploit
Local privilege escalation via use-after-free in Windows Ancillary Function Driver for WinSock (AFD.sys) allows authenticated low-privileged attackers to execute arbitrary code with SYSTEM privileges across all supported Windows versions. Microsoft has released patches for Windows 10 (versions 1607-22H2), Windows 11 (versions 22H3-25H2), and Windows Server (2012-2022 23H2). The vulnerability requires local access and low privileges (PR:L) with high attack complexity (AC:H), but no public exploit
Local privilege escalation in Microsoft Windows WalletService across Server 2016 through Server 2025 allows low-privileged authenticated attackers to gain SYSTEM-level access by exploiting a use-after-free memory corruption flaw. Attack complexity is high (CVSS AC:H), requiring precise timing or race condition exploitation. Patch available per vendor advisory (MSRC). No public exploit identified at time of analysis, EPSS data not provided.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) affects all Windows 10, Windows 11, and Windows Server versions from 2012 through 2025 via a use-after-free memory corruption flaw. Authenticated local attackers with low privileges can exploit this CWE-416 vulnerability to achieve full system compromise (SYSTEM-level access), though the high attack complexity (AC:H) suggests exploitation requires precise timing or race condition manipulation. No public exp
Local privilege escalation in Windows Server Update Service (WSUS) on Windows 11 version 26H1 allows low-privileged authenticated users to gain SYSTEM-level access via use-after-free memory corruption. Exploitation requires local access and high attack complexity (CVSS AC:H), indicating timing-dependent or race condition triggers. Microsoft has released patch version 10.0.28000.1836 to address this vulnerability. No public exploit code or active exploitation confirmed at time of analysis.
Local privilege escalation in Windows Universal Plug and Play (UPnP) Device Host allows authenticated attackers with low privileges to achieve system-level access through use-after-free memory corruption. Affects all supported Windows 10, Windows 11, and Windows Server versions from 2012 through 2025. Microsoft has released patches across all affected product lines. No public exploit identified at time of analysis, though the local attack vector and authentication requirement (PR:L) limit immedi
Local privilege escalation via use-after-free in Windows Ancillary Function Driver for WinSock (AFD.sys) affects all supported Windows versions from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012-2025. Authenticated local attackers with low privileges can exploit memory corruption to gain SYSTEM-level access, though high attack complexity suggests reliable exploitation requires sophisticated techniques. Vendor-released patches are available across all affected versions. No publi
Local privilege escalation in Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys) across Windows 10, 11, and Server 2012 R2-2025 allows authenticated attackers with low privileges to gain SYSTEM-level access via use-after-free memory corruption. Microsoft released patches addressing versions from Windows 10 1607 through Windows 11 26H1 and Server 2012 R2 through Server 2025. CVSS 7.0 rating reflects high attack complexity; no public exploit identified at time of analysis. EPSS data not prov