Improper input validation in Microsoft SharePoint Server enables network-based spoofing attacks without authentication, allowing attackers to forge communications and deceive users. Affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. This vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, making it a critical operational priority despite the moderate CVSS score of 6.5.
Windows Shell protection mechanism failure (CVE-2026-32202) allows remote attackers to perform spoofing attacks over a network without authentication, requiring only user interaction. This low-severity vulnerability affects multiple Windows versions from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025. While not actively exploited in the wild, vendor patches are available across all affected versions, and the low CVSS score (4.3) reflects limited confidentiality impact and no availability impact despite the network-accessible attack vector.
Reflected cross-site scripting (XSS) in XWiki's compare view allows unauthenticated attackers to execute arbitrary JavaScript in a user's browser by injecting malicious code through unescaped URL parameters in the page revision comparison feature. When the victim is an administrator, successful exploitation compromises the confidentiality, integrity, and availability of the entire XWiki instance. Vendor-released patch is available; no public exploit code or active exploitation has been confirmed at time of analysis.
Improper TLS certificate validation in Siemens Software Center, Simcenter 3D, Simcenter Femap, Simcenter STAR-CCM+, Solid Edge SE2025/SE2026, and Tecnomatix Plant Simulation allows unauthenticated remote attackers to perform man-in-the-middle attacks against the Analytics Service endpoint. An attacker positioned on the network path can intercept and decrypt communications, potentially disclosing sensitive information. CVSS 3.7 reflects low-severity impact; no public exploit or active exploitation confirmed, but the low attack complexity and network vector indicate practical exploitability in targeted enterprise environments.
SQL injection in Microsoft SQL Server 2016-2025 allows authenticated high-privilege attackers to elevate privileges locally via improper neutralization of SQL command elements. Affected versions include SQL Server 2016 SP3, 2017, 2019, 2022, and 2025 across multiple cumulative updates and GDR releases. The CVSS 6.7 score reflects the requirement for high-privilege authentication and local attack vector, but the high confidentiality, integrity, and availability impact makes this a material risk f
SQL injection in Microsoft SQL Server 2016-2025 allows authenticated high-privilege attackers to elevate privileges locally through improper neutralization of special elements in SQL commands. Affected versions span SQL Server 2016 SP3 through 2025, with patch available from Microsoft. Attack requires local access and high-privilege credentials (PR:H in CVSS vector), limiting real-world impact to insider threats or compromised administrative accounts; CVSS 6.7 reflects high confidentiality, integrity, and availability impact but constrained by authentication and local-only attack vector.
Out-of-bounds read in Microsoft Office Word enables local information disclosure when a user opens a malicious document, affecting Microsoft 365 Apps for Enterprise and Office LTSC for Mac 2021/2024. The vulnerability requires user interaction (document opening) but does not require elevated privileges, with a CVSS score of 6.1 reflecting moderate severity. Microsoft has released patches addressing this issue across affected product lines.
Denial of service in Microsoft .NET Framework 3.5 and 4.7.2-4.8.1 via race condition in shared resource synchronization allows unauthenticated remote attackers to crash affected applications with high complexity attack requirements. Microsoft has released patches addressing improper concurrent access handling across multiple .NET Framework versions.
{subsId} endpoint, allowing unintended modification of Policy Data notification subscriptions with invalid or partially processed input. The handler lacks return statements following error responses, causing execution to continue to the downstream processor with uninitialized or empty subscription objects. No public exploit code or active exploitation has been confirmed; this is a robustness and input validation flaw affecting write operations on a core 5G network function.
Schneider Electric Easergy MiCOM protective relays contain hard-coded SNMP credentials that allow unauthenticated remote attackers to access sensitive device information and system configurations. An attacker can directly query the SNMP port (UDP 161) without authentication to retrieve operational data, relay status, and device parameters. This vulnerability affects 12 product lines across multiple versions and is classified as an authentication bypass with a CVSS 6.9 (medium-to-high confidentiality impact).
Stored XSS in Keycloak's organization selection login page allows authenticated administrators with manage-realm or manage-organizations privileges to inject malicious JavaScript via the organization.alias field, enabling arbitrary script execution in users' browsers when they access the login page. Exploitation requires high-privilege administrative access and user interaction (viewing the login page), with potential impact including session theft and unauthorized account actions. No public exploit code or active exploitation confirmed at time of analysis.
Schneider Electric PowerChute Serial Shutdown v1.4 and prior allows remote credential brute force attacks due to missing rate limiting on authentication endpoints, enabling attackers to enumerate valid credentials across multiple API endpoints with no authentication prerequisite. The vulnerability has a CVSS score of 6.9 with network-based attack vector and no user interaction required, though the impact is limited to information disclosure rather than full account takeover.
Authentication bypass in Siemens SINEC NMS versions prior to V4.0 SP3 with UMC allows unauthenticated remote attackers to gain unauthorized access due to insufficient user identity validation in the UMC component (CWE-347: Improper Verification of Cryptographic Signature). The vulnerability enables network-based attacks with low complexity requiring no user interaction (CVSS 7.3, AV:N/AC:L/PR:N/UI:N), granting partial access to confidentiality, integrity, and availability. ZDI tracking ID CAN-27564 suggests coordinated disclosure. No active exploitation (CISA KEV) or public exploit code confirmed at time of analysis, though JWT-related authentication bypasses are well-understood attack primitives.
Stored Cross-Site Scripting (XSS) via Eval Injection in MaxKB's Markdown rendering engine allows authenticated users to execute arbitrary JavaScript in other users' browsers, including administrators. MaxKB versions 2.7.1 and below are affected. The vulnerability requires user interaction (UI:P) and low privileges (PR:L) to exploit, but delivers high integrity impact (VI:H) to victim sessions. A vendor-released patch is available in version 2.8.0.
Stored Cross-Site Scripting (XSS) in MaxKB 2.7.1 and below allows authenticated users to inject malicious JavaScript through application name or icon fields, which is then executed in victims' browsers when accessing the public chat interface. The vulnerability stems from unsanitized data insertion into HTML responses by ChatHeadersMiddleware, enabling arbitrary code execution with user interaction. MaxKB 2.8.0 has released a patch to fix this issue.
Serendipity's serendipity_setCookie() function accepts unsanitized HTTP_HOST header values as the cookie domain parameter, allowing remote attackers to scope authentication cookies (session tokens, auto-login tokens) to attacker-controlled domains and facilitate session hijacking. The vulnerability requires user interaction (victim authentication during poisoned Host header) and man-in-the-middle or reverse proxy misconfiguration to exploit, affecting all versions of Serendipity that use the vulnerable function. A proof-of-concept demonstrating cookie domain poisoning exists; exploitation probability is moderate (EPSS 6.9, CVSS AC:H reflects attack complexity), and no evidence of active exploitation has been identified.
Log injection via improper output encoding in Schneider Electric PowerChute™ Serial Shutdown allows unauthenticated remote attackers to forge or inject malicious log entries by sending crafted POST requests to the /j_security_check endpoint, potentially obscuring attack trails or triggering false alerts.
Denial of service via resource exhaustion in XWiki REST API endpoints that list database properties without respecting configured query limits, allowing remote attackers to enumerate all pages on large wiki installations and exhaust server resources. Affects XWiki Platform versions before 16.10.16, 17.4.8, and 17.10.1. Vendor-released patches are available; no public exploit code or active exploitation confirmed at time of analysis.
PowerChute Serial Shutdown allows authenticated administrative users to overwrite critical system files via path traversal in the POST /REST/upssleep endpoint when maliciously crafting request payloads, potentially causing complete system compromise or denial of service. The vulnerability requires high-privilege Web Admin credentials and adjacent network access, but results in total integrity and availability impact across the affected system. No public exploit code has been identified at the time of analysis.
FlashArray Purity applies snapshot retention policies with timing deviations from configured schedules, allowing authenticated administrators to inadvertently trigger premature or delayed data lifecycle actions. This affects FlashArray versions 5.0.0 through 6.10.0, impacting data retention integrity and compliance posture. The vulnerability requires high administrative privileges to exploit and results in integrity compromise of snapshot management operations.
Heap-based buffer overflow in Windows USB Print Driver allows local privilege escalation via physical device access. Affects Windows 11 (versions 24H2, 25H2, 26H1) and Windows Server 2025, with patch available from Microsoft. Attack requires physical USB access and no user interaction; no public exploit identified at time of analysis.
Command injection in GitHub Copilot Chat Extension for Visual Studio Code allows authenticated attackers with user interaction to disclose sensitive information over a network. The vulnerability affects CoPilot Chat Extension versions before 0.37.3 and requires an authorized user to interact with a crafted prompt or input. Microsoft has released a patched version (0.37.3) to remediate this CWE-77 command injection flaw.
Windows Boot Loader accepts untrusted inputs for security decisions, allowing authorized local attackers to bypass security features with high confidentiality, integrity, and availability impact. This authentication bypass vulnerability (CVSS 6.7) affects Windows 10 versions 1607, 1809, 21H2, and 22H2, as well as Windows Server 2016, 2019, and 2022. Microsoft has released patches addressing the root cause of reliance on untrusted security-critical inputs.
Path traversal vulnerability in Fortinet FortiSandbox allows privileged super-admin users with CLI access to delete arbitrary directories on the system via crafted HTTP requests. Affects FortiSandbox 5.0.0-5.0.5, 4.4.0-4.4.8, 4.2 all versions, FortiSandbox Cloud 5.0.4, and FortiSandbox PaaS 5.0.4. CVSS 6.7 reflects high integrity and availability impact but requires authenticated super-admin privileges; no public exploit code or active KEV designation identified at time of analysis.
SQL injection in Fortinet FortiClientEMS 7.0 through 7.4.5 allows high-privileged local attackers to execute unauthorized code or commands with high integrity and confidentiality impact. The vulnerability requires local access and high privileges (PR:H per CVSS vector), making it a risk primarily in environments where administrative users are untrusted or compromised. CISA SSVC framework rates this as non-exploitable via automation due to privilege requirements, though the technical impact is total (confidentiality, integrity, and availability compromise). No public exploit code has been identified at the time of analysis.
Local privilege escalation in Fortinet FortiWeb 7.0.10-8.0.2 allows high-privileged local attackers to execute arbitrary code or commands through relative path traversal, exploiting improper file path validation with CVSS 6.7 (high confidentiality, integrity, and availability impact). No public exploit code or active exploitation confirmed at time of analysis.
Microsoft Local Security Authority Subsystem Service (LSASS) information disclosure vulnerability allows authenticated network attackers to read sensitive memory contents via a bounds check bypass in the LSASS process. The vulnerability affects Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), Windows Server 2016, 2019, 2022, and 2025. No public exploit code or active exploitation has been reported; vendor-released patches are available across all affected versions.
Unauthenticated attackers can execute arbitrary WordPress shortcodes in the Germanized for WooCommerce plugin (all versions up to 3.20.5) via the 'account_holder' parameter, which bypasses shortcode validation in the do_shortcode() function. This enables remote code execution with medium severity (CVSS 6.5) affecting any WordPress site with the vulnerable plugin installed. No public exploit code or active exploitation has been confirmed at the time of analysis.
Windows Shell information disclosure vulnerability (CVE-2026-32151) allows authenticated network attackers to read sensitive data without authorization. The vulnerability affects Windows 10 versions 1607-22H2, Windows 11 versions 22H3-26H1, Windows Server 2012-2025, and associated Server Core installations. Microsoft has released vendor patches for all affected versions; exploitation requires valid credentials and network access but no user interaction.
Use-after-free memory corruption in Windows UPnP Device Host enables unauthenticated adjacent network attackers to disclose sensitive information with CVSS 6.5 high severity. The vulnerability affects Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), and multiple Windows Server editions (2012 through 2025). Microsoft has released patches with specific version thresholds; exploitation requires network adjacency but no authentication or user interaction.
Fortinet FortiSOAR (both PaaS and on-premise versions 7.3-7.6.3) contains a path traversal vulnerability in File Content Extraction actions that allows authenticated remote attackers to read arbitrary files outside the intended directory with high confidentiality impact. The vulnerability requires valid credentials and is exploitable over the network with no user interaction; CVSS 6.5 reflects medium-to-high severity for a cloud security platform handling sensitive workflows.
Windows Kernel logs sensitive information that authenticated local users can read, enabling information disclosure on Windows 10 (versions 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), Windows Server 2022, and Windows Server 2025. An attacker with local user privileges can access kernel log files to retrieve confidential data such as credentials, cryptographic material, or system secrets. Microsoft has released patches addressing this log injection vulnerability; no public exploit code or active exploitation has been confirmed.
Windows Kernel logs sensitive information that can be read by local authenticated users, allowing information disclosure on Windows 10 and Windows 11 systems across multiple versions as well as Windows Server 2012 through 2025. The vulnerability requires local access and valid user credentials (privilege level L) but results in high confidentiality impact. Microsoft has released patches for all affected versions.
Windows Kernel logs sensitive information that authenticated local users can read, enabling information disclosure on Windows 10 (versions 1809, 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), Windows Server 2019, 2022, and 2025. An authorized local attacker with user-level privileges can access kernel log files to retrieve confidential data without elevated rights or user interaction. Microsoft has released patches addressing this CWE-532 insertion-of-sensitive-information vulnerability with specific build fixes across all affected editions.
Denial of service in Jellyfin versions prior to 10.11.7 allows authenticated users to exhaust server resources and crash the SyncPlay media synchronization service via the group creation endpoint (POST /SyncPlay/New) by submitting unbounded payload sizes. An attacker can lock out legitimate clients from accessing SyncPlay functionality and trigger out-of-memory conditions through insufficient input validation on group names and IDs. No public exploit code or active exploitation has been identified.
Windows File Explorer information disclosure vulnerability in Windows 10 and Windows 11 allows authenticated local attackers to read sensitive files through a flaw in access control validation. CVSS 5.5 indicates moderate risk with confidentiality impact but no integrity or availability compromise. Patch available from Microsoft; no public exploit code or active exploitation confirmed at time of analysis.
Windows Remote Procedure Call (RPC) discloses sensitive information to local authenticated users in Windows 10, Windows 11, and Windows Server 2016-2025. An authorized attacker with local access and limited privileges can read confidential data without user interaction, affecting multiple Windows editions across a 9-year product span. Patch availability confirmed from Microsoft; no active exploitation reported.
Windows File Explorer information disclosure vulnerability in Windows 10 and Windows 11 allows authenticated local users to access sensitive information without authorization. The vulnerability affects multiple Windows 10 versions (1607, 1809, 21H2, 22H2), Windows 11 versions (22H3 through 26H1), and Windows Server 2016 through 2025. Microsoft has released patches addressing this CWE-200 information exposure flaw, with no evidence of active exploitation at the time of analysis.
SAP Human Capital Management for SAP S/4HANA allows authenticated users with low privileges to enumerate and guess sensitive information through specific authorization check messages, resulting in information disclosure beyond their authorized scope. The vulnerability affects SAP HCM across affected versions and requires low-privilege authenticated access to exploit, with a CVSS score of 6.5 reflecting high confidentiality impact but no integrity or availability compromise.
Chamilo LMS versions prior to 2.0.0-RC.3 allow authenticated students to read private course notes of any other user via an Insecure Direct Object Reference (IDOR) vulnerability in the notebook module's editnote action. An attacker can manipulate the notebook_id parameter to bypass ownership checks in the read path (get_note_information()), exposing note titles and HTML body content despite write-path protections existing in updateNote() and delete_note(). The vulnerability requires valid student credentials but impacts confidentiality of sensitive educational materials across the platform.
{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request.
SAP S/4HANA frontend OData Service (Manage Reference Structures) allows authenticated users to update and delete child entities without proper authorization checks, enabling privilege escalation and data integrity violations. The vulnerability requires valid user credentials but no special privileges, affecting systems running vulnerable S/4HANA versions. Attackers can exploit exposed OData endpoints to modify or remove reference structure data that should be protected from their access level.
SAP S/4HANA backend OData Service for Manage Reference Structures allows authenticated remote attackers to modify and delete child entities without proper authorization checks, compromising data integrity across reference data structures. The vulnerability requires valid user credentials but no elevated privileges, affecting organizations running vulnerable S/4HANA versions. CVSS 6.5 with confirmed patch availability via SAP Security Patch Day.
SAP S/4HANA OData Service for Manage Reference Equipment lacks authorization checks, allowing authenticated users to modify and delete child entities without proper access controls. The vulnerability affects S/4HANA instances with the vulnerable OData service and requires low-privilege network access, resulting in high integrity impact but no confidentiality or availability risk. No public exploit code or active exploitation has been confirmed.
Fortinet FortiSOAR (both PaaS and on-premise versions 7.3-7.6.x) transmits sensitive authentication credentials in cleartext in API responses for Secure Message Exchange and RADIUS configurations, allowing authenticated attackers with network access to intercept and view passwords. The vulnerability requires user interaction (UI:R) and prior authentication (PR:L), affecting confidentiality of stored credentials in these integrations with a CVSS score of 5.7.
Missing authorization checks in SAP Business Analytics and SAP Content Management allow authenticated users to invoke unauthorized remote function module calls, enabling confidential data access beyond their assigned permissions. The vulnerability affects all versions of the product and carries a CVSS score of 6.5 with confirmed high confidentiality impact. No public exploit code or active exploitation has been reported at time of analysis.
A Local File Inclusion (LFI) vulnerability in the NFSen module (nfsen.inc.php) of LibreNMS 22.11.0-23-gd091788f2 allows authenticated attackers to include arbitrary PHP files from the server filesystem via path traversal sequences in the nfsen parameter.
Fortinet FortiOS allows unauthenticated remote attackers to execute arbitrary code or commands on affected devices through specially crafted packets due to missing authentication controls on a critical function. This affects FortiOS versions 6.2.9 through 6.2.17, all 6.4.x versions, 7.0.0 through 7.0.17, 7.2.0 through 7.2.11, 7.4.0 through 7.4.8, and 7.6.0 through 7.6.3. With a CVSS score of 6.5 and an adjacent network attack vector, this represents a significant risk to FortiGate appliances accessible from local network segments. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored Cross-Site Scripting in ShopLentor WordPress plugin (versions up to 3.3.5) via the woolentor_quickview_button shortcode's button_text attribute allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript that executes for all site visitors. The vulnerability stems from insufficient input sanitization and missing output escaping on user-supplied shortcode attributes. With a CVSS score of 6.4 and confirmed patch availability in version 3.3.6, this poses a moderate risk to WordPress installations using the plugin, particularly those with multiple contributor-level users.
Stored cross-site scripting in the Surbma | Booking.com Shortcode WordPress plugin (all versions up to 2.1) allows authenticated contributors and above to inject malicious scripts into pages via insufficient input sanitization on the `surbma-bookingcom` shortcode attributes, causing arbitrary JavaScript execution for all site visitors accessing the compromised page. The vulnerability has a CVSS score of 6.4 with network-based attack vector and low complexity, requiring only contributor-level privileges to exploit. No public exploit code or active exploitation has been independently confirmed at the time of analysis.