A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages-specifically those containing negative varints or deep recursion-can be used to crash the application, impacting service availability.
Path traversal in OpenHarness allows authenticated gateway users with chat access to read arbitrary files on the server via the '/memory show' slash command. Affecting all versions prior to commit dd1d235, attackers can inject directory traversal sequences to escape the project memory directory and access any file readable by the OpenHarness process. CVSS 7.1 reflects high confidentiality impact with low-privilege network access. Vendor patch available via GitHub commit dd1d235450dd987b20bff01b7bfb02fe8620a0af. No public exploit identified at time of analysis, EPSS data unavailable.
An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message.
Incorrect use of boot service in the AMD Platform Configuration Blob (APCB) SMM driver could allow a privileged attacker with local access (Ring 0) to achieve privilege escalation potentially resulting in arbitrary code execution.
LINE for iOS versions before 26.3.0 suffer from dialog-based denial-of-service through the in-app browser. A remote attacker can render an iOS device temporarily inoperable by crafting a malicious web page that triggers infinite OS-level dialog loops when opened in LINE's browser, requiring only that a user click a malicious link. EPSS exploitation probability is minimal (0.01%, 1st percentile) with no active exploitation confirmed. Vendor patch released in version 26.3.0, addressing CWE-451 (user interface misrepresentation).