Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. In versions 3.26.0 and below, the BER/DER decoding functions in the shared common library (asn1.c) accept a raw pointer but no buffer length parameter, and trust attacker-controlled BER length fields without validating them against actual buffer boundaries. All primitive decoders are affected: ber_decode_INTEGER, ber_decode_SEQUENCE, ber_decode_OCTET_STRING, ber_decode_BIT_STRING, and ber_decode_CHOICE. Additionally, ber_decode_INTEGER can produce integer underflows when the encoded length is zero. An attacker supplying a malformed BER-encoded cryptographic object through PKCS#11 operations such as C_CreateObject or C_UnwrapKey, token loading from disk, or remote backend communication can trigger out-of-bounds reads. This affects all token backends (Soft, ICA, CCA, TPM, EP11, ICSF) since the vulnerable code is in the shared common library. A patch is available thorugh commit ed378f463ef73364c89feb0fc923f4dc867332a3.
Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an insertion of sensitive information into log file vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.
Eaton Intelligent Power Protector (IPP) software allows brute-force credential attacks against the web interface login page due to missing rate-limiting controls, enabling remote attackers to enumerate valid credentials and gain unauthorized access without authentication. CVSS 6.5 reflects moderate confidentiality and integrity impact via network access. Eaton has released a patched version available from their download center.
Yamaha SR-B30A sound bar firmware 2.40 allows remote attackers within Bluetooth Low Energy (BLE) radio range to connect to the device and modify settings without authentication via the Sound Bar Remote protocol. The vulnerability enables unauthenticated integrity compromise (modification of device configuration) but does not expose sensitive data or cause denial of service. This affects only devices within BLE proximity range, significantly limiting practical attack scope despite the moderate CVSS score.
SQL injection in Accessibility Suite by Ability, Inc WordPress plugin (versions up to 4.20) allows authenticated attackers with Subscriber-level access to extract sensitive database information via an unescaped 'scan_id' parameter. The vulnerability is unauthenticated remote network-accessible but requires low-privilege login credentials; no public exploit code or active exploitation has been identified at the time of analysis.
The Email Encoder - Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eeb_mailto' shortcode in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Livemesh Addons for Elementor plugin versions up to 9.0 allow authenticated attackers with Subscriber-level access to inject arbitrary JavaScript via the plugin settings page through missing authorization checks on the AJAX handler lae_admin_ajax() and insufficient output escaping on checkbox fields. The injected scripts execute whenever an administrator accesses the settings page if the attacker obtains a valid nonce, which can be leaked due to improper access control on settings pages. This combination of authorization bypass and stored XSS affects all WordPress installations running the vulnerable plugin.
Stored XSS in WP Maps plugin for WordPress allows authenticated contributors to inject malicious scripts via the 'put_wpgm' shortcode due to insufficient input sanitization and output escaping. Attackers with contributor-level access and above can craft malicious shortcode attributes that persist in page content and execute for all subsequent visitors. All versions up to 4.8.7 are affected; patched version 4.8.8 is available.
Stored Cross-Site Scripting in BetterDocs WordPress plugin versions up to 4.3.8 allows authenticated attackers with contributor-level access to inject arbitrary JavaScript into pages via the 'betterdocs_feedback_form' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users who view affected pages, enabling account compromise, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at this time.
Stored cross-site scripting in the Vantage WordPress theme up to version 1.20.32 allows authenticated contributors and higher-privileged users to inject malicious scripts into gallery block text content that execute for all site visitors. The vulnerability stems from insufficient output escaping in the gallery template, enabling attackers with contributor-level access to compromise page integrity and potentially steal session tokens or deface content.
Stored Cross-Site Scripting (XSS) in WP Docs plugin for WordPress (all versions through 2.2.9) allows authenticated attackers with subscriber-level access to inject malicious scripts via the 'wpdocs_options[icon_size]' parameter due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user accessing the affected page, enabling session hijacking, credential theft, or malware distribution with no user interaction required beyond normal site browsing. No public exploit code has been identified, but the vulnerability is technically straightforward to exploit given valid subscriber credentials.
Stored Cross-Site Scripting (XSS) in WP Shortcodes Plugin - Shortcodes Ultimate through version 7.4.9 allows authenticated contributors and above to inject arbitrary JavaScript into WordPress pages via the 'su_box' shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of all users who access the affected pages, potentially compromising site visitors' sessions and data. No public exploit code has been identified at the time of analysis, though the vulnerability is straightforward to reproduce and weaponize.
Stored Cross-Site Scripting in WP YouTube Lyte plugin for WordPress versions up to 1.7.29 allows authenticated contributors and above to inject arbitrary JavaScript via the 'lyte' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users viewing affected pages. No public exploit code or active exploitation has been confirmed at time of analysis; patch is available in version 1.7.30 and later.
ONLYOFFICE DesktopEditors versions before 9.3.0 allow local attackers to perform arbitrary file operations with SYSTEM privileges via the update service, resulting in denial of service through resource exhaustion or file manipulation. The vulnerability requires local access and operates without user interaction, making it a significant privilege-escalation risk in multi-user or compromised-account scenarios.
The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies.
Reflected Cross-Site Scripting in Customer Reviews for WooCommerce plugin allows unauthenticated attackers to inject arbitrary JavaScript via the unescaped 'crsearch' parameter, affecting all versions up to 5.101.0. Exploitation requires social engineering (victim must click a malicious link), but successful attacks can steal session cookies, perform actions as the logged-in user, or redirect to phishing sites. No public exploit code or active exploitation has been identified, though the vulnerability is trivially reproducible given the simple parameter manipulation required.
Stored Cross-Site Scripting (XSS) in CodeColorer plugin for WordPress versions up to 0.10.1 allows unauthenticated attackers to inject malicious JavaScript via the 'class' parameter in the 'cc' comment shortcode, which executes in the browsers of users viewing the affected page. Exploitation requires comments to be enabled and guest comments permitted on the target post. The vulnerability has a CVSS score of 6.1 with low complexity and no authentication required, but user interaction (visiting the affected page) is necessary for the payload to execute.
{{ .Error }} in HTML without escaping - endpoints/publicProxy/providerGithub.go - login callback closure (lines 93, 128, 130) - endpoints/dynamicProxy/providerGithub.go - loginHandler() (lines 110, 146, 148)
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire.
Eaton Intelligent Power Protector (IPP) software allows authenticated administrators with local system access to execute arbitrary commands via XML input validation bypass, requiring user interaction. The vulnerability impacts all versions of IPP software prior to the latest patched release available on Eaton's download center. CVSS score of 6.0 reflects high integrity and availability impact but is constrained by elevated privilege requirements and high attack complexity.
Missing lock check in AMD Platform Security Processor in AMD EPYC™ 9005 Series CPUs allows a privileged attacker to potentially impact guest confidentiality via local access.
@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.
Insecure HTTP response header configuration in Eaton Intelligent Power Protector (IPP) software enables attackers to perform web-based attacks including information disclosure and content modification. The vulnerability requires network access, unusual attack complexity, and user interaction (CVSS AV:N/AC:H/PR:N/UI:R), affecting all versions of IPP software prior to the patched release. No public exploit code or active exploitation has been identified at time of analysis.
Insufficiently Protected Credentials in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client does not verify the receiver of OAuth2 credentials during OpenID authentication
Eaton Intelligent Power Protector (IPP) software uses insecure cookie configuration that allows network attackers to intercept session cookies via man-in-the-middle attack when high-privilege users interact with the application. CVSS 5.7 reflects the requirement for high privileges and user interaction, combined with high confidentiality and integrity impact. Eaton has released a patched version available on their download center.
{%- set b = environ.__globals__['__builtins__'] -%} {%- set os = b['__import__']('os') -%} {%- set bio = b['__import__']('builtins') -%} ... ```` or other malicious Jinja2 expressions. This can lead to arbitrary code execution on the local machine. In a two step process an adversary could trick/convince an user to download third-party templates which contain harmful code (e. g., perform data manipulation or establish a remote shell) then to render those templates unchecked/reviewed/verified with `--local`. The issue only affect the local machine and not a remote Home Assistant instance. It also requires user interventions. 1.0.0 uses `ImmutableSandboxedEnvironment` and restricts the usage of environment variables. Evaluate the Jninja2 templates manually or tool-based before rendering with `hass-cli`.
Insuffient checks of the RMP on host buffer access in IOMMU may allow an attacker with privileges and a compromised HV to trigger an out of bounds condition without RMP checks resulting in a. Rated medium severity (CVSS 5.6).
The Better Find and Replace - AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
TP-Link Archer C7 v5 and v5.8 routers use weak RSA-1024 encryption for admin password transmission during web login, allowing adjacent attackers with network traffic interception capability to perform cryptanalytic attacks (brute-force or key factorization) to recover plaintext credentials and gain unauthorized administrative access. EPSS score of P (Probable) and active POC availability indicate realistic exploitation risk in local network environments; however, exploitation requires both network adjacency and successful cryptanalysis of a 1024-bit RSA key, limiting attack scope to motivated adversaries on shared networks (e.g., compromised WiFi).
Privilege escalation in ASUS DriverHub through version 1.0.6.11 allows local authenticated users to modify update validation resources, bypassing security checks to execute arbitrary code with elevated privileges during driver updates. The vulnerability exploits improper file permission assignment in the update process, requiring user interaction to trigger the elevated execution. CVSS 5.4 indicates moderate severity; exploitation requires local access and authenticated user status with specific file system conditions.
Privilege escalation in ASUS Member Center (华硕大厅) versions 1.6.6.4 and earlier allows authenticated local users to achieve Administrator-level privilege escalation by exploiting a Time-of-check Time-of-use (TOC-TOU) race condition during the update process. An attacker can substitute a malicious payload for the legitimate downloaded update immediately after integrity verification completes but before execution, causing the compromised code to run with administrative privileges upon user consent. CVSS 5.4 reflects the requirement for local access, user interaction, and elevated (but non-Administrator) initial privileges; however, the vulnerability achieves full privilege escalation to Administrator with moderate technical difficulty.
SiYuan 3.6.1 through 3.6.3 allows arbitrary code execution when users view malicious bazaar packages in the marketplace UI. The vulnerability stems from an incomplete XSS fix (for CVE-2026-33066) that enabled an HTML sanitizer but failed to block iframe tags with srcdoc attributes containing embedded scripts. A malicious package author can inject JavaScript that executes in the Electron process with full application privileges, compromising the user's machine. The issue is confirmed fixed in version 3.6.4 and no public exploitation has been reported at time of analysis.
Riaxe Product Customizer plugin for WordPress versions up to 2.1.2 allows unauthenticated attackers to delete arbitrary user accounts via a REST API endpoint lacking permission checks. The POST /wp-json/InkXEProductDesignerLite/customer/delete_customer route accepts a list of user IDs and directly deletes them without authentication or authorization validation, enabling attackers to remove administrator accounts and cause complete site lockout. This is confirmed by Wordfence and affects all installations running the vulnerable plugin version.
Summary The unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership verification. A non-admin user who knows a global frontend token can call DELETE /api/v2/unaccess with any of their own environment IDs and permanently delete the global frontend, taking down all public shares routed through it. Attack Vector: Network - the endpoint is a standard HTTP API call. Attack Complexity: High - successful exploitation requires prior knowledge of a global frontend token. These tokens are not returned to non-admin users by any standard API endpoint; obtaining one requires an out-of-band step (e.g., leaked server logs, admin documentation for a self-hosted instance, or social engineering). Privileges Required: Low - a valid user account with at least one registered environment is required; no admin privileges needed. User Interaction: None. Scope: Unchanged - the impact stays within the same server instance. Confidentiality Impact: None - no data is disclosed. Integrity Impact: None - no data is improperly modified; the record is deleted (not corrupted). Availability Impact: High - deleting a global frontend disrupts every public share routed through it on the instance, constituting a platform-wide availability impact. Affected Component controller/unaccess.go - unaccessHandler.Handle (line 56)
The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the current session, which bypasses file permissions. This usually happens when creating an image variant, for example using a manipulation method like ScaleWidth() or Convert(). Note that if developers use DBFile directly in the $db configuration for a DataObject class that doesn't subclass File, and if they were setting the visibility of those files to "protected", those files will now need an explicit access grant to be accessed. If developers do not want to explicitly provide access grants for these files in their apps (i.e. they want these files to be accessible by default), they should use the "public" visibility. This issue has been fixed in versions 2.4.5 and 3.1.3.
The Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to "failed").
@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration.
Unauthenticated attackers can modify post share count metadata in Post Grid Gutenberg Blocks for News, Magazines, Blog Websites - PostX (PostX) plugin versions up to 5.0.5 due to a missing capability check in the ultp_shareCount_callback() function. This allows unauthorized modification of share_count post meta for any post including private and draft posts, affecting all WordPress installations running the vulnerable plugin. No public exploit code or active exploitation has been identified at the time of analysis.
Unauthenticated attackers can modify stored map latitude and longitude options in the Basic Google Maps Placemarks WordPress plugin through version 1.10.7 due to missing authorization checks on administrative functions. The vulnerability allows remote, unauthenticated modification of critical map configuration without requiring user interaction, affecting any WordPress site running the vulnerable plugin with default settings. No public exploit code or active exploitation has been identified at the time of analysis.
Stored cross-site scripting (XSS) in wger fitness application allows authenticated users to inject malicious JavaScript via unescaped license attribution fields in ingredient and image models, which executes when any visitor views the affected page. The vulnerability persists in the database and can be exploited to steal session cookies, perform unauthorized actions as other users, or conduct phishing attacks. Affected versions allow low-privilege authenticated users (any non-temporary account) to create ingredients with JavaScript payloads in the `license_author` field, which bypasses all input sanitization and is rendered with Django's `|safe` filter, disabling auto-escaping.
UDP Console in Arcserve allows information disclosure when an administrator configures the activation server hostname to an arbitrary or malicious URL, causing the product to unintentionally communicate with and leak data to the attacker-controlled domain. The vulnerability requires user interaction (configuring a malicious hostname) and affects all versions of Arcserve UDP Console, with CVSS 6.3 (network-accessible, low complexity) indicating moderate real-world risk. No active exploitation or public proof-of-concept has been identified at the time of analysis.
Dell Client Platform BIOS contains a Weak Password Recovery Mechanism vulnerability. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability, leading to unauthorized access.
ONLYOFFICE DocumentServer before 9.3.0 contains an untrusted pointer dereference vulnerability in XLS file processing that enables authenticated remote attackers to leak sensitive memory and bypass ASLR protections. The vulnerability affects XLS conversion workflows through multiple vectors including pictFmla.cbBufInCtlStm manipulation, allowing information disclosure without requiring user interaction. CVSS 5.0 reflects moderate risk given network accessibility and the authentication barrier, though the scope change to CVSS:C indicates potential cross-boundary impact.
{}", message)`). Inbox messages are wrappers around outbox message data, which can contain highly sensitive information such as personal data (PII), citizen identifiers (BSN), and case details. This data is exposed to: - Anyone with access to application logs (stdout/log files) - Any Valtimo user with the admin role, through the logging module in the Admin UI `com.ritense.inbox.InboxHandlingService#handle` in the `inbox` module. Fixed in [13.22.0](https://github.com/valtimo-platform/valtimo/releases/tag/13.22.0) via commit [`f16a1940ba`](https://github.com/valtimo-platform/valtimo/commit/f16a1940ba7b34627c0b966f98ca78655ace9335) (PR [#497](https://github.com/valtimo-platform/valtimo/pull/497), tracking issue [gzac-issues#653](https://github.com/generiekzaakafhandelcomponent/gzac-issues/issues/653)). The log statement was downgraded from INFO to DEBUG and the message payload was removed from the log output. For versions before 13.22.0, consider: - Restricting access to application logs - Adjusting the log level for `com.ritense.inbox` to WARN or higher in your application configuration
Integer overflow in FFmpeg's CENC subsample data parsing (libavformat/mov.c) before version 8.1 enables out-of-bounds memory writes on local systems processing specially crafted MP4 files. The vulnerability requires attacker-controlled media file input and non-default system configuration, limiting exploitation to local contexts; no active exploitation or public exploit code has been identified. With a CVSS score of 4.9 and low attack complexity requirement, this represents a moderate local integrity and confidentiality risk primarily affecting users who process untrusted video files from untrusted sources.
MuPDF mutool fails to sanitize PDF metadata before displaying it in terminal output, allowing local attackers to inject ANSI escape sequences through crafted PDF files. When a user runs mutool info on a malicious PDF, embedded escape codes can clear the terminal and display fabricated text for social engineering attacks such as fake login prompts or spoofed shell commands. This is a low-severity local vulnerability (CVSS 3.3) requiring user interaction, with a vendor-released patch available.
Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass the security fix for CVE-2026-32303. The method hardcodes the URI scheme based on port number, causing HTTPS URLs with port 80 to produce the same authority string as HTTP URLs, which defeats both the consistency check and the HTTP block validation. An attacker with write access to a cloud-synced vault.cryptomator file can craft a Hub configuration where apiBaseUrl and authEndpoint use HTTPS with port 80 to pass auto-trust validation, while tokenEndpoint uses plaintext HTTP. The vault is auto-trusted without user prompt, and a network-positioned attacker can intercept the OAuth token exchange to access the Cryptomator Hub API as the victim. This issue has been fixed in version 1.19.2.