Code injection vulnerability in protobufjs (JavaScript protobuf library) allows authenticated attackers to execute arbitrary JavaScript code during protobuf object decoding by injecting malicious payloads into 'type' fields of protobuf definitions. Affects all versions before 7.5.5 and 8.0.1. CVSS 9.4 (Critical) reflects chained impact across multiple security boundaries (VC:H/VI:H/VA:H/SC:H/SI:H/SA:H), though exploitation requires authenticated access (PR:L) to inject malicious protobuf definitions. No active exploitation confirmed (not in CISA KEV); vendor-released patches available.
Heap buffer overflow in SAIL image library's TGA decoder allows remote code execution via malformed RLE-compressed TGA files against all versions prior to commit 45d48d1. Network-accessible applications processing untrusted TGA images can be fully compromised without authentication or user interaction (CVSS 9.8). The raw-packet RLE decompression path permits writing up to 496 bytes of attacker-controlled data beyond allocated heap bounds. Vendor patch confirmed via GitHub commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302. No CISA KEV listing or public POC identified at time of analysis, but the straightforward exploitation conditions (parsing untrusted files) and complete technical disclosure create high weaponization risk.
Heap buffer overflow in SAIL PSD codec allows remote code execution when processing malicious LAB-mode PSD files. Affects all SAIL versions prior to commit c930284 (HappySeaFox/sail). Attackers can achieve arbitrary code execution (CVSS 9.8: AV:N/AC:L/PR:N/UI:N) by triggering a mismatch between computed bytes-per-pixel (6 bytes for 3-channel 16-bit LAB) and allocated buffer size (5 bytes for BPP40_CIE_LAB format). Every pixel write deterministically overflows the heap buffer. EPSS data not available. Not listed in CISA KEV. Patch available via GitHub commit c930284445ea3ff94451ccd7a57c999eca3bc979.
Out-of-bounds memory access in SAIL image library's XWD codec allows remote attackers to achieve arbitrary code execution via malformed image files. The vulnerability stems from a pixel format mismatch where buffer allocation uses pixmap_depth=8 (1 byte/pixel) but byte-swap operations use bits_per_pixel=32 (4 bytes/pixel), causing 4x buffer overrun. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation requiring only delivery of a crafted XWD file. EPSS data unavailable; no KEV listing indicates targeted rather than widespread exploitation. Fix available in commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02.
Syscall 12 (JumpToUser) in NovumOS versions prior to 0.24 executes arbitrary kernel code at Ring 0 privilege when invoked by unprivileged Ring 3 user-mode processes. The vulnerability stems from missing address validation on user-supplied entry points, enabling local privilege escalation from user mode to kernel mode with complete system control. CISA SSVC framework confirms publicly available exploit code (POC status) with total technical impact, though EPSS score remains low at 0.02% (5th percentile), suggesting limited real-world targeting of this niche custom operating system despite the severe technical flaw.
Authentication bypass in ChurchCRM versions prior to 7.2.0 allows remote unauthenticated attackers to obtain valid API keys by submitting credentials directly to the /api/public/user/login endpoint, circumventing account lockout policies and two-factor authentication enforcement. Attackers with stolen or compromised passwords can gain full API access with the victim's privileges even when the account is locked or protected by 2FA. CVSS 9.1 critical severity. Fixed in version 7.2.0 via GitHub commit 214694eb and PR #8607. No CISA KEV listing or public exploit code identified at time of analysis, though the vulnerability class (CWE-288: Authentication Bypass) is well-understood and straightforward to exploit once credentials are obtained through phishing, credential stuffing, or database leaks.
Remote code execution in ChurchCRM <7.2.0 allows authenticated administrators to upload PHP webshells through the database backup restore function, which copies files from archive Images/ directories to web-accessible paths without extension filtering. The vulnerability includes a CSRF bypass enabling forced exploitation through cross-site request forgery. Exploitation requires high privileges (administrator account) but is network-accessible with low complexity (CVSS:3.1/AV:N/AC:L/PR:H). No active exploitation confirmed (not in CISA KEV). Vendor-released fix available in version 7.2.0 via GitHub PR #8610 and commit 68be1d12.
Privilege escalation in NovumOS versions prior to 0.24 allows local unprivileged attackers to gain kernel-level execution by manipulating core kernel structures. The vulnerable Syscall 15 (MemoryMapRange) permits user-mode processes to map arbitrary virtual memory regions, including protected kernel areas (IDT, GDT, TSS, page tables), enabling modification of interrupt handlers for privilege elevation. CISA SSVC framework confirms POC availability with total technical impact, though EPSS exploitation probability remains very low (0.01%, 2nd percentile), indicating research-phase discovery rather than widespread targeting. No CISA KEV listing at time of analysis. Vendor-released patch available in version 0.24.