Stored cross-site scripting in GFI HelpDesk before version 4.99.9 allows authenticated staff members to inject arbitrary JavaScript via the Troubleshooter step subject field, with execution occurring when any user views the affected step. The vulnerability stems from unsanitized POST parameter handling in Controller_Step.InsertSubmit() and EditSubmit() methods, enabling persistent payload storage and broad user impact within the application.
Stored cross-site scripting in GFI HelpDesk before version 4.99.10 allows authenticated attackers to inject arbitrary JavaScript into report titles via the Reports module, with payload execution triggered when staff members access the report link in the Manage Reports interface. The vulnerability requires attacker authentication and user interaction (clicking the report link), limiting real-world impact to internal staff compromise scenarios rather than mass exploitation. Patch is available from the vendor.
Double-free and use-after-free vulnerability in Mozilla's thin_vec Rust crate allows local attackers to read sensitive memory via panic-induced length corruption in IntoIter::drop and ThinVec::clear functions. The vulnerability occurs when a panic in ptr::drop_in_place fails to reset the vector length to zero, leaving dangling pointers accessible to subsequent operations. Affected applications linking thin_vec versions prior to the patched release face local information disclosure risk with low real-world exploitation probability (EPSS 0.02%).
Fudo Enterprise versions 5.5.0 through 5.6.2 permit low-privileged users to access administrator-only API endpoints, exposing sensitive system logs and configuration data due to improper authorization controls. Authenticated attackers with minimal privileges can escalate access to protected resources without additional user interaction. The vulnerability has been patched in version 5.6.3.
OpenMage LTS Dataflow module prior to version 20.17.0 allows authenticated administrators to read arbitrary files via a bypassable path traversal filter that uses simple string replacement (`str_replace('../', '', $input)`). Attackers can circumvent the blacklist by using nested patterns like `..././` or `....//` which resolve to valid `../` sequences after filtering. Remote administrative access is required, but the high confidentiality impact and confirmed patch availability make immediate patching necessary for affected deployments.
GFI HelpDesk before version 4.99.9 contains a stored cross-site scripting vulnerability in language management where the charset POST parameter is not HTML-sanitized before being rendered by the View_Language.RenderGrid() function. An authenticated administrator can inject arbitrary JavaScript through the charset field when creating or editing a language, with the payload executing in the browsers of other administrators viewing the Languages page. This is a medium-risk vulnerability limited to authenticated administrators but affecting any admin viewer.
GFI HelpDesk before version 4.99.9 allows authenticated administrators to inject stored cross-site scripting (XSS) payloads via the companyname parameter in template group creation and editing, with malicious scripts executing in the browsers of other administrators viewing the Templates > Groups page. The attack requires administrative credentials and user interaction (victim viewing the affected page), but succeeds against all administrator accounts with access to that interface.
Stored Cross-Site Scripting in wpDataTables WordPress plugin (all versions up to 6.5.0.4) allows unauthenticated attackers to inject malicious scripts into data tables via insufficient input sanitization in LinkWDTColumn, ImageWDTColumn, and EmailWDTColumn classes. Exploitation requires an Administrator to import attacker-controlled data with affected column types configured, but once injected, the malicious script executes for all users viewing the infected page. No public exploit code or active exploitation confirmed at time of analysis.
pip before version 26.1 incorrectly treats concatenated tar and ZIP archives as ZIP files regardless of filename, potentially installing unintended package contents when ambiguous archive formats are processed. Local attackers with user interaction can exploit this during package installation to cause integrity confusion, where an archive's actual contents diverge from its declared format. The vulnerability requires local access and user interaction (downloading/installing a crafted archive), limiting real-world impact to supply-chain scenarios or direct social engineering of pip users.
Uncontrolled resource consumption in OTRS admin interface SQL Box causes denial of service against the webserver, affecting OTRS 7.0.x, 8.0.x, 2023.x, 2024.x, 2025.x, and 2026.x before 2026.3. The vulnerability requires high-privilege admin access and user interaction, limiting real-world impact to authenticated administrators performing deliberate actions. No public exploit code or active exploitation has been identified.
DSL expression injection in ProjectDiscovery Nuclei before 3.8.0 allows remote code execution when using the -env-vars flag with multi-step templates against untrusted targets. An attacker can inject malicious expressions into environment variables that are evaluated as Nuclei DSL code, achieving arbitrary code execution with the privileges of the Nuclei process. This vulnerability requires non-default configuration (explicit -env-vars usage) and high attack complexity, limiting real-world impact despite the RCE tag.