Vulnerability in the PeopleSoft Enterprise FIN Maintenance Management product of Oracle PeopleSoft (component: Work Order Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Maintenance Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise FIN Maintenance Management accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of Oracle PeopleSoft (component: Purchasing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise SCM Purchasing. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise SCM Purchasing accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
Arbitrary file write in Jupyter nbconvert 6.5 through 7.17.0 allows unauthenticated attackers to write files to arbitrary filesystem locations outside the intended output directory by crafting malicious cell attachment filenames in notebooks. The ExtractAttachmentsPreprocessor fails to sanitize attachment filenames, enabling path traversal that provides full control over destination paths and file extensions. Requires user interaction (opening a malicious notebook) and is patched in version 7.17.1.
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N).
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting certain api endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are available.
Tekton Pipelines 0.43.0 through 1.11.0 allows authenticated attackers to bypass trusted resource verification policies via unanchored regular expression patterns that match substrings rather than exact resource sources, enabling policy manipulation and unauthorized verification mode changes. The vulnerability stems from Go's regexp.MatchString function matching patterns anywhere within a string rather than requiring full anchoring, permitting attackers to craft source URIs containing trusted patterns as substrings to trigger unintended policy matches and potentially apply weaker verification keys or modes.
Vulnerability in the Oracle Life Sciences InForm product of Oracle Life Science Applications (component: App Server). Supported versions that are affected are 7.0.1.0 and 7.0.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences InForm. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences InForm accessible data as well as unauthorized read access to a subset of Oracle Life Sciences InForm accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Job Profile Manager). The supported version that is affected is 9.2. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise HCM Human Resources accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise HCM Human Resources accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the PeopleSoft Enterprise HCM Absence Management product of Oracle PeopleSoft (component: Absence Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Absence Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise HCM Absence Management accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise HCM Absence Management accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N).
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAuth tokens (access_token, refresh_token) for services like YouTube Live, Facebook Live, and Twitch. Commit d5992fff2811df4adad1d9fc7d0a5837b882aed7 fixes the issue.
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available.
SQL injection in the CMS für Motorrad Werkstätten WordPress plugin (versions up to 1.0.0) allows authenticated attackers with subscriber-level privileges to extract sensitive database information via an unsanitized 'arttype' parameter. The vulnerability requires valid WordPress user credentials but no special configuration, making it exploitable against any WordPress installation running the affected plugin. No public exploit code or active exploitation has been identified at the time of analysis.
blueprintUE prior to version 4.2.0 fails to invalidate active user sessions when passwords are changed or reset, allowing attackers with compromised sessions to maintain indefinite account access even after the legitimate user detects the breach and changes their password. The attacker retains full account privileges until the session naturally expires (default 24 hours) or is manually cleared, creating a critical window where password changes provide no security benefit.
Textpattern CMS 4.9.0 allows authenticated low-privilege users to modify articles owned by higher-privilege users by manipulating the article ID parameter in the duplicate-and-save workflow, bypassing authorization checks in the article management system. The vulnerability affects only authenticated users with existing CMS access and requires no user interaction or special network access. No public exploit code or active exploitation has been identified, though the EPSS score of 0.02% suggests minimal real-world attack probability despite the moderate CVSS 6.5 score.
A cross-site request forgery (CSRF) mitigation bypass in the DOM postMessage component of Firefox allows authenticated attackers to trigger denial of service against affected systems. The vulnerability bypasses existing CSRF protections through improper validation of postMessage origin checks, affecting Firefox versions prior to 150. No public exploit code has been identified, and exploitation requires authenticated network access without user interaction.
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11.4. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
Vulnerability in the Oracle Security Service product of Oracle Fusion Middleware (component: C Oracle SSL API). Supported versions that are affected are 12.2.1.4.0 and 12.1.3.0.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Security Service. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Security Service accessible data as well as unauthorized access to critical data or complete access to all Oracle Security Service accessible data. CVSS 3.1 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, The OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values. Every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider. The OIDC token cache for the FHIR client connections used an inverted time comparison (isBefore instead of isAfter), causing the cache to never invalidate. Every incoming request returned the same OIDC token even if expired. This vulnerability is fixed in 2.1.0.
Vulnerability in the Oracle Life Sciences InForm product of Oracle Life Science Applications (component: IDM Authentication). Supported versions that are affected are 7.0.1.0 and 7.0.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences InForm. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences InForm accessible data as well as unauthorized read access to a subset of Oracle Life Sciences InForm accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Life Sciences InForm. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).
Honor E App discloses sensitive information to unauthorized users via network-accessible endpoints, requiring user interaction but affecting service confidentiality across all product versions. The vulnerability carries a moderate CVSS score of 6.3 (AV:N/AC:L/PR:N/UI:R) indicating remote exploitation without authentication, though successful attack requires user interaction. Patch availability and exploitation status remain unconfirmed from available sources.
DOM spoofing in Firefox allows remote attackers to deceive users about webpage origin and integrity through rendering manipulation, requiring user interaction. Affects Firefox 149 and earlier, Firefox ESR 115.34 and earlier, and Firefox ESR 140.9 and earlier. Fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10. EPSS score of 0.02% indicates low exploitation probability despite CVSS 6.3 rating, suggesting practical exploitation constraints despite network accessibility.
Invalid pointer handling in Firefox's JavaScript-WebAssembly component allows remote attackers to disclose information or cause limited memory corruption via a malicious webpage, requiring user interaction. The vulnerability affects Firefox versions prior to 150 and Firefox ESR prior to 140.10, with an EPSS score of 0.02% indicating minimal real-world exploitation probability despite moderate CVSS severity. Vendor-released patches are available in Firefox 150 and Firefox ESR 140.10.
Cassandra export module in Glances prior to version 4.5.4 allows local privilege-escalated users to redirect monitoring data to attacker-controlled databases by injecting CQL statements through unvalidated configuration parameters. An authenticated local attacker with write access to the Glances configuration file can modify keyspace, table, and replication_factor settings to execute arbitrary CQL, enabling data exfiltration or denial of service against the monitoring infrastructure. This vulnerability requires elevated local access but carries high confidentiality and integrity impact.
A security flaw has been discovered in Comfast CF-N1-S 2.6.0.1. Affected by this issue is some unknown functionality of the file /cgi-bin/mbox-config?method=SET§ion=ping_config of the component Endpoint. Performing a manipulation of the argument destination results in command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Denial of service in Next AI Draw.io prior to version 0.4.15 allows local attackers to crash the embedded HTTP sidecar by sending oversized request bodies to three POST endpoints (/api/state, /api/restore, /api/history-svg) without size limits, exhausting Node.js V8 heap memory and forcing an out-of-memory shutdown. CVSS 6.2 reflects local attack vector and high availability impact; no public exploit code confirmed at time of analysis.
Reflected cross-site scripting (XSS) in the Website LLMs.txt WordPress plugin versions up to 8.2.6 allows unauthenticated attackers to inject arbitrary JavaScript via the 'tab' parameter due to improper use of filter_input() without sanitization and insufficient output escaping. Exploitation requires social engineering an administrator to click a malicious link, but once successful grants the attacker ability to execute scripts in the admin's browser session with access to sensitive WordPress functions and data.
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.twig`, relying on Twig's default HTML auto-escaping instead of the context-appropriate `js` escaping strategy. In addition, the `query_string()` Twig helper merges all current `$_GET` parameters into the language-switching links on the login page, so attacker-supplied parameters are reflected and preserved across navigation. Version 2026-03b fixes the vulnerability.
Server-side request forgery in Bagisto's Downloadable Link Handler component (versions up to 2.3.15) allows authenticated remote attackers to perform arbitrary HTTP requests on behalf of the server, potentially enabling access to internal resources, metadata services, or information disclosure. The vulnerability has publicly available exploit code and affects the copy function with low-to-moderate CVSS score (5.3) but concrete real-world impact if internal services are exposed. Vendor acknowledges the issue and states fixes are coming in upcoming releases.
## Summary The `defineScriptVars` function in Astro's server-side rendering pipeline uses a case-sensitive regex `/<\/script>/g` to sanitize values injected into inline `<script>` tags via the `define:vars` directive. HTML parsers close `<script>` elements case-insensitively and also accept whitespace or `/` before the closing `>`, allowing an attacker to bypass the sanitization with payloads like `</Script>`, `</script >`, or `</script/>` and inject arbitrary HTML/JavaScript. ## Details The vulnerable function is `defineScriptVars` at `packages/astro/src/runtime/server/render/util.ts:42-53`: ```typescript export function defineScriptVars(vars: Record<any, any>) { let output = ''; for (const [key, value] of Object.entries(vars)) { output += `const ${toIdent(key)} = ${JSON.stringify(value)?.replace( /<\/script>/g, // ← Case-sensitive, exact match only '\\x3C/script>', )};\n`; } return markHTMLString(output); } ``` This function is called from `renderElement` at `util.ts:172-174` when a `<script>` element has `define:vars`: ```typescript if (name === 'script') { delete props.hoist; children = defineScriptVars(defineVars) + '\n' + children; } ``` The regex `/<\/script>/g` fails to match three classes of closing script tags that HTML parsers accept per the [HTML specification §13.2.6.4](https://html.spec.whatwg.org/multipage/parsing.html#parsing-main-inbody): 1. **Case variations**: `</Script>`, `</SCRIPT>`, `</sCrIpT>` - HTML tag names are case-insensitive but the regex has no `i` flag. 2. **Whitespace before `>`**: `</script >`, `</script\t>`, `</script\n>` - after the tag name, the HTML tokenizer enters the "before attribute name" state on ASCII whitespace. 3. **Self-closing slash**: `</script/>` - the tokenizer enters "self-closing start tag" state on `/`. `JSON.stringify()` does not escape `<`, `>`, or `/` characters, so all these payloads pass through serialization unchanged. **Execution flow:** User-controlled input (e.g., `Astro.url.searchParams`) → assigned to a variable → passed via `define:vars` on a `<script>` tag → `renderElement` → `defineScriptVars` → incomplete sanitization → injected into `<script>` block in HTML response → browser closes the script element early → attacker-controlled HTML parsed and executed. ## PoC **Step 1:** Create an SSR Astro page (`src/pages/index.astro`): ```astro --- const name = Astro.url.searchParams.get('name') || 'World'; --- <html> <body> <h1>Hello</h1> <script define:vars={{ name }}> console.log(name); </script> </body> </html> ``` **Step 2:** Ensure SSR is enabled in `astro.config.mjs`: ```js export default defineConfig({ output: 'server' }); ``` **Step 3:** Start the dev server and visit: ``` http://localhost:4321/?name=</Script><img/src=x%20onerror=alert(document.cookie)> ``` **Step 4:** View the HTML source. The output contains: ```html <script>const name = "</Script><img/src=x onerror=alert(document.cookie)>"; console.log(name); </script> ``` The browser's HTML parser matches `</Script>` case-insensitively, closing the script block. The `<img onerror=alert(document.cookie)>` is then parsed as HTML and the JavaScript in `onerror` executes. **Alternative bypass payloads:** ``` /?name=</script ><img/src=x onerror=alert(1)> /?name=</script/><img/src=x onerror=alert(1)> /?name=</SCRIPT><img/src=x onerror=alert(1)> ``` ## Impact An attacker can execute arbitrary JavaScript in the context of a victim's browser session on any SSR Astro application that passes request-derived data to `define:vars` on a `<script>` tag. This is a documented and expected usage pattern in Astro. Exploitation enables: - **Session hijacking** via cookie theft (`document.cookie`) - **Credential theft** by injecting fake login forms or keyloggers - **Defacement** of the rendered page - **Redirection** to attacker-controlled domains The vulnerability affects all Astro versions that support `define:vars` and is exploitable in any SSR deployment where user input reaches a `define:vars` script variable. ## Recommended Fix Replace the case-sensitive exact-match regex with a comprehensive escape that covers all HTML parser edge cases. The simplest correct fix is to escape all `<` characters in the JSON output: ```typescript export function defineScriptVars(vars: Record<any, any>) { let output = ''; for (const [key, value] of Object.entries(vars)) { output += `const ${toIdent(key)} = ${JSON.stringify(value)?.replace( /</g, '\\u003c', )};\n`; } return markHTMLString(output); } ``` This is the standard approach used by frameworks like Next.js and Rails. Replacing every `<` with `\u003c` is safe inside JSON string contexts (JavaScript treats `\u003c` as `<` at runtime) and eliminates all possible `</script>` variants including case variations, whitespace, and self-closing forms.
Stored cross-site scripting (XSS) in FreeScout prior to version 1.8.213 allows remote attackers to inject arbitrary HTML attributes into email message bodies by embedding unescaped double-quote characters in URLs. When the linkify() function converts plain-text URLs to anchor tags without proper escaping, attackers can break out of the href attribute and inject malicious JavaScript or event handlers. This requires user interaction (UI:R) to view a crafted email, but once viewed, the injected script executes in the context of the victim's session with potential for account compromise or data theft.
Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware (component: Human workflow 11g+). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Process Management Suite. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Process Management Suite, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Process Management Suite accessible data as well as unauthorized read access to a subset of Oracle Business Process Management Suite accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: Identity Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Identity Manager accessible data as well as unauthorized read access to a subset of Oracle Identity Manager accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Configurator, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Configurator accessible data as well as unauthorized read access to a subset of Oracle Configurator accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Parsing a malicious font file can cause excessive memory allocation.
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/delete/fwdhost`. Any authenticated user can call this API. Checks are only applied for edit/add actions, but deletion can still significantly disrupt the mail service. Version 2026-03b fixes the vulnerability.
Cross-site scripting (XSS) in WebSystems WebTOTUM 2026 Calendar component allows authenticated remote attackers to inject malicious scripts via an unknown function, requiring user interaction for exploitation. Publicly available exploit code exists, and vendor has released a patched version following responsible disclosure.
Stored cross-site scripting (XSS) in Bagisto up to version 2.3.15 allows authenticated attackers to inject malicious scripts via the Custom Scripts Handler component, which are then executed in the browsers of other users with user-interaction. The vulnerability has publicly available exploit code and affects the integrity of user sessions. Vendor has acknowledged the issue and committed to fixes in upcoming releases but no patched version has been released at time of analysis.
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u481 and 8u481-b50; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 6.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H).
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
FreeScout versions prior to 1.8.214 allow authenticated agents in shared mailboxes to recall another agent's reply within a 15-second undo window due to insufficient authorization checks on the undo-send endpoint. The vulnerability requires agent-level authentication and shared mailbox access but enables one user to suppress a colleague's outbound communication, affecting message integrity and audit trails in multi-agent help desk environments.
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware (component: Microsoft Active Directory). The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows low privileged attacker with network access via LDAP to compromise Oracle Identity Manager Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Identity Manager Connector accessible data as well as unauthorized read access to a subset of Oracle Identity Manager Connector accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N).
OpenClaw before version 2026.4.2 transmits stored gateway credentials over unencrypted WebSocket (ws://) connections when accepting non-loopback endpoints, allowing adjacent network attackers with user interaction to forge discovery results or craft malicious setup codes that redirect clients to attacker-controlled endpoints and exfiltrate plaintext credentials. No public exploit code has been identified, but the vulnerability requires proximity to the target network and user interaction to trigger the credential disclosure.
HTML injection in FreeScout prior to version 1.8.213 allows unauthenticated attackers to inject arbitrary HTML into outgoing support emails by crafting a malicious From display name. The unsanitized name is stored in the database and rendered unescaped via the {%customer.fullName%} template variable in reply emails, enabling attackers to embed phishing links, tracking pixels, and spoofed content in emails sent from the organization's legitimate address. No public exploit code identified at time of analysis.
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N).
Fortra GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 use a static initialization vector (IV) for encryption, allowing authenticated administrative users to brute-force decryption of encrypted data. The vulnerability requires high-privilege access and computational effort but results in complete confidentiality loss of encrypted values. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting in Twenty CRM versions prior to 1.20.6 allows authenticated attackers to inject malicious JavaScript URIs into file block attachments via the BlockNote editor, executing arbitrary code in the browsers of users who click the malicious link. The vulnerability bypasses protocol validation in the FileBlock component and lacks server-side sanitization of block content; exploitation requires user interaction (clicking the attachment) but persistence is stored on the server, affecting all subsequent users who view the compromised document.
FreeScout versions prior to 1.8.213 expose complete customer PII through an authentication bypass in the `load_customer_info` action of POST /conversation/ajax, allowing any authenticated user to retrieve sensitive profile data for arbitrary customers by providing only a valid email address. The vulnerability affects the authorization layer rather than authentication, enabling lateral access to customer records across mailboxes without proper access control verification.