Recursive chmod operations can bypass --preserve-root protection in uutils coreutils versions prior to 0.6.0, allowing local authenticated users to execute destructive permission changes across the entire root filesystem. The vulnerability stems from incomplete path canonicalization that permits path traversal variants (/../) and symbolic links to circumvent safety checks, potentially causing system-wide denial of service. EPSS score of 0.01% indicates minimal exploitation probability in the wild, with no public exploit code identified and vendor patch available in version 0.6.0.
Arbitrary file write in HTTP Headers plugin for WordPress versions ≤1.19.2 enables authenticated administrators to achieve remote code execution by manipulating htpasswd file path configuration and injecting PHP code via unsanitized username input. Administrators can set a malicious file path (e.g., webroot/shell.php) through 'hh_htpasswd_path' option and inject executable code via the 'hh_www_authenticate_user' field, which is written directly to disk without validation. Wordfence disclosure includes direct source code references showing the vulnerable apache_auth_credentials() and update_auth_credentials() functions. No public exploit code or active exploitation confirmed at time of analysis.
Memory corruption in rust-openssl's key derivation functions allows heap or stack buffer overflow when applications pass undersized buffers to Deriver::derive or PkeyCtxRef::derive on OpenSSL 1.1.x. The vulnerability affects X25519, X448, DH, and HKDF-extract operations where OpenSSL ignores the caller-specified buffer length and unconditionally writes the full shared secret, causing safe Rust code to trigger memory corruption. Vendor patch available in v0.10.78; OpenSSL 3.x deployments are not affected as newer providers correctly validate buffer lengths.
Out-of-bounds memory write in rust-openssl's AES key unwrap function allows attackers who control buffer sizes to corrupt memory via safe API misuse. The aes::unwrap_key() function contains an inverted bounds assertion that accepts undersized output buffers and rejects correctly sized ones, causing the function to write beyond allocated memory by in_.len() - 8 - out.len() bytes. Vendor patch available via GitHub PR #2604 and commit 718d07ff, released in openssl-v0.10.78. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis, but the logic flaw is clearly documented in vendor advisory GHSA-8c75-8mhr-p7r9.
Server-Side Request Forgery in Squidex's backup restoration endpoint allows authenticated administrators to probe internal network services and access cloud metadata endpoints. The RestoreController.PostRestoreJob endpoint accepts arbitrary URLs without SSRF protection, enabling internal reconnaissance through the application's HTTP client. Exploitation requires high privileges (admin authentication) but grants access to confidential internal resources and sensitive cloud service metadata. Version 7.23.0 patches this vulnerability. EPSS exploitation probability and active exploitation status are not reported in available intelligence.
Missing authorization in a+HRD API allows authenticated low-privilege remote attackers to read arbitrary database contents. The vulnerability exists in a specific API method that fails to properly verify user permissions, enabling lateral privilege escalation to access sensitive data beyond the attacker's authorization scope. The CVSS 4.0 score of 7.1 reflects high confidentiality impact with network attack vector and low attack complexity, though exploitation requires valid user credentials.
SQL injection in aEnrich a+HRD allows authenticated remote attackers to read database contents through malicious SQL command injection. The vulnerability requires low-privilege authentication but enables complete confidentiality breach of database information. No active exploitation confirmed via CISA KEV, and EPSS data not available, but the low attack complexity (AC:L) and network attack vector (AV:N) make this exploitable by any authenticated user with basic SQL injection knowledge.
In the Linux kernel, the following vulnerability has been resolved: io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check __io_uring_show_fdinfo() iterates over pending SQEs and, for 128-byte SQEs on an IORING_SETUP_SQE_MIXED ring, needs to detect when the second half of the SQE would be past the end of the sq_sqes array. The current check tests (++sq_head & sq_mask) == 0, but sq_head is only incremented when a 128-byte SQE is encountered, not on every iteration. The actual array index is sq_idx = (i + sq_head) & sq_mask, which can be sq_mask (the last slot) while the wrap check passes. Fix by checking sq_idx directly. Keep the sq_head increment so the loop still skips the second half of the 128-byte SQE on the next iteration.
A buffer validation flaw in Linux kernel's TDX guest driver (versions 6.7+) allows local authenticated attackers to leak kernel memory beyond allocated quote buffers into userspace, potentially crossing container isolation boundaries in multi-tenant TDX environments. The vulnerability stems from insufficient validation of host-controlled quote_buf->out_len values during remote attestation operations. Patches available for stable branches 6.12.80, 6.18.21, 6.19.11, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates low exploitation probability in the wild, with no public exploit code or active exploitation confirmed at time of analysis.
In the Linux kernel, the following vulnerability has been resolved: hwmon: (pmbus/core) Protect regulator operations with mutex The regulator operations pmbus_regulator_get_voltage(), pmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage() access PMBus registers and shared data but were not protected by the update_lock mutex. This could lead to race conditions. However, adding mutex protection directly to these functions causes a deadlock because pmbus_regulator_notify() (which calls regulator_notifier_call_chain()) is often called with the mutex already held (e.g., from pmbus_fault_handler()). If a regulator callback then calls one of the now-protected voltage functions, it will attempt to acquire the same mutex. Rework pmbus_regulator_notify() to utilize a worker function to send notifications outside of the mutex protection. Events are stored as atomics in a per-page bitmask and processed by the worker. Initialize the worker and its associated data during regulator registration, and ensure it is cancelled on device removal using devm_add_action_or_reset(). While at it, remove the unnecessary include of linux/of.h.
Path traversal in InstructLab's chat session handler enables local authenticated attackers to write files to arbitrary filesystem locations by manipulating the logs_dir parameter. Red Hat Enterprise Linux AI 3 deployments are confirmed affected. CVSS 7.1 (High) reflects significant confidentiality and integrity impact, though exploitation requires local access and low-level privileges. No active exploitation (CISA KEV) or public proof-of-concept identified at time of analysis. EPSS data not available, suggesting limited immediate widespread exploitation risk despite high severity rating.
Local privilege escalation in uutils coreutils mkfifo allows authenticated users to downgrade permissions on arbitrary files to world-readable mode. When mkfifo attempts to create a FIFO at a path where a file already exists, it erroneously continues execution and calls set_permissions on the existing file, changing its mode to default (typically 644 after umask). This can expose sensitive files like SSH private keys (~/.ssh/id_rsa) or application secrets to unauthorized local users. CISA SSVC confirms proof-of-concept code exists with total technical impact, though EPSS data is not available and the vulnerability is not yet in CISA KEV, indicating exploitation remains theoretical rather than widespread.
OpenRemote Manager allows privilege escalation to Keycloak master realm administrator through improper authorization in the Manager API. Users with write:admin permission in any non-master realm can manipulate realm role assignments in other realms, including master, by exploiting missing authorization checks in the updateUserRealmRoles endpoint. An attacker controlling any user in the master realm can grant themselves admin privileges, achieving full Keycloak administrator access. Vendor-released patch version 1.22.1 addresses this vulnerability. No public exploit code identified at time of analysis, though a detailed proof-of-concept is documented in the advisory.
Privilege escalation in uutils coreutils mkfifo utility allows local attackers with low privileges to manipulate file permissions on arbitrary system files. A TOCTOU race condition between FIFO creation and permission setting enables symlink swapping attacks, redirecting chmod operations to unintended targets. SSVC framework indicates proof-of-concept exists with total technical impact. While CVSS rates this 7.0 (High), exploitation requires high attack complexity (race condition timing), low privileges, and write access to the parent directory where mkfifo is executed - most impactful when the utility runs with elevated privileges in automated scripts or system processes. No active exploitation confirmed (not in CISA KEV); EPSS data not available.