Xerte Online Toolkits versions 3.15 and earlier expose the server-side filesystem root path through an unauthenticated GET request to the /setup page, allowing remote attackers to retrieve sensitive path information rendered in HTML responses. This information disclosure enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php, potentially leading to unauthorized file access or further system compromise.
Textpad 8.1.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long buffer string through the Run command interface. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
UltraISO 9.7.1.3519 contains a local buffer overflow vulnerability in the Output FileName field of the Make CD/DVD Image dialog that allows attackers to overwrite SEH and SE handler records. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Angry IP Scanner 3.5.3 contains a buffer overflow vulnerability in the preferences dialog that allows local attackers to crash the application by supplying an excessively large string. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Angry IP Scanner for Linux 3.5.3 contains a denial of service vulnerability that allows local attackers to crash the application by supplying malformed input to the port selection field. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial of service in GitLab CE/EE versions 12.3 through 18.11.0 allows authenticated users to trigger excessive resource consumption during issue import operations due to improper input validation on user-supplied data. The vulnerability affects all minor versions from 12.3 onwards until patched versions 18.9.6, 18.10.4, and 18.11.1. Publicly available exploit code exists, and CISA SSVC assessment indicates the vulnerability is exploitable but not automatable at scale.
Authenticated users can trigger denial of service in GitLab CE/EE versions 10.6 through 18.11.0 by sending crafted requests to the discussions endpoint that exhaust server resources. The vulnerability requires valid authentication credentials and affects all affected versions across the 10.6, 18.9, 18.10, and 18.11 release branches. Publicly available exploit code exists; CISA has not yet listed this in the Known Exploited Vulnerabilities catalog, but active exploitation likelihood is moderate given public POC availability and the low complexity of resource exhaustion attacks.
Authenticated users can trigger denial of service in GitLab by overwhelming system resources through the GraphQL API due to insufficient resource allocation limits. Affected versions span from 12.4 through 18.11.0 across three release branches. Publicly available exploit code exists, though active exploitation has not been confirmed in CISA KEV. CVSS 6.5 reflects moderate severity with high availability impact but requires valid authentication.
Denial of service in GitLab CE/EE affects authenticated users who can trigger resource exhaustion when retrieving notes under specific conditions, causing service unavailability. Versions 9.2 through 18.9.5, 18.10.0 through 18.10.3, and 18.11.0 are vulnerable. An authenticated attacker with standard user privileges can exploit this remotely without user interaction via crafted note retrieval requests. A publicly available exploit exists, and patches have been released by GitLab.
Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript code through the Forum Name field in dashboard. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Beghelli SicuroWeb (Sicuro24) lacks Content Security Policy enforcement, permitting unrestricted loading of external JavaScript from attacker-controlled origins. When combined with template injection and sandbox escape flaws in the same application, this missing security header removes browser-enforced protections that would otherwise prevent external script execution, enabling attackers to inject arbitrary remote payloads into operator sessions. Publicly available exploit code exists, and SSVC analysis confirms exploitability is achievable but not automatable, with partial technical impact.
GitLab CE/EE 18.11 before 18.11.1 allows authenticated users to bypass access controls and read titles of confidential or private issues in public projects through improper validation in the issue description rendering process. The vulnerability requires valid user credentials but no elevated privileges, affecting the confidentiality of issue metadata that should be restricted. Publicly available exploit code exists, and a vendor patch is available.
Denial of service in pypdf prior to version 6.10.1 allows remote attackers to craft malicious PDF files with oversized cross-reference stream `/Size` values or object stream `/N` values, causing excessive processing time and long runtimes. No authentication is required; the vulnerability is triggered by parsing a specially crafted PDF file. Patch version 6.10.1 is available from the vendor.
SQL injection in OwnTone Server 28.4 through 29.0 allows unauthenticated remote attackers to inject arbitrary SQL expressions via the query= and filter= parameters in DAAP requests, enabling bypass of access controls and unauthorized retrieval of media library data. The vulnerability stems from insufficient sanitization of integer-mapped DAAP field parameters and affects default network-accessible deployments without requiring user interaction.
Remote denial-of-service in OpenVPN server allows a low-privileged network attacker possessing a valid tls-crypt-v2 client key to crash the server daemon by sending a suitably malformed packet that passes cryptographic validation but triggers a fatal ASSERT() failure, terminating the server process and disconnecting all active VPN sessions. The vulnerability is limited to deployments with tls-crypt-v2 enabled and requires possession of a legitimate client key, constraining the attacker pool. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
DOMPurify versions 3.0.1 through 3.3.3 fail to prevent prototype pollution-based XSS attacks when using default configurations. An attacker who can exploit a prototype pollution gadget elsewhere in the application can pollute Object.prototype with permissive regex values, causing DOMPurify to bypass sanitization and allow arbitrary custom elements with event handler attributes. The vulnerability affects the standard DOMPurify.sanitize(userInput) call without requiring special configuration.
The Nimiq staking contract accepts UpdateValidator transactions that omit proof-of-knowledge validation when updating voting keys, enabling rogue-key attacks against BLS signature aggregation used in Tendermint block justification. An attacker who can predict the next epoch's validator set could forge quorum-appearing block justifications with a single signature. Exploitation is constrained by the requirement to predict future validator set composition via VRF, making real-world attacks unlikely despite the critical cryptographic impact. Vendor-released patch v1.3.0 addresses the vulnerability.
Cross-site scripting (XSS) in DOMPurify when using SAFE_FOR_TEMPLATES with RETURN_DOM or RETURN_DOM_FRAGMENT modes allows remote attackers to execute arbitrary JavaScript by crafting malformed HTML that reassembles into template expressions after DOM normalization. The vulnerability affects DOMPurify from v1.0.10 through at least v3.3.3, exploitable when sanitized output is mounted into template-evaluating frameworks like Vue 2. A proof-of-concept demonstrates reliable exploitation with alert(1) execution.
Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root filesystem by supplying a symbolic link that resolves to the root directory, rather than relying on authentic root inode comparison. The vulnerability affects coreutils versions before 0.7.0 and requires local access with no special privileges, though successful exploitation is hindered by high complexity (AC:H). CISA exploitation status is none at time of analysis, and a vendor patch has been released.
Improper validation of STRING tensor offsets in Samsung Open Source ONE prior to commit 1.30.0 allows local attackers with user interaction to trigger out-of-bounds memory access during constant tensor import, potentially causing information disclosure, data modification, or denial of service. The vulnerability affects the tensor metadata parsing logic when processing malformed string tensor definitions.
Integer overflow in Samsung Open Source ONE's output tensor copy size calculation allows local attackers with user interaction to cause memory corruption and potential code execution through oversized tensor processing. The vulnerability affects versions prior to 1.30.0 and stems from improper integer arithmetic when computing copy lengths for tensor data, enabling an attacker to trigger buffer overflows by crafting malicious tensor inputs that bypass size validation.
The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across filesystem boundaries, allowing local authenticated users to trigger resource exhaustion via disk space consumption, disclose sensitive data through unexpected file duplication, or cause denial of service through infinite symlink loop recursion. Affected versions prior to 0.7.0 are vulnerable; a vendor-released patch is available.
The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during file copying with the -p flag, potentially creating unprivileged user-owned files that retain elevated privilege bits and violate security policies. This behavior diverges from GNU cp, which strips these bits when ownership preservation fails. Local users with write access to directories can exploit this to create unexpected privileged executables.
Integer overflow in constant tensor data size calculation in Samsung Open Source ONE prior to version 1.30.0 allows local attackers with user interaction to cause incorrect buffer sizing for large constant nodes, leading to buffer overflow conditions that may result in information disclosure or denial of service. The vulnerability requires local access and user interaction but can trigger high-severity memory corruption due to incorrect buffer allocation for tensors exceeding integer size limits.
Integer overflow in tensor copy size calculation within Samsung Open Source ONE enables out of bounds memory access during loop state propagation. Unauthenticated local attackers with user interaction can trigger the overflow to read sensitive data, modify memory, or cause denial of service on affected versions prior to 1.30.0. CVSS 6.6 indicates moderate severity with high availability impact.
Integer overflow in memory copy size calculation in Samsung Open Source ONE prior to commit 1.30.0 allows local attackers with user privileges to trigger invalid memory operations by supplying tensors with large shapes, potentially causing information disclosure, data corruption, or denial of service. The vulnerability requires user interaction (UI:R) and operates with low attack complexity on local systems. No public exploit code or active exploitation has been identified.
Integer overflow in tensor buffer size calculation in Samsung Open Source ONE prior to version 1.30.0 allows local attackers with user-level privileges to cause out-of-bounds memory access, leading to information disclosure and denial of service. The vulnerability requires user interaction to process specially crafted large tensor data. CVSS 6.6 indicates moderate severity with local attack vector and high availability impact.
Local file inclusion in Breaking News WP plugin for WordPress (versions up to 1.3) allows authenticated attackers with Subscriber-level access to read arbitrary files on the server. The vulnerability stems from insufficient path validation in the brnwp_show_breaking_news_wp() shortcode handler, which passes unsanitized user input directly to PHP's include() function after stripping only text field characters but not directory traversal sequences. Attackers can exploit the unprotected brnwp_ajax_form AJAX endpoint to overwrite the brnwp_theme option with paths like ../../../../etc/passwd, then trigger file inclusion when the shortcode renders.
Raindrop.io Bookmark Manager Web App version 5.6.76.0 allows remote unauthenticated attackers to obtain sensitive user data through insufficient validation of Chrome extension identifiers in crafted requests. The vulnerability exploits improper input validation (CWE-20) to bypass security controls, enabling information disclosure with low integrity impact. No active exploitation has been confirmed in CISA KEV, but publicly available vulnerability research exists on GitHub.
Insecure direct object references in Augmentt 1.0 allow unauthenticated remote attackers to access and modify sensitive tenant data across different organizational contexts, bypassing authentication mechanisms through direct manipulation of object identifiers. The vulnerability enables both unauthorized information disclosure and modification of tenant configuration with CVSS 6.5 (medium severity); no public exploit code has been identified at the time of analysis, though the attack is automatable and requires no user interaction.
BigBlueButton versions prior to 3.0.24 allow authenticated viewers to inject or overwrite captions due to missing authorization controls, enabling unauthorized modification of classroom content. The vulnerability requires an authenticated session but does not need user interaction, affecting the integrity of real-time collaboration in virtual classroom deployments. Version 3.0.24 restricts caption submission permissions to authorized roles only.
Path traversal in DDEV versions prior to 1.25.2 allows remote attackers to write files outside intended extraction directories when downloading and extracting archives from remote sources. The vulnerability affects the Untar() and Unzip() functions in pkg/archive/archive.go, which lack path validation during extraction. Exploitation requires user interaction (UI:R) to trigger archive extraction but can achieve high integrity impact through arbitrary file write. A proof-of-concept exists, and CISA SSVC framework rates this as exploitable with partial technical impact.
PowerDNS Authoritative server allows authenticated REST API operators to inject malformed HTTPS or SVCB record data, corrupting the LMDB backend database and causing service degradation or denial of availability. The vulnerability requires high-privilege REST API access and affects deployments using LMDB as the backend storage engine, with confirmed impact on data integrity and availability.
DNSdist is vulnerable to denial of service via out-of-bounds write when processing crafted UDP responses from a rogue backend server. An attacker controlling a backend DNS server can send a specially crafted UDP response with a query ID set off-by-one from the maximum configured value, triggering memory corruption that crashes the DNS forwarder. The CVSS score of 6.5 reflects network attack vector with high complexity and absence of confidentiality impact, though availability and integrity are affected.
Stored Cross-Site Scripting in the Gutentools WordPress plugin (versions up to 1.1.3) allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into pages via the Post Slider block's block_id attribute. The vulnerability exploits insufficient input sanitization combined with a custom unescaping routine that reintroduces dangerous characters, enabling persistent payload execution whenever users access injected pages. This affects all installations using the plugin at or below version 1.1.3 and requires only low-privileged WordPress authentication.
Stored Cross-Site Scripting (XSS) in the Gallagher Website Design WordPress plugin through version 2.6.4 allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript into pages via the 'prefix' attribute of the login_link shortcode, bypassing input sanitization and output escaping controls. The injected scripts execute in the context of any user viewing the affected page, potentially enabling session hijacking, credential theft, or malicious redirection. Wordfence has documented the vulnerability with proof-of-concept references to the vulnerable code in the WordPress plugin repository.
Cross-site scripting in Marko template engine allows authenticated attackers to break out of script and style tags using mixed-case closing tags (e.g., </SCRIPT>, </Style>) and inject arbitrary HTML/JavaScript. The vulnerability affects any Marko template that interpolates untrusted user data inside <script> or <style> blocks, enabling stored XSS attacks against victim browsers with CVSS 6.4 (network-accessible, low complexity, requires low privileges). Vendor-released patch available.
Stored Cross-Site Scripting in Switch CTA Box WordPress plugin up to version 1.1 allows authenticated contributors and above to inject arbitrary JavaScript through unsanitized post meta fields including button link, button ID, button text, and description. The vulnerability arises from direct output of user-supplied data into HTML without escaping functions, enabling attackers to execute malicious scripts whenever pages containing injected shortcodes are accessed by any visitor.
Stored Cross-Site Scripting in the Quran Live Multilanguage WordPress plugin versions up to 1.0.3 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via unsanitized shortcode attributes ('cheikh' and 'lang'). The vulnerability exploits insufficient input validation in the quran_live_render() function and direct output of user-supplied values into inline <script> blocks without escaping, enabling injection of arbitrary web scripts that execute whenever a user accesses the compromised page.
Stored cross-site scripting in Slider Bootstrap Carousel WordPress plugin up to version 1.0.7 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via unsanitized 'category' and 'template' shortcode attributes, executing malicious scripts in pages viewed by any user. The vulnerability stems from improper use of extract() on shortcode attributes combined with missing output escaping (esc_attr()) on multiple HTML attributes, enabling persistent XSS injection that affects site security and user data.
Stored cross-site scripting (XSS) in Easy Social Photos Gallery - MIF plugin for WordPress (versions up to 3.1.2) allows authenticated attackers with contributor-level access to inject arbitrary HTML and JavaScript via the 'wrapper_class' shortcode attribute of the 'my-instagram-feed' shortcode. The vulnerability exists because the plugin uses sanitize_text_field() instead of esc_attr() when outputting the attribute inside HTML class tags, allowing attackers to break out of the attribute context and inject event handlers that execute in users' browsers when they visit affected pages.
Stored Cross-Site Scripting in WPMK Block plugin for WordPress up to version 1.0.1 allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via the 'class' shortcode attribute, which is directly concatenated into HTML without proper escaping. The vulnerability affects all versions through 1.0.1 due to insufficient input sanitization in the wpmk_block_shortcode() function, enabling persistent XSS attacks that execute whenever users access compromised pages.
Stored cross-site scripting in Twittee Text Tweet WordPress plugin versions up to 1.0.8 allows authenticated users with Contributor-level access to inject arbitrary JavaScript via unsanitized shortcode attributes. The ttt_twittee_tweeter() function uses extract() to process shortcode parameters and concatenates them directly into HTML and inline JavaScript contexts without escaping, enabling attackers to break out of attribute contexts and inject event handlers that execute against site visitors. The vulnerability affects the 'id', 'tweet', 'content', 'balloon', and 'theme' parameters.
Stored cross-site scripting in the ER Swiffy Insert WordPress plugin through version 1.0.0 allows authenticated users with Contributor access or higher to inject arbitrary JavaScript via unsanitized shortcode attributes that are directly interpolated into page output. The vulnerability affects all versions of the plugin and requires only contributor-level privileges to exploit, making it a persistence and privilege-escalation vector on WordPress sites with multiple user accounts.
Stored cross-site scripting in Bread & Butter plugin for WordPress up to version 8.2.0.25 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'event' attribute of the 'breadbutter-customevent-button' shortcode. The vulnerability arises from missing output escaping in the customEventShortCodeButton() function, which directly interpolates unsanitized user input into an onclick HTML attribute. Scripts execute in the context of any user viewing the affected page, enabling session hijacking, credential theft, or malicious content injection.
Stored cross-site scripting in CI HUB Connector plugin for WordPress up to version 1.2.106 allows authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript through the 'id' attribute of the cihub_metadata shortcode, which executes in the context of any user visiting the injected page. The vulnerability stems from insufficient input sanitization and output escaping in the shortcode handler, enabling persistent XSS attacks that can compromise site visitors and administrative accounts.
Stored Cross-Site Scripting in Posts Map plugin for WordPress up to version 0.1.3 allows authenticated contributors to inject arbitrary JavaScript via the 'name' shortcode attribute. When any user accesses a page containing the malicious shortcode, the injected script executes in their browser with the privileges of their WordPress session, potentially enabling account compromise, admin impersonation, or malware distribution. The vulnerability requires contributor-level or higher access and affects all versions through 0.1.3.
Stored cross-site scripting (XSS) in the Text Snippets plugin for WordPress up to version 0.0.1 allows authenticated attackers with contributor-level access to inject arbitrary JavaScript into pages via unsanitized shortcode attributes, which executes whenever any user visits the affected page. The vulnerability stems from insufficient input sanitization and output escaping on the `ts` shortcode, enabling persistent payload injection. No public exploit code or active exploitation has been identified at time of analysis.
Simple Random Posts Shortcode plugin for WordPress versions up to 0.3 contains stored cross-site scripting (XSS) via insufficient sanitization of the 'container_right_width' shortcode attribute, allowing authenticated contributors and above to inject arbitrary JavaScript that executes in browsers of all users accessing affected pages. No active exploitation has been confirmed, but the vulnerability requires only contributor-level access and carries network-based attack vector with low complexity.