Denial of service via improper resource handling in the Client Balance component of Hostbill v.2025-11-24 and v.2025-12-01 allows high-privileged remote attackers to disrupt service availability and trigger limited integrity impacts. The vulnerability stems from insufficient input validation in CWE-400 (Uncontrolled Resource Consumption), requiring administrator-level access but presenting moderate real-world risk due to the low attack complexity and network accessibility of the affected component.
Axios versions prior to 1.15.1 and 0.31.1 contain a character mapping flaw in the AxiosURLSearchParams.encode() function that reverses safe percent-encoding of null bytes, converting %00 back to raw null bytes. While the standard axios request flow remains unaffected, this vulnerability could enable integrity compromise in edge-case scenarios where encoded parameters are processed by downstream systems expecting percent-encoded values. No public exploit code or active exploitation has been identified.
Kimai's Team API endpoints fail to validate entity-level ownership due to incorrect Symfony IsGranted attribute syntax, allowing users with the edit_team permission to modify any team regardless of membership. The vulnerability arises because API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing the TeamVoter to abstain and fall back to role-only permission checks. In default configurations this is unexploitable since only admins hold edit_team permission, but if administrators grant edit_team to lower-privilege roles (such as ROLE_TEAMLEAD) via the permissions UI, those users can modify team memberships, customer assignments, project assignments, and activity assignments for any team without authorization. No public exploit code or active exploitation has been identified.
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.
Stored XSS in AdaptiveGRC text-type form fields allows authenticated attackers to inject malicious JavaScript that executes in victims' browsers, potentially leading to theft of administrator authentication tokens and privilege escalation. The vulnerability affects multiple versions released before December 2025 due to improper server-side parameter validation. User interaction is required for exploitation, and the attacker must first authenticate to the application.
Reflected cross-site scripting (XSS) in Frappe Press login page redirect parameter allows unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser upon clicking a malicious link, with user interaction required. The vulnerability affects all versions prior to the patch commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6, which restricts redirects to internal URLs only. CVSS score of 1.3 reflects very low confidentiality, integrity, and availability impact due to scope limitations, though XSS vulnerabilities carry inherent session hijacking and credential theft risks.