Unauthenticated attackers can bypass Stripe payment gates in Otter Blocks for WordPress ≤3.1.4 by forging the 'o_stripe_data' cookie with publicly visible product IDs from checkout block HTML source, gaining unauthorized access to premium content. The plugin's 'get_customer_data' method accepts unsigned cookie data without server-side Stripe API verification for one-time purchases, enabling trivial exploitation with no authentication required. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects high confidentiality impact from accessing gated content. EPSS data unavailable; no active exploitation or POC confirmed at time of analysis, but the attack requires only basic HTTP cookie manipulation skills.
NULL pointer dereference in ASR Lapwing Linux's IMS client (sipuri.c) allows authenticated remote attackers to trigger service crashes and potentially execute code with changed scope. The vulnerability exists in the SIP URI parsing logic of the ASR1903 hardware platform's ims_client module. With CVSS 7.4 and scope change to Container, successful exploitation enables lateral impact beyond the vulnerable component. No CISA KEV listing or public exploit code identified at time of analysis, though EPSS data unavailable.
Out-of-bounds read in ASR Kestrel's nr_fw power control module enables authenticated remote attackers to trigger buffer overflow conditions, potentially disclosing sensitive information and compromising system integrity with low-to-moderate impact across security boundaries. Exploitable over the network with low complexity by attackers holding low-privilege credentials. EPSS data unavailable; not currently listed in CISA KEV. Vendor advisory confirms patch released February 10, 2026.
Certificate name-constraints bypass in GnuTLS allows a remote attacker to craft a leaf certificate whose Subject Alternative Name differs only in letter casing from a constrained dNSName or rfc822Name, causing GnuTLS to accept a certificate that its excludedSubtrees/permittedSubtrees policy should reject. The flaw stems from case-sensitive comparison of name-constraint labels and enables unauthorized access, impersonation, or information disclosure across software (notably Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4) that relies on GnuTLS for X.509 validation. SSVC notes a public proof-of-concept exists, though EPSS exploitation probability is very low (0.03%, 9th percentile) and the issue is not in CISA KEV.
Code injection in Qt SVG module allows attackers to execute arbitrary QML/JavaScript when applications load malicious SVG files through Qt Quick's VectorImage component. Exploitation requires local file access and user interaction (opening crafted SVG). While QML execution is more restricted than native code, attackers can still trigger denial of service, exfiltrate application data, or manipulate UI logic depending on the victim application's privilege context. No active exploitation confirmed (not in CISA KEV), but patch available from Qt Project reduces urgency for immediate emergency response.
Local file disclosure in IntelliJ IDEA's built-in web server allows remote attackers to read arbitrary local files via network requests requiring user interaction. JetBrains IDEA versions before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, and 2026.1.1 are affected. The vulnerability achieves scope change (CVSS S:C) enabling cross-context information theft with high confidentiality impact but no integrity or availability damage. No active exploitation (KEV-absent) or public POC identified at time of analysis, though vendor disclosure suggests controlled remediation timeline.
Command injection in Pallets Click's click.edit() function (versions ≤8.3.2) allows local attackers with high privileges to execute arbitrary OS commands via shell metacharacters. The vulnerability stems from unsafe use of shell=True in subprocess calls, fixed in version 8.3.3 by switching to shlex.split for command parsing. Attack complexity is high (AC:H) and requires user interaction (UI:R), limiting real-world exploitation despite CVSS 7.2 score. Public proof-of-concept exists (SSVC: exploitation=poc) but no evidence of active exploitation (not in CISA KEV). EPSS data not provided but expected low given local-only access vector and multiple exploitation constraints.
Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modified client software to crash the server through specially crafted messages. This denial-of-service vulnerability requires low-privilege authentication and presents moderate real-world risk given the client modification prerequisite. EPSS data not available; no confirmed active exploitation or public proof-of-concept identified at time of analysis.
Authenticated users with restricted permissions in Kirby CMS can access pages and files they should not be able to view, bypassing configured access controls in the Panel and REST API. This affects Kirby installations where administrators have explicitly disabled `pages.access`, `pages.list`, `files.access`, or `files.list` permissions for specific user roles through blueprints. The vulnerability allows information disclosure of content models that should be hidden, though write operations remain protected. Patched versions 4.9.0 and 5.4.0 are available from the vendor. No public exploit identified at time of analysis, with EPSS data unavailable for this recent disclosure.
Path traversal in ColorOS Assistant allows local attackers to manipulate file downloads and cause high availability impact via an unauthenticated download channel. The vulnerability (CWE-23) enables writing files to arbitrary paths when a user is socially engineered to trigger the malicious download. OPPO has published a security advisory. No active exploitation confirmed; EPSS data not available for this recent 2026 CVE.