SQL injection in MixPHP Framework 2.x through 2.2.17 allows unauthenticated remote attackers to read or modify database contents via a crafted data array passed to the data function in BuildHelper.php. The vulnerability has an automatable exploitation path per CISA SSVC but no public exploit code or active KEV listing identified at analysis time. CVSS 6.5 (medium) reflects network-accessible SQL injection with partial confidentiality and integrity impact but no availability impact.
Server-Side Request Forgery (SSRF) in Apache Neethi allows remote attackers to make arbitrary outbound requests to internal IP addresses and non-HTTP/HTTPS protocols when an application explicitly calls the PolicyReference API to retrieve remote policies. The vulnerability affects all versions before 3.2.2, which restricts URI schemes to HTTP/HTTPS and blocks link-local, multicast, and any-local addresses. No active exploitation has been confirmed at this time.
WhatsApp for Windows prior to v2.3000.1032164386.258709 permits attachment spoofing via maliciously formatted documents with embedded NUL bytes in filenames, causing the application to display files as benign types while executing them as executables upon opening. The vulnerability requires user interaction to open a crafted attachment delivered over the network, enabling an attacker to achieve code execution with the privileges of the WhatsApp process. No public exploit code or active exploitation has been confirmed at time of analysis.
Unauthenticated traffic relay vulnerability in Prosody mod_proxy65 module allows network attackers to bypass access control during SOCKS5 activation, resulting in integrity compromise and service disruption without requiring authentication. Affected versions are Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5 when mod_proxy65 is enabled. CVSS 6.5 reflects medium severity with network-accessible attack surface, low complexity, and non-privileged unauthenticated access, though confirmed availability and integrity impact limits widespread severity.
Improper access control in Prosody's mod_proxy65 module allows unauthenticated relaying of traffic when the module enters a paused state, enabling attackers to bypass authentication and impact data integrity and availability across affected versions. Prosody before 0.12.6 and versions 1.0.0 through 13.0.0 before 13.0.5 are vulnerable when mod_proxy65 is explicitly enabled; no public exploit code or active exploitation has been confirmed at time of analysis, though the network-accessible vulnerability with no authentication requirement and low complexity presents meaningful real-world risk.
Stored cross-site scripting in Elementor Website Builder plugin for WordPress up to version 4.0.4 allows authenticated contributors to inject arbitrary JavaScript via form-encoded REST API requests to the _elementor_data meta field. The vulnerability bypasses sanitization by exploiting a json_decode() failure on non-JSON request bodies, causing unsanitized data to be stored and later output without escaping in widget rendering functions. Contributors and above can inject malicious scripts that execute for all users viewing affected pages, compromising site integrity and user sessions.
Transport-state spoofing in Bandit 1.0.0 through 1.10.x allows unauthenticated remote attackers to forge HTTPS connections over plaintext HTTP by supplying a malicious URI scheme in HTTP/1.1 absolute-form request targets or HTTP/2 :scheme pseudo-headers. The vulnerable determine_scheme/2 function returns client-supplied scheme values verbatim, causing downstream Plug middlewares to make incorrect security decisions: Plug.SSL skips HTTP→HTTPS redirects, secure cookies are transmitted unencrypted, and CSRF/SameSite protections may be bypassed. CVSS 6.3 (network-accessible, low complexity). Vendor patch available (version 1.11.0+).
HTTP request smuggling in mtrudel bandit before version 1.11.0 allows unauthenticated attackers to bypass edge security controls when the application sits behind a proxy that interprets duplicate Content-Length headers differently. The vulnerability stems from Bandit accepting only the first Content-Length header while proxies may use the last value, causing request framing desynchronization that enables smuggling past WAF rules, path-based ACLs, rate limiting, and audit logging. CVSS 6.3 (AV:N/AC:L/AT:P) indicates network-accessible exploitation with some attack timing complexity; no public exploit code or active KEV listing identified at analysis time, but RFC 9112 non-compliance creates a known attack pattern.
Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Path traversal in Dayoooun hwpx-mcp 0.2.0 allows authenticated remote attackers to manipulate the output_path argument in save_document, export_to_text, and export_to_html functions, enabling arbitrary file write or read operations outside intended directories. The vulnerability affects the MCP Interface component (mcp-server/src/index.ts) with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, and the vendor has not responded to early disclosure.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the AMF (Access and Mobility Management Function) component via manipulation of the amf_nudm_sdm_handle_provisioned function in the NUDM handler. The vulnerability has publicly available exploit code and affects the authentication and mobility management core of 5G networks, requiring valid credentials to trigger but resulting in service unavailability. Public disclosure has occurred without vendor remediation at the time of analysis.
Code injection vulnerability in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0 allows authenticated remote attackers to execute arbitrary code via unsanitized plugin names in the Tailwind Config Generator. The _format_plugins function constructs require() statements without validation, enabling attackers with login credentials to inject malicious JavaScript into the Tailwind configuration. Publicly available exploit code exists and the vendor has released a patch via pull request, though adoption status is unconfirmed.
Unsafe pickle deserialization in mem0 up to version 1.0.11 allows authenticated remote attackers to execute arbitrary code via manipulation of the faiss.py vector store module. The vulnerability affects the pickle.load/pickle.dump functions used to serialize docstore data, enabling code execution with moderate impact (confidentiality, integrity, availability). Public exploit code is available, and vendor has released a patched version.
Reflected cross-site scripting (XSS) in GSVoIP web panel version 2.0.90 allows remote attackers to inject arbitrary JavaScript via the `msg` parameter in the `/painel/gateways.php/error` endpoint. The vulnerability requires user interaction (clicking a malicious link) but can lead to session hijacking, credential theft, or malware distribution. No authentication is required, and public exploit code exists.
Denial of service in Open5GS AMF component up to version 2.7.7 allows authenticated remote attackers to trigger resource exhaustion via improper handling of PDU session context update messages in the amf_nsmf_pdusession_handle_update_sm_context function. The vulnerability has a low CVSS score (2.1) but publicly available exploit code exists; however, exploitation requires prior authentication to the 5G network, significantly limiting real-world attack surface.
Cross-site scripting (XSS) vulnerability in nextlevelbuilder ui-ux-pro-max-skill up to version 2.5.0 allows remote attackers to inject malicious scripts via unescaped user input in the Slide Generator component's data.get() function. The vulnerability affects slide generation where user-supplied content (titles, subtitles, company names, feature descriptions) is embedded directly into HTML output without sanitization. Publicly available exploit code exists, and the vendor has released a patch via pull request, though the project has not actively responded to security notifications. CVSS score of 2.1 reflects low severity due to required user interaction, but the public availability of exploit code increases practical exploitation risk.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the BSF (Binding Support Function) component by manipulating the ipv6Prefix argument in the bsf_sess_find_by_ipv6prefix function. The vulnerability has a low CVSS score of 2.1 due to requiring authentication and causing only availability impact, but publicly available exploit code exists and the vendor has not yet responded to early disclosure.
Unrestricted file upload in MacCMS Pro up to version 2022.1.3 allows authenticated high-privilege administrators to upload arbitrary files via the plugin installation handler at /admin/addon/add.html, potentially enabling remote code execution. Publicly available exploit code exists, and the vendor has not responded to early disclosure despite contact.
SQL injection in code-projects Gym Management System 1.0 allows authenticated high-privilege users to manipulate the edit_exercise parameter in /admin/edit_exercises.php, enabling remote database queries with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists; CVSS 4.7 reflects low real-world risk due to high-privilege requirement (PR:H), though the vulnerability remains remotely accessible without user interaction.
Out-of-bounds write in AcademySoftwareFoundation OpenImageIO up to version 3.2.0.1-dev occurs in the DDS Image Handler (ddsinput.cpp) when processing specially crafted DDS image files. A local attacker with limited privileges can trigger the vulnerability by opening a malicious DDS file, potentially causing memory corruption and denial of service. Publicly available exploit code exists, though the CVSS score of 1.9 reflects low impact scope and limited privileges required.
Path traversal in Fujian Apex LiveBOS through the /feed/UploadImage.do endpoint allows remote attackers to manipulate the filename parameter and write files to arbitrary locations on the server. Versions up to 2.0 are affected. Public exploit code is available. Upgrading to version 2.1 resolves the vulnerability.
A denial of service condition in the Linux kernel's Cadence USB3 (cdns3) gadget driver occurs when gadget initialization fails, leaving the DRD hardware in gadget mode while software state remains inactive. Switching the device to USB host mode via sysfs triggers a synchronous external abort in the xHCI host controller setup, causing a kernel crash. Local authenticated users with access to the USB role-switch sysfs interface can trigger this condition, affecting Linux kernel versions 5.4 through current releases. A patch is available from the Linux kernel project.
tcm_loop target reset handler fails to drain in-flight SCSI commands, violating SCSI error handling contract and causing LUN reference leaks that deadlock configfs LUN unlink operations. Local users with appropriate privileges can trigger denial of service by initiating reset sequences while SCSI commands are in flight, leaving the kernel in an unkillable D-state waiting for LUN reference counts to clear. This is a local denial of service affecting the SCSI target core's tcm_loop loopback driver across multiple kernel versions.
Kernel denial of service via crafted btrfs metadata allowing local attackers to trigger an unguarded BUG_ON() condition during relocation recovery at mount time. The vulnerability arises when a root item on disk contains a non-zero drop_progress with zero drop_level, an invalid state that should not exist but lacks validation on read. CVSS 5.5 reflects local attack vector and availability impact; EPSS 0.02% indicates minimal real-world exploitation likelihood.
Denial of service in the Linux kernel AF_ALG crypto interface allows local authenticated attackers to trigger a NULL pointer dereference and kernel panic by sending sequential sendmsg() calls that cause scatter-gather list chain operations to fail to properly unmark SGL boundaries. The vulnerability occurs when AF_ALG allocates chained SGL structures without clearing end markers on previous entries, causing the crypto scatterwalk to encounter premature termination and dereference NULL pointers. CVSS 5.5 (AV:L/AC:L/PR:L) reflects local-only attack requirement with low complexity; EPSS 0.02% (7th percentile) indicates minimal real-world exploitation risk despite kernel panic severity.
In the Linux kernel, the following vulnerability has been resolved: net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak __radix_tree_create() allocates and links intermediate nodes into the tree one by one. If a subsequent allocation fails, the already-linked nodes remain in the tree with no corresponding leaf entry. These orphaned internal nodes are never reclaimed because radix_tree_for_each_slot() only visits slots containing leaf values. The radix_tree API is deprecated in favor of xarray. As suggested by Matthew Wilcox, migrate qrtr_tx_flow from radix_tree to xarray instead of fixing the radix_tree itself [1]. xarray properly handles cleanup of internal nodes - xa_destroy() frees all internal xarray nodes when the qrtr_node is released, preventing the leak. [1] https://lore.kernel.org/all/20260225071623.41275-1-jiayuan.chen@linux.dev/T/
Information disclosure in the Linux kernel's traffic control (tc) scheduler allows local users with low privileges to read uninitialized kernel heap memory through the tc_chain_fill_node() function, which fails to zero-initialize the tcm_info field in netlink messages before transmission to userspace. The vulnerability affects multiple stable kernel series and has a vendor-released patch available across all affected versions.
Denial of service in the Linux kernel NFC PN533 UART driver allows local authenticated attackers to exhaust memory by sending malformed NFC frames without valid headers, causing unbounded socket buffer growth until kernel crash. Affects Linux 5.5 through 7.0 with patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0); EPSS exploitation probability is minimal at 0.02%, but local privilege is required.
Information disclosure in the Linux kernel netfilter ctnetlink module allows local authenticated users to read stale NAT configuration data from kernel memory via a crafted netlink message. When ctnetlink_alloc_expect() allocates connection tracking expectations without initializing NAT fields, uninitialized memory containing sensitive data from previous slab allocations is exposed to userspace during expectation dumps. This requires local access and low-privileged authentication (PR:L) but carries a high availability impact due to potential memory disclosure vectors.
Denial of service in Linux kernel netfilter nf_tables subsystem allows local privileged users to crash the system by issuing immediate NF_QUEUE verdicts, which are not properly validated and cause kernel panic when processed through the arp family or other code paths that lack queue support. The vulnerability affects multiple kernel versions and requires local access with limited privileges (CAP_NET_ADMIN or equivalent) to exploit.
Linux kernel Bluetooth MGMT subsystem fails to validate the advertised data length field in mesh send operations, allowing local authenticated attackers to trigger denial of service by reading beyond allocated buffer boundaries. The vulnerability affects the mesh_send() function which accepts a truncated MGMT_OP_MESH_SEND command that passes length checks but contains mismatched adv_data_len and actual payload, leading to out-of-bounds access during async mesh transmission. Patch versions include 6.6.134, 6.12.81, 6.1.168, 6.18.22, and 7.0.
Memory leak in the MACB (Cadence Gigabit Ethernet Controller) driver allows local authenticated attackers to cause denial of service through resource exhaustion by failing to unregister fixed-rate clocks allocated during device probe, resulting in memory and clock resource depletion. EPSS exploitation probability is minimal at 0.02%, indicating low real-world risk despite CVSS score of 5.5. Patch versions are available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Null pointer dereference in Linux kernel net/mlx5 LAG (Link Aggregation) driver allows local authenticated attackers to cause denial of service by accessing debugfs interfaces when LAG device context is invalid. The vulnerability exists in mlx5_ldev_add_debugfs() which creates debugfs entries without validating that a valid LAG context exists, exposing the members file and other interfaces that depend on a valid ldev pointer. EPSS exploitation probability is 0.02% (percentile 7%), indicating low real-world exploitation likelihood despite the vulnerability's availability for patching.
In the Linux kernel, the following vulnerability has been resolved: drm/ioc32: stop speculation on the drm_compat_ioctl path The drm compat ioctl path takes a user controlled pointer, and then dereferences it into a table of function pointers, the signature method of spectre problems. Fix this up by calling array_index_nospec() on the index to the function pointer list.
Denial of service via divide-by-zero crash in the hwmon OCC (On-Chip Controller) power monitoring driver affects Linux kernels when the power sensor is queried before initial data samples are collected, typically during early boot. Local attackers with unprivileged user privileges can trigger a kernel panic by accessing the affected sysfs power attribute, causing system availability impact. CVSS 5.5 reflects local attack vector and low complexity; EPSS 0.02% indicates low real-world exploitation probability despite the straightforward trigger condition.
Denial of service in the Linux kernel's mpu3050 gyroscope driver allows local authenticated attackers to crash the system via incorrect IRQ handler cleanup during module unload. A mismatch between the registered IRQ handler (mpu3050->trig) and the handler passed to free_irq() (mpu3050) causes improper cleanup, leading to resource leaks and potential kernel panic when the device is removed or the driver is unloaded. No public exploit code identified; patch available across affected kernel series.
Resource leak in the Linux kernel MPU3050 gyro driver allows local authenticated users to cause denial of service through memory exhaustion by repeatedly triggering iio_trigger_register() failures that fail to release previously allocated interrupt handlers. The vulnerability affects multiple kernel versions and requires local access with unprivileged user privileges, resulting in potential system availability impact with low real-world exploitation likelihood (EPSS 0.02%).
Denial of service in Linux kernel USB dwc2 gadget driver allows local authenticated users to trigger a deadlock via improper spin lock handling in dwc2_hsotg_udc_stop(). The vulnerability stems from a locking protocol violation where dwc2_gadget_exit_clock_gating() expects a held lock but is called without one, causing spin_unlock on an unheld lock followed by a lock held indefinitely, resulting in system hang. No public exploit code identified at time of analysis.
Denial of service via NULL pointer dereference in the Linux kernel USB Cadence 3 (cdns3) gadget driver when ep_queue is called on disabled or unconfigured endpoints. A local authenticated attacker can trigger a kernel crash by invoking the vulnerable code path on systems with cdns3 USB gadget support enabled. No public exploit code has been identified, but the attack requires only local access and low privileges (CVSS 5.5, EPSS 0.02%).
Denial of service in Linux kernel bridge module via malformed IPv6 Neighbor Discovery options allows local authenticated attackers to crash the system by crafting packets with invalid ND option lengths that cause memory access violations in the br_nd_send() function. The vulnerability affects kernel versions 4.15 and later across multiple stable branches. EPSS exploitation probability is very low at 0.02%, reflecting the requirement for local authenticated access and low attack complexity.
Null pointer dereference and invalid I/O port writes in the Linux kernel's comedi ni_atmio16d driver occur when the device attach handler fails, causing the detach handler to call reset_atmio16d() with uninitialized device state. Local privileged attackers can trigger a denial of service by causing attach to fail, resulting in kernel memory access violations or writes to address zero. No public exploit code or active exploitation has been identified; patch versions are available from the Linux kernel stable branches.
Denial of service in Linux kernel VXLAN module allows local authenticated attackers to crash the system via malformed IPv6 neighbor discovery options in vxlan_na_create(). A crafted ND option with incorrect length values can cause out-of-bounds access or undersized payload reads, triggering a kernel panic. EPSS exploitation probability is low at 0.02%, but the vulnerability is confirmed patched across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12).
Memory leaks in the ftgmac100 Ethernet driver's ring allocation function allow local authenticated users to cause a denial of service through resource exhaustion on driver initialization failure. The vulnerability is triggered when ftgmac100_alloc_rings() fails during intermediate allocation stages, returning directly without freeing previously allocated resources (rx_skbs, tx_skbs, rxdes, txdes, rx_scratch). This affects Linux kernel versions prior to fixes released in stable branches 5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and 7.0.
A NULL pointer dereference in the Linux kernel USB gadget UVC (USB Video Class) driver during power management transitions allows local authenticated attackers with low privileges to cause a kernel panic and denial of service. The vulnerability occurs when the PM subsystem freezes user space processes during suspend, causing wait_event_interruptible_timeout() to abort early in uvc_function_unbind(), which nullifies the gadget pointer. When tasks are restarted, the V4L2 release path attempts to access the already nullified pointer, triggering a kernel panic. Patches are available across multiple kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_hid: move list and spinlock inits from bind to alloc There was an issue when you did the following: - setup and bind an hid gadget - open /dev/hidg0 - use the resulting fd in EPOLL_CTL_ADD - unbind the UDC - bind the UDC - use the fd in EPOLL_CTL_DEL When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported within remove_wait_queue (via ep_remove_wait_queue). After some debugging I found out that the queues, which f_hid registers via poll_wait were the problem. These were initialized using init_waitqueue_head inside hidg_bind. So effectively, the bind function re-initialized the queues while there were still items in them. The solution is to move the initialization from hidg_bind to hidg_alloc to extend their lifetimes to the lifetime of the function instance. Additionally, I found many other possibly problematic init calls in the bind function, which I moved as well.
Memory leak in f2fs_rename() function allows local authenticated attackers to cause denial of service through repeated file rename operations. The vulnerability exists in the f2fs filesystem implementation when handling SELinux label initialization during whiteout file creation, due to a missing f2fs_free_filename() call introduced in commit 40b2d55e0452. Vendor patches are available for Linux 6.6.136, 6.12.84, 6.18.25, 7.0.2, and 7.1-rc1.
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix dir separator in SMB1 UNIX mounts When calling cifs_mount_get_tcon() with SMB1 UNIX mounts, @cifs_sb->mnt_cifs_flags needs to be read or updated only after calling reset_cifs_unix_caps(), otherwise it might end up with missing CIFS_MOUNT_POSIXACL and CIFS_MOUNT_POSIX_PATHS bits. This fixes the wrong dir separator used in paths caused by the missing CIFS_MOUNT_POSIX_PATHS bit in cifs_sb_info::mnt_cifs_flags.
In the Linux kernel, the following vulnerability has been resolved: ksmbd: use check_add_overflow() to prevent u16 DACL size overflow set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes in u16 variables. When a file has many POSIX ACL entries, the accumulated size can wrap past 65535, causing the pointer arithmetic (char *)pndace + *size to land within already-written ACEs. Subsequent writes then overwrite earlier entries, and pndacl->size gets a truncated value. Use check_add_overflow() at each accumulation point to detect the wrap before it corrupts the buffer, consistent with existing check_mul_overflow() usage elsewhere in smbacl.c.
Use-after-free vulnerability in the ALSA caiaq USB audio driver allows local authenticated attackers to cause denial of service by triggering asynchronous card free callbacks after USB device disconnection. The vulnerability stems from missing reference counting on the parent USB device pointer, combined with an inappropriate usb_reset_device() call in the card teardown path. EPSS exploitation probability is minimal (0.02%), and no public exploit code or active exploitation has been identified.
Memory corruption and page reference leaks in the Linux kernel mshv (Microsoft Hyper-V) module occur when pin_user_pages_fast() returns a partial pin count, which the current code incorrectly treats as success. A local authenticated attacker with privileges can trigger this vulnerability to corrupt memory or cause denial of service on systems using the mshv module, particularly in Hyper-V guest environments.