Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 through v2.26.15.72 and Android v2.25.8.0 through v2.26.7.10 allows authenticated attackers to trigger processing of media content from arbitrary URLs on a victim's device, potentially invoking OS-controlled custom URL scheme handlers to disclose limited information. No active exploitation has been observed in the wild, and CISA SSVC indicates no known exploitation path despite the network attack vector.
DTrace process can be reliably crashed by unprivileged local attackers via a malicious ELF binary that triggers an integer divide-by-zero condition in the Pbuild_file_symtab() function, causing denial of service. CVSS 3.3 (low severity) reflects local-only attack vector and low privileges required, though the reliable crash mechanism and low exploitation complexity may elevate practical risk in multi-tenant or shared-system environments.
Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the AMF (Access and Mobility Function) service by manipulating the ueContextId parameter in the UE context transfer-update endpoint, resulting in service unavailability. Public exploit code is available but the vendor has not issued a patch or official response despite early notification.
Denial of service in Open5GS up to version 2.7.7 affects the AMF (Access and Mobility Function) component, specifically the ogs_id_get_value function in nudm-handler.c, allowing remote authenticated attackers to cause service unavailability. Publicly available exploit code exists, and the vulnerability has been reported to the project via GitHub issue #4405 without vendor acknowledgment or patch release at time of analysis.
Denial of service in Open5GS AMF SBI Endpoint (versions up to 2.7.7) allows authenticated remote attackers to crash the service by manipulating the changeItem.newValue argument in the /namf-callback/v1/{id}/sdmsubscription-notify endpoint. CVSS score of 2.1 reflects low severity despite network accessibility, primarily due to availability impact limitation and authentication requirement. Exploit code is publicly available, though the vendor has not yet responded to the early notification.
SQL injection in TimBroddin astro-mcp-server up to version 1.1.1 allows authenticated remote attackers to manipulate MCP Tool Query Construction parameters via crafted request.params.arguments, enabling arbitrary SQL query execution. Public exploit code exists and the vendor has not yet responded to early notification, leaving deployed instances at risk.
Permissive CORS policy in MeTube up to version 2026.04.09 allows remote attackers to bypass same-origin restrictions by exploiting wildcard origin acceptance (cors_allowed_origins='*') in the on_prepare function of app/main.py, potentially enabling cross-domain data theft or unauthorized API access. The vulnerability requires user interaction (UI:P) but grants information disclosure via cross-domain requests. Publicly available exploit code exists; upgrade to 2026.04.10 fixes the issue by restricting origins to a configurable allowlist.
Code injection in ExifTool versions up to 13.53 allows local attackers with limited privileges to execute arbitrary code via manipulation of the -ee argument in the Process_mrld function when processing JPEG/QuickTime/MOV/MP4 files. The vulnerability has a very low CVSS score of 1.9 due to local-only attack vector and low impact, but is tagged as RCE. Vendor-released patch available in version 13.54.