Stored XSS in FreeScout's auto-reply feature allows authenticated users with updateAutoReply permission to inject malicious scripts that execute in customer email clients. Every customer contacting the affected mailbox receives the weaponized auto-reply email, where the payload executes without CSP protection in webmail or email client contexts. The vulnerability affects FreeScout versions prior to 1.8.217, which contains the vendor-released patch. EPSS data not provided, no CISA KEV listing indicates limited observed exploitation despite the chain-reaction impact potential.
Remote unauthenticated command injection in Microsoft's Copilot Chat for Edge browser enables information disclosure via crafted network requests. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates attackers can exploit this remotely without authentication or user interaction, though impact is limited to confidentiality (C:H/I:N/A:N). Microsoft has released a patch per MSRC advisory. No active exploitation confirmed by CISA KEV at time of analysis, though the low attack complexity and lack of authentication requirements make this readily exploitable once technical details emerge.
Injection vulnerability in Microsoft 365 Copilot's Business Chat enables remote unauthenticated attackers to extract sensitive information through specially crafted inputs. Microsoft has released a patch addressing this CWE-74 injection flaw. With CVSS 7.5 (High), network-accessible attack vector, and no authentication required, this represents a significant exposure for organizations using Copilot Business Chat, though no active exploitation is confirmed at time of analysis.
Remote unauthenticated attackers can disclose sensitive information from Microsoft 365 Copilot's Business Chat through improper input neutralization (CVSS 7.5). The vulnerability allows network-based exploitation with low complexity and no user interaction required. Vendor-released patch available via Microsoft Security Response Center (MSRC-2026-26129). No public exploit identified at time of analysis, though the low attack complexity (AC:L) and lack of authentication requirements (PR:N) increase realistic exploitation risk.
Denial-of-service in vm2 Node.js sandbox allows unauthenticated remote attackers to crash host processes via unbounded Buffer.alloc() calls. The vm2 library's timeout mechanism cannot interrupt synchronous C++ native calls, enabling attackers to bypass configured timeout limits and exhaust host heap memory with a single HTTP request. Version 3.11.0 patches this flaw by introducing bufferAllocLimit controls. Publicly available exploit code exists (GHSA-6785-pvv7-mvg7 includes working POC), and while EPSS data is unavailable and the vulnerability is not listed in CISA KEV, the vendor-confirmed POC demonstrates reliable exploitation against default configurations.
Decompression bomb protection bypass in Netty's HttpContentDecompressor and DelegatingDecompressorFrameListener allows remote unauthenticated attackers to trigger out-of-memory denial of service by switching Content-Encoding from gzip to brotli, zstd, or snappy. The configured maxAllocation parameter correctly limits gzip/deflate decompression but is silently ignored for these alternative encodings, enabling attackers to decompress gigabytes of data from kilobyte-sized payloads. Affects both HTTP/1.1 (netty-codec-http) and HTTP/2 (netty-codec-http2) implementations. CVSS 7.5 (High) with network vector, low complexity, and no authentication required. Vendor-released patches available: versions 4.1.133.Final and 4.2.13.Final. No active exploitation confirmed at time of analysis, but publicly disclosed proof-of-concept demonstrates trivial header-based bypass requiring only changing 'Content-Encoding: gzip' to 'Content-Encoding: br'.
Memory exhaustion in Netty's Lz4FrameDecoder allows remote unauthenticated attackers to cause denial of service by sending minimal malicious data that triggers disproportionate server-side memory allocation. A 22-byte crafted LZ4 frame forces the decoder to allocate up to 32MB of heap memory per request, enabling resource exhaustion attacks against Java applications using Netty's compression codec. Publicly available exploit code exists (PoC published in GitHub advisory GHSA-mj4r-2hfc-f8p6). CVSS 7.5 indicates network-exploitable high-availability impact with no authentication or complexity barriers, though real-world risk depends on whether LZ4 decompression is exposed to untrusted network inputs.
Memory exhaustion in Netty HTTP/3 codec allows remote attackers to cause server crash or denial of service through malformed QPACK headers. The vulnerability affects io.netty:netty-codec-http3 versions up to 4.2.12.Final and enables unauthenticated attackers to force gigabyte-scale memory allocations with minimal wire data-a crafted HEADERS frame of just 10 bytes can trigger ~1 GiB allocation. Publicly available exploit code exists (PoC provided in GitHub advisory GHSA-2c5c-chwr-9hqw). CVSS 7.5 (High) reflects network-accessible attack requiring no privileges or user interaction.
Memory and CPU exhaustion in the Netty MQTT codec (io.netty:netty-codec-mqtt) lets remote unauthenticated attackers send oversized MQTT 5 header Properties that are decoded and buffered before the message size limit is enforced. Because MqttDecoder extends ReplayingDecoder, the enormous Properties section is repeatedly re-parsed and re-buffered until parsing completes, driving an application-availability denial of service. There is no public exploit identified at time of analysis, and EPSS is very low (0.04%), but the flaw is automatable and trivial to trigger against any MQTT 5 broker or client built on Netty.
Unauthenticated remote attackers crash Gotenberg 8.x (≤ 8.31.0) by triggering a race condition between webhook goroutine context reuse and Echo framework connection pooling. When webhook middleware spawns an async goroutine holding an `echo.Context` reference, the synchronous handler returns immediately, recycling the context to Echo's `sync.Pool`. Concurrent requests reset the pooled context, causing unchecked type assertions in the still-running webhook goroutine to panic outside any `recover()` scope, terminating the process with exit code 2. Twenty-four webhook requests plus sixty concurrent GET requests demonstrate reliable two-second crash windows. No patch was available at initial disclosure; upstream commit fixes the panic in version 8.32.0. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects trivial unauthenticated network exploitation producing complete service disruption.
Unauthenticated SQL injection in BetterDocs Pro for WordPress allows remote attackers to extract sensitive database contents when the Encyclopedia feature is enabled. The vulnerability affects all versions up to 3.7.0 through unsanitized 'limit' parameters in two AJAX endpoints. With CVSS 7.5 (High severity) and network-based unauthenticated attack vector, this presents significant risk to sites using the Encyclopedia feature, though no active exploitation (KEV) or public POC has been identified at time of analysis. EPSS data not available for risk calibration.
Remote unauthenticated attackers can access Google Secrets Manager credentials from unintended GCP projects via crafted requests to Spring Cloud Config servers using Google Secrets Manager as a backend. VMware confirmed this high-severity information disclosure vulnerability (CVSS 7.5) affecting all 3.1.x through 5.0.x versions. No CISA KEV listing or public exploit code identified at time of analysis, but the network-accessible attack vector with no authentication or user interaction required (AV:N/AC:L/PR:N/UI:N) indicates straightforward exploitation once attackers identify vulnerable Spring Cloud Config deployments with Google Secrets Manager integration.
The Go toolchain's module proxy validation can be bypassed by attackers controlling untrusted GOPROXY or GOSUMDB endpoints, allowing delivery of malicious toolchain versions that execute with developer privileges. When the go command downloads a different toolchain version (via GOTOOLCHAIN, go.mod, or go.work directives), a malicious proxy can serve altered toolchains by exploiting checksum database validation logic that incorrectly accepts empty responses. While EPSS indicates only 1% exploitation probability and CISA SSVC marks exploitation status as 'none', the total technical impact rating and network attack vector (AV:N) represent significant supply chain risk for organizations using non-default module proxies. Vendor patch available in Go 1.26.3 and 1.25.10.
Regular expression denial of service (ReDoS) in youtube-regex npm package versions ≤1.0.5 allows remote unauthenticated attackers to cause service-level availability degradation through network-delivered crafted inputs. Attackers can trigger catastrophic backtracking in the regex parser, causing CPU exhaustion and application hang. SSVC framework confirms proof-of-concept code exists with automatable exploitation capability. While CVSS rates this high severity (7.5) for availability impact, real-world risk depends on whether the vulnerable package processes untrusted user input in production environments.
OpenStack Cyborg allows any authenticated user to reprogram FPGA bitstreams and execute privileged operations across arbitrary compute nodes due to unconditional authorization bypass in multiple API endpoints. Versions before 16.0.1 use rule:allow as the default policy, permitting any valid Keystone token holder-even users with zero role assignments-to perform administrative actions including FPGA reconfiguration via agent RPC. EPSS data not available, but the authentication bypass combined with scope change (CVSS S:C) and hardware manipulation capabilities represents significant risk in multi-tenant OpenStack deployments.
Certificate validation in GnuTLS can be bypassed when a certificate chain contains Certificate Authorities with only excluded name constraints followed by CAs with permitted name constraints. Remote attackers can exploit this flaw (CVSS 7.4, AV:N/AC:H) to present invalid certificates that pass validation, enabling man-in-the-middle attacks or service impersonation against TLS-protected communications. The vulnerability affects Red Hat Enterprise Linux versions 6-10, OpenShift Container Platform 4, and Red Hat Hardened Images. No public exploit or active exploitation confirmed at time of analysis, though the technical nature suggests targeted attacks against high-value certificate infrastructure are feasible.
Session replay vulnerability in Katalyst Koi admin authentication allows attackers with previously captured session cookies to maintain administrative access after legitimate logout. The issue affects Koi versions prior to 4.20.0 and 5.0.0-5.5.x, stemming from inadequate session invalidation that violates Rails security best practices for CookieStore session replay prevention. While the CVSS score of 7.4 reflects network-based attack potential, the AC:H rating and prerequisite of cookie interception significantly reduce real-world exploitation probability. No evidence of active exploitation or public POC exists at time of analysis, and vendor-released patches are available for both affected version ranges.
Cross-site scripting (XSS) vulnerability in PHP 8.2.x (prior to 8.2.31) allows network-based attackers to inject malicious scripts that execute in victim browsers, compromising session tokens and potentially escalating to account takeover. Vendor-released patch (PHP 8.2.31) addresses this along with seven additional CVEs in a coordinated security release. CVSS 7.3 HIGH with user interaction required; exploitation status classified as POC-available per CVSS 4.0 vector (E:P), though public exploit code not independently verified at time of analysis.
Use-after-free memory corruption in Firefox's DOM Networking component enables remote attackers to achieve unauthorized information disclosure, data manipulation, and service disruption without authentication or user interaction. Affects Firefox mainline and both Extended Support Release (ESR) branches. Mozilla shipped patches in Firefox 150.0.2, Firefox ESR 140.10.2, and Firefox ESR 115.35.2. SSVC analysis indicates no confirmed exploitation but the vulnerability is fully automatable with partial technical impact across confidentiality, integrity, and availability. EPSS data not available but the network attack vector (AV:N) with no prerequisites (AC:L/PR:N/UI:N) presents significant exposure for unpatched installations.
Remote code execution in FacturaScripts ≤2025.71 allows authenticated administrators to upload malicious ZIP files containing path traversal sequences (Zip Slip attack) through the plugin installation mechanism. The vulnerable Plugins::add() function fails to sanitize file paths within ZIP archives, enabling attackers to write arbitrary PHP files outside the plugins directory and execute system commands. A public proof-of-concept exists demonstrating full system compromise. CVSS scores this at 7.2 (High) but requires high-privilege authentication (PR:H), significantly limiting real-world attack surface to scenarios involving compromised admin credentials or malicious insiders.
Undocumented persistent backdoor in Yarbo firmware v2.3.9 grants remote privileged access that survives factory reset and firmware updates. The backdoor requires high-privilege authentication (CVSS PR:H) but provides complete system control once accessed. No public exploit identified at time of analysis, though GitHub repository reference suggests technical disclosure exists. CVSS 7.2 reflects the high-privilege requirement, but persistence across resets and undocumented nature indicate significant supply chain or insider threat risk.
Cross-site scripting (XSS) in Postorius mail list management interface allows unauthenticated remote attackers to inject malicious scripts via crafted email subjects in held messages. Active exploitation confirmed in May 2026 per vendor disclosure. Affects all versions through 1.3.13. Public exploit code available via GitLab merge request #972. EPSS data not yet available for this recent CVE, but confirmed in-the-wild activity elevates priority significantly despite moderate CVSS 7.2 score.
Time-of-check-time-of-use (TOCTOU) race condition in Spring Cloud Config Server's Git repository cloning mechanism allows local privileged attackers with high-privilege system access to potentially read or modify configuration data intended for other applications. Exploitation requires timing manipulation of the basedir filesystem path between validation and use, enabling symlink attacks or directory substitution. CVSS 7.2 reflects high attack complexity (AC:H) and privileged local access (AV:L/PR:H) requirements, but scope change (S:C) indicates impact beyond the vulnerable component. EPSS data not available; no public exploit identified at time of analysis.
Matrix access token disclosure in the Cinny web client (versions before 4.10.3) lets a remote authenticated attacker who shares a room with a victim and can create room emotes (e.g., in a DM) exfiltrate the victim's bearer access token to an attacker-controlled server. The token is leaked when the victim opens the emoji or sticker picker in a room containing a malicious emote pack, because a crafted pack avatar URL is fetched with the user's Authorization header attached. No public exploit has been identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was provided; the vendor rates it CVSS 4.0 7.1 (confidentiality-only impact).
Path traversal in Microsoft APM CLI 0.8.11 and earlier allows malicious plugins to copy arbitrary readable host files into managed project directories during installation. The plugin_parser.py module fails to validate that component paths in plugin.json manifest fields (agents, skills, commands, hooks) remain within the plugin root, enabling attackers to use absolute paths or ../ traversal sequences to exfiltrate local files. Verified proof-of-concept demonstrates a malicious plugin copying external markdown files into .github/prompts/ through the auto-integration pipeline. Exploitation requires user interaction (installing a malicious plugin), but no authentication is required once the user initiates installation. CVSS 7.1 (High) reflects significant confidentiality and integrity impact in a local supply-chain attack scenario. Vendor-released patch available in apm-cli 0.8.12 per GitHub advisory GHSA-xhrw-5qxx-jpwr. No active exploitation (CISA KEV) confirmed, but publicly available exploit code exists with complete proof-of-concept including runnable scripts.
MongoDB Server 8.2 before version 8.2.7 crashes when an authenticated user supplies an empty pipeline to $rankFusion or $scoreFusion aggregation operators on a view. The server fails to validate that the pipeline array is non-empty before accessing its first element during view resolution, resulting in a null pointer dereference that terminates the mongod process. This denial-of-service condition requires database authentication but can be triggered remotely via aggregation queries.
Privilege escalation in FreeScout allows low-privileged agents to reassign conversations to customers in unauthorized mailboxes. The Change Customer modal enforces mailbox-scoped visibility on the frontend search endpoint, but the backend conversation_change_customer action lacks parallel authorization checks, accepting arbitrary customer_email parameters. An authenticated agent with access to mailbox A can forge requests to bind conversations to customers in mailbox B, bypassing tenant isolation controls. Vendor-released patch version 1.8.214 addresses this authorization bypass alongside four related customer visibility vulnerabilities disclosed concurrently (GHSA-mv55-3mgv-fxwr, GHSA-wjw4-8xg6-342m, GHSA-9ff4-mmhv-x6jp, GHSA-674v-r6xp-mvp6). No active exploitation confirmed (not in CISA KEV); CVSS 7.1 reflects network vector with low complexity but requires authenticated agent credentials.
Reflected cross-site scripting in Bricks Builder WordPress theme through version 1.9.2 to 2.2 enables remote attackers to execute malicious JavaScript in victim browsers by crafting URLs with unsanitized input that gets reflected into generated web pages without proper encoding. Exploitation requires victim interaction (clicking a malicious link) but no authentication, making phishing and social engineering viable delivery methods. EPSS and KEV data not available; no public exploit confirmed at time of analysis, though Patchstack disclosure suggests security researchers have demonstrated the vulnerability.
Path traversal in Open Notebook v1.8.3's file upload allows arbitrary file creation or modification within the Docker container filesystem. Attackers with local access can write files outside intended directories, enabling container escape scenarios, configuration tampering, or privilege escalation by overwriting critical system files. No public exploit identified at time of analysis, but the vulnerability affects default configurations where file upload is accessible.
Cross-site scripting in BentoPDF's Markdown to PDF Tool allows remote attackers to execute arbitrary JavaScript when users interact with malicious Markdown content. Affects all versions prior to 2.8.3. Vendor-released patch version 2.8.3 available with immediate upgrade recommended by maintainer. No public exploit identified at time of analysis, though vulnerability was responsibly disclosed by independent researcher. CVSS 7.0 with network attack vector but requires user interaction, reducing automation potential.
Cross-host HTTP redirects in Microsoft Kiota HTTP client libraries leak session cookies, proxy credentials, and custom authentication headers to attacker-controlled domains. When Kiota's RedirectHandler middleware follows 3xx redirects to different hosts (e.g., trusted.example.com → evil.attacker.com), it strips the Authorization header but forwards Cookie, Proxy-Authorization, and all custom headers unchanged. Publicly available exploit code exists with a complete proof-of-concept demonstrating cookie exfiltration to malicious redirect targets. This affects all Kiota language implementations (Java, .NET, Python, TypeScript, Go) and downstream consumers including Microsoft Graph SDK for Java. The vulnerability requires user interaction to trigger the initial API request, but once triggered, credential leakage is automatic on cross-origin redirects (CVSS:4.0 AV:N/AC:L/AT:P/PR:N/UI:P). Vendor-released patches are available across all affected package ecosystems.
Vvveb before 1.0.8.2 exposes the application's secret cron key through an unauthenticated cron controller endpoint, allowing remote attackers to retrieve this sensitive credential and trigger scheduled tasks outside their intended execution windows. The vulnerability affects all deployments with the vulnerable cron controller accessible over the network, with CVSS 5.3 reflecting confidentiality impact from information disclosure without authentication requirements.
Uncontrolled resource consumption in ericmj decimal library (versions 0.1.0 before 3.0.0) allows remote denial of service via maliciously crafted decimal values with extremely large exponents. When applications parse user-supplied decimal input and subsequently perform arithmetic operations, string formatting, rounding, or comparison, the library allocates memory proportional to the exponent magnitude without bounds, exhausting available memory and crashing the BEAM virtual machine. A single malicious request is sufficient to trigger an out-of-memory crash.
Cryptobox external sharing feature leaks information via sharing link URLs that enables offline brute-force attacks against access codes. Remote unauthenticated attackers with knowledge of a sharing link can retrieve sufficient data from the server to conduct offline enumeration of the associated access code, compromising the confidentiality of shared content. No public exploit code has been identified, but the low attack complexity and network accessibility make this a practical vulnerability.
Stored cross-site scripting in MISP before 2.5.37 allows authenticated users with template modification permissions to inject arbitrary JavaScript via unvalidated type and category fields in template element attributes. The vulnerability exploits insufficient input validation in the template element attribute handling logic, enabling attackers to store malicious payloads that execute in the browsers of other users viewing the affected templates. No public exploit code identified at time of analysis.
CRLF injection in Netty's RedisEncoder allows remote command injection and response poisoning by injecting carriage return and line feed characters into InlineCommandRedisMessage, SimpleStringRedisMessage, and ErrorRedisMessage objects. Attackers can inject arbitrary Redis commands (such as CONFIG SET, FLUSHALL, or authentication bypass) or forge fake responses when user-controlled input is placed into these message types without sanitization. The vulnerability affects Netty 4.2.12.Final and all prior versions with the codec-redis module; no active exploitation has been reported in CISA KEV, but publicly available proof-of-concept code demonstrates the vulnerability.
Medtronic MyCareLink Patient Monitor stores per-product credentials in a recoverable (non-hashed or weakly encrypted) format, allowing physical attackers with device access to extract these credentials and modify encrypted drive data without authentication. Affected models include the 24950 and 24952 monitors. The vulnerability requires physical access to the device (CVSS AV:P) but grants full confidentiality, integrity, and availability impact to stored patient data.
Medtronic MyCareLink Patient Monitor models 24950 and 24952 expose an unauthenticated UART login prompt via an internal serial interface, allowing attackers with physical access to potentially gain administrative control without authentication. The vulnerability achieves high confidentiality, integrity, and availability impact (CVSS 6.8) but requires direct physical access to internal hardware connections, limiting real-world exploitation to scenarios involving device tampering or insider threats.
Remote code execution in CODEASTRO Membership Management System v1.0 allows unauthenticated attackers to upload and execute arbitrary files via the /add_members.php endpoint due to improper file sanitization. The vulnerability enables confidentiality and integrity compromise with CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), indicating network-accessible exploitation with no authentication or user interaction required. Public exploit code is available on GitHub.
Path traversal and URL injection in i18next-http-backend prior to version 3.0.5 allows remote attackers to manipulate request URLs by injecting unsanitized language (lng) and namespace (ns) parameters, potentially leading to server-side request forgery (SSRF), path-based authorization bypass, or arbitrary file reads in SSR deployments. The vulnerability affects all applications using the library with user-controlled language selection via query parameters, cookies, localStorage, or request headers-the default configuration. Vendor-released patch: version 3.0.5.
HTTP request smuggling in Netty's chunk size parser allows remote unauthenticated attackers to inject arbitrary HTTP requests by exploiting integer overflow in the hexadecimal chunk size parsing logic. The HttpObjectDecoder.getChunkSize method accumulates the chunk size without proper overflow validation, enabling an attacker to craft a malicious chunk size header that wraps around to a valid size, causing Netty to misinterpret the request boundary and parse injected requests as separate legitimate requests. Publicly available proof-of-concept demonstrates successful parsing of an injected GET request within a chunked POST body, with CVSS score 6.5 (network-accessible, low complexity, no authentication required).
ShellHub Community v0.24.1 and earlier allows authenticated API Key holders to enumerate any tenant namespace and retrieve sensitive membership data (user IDs, emails, roles), settings, and device counts via GET /api/namespaces/:tenant due to a bypassed authorization check. The vulnerability exploits API Key authentication flows that fail to set the user ID header, causing the membership verification to be skipped entirely. Publicly available proof-of-concept code demonstrates validated exploitation against v0.24.1, with complete disclosure of cross-tenant namespace configuration including member lists suitable for targeted phishing campaigns.
Host object identity crosses the vm2 sandbox boundary when Promise resolution delivers objects to sandbox callbacks, allowing sandboxed code to mutate host objects and perform identity checks via WeakMap. The vulnerability stems from Promise.prototype.then wrapping that uses ensureThis() for conversion instead of stronger cross-realm proxying; when no prototype mapping exists, ensureThis() returns the original host object unmodified. This sandbox escape affects vm2 versions up to 3.10.5 and is fixed in 3.11.0.
Stored cross-site scripting (XSS) in WProyal Royal Elementor Addons before version 1.7.1053 allows authenticated users with limited privileges to inject malicious scripts into web pages, which execute in the browsers of site visitors. The vulnerability requires user interaction (UI:R in CVSS) and is limited to users with login credentials (PR:L), but once stored, affects all visitors regardless of their privileges. An attacker with contributor or editor access can compromise website visitors, steal session cookies, or perform actions on their behalf.
FacturaScripts fails to strip EXIF and metadata from user-uploaded images in the Library module, allowing any authenticated user with download access to extract GPS coordinates, device information, timestamps, author names, and other personally identifiable information from downloaded files. An employee uploading a photo taken at their home inadvertently discloses their precise home address to all users with Library access. This affects all image uploads retroactively, with no patched version currently available.
HTTP request smuggling in Netty's HttpRequestDecoder allows remote unauthenticated attackers to inject arbitrary HTTP requests by sending malformed Transfer-Encoding headers (specifically 'Transfer-Encoding: chunked, identity'). When Netty is deployed behind a proxy that forwards such requests without rejection, an attacker can smuggle a second request inside the body of the first, bypassing security controls and accessing unintended resources. The vulnerability is confirmed by public proof-of-concept code demonstrating successful parsing of injected requests.
Forminator Forms plugin for WordPress versions up to 1.53.0 allows authenticated subscribers to configure scheduled exports without authorization checks, enabling attackers to exfiltrate all form submissions by redirecting them to attacker-controlled email addresses. The vulnerability exists in the listen_for_saving_export_schedule() function which lacks the capability verification present in the parallel listen_for_csv_export() function, creating a direct authorization bypass for authenticated low-privilege users to access sensitive data collection and delivery mechanisms.
Appointment Booking Calendar plugin for WordPress up to version 1.6.10.6 allows unauthenticated attackers to view, delete, and modify arbitrary appointments due to missing authorization checks in REST API endpoints. The plugin exposes a site-wide public nonce through an unauthenticated endpoint (/wp-json/ssa/v1/embed-inner), and the appointment deletion and modification endpoints (/wp-json/ssa/v1/appointments/{id}/delete and /wp-json/ssa/v1/appointments/bulk) accept requests with this public nonce even when standard WordPress nonce validation fails, bypassing authorization entirely. Attackers can enumerate and delete appointment records, disclose sensitive booking data, and disrupt services without any authentication.
VINCE versions 3.0.38 and earlier fail to properly verify sender address authenticity due to encoding confusion, allowing unauthenticated remote attackers to forge email From addresses and trigger automated actions such as ticket creation or updates. The vulnerability combines information disclosure with integrity impact, affecting the reliability of ticket management workflows that depend on sender validation.
Cross-Site Request Forgery in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote attackers to execute unauthorized actions with high integrity and confidentiality impact when authenticated users interact with malicious content. The CVSS 9.6 (Critical) score reflects scope change and full CIA triad compromise, though EPSS data and KEV status are unavailable. No public exploit code identified at time of analysis, but CSRF vulnerabilities are well-understood and easily weaponized once identified.