Authorization bypass in YITH WooCommerce Wishlist through version 4.12.0 allows unauthenticated remote attackers to modify wishlist data via user-controlled object references, exploiting improper access control validation. The vulnerability enables integrity attacks against wishlist functionality without requiring authentication or user interaction, affecting all WordPress installations using the vulnerable plugin.
Missing authorization in Royal Elementor Addons before version 1.7.1053 allows unauthenticated remote attackers to read sensitive information via incorrectly configured access control security levels. The vulnerability affects the WordPress plugin and exposes confidential data without requiring user authentication or interaction, impacting all installations below the patched version.
DNS rebinding vulnerability in Gotenberg allows unauthenticated remote attackers to bypass SSRF protections and access internal services via Chromium URL conversion routes. When a URL is submitted for PDF conversion, Gotenberg validates the resolved IP address against a deny-list but discards the pinned result. Chromium then performs independent DNS resolution multiple times, creating a race condition where an attacker controlling DNS can return a public IP during validation and a private IP during connection, allowing access to loopback services, cloud metadata endpoints, or internal networks. Exploitation succeeds approximately 10% per attempt with trivial automation.
Missing authorization in Forminator Forms for WordPress (versions up to 1.51.1) allows authenticated users with subscriber-level access or restricted Forminator roles to perform sensitive module-management actions including export, delete, clone, and bulk status changes by bypassing capability checks. The vulnerability exists because the `processRequest()` method validates only a nonce without verifying the `manage_forminator_modules` capability, and fires during the `admin_menu` hook before WordPress enforces page-level permission checks. This enables attackers to export complete form configurations including credentials and conditional logic, delete submissions, or manipulate published modules.
The Go toolchain's 'go bug' command creates temporary files with predictable names in the system temporary directory, allowing local attackers with temporary directory access to create symlinks that cause arbitrary file overwrite. Affects Go 1.26.0 through 1.26.2 and 1.25.0 through 1.25.9. While CVSS 5.3 and EPSS 0.01% suggest moderate local impact, the vulnerability enables information disclosure and integrity compromise of arbitrary files via symlink redirection, confirmed patched in Go 1.26.3 and 1.25.10.
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.
Allocation amplification in Zebra network deserializers allows unauthenticated remote peers to force excessive memory preallocation and parsing overhead across multiple message types (headers, blocks, transactions) by exploiting the use of generic transport/block-size ceilings instead of protocol-specific limits. An attacker can trigger 8.8x oversized header allocations, unbounded equihash solution parsing, and inflated Sapling spend vector allocations on inbound peer messages, causing denial of service through cumulative per-connection and multi-peer fan-in effects. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N) indicates network-accessible, unauthenticated exploitation of default configurations; no public exploit identified at time of analysis, but vendor-released patch available in Zebra 4.4.0.
Stack overflow in ParquetSharp versions 18.1.0 through 23.0.0.0 allows remote unauthenticated attackers to cause denial of service by supplying a maliciously crafted Parquet file with a decimal column declaring an unreasonably large width, triggering unbounded stack allocation in the DecimalConverter.ReadDecimal method. This impacts network services that parse untrusted Parquet files. The vulnerability has been patched in version 23.0.0.1.
Privilege escalation in CISA's manage.get.gov 1.x allows organization administrators to assign domain manager privileges for domains outside their portfolio, including legacy domains not associated with any organization. The vulnerability enables cross-portfolio domain takeover scenarios where an authenticated admin can grant themselves or others unauthorized domain management access. Fixed in version 1.176.0 released April 30, 2026. No public exploit identified at time of analysis, EPSS risk assessment not available for this CVE.
Open redirect in Saltcorn's post-login destination parameter validation allows attackers to redirect authenticated users to attacker-controlled domains via backslash bypass. Versions prior to 1.4.6, 1.5.6, and 1.6.0-beta.5 are vulnerable because the is_relative_url() function only blocks ':/' and '//' but fails to account for WHATWG URL parsing, which normalizes backslashes to forward slashes in special schemes. An attacker can craft a malicious login URL with a dest parameter like /\evil.com/path that bypasses validation, passes through the Location header unencoded, and causes the victim's browser to navigate cross-origin after successful authentication. This requires user interaction (clicking a crafted link) but no special configuration and affects default installations.
Unauthenticated reflected cross-site scripting (XSS) in Vvveb before 1.0.8.2 allows remote attackers to execute arbitrary JavaScript in the context of the Vvveb origin by manipulating the r query parameter and _component_ajax POST parameter in the visual editor preview renderer. The vulnerability exploits the absence of session, role, or token verification in the isEditor() gating function combined with unsanitized injection of POST body content, requiring only user interaction to trigger but affecting all versions prior to 1.0.8.2. Active exploitation status is not confirmed, but a vendor-released patch is available.
Arbitrary memory writes via USB in ZTE ZX297520V3 BootROM allow physical attackers with USB access to bypass Secure Boot signature verification and achieve unauthorized code execution by exploiting missing target address validation in USB download mode. The vulnerability requires physical device access and user interaction (device boot into download mode), resulting in a CVSS score of 5.1, but enables complete bypass of cryptographic security mechanisms and Secure Boot protections.
Heap buffer overflow in rust-openssl's AES key-wrap-with-padding cipher functions allows attackers to write up to 7 bytes past allocated buffer boundaries when processing non-multiple-of-8 plaintext inputs, enabling attacker-controlled heap corruption. Affected versions 0.10.0 through 0.10.78 are vulnerable when CipherCtxRef::cipher_update, CipherCtxRef::cipher_update_vec, or symm::Crypter::update are used with EVP_aes_128/192/256_wrap_pad ciphers.
Istio versions prior to 1.28.6 and 1.29.2 allow authenticated attackers to perform Server-Side Request Forgery (SSRF) attacks via RequestAuthentication resources with malicious jwksUri values pointing to internal services, enabling istiod to fetch sensitive data from localhost or link-local IPs and distribute it to Envoy proxies through xDS configuration. The vulnerability requires an authenticated user to create or modify a RequestAuthentication resource, limiting the attack surface to cluster administrators or users with API access. A partial mitigation was released in earlier versions (1.29.1, 1.28.5, 1.27.8) but was incomplete; the complete fix is in versions 1.28.6 and 1.29.2.
Policy rollback vulnerability in gittuf versions up to 0.13.1 allows attackers with push access to the Reference State Log (RSL) to downgrade repository policies to previously signed versions, bypassing security controls. An attacker cannot roll back to policies that would be unsigned by the current root keys, but can selectively choose any valid prior policy state. Vendor-released patch: gittuf v0.14.0 introduces monotonically increasing version numbers to all policy metadata to prevent rollback attacks.
Local denial-of-service vulnerability in ZTE Cloud PC client uSmartview allows authenticated local attackers to trigger memory corruption and crash the application through a use of externally-controlled format string (CWE-134). CVSS 4.7 with local attack vector and high complexity indicates limited real-world exploitability; no public exploit identified at time of analysis.
DOM-based cross-site scripting (XSS) in i18nextify versions prior to 4.0.8 allows remote attackers to execute arbitrary JavaScript by injecting malicious URL schemes (javascript:, data:, vbscript:, file:) into translated href and src attribute values. An attacker who can compromise the translation backend, CDN, or intercept unencrypted traffic can inject payloads that execute with the origin's privileges when users interact with the affected links or embedded content. The vulnerability requires user interaction (clicking a link or loading a page with a malicious src) but affects any website using i18nextify with untrusted translation sources.
Server-Side Request Forgery in utcp-http allows remote attackers to access internal cloud metadata endpoints and firewalled services by hosting a malicious OpenAPI specification on a legitimate HTTPS endpoint that declares internal server URLs, which are then blindly trusted during tool invocation without revalidation. The vulnerability affects utcp-http versions 1.1.1 and earlier, where `call_tool()` and `call_tool_streaming()` reuse previously resolved URLs from OpenAPI specs without re-checking security constraints, combined with a string-prefix bypass (`localhost.evil.com` bypassing `startswith` checks). This is a blind SSRF that exposes cloud metadata (AWS/GCP credentials from 169.254.169.254), internal services like Elasticsearch and Redis, and enables exfiltration via LLM responses when combined with prompt injection. No public exploit code or active exploitation is currently identified, but the vulnerability requires only network-level access and user interaction (convincing an LLM agent to register a malicious tool).
Spring Cloud Config Server exposes sensitive information in plaintext logs when trace logging is enabled, allowing high-privilege local users to access configuration data including credentials and API keys. The vulnerability affects versions 3.1.0-3.1.13, 4.1.0-4.1.9, 4.2.0-4.2.6, 4.3.0-4.3.2, and 5.0.0-5.0.2. No public exploit identified at time of analysis; vendor-released patches are available for all affected version lines.
Cross-site scripting (XSS) via improper Markdown attribute sanitization in Weblate allows authenticated users to inject malicious HTML attributes through crafted Markdown in user comments and other user-provided content. The vulnerability affects Weblate versions prior to 5.17.1 and can be exploited by any authenticated user with the ability to submit Markdown content; however, the application's strict Content Security Policy (CSP) significantly mitigates actual exploitation risk. Vendor-released patch version 5.17.1 is available.
Weblate versions before 5.17.1 allow authenticated users to enumerate translations in projects they cannot access via the screenshots, tasks, and component link API endpoints. An attacker with valid credentials but no project access can probe these APIs to discover the existence and metadata of private translations, leading to information disclosure of project structure and language coverage that should remain hidden. The vulnerability requires authentication but has a low attack complexity, affecting confidentiality only without enabling further compromise.
Cross-site request forgery (CSRF) in PluginUs.Net BEAR plugin versions up to 1.1.5 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through crafted web requests. The vulnerability requires user interaction (clicking a malicious link) but can modify application state without the user's knowledge or consent. No active exploitation has been publicly confirmed at the time of analysis.
Blind SSRF via CGNAT address bypass in Wallos prior to version 4.8.1 allows authenticated users to probe internal services on Carrier-Grade NAT networks (100.64.0.0/10) through logo/icon URL fetching in subscription and payment endpoints. The vulnerability stems from incomplete IP range validation that fails to block RFC 6598 CGNAT addresses, enabling reconnaissance of services in Tailscale, dual-stack carrier environments, and internal infrastructure. CVSS 4.3 reflects limited confidentiality impact with authentication requirement; actively fixed in 4.8.1.
Reflected cross-site scripting in FacturaScripts allows authenticated attackers to execute arbitrary JavaScript via manipulation of the fsNick cookie parameter. The application renders the cookie value directly into the HTML without sanitization, permitting script execution before session termination and logout redirection. CVSS score is 3.9 with low impact due to login requirement and single-action execution window.
Out-of-bounds read by one byte in Tor before version 0.4.9.7 when processing malformed BEGIN cells allows remote unauthenticated attackers to cause a denial of service through information disclosure. The vulnerability has a low CVSS impact score (3.7) due to high attack complexity and limited availability impact, though the exact exploitation mechanics require Tor relay configuration and a specially crafted cell.
Tor before version 0.4.9.7 crashes due to a NULL pointer dereference when CERT cells are received out of order, causing denial of service against relay nodes and clients. Remote unauthenticated attackers on the network can trigger this crash by sending malformed cell sequences, disabling affected Tor instances. No active exploitation confirmed, but the vulnerability affects core protocol handling in all affected versions.
Tor before version 0.4.9.7 can crash due to a double-close vulnerability in circuit handling when memory pressure conditions exist on the circuit queue, resulting in denial of service to affected clients. The vulnerability requires specific network conditions (high circuit queue load) to trigger but affects all Tor clients running vulnerable versions. A patch is available in Tor 0.4.9.7 and later.
Tor before version 0.4.9.7 mishandles memory accounting in the conflux out-of-order queue during queue clearing operations, leading to a denial-of-service condition through resource exhaustion. Unauthenticated remote attackers can exploit this via network-level packet manipulation to trigger improper queue state management, causing availability degradation on affected Tor relays and clients. The vulnerability has a low severity CVSS score (3.7) due to attack complexity and availability-only impact, with no confirmed active exploitation at time of analysis.
Tor before version 0.4.9.7 can incorrectly attempt or accept BEGIN_DIR cells over conflux legs, a Tor relay multiplexing feature, enabling potential integrity violations in circuit construction. The vulnerability has a CVSS score of 3.7 (low severity) with impact limited to integrity rather than confidentiality or availability. No public exploit code or active exploitation has been identified at the time of analysis.
Server-Side Request Forgery (SSRF) in nuxt-og-image 6.2.5 through 6.4.8 allows remote attackers to bypass the incomplete IPv6 denylist and redirect validation, reaching internal IP addresses and services through incomplete IPv6 prefix filtering and unauthenticated HTTP redirect following. The vulnerability affects the OG image rendering component used by Nuxt applications, enabling attackers to leak internal service responses by injecting crafted IPv6-mapped addresses or chaining external redirects to internal targets.
Free5GC Access and Mobility Function (AMF) versions up to 1.4.3 fail to enforce 3GPP TS 33.501 §6.9.5.1 concurrent security procedure rules, allowing NAS Security Mode Command (SMC) to execute simultaneously with N2 handover procedures. This causes security context mismatches between the UE and network when SMC activates a new KAMF while N2 HandoverRequest carries Next Hop (NH) and Next Hop Chaining Counter (NCC) derived from the old KAMF, resulting in different KgNB key derivation at the target gNB and UE and breaking access stratum (AS) security integrity. Source code analysis confirms missing cross-procedure validation in SecurityMode() and handleHandoverRequiredMain() functions; packet evidence demonstrates Rule 2 violation (SMC initiated during ongoing N2 handover).
Out-of-bounds read in Tor before version 0.4.9.7 occurs when END, TRUNCATE, or TRUNCATED cells lack a reason field in their payload, allowing remote unauthenticated attackers to trigger a denial of service condition. The vulnerability requires high attack complexity and results in availability impact only. CVSS score is 3.7 with no active exploitation (KEV) or public exploit code confirmed at time of analysis.
PHP 8.2.31 addresses a null pointer dereference vulnerability (CVE-2026-7262) that can cause denial of service through remote network access without authentication. The vulnerability has a low CVSS score of 2.9 due to attack complexity factors, but the vendor has released PHP 8.2.31 as an immediate security patch addressing this and seven related CVEs. All PHP 8.2 users should upgrade to mitigate the impact.
HTTP header injection via CRLF sequences in Netty's HttpProxyHandler allows remote attackers to inject arbitrary HTTP headers into CONNECT proxy requests by supplying malicious outbound headers, bypassing the incomplete fix for GHSA-84h7-rjj3-6jx4. The vulnerability affects Netty 4.1.x up to 4.1.132.Final and 4.2.x up to 4.2.12.Final; unauthenticated remote exploitation is possible when applications pass user-influenced headers to HttpProxyHandler without performing their own CRLF sanitization. CVSS 7.5 (high integrity impact); no public exploit code confirmed at time of analysis, but proof-of-concept source code is provided in the advisory.
Null pointer dereference in PHP 8.2.x causes denial of service through remote attacks requiring user interaction and persistent attack timing. CVE-2026-7259 is one of eight vulnerabilities patched in PHP 8.2.31, with a low CVSS score (2.1) reflecting the attack complexity and limited availability impact, though the null pointer dereference class (CWE-476) can escalate in severity depending on code context. No public exploit code or active exploitation has been identified at time of analysis.
SQL injection in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to manipulate the condition parameter in the /sys/dict/loadTreeData endpoint, leading to unauthorized data access with limited confidentiality impact. The vulnerability affects the JSON Object Handler component and has publicly available exploit code, though the low CVSS score (2.1) and required authentication significantly limit practical risk despite confirmed vendor awareness.
etcd RBAC authorization bypass allows authenticated users to read unauthorized data or attach leases via PrevKv or lease attachment features in transaction Put requests, circumventing role-based access control checks. Affects etcd 3.4.x through 3.6.x before patched versions 3.4.44, 3.5.30, and 3.6.11. While Kubernetes deployments are typically not affected because the API server handles its own authorization, etcd deployments with reliance on etcd's built-in RBAC-particularly those managed directly or used outside Kubernetes-face exposure to privilege escalation and unauthorized data access by already-authenticated users.