Authentication bypass in UltraDAG Core blockchain allows remote unauthenticated attackers to drain all pocket-derived sub-addresses on smart accounts, completely bypassing vault delays and daily spending limits. The StateEngine fails to resolve pocket addresses to their parent account during policy enforcement, treating virtual pocket addresses as unrestricted accounts. Confirmed actively exploited (CISA KEV). Vendor-released patch: commit fb6ef59 resolves pocket-to-parent mapping before all policy checks. EPSS data unavailable but attack vector is network-accessible with no complexity (CVSS 4.0 AV:N/AC:L/PR:N), making this a critical priority for any UltraDAG deployment using smart account pockets.
Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. This issue has been patched in version 3.31.2.
Remote code execution in Apache CloudStack allows authenticated account users to execute arbitrary code on KVM hypervisor hosts by registering malicious templates with unsanitized filenames. Affects CloudStack 4.11.0 through 4.20.2.0 and 4.21.0.0 through 4.22.0.0 when using KVM hypervisors. Despite high CVSS (8.8), EPSS exploitation probability is very low (0.04%, 11th percentile) and CISA SSVC reports no active exploitation. Vendor-released patches are available in versions 4.20.3.0 and 4.22.0.1.
Stored cross-site scripting in Linkwarden 2.14.0 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in victims' authenticated sessions by uploading malicious HTML archives. The vulnerability exists because the /api/v1/archives endpoint accepts unsanitized HTML files and serves them without Content-Security-Policy protections, enabling session hijacking and account takeover. No vendor-released patch identified at time of analysis (GHSA advisory notes no patches available). EPSS data not provided; no active exploitation (CISA KEV) or public POC identified at time of analysis.
Authentication downgrade in Linux kernel Bluetooth SMP allows adjacent network attackers to bypass MITM protection during pairing. When a Bluetooth responder requires BT_SECURITY_HIGH, the SMP implementation incorrectly builds pairing responses before enforcing local MITM requirements, allowing initiators to force weaker 'Just Confirm' authentication even when policy mandates stronger methods. EPSS score of 0.02% indicates low predicted exploitation probability, and no active exploitation or public POC has been identified. Patches available across all supported kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Namespace iteration ioctl permission bypass in Linux kernel allows local privileged users to enumerate namespaces of other privileged services, potentially leaking cross-service information. Affects kernel 6.12 through 6.19.x with patches available in 6.12.78, 6.18.20, 6.19.9, and mainline 7.0. The vulnerability has low EPSS (0.02%, 5th percentile) indicating minimal observed exploitation activity. Vendor patches deployed across stable kernel branches address the issue by enforcing stricter namespace visibility policies via the may_see_all_namespaces() helper.
Insufficient permission checks in Linux kernel nsfs (namespace filesystem) allow low-privileged local users to access other processes' namespaces, potentially escalating privileges across namespace boundaries and leaking sensitive information between isolated services. The vulnerability affects kernel versions before 6.19.9 and 7.0, with patches available in stable branches d2324a9317f0 and 1797ee11451f. EPSS score of 0.02% (5th percentile) indicates low current exploitation probability, and no active exploitation or public POC has been identified in CISA KEV or public sources. The CVSS 8.8 (High) rating reflects scope change (S:C) indicating privilege escalation across security boundaries - a critical concern for containerized environments where namespace isolation is foundational to multi-tenant security.
Use-after-free (UAF) in Linux kernel Bluetooth subsystem allows adjacent network attackers to trigger memory corruption via malformed LE Read Features Complete responses. The vulnerability occurs when hci_conn is freed before le_read_features_complete callback executes but after hci_le_read_remote_features_sync initiates, causing atomic operations on freed memory during hci_conn_drop. Active exploitation status not confirmed (no CISA KEV listing). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. Upstream patches committed to stable kernel branches 6.19.12+ and 7.0+.
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, the extractArchive and compressFiles endpoints in file-manager.ts use double-quoted strings for shell command construction, unlike all other file manager operations which use single-quote escaping. Double quotes allow $(command) substitution, enabling command injection on the remote SSH host. This issue has been patched in version 2.1.0.
Unauthenticated denial of service in absinthe-graphql versions 1.2.0 through 1.10.1 allows remote attackers to exhaust CPU resources via quadratic-complexity validation. Attackers submit GraphQL documents with tens of thousands of fragment definitions (~60,000 fragments in a 1 MB payload), triggering O(N²) comparisons during fragment-name uniqueness validation - approximately 3.6 billion comparisons per request. No authentication, schema knowledge, or special server configuration is required. Patch available in version 1.10.2 via GitHub commit 223600c (replaces nested loop with single-pass frequency map).
ex_webrtc library for Erlang/Elixir fails to validate DTLS peer certificate fingerprints when operating in client (active) role during WebRTC handshakes, breaking mutual authentication. Versions prior to 0.15.1 and 0.16.1 are affected. While not independently exploitable against standard browser peers over secure signaling, this flaw enables man-in-the-middle attacks when combined with insecure signaling channels (HTTP/plain WebSocket), compromised signaling servers, or non-compliant peer implementations. Vendor-released patches (0.15.1, 0.16.1) available with no workarounds. No public exploit identified at time of analysis, but the high CVSS score (8.7, AV:N/AC:L/PR:N/UI:N) reflects the network attack vector and low complexity when prerequisites are met.
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server due to improper handling of URLs during Server-Side Rendering (SSR). When an attacker sends a request such as GET /\evil.com/ HTTP/1.1 the server engine (Express, etc.) passes the URL string to Angular’s rendering functions. Because the URL parser normalizes the backslash to a forward slash for HTTP/HTTPS schemes, the internal state of the application is hijacked to believe the current origin is evil.com. This misinterpretation tricks the application into treating the attacker’s domain as the local origin. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This issue has been patched in versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8.
Remote path traversal via symlink following in zrok's WebDAV drive backend allows unauthenticated network attackers to read arbitrary files accessible to the zrok process and overwrite critical system files (such as SSH authorized_keys) outside the intended share boundary. Attack complexity is high because exploitation requires a pre-existing symlink inside the shared directory pointing outside DriveRoot-a precondition typically created through local access or misconfiguration, not by the attacker. EPSS data not provided; no CISA KEV listing indicates targeted rather than widespread exploitation. Vendor-released patch available in version 2.0.2 with commit 459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e implementing symlink boundary validation.
Authenticated attackers can read arbitrary JSON files from SmarterMail servers prior to build 9560 through a path traversal vulnerability in the /api/v1/report/summary/{type} endpoint. The vulnerability chains with weak encryption and hardcoded keys to decrypt stored passwords and two-factor authentication secrets for all system users, enabling complete account compromise. VulnCheck identified this vulnerability; vendor patch available in build 9560 or later. CVSS 8.7 reflects high confidentiality and integrity impact with low attack complexity, though requiring authenticated access (PR:L) moderates immediate risk for internet-exposed instances with strong authentication controls.
MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal that allows attackers to bypass authentication checks by reusing AuthenticationToken cookies generated for low-privileged users. Attackers can obtain a token from the WebMail login endpoint using the PersistentLogin parameter and replay it against the WebAdmin portal to perform highly privileged administrative actions.
Cross-instance cache poisoning in Open WebUI allows administrators on one instance to inject malicious tool server configurations into shared Redis cache, affecting users on other instances. The vulnerability stems from missing Redis key prefixes on tool_servers and terminal_servers cache entries in backend/open_webui/utils/tools.py. When multiple Open WebUI instances share a Redis backend (a documented multi-region/blue-green deployment pattern), an admin on Instance A can configure a malicious tool server that overwrites Instance B's cache, causing Instance B users to send tool call payloads-containing chat content, user identity, and OAuth tokens-to attacker-controlled servers. Exploitation requires privileged access (CVSS PR:H) but crosses instance boundaries (Scope:Changed), enabling data exfiltration and prompt injection delivery. Vendor-released patch: version 0.9.0 addresses the missing prefix issue.
### Impact An authenticated user with only `users.edit` permission can escalate their own privileges to `admin` by sending a PATCH request to `/api/v1/users/{id}` with `permissions[admin]=1`. The API controller only strips the `superuser` key from the permissions array, allowing `admin` and all other permission keys to be set by any user who can update users. ### Patches Patched in https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569, fix was released in v8.4.1 ### Workarounds None.
Stored cross-site scripting (XSS) in Brave CMS 2.0 allows authenticated users with editor privileges to inject malicious JavaScript through the CKEditor rich-text interface, achieving persistent code execution in all visitors' browsers. The vulnerability stems from Laravel Blade's unescaped output directive {!! !!} rendering user-supplied content without sanitization. Patched via commit 6c56603 which implements HtmlSanitizer to allowlist safe HTML tags and strip dangerous attributes before database storage.
Path traversal via symlink exploitation in PraisonAI multi-agent teams system allows remote unauthenticated attackers to write arbitrary files outside intended directories during recipe operations (pull/publish/unpack). The _safe_extractall helper validates archive member names but fails to validate symlink targets (linkname attribute), enabling attackers to craft malicious tar bundles containing symlinks pointing outside extraction directories followed by files traversing through those symlinks. Affects versions prior to 4.6.37. EPSS data unavailable, no CISA KEV listing, and no public POC identified at time of analysis, suggesting limited observed exploitation despite network-accessible attack vector.
Remote code execution in Dolibarr ERP/CRM versions ≤22.0.2 allows authenticated administrators to execute arbitrary PHP code by injecting malicious payloads into the 'computed value' field of user extrafields, which are passed unsanitized to PHP's eval() function. No vendor patch exists at time of analysis (zero-day status), but exploitation requires high-privilege administrator access, limiting immediate risk to environments with compromised admin accounts or malicious insiders. EPSS data unavailable; not listed in CISA KEV, indicating no confirmed widespread exploitation despite public technical disclosure.
Object.prototype pollution in i18next-http-middleware prior to 3.9.3 allows remote unauthenticated attackers to inject arbitrary properties into all JavaScript objects via crafted HTTP requests, bypassing authorization checks, causing type-confusion denial of service, or enabling remote code execution when chained with vulnerable downstream code. The vulnerability is actively exploitable through two unprotected API endpoints (getResourcesHandler and missingKeyHandler) that accept user-controlled language and namespace parameters without validation. EPSS data not provided, not listed in CISA KEV, but publicly disclosed with detailed GitHub security advisory including technical exploitation details.
Server-side template injection in LiteLLM Proxy versions 1.80.5 through 1.83.6 allows authenticated users to execute arbitrary code via the POST /prompts/test endpoint. Any user with a valid proxy API key can submit malicious prompt templates that escape sandboxing and run commands in the proxy server process, exposing environment secrets like provider API keys and database credentials. This vulnerability affects deployments using LiteLLM as an AI gateway proxy server. No active exploitation confirmed (not in CISA KEV), but GitHub advisory and patch are publicly available, increasing exploit likelihood. CVSS 8.6 (High) with network attack vector and low complexity, though PR:L requirement limits exposure to authenticated attackers only.
Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
Remote attackers can invoke arbitrary application callables in PraisonAI multi-agent systems by manipulating tool-call names to bypass tool declaration controls. Vulnerable versions (praisonai <4.6.37, praisonaiagents <1.6.37) resolve unmatched tool names against module globals and __main__ namespaces without permission validation when _perm_allow is None (default configuration). This enables unauthorized function execution beyond the intended tool list, allowing integrity compromise and potential information disclosure. Patched versions 4.6.37 and 1.6.37 address the tool name resolution vulnerability.
Authorization bypass in CashDro 3 web administration panel 24.01.00.26 allows authenticated attackers to escalate to full administrative privileges by manipulating client-side permission controls. The vulnerability stems from reliance on frontend-only authorization checks, with no backend validation of user permissions. Attackers with low-privileged accounts can modify the 'Permissions' field in JSON responses to grant themselves unrestricted access to cash management system controls. INCIBE-CERT has confirmed vendor patch availability, though EPSS data is not yet available for this recent CVE.
Local attackers with standard user accounts can escalate to NT AUTHORITY\SYSTEM privileges in Acer PredatorSense V3 versions 3.00.3136 through 3.00.3196. The gaming utility software exposes a misconfigured Windows Named Pipe allowing arbitrary code execution and file deletion with SYSTEM privileges. CVSS 8.5 (High) reflects severe local impact with low complexity exploitation. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the technical details provided enable development of proof-of-concept code.
Path traversal in electerm's IPC widget loader allows local code execution with full process privileges when an attacker achieves JavaScript execution in the renderer process. Affects all versions prior to 3.7.16. The vulnerability enables filesystem-wide arbitrary JavaScript file loading and execution through unsanitized path concatenation in runWidget function, bypassing Electron's process isolation. Vendor-released patch available in version 3.7.16. EPSS data not available; no confirmed active exploitation (not in CISA KEV).
Emlog is an open source website building system. Prior to version 2.6.11, missing CSRF protection in critical admin functions allows attackers to trick authenticated administrators into performing unauthorized actions like system registration, plugin management, and configuration changes. This issue has been patched in version 2.6.11.
Remote code execution in SEPPmail Secure Email Gateway versions before 15.0.4 allows unauthenticated attackers to execute arbitrary template expressions through a server-side template injection flaw in the GINA UI endpoint. The vulnerability requires no authentication and has low attack complexity, but depends on specific template plugin configurations (CVSS 4.0: 8.3 High with AT:P indicating present attack conditions). No public exploit code or active exploitation confirmed at time of analysis. EPSS data not available.
Improper packet data validation in Linux kernel NCI NFC subsystem breaks communication with NFC chips and creates potential for information disclosure. The vulnerability affects adjacent network attackers (AV:A) who can exploit variable-length packet handling without authentication (PR:N) to achieve high confidentiality impact, low integrity impact, and high availability impact. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability despite CVSS 8.3 severity. Vendor patches available across multiple kernel versions (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) with upstream fixes committed to stable branches.
Stack-based buffer overflow in nanoMODBUS v1.22.0 and earlier allows malicious Modbus TCP servers to execute arbitrary code on clients via oversized responses. When client applications call nmbs_read_holding_registers() or nmbs_read_input_registers(), the library fails to validate byte_count before writing server data to the caller's buffer, enabling up to 248 bytes of controlled overflow. No active exploitation confirmed (not in CISA KEV), but proof-of-concept code is publicly available and the vulnerability is automatable (SSVC) with network attack vector (CVSS AV:N/AC:L/PR:N). EPSS data not provided, but the combination of public POC, low complexity, and RCE potential warrants immediate attention for systems using nanoMODBUS as a client.
### Summary free5GC's SMF mounts the `UPI` management route group without inbound OAuth2 middleware (same root cause as the broader UPI auth gap reported in free5gc/free5gc#887). On top of that, the `DELETE /upi/v1/upNodesLinks/{upNodeRef}` handler unconditionally dereferences `upNode.UPF` after the type-guarded async release, even though `AN`-typed nodes are constructed without a `UPF` object. As a result, a single unauthenticated `DELETE /upi/v1/upNodesLinks/gNB1` request crashes the handler with a nil-pointer panic AND mutates the in-memory user-plane topology before panicking (the `UpNodeDelete(upNodeRef)` line runs first). This is an unauthenticated, state-mutating panic-DoS sink that an off-path network attacker can trigger by name against any AN entry. ### Details Validated against the SMF container in the official Docker compose lab. - Source repo tag: `v4.2.1` - Running Docker image: `free5gc/smf:v4.2.1` - Runtime SMF commit: `8385c00a` - Docker validation date: 2026-03-22 local (container log timestamp `2026-03-21T23:43:17Z`) - SMF endpoint: `http://10.100.200.6:8000` Control comparison on the same SMF instance: - `GET /nsmf-oam/v1/` (no token) -> `401 Unauthorized` - `DELETE /upi/v1/upNodesLinks/gNB1` (no token) -> `500 Internal Server Error` (panic) The sibling `nsmf-oam` returning `401` proves OAuth middleware IS wired in for other SMF route groups; the UPI group specifically is mounted without it. Vulnerable handler logic (paths in `free5gc/smf`): ```go // NFs/smf/internal/sbi/api_upi.go:94..99 if upNode.Type == smf_context.UPNODE_UPF { go s.Processor().ReleaseAllResourcesOfUPF(upNode.UPF) } upi.UpNodeDelete(upNodeRef) upNode.UPF.CancelAssociation() // <-- panics for AN-typed nodes; nil UPF ``` The `Type == UPNODE_UPF` guard only protects the asynchronous `ReleaseAllResourcesOfUPF` call. After that, `UpNodeDelete(upNodeRef)` runs unconditionally (so the topology mutation lands first), and then `upNode.UPF.CancelAssociation()` is called unconditionally on a `*UPF` that is `nil` for `AN` nodes by construction. Code evidence: - UPI group mounted WITHOUT auth middleware: - `NFs/smf/internal/sbi/server.go:76` - `NFs/smf/internal/sbi/server.go:78` - Protected control comparison (other SMF groups DO use auth): - `NFs/smf/internal/sbi/server.go:99` - `NFs/smf/internal/sbi/server.go:105` - Delete handler (panic site): - `NFs/smf/internal/sbi/api_upi.go:94` - `NFs/smf/internal/sbi/api_upi.go:99` - AN nodes are constructed without a UPF object (root cause of the nil deref): - `NFs/smf/internal/context/user_plane_information.go:95` - `NFs/smf/internal/context/user_plane_information.go:97` ### PoC Reproduced end-to-end against the running SMF at `http://10.100.200.6:8000`. 1. Control: protected sibling OAM route returns `401`: ``` curl -i http://10.100.200.6:8000/nsmf-oam/v1/ ``` ``` HTTP/1.1 401 Unauthorized ``` 2. Trigger: unauthenticated DELETE on the default AN node `gNB1`: ``` curl -i -X DELETE http://10.100.200.6:8000/upi/v1/upNodesLinks/gNB1 ``` ``` HTTP/1.1 500 Internal Server Error ``` 3. SMF container logs (`docker logs --tail 120 smf`) show topology mutation landing BEFORE the panic, and the panic stack pointing at `api_upi.go:99`: ``` [INFO][SMF][Init] UPNode [gNB1] found. Deleting it. [INFO][SMF][Init] Delete UPLink [UPF] <=> [gNB1]. [ERRO][SMF][GIN] panic: runtime error: invalid memory address or nil pointer dereference github.com/free5gc/smf/internal/sbi.(*Server).DeleteUpNodeLink /go/src/free5gc/NFs/smf/internal/sbi/api_upi.go:99 +0x298 [INFO][SMF][GIN] | 500 | DELETE | /upi/v1/upNodesLinks/gNB1 ``` The lab state was manually restored after validation by re-creating the AN entry; that POST is restoration-only and is NOT a mitigation. ### Impact Three compounding defects on the same SMF SBI surface: 1. Missing inbound authentication (CWE-306) and authorization (CWE-862) on the `UPI` route group, so the trigger is reachable to any off-path network attacker who can reach SMF on the SBI -- no token, no session, no UE state needed. The same-instance `nsmf-oam` returning `401` proves the middleware is wired in elsewhere and only missing on UPI. 2. NULL pointer dereference (CWE-476) in `DeleteUpNodeLink`: the `Type == UPNODE_UPF` guard only covers the async release call, then `upNode.UPF.CancelAssociation()` runs unconditionally on AN-typed nodes that have a nil `UPF` field by construction. 3. Order of operations (CWE-755 / CWE-754): `UpNodeDelete(upNodeRef)` mutates the in-memory user-plane topology BEFORE the dereference panics, so the topology change lands even though the request returns 500. This makes the bug state-mutating, not just a plain panic. Any party that can reach SMF on the SBI can: - Delete arbitrary named entries (e.g. `gNB1`) from SMF's in-memory user-plane topology anonymously via a single `DELETE /upi/v1/upNodesLinks/{ref}` request, denying SMF's ability to consider that AN/UPF in subsequent UPF selection / PFCP path establishment for legitimate UE sessions. - Trigger a panic on the SMF goroutine for the deleted-AN case, even though Gin recovers the goroutine, leaving the topology in the mutated state above. - Repeat the trigger by name against any AN entry, sustaining the topology denial without ever authenticating. This is a strict superset of the impact in free5gc/free5gc#887 for this specific code path: same auth bypass, plus a concrete request-triggerable nil deref, plus state mutation that survives the panic. Affected: free5gc v4.2.1. Upstream issue: https://github.com/free5gc/free5gc/issues/905 Upstream fix: https://github.com/free5gc/smf/pull/199
Unauthenticated remote attackers can crash Erlang VM nodes running Absinthe GraphQL 1.5.0 through 1.10.1 by exhausting the BEAM atom table through specially crafted GraphQL SDL documents. Attackers send SDL containing numerous unique directive, field, type, or argument names that are unsafely converted to atoms via String.to_atom/1, permanently consuming slots in the fixed-size atom table (default 1,048,576 entries) until the VM terminates with system_limit error. This affects any application exposing SDL parsing to untrusted input, such as schema upload endpoints, federation gateways ingesting remote SDL, or developer tools processing user-supplied documents. Vendor-released patch (version 1.10.2) is available per GitHub advisory GHSA-qf4g-9fqq-mmm7.
Path traversal in i18next-fs-backend allows remote unauthenticated attackers to read arbitrary files (including /etc/passwd) or overwrite application files when language/namespace parameters derive from user input. Applications exposing i18next language detection via query strings, cookies, or headers (common with i18next-http-middleware or i18next-browser-languagedetector) are vulnerable to immediate exploitation with zero authentication (CVSS AV:N/AC:L/PR:N/UI:N). GitHub security advisory confirms the vulnerability with proof-of-concept parameter `?lng=../../../../etc/passwd`. Fixed in version 2.6.4; vulnerable versions also support eval-based .js/.ts locale loading, creating a code execution chain when traversal targets executable files.
DMA memory corruption in Linux kernel mlx5e driver allows denial-of-service and potential data integrity violations when recovering from TX error completion queue entries. The vulnerability affects mlx5 Ethernet driver users from kernel 4.17 onwards, causing desynchronization between DMA FIFO producer/consumer counters during error recovery, leading to unmapping of stale DMA addresses and IOMMU warnings. Exploitation probability is low (EPSS 0.02%, 7th percentile) with no public exploit identified at time of analysis. Vendor-released patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).
Out-of-bounds read in Linux kernel netfilter x_tables module allows remote attackers to disclose kernel memory and potentially cause denial of service. The xt_tcpudp and xt_dccp option walkers fail to validate boundaries when processing the last byte of TCP/UDP/DCCP options, triggering a 1-byte buffer over-read. CVSS 8.2 with network attack vector and no authentication required indicates high exploitability, though EPSS score of 0.02% (7th percentile) suggests minimal observed exploitation attempts. Patches available across all active kernel stable branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). No CISA KEV listing or public exploit code identified at time of analysis.
Log corruption in Linux kernel XFS filesystem leads to mount failures and potential data integrity loss when superblock lacks log stripe unit configuration. Systems with 4k physical sector disks are vulnerable to torn writes and CRC failures that prevent filesystem mounting. Vendor-released patches available across multiple stable kernel branches (5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score of 0.02% suggests low exploitation probability. No active exploitation confirmed (not in CISA KEV). CVSS 8.2 reflects network vector but description indicates local filesystem operation - attack vector discrepancy requires verification.
LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call `load()` with `allowed_objects="all"`. This does not enable arbitrary Python object deserialization, but it does allow any trusted LangChain-serializable object to be revived, which is broader than these runtime paths require. As a result, attacker-supplied LangChain serialized constructor dictionaries may cause trusted runtime paths to instantiate classes with untrusted constructor arguments. Applications are exposed only when all of the following are true: 1. The application accepts untrusted structured input, such as JSON, from a user or network request. 2. The application does not validate or canonicalize that input into an inert schema before invoking LangChain. 3. Attacker-controlled nested dictionaries or lists are preserved in LangChain run inputs or outputs. 4. The application uses an affected API path that later deserializes that run data. Known affected runtime surfaces include: - `RunnableWithMessageHistory` - `astream_log()` - `astream_events(version="v1")` Related unsafe deserialization patterns may also affect applications that explicitly load serialized LangChain prompt or runnable objects from untrusted sources, including shared prompt stores, Hub artifacts with model configuration, or other application-controlled serialization stores. Applications that validate incoming requests against a fixed schema, such as coercing user input to a plain string or message-content field before invoking LangChain, are unlikely to expose this deserialization primitive. This release also fixes a related secret-marker validation bypass in the serialization and deserialization layer (`_is_lc_secret`). That issue creates an additional path by which attacker-controlled constructor dictionaries can avoid escaping during `dumps()` -> `loads()` round-trips and reach LangChain object revival logic. ## Impact An attacker who can submit untrusted structured input to an affected application, and have that structure preserved in LangChain run data, may be able to inject LangChain serialized constructor payloads such as: ```json { "lc": 1, "type": "constructor", "id": ["langchain_core", "messages", "ai", "AIMessage"], "kwargs": {"content": "attacker-controlled content"} } ``` If this payload reaches a broad `load()` call, LangChain may instantiate the referenced class instead of treating the payload as inert user data. Realistic impacts include: - Persistent chat-history poisoning when revived `AIMessage`, `HumanMessage`, or `SystemMessage` objects are stored by `RunnableWithMessageHistory`. - Prompt injection or behavior manipulation if attacker-controlled messages are later included in model context. - Instantiation of unexpected trusted LangChain objects with attacker-controlled constructor arguments. - Possible credential disclosure or server-side requests if a reachable object reads environment credentials, creates clients, or contacts attacker-controlled endpoints during initialization. - Additional prompt-template or runnable-configuration impacts in applications that separately load and execute untrusted serialized LangChain objects. ## Remediation LangChain will deprecate the affected APIs as part of this fix: - `RunnableWithMessageHistory` - `astream_log()` - `astream_events(version="v1")` These are older code paths that are no longer recommended for new applications. They were not previously marked as deprecated, but recent LangChain documentation has primarily directed users toward newer streaming and memory patterns, including the `stream` API. Applications should migrate to the currently recommended APIs rather than continue depending on these older surfaces. Separately, LangChain will update `load()` and `loads()` to tighten deserialization behavior so broad object revival is not applied implicitly to untrusted or application-controlled payloads. The older runtime surfaces listed above are being deprecated rather than preserved as supported paths for broad runtime deserialization. This release also fixes a related secret-marker validation bypass in the serialization and deserialization layer (`_is_lc_secret`). That issue creates an additional path by which attacker-controlled constructor dictionaries can avoid escaping during `dumps()` -> `loads()` round-trips and reach LangChain object revival logic. ## Guidance for `load()` and `loads()` `load()` and `loads()` should be used only with trusted LangChain manifests or serialized objects from trusted storage. Do not pass user-controlled data to `load()` or `loads()`, and do not use them as general parsers for request bodies, tool inputs, chat messages, or other attacker-controlled data. `load()` and `loads()` are beta APIs, and their behavior may change as LangChain narrows unsafe defaults. Future LangChain versions will require callers to be explicit about which objects may be revived. Users should pass a narrow `allowed_objects` value appropriate for the specific trusted manifest they are loading, rather than relying on broad defaults or `allowed_objects="all"`, which permits the full trusted LangChain serialization allowlist. ## Credits The original issue was first reported by @u-ktdi. Similar findings were reported by @dewankpant, @shrutilohani, @Moaaz-0x, @pucagit. A related `_is_lc_secret` marker bypass affecting `dumps()` -> `loads()` round-trips was reported by @yardenporat353 (and a similar report by @localhost-detect)
### Impact Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. Known affected plugins are: - `@babel/plugin-transform-modules-systemjs` - `@babel/preset-env` when using the [`modules: "systemjs"` option](https://babel.dev/docs/babel-preset-env#modules), as it delegates to `@babel/plugin-transform-modules-systemjs` No other plugins under the `@babel` namespace are impacted. **Users that only compile trusted code are not impacted.** ### Patches The vulnerability has been fixed in `@babel/plugin-transform-modules-systemjs@7.29.4`. Babel also released `@babel/preset-env@7.29.5`, updating its `@babel/plugin-transform-modules-systemjs` dependency, to simplify forcing the update if you are using `@babel/preset-env` directly. ### Workarounds - Pin `@babel/parser` to v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and can not upgrade `@babel/plugin-transform-modules-systemjs` to v7.29.4. - Do not use the `modules: "systemjs"` option, migrate the codebase to native ES Modules or any other module formats. ### Credits Babel thanks Daniel Cervera for reporting the vulnerability.
Remote code execution in OmniFaces CDNResourceHandler allows unauthenticated attackers to execute arbitrary code on servers via crafted EL injection in resource URLs. The vulnerability affects applications using wildcard CDN mappings (e.g., libraryName:*=https://cdn.example.com/*), where attackers can embed Expression Language expressions in resource request names that get evaluated server-side. Patched versions available across all maintained branches (1.14.2, 2.7.32, 3.14.16, 4.7.5, 5.2.3). EPSS data unavailable; not currently in CISA KEV, suggesting limited active exploitation at time of analysis.
The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Open WebUI through version 0.8.12 allows authenticated attackers to destroy or poison any user's knowledge base via unauthorized collection overwrite operations. The `/api/v1/retrieval/process/web` endpoint fails to verify collection ownership before performing delete-and-replace operations on vector database collections. This enables attackers to permanently delete victim knowledge bases and inject malicious content that influences LLM responses through RAG poisoning. No public exploit identified at time of analysis, but proof-of-concept code is documented in the GitHub advisory GHSA-7r82-qhg4-6wvj. Vendor-released patch: version 0.9.0.
Path traversal in Dapr runtime versions 1.3.0-1.15.13, 1.16.0-rc.1-1.16.13, and 1.17.0-rc.1-1.17.4 allows authenticated attackers to bypass service invocation access control policies by exploiting URL encoding mismatches between ACL evaluation and request dispatch layers. Attackers can use encoded path traversal sequences (e.g., admin%2F..%2Fpublic) or reserved URL characters (%23 for fragment, %3F for query) to authorize one path while delivering a different path to the target application. The gRPC API is more dangerous as it passes method strings raw without client-side sanitization. Vendor-released patches are available in versions 1.15.14, 1.16.14, and 1.17.5 (GitHub PR #9589). No public exploit code or CISA KEV listing identified at time of analysis.
Privilege escalation in Open WebUI ≤0.8.12 allows demoted administrators to retain elevated access to collaborative documents via stale Socket.IO sessions. When an admin user is demoted or deleted, their active WebSocket connection preserves cached admin privileges indefinitely through heartbeat mechanisms, enabling unauthorized read/write access to any user's notes. Official patch released in version 0.9.0 addresses the session invalidation gap. CVSS 8.1 (High) with network attack vector and low complexity; no public exploit identified at time of analysis.
Linux kernel's ksmbd server exposes SMB3 session, signing, encryption, and decryption keys in debug logs when KSMBD_DEBUG_AUTH is enabled. Authenticated network attackers with access to system logs can retrieve these cryptographic keys to compromise SMB3 session confidentiality and integrity. EPSS probability is very low (0.01%, 3rd percentile) and no active exploitation is documented. Vendor patches available across multiple stable kernel branches (6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.9, 7.0).
Authenticated CloudStack users can hijack volumes from other tenants' backups via the Backup plugin in versions 4.21.0.0 and 4.22.0.0. Attackers with low-privileged authenticated access can restore any user's backup volume and attach it to their own VMs, enabling complete data theft across tenant boundaries in multi-tenant environments. CVSS 8.1 reflects high confidentiality and integrity impact with low attack complexity. EPSS score of 0.01% indicates minimal observed exploitation activity, while SSVC assessment confirms non-automatable, partial technical impact with no known exploitation. Apache released patch version 4.22.0.1 addressing the access control flaw.
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, /users/login issues a temporary JWT (temp_token) for TOTP-enabled accounts. That token carries a pendingTOTP state and should only be valid for the second-factor flow. However, the auth middleware accepts this token on regular authenticated endpoints. This effectively turns 2FA into single-factor (password) for impacted accounts. This issue has been patched in version 2.1.0.
In-place encryption in the Linux kernel's SMB client corrupts write payloads during retry attempts, potentially causing data integrity loss and denial of service when SMB connections experience transient failures. The flaw affects SMB3 encrypted writes where the encryption process modifies the original buffer in place; on replayable errors (like network interruptions), retries re-send already-encrypted data as if it were plaintext, resulting in double-encryption and corrupted writes. This particularly impacts special file operations (SFU mknod, MF symlinks) and sync writes on pre-6.10 kernels. Patches are available across multiple stable kernel branches (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score is very low (0.01%), indicating minimal observed exploitation likelihood, and no active exploitation or public POC is documented.
ECDSA signature verification bypass in Oviva epa4all-client allows adjacent network attackers to impersonate trusted VAU endpoints without authentication. The SignedPublicKeysTrustValidatorImpl.isTrusted() method discards the boolean return value of Signature.verify() at line 45, accepting any structurally valid signature regardless of cryptographic validity. Vendor-released patch confirmed in version 1.2.1 (PR #34). No public exploit identified at time of analysis, but CVSS 8.1 with adjacent network vector (AV:A) and low complexity (AC:L) indicates straightforward exploitation once attacker is on the same network segment. EPSS data not available.
SQL injection in PraisonAI's multi-backend conversation storage system allows authenticated attackers to execute arbitrary SQL commands. The incomplete fix for CVE-2026-40315 validated input only in SQLiteConversationStore, leaving nine other database backends (MySQL, PostgreSQL, Turso, SingleStore, Supabase, SurrealDB, and their async variants) vulnerable to f-string SQL injection via unvalidated table_prefix and schema parameters. 52 injection points exist across the codebase. Exploitable in multi-tenant deployments or API-driven configurations where table_prefix is derived from external input. Patches released in praisonai 4.6.9 and praisonaiagents 1.6.9 address all affected backends. EPSS and KEV data unavailable; no public POC confirmed at time of analysis.