Reflected cross-site scripting in Mercury docuForm v11.11c allows authenticated attackers to execute arbitrary JavaScript in victim browsers via crafted payloads to dfm-menu_alerts.php. Attack requires low complexity and user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:R). Public proof-of-concept exists on GitHub (ZeroBreach-GmbH gist), but no CISA KEV listing indicates targeted or low-volume exploitation. EPSS data not available, but the authentication requirement and user interaction dependency reduce attack surface compared to stored XSS.
Reflected cross-site scripting in Mercury Managed Print Services docuForm v11.11c allows authenticated attackers with low privileges to execute arbitrary JavaScript in victim browsers via the acc-menu_pricess.php component. Public proof-of-concept exploit code exists on GitHub (ZeroBreach-GmbH). EPSS data not available, not listed in CISA KEV. Attack requires user interaction (phishing/social engineering to click malicious link), limiting automated exploitation but enabling credential theft and session hijacking for authenticated users.
Reflected cross-site scripting in Mercury docuForm (Managed Print Services) v11.11c enables authenticated attackers to execute arbitrary JavaScript in victim browsers when users click malicious links. The vulnerability exists in dfm-menu_markeralerts.php due to unfiltered variable handling. CVSS 7.3 (High) reflects network-accessible attack requiring low-privilege authentication and user interaction. No public exploit confirmed, but proof-of-concept code published by ZeroBreach GmbH demonstrates feasibility. EPSS data unavailable; not in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.
Remote denial-of-service and limited information disclosure in dnsmasq's extract_addresses() function allows attackers controlling or able to inject DNS responses to crash the daemon by sending a malformed DNS record whose declared rdlen pushes extract_name() past the record boundary, triggering a heap out-of-bounds read. The flaw affects dnsmasq 2.93 and downstream packages from Red Hat, SUSE, Ubuntu, and Pi-hole FTL. No public exploit identified at time of analysis, EPSS exploitation probability is 0.03% (9th percentile), and CISA SSVC rates exploitation as 'none' with only partial technical impact.
Heap buffer overflow in dnsmasq's extract_name() function allows remote attackers to write out-of-bounds on the heap, enabling DNS cache poisoning that redirects lookups to attacker-controlled IP addresses or causes denial of service. The flaw stems from a bigname namebuffer sized for wire-form domain names (MAXDNAME) instead of the larger escaped internal representation (MAXDNAME*2 + 1). EPSS is low (0.03%, 9th percentile) with no public exploit identified at time of analysis, but multiple major distributions (Red Hat, SUSE, Ubuntu) have shipped patches reflecting widespread downstream exposure.
Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock mechanism intended to prevent further login attempts.
Alien::FreeImage versions through 1.001 for Perl contains several vulnerable libraries. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Out-of-bounds write in Apple's file parsing component across iOS, iPadOS, and macOS enables remote code execution or denial of service via maliciously crafted files with no user interaction required. Exploitation probability is extremely low (EPSS 0.02%, 6th percentile) with no public exploit identified at time of analysis, despite the critical CVSS 7.3 score and network-based attack vector. Vendor patches available for all affected platforms (iOS/iPadOS 18.7.9, 26.5; macOS Sonoma 14.8.7, Sequoia 15.7.7, Tahoe 26.5). The CVSS vector indicating AV:N/PR:N/UI:N suggests automatic exploitation without user interaction, which contradicts the description's 'parsing a file' language - verify whether this requires user action to open/download the file or if background processes parse untrusted files automatically.
CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its gRPC server component. When the server starts, it loads the speech synthesis model from a user-specified directory using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious model files within a directory. When a victim starts the gRPC server pointing to this directory, arbitrary code is executed on the victim's system during server initialization.
CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its make_parquet_list.py data processing tool. The script loads PyTorch .pt files (utterance embeddings, speaker embeddings, speech tokens) using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious .pt files within a data directory. When a victim processes this directory using the tool, arbitrary code is executed on the victim's system.
CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its average_model.py model averaging tool. The script loads PyTorch checkpoint files (epoch_*.pt) for model averaging using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious checkpoint files within a directory. When a victim uses the tool to average models from this directory, arbitrary code is executed on the victim's system.
The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains an insecure deserialization vulnerability (CWE-502) in its checkpoint loading mechanism. The load_checkpoint() function in checkpoint.py and the checkpoint loading code in eval.py use torch.load() without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a maliciously crafted checkpoint file. When a victim loads this checkpoint during model warmstarting or evaluation, arbitrary code is executed on the victim's system.
Remote code execution in QuickJS-NG 0.12.1 allows unauthenticated network attackers to execute arbitrary code through the js_mapped_arguments_mark function. The vulnerability enables attackers to achieve code injection with low confidentiality, integrity, and availability impact via network-accessible JavaScript engine exploitation. EPSS score of 0.02% (5th percentile) indicates very low predicted exploitation probability, and no active exploitation has been publicly reported at time of analysis.
The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains a code injection vulnerability (CWE-94) in its training script. The script registers the Python eval() function as a Hydra configuration resolver under the name eval. This allows configuration files to execute arbitrary Python code via the ${eval:...} syntax. An attacker can exploit this by providing a malicious configuration file, leading to arbitrary code execution when the training script is run with that configuration.
Out-of-bounds read in Apple operating systems allows malicious applications to crash the system or leak kernel memory across iOS/iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, and watchOS 26.5. The vulnerability requires local application execution but no user interaction, enabling information disclosure and denial-of-service attacks. Despite high CVSS 7.3 scoring, the EPSS probability is very low (0.02%, 5th percentile), indicating minimal observed exploitation activity. Vendor-released patches are available for all affected platforms.
A missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and SOAP API mc_issue_attachment_get endpoint. ### Impact - REPORTER (access level 25) can view file attachments that were uploaded to private bugnotes by DEVELOPER/MANAGER/ADMIN users - Private bugnotes are intended for internal developer discussion; their attachments (logs, screenshots, patches) should be equally protected - The web UI is NOT affected - it filters through bugnote_get_all_visible_bugnotes() first ### Patches - 029d9d203d9e4ae96b3e59d552fa7395cc1e5071 ### Workarounds None ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue. - Vishal Shukla - Tristan Madani (@TristanInSec) from Talence Security - Tang Cheuk Hei (@siunam321) This advisory's contents was largely copied from Tristan's well-written report.
Symbolic link path traversal in pgAdmin 4 File Manager allows authenticated users to write arbitrary files on the server filesystem. Attackers with valid credentials can plant symlinks in their storage directory pointing outside it, bypassing access controls to overwrite critical system files or application configurations with pgAdmin process privileges. The vulnerability combines CWE-61 (symlink following) with a time-of-check-time-of-use race condition. Affects all pgAdmin 4 versions before 9.15. No active exploitation confirmed (not in CISA KEV), but exploit is straightforward for authenticated attackers given the detailed fix description published by PostgreSQL project.
Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to arbitrary URLs, including internal services and cloud metadata endpoints (e.g., AWS EC2 metadata at 169.254.169.254). Affects MLflow versions prior to 3.9.0. The webhook creation endpoint accepts unvalidated user-controlled URLs that are later used in HTTP POST requests, enabling cloud credential theft, internal network reconnaissance, and data exfiltration. Vendor-released patch available in MLflow 3.9.0, confirmed by GitHub commit 64aa0ab. No active exploitation confirmed (not in CISA KEV), but publicly disclosed with detailed technical analysis from huntr.com.
Authenticated users in pgAdmin 4 before version 9.15 can read arbitrary server-side files or trigger server-side request forgery (SSRF) attacks via unvalidated LLM API configuration endpoints. The vulnerabilities exist in the chat and model-list endpoints where user-supplied api_key_file and api_url parameters are passed directly to LLM provider clients without sanitization, enabling attackers to exfiltrate sensitive files (database credentials, private keys) readable by the pgAdmin process or coerce internal requests to cloud metadata services and private infrastructure.
Insecure Direct Object Reference (IDOR) in Open WebUI allows authenticated users with read-only channel access to modify or delete any message in those channels, bypassing frontend ownership controls through direct API calls. The vulnerability affects the channels feature in Open WebUI versions ≤0.6.18, exploiting missing message ownership validation in backend FastAPI endpoints despite correct frontend access control implementation. Publicly available exploit code exists with detailed proof-of-concept demonstrating privilege escalation from read to write/delete permissions. Vendor-released patch available in version 0.6.19.
The issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Tahoe 26.5. Processing a maliciously crafted file may lead to a denial-of-service or potentially disclose memory contents.
barebox prior to version 2026.04.0 contains an out-of-bounds read vulnerability in DHCP option parsing within the dhcp_message_type() function that fails to verify the options pointer remains within received packet bounds. An attacker on the same broadcast domain can send a crafted DHCP Offer or ACK packet without a proper 0xff end marker to cause the parser to read past valid packet data and potentially crash the system.
User equipment (UE) downlink traffic can be redirected to attacker-controlled radios in Ella Core (5G AMF software) versions prior to 1.10.0. A malicious radio with a valid NG Setup connection can forge PDUSessionResourceSetupResponse messages using arbitrary AMF-UE-NGAP-IDs, causing Ella Core to create GTP tunnels that misdirect victim UE downlink packets to the attacker's radio. This enables traffic interception and denial of service against targeted UEs. The vulnerability stems from missing validation that NGAP messages arrive on the correct SCTP association for the UE context. No public exploit identified at time of analysis, and EPSS data not available. Vendor-released patch: version 1.10.0.
Commit and tag signature confusion in go-git (the pure-Go implementation of Git) lets a crafted Git object carry a signature that validates while its effective metadata differs from what was actually signed. Because go-git parses ambiguous or malformed object headers differently from canonical Git, and because its signing/verification path operates over a reconstructed representation rather than the raw object bytes, an attacker with contributor access can create commits whose displayed author/committer/metadata diverges from the signed payload - undermining downstream trust decisions (the issue was originally surfaced through sigstore/gitsign). Affected releases are go-git v5 before 5.19.0 and v6 alpha builds 6.0.0-alpha.1 through 6.0.0-alpha.2. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was provided in the source data.
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the podcast creation endpoint at server/controllers/PodcastController.js accepts a user-controlled file path without sufficient boundary validation to ensure it remains within the intended library directory. This vulnerability is fixed in 2.32.2.
Integer coercion error in bettercap's zerogod IPP service allows remote attackers to trigger information disclosure via malformed chunked HTTP requests. Versions up to 2.41.5 are affected. The vulnerability exists in the ippReadChunkedBody function where integer type conversions lack proper bounds validation, enabling attackers to cause memory access violations that leak sensitive data. Publicly available exploit code exists, and while CVSS 2.9 indicates low severity, the attack requires high complexity and has limited impact; however, the vulnerability is confirmed remotely exploitable without authentication.
WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, atendido/familiar_docfamiliar.php displays an overly descriptive error message, including database-related details. This verbosity leads to information disclosure, which could assist a potential attacker in mapping the backend infrastructure and expanding the attack surface. This vulnerability is fixed in 3.7.0.
pgAdmin 4 before version 9.15 allows unauthenticated attackers to bypass account lockout and perform unbounded password-guessing attacks against INTERNAL authentication accounts by exploiting Flask-Security's default /login endpoint, which does not enforce the locked column that the custom /authenticate/login view relies on for brute-force protection. The vulnerability affects only accounts using pgAdmin's INTERNAL authentication source; LDAP, OAuth2, Kerberos, and Webserver authentication methods are not vulnerable because they do not use local passwords.
barebox version prior to 2026.04.0 contains a denial-of-service vulnerability in ext4 directory parsing in fs/ext4/ext4_common.c where the ext4fs_iterate_dir() function fails to validate that directory entry length values are non-zero. Attackers can supply a malicious ext4 filesystem image with a crafted directory entry containing a direntlen value of 0 to cause an infinite loop during directory listing or path resolution, resulting in the boot process hanging indefinitely.
barebox prior to version 2026.04.0 contains out-of-bounds read vulnerabilities in ext4 extent parsing due to missing validation of the eh_entries field against buffer capacity in fs/ext4/ext4_common.c. Attackers can supply a malicious ext4 filesystem image via USB, SD card, or network boot to trigger heap out-of-bounds reads during boot-time filesystem parsing, potentially redirecting reads to arbitrary disk offsets.
Summarize versions through 0.14.1 create daemon configuration files with world-readable permissions, allowing local attackers with user-level access to read bearer tokens and API credentials from ~/.summarize/daemon.json. The vulnerability enables unauthorized daemon access or recovery of sensitive provider API keys through insecure file permissions on Unix-like systems.
Stored Cross-Site Scripting in WeGIA versions prior to 3.7.3 allows authenticated high-privilege users to inject malicious JavaScript into the Processo de Aceitação page that executes when any user accesses the vulnerable endpoint, enabling session hijacking and account takeover. The vulnerability is confined to high-privilege authenticated access (PR:H) with no user interaction required on the victim side, though scope is changed (S:C) indicating cross-context impact. No public exploit code or active exploitation has been identified.
Stored cross-site scripting (XSS) in WeGIA versions prior to 3.7.3 allows authenticated high-privilege users to inject malicious JavaScript into the Etapas de um Processo page, which executes when other users access the page, enabling session hijacking and account takeover. The vulnerability requires high-privilege authentication (PR:H) but affects all users who subsequently visit the injected page, with no public exploit identified at time of analysis.
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (password change, KDF change, key rotation, email change, org admin password reset, emergency access takeover). This allows an attacker holding a previously obtained refresh token to maintain session access even after the user has taken action to secure their account. This vulnerability is fixed in 1.35.5.
Path traversal in Crabbox <0.9.0 allows local attackers to delete or overwrite arbitrary files via malicious .crabbox.yaml configuration. When a user executes Crabbox commands with a crafted workspace configuration containing directory traversal sequences (e.g., '../../../'), the Islo provider performs rm -rf and mkdir -p on attacker-controlled paths outside /workspace. Patch available in v0.9.0 (commit 6b07193). No KEV listing or public POC identified, but exploitation requires only user interaction (opening/running a malicious project), not authentication or special privileges.
Tookie is a advanced OSINT information gathering tool. Prior to 4.1fix, modules/modules.py's write_txt, write_csv, write_json, and (commented-but-shipping) scan_file helpers open their output as open(f"{user}.<ext>"), where user comes unsanitized from the -u CLI flag or any line of a -U usernames file. A username that contains path-separator sequences (.., /, \, or an absolute path) causes tookie-osint to write the scan output to an arbitrary path the invoking user has write permission for. This vulnerability is fixed in 4.1fix.
Improper privilege management in Dell ECS 3.8.1.0-3.8.1.7 and ObjectScale prior to 4.3.0.0 allows high-privileged local attackers to escalate privileges and gain full system access, affecting confidentiality, integrity, and availability. No public exploit code or active exploitation has been identified at the time of analysis.
Remote authenticated command injection in Tenda AC6 router firmware version 15.03.06.23 allows authenticated attackers to execute arbitrary OS commands via manipulation of the wl2g.public.country or wl5g.public.country parameters in the /goform/WifiApScan endpoint. The vulnerability affects the httpd component's formWifiApScan function and has publicly available exploit code, presenting moderate risk to affected deployments.
GPT-Pilot thru commit 0819827ce20346ef5f25b3fe29293cb448840565 (2025-09-03) contains a command injection vulnerability (CWE-78) in the Executor.run() method. During project execution, when the system prompts the user to confirm or modify a command to be run, it accepts free-text input without proper validation. The user-supplied input is directly passed to asyncio.create_subprocess_shell() for execution. This allows an attacker to replace the intended command with arbitrary shell commands, leading to remote code execution with the privileges of the GPT-Pilot process.
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each-skipping the "share" permission check. A subsequent shares.update authorizes publication using an OR policy (can share collection OR can share document), so an attacker who holds share permission on one unrelated collection can publish a share that exposes an arbitrary document they cannot legitimately share, making it publicly accessible to unauthenticated users. This vulnerability is fixed in 1.7.0.
Streamlink versions 8.3.0 and earlier allow arbitrary local file read via unvalidated URI schemes in HLS and DASH parsers. A remote attacker hosting a malicious `.m3u8` or `.mpd` manifest can trick streamlink clients into reading local files (such as SSH keys, AWS credentials, or `/etc/passwd`) and writing their contents to the output stream. Requires user interaction (clicking/running streamlink against attacker-controlled playlist), but no authentication needed. CVSS 6.5 reflects the information disclosure risk; affected deployments with automated processing or cloud sync pose material exfiltration risk.
Information leakage in Apple operating systems allows remote attackers to extract sensitive data by crafting and hosting malicious websites that users visit. The vulnerability affects iOS 18.7.8 and earlier, iPadOS 18.7.8 and earlier, macOS Sequoia 15.7.6 and earlier, macOS Sonoma 14.8.6 and earlier, macOS Tahoe 26.4 and earlier, tvOS 26.4 and earlier, visionOS 26.4 and earlier, and watchOS 26.4 and earlier. Exploitation requires user interaction (UI:R) to visit a malicious website but does not require authentication, with an EPSS score of 0.03 percent indicating low real-world exploitation probability despite the information disclosure impact.
Memory corruption in Apple's WebKit web content processing engine causes an unexpected process crash (denial-of-service) across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS when a victim processes attacker-controlled web content. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H confirms network-reachable, unauthenticated exploitation limited to availability impact within the affected process - no code execution or data exfiltration is indicated. No public exploit code has been identified at time of analysis, and EPSS scoring at 0.03% (10th percentile) combined with SSVC Exploitation status of 'none' signal low current exploitation pressure.
Authenticated users with download permissions in Audiobookshelf prior to 2.32.2 can download files from libraries they do not have access to by directly specifying item IDs in the GET /api/libraries/:id/download endpoint, bypassing library access controls. An attacker with valid credentials and access to any single library can exfiltrate complete file contents from restricted libraries, including those explicitly denied to them.
HTTP::Tiny versions before 0.093 for Perl fail to validate carriage return and line feed (CRLF) characters in HTTP request lines and header values, allowing attackers who control input URLs or headers to inject additional HTTP headers and smuggle requests to upstream servers. Remote unauthenticated attackers can exploit this via crafted URLs passed to webhook or URL fetch endpoints, achieving limited information disclosure and integrity compromise. EPSS score of 0.03% (percentile 7%) indicates low practical exploitation probability despite network-vector accessibility.
Improper authorization in Open WebUI versions up to 0.8.5 allows authenticated users to modify messages in standard channels by exploiting a read-permission check that should require write permission. The vulnerability affects the POST /api/v1/channels/{channel_id}/messages/{message_id}/update endpoint when access_control is set to None, enabling message tampering without ownership verification. Patch available in version 0.8.6.
Memory corruption in Apple operating systems allows remote attackers to trigger unexpected app termination or corrupt process memory by delivering a maliciously crafted media file to users, requiring user interaction to open the file. Affects iOS/iPadOS 26.4 and earlier, macOS Sequoia 15.7.6 and earlier, macOS Sonoma 14.8.6 and earlier, macOS Tahoe 26.4 and earlier, tvOS 26.4 and earlier, visionOS 26.4 and earlier, and watchOS 26.4 and earlier. No public exploit identified at time of analysis; vendor-released patches are available across all affected platforms.
Out-of-bounds write in Apple operating systems allows network-based unauthenticated attackers to corrupt kernel memory or cause denial of service without user interaction. The vulnerability affects iOS, iPadOS, macOS, tvOS, visionOS, and watchOS across multiple versions. Apple has released patches for all affected platforms, though the extremely low EPSS score (0.02%) suggests real-world exploitation risk is minimal despite the network attack vector.
KQL injection in kafka-sink-azure-kusto Kafka Connect plugin prior to 5.2.3 allows authenticated administrators with Kafka Connect configuration permissions to inject arbitrary KQL management commands by embedding metacharacters in the kusto.tables.topics.mapping configuration fields (db, table, mapping, format). An attacker with connector configuration privileges could enumerate or modify schemas, tamper with ingestion mappings, or alter streaming and retention policies on the target Azure Data Explorer database using the connector's service principal credentials. The vulnerability is fixed in version 5.2.3 and has not been observed in active exploitation at the time of this analysis.
An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Parsing a maliciously crafted file may lead to an unexpected app termination.