Local privilege escalation in Palo Alto Networks Prisma Access Agent (all versions prior to 26.2.1) allows any locally authenticated non-administrative user to elevate to root on macOS and Linux, or NT AUTHORITY\SYSTEM on Windows, by exploiting a flawed privilege management mechanism. Successful exploitation grants full control of the affected endpoint, enabling arbitrary code execution and unauthorized access to data restricted to privileged accounts. No public exploit exists and the vulnerability is absent from CISA KEV; however, SSVC rates technical impact as total, making patching a meaningful priority for multi-user and enterprise endpoint environments.
Policy bypass in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user to circumvent access and data control policies via a race condition, potentially exposing restricted data with high confidentiality impact to the vulnerable system. Affected versions span all releases prior to 146.16.6.165, per EUVD-2026-30087 and vendor advisory. No active exploitation is confirmed - the vulnerability is absent from CISA KEV, EPSS sits at 0.01% (3rd percentile), and SSVC assessment categorizes exploitation status as none - indicating this is a low-urgency but architecturally meaningful trust boundary weakness in an enterprise browser control product.
Improper enforcement of the LFENCE serialization property may allow an attacker to bypass speculation barriers and potentially disclose sensitive information, potentially resulting in loss of. Rated medium severity (CVSS 5.7). No vendor patch available.
Buffer overflow in NXP moal.ko Wi-Fi driver versions 5.1.7.10 with firmware v17.92.1.p149.43 through v17.92.1.p149.157 allows local privileged attackers to cause denial of service and potentially corrupt memory via the mod_para parameter in the woal_init_module_param function. The vulnerability requires high-privilege access and cannot be triggered remotely, but public exploit code exists and SSVC analysis indicates non-automatable exploitation with partial technical impact.
Stored Cross-Site Scripting in WPC Badge Management for WooCommerce plugin versions up to 3.1.6 allows authenticated attackers with Shop Manager-level access to inject arbitrary JavaScript via the 'text' attribute of the wpcbm_best_seller shortcode. The injected scripts execute in the browsers of any user visiting the affected page, enabling credential theft, session hijacking, or defacement. The vulnerability stems from insufficient input sanitization and output escaping in shortcode processing.
Concurrent bitfield RMW (Read-Modify-Write) corruption in the Linux kernel MMC core subsystem allows a local authenticated user to trigger spurious WARN_ON panics or system instability on MMC-enabled devices. The root cause is that host->claimed and retune control flags shared a single bitfield word; under concurrent access from __mmc_claim_host() and mmc_mq_queue_rq(), non-atomic RMW operations allow one thread's write to silently overwrite bits modified by another, corrupting MMC host state. No public exploit has been identified at time of analysis, and EPSS sits at 0.02% (7th percentile), reflecting the narrow, race-window-dependent trigger and low attacker leverage on commodity systems.
CR8 write interception mismanagement in KVM's AMD SVM implementation crashes Windows guests on AMD hypervisors with AVIC enabled. When KVM emulates INIT→WFS sequences while AVIC is temporarily deactivated, the CR8 write intercept flag is not cleared upon AVIC reactivation, leaving it permanently enabled. In isolation this is a performance regression, but combined with the TPR synchronization flaw addressed by commit d02e48830e3f, the divergence between hardware-visible and guest-visible TPR values becomes fatal to Windows guests. No public exploit identified at time of analysis; EPSS is 0.02% (7th percentile) and no CISA KEV listing exists.
Null pointer dereference in the Linux kernel's AMD ASoC ACP3x audio driver (acp3x-rt5682-max9836) allows a local low-privileged user on affected hardware to crash the kernel. The flaw originates in acp3x_5682_init(), which failed to validate the return value of clk_get() before passing it to rt5682_clk_enable(), meaning an error pointer could be dereferenced directly. No public exploit identified at time of analysis and the EPSS score of 0.02% (7th percentile) reflects extremely low exploitation interest; this vulnerability is not listed in the CISA KEV catalog.
State management failure in the Linux kernel liveupdate subsystem allows a local low-privileged user to trigger a use-after-free or double-free condition by retrying a failed LIVEUPDATE_SESSION_RETRIEVE_FD ioctl, resulting in kernel crash or WARN and full availability loss. The luo_file struct's retrieve status is never recorded on failure, leaving the kernel's serialization state machine inconsistent; a retry re-enters retrieve logic against partially freed data structures such as kho folio mappings. No public exploit exists and EPSS is 0.02%, placing this firmly in low-priority territory absent active use of the liveupdate feature.
Interrupt storm vulnerability in the Linux kernel xHCI USB host controller driver allows a local user to cause a complete system availability loss by triggering a Host Controller Error (HCE) via UAS storage device hotplug events. Affected kernel versions prior to 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0 fail to invoke xhci_halt() when HCE is detected in xhci_irq(), leaving the interrupt uncleared and the controller running - resulting in a continuous interrupt storm. No public exploit has been identified and EPSS is 0.02% (5th percentile), consistent with the hardware-interaction-dependent trigger, but availability impact is high on affected hosts where USB ports are physically accessible.
Random system freeze vulnerability in the Linux kernel's libata-core subsystem affects any Linux host physically equipped with a Seagate ST1000DM010-2EP102 BarraCuda hard drive, where the kernel's default enablement of SATA Link Power Management (LPM) causes the drive to fail its wake sequence and hang the system irrecoverably. The ST1000DM010-2EP102 belongs to the same BarraCuda family as the ST2000DM008-2FR102, for which an LPM quirk already exists in libata - the fix extends that quirk to cover this model. No active exploitation has been identified (absent from CISA KEV), and EPSS at 0.02% reflects negligible adversarial interest, consistent with this being a hardware compatibility defect rather than a traditional security flaw.
Infinite fault loop in the Linux kernel's arm64 contiguous PTE (contpte) subsystem exposes systems using SMMU or CPU configurations without hardware dirty-bit management support to a local denial of service. The defect in `contpte_ptep_set_access_flags()` causes a gathered AF/dirty-bit view across contiguous sub-PTEs to produce false no-ops, leaving individual target sub-PTEs in a stale hardware state that triggers perpetual page faults on non-FEAT_HAFDBS-aware walkers such as SMMMUs without HTTU or CPUs with HA/HD disabled in CD.TCR. No confirmed active exploitation exists; EPSS is 0.02% at the 5th percentile, consistent with the hardware-specific, local-only attack surface.
A race condition in the Linux kernel's sched_ext BPF scheduler subsystem allows a local low-privileged user to permanently hang the system when sched_ext is actively loaded. Between scx_claim_exit() atomically marking error exit and the subsequent kick of the helper kthread, a preemption window exists where the BPF scheduler - now with error handling disabled - may fail to reschedule the calling task, leaving the helper work permanently unqueued. The result is bypass mode never activating, task dispatching halting, and a complete system wedge. No public exploit has been identified and EPSS sits at 0.02% (5th percentile), but the availability impact is total for affected systems running a custom BPF scheduler.
NULL pointer dereference in the Linux kernel's RT1011 ASoC codec driver allows a local, low-privileged user to crash the kernel on systems equipped with Realtek RT1011 smart speaker amplifier hardware. The flaw in rt1011_recv_spk_mode_put() uses an incorrect helper to retrieve the DAPM (Dynamic Audio Power Management) context from a kcontrol object, yielding a NULL pointer that is subsequently dereferenced, triggering a kernel oops or panic. No public exploit is identified and EPSS of 0.02% (5th percentile) reflects negligible real-world exploitation probability, though vendor-confirmed patches are available in Linux 6.19.9 and 7.0.
Spurious WARN_ON assertions in the Linux kernel's nouveau/gsp ACPI probe routines trigger frequently during normal NVIDIA GPU initialization, creating an availability risk on affected systems. On kernels configured with panic_on_warn=1, each triggered WARN_ON escalates to a full kernel panic, while on default configurations it produces excessive kernel log noise that degrades observability. Affected kernel versions range from the introduction of commit 176fdcbddfd2 through stable branches fixed in 6.18.19, 6.19.9, and 7.0; no active exploitation is identified (EPSS 0.02%, not in CISA KEV).
Kernel availability disruption in the Linux lan78xx USB-to-Ethernet driver allows a local user with low privileges to trigger a kernel WARN in __netif_napi_del_locked() by disconnecting an affected USB Ethernet adapter. The root cause is a redundant netif_napi_del() call in the driver's disconnect path while NAPI processing is still active, conflicting with the teardown that unregister_netdev() performs automatically. No public exploit exists and EPSS is 0.02% (4th percentile), indicating very low real-world exploitation interest; this is primarily a stability and denial-of-service concern on embedded and desktop Linux systems using the SMSC/Microchip LAN78xx adapter family.
System hang via Machine Check Error (MCE) in the Linux kernel's Intel i915 DRM driver affects ICL (Ice Lake) generation GPU hardware when VRR timing registers are written before TRANS_DDI_FUNC_CTL is enabled, violating Intel BSpec 22243. Local low-privilege users on ICL systems - particularly those with external displays connected through USB-C docks experiencing link training failure - can trigger an unrecoverable system hang. No public exploit exists and EPSS is 0.02%, consistent with the hardware-specific, condition-dependent nature of the bug; no active exploitation is confirmed.
Buffer Overflow vulnerability in Ardupiot Copter Latest commit 92693e023793133e49a035daf37c14433e484778 allows a local attacker to cause a denial of service via the AP_MSP::loop, AP_MSP, AP_MSP.cpp. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress versions up to 8.9.0 allows authenticated attackers to delete any user's published and scheduled social media post records due to missing ownership verification in the deleteUserPublishPost() and deleteUserSchedPost() functions. Attackers can supply arbitrary sequential post IDs to permanently soft-delete other users' B2S post records, disrupting content publishing workflows across multiuser WordPress installations. This vulnerability requires valid WordPress user authentication but no elevated privileges.
Nautobot's REST API fails to enforce user 'view' permissions when resolving GenericForeignKey references during object creation or update, allowing authenticated users to create cross-object associations to records they are explicitly denied access to view. Any Nautobot user holding write access to an affected model - including ImageAttachment, Cable, Note, ContactAssociation, and over a dozen others - can link those records to restricted objects (e.g., Devices) if they know the target's UUID through any side channel. No public exploit has been identified and this vulnerability is not listed in CISA KEV; EPSS of 0.02% (6th percentile) reflects low probability of automated exploitation, though the authorization bypass is straightforward once credentials and a target UUID are in hand.
Insufficient input validation in MISP's Collections model allows authenticated low-privileged users to inject malformed UUID values into Collection records, potentially causing data integrity issues or unexpected behavior in downstream code paths that assume RFC 4122-compliant UUIDs. Affected deployments are all MISP instances prior to version 2.5.37. No public exploit code exists and CISA's SSVC framework rates exploitation as none, making this a low-urgency integrity issue rather than an active threat, though integrity of Collection relationships and UUID-dependent logic is at risk until patched.
XML External Entity (XXE) injection in ERPNext's EDI Module allows authenticated low-privilege attackers to read arbitrary files from the server's local filesystem, including sensitive configuration files that may contain database credentials or API keys. Affected are all ERPNext installations on the v15 branch prior to 15.104.3 and on the v16 branch prior to 16.12.0 (cpe:2.3:a:frappe:erpnext:*). No public exploit identified at time of analysis, EPSS exploitation probability sits at 0.06% (18th percentile), and CISA SSVC assesses exploitation as none and the attack as non-automatable - collectively placing this at lower operational priority despite its network-accessible attack vector.
Unauthenticated attackers can retrieve any support ticket content from the ilGhera Support System for WooCommerce plugin (versions up to 1.3.0) by exploiting a missing capability check in the 'get_ticket_content_callback' function, exposing sensitive customer data and private communications without authentication. The vulnerability requires only a valid ticket ID and network access, with no active public exploitation confirmed at time of analysis, but the low attack complexity and unauthenticated nature make it practically exploitable against any WordPress site running the affected plugin.
Authenticated instructors in Tutor LMS versions up to 3.9.9 can manipulate course ownership logic via an attacker-controlled GET parameter to perform unauthorized operations on other instructors' courses, including deleting lessons, quizzes, assignments, and student data, or modifying course content and grades. The vulnerability stems from the `get_course_id_by()` function unconditionally trusting user-supplied input instead of validating course ownership, bypassing the plugin's primary authorization gate. No public exploit code or active exploitation has been identified at time of analysis.
F5 BIG-IP iControl REST API allows authenticated attackers to enumerate local user account names through undisclosed requests, leading to information disclosure of administrative user identities. The vulnerability requires valid authentication credentials and network access to the iControl REST interface, affecting systems with BIG-IP versions that have not reached End of Technical Support. CVSS 4.3 (low) reflects the requirement for prior authentication and confidentiality-only impact, though the enumeration of administrative accounts could facilitate downstream attacks.
Brute-force lockout bypass in OPNsense prior to 26.1.7 allows unauthenticated remote attackers to indefinitely circumvent the authentication failure counter, enabling unlimited credential guessing against any network-accessible login endpoint. The flaw resides in the lockout_handler logic, which interprets attacker-controlled username strings containing the keywords 'Accepted' or 'Successful login' as success signals and resets the IP-based failure counter. A publicly available proof-of-concept exploit exists (SSVC exploitation: poc), the attack is classified as automatable with no prerequisites beyond network reach, and no active exploitation is confirmed in CISA KEV. EPSS is low at 0.03% (10th percentile), suggesting limited observed exploitation at time of analysis.
Unauthenticated attackers can manipulate product prices in WooCommerce carts via an unprotected AJAX action in the Cost Calculator Builder plugin for WordPress (versions up to 4.0.1) when used with Cost Calculator Builder PRO. The vulnerability stems from the ccb_woocommerce_payment AJAX endpoint being registered without authentication requirements (wp_ajax_nopriv) and failing to validate user input before passing it to checkout initialization, allowing price modification without authorization. This is an Insecure Direct Object Reference (IDOR) flaw with moderate CVSS score (5.3) that enables integrity violations but not confidentiality breaches or availability impact.
Denial of service in MongoDB Server v7.0 through v8.3 allows authenticated users with aggregation permissions to exhaust CPU resources via densely populated character masks in $trim, $ltrim, and $rtrim aggregation operators. An attacker can pin CPU utilization at 100% for extended periods by crafting malicious aggregation queries with large input strings and computationally expensive mask patterns. No public exploit code or active exploitation has been reported at time of analysis.
Heap out-of-bounds read in Crypt::Argon2 for Perl (versions 0.017 through 0.030) exposes applications to process crash or heap memory leakage when argon2_verify is called with an empty encoded hash string. The defect is a size_t integer underflow: the auto-detect variant of argon2_verify subtracts 1 from encoded_len without a zero-check, wrapping to SIZE_MAX and causing memchr to scan up to SIZE_MAX bytes of adjacent heap memory. No public exploit has been identified and no CISA KEV listing exists; EPSS is 0.03% (9th percentile), consistent with the SSVC assessment of exploitation status 'none'.
The Broadstreet WordPress plugin versions up to 1.53.1 exposes sensitive business information through an unauthenticated AJAX endpoint (get_sponsored_meta), allowing attackers to extract password-protected and private business details. Despite the CVSS vector indicating PR:N, the vulnerability requires subscriber-level or higher WordPress access, making authenticated users the primary attack vector. The exposure is limited to confidentiality impact with no integrity or availability compromise.
Cross-site request forgery (CSRF) in F5 BIG-IP Configuration utility dashboard allows unauthenticated remote attackers to perform unauthorized actions (integrity and availability impact) against authenticated users through malicious web pages, requiring user interaction to click a crafted link. Patch is available from F5. No public exploit code or active exploitation confirmed at time of analysis.
Authenticated attackers with Subscriber-level access can modify the API key stored in the Hostinger Reach WordPress plugin (versions up to 1.3.8) due to missing capability checks in the AJAX handler, but only when the plugin is not yet connected to a site and the database contains no existing API key. The vulnerability allows unauthorized data modification via the 'hostinger_reach_connection_notice_action' action with CVSS 5.3 (network-accessible, high integrity impact, but requiring low-privilege authentication and non-standard conditions).
Unauthenticated access to an exposed Keycloak management service in the Arqit Symmetric Key Agreement Platform allows remote attackers to read sensitive operational data including application metrics and health status without any credentials. All versions of the platform prior to 26.03 are affected. The CVSS vector (PR:N/AC:L) confirms no authentication is required and exploitation is straightforward; however, EPSS at 0.01% (1st percentile) and SSVC exploitation status of 'none' indicate no public exploit or active targeting observed at time of analysis.
Uncontrolled recursion in protobufjs versions prior to 7.5.8 and 8.2.0 allows remote attackers to exhaust the JavaScript call stack by providing crafted JSON descriptors with deeply nested namespace definitions to Root.fromJSON() or Namespace.addJSON(), causing a denial of service. The vulnerability requires only network access and no authentication, though exploitation depends on the application parsing untrusted protobuf JSON descriptors.
Privilege escalation in the mk_mysql agent plugin on Windows in Checkmk <2.4.0p29, <2.3.0p47, and 2.2.0 (EOL) allows a local unprivileged user able to create a Windows service whose name matches. Rated medium severity (CVSS 5.2), this vulnerability is low attack complexity.
Buffer overflow in Palo Alto Networks GlobalProtect App (versions 6.0 through 6.3) allows an adjacent-network attacker positioned as a man-in-the-middle to corrupt memory during Portal/Gateway message processing, potentially executing arbitrary code with SYSTEM privileges on affected endpoints. Affected platforms include Windows (including the UWP variant), macOS, and other non-iOS clients; iOS is explicitly excluded by the vendor. No public exploit identified at time of analysis - EPSS stands at 0.01% and SSVC confirms no current exploitation - however the SSVC technical impact rating of 'total' and potential for full SYSTEM-level compromise justify prioritized patching for endpoints connecting from untrusted networks.
Improper certificate validation in Palo Alto Networks Prisma SD-WAN ION allows an adjacent-network attacker positioned as a man-in-the-middle to impersonate the SD-WAN controller, achieving high confidentiality, integrity, and availability impact against the vulnerable device. Affected versions span three active release trains (6.3.x, 6.4.x, and 6.5.x), with fixed builds now available from Palo Alto Networks. No public exploit identified at time of analysis, and EPSS sits at 0.00%, but SSVC rates technical impact as total given the controller-impersonation capability.
Improper input validation in Routines prior to SMR May-2026 Release 1 allows physical attackers to launch privileged activity.
Stored cross-site scripting in Quark Drive (quark-auto-save) before version 0.8.5 allows an authenticated low-privileged user to inject persistent JavaScript payloads that execute in the browsers of all authenticated users who view the System Configuration page. The root cause is Vue.js's v-html directive rendering push_config key names as raw HTML without sanitization, with payloads written to disk via the POST /update endpoint. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (10th percentile) signals very low current exploitation probability, but the persistent, multi-victim nature of the stored XSS elevates real-world impact in multi-user deployments.
Disk exhaustion in AutoGPT Platform before version 0.6.32 enables denial of service through unbounded Docker container log accumulation under high user access volume. The platform writes execution activity to stdout/stderr without any rotation or size cap, and Docker captures these logs indefinitely to host disk - a CWE-770 resource allocation failure. No public exploit has been identified at time of analysis; SSVC confirms exploitation status of none, and EPSS is 0.01% (3rd percentile), indicating negligible observed exploitation probability.
Improper export of android application components in OmaCP prior to SMR May-2026 Release 1 allows local attackers to trigger privileged functions.
Incorrect privilege assignment in LocationManager prior to SMR May-2026 Release 1 allows local attackers to access sensitive information.
csync2 compiled with C99 or later creates insecure temporary directories vulnerable to time-of-check-time-of-use (TOCTOU) attacks, allowing local authenticated users with user interaction to cause denial of service through symlink or directory manipulation. The vulnerability affects OpenSUSE Tumbleweed and requires local access with low privileges and user interaction to exploit.
Incorrect Authorization in Palo Alto Networks Trust Protection Foundation allows adjacent-network unauthenticated attackers to bypass access controls and perform unauthorized actions against restricted resources. Affected version branches include 24.1.x, 24.3.x, 25.1.x, and 25.3.x, with fixed builds available from Palo Alto Networks. No public exploit identified at time of analysis, EPSS sits at the 1st percentile (0.01%), and SSVC rates exploitation as none - but the high availability impact component (VA:H in CVSS 4.0) on vulnerable systems makes patching a priority for organizations with exposed deployments.
Cross-site request forgery (CSRF) in ELECOM wireless LAN access points (WAB-BE187-M, WAB-BE72-M, WAB-BE36-M, WAB-BE36-S) allows remote attackers to trick authenticated users into performing unintended administrative operations by viewing a malicious webpage. The vulnerability exists despite CSRF token implementation due to inadequate token validation, enabling integrity compromise of access point configuration without user knowledge.
ELECOM wireless LAN access point models WAB-BE187-M, WAB-BE72-M, WAB-BE36-M, and WAB-BE36-S fail to validate the language parameter in administrative pages, allowing remote attackers to break the admin interface for logged-in users via malicious web pages. The vulnerability requires user interaction (viewing a malicious page while authenticated to the access point) and results in denial of service of the administrative interface rather than data exposure or unauthorized access. No public exploit code has been identified at time of analysis.
Authenticated file read and delete in Palo Alto Networks WildFire WF-500 and WF-500-B on-premise sandboxing appliances exposes sensitive system information and permits arbitrary file deletion by low-privileged network users. The root cause is CWE-73 (External Control of File Name or Path), where user-supplied input is insufficiently validated before being used to construct file system paths. Exploitation is constrained to appliances running in the default non-FIPS configuration mode; organizations relying solely on the WildFire Public cloud service are not impacted. No public exploit has been identified at time of analysis, consistent with EPSS at 0.05% (16th percentile) and SSVC exploitation status of 'none'.
Server-Side Request Forgery (SSRF) in ERPNext allows an authenticated remote attacker to send a crafted request to a vulnerable endpoint, causing the ERPNext server to issue arbitrary outbound HTTP calls to attacker-controlled services. The CVSS Changed scope (S:C) indicates the impact extends beyond the application itself, enabling potential access to internal network resources, cloud metadata services, or other intranet endpoints not otherwise reachable by the attacker. Vendor-released patches exist in versions 15.106.0 and 16.16.0; no active exploitation has been confirmed (not listed in CISA KEV) and EPSS sits at a very low 0.02%.
Reflected cross-site scripting (XSS) in Garmin WDU v1 1.4.6 and v2 5.0 allows local network attackers to execute arbitrary JavaScript with full administrator-level access to the device. Exploitation requires the victim to visit a malicious URL and click an element on the rendered page, making this a moderate-risk vulnerability primarily affecting users on trusted networks who may be socially engineered.
Denial of service in Palo Alto Networks Prisma SD-WAN ION devices allows an unauthenticated attacker with adjacent network access to crash or disrupt the device by sending a specially crafted IPv6 packet. The vulnerability (CWE-606) exists across three active release branches of the ION software, with fixed versions available from Palo Alto Networks. No public exploit code exists and no active exploitation has been identified at time of analysis, with EPSS at 0.03% and SSVC confirming exploitation status as none.