SQL injection in CubeCart v6 prior to 6.7.0 allows an authenticated administrator to execute arbitrary SQL against the store database via the unsanitized ORDER BY clause on the admin transactions listing page. The admin.php orders-transactions endpoint passes attacker-controlled GET parameters directly into a raw SQL fragment, bypassing the platform's sqlSafe() function which only escapes quote characters - none of which are required for ORDER BY injection. An attacker with at minimum CC_PERM_READ permission on orders can leverage time-based blind SQL injection to extract admin password hashes, customer PII, and integrated payment-gateway credentials. No public exploit identified at time of analysis, though SSVC data indicates POC code exists; the EPSS score of 0.03% (9th percentile) reflects limited observed exploitation interest.
Unauthenticated information disclosure in Palo Alto Networks' Chronosphere Chronocollector exposes sensitive data to any attacker with adjacent network access to the collector service endpoint. All versions from 0.0.0 up to v0.116.0 are affected, with the fix released in v0.116.0. No public exploit code has been identified at time of analysis and CISA has not added this to the KEV catalog, but the CVSS 4.0 Value Density modifier of 'Concentrated' (V:C) suggests the data at risk may include high-value material such as credentials or configuration secrets.
Improper certificate validation in Palo Alto Networks GlobalProtect App exposes macOS and Android users to adversary-in-the-middle attacks from locally adjacent network positions, enabling traffic interception and malicious software installation. The flaw allows an unauthenticated attacker on the same subnet - or a local non-administrative OS user - to redirect encrypted VPN communications to a rogue server by bypassing TLS certificate checks. No public exploit has been identified at time of analysis, EPSS is effectively zero, and CISA SSVC rates exploitation as none, though the high confidentiality and integrity impact on the vulnerable component warrants prompt patching on affected platforms.
Server-side request forgery in the IKEv2 implementation of Palo Alto Networks PAN-OS allows unauthenticated remote attackers to coerce the firewall into issuing outbound network requests to arbitrary destinations or to trigger a denial-of-service condition. Affected are PAN-OS 10.2, 11.1, 11.2, and 12.1 branch trains; Panorama, Cloud NGFW, and Prisma Access are explicitly confirmed unaffected. No public exploit code has been identified and SSVC assessment confirms no current exploitation, though a vendor-released patch is available across all impacted branches.
Stored Cross-Site Scripting in CubeCart v6.x (prior to 6.6.0) allows an authenticated administrator to inject persistent malicious JavaScript into product creation or modification fields, which then executes in the browsers of any user - customer or fellow administrator - who views the affected product pages. The attack requires high-privilege access (PR:H) and victim interaction (UI:R), limiting its realistic threat surface to compromised or malicious admin accounts. No public exploit identified at time of analysis via KEV, though SSVC data indicates proof-of-concept code exists; EPSS stands at 0.03% (8th percentile), reflecting low observed exploitation pressure.
MongoDB Server fails to fully redact user data in local server log messages when schema validation is enabled and an update or insert operation violates the collection schema, allowing authenticated administrators to access sensitive information through log inspection. This information disclosure affects MongoDB Server 7.0 prior to 7.0.34, 8.0 prior to 8.0.23, 8.2 prior to 8.2.9, and 8.3 prior to 8.3.2. The vulnerability requires high-privilege administrative access and has a low CVSS score of 2.7, indicating limited real-world impact despite confirmed patch availability.
aria2c fails to properly validate Extended Key Usage (EKU) constraints in TLS server certificates, allowing attackers who possess a compromised certificate issued for a different purpose to impersonate legitimate servers. This undermines certificate-based authentication and enables man-in-the-middle attacks against aria2c downloads over HTTPS, potentially leading to delivery of malicious files or interception of sensitive data.
Stored cross-site scripting vulnerability in ELECOM wireless LAN access point devices (WAB-BE187-M, WAB-BE72-M, WAB-BE36-M, WAB-BE36-S) allows authenticated administrators to inject malicious scripts that execute in other administrators' web browsers when they access the device management interface. Exploitation requires high-privilege administrative credentials and user interaction (victim must visit the admin panel), limiting real-world risk despite network-accessible attack surface.
Sensitive vault credential disclosure in Palo Alto Networks Trust Protection Foundation allows an authenticated, adjacent-network attacker with low privileges to read secrets from the server's underlying vault (indicated by the HashiCorp tag), then leverage those secrets to impersonate any user in the environment and arbitrarily modify platform configuration. Affected across four active release branches (24.1.x, 24.3.x, 25.1.x, 25.3.x), with fixed versions available from the vendor. No public exploit code exists and CISA has not listed this in KEV; EPSS exploitation probability is 0.01%, reflecting low current threat activity.
Stored cross-site scripting in Palo Alto Networks PAN-OS® web interface allows a malicious authenticated administrator to inject persistent JavaScript payloads that execute in the browsers of other users who view the affected pages. Affected deployments include PA-Series and VM-Series firewalls and Panorama (virtual and M-Series) running PAN-OS 10.2.x, 11.1.x, 11.2.x, and 12.1.x branches. No active exploitation is confirmed - EPSS stands at 0.04% (13th percentile), SSVC exploitation status is 'none', and no public exploit code has been identified at time of analysis. Vendor-released patches are available for all affected branches.
Stored Cross-Site Scripting in Broadstreet plugin for WordPress versions up to 1.53.1 allows authenticated administrators to inject arbitrary JavaScript into admin settings that executes for all users viewing affected pages. The vulnerability requires administrator-level access, high attack complexity due to disabled unfiltered_html or multi-site configuration restrictions, and impacts confidentiality and integrity with limited scope. No active exploitation confirmed at time of analysis.
Broadstreet WordPress plugin up to version 1.53.1 allows authenticated attackers with Subscriber-level access to create advertisers via missing capability checks on the create_advertiser AJAX action, enabling privilege escalation and unauthorized modification of advertising data.
Improper access control in Grafana OSS allows authenticated Editor-role users to delete any annotation instance-wide, regardless of whether they hold read or create permissions on that annotation. The flaw affects a broad version range from 8.5.0 through 13.0.1, exposing organizations to unauthorized data destruction by low-privileged internal users. No active exploitation has been identified at time of analysis (SSVC: none; EPSS: 0.03%, 8th percentile), and no public exploit code exists; real-world risk is constrained by the authentication prerequisite and partial integrity-only impact.
Broken access control in SiYuan's `/api/tag/getTag` endpoint (versions prior to 3.7.0) allows any authenticated low-privilege user - including publish-service `RoleReader` accounts and `RoleEditor` accounts on read-only workspaces - to mutate the global `Conf.Tag.Sort` configuration value and trigger a full rewrite of the workspace `conf.json` file. The handler silently executes a privileged write operation (`model.Conf.Save()`) when a `sort` argument is present, despite the endpoint being registered with only `model.CheckAuth` middleware, omitting the `model.CheckAdminRole` and `model.CheckReadonly` guards that sibling write endpoints correctly enforce. Publicly available exploit code exists per SSVC assessment, though no active exploitation has been confirmed (not in CISA KEV; EPSS 0.03%).
Broken access control in SiYuan's publish-service API allows authenticated RoleReader principals to enumerate workspace metadata from notebooks explicitly marked as private or publish-ignored. Four search endpoints - `/api/search/searchTag`, `/api/search/searchAsset`, `/api/search/searchWidget`, and `/api/search/searchTemplate` - pass the `CheckAuth` middleware that a publish-service RoleReader JWT satisfies, but never apply the `IsReadOnlyRoleContext` filtering logic that sibling endpoints in the same file correctly implement, returning unscoped global workspace results. A proof-of-concept exploit exists per SSVC assessment and is documented in the advisory; the vulnerability is not currently listed in CISA KEV.
Prisma Access Agent on Windows and macOS exposes sensitive configuration data and credentials to local low-privileged users through multiple information disclosure weaknesses. Palo Alto Networks has confirmed these vulnerabilities affect agent versions prior to 26.2.1; Linux, ChromeOS, Android, and iOS deployments are explicitly out of scope. No public exploit has been identified at time of analysis, and SSVC classifies exploitation status as none, making this a low-urgency but real credential-hygiene risk on affected desktop platforms.
Authentication bypass in ProfileGrid - User Profiles, Groups and Communities WordPress plugin up to version 5.9.8.4 allows authenticated Subscriber-level users to modify site-wide group settings through unprotected AJAX actions (pm_set_group_order, pm_set_group_items, pm_set_field_order). Attackers can alter group menu order, list order, icon display, and field ordering without authorization checks. No public exploit code or active exploitation has been identified; CVSS 4.3 (low-moderate severity) reflects limited impact scope to integrity without confidentiality or availability impact.
RTMKit Addons for Elementor plugin for WordPress allows authenticated attackers with Author-level access or higher to modify or reset site-wide widget configurations due to missing capability checks in the save_widget() and reset_all_widgets() functions. This privilege escalation vulnerability affects all versions up to 2.0.2 and enables unauthorized modification of widget data across the entire WordPress site, impacting site integrity and user experience.
Session impersonation in Arqit Symmetric Key Agreement Platform (SKA-Platform) prior to version 26.03 is enabled by improper idle timeout enforcement in the embedded Keycloak authentication interface, allowing browser sessions to persist beyond their intended expiry window. An attacker with physical access to an unattended device where a tenant user has an open, authenticated session can exploit the unexpired session to impersonate that user. No public exploit code exists and CISA has not listed this in KEV; EPSS is at the 0th percentile, consistent with SSVC's 'none' exploitation status and the severe physical-access prerequisite.
Astro versions prior to 6.1.10 fail to bind encrypted server island parameters to their intended component and purpose, allowing attackers to replay encrypted props as slots or vice versa. This cryptographic binding failure could lead to cross-site scripting (XSS) when applications use server islands with overlapping prop and slot names where an attacker controls prop values. The vulnerability requires very specific application architecture (shared key names, dynamically rendered pages, attacker-controlled props) making real-world exploitation unlikely, but the underlying encryption design flaw is significant.
Insufficient session expiration in Strapi versions prior to 5.33.3 allows an authenticated attacker who has previously obtained a valid refresh token to maintain persistent unauthorized access even after the account owner resets their password. Both the admin panel (@strapi/admin) and the API-facing users-permissions plugin (@strapi/plugin-users-permissions) are affected, covering all Strapi deployments up to and including 5.33.2. Because the refresh-token invalidation logic was gated on a caller-supplied deviceId parameter, a password reset without that parameter left all prior refresh sessions alive - meaning credential rotation failed to evict an attacker for up to 30 days by default. No public exploit has been identified at time of analysis, and SSVC confirms exploitation status as none.
Information disclosure in Zoom Workplace for iOS before version 7.0.0 allows an authenticated user with physical access to the device to read limited confidential data by exploiting a failed protection mechanism. The vulnerability is constrained by both physical proximity and high privilege requirements, yielding a CVSS score of 1.8 - among the lowest possible. No active exploitation has been identified, and Zoom has released a fix in version 7.0.0 per their security bulletin ZSB-26006.
Content injection in Palo Alto Networks Broker VM 30.0 (versions prior to 30.0.24) allows an authenticated administrator with local access to inject arbitrary content into certain administrative fields within the appliance. The vulnerability carries a CVSS 4.0 score of 1.1, reflecting its highly constrained exploitation prerequisites: local access, low-privilege authentication, and limited integrity impact with no confidentiality or availability consequences. No public exploit identified at time of analysis, and SSVC assessment confirms no observed exploitation, making this a low-urgency finding for most organizations.