Cross-site scripting (XSS) in Vvveb CMS versions prior to 1.0.8.3 allows authenticated users to inject malicious scripts that execute in victim browsers with user interaction. The CVSS 4.0 vector indicates network-based attack requiring low-privilege authentication and user interaction, with low confidentiality and integrity impact to the subsequent system. GitHub security advisory confirms the vulnerability, with patch version 1.0.8.3 available. No public exploit code identified at time of analysis, and EPSS data not available for this recently assigned CVE.
Stored cross-site scripting in phpMyFAQ versions prior to 4.1.2 allows authenticated users with FAQ_ADD permission to inject malicious JavaScript into FAQ questions and answers that execute in all visitors' browsers. The vulnerability exploits an encode-decode cycle where FILTER_SANITIZE_SPECIAL_CHARS encoding is immediately reversed by html_entity_decode(), bypassing Filter::removeAttributes() which only strips HTML attributes but not tags like <script>. Twig templates render this content with the |raw filter, executing stored payloads. CVSS 5.4 indicates network-accessible attack requiring low-privilege authentication and user interaction, with changed scope enabling cross-user impact. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.
Authenticated users with FAQ_EDIT permission in phpMyFAQ can bypass SVG sanitization and execute arbitrary JavaScript in victims' browsers by exploiting recursive entity decoding limits. By nesting ampersand encoding five levels deep around numeric HTML entities in SVG href attributes (e.g., &amp;amp;amp;amp;#106; for 'j'), attackers reconstruct javascript: URLs that the decodeAllEntities() method fails to detect but browsers fully decode. The malicious SVG uploads persist on the server and execute JavaScript when other users click the embedded links. Fixed in version 4.1.2. EPSS and KEV data not available; VulnCheck reported this issue with vendor-confirmed details and proof-of-concept in GitHub security advisory GHSA-whqh-9pq5-c7r3.
Stored cross-site scripting in Cockpit CMS 2.14.0 and earlier allows authenticated users with content/:models/manage permission to inject arbitrary JavaScript through the Set field type's Display template option. The vulnerability exploits unsafe template rendering via `new Function()` and Vue's v-html directive without sanitization, executing injected code in the browsers of all users viewing the collection items list. Vendor-released patch available via commit 72a83fc replaces Function-based evaluation with sandboxed JSLite execution.
CSRF vulnerability in Turborepo's self-hosted authentication flow allows credential injection attacks when users authenticate the CLI against self-hosted remote cache endpoints. An attacker-controlled web page can send a malicious token to the localhost callback server during the login process. If the malicious callback arrives before the legitimate OAuth response, the CLI completes authentication with attacker-supplied credentials, leading to high integrity impact on subsequent build operations. This affects users of self-hosted Turborepo deployments only - Vercel's hosted device authorization flows are not vulnerable. Fixed in version 2.9.14.
Time-based blind SQL injection in NEX-Forms Ultimate Forms Plugin for WordPress through version 9.1.12 allows authenticated administrators to extract sensitive database information by injecting arbitrary SQL queries via the insufficiently escaped 'table' parameter. The vulnerability requires administrator-level access and is not actively exploited in public records, but poses significant risk to multi-admin WordPress installations where admin accounts may be compromised or untrusted.
Stored cross-site scripting (XSS) in Fujitsu's Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 allows authenticated users to execute arbitrary scripts in administrators' browsers by uploading files with malicious content. When administrators view file information on the administration page, the injected script executes with user-level privileges. No public exploit code or active exploitation has been identified at the time of analysis.
Out-of-bounds read in power management firmware affects AMD Ryzen AI, Ryzen 7000/8000 series mobile processors, Ryzen 8000 desktop processors, embedded processors, and Radeon graphics products. A local attacker with low privileges can read sensitive firmware data, potentially disclosing confidential information and causing availability degradation. CVSS 4.8 (low severity) reflects limited privilege requirements and contained impact, though the vulnerability affects a broad processor family.
Improper cleanup of shared GPU firmware registers in AMD Instinct and Radeon Pro accelerators allows admin-privileged attackers within guest virtual machines to access registers allocated to other guest VMs, potentially compromising confidentiality, integrity, or availability across isolated workloads. The vulnerability requires local admin privileges within a guest VM and affects multiple GPU product lines used in data center and HPC environments.
Out-of-bounds read in AMD Secure Processor TEE SOC Driver allows high-privileged local attackers to trigger memory exposure or denial of service via malformed SR-IOV commands on Radeon RX 6000/7000, Pro W6000/W7000, and Instinct MI-series GPUs. Insufficient parameter sanitization in the DRV_SOC_CMD_ID_LOAD_GFX_IP_FW command handler permits crafted input to bypass bounds checks, exposing SOC Driver memory or causing exceptions. Attack requires high privilege level (PR:H) and local access (AV:L), limiting real-world exploitation to compromised administrative contexts or supply-chain scenarios.
Improper input validation in the AMD OverDrive (AOD) System Management Mode (SMM) module could allow a privileged attacker to perform an out-of-bounds read, potentially resulting in loss of. Rated medium severity (CVSS 4.6), this vulnerability is low attack complexity. No vendor patch available.
Stored cross-site scripting (XSS) in Weblate allows authenticated contributors to inject HTML and CSS into the live search preview feature, which executes in the browsers of all authenticated users who perform matching searches. The vulnerability stems from improper output escaping of unit source and context fields in the search preview interface. Vendor-released patch available in version 2026.5, confirmed via GitHub advisory GHSA-6wxc-8mgq-w26m and commit 8b0adf1d0b43. CVSS score of 4.6 (Medium) reflects the requirement for low-privilege authentication and user interaction, limiting exploitation scope compared to unauthenticated XSS.
Client-side denial-of-service in Mattermost allows remote attackers to crash user browsers via maliciously crafted SVG files embedded in OpenGraph metadata or Markdown images. The vulnerability affects Mattermost Server versions 11.5.0-11.5.1, 10.11.0-10.11.13, and 11.4.0-11.4.3, where the server fails to validate proxied image response bodies. Attackers exploit this by serving SVG files with misleading Content-Type headers (e.g., image/png) that bypass validation, causing resource exhaustion when rendered in victim browsers. CVSS rates this 4.3 (Medium) with network attack vector requiring user interaction, while EPSS data is not available. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis.
Authenticated attackers with subscriber-level access can add arbitrary notes to any order in the Classified Listing - AI-Powered Classified ads & Business Directory Plugin (all versions up to 5.3.10) due to missing authorization checks, triggering unsolicited notification and moderation emails to listing owners. The plugin fails to verify user permissions before allowing note creation, enabling privilege escalation within WordPress installations where subscriber accounts exist. No public exploit code or active exploitation has been identified at the time of analysis.
The Notify Odoo WordPress plugin up to version 1.0.1 contains a Cross-Site Request Forgery (CSRF) vulnerability in the _updateSettings function that allows unauthenticated attackers to modify critical plugin configuration-including the Notify Odoo URL, notification settings, tracking image configuration, and allowed IP addresses-by tricking site administrators into clicking a malicious link. The vulnerability requires user interaction (administrator action) but poses a direct integrity risk by enabling attackers to redirect plugin functionality to attacker-controlled servers or disable legitimate notification and tracking features.
Insufficient randomness in DPA countermeasures within the SYMCRYPTO engine on Silicon Labs SixG301xxx devices enables physical attackers to extract cryptographic keys through side-channel analysis. The predictable countermeasure patterns eventually repeat, undermining differential power analysis (DPA) protections for Key Storage Unit (KSU) keys. While exploitation requires physical access and sophisticated equipment (CVSS 4.0 AV:P/AC:H), successful attacks achieve high confidentiality impact by recovering symmetric cryptographic keys. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS data is not available for this recently disclosed vulnerability.