Archive extraction boundary failure in Microsoft APM's legacy-bundle probe allows local attackers to overwrite arbitrary files on Windows systems running Python 3.10 or 3.11. When users run 'apm install' on a malicious .tar.gz file, untrusted tar members bypass path validation, enabling absolute path writes (e.g., D:/...) that compromise system integrity. Fixed in version 0.13.0. No active exploitation confirmed at time of analysis, but the local attack vector with user interaction required (CVSS AV:L/UI:R) limits real-world risk to social engineering scenarios targeting AI agent developers on Windows platforms.
CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Podcast Generator 3.1 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to execute arbitrary code by injecting malicious payloads into markdown files stored within the application. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Uninitialized kernel memory within AMD's Platform Management Framework (PMF) can be read by local authenticated attackers, resulting in information disclosure or availability impact. This affects AMD Ryzen processors across multiple generations (6000, 7035, 7040, 8040 series and Z1/Embedded 8000) where PMF is present. The vulnerability requires local access and authenticated user privileges but does not require user interaction, making it exploitable by any local user with login credentials.
Improper input validation in the AMD Platform Management Framework (PMF) driver allows local authenticated attackers to read out-of-bounds memory, resulting in information disclosure or denial of service. The vulnerability affects multiple Ryzen processor families (7035, 7040, 8040, 6000 series, and Embedded 8000) and requires local access with limited privileges to exploit.
Buffer overflow in the AMD Secure Processor (ASP) PCI driver affects dozens of AMD Ryzen, EPYC, and Threadripper processor families across desktop, mobile, and embedded variants. Local attackers with user-level privileges can trigger improper input validation in the driver to cause a crash or denial of service, with potential for integrity impact. The vulnerability requires local access and authenticated user privileges; no active exploitation in the wild has been confirmed, and vendor-released patches are available.
Use-After-Free vulnerability in the AMD Secure Processor (ASP) PCI driver affects multiple Ryzen, Threadripper, EPYC, and Athlon processor families due to improper input validation. A local attacker with user-level privileges can trigger the UAF condition, resulting in denial of service via platform crash or potential loss of platform integrity. Vendor-released patch: AMD Ryzen Chipset Driver 7.02.13.148 (or equivalent Catalyst driver versions for embedded SKUs). No public exploit identified at time of analysis.
DDR5 memory modules in multiple AMD Ryzen processor families contain an insecure default PMIC (Power Management Integrated Circuit) interface configuration that allows local users with standard privileges to cause permanent denial of service or corrupt memory module integrity via unprotected firmware access. The vulnerability affects Ryzen 4000, 7000, 7020, 7030, 7035, 7040, 7045 series processors and Threadripper Pro 3000 WX-series, requiring local system access but no special privileges or user interaction. No public exploit code or active exploitation has been confirmed at time of analysis.
Improper isolation of GPU HW register space could allow a privileged attacker in malicious Guest Virtual Machine (VM) to perform unauthorized access to specific victim range of GPU MMIO register. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.
Buffer overflow in AMD Sensor Fusion Hub Driver allows local authenticated attackers to write out of bounds, causing denial of service or system crash. The vulnerability affects multiple Ryzen processor families (4000, 5000, 7000, 7020, 7030, 7035, 7040 series and Ryzen AI 300 series) with Radeon integrated graphics across Windows mobile and desktop platforms. No active exploitation has been confirmed at time of analysis.
Improper validation in Power Management Firmware (PMFW) may allow an attacker with privileges to pass malformed workload arguments when exporting table data from SMU to DRAM potentially resulting in. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.
Out-of-bounds write in Huawei HarmonyOS and EMUI distributed file system module allows authenticated local attackers to corrupt memory, potentially affecting system availability and integrity. CVSS 6.8 reflects adjacent network access requirement and low attack complexity, but exploitation requires prior authentication and local network presence. No public exploit code or active exploitation confirmed at time of analysis.
Unauthenticated attackers can modify Smartcat API credentials in the Smartcat Translator for WPML plugin through a missing capability check on the 'routeData' REST endpoint, allowing hijacking of translation services or denial of service. All versions through 3.1.77 are affected. The vulnerability requires only network access and no user interaction, making it remotely exploitable by any unauthenticated actor against default WordPress configurations running the vulnerable plugin.
XML External Entity (XXE) injection in Oinone Pamirs 7.0.0 allows remote unauthenticated attackers to disclose local files or perform Server-Side Request Forgery (SSRF) attacks via malicious XML input to unsafe XStream parsing entry points (PamirsXmlUtils.fromXML, ViewXmlUtils.fromXML). The vulnerability has network attack vector with low complexity (CVSS:3.1 AV:N/AC:L/PR:N) and is automatable per SSVC framework, though no active exploitation or public POC has been confirmed at time of analysis. EPSS data not available; CISA KEV status: not listed.
Remote attackers can execute arbitrary code on Oinone Pamirs 7.0.0 servers by sending malicious script expressions to the ScriptRunner.run() method, which evaluates untrusted input without sandboxing. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is remotely exploitable without authentication against default configurations. No public exploit identified at time of analysis, but SSVC marks this as automatable with partial technical impact. EPSS data unavailable. The vulnerability enables both information disclosure (C:L) and integrity compromise (I:L) according to CVSS, creating a pathway for initial access and potential privilege escalation.
Time-of-check-time-of-use DNS rebinding in AVideo <= 29.0 allows remote unauthenticated attackers to bypass Server-Side Request Forgery (SSRF) protections and exfiltrate sensitive data from internal networks. The partial fix for CVE-2026-43884 in commit 603e7bf addressed only two call sites but left six or more locations discarding the DNS-pinning mechanism via CURLOPT_RESOLVE, enabling attackers to race DNS resolution between validation and HTTP request execution. No vendor-released patch identified at time of analysis. EPSS data not available for this CVE.
Medical Management System a81df1ce700a9662cb136b27af47f4cbde64156b is vulnerable to Insecure Permissions, which allows arbitrary user password reset.
Weak session ID generation in Apache::Session::Generate::SHA256 for Perl allows session prediction and hijacking. All versions before 1.3.19 derive session identifiers from low-entropy sources (time, PID, rand, stringified hash ref), enabling remote unauthenticated attackers to predict valid session IDs and gain unauthorized access. EPSS score is low (0.02%, 5th percentile) and no public exploit identified at time of analysis, but CVSS 6.5 with network vector (AV:N/AC:L/PR:N) indicates exploitability against internet-facing systems. Vendor-released patch 1.3.19 replaces predictable hash with Crypt::URandom cryptographically secure source. Similar scope to CVE-2025-40931 for MD5 variant.
Heap buffer overflow in Imager for Perl versions through 1.030 allows remote attackers to corrupt memory and potentially read limited data via specially crafted multi-frame GIF files. The vulnerability stems from missing bounds validation in the skip-image code path of i_readgif_multi_low(), which reuses a fixed-size buffer allocated for the GIF's global screen width without checking if subsequent image frames exceed these dimensions. Vendor-released patch available in version 1.031. CVSS 6.5 indicates network-accessible exploitation requiring no authentication or user interaction, though the impact is limited to low confidentiality/integrity with no availability disruption. No public exploit identified at time of analysis.
File overwrite and information disclosure in Crypt::DSA through version 1.19 for Perl expose systems where user-controlled input reaches the library's key handling routines. The root cause is use of Perl's 2-argument open() form in lib/Crypt/DSA/Key.pm, which interprets leading or trailing special characters in filenames as I/O mode specifiers, enabling reads from or writes to arbitrary files. CVSS rates this AV:N/AC:L/PR:N/UI:N (Medium, 6.5), though actual exposure depends on application-level code paths; EPSS is 0.01% and this CVE is not in CISA KEV, indicating no public exploit identified at time of analysis.
Stored Cross-Site Scripting (XSS) in The7 WordPress theme versions up to 14.3.2 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'title' parameter of the 'dt_default_button' shortcode. The injected scripts execute in the context of any user who views the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code has been identified at time of analysis.
Stored Cross-Site Scripting in Advanced Custom Fields: Font Awesome plugin for WordPress up to version 5.0.2 allows authenticated attackers with Subscriber-level access to inject arbitrary JavaScript via insufficiently validated JSON field values in the update_preview() function, resulting in script execution whenever any user visits an affected page. The vulnerability requires user interaction only in the sense that a victim must visit a page containing injected content; the attacker needs only Subscriber-level authentication to craft the malicious payload.
Authenticated remote code execution in ORSEE 3.1.0 allows low-privileged users to execute arbitrary PHP code on the server by submitting participant profile field values prefixed with 'func:', which are passed unsanitized into eval() calls within tagsets/participant.php and tagsets/options.php. Only version 3.1.0 is confirmed affected; ORSEE is a niche academic tool used in economic research labs, limiting broad attack surface but making unpatched deployments attractive targets for insider threat or compromised-credential scenarios. No public exploit identified at time of analysis beyond a published proof-of-concept writeup on Medium, and EPSS sits at 0.06% (18th percentile), reflecting the narrow deployment footprint.
A permission control vulnerability in the projection module of Huawei HarmonyOS and EMUI allows local attackers with physical access to bypass authorization checks and disclose sensitive information. The flaw affects confidentiality through improper permission enforcement in a physical-access attack vector requiring user interaction. No active exploitation has been confirmed, and patch availability has not been independently verified from the provided reference.
Open redirect in SimpleSAMLphp casserver module allows remote attackers to redirect authenticated users to arbitrary external domains after logout. Versions prior to 6.3.1 and 7.0.0-rc1 through 7.0.0-rc2 are affected. The logout endpoint accepts an unchecked 'url' query parameter without validating it against configured service URLs, enabling phishing attacks that leverage the trusted SimpleSAML domain. Public exploit code exists (POC: YES). EPSS data not available, but exploitation requires only user interaction (no authentication), making this readily exploitable in phishing campaigns targeting SSO users.
Stored Cross-Site Scripting in Vvveb CMS comment submission allows unauthenticated attackers to inject malicious JavaScript through the author field on public post pages. The payload persists in the database and executes in two distinct contexts when administrators or other users view the comments, enabling session hijacking, credential theft, or administrative action manipulation. No public exploit code has been identified at time of analysis, though exploitation requires only user interaction (victim viewing the malicious comment). EPSS data not available; CVSS 6.1 reflects moderate severity with cross-site scope change.
A permission control vulnerability in HarmonyOS's manufacturability design module allows local attackers without privileges to read, modify, and degrade system availability through improper access controls. The vulnerability affects HarmonyOS across multiple versions and has a CVSS score of 5.9 (medium severity), with confirmed impacts on confidentiality, integrity, and availability despite the description emphasizing availability impact alone.
HarmonyOS manufacturability design module contains a permission control vulnerability (CWE-840) that allows local attackers without privileges to read sensitive information and modify system state on affected devices. The vulnerability has a CVSS score of 5.9 with local attack vector and low complexity, affecting confidentiality, integrity, and availability. Patch status and active exploitation status are not confirmed from available vendor advisory data.
A permission control vulnerability in HarmonyOS Contacts allows local attackers without special privileges to access sensitive contact information and affect availability of the contacts application. The vulnerability exists across HarmonyOS versions and can be exploited without user interaction, resulting in information disclosure and potential service disruption.
A permission control vulnerability in Huawei HarmonyOS and EMUI allows remote attackers to disclose sensitive information and potentially degrade system availability through unauthenticated network access combined with user interaction. The vulnerability stems from insufficient permission validation in the calls application, enabling attackers to read confidential data (CWE-200: Information Exposure) across system boundaries when users are socially engineered into triggering the malicious action.
Out-of-bounds read in AMD Platform Management Framework (PMF) allows authenticated local attackers to read arbitrary memory locations, potentially disclosing sensitive information or causing availability loss on affected Ryzen processors. The vulnerability requires local access and low privileges but can be triggered without user interaction. AMD released a security bulletin (AMD-SB-4015) describing the issue; active exploitation status not confirmed at time of analysis.
Cross-site request forgery in AVideo's LoginControl plugin allows remote attackers to disable two-factor authentication for authenticated victims through a single malicious HTTP request. The vulnerability exists in plugin/LoginControl/set.json.php which accepts POST requests to toggle 2FA without CSRF token validation, origin verification, or re-authentication. Attackers deliver a weaponized webpage containing a hidden form that auto-submits to the vulnerable endpoint; when a logged-in AVideo administrator visits this page, their 2FA protection is silently stripped, enabling subsequent credential-based account takeover. The flaw is confirmed through GitHub security advisory GHSA-3mv2-vmwh-rwfx with source code evidence showing the endpoint performs only session authentication (User::isLogged()) while omitting the forbidIfIsUntrustedRequest() protection used throughout the rest of the codebase. No public exploit code identified at time of analysis, though the attack is trivial to weaponize given the detailed advisory.
Permission control vulnerability in Huawei HarmonyOS smart sensing service allows remote attackers to bypass access controls and disclose sensitive information with moderate complexity. The vulnerability affects service confidentiality and integrity across HarmonyOS versions, with CVSS 5.6 (AV:N/AC:H/PR:N/UI:N) indicating network-accessible exploitation requiring non-trivial conditions. No active exploitation in CISA KEV or public exploit code identified at time of analysis.
Use-after-free vulnerability in Huawei HarmonyOS web components allows remote attackers to disclose sensitive information and cause limited integrity and availability impact. The vulnerability requires high attack complexity but can be triggered without authentication or user interaction over the network, affecting confidentiality, integrity, and availability with low severity (CVSS 5.6). No active exploitation has been publicly confirmed.
Information disclosure in Huawei HarmonyOS security control module allows local attackers with user interaction to read sensitive data. The vulnerability stems from improper permission control in the security module, enabling unauthorized access to confidential information without requiring elevated privileges. CVSS 5.5 indicates moderate severity with local attack vector; no KEV status or public exploit confirmed at time of analysis.
Stored cross-site scripting in AVideo's Live plugin allows authenticated streamers to inject malicious JavaScript into live stream pages, executing in any visitor's browser context. The vulnerability exists in modeYoutubeLive.php where stream keys are rendered unescaped into HTML class attributes. Attackers with canStream privileges can persist event handlers via crafted stream keys that trigger when victims view the live page, enabling session hijacking, CSRF token theft, and potential admin account compromise. CVSS 5.4 reflects network-accessible exploitation requiring only low-privilege authentication and user interaction, with scope change indicating cross-user impact. No patch is currently available per GitHub advisory GHSA-m5j4-7r85-2cj2.
System Management Mode (SMM) handler in AMD Ryzen mobile, desktop, embedded, Threadripper, and EPYC processors allows privileged local attackers to execute arbitrary code in SMM by triggering a callout to attacker-controlled code in untrusted non-SMM memory. The vulnerability requires high complexity conditions, active user interaction, physical proximity or direct system access, and high privilege level; successful exploitation compromises system confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Local privilege escalation in WWW::Mechanize::Cached for Perl (versions before 2.00) allows authenticated local attackers to inject malicious cached HTTP responses and achieve arbitrary code execution. The module creates world-writable cache directories under /tmp/FileCache with 0777 permissions, enabling any local user to replace cached responses that are deserialized via Storable::thaw. EPSS exploitation probability is low (0.05%, 16th percentile) and no active exploitation is confirmed at time of analysis. Vendor-released patch available in version 2.00 with upstream fix confirmed via GitHub commit b821647.
Unauthenticated reflected cross-site scripting (XSS) in Vvveb CMS versions prior to 1.0.8.3 enables attackers to execute arbitrary JavaScript in victim browsers via the public product return form. The customer_order_id parameter is reflected without sanitization in error messages when order lookups fail, allowing HTML injection. No public exploit identified at time of analysis. While CVSS 5.3 indicates moderate severity, the unauthenticated attack vector (PR:N) and low complexity (AC:L) make this readily exploitable against any site visitor, though user interaction (UI:P) is required to submit the malicious form.
Authenticated users in Mathesar 0.2.0 through 0.9.x can access metadata for PostgreSQL databases where they lack collaborator privileges, due to missing authorization checks in four API methods (collaborators.list, tables.metadata.list, explorations.list, forms.list). Exposed data includes table schemas, saved explorations, form configurations, and critically, public form submission tokens that grant unauthorized database write access under the form's PostgreSQL role. Fixed in version 0.10.0. CVSS 5.3 (Medium) reflects network-accessible, low-complexity exploitation requiring only basic authentication. No public exploit code or active exploitation detected (EPSS data unavailable, not in CISA KEV).
Broken access control in Mathesar 0.2.0 through 0.9.x allows authenticated users to read, modify, or delete saved explorations (database query definitions) in databases where they lack collaborator privileges. Exploitation requires only a valid user account and knowledge of an exploration ID - easily guessed or enumerated. Fixed in version 0.10.0. No public exploit identified at time of analysis, with EPSS data not available for this recently disclosed vulnerability.
Improper privilege validation in AMD Secure Processor (ASP) allows authenticated local attackers to write data to restricted memory regions, compromising data integrity and potentially affecting system availability. The vulnerability affects AMD MI-25, MI250, MI210 accelerators and AMD Radeon Pro V520/V620 GPUs. No public exploit code has been identified, but the low attack complexity and authenticated network access vector indicate moderate real-world risk in data center and AI/ML environments where these devices are deployed.
{tagId} endpoint. The vulnerability affects versions before 4.1.2 and stems from missing authorization checks that allow any logged-in user, including regular frontend users, to permanently delete arbitrary tags using only a valid session cookie. While CVSS rates this 5.4 (Medium), the permanent data loss and FAQ organization disruption represent material operational impact. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists per VulnCheck advisory and GitHub security advisory GHSA-7cx3-2qx2-3g6w, lowering exploitation barriers for authenticated attackers.
Authorization bypass in phpMyFAQ versions before 4.1.2 allows authenticated frontend users to access admin-only API endpoints and retrieve sensitive backend configuration data. The vulnerability stems from admin-api routes checking only login status (isLoggedIn) without verifying administrative privileges, enabling any valid user account to query dashboard versions, LDAP configuration details, Elasticsearch statistics, and health-check data. While this is an information disclosure issue rather than direct write access, it exposes internal infrastructure details useful for reconnaissance. The low CVSS score (4.3) reflects limited confidentiality impact, but defenders should prioritize remediation in environments where backend configuration exposure aids broader attack campaigns. Vendor patch available in version 4.1.2.
Improper access control between JTAG and AXI interfaces in AMD Ryzen 7040, 8000, 8040 mobile, and Embedded 8000 series processors allows attackers with physical access to read or modify cross-chip debug (XCD) registers, potentially compromising data integrity and confidentiality. The vulnerability requires physical proximity and specialized hardware capability but can bypass authentication mechanisms protecting debug interfaces. No public exploit code or active exploitation has been identified at the time of analysis.
Heap buffer overflow in Imager::File::GIF (Perl image processing library) versions through 1.002 allows local attackers to corrupt memory via specially crafted multi-frame GIF files. The vulnerability stems from missing boundary validation in the skip-image code path, which writes image data beyond allocated buffer boundaries when processing malformed GIF frames. With EPSS score at 0.02% (5th percentile) and no evidence of active exploitation, this represents a low-probability supply chain risk for Perl applications processing untrusted GIF files. Patch released in version 1.003.
Insufficient authorization in phpMyFAQ 4.1.1 and earlier allows any authenticated user to enumerate sensitive system configuration metadata through 12 admin API endpoints. The ConfigurationTabController improperly uses userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT), enabling low-privilege users to query /admin/api/configuration endpoints and discover the permission model, active template, cache backend, mail provider, translation settings, and other deployment details that should require administrative access. This information disclosure violates least privilege principles and aids reconnaissance for subsequent attacks. EPSS data not available; no active exploitation confirmed at time of analysis. Vendor-released patch available in version 4.1.2.