Denial-of-service in Samsung's Escargot JavaScript engine (commit 590345cc) stems from multiple unhandled exceptional conditions - including a null error-value dereference during nested eval/throw/finally sequences, integer underflow in TypedArray.copyWithin after runtime buffer resize, an unhandled out-of-memory condition in the garbage collector, and an invalid fast-mode array assertion during spread operations. Exploitation requires local access and user interaction (AV:L/UI:R per CVSS), crashing or aborting the Escargot runtime process. No public exploit code or CISA KEV listing exists at time of analysis; an upstream fix is available as GitHub PR #1565 but no tagged release version has been confirmed.
Excessive memory allocation in Samsung's Escargot JavaScript engine (commit 590345cc) triggers a denial-of-service condition via integer underflow in the TypedArray.prototype.copyWithin implementation, causing the engine to request a massive heap allocation and subsequently abort the process. Affected deployments include Samsung TV and appliance firmware that embeds Escargot as a scripting runtime. No public exploit code and no CISA KEV listing are present; EPSS data was not provided in available intelligence. Risk is bounded by the local attack vector and user interaction requirement in the CVSS vector.
Denial-of-service via invalid pointer dereference in Samsung Open Source Escargot JavaScript engine affects the specific commit 590345cc6258317c5da850d846ce6baaf2afc2d3, allowing a locally-present attacker to crash the runtime through crafted JavaScript. The root cause (CWE-763) involves unconditional dereference of a potentially invalid or null error pointer in the resultOrErrorToString path, triggerable via nested eval/throw/finally patterns that induce GC allocation during exception handling. No public exploit code exists and no CISA KEV listing is present at time of analysis.
Uncontrolled recursion in Samsung's Escargot JavaScript engine crashes the runtime when processing oversized serialized data payloads, resulting in a high-severity availability impact. The vulnerability is confirmed at commit 590345cc6258317c5da850d846ce6baaf2afc2d3 of the Escargot engine, which is deployed in Samsung TV and appliance platforms. An attacker who can cause a local user to open or execute a crafted JavaScript payload can trigger a stack overflow, denying service to the affected application or device; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Cross-site scripting in the Drupal Colorbox Inline contributed module (versions 0.0.0 through before 2.1.1) allows an authenticated low-privileged attacker to inject malicious script into web page output, which executes in a victim's browser when they interact with the affected content. The changed-scope CVSS vector (S:C) confirms the classic XSS pattern where attacker-controlled content runs in a different security context than the origin. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% (8th percentile) confirms this is not a currently targeted vulnerability.
Path traversal in go-git allows crafted repository payloads to write files outside the intended checkout directory, including into the repository's .git directory and parent paths. The vulnerability stems from go-git failing to implement path validation checks that upstream Git adopted years ago, creating a drift-induced security gap across all supported platforms - with additional platform-specific attack vectors affecting Windows and macOS users distinctly. CVSS scores this at 5.4 medium with no public exploit identified at time of analysis and no CISA KEV listing, but the real-world risk is elevated in automated pipelines or developer tooling that processes untrusted repositories without human review.
Token revocation bypass in Red Hat Keycloak's OIDC Introspection endpoint allows low-privileged authenticated users to continue using tokens that should have been invalidated by realm-level notBefore revocation policies. When both realm-level and client-level notBefore policies are simultaneously active, the introspection endpoint incorrectly evaluates only the client-level policy, silently ignoring the realm-wide revocation. This means an administrator's deliberate, broad-scope revocation action - typically used in incident response or forced re-authentication scenarios - is rendered ineffective for any clients that also carry a client-level notBefore setting. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog.
Command injection in Panabit PAP-XM320 firmware up to and including V7.7 enables authenticated remote attackers with management interface access to execute arbitrary shell commands on the underlying OS. The web management interface passes user-controlled input to the backend helper /usr/sbin/pappiw, which processes arguments via eval - a classic CWE-78 pattern that causes attacker-supplied shell metacharacters to be interpreted as commands. No public exploit has been confirmed at time of analysis and this CVE is not listed in the CISA KEV catalog, though a researcher disclosure page is referenced.
Reflected XSS in Nuxt's `navigateTo()` function allows remote attackers to inject and execute arbitrary JavaScript in the application's origin during server-side rendering. Applications passing user-controlled input to `navigateTo(url, { external: true })` - the common post-login `?next=` or `?redirect=` redirect pattern - are affected across nuxt versions 3.4.3-3.21.5 and 4.0.0-alpha.1-4.4.5. A full proof-of-concept is published in the GitHub Security Advisory GHSA-fx6j-w5w5-h468; no public exploit identified at time of analysis beyond that PoC, and this CVE does not appear in CISA KEV.
Broken access control on the /api/v1/autotranslate.translateMessage endpoint in Rocket.Chat allows any authenticated user to retrieve the full content of messages from rooms they have no membership in - including private groups, direct messages, and channels - by supplying only a valid message ID. The vulnerability stems from the complete absence of a room-level authorization check (canAccessRoomIdAsync is never invoked) before the message fetch via Messages.findOneById(). No public exploit code or CISA KEV listing has been identified at time of analysis, but the high confidentiality impact (C:H in CVSS) means successful exploitation exposes sensitive private communications organization-wide.
Discourse's AI summarization feature exposes removed or restricted content to anonymous and unprivileged users through stale cached summaries. Affected are all Discourse instances running versions prior to 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1 with AI summarization enabled. An unauthenticated attacker can read cached summaries that persist after the underlying content has been moderated or deleted, bypassing content removal controls. No public exploit code exists and no KEV listing has been issued at time of analysis.
In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `"my_team/conn"`) to the same path as another team's team-scoped secret when the caller had no team context. A privileged caller without team context could therefore retrieve another team's secret by crafting a colliding `conn_id`. Fixed in 9.28.0 by switching the team-scope separator to `--` and rejecting team-shaped `conn_id`s when team context is absent. Affects the experimental multi-tenant teams feature only. Users are recommended to upgrade to `apache-airflow-providers-amazon` 9.28.0, which fixes the issue.
Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
An issue was discovered in the Portrait Dell Color Management application before 3.7.0 for Dell monitors. On Windows, a symbolic link vulnerability allows a local low-privileged user to escalate privileges to Administrator. During installation, the software writes the file CCFLFamily_07Feb11.edr to C:\ProgramData\Portrait Displays\CW\data\i1D3\ while running with elevated privileges. Because the installer does not properly validate symbolic links or reparse points at the destination path, an attacker can create a malicious link that redirects the write operation to an arbitrary system location, enabling arbitrary file creation or overwrite with elevated privileges.
Unauthorized form structure disclosure in GLPI 11.0.0 through 11.0.6 allows a high-privileged authenticated user holding forms READ permission to export the structural definition of forms they are not authorized to access. The flaw, rooted in CWE-862 (Missing Authorization), means the application validates that a user can perform form exports in general but fails to verify per-form access entitlements before returning structure data. Impact is limited to low confidentiality exposure of form schemas with no integrity or availability consequence. No public exploit code or CISA KEV listing exists at time of analysis, and the vendor has released a confirmed fix in 11.0.7.
Angular template injection in the Reports functionality of Nozomi Networks Guardian and CMC (versions prior to 26.1.0) allows an authenticated user with report privileges to execute arbitrary Angular template expressions in a victim's browser context. Exploitation requires either the attacker to possess report creation privileges directly, or to socially engineer a victim into importing a crafted malicious report template. Successful exploitation enables modification of application data or disruption of application availability; however, full XSS exploitation and direct information disclosure are explicitly constrained by the product's existing input validation and Content Security Policy configuration. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Stored HTML injection in Nozomi Networks Guardian and CMC Smart Polling functionality allows authenticated users with limited privileges to embed malicious HTML into remote strategies via the sync mechanism. When a victim views the affected remote strategy in the Smart Polling UI, the injected HTML renders in their browser, enabling phishing campaigns and open redirect attacks. No public exploit has been identified at time of analysis; full JavaScript XSS is explicitly mitigated by the product's existing Content Security Policy, bounding the practical impact to social engineering vectors rather than direct session compromise.
Permanent denial of service in Ledger Nano X, Flex, and Stax hardware cryptocurrency wallets allows a physically present attacker to irreversibly brick the device by supplying a crafted reset_handler address during MCU firmware flashing. The firmware update process accepts attacker-controlled pointer values without bounds checking or range validation, causing the MCU to dereference an invalid instruction pointer at boot and enter an unrecoverable hardware fault state. No public exploit code is identified at time of analysis and the device is not listed in the CISA KEV catalog; the CVSS 4.0 score of 5.1 (Medium) reflects the mandatory physical access requirement, which substantially constrains the attacker population but does not diminish the severity of permanent device loss for affected users.
Server-side request forgery in AutoGPT Platform versions 0.1.0 through 0.6.51 allows any authenticated user on a shared deployment to conduct non-blind internal network port scanning and service fingerprinting by exploiting the SendEmailBlock's unvalidated SMTP connection handling. The block accepts user-supplied smtp_server and smtp_port inputs and passes them directly to Python's smtplib.SMTP(), completely bypassing the platform's dedicated SSRF defenses - the validate_url_host() function and BLOCKED_IP_NETWORKS blocklist in backend/util/request.py that every other block observes. Because smtplib surfaces TCP banners in exception messages that are persisted as visible block output, this is a non-blind SSRF, giving attackers readable reconnaissance data about internal hosts and services. No public exploit identified at time of analysis; vendor-released patch is confirmed in version 0.6.52.
Unauthorized PII disclosure in Red Hat Build of Keycloak allows a low-privilege administrator holding only the 'view-clients' role to enumerate user identities and authorization grants across the entire realm by invoking the 'evaluate-scopes' Admin API endpoint with an arbitrary userId parameter. The vulnerability is an Insecure Direct Object Reference (CWE-639) in the Admin API layer, exploitable remotely over the network without requiring additional user interaction. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low attack complexity and clear abuse path make targeted insider or compromised-credential scenarios a realistic concern.
Stored HTML injection in Nozomi Networks Guardian and CMC's Schedule Restore Archive feature permits authenticated administrators to embed arbitrary HTML tags within restore schedule configurations. When any user views the poisoned schedule entry, the injected markup renders in their browser, enabling phishing lures and potential open redirect attacks against operators. Full JavaScript execution is blocked by the platform's existing Content Security Policy and server-side validation, and no public exploit has been identified at time of analysis; however, in OT/ICS environments where operator trust is high, even HTML-level injection can support targeted social engineering.
Stored HTML injection in Nozomi Networks Guardian and CMC (versions prior to 26.1.0) allows an authenticated administrator to create a user account whose username contains raw HTML tags that are rendered unescaped in a victim's browser. The injection triggers specifically during group deletion workflows - when any user attempts to delete a group containing the malicious account, the stored payload renders. Full XSS exploitation is blocked by the platform's Content Security Policy, but the attack surface remains viable for phishing and open redirect abuse. No public exploit code exists and this CVE is not listed in CISA KEV; the CVSS 4.0 score of 4.8 reflects the high privilege prerequisite and required user interaction, which substantially constrain real-world risk.
Stored HTML injection in Nozomi Networks Guardian and CMC (Central Management Console) Credentials Manager allows authenticated administrators to plant malicious HTML inside identity definitions. When a separate user attempts to delete the poisoned identity, the injected HTML renders in their browser, enabling phishing lures and open redirect attacks against that user. Full script execution (XSS) and direct information disclosure are constrained by existing input validation and Content Security Policy headers, limiting the achievable impact to social engineering vectors. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis.
Stored XSS in CtrlPanel's admin role management interface (versions 1.1.1 and prior) allows a privileged admin to inject persistent malicious HTML into role name or color fields, which executes in the browser of every admin who subsequently loads the /admin/roles page. The attack enables session hijacking, credential harvesting via fake login prompts or keyloggers, and lateral privilege escalation by performing admin actions on behalf of victim admins - with the payload re-executing on every page load until the offending role record is manually deleted. No active exploitation is confirmed (not in CISA KEV), but a proof-of-concept payload is documented in the vendor advisory. Fixed in version 1.2.0.
Improper error handling in the TP-Link Archer AX72 (SG) v1.0 web management interface allows an authenticated administrative user to extract diagnostic command syntax by submitting invalid input to the network diagnostic feature. The disclosure is narrow - limited to command-line usage information for the underlying diagnostic utility - and does not expose credentials, configuration data, or sensitive system state. A vendor-released patch is available, no public exploit code has been identified, and the vulnerability carries no CISA KEV designation.
Improper input validation in the System Management Mode (SMM) communications buffer could allow a privileged attacker to perform an out of bounds read or write to a limited section of the Top of. Rated medium severity (CVSS 4.6), this vulnerability is low attack complexity. No vendor patch available.
Broken access control in Keycloak's Account Resources user lookup endpoint exposes full PII profiles of all realm users to any authenticated user who owns at least one User-Managed Access (UMA) resource. By sending crafted requests with arbitrary usernames or email values to this endpoint, the attacker receives complete profile objects for unrelated realm members - bypassing the intended per-user data isolation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and minimal privilege requirement (any UMA resource owner) make it a meaningful insider-threat and tenant-isolation risk in shared Keycloak deployments.
Path traversal in pymdownx.snippets versions 10.0.1 through 10.21.2 allows unauthenticated remote attackers to read arbitrary files from sibling directories outside the configured base_path, bypassing the restrict_base_path protection intended by CVE-2023-32309. The bypass exploits a string-prefix comparison introduced in PR #2039 that lacks directory-boundary enforcement, enabling a crafted snippet directive like '--8<-- "../docs_secret/leak.txt"' to escape the configured base directory when sibling paths share the same string prefix. Publicly available exploit code (proof-of-concept) exists in the GitHub Security Advisory; the vulnerability is not confirmed actively exploited in the CISA KEV catalog at time of analysis.
Broken access control in Brainstorm Force's Presto Player WordPress plugin (through version 4.1.3) allows authenticated low-privilege users to bypass authorization checks and read restricted data. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms this is network-exploitable by any authenticated WordPress user with no interaction required, though impact is limited to low confidentiality exposure with no integrity or availability consequences. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
WebAuthn policy enforcement bypass in Red Hat Build of Keycloak allows low-privileged authenticated users to register credentials that violate administrator-configured realm security policies. The server-side processAction() method does not validate that newly registered WebAuthn credential parameters - such as public key algorithms - conform to the realm's defined WebAuthn policies, enabling a user to manipulate client-side JavaScript during the registration flow to submit non-compliant credential data. No public exploit has been identified at time of analysis; exploitation requires an authenticated session and is limited to integrity impact (policy bypass), with no direct confidentiality or availability consequence.
Missing Redis cache invalidation in Budibase's public API role unassignment endpoint allows users with revoked admin, builder, or app-level privileges to retain full access for up to 1 hour (the hardcoded Redis TTL of 3600 seconds). Affected deployments are Budibase versions prior to 3.38.2 running an enterprise license, where the `POST /api/public/v1/roles/unassign` endpoint writes revocations to CouchDB but never calls `cache.user.invalidateUser()`, leaving the authentication middleware to serve stale permissions from Redis. Publicly available exploit code exists within the GHSA-6vp2-6r7m-2jvx advisory; no confirmed active exploitation (not listed in CISA KEV at time of analysis).
Authorization bypass in Caddy's remote admin `/config` API (versions 2.4.0-2.11.2) allows a certificate-authenticated remote admin client restricted to a specific array-indexed config path (e.g., `/routes/0`) to read and modify sibling array elements (e.g., `routes[1]`) by requesting the path with a leading-zero index variant (`/routes/01`). The root cause is a semantic mismatch between two internal layers: the authorization layer performs string prefix matching (`strings.HasPrefix`), while the config traversal layer parses index components numerically via `strconv.Atoi()`, so `"01"` passes authorization as a prefix of `"0"` but resolves to integer index 1 during traversal. No public exploit is in CISA KEV, but a complete proof-of-concept with captured curl requests and server responses is publicly documented in the vendor GitHub advisory GHSA-x5w9-xh9r-mvfc.
Forceful browsing in the Drupal Node View Permissions module exposes restricted node content to unauthenticated network attackers under high-complexity conditions. Affected are all installations running versions 0.0.0-1.7.0 (branch 1.x) and 2.0.0-2.0.1 (branch 2.x) of the module. The vulnerability is classified as information disclosure only - no integrity or availability impact - and carries a CVSS 3.7 (Low) score; no public exploit code exists and no confirmed active exploitation has been reported (not in CISA KEV), with EPSS placing exploitation probability at 0.01%.
Local denial-of-service in OpenHarmony v6.0 and prior versions exploits an improper input validation flaw (CWE-20), allowing a low-privileged local attacker to partially disrupt availability without requiring user interaction. The CVSS score of 3.3 (Low) reflects constrained impact: availability impact is rated Low (A:L), with no confidentiality or integrity loss. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the lower tier of operational urgency.
Integer overflow in OpenHarmony v6.0 and prior versions enables a local authenticated attacker to trigger a denial-of-service condition, resulting in an availability impact. The vulnerability is low severity with a CVSS score of 3.3, requires local access with low privileges, and no public exploit or active exploitation has been identified at time of analysis. Notably, the CVE tags include 'Information Disclosure' despite the CVSS vector indicating no confidentiality impact (C:N), a discrepancy that warrants vendor clarification.
NULL pointer dereference in OpenHarmony v6.0 and prior enables a local low-privileged attacker to crash the system or an affected process, causing a denial-of-service condition. The vulnerability is confined to local exploitation with no confidentiality or integrity impact, as reflected in the CVSS:3.1 score of 3.3 (Low). No public exploit code has been identified at time of analysis, and no active exploitation has been reported.
Signal handler race condition in OpenHarmony v6.0 and prior enables a local, low-privileged attacker to cause a denial-of-service condition. The vulnerability (CWE-364) produces only low availability impact per the CVSS vector, with no confidentiality or integrity loss confirmed. No public exploit code or CISA KEV listing exists at time of analysis, placing this in a low-urgency tier despite the low attack complexity.
Sensitive HTTP header values entered into the Strawberry GraphQL bundled GraphiQL IDE are serialized into the browser URL query string via JavaScript's history.replaceState, exposing credentials such as Authorization bearer tokens to browser history, copy-paste clipboard actions, and server/proxy/CDN access logs. Affected are strawberry-graphql versions 0.288.4 through 0.315.3 - any Python application exposing the default GraphiQL interface without explicit opt-out. No public exploit has been identified at time of analysis, and the CVSS score of 3.1 (Low) reflects that exploitation requires user interaction; however, in developer and staging environments where the IDE is commonly left enabled, token leakage via shared URLs or log aggregation is a realistic risk.
Resource Location Spoofing in the Drupal 'Translate Drupal with GTranslate' module (versions 0.0.0 through before 3.0.5) allows a high-privileged authenticated attacker to modify data the module treats as immutable, enabling redirection of translation resource locations. Exploitation requires network access but demands administrator-level privileges, yielding only low integrity impact with no confidentiality or availability consequences. No public exploit code exists and EPSS sits at 0.02% (5th percentile), indicating negligible exploitation interest at this time.
Cache poisoning via the `/__nuxt_island/*` endpoint in Nuxt allows an attacker to prime a shared CDN or reverse-proxy cache with attacker-controlled rendered HTML, causing subsequent users requesting the same island path to receive the poisoned response. Affected are `nuxt` 3.1.0-3.21.5 and 4.0.0-alpha.1-4.4.5, as well as `@nuxt/nitro-server` 3.20.0-3.21.5 and 4.2.0-4.4.5. When any island component passes a prop into an unsafe HTML sink (`v-html`, `innerHTML`), the cache poisoning escalates to stored XSS persisting in the application's origin until cache expiry, exposing non-HttpOnly cookies, in-origin requests, and DOM state. No public exploit identified at time of analysis.
Shell command injection in go-git's SSH transport allows attackers who control repository path values to execute arbitrary shell commands on SSH servers that evaluate exec commands through a login shell. go-git wraps repository paths in single quotes without escaping embedded single-quote characters, diverging from canonical Git's sq_quote_buf behavior. When a go-git client connects to an SSH server whose exec command passes through /bin/sh, /bin/bash, or a ForceCommand wrapper that re-evaluates $SSH_ORIGINAL_COMMAND, an attacker-influenced path containing a single quote can break out of the quoted region and append arbitrary shell tokens. No public exploit identified at time of analysis.
Payment bypass in the discourse-subscriptions plugin allows unauthenticated users to gain membership in subscription-gated groups without completing a financial transaction. Affected are all Discourse installations running the subscriptions plugin prior to fixed versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.1 reflects high attack complexity, required user interaction, and limited confidentiality impact confined to the vulnerable system.
Uncontrolled search path in Qt Network's OpenSSL TLS backend on Unix allows a high-privileged local attacker to inject a rogue CA certificate by placing a crafted certificate file in the application's working directory, causing Qt-based applications to treat it as a trusted system authority. Affected across multiple long-term support branches: Qt 5.x through 5.15.19, Qt 6.0-6.5.x through 6.5.9, Qt 6.6-6.8.x through 6.8.3, and Qt 6.9.x through 6.9.1 on Unix platforms. No public exploit identified at time of analysis, and CVSS 4.0 rates this at 1.8, reflecting substantial preconditions that severely limit real-world impact.
Vaadin Flow's Maven and Gradle build plugins expose all process-level environment variables - including CI-injected secrets and credentials - in plaintext build logs whenever the frontend build process exits with a non-zero status code. Affected are com.vaadin:flow-maven-plugin, flow-gradle-plugin, and flow-plugin-base across Vaadin 23.0.0-23.6.9, 24.0.0-24.10.3, and 25.0.0-25.1.4. No public exploit code exists and this is not listed in CISA KEV; however, any actor with read access to CI build logs from a failed frontend build can extract plaintext registry credentials, deploy tokens, or signing keys, enabling downstream supply chain compromise consistent with the CVSS SC:H/SI:H subsequent-system impact ratings.
Information disclosure in FileBrowser Quantum (gtsteffaniak/filebrowser) allows unauthenticated users to view sensitive share information including source paths through the anonymous user account. The flaw stems from default user settings being applied to the anonymous user, exposing source and path data that should remain restricted. No public exploit identified at time of analysis, but a patched version (v1.4.1) has been released by the upstream maintainer.
Heap corruption in rust-openssl versions 0.10.50 through 0.10.79 allows attacker-controllable out-of-bounds writes of up to 7 bytes via the `CipherCtxRef::cipher_update_inplace` method when used with AES key-wrap-with-padding ciphers (EVP_aes_128_wrap_pad, EVP_aes_192_wrap_pad, EVP_aes_256_wrap_pad). The buffer sizing logic fails to account for AES-KWP's padding expansion when input length is not a multiple of 8, and because this occurs through FFI into native OpenSSL, Rust's memory safety guarantees do not prevent the corruption. This is a missed case from a prior fix for GHSA-xv59-967r-8726 in the same method; no public exploit has been identified at time of analysis.