Stored cross-site scripting in EspoCRM 9.3.3 and below enables an authenticated attacker to execute arbitrary JavaScript in the browser session of any user who opens a crafted SVG attachment. The attack exploits EspoCRM's inline SVG serving behavior combined with a CSP misconfiguration that blocks inline scripts but permits same-origin external scripts - allowing a separately uploaded attacker-controlled JavaScript file (also hosted on the same EspoCRM origin) to be loaded and executed. A public exploit exists per the vendor's own GitHub security advisory; no CISA KEV listing has been identified at time of analysis.
In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.
Unauthenticated path traversal in AVideo's `view/img/image404Raw.php` allows any remote attacker to read arbitrary image files accessible to the PHP process, bypassing all application-layer ACLs that normally gate private user photos, admin thumbnails, and encrypted-video poster frames. The vulnerability affects all versions through the current master branch (commit 0dbadbcaaa1b415c7db078a72dc4b26d9fac0485) and all releases up to and including 29.0 (pkg:composer/wwbn_avideo). No vendor-released patch is currently available, and a working proof-of-concept is publicly disclosed in GHSA-w4qq-74h6-58wq, making this immediately actionable by any unauthenticated attacker with HTTP access to the deployment.
Mass assignment in the TYPO3 'Frontend User Registration' extension allows unauthenticated remote attackers to assign arbitrary frontend user groups to accounts created or modified via the public registration and profile-edit flows. Because the extension neither restricts which user properties may be submitted nor enforces server-side access control on the group assignment field, an attacker registers or edits an account while injecting a privileged frontend user group identifier, immediately gaining access to content and functionality that would otherwise require elevated membership. No public exploit is identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attackers to manipulate EIP-712 typed data messages by exploiting. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Resource exhaustion in the Python idna library's idna.encode() function allows denial-of-service via specially crafted Unicode inputs that bypass the incomplete CVE-2024-3651 remediation. Affected versions process CONTEXTO-class codepoints - such as Arabic-Indic digit zero (U+0660) or Katakana middle dot (U+30FB) - through the valid_contexto validation function before length rejection occurs, enabling arbitrarily large inputs to consume significant CPU. Any Python application that passes unvalidated user input to idna.encode() or related per-label/codec functions without upstream length enforcement is exposed; no public exploit has been identified at time of analysis beyond the PoC payloads embedded in the advisory itself.
Technitium DNS Server performs amplified outbound DNS traffic when processing domains with missing RRSIG records or mismatched DNSKEY records - an attacker who controls any domain can exploit this behavior to force the resolver into generating excessive network queries against third-party infrastructure. All versions prior to 15.0 are affected per the vendor CPE listing (cpe:2.3:a:technitium:dns_server:*:*:*:*:*:*:*:*). The CVSS Changed Scope (S:C) confirms that impact extends beyond the vulnerable server itself, affecting downstream network resources and other systems. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.
Token replay exploitation in Red Hat Build of Keycloak's WebAuthn flow allows an unauthenticated remote attacker who intercepts an ExecuteActionsActionToken email link to enroll their own hardware-backed WebAuthn authenticator to a victim's account. Successful exploitation bypasses authentication entirely and grants the attacker persistent, credential-backed access to the compromised account. No public exploit code has been identified at time of analysis, and CISA KEV confirmation is absent, but the High confidentiality and integrity impact from CVSS underscores the severity if the attack preconditions are met.
Keycloak's Authorization Services Protection API is vulnerable to an Insecure Direct Object Reference (IDOR) flaw that allows authenticated low-privileged clients to perform unauthorized GET, PUT, and DELETE operations on resources owned by a different Resource Server within the same realm. By supplying a resource UUID belonging to a peer Resource Server - which a client can obtain through enumeration or disclosure - the attacker bypasses Keycloak's authorization enforcement entirely. The CVSS score of 6.8 (High) reflects confirmed confidentiality and integrity impact, though High complexity (AC:H) indicates the attacker must first acquire valid cross-server UUIDs. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Remote code execution in CtrlPanel versions 1.1.1 and prior allows authenticated administrators to execute arbitrary PHP code by supplying a fully qualified class name to the admin settings update endpoint, which instantiates or invokes static methods on that class without allowlist validation. Any class resolvable by the Composer autoloader - including third-party dependencies - can be targeted, enabling gadget-chain exploitation through PHP magic methods such as __construct, __toString, or __wakeup. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the fix is confirmed in version 1.2.0, released April 2026.
Object injection in Drupal Core across branches 8.0.0 through 11.3.x allows a network-accessible, highly privileged authenticated user to manipulate dynamically-determined object attributes, with potential full compromise of confidentiality, integrity, and availability. The CVSS vector (AV:N/AC:H/PR:H) confirms this is a network-reachable flaw but imposes steep prerequisites: administrator-level access and high attack complexity. No public exploit code or confirmed active exploitation has been identified at time of analysis.
Denial of service in HAX CMS NodeJS (npm/@haxtheweb/haxcms-nodejs) allows any authenticated user to crash the entire Node.js server process with a single crafted HTTP POST to the createSite endpoint. The crash stems from a null pointer dereference (CWE-476) in HAXCMSFile.save(), where tmpFile.originalname is undefined, causing an unhandled TypeError that terminates the process immediately. Because HAX CMS permits open account self-registration, an attacker can create their own account and trigger the crash without needing to compromise existing credentials, making the effective barrier to exploitation very low despite the PR:L CVSS designation. No public exploit identified at time of analysis beyond the PoC included in the GitHub security advisory.
Unauthenticated semi-blind Server-Side Request Forgery in Coder's Azure instance identity endpoint allows any remote attacker to force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts, enabling internal network reconnaissance, cloud metadata service probing (e.g., 169.254.169.254), and error-based information disclosure of network topology. The vulnerability exists across all supported Coder release lines prior to v2.29.13/v2.30.8/v2.31.12/v2.32.2/v2.33.3/v2.24.5 (ESR), and has been patched in GitHub PR #25274. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Infinite CPU loop denial-of-service in libheif 1.21.2 and below allows a remote unauthenticated attacker to permanently exhaust a victim application's CPU by delivering a crafted 800-byte HEIF sequence file. The vulnerability triggers during file parsing in Box_stts::get_sample_duration() before any image decoding occurs, meaning any application that opens user-supplied HEIF files is exposed at the moment of file open. No KEV listing and no public exploit have been identified at time of analysis, but the low attack complexity and high availability impact make this a meaningful risk for deployments that process untrusted HEIF content. Vendor-released patch version 1.22.0 resolves the issue.
Denial of service in libheif versions 1.21.2 and below allows a remote attacker to crash any application linked against the library by supplying a crafted HEIF sequence file. The crash is deterministic - the malformed file passes parsing without error, then triggers a guaranteed SEGV on the first frame access due to an unsigned integer underflow that maps all media samples to an empty chunk. No public exploit has been identified at time of analysis, and this is not listed in the CISA KEV catalog; vendor-released patch is available in version 1.22.0.
Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Heap memory disclosure in strukturag libheif versions 1.21.2 and prior exposes up to 12,288+ bytes of uninitialized heap content - potentially containing auth tokens, database results, or other users' image data - when decoding crafted HEIF or AVIF grid images under the library's default settings. The decode path silently suppresses tile failures while returning heif_error_Ok, so calling applications receive heap garbage as valid pixel values with no error indication. Server-side image pipelines that ingest user-uploaded HEIF/AVIF and re-encode the output (e.g., as PNG or JPEG thumbnails for CDNs or social platforms) are at highest cross-user exposure risk; no public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Audience restriction bypass in Keycloak's OpenID Connect token introspection endpoint exposes sensitive token claims to unauthorized confidential clients. Any attacker-controlled confidential client holding valid realm credentials can query the introspection endpoint and retrieve claims from lightweight access tokens issued to other resource servers - violating the isolation guarantees of audience-scoped tokens. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and network-accessible vector make this a realistic threat in multi-tenant or multi-service Keycloak deployments where client isolation is a security boundary.
Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
CtrlPanel versions 1.1.1 and prior expose administrative DataTable endpoints without enforcing admin-level authorization, allowing any authenticated low-privileged user to retrieve sensitive records that should be restricted to administrators. The flaw stems from a gap between route-prefix-level middleware and per-endpoint permission enforcement: routes under /admin/ appear protected but datatable() methods lack role verification, making the protection illusory. Exploitation yields access to user PII, payment and transaction records, active coupon codes, role/permission structure, server ownership mappings, and support ticket contents - a significant confidentiality breach. No public exploit or CISA KEV listing is identified at time of analysis; a vendor-released patch is available in version 1.2.0.
Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151.
Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data Resource" records with dataTemplateTypeId = "FTL" are no longer supported. Additionally, in the updated version, the "Ecommerce Customer" security group no longer includes content management grants. Users are advised to remove these permissions from any production site as well.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Spoofing via the Form Autofill component in Mozilla Firefox allows a network-based attacker to achieve high integrity impact against users who interact with attacker-controlled content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) confirms no authentication is required from the attacker side, but a victim must interact with malicious content for the attack to succeed. No public exploit code has been identified at time of analysis, and EPSS sits at 0.02% (5th percentile), indicating very low observed exploitation probability; the vulnerability is not listed in the CISA KEV catalog.
Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Firefox for iOS Reader mode exposed an unauthenticated local HTTP server on the device, enabling a co-installed malicious application to request arbitrary URLs through that server and receive responses rendered with the authenticated user's session cookies. Affected versions are all Firefox for iOS releases prior to 151.0, confirmed by Mozilla Security Advisory MFSA2026-49. No public exploit code has been identified and CISA SSVC rates exploitation as none at time of analysis, but successful exploitation would allow silent exfiltration of authenticated web content from the victim's active browsing session.
Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151.
Use-After-Free memory corruption in OpenHarmony v6.0 and prior enables a local attacker with low privileges to execute arbitrary code, achieving a changed scope with high availability impact. The vulnerability is rooted in CWE-416, where freed memory regions are accessed without proper lifecycle management, a class of flaw frequently exploitable for control-flow hijacking. No public exploit code or CISA KEV listing has been identified at time of analysis, though the OpenHarmony security team has published a formal disclosure.
Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.6) allows authenticated attackers with subscriber-level privileges to enumerate and read all frontend form structures and stored visitor submission data, including contact details and messages submitted through any site form powered by the plugin. The flaw originates in missing authorization checks on an AJAX handler (Ajax.php, line 675), meaning any logged-in user - including the lowest-privilege role WordPress assigns - can exfiltrate sensitive visitor-submitted information without any administrative context. No public exploit or CISA KEV listing has been identified at time of analysis, but the low privilege barrier and network-accessible attack vector make this a realistic data exposure risk for any multi-user or public-registration WordPress site running the affected plugin.
Information disclosure in Argo CD v3.x exposes plaintext Kubernetes Secret values to authenticated users who can view application diffs via the ServerSideDiff feature. This is an incomplete fix for a prior vulnerability (GHSA-3v3m-wc6v-x4x3): the original patch masked top-level Secret data in ServerSideDiff responses but failed to sanitize Secret content embedded in the `kubectl.kubernetes.io/last-applied-configuration` annotation on `predictedLive` objects, leaving raw `data`, `stringData`, and sensitive annotation values readable in UI and CLI diff output. A publicly available proof-of-concept exists; no KEV listing is present at time of analysis, but the Changed Scope (S:C) in the CVSS vector indicates that exposed secrets may belong to workloads beyond the Argo CD application boundary, amplifying real-world impact in multi-tenant environments.
Improper permission control on the ZTE MU5250 web management interface allows an adjacent-network attacker with low-level credentials to modify device configuration beyond their authorized scope, resulting in high availability impact and low integrity impact. Affected firmware is confirmed as BD_FLYMODEMMU5250V1.0.0B27, self-disclosed by ZTE via their security bulletin. No public exploit code or CISA KEV listing exists at time of analysis, and exploitation is constrained to adjacent network access with some level of authenticated access per the CVSS vector.
Denial of service in OpenMcdf versions up to and including 3.1.3 allows an attacker to permanently hang any thread that processes a crafted Compound File Binary (CFB) file by exploiting an unguarded infinite loop in the BST name-lookup path of DirectoryTree.TryGetDirectoryEntry. The flaw is distinct from - and unaddressed by - the Brent's-algorithm cycle detection added to DirectoryTreeEnumerator in commit 24f445a: while EnumerateEntries() now safely throws a FileFormatException on cyclic input, any subsequent call to OpenStorage(), TryOpenStorage(), OpenStream(), or TryOpenStream() enters the unprotected while-loop and spins at 100% CPU indefinitely. Publicly available proof-of-concept CFB files (5,632 and 7,936 bytes) demonstrate the hang via two distinct API paths; no public exploit identified at time of analysis that escalates beyond DoS, and the vulnerability is not listed in the CISA KEV catalog.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Cross-site scripting in the Drupal Obfuscate contributed module (versions 0.0.0 through before 2.0.2) allows remote unauthenticated attackers to inject malicious scripts into pages rendered for other users, with impact scoped across security boundaries (S:C). The vulnerability stems from improper neutralization of input during web page generation, enabling session hijacking or UI redress attacks against users who view attacker-controlled content processed by the module. No public exploit has been identified at time of analysis, and EPSS at 0.03% (8th percentile) reflects low current exploitation probability.
Cross-site scripting in Drupal core 11.3.0 through 11.3.6 enables unauthenticated remote attackers to inject malicious scripts into web pages rendered by the application, which execute in victims' browsers upon user interaction. The CVSS Changed scope (S:C) indicator confirms the exploit crosses trust boundaries - attacker-controlled input rendered in the victim's browser context can compromise session tokens or trigger unauthorized actions. With EPSS at 0.03% (8th percentile) and no CISA KEV listing, widespread exploitation is not currently observed; a vendor patch is available in 11.3.7.
Cross-site scripting in Drupal Core exposes a broad range of Drupal installations - spanning major versions 8 through 11 - to client-side script injection exploitable by unauthenticated remote attackers who can induce user interaction. The Changed scope (S:C) in the CVSS vector confirms the injected script executes in the context of a victim's browser session, enabling session hijacking, credential theft, or malicious redirects against authenticated users including administrators. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (8th percentile) signals low near-term exploitation probability, though the breadth of affected versions across three major release lines increases the aggregate attack surface.
Reflected or stored cross-site scripting in Drupal's Orejime cookie consent module (versions 0.0.0 through 2.0.15) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser upon page load or link interaction. The changed scope (S:C) in the CVSS vector indicates the injected script executes in a security context beyond the originating page - consistent with a consent banner or cookie-preference widget that renders across site sections. No public exploit code has been identified at time of analysis, and EPSS is 0.03% (8th percentile), placing this in the low-exploitation-probability tier despite being network-accessible with no authentication required.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Cross-site scripting in Template::Plugin::HTML versions through 3.102 for Perl allows remote unauthenticated attackers to inject JavaScript event handlers into rendered HTML pages when victim users view pages containing attacker-controlled template variables. The html_filter function and HTML.escape method omitted escaping of single-quote characters, meaning variables filtered with `| html` inside single-quoted HTML attributes (e.g., `title='[% var | html %]'`) remained injectable. No public exploit has been identified at time of analysis and EPSS is 0.01% (1st percentile), indicating no observed widespread exploitation, though the attack primitive is straightforward for any attacker aware of the single-quote gap.
Domain allowlist bypass in Apify MCP Server's fetch-apify-docs tool (npm/@apify/actors-mcp-server < 0.9.21) enables prompt injection against LLM agents by allowing attacker-controlled URLs to pass a flawed string prefix check. The tool validates requested URLs with String.startsWith() rather than parsing the URL hostname, so crafted URLs like https://docs.apify.com.evil.com/ satisfy the check while resolving to an attacker-controlled server. Publicly available exploit code (PoC) exists per the GitHub advisory GHSA-jwp7-wg77-3w9v; no CISA KEV listing at time of analysis, though the prompt injection vector can escalate to Apify account compromise via injected token redirection.
Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature enabled can read the name and structured content of form templates that are intended exclusively for categories they are not authorized to access. Impact is limited to disclosure of site configuration metadata. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.
Memory exhaustion and endless loop in Setasign FPDI (composer package setasign/fpdi) allow remote attackers to crash PHP server-side scripts by uploading a small, specially crafted PDF file. All versions prior to 2.6.7 are affected, and any web application that exposes FPDI-based PDF processing to user-supplied input is vulnerable. Repeated submissions can sustain service unavailability; no public exploit has been identified at time of analysis, and no CISA KEV listing exists.
Path traversal in the TYPO3 'Faceted Search' extension's file indexer exposes arbitrary server filesystem content to high-privileged backend users. Because the indexer does not normalize or canonicalize the configured directory path before use, a backend user holding the specific permission to edit indexer configurations can supply path traversal sequences to redirect indexing at sensitive locations outside the intended document root. The CVSS 4.0 score of 5.9 (Medium) reflects high confidentiality impact (VC:H) constrained by the requirement for high privileges (PR:H). No public exploit or CISA KEV listing exists at time of analysis.
XML External Entity (XXE) injection in the OOXML file indexer of the TYPO3 'Faceted Search' extension (EXT:faceted_search) allows a high-privileged authenticated attacker to cause the server to disclose local file contents or perform outbound HTTP requests (SSRF), with retrieved data written to the search index. Exploitation requires placing a crafted XLSX or PPTX document into a directory processed by the indexer. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Sensitive internal TYPO3 database content can be exfiltrated into the public search index via the Faceted Search extension's misconfigured additional_tables parameter. Backend users holding permission to edit indexer configurations can reference arbitrary internal database tables and fields - including those storing backend credentials, frontend user records, or other protected data - causing the search indexer to copy that data into the search index where it may be surfaced in search results or via API responses. No public exploit has been identified at time of analysis, and exploitation is constrained by the requirement for high-privilege backend access (PR:H per CVSS 4.0), placing this firmly in insider-threat and privilege-misuse risk scenarios.
Source code disclosure in Nuxt's webpack and rspack dev server middleware enables a malicious website on the same local network to exfiltrate full application source code when developers run `nuxt dev --host`. The previous fix for GHSA-4gf7-ff8x-hq99 relied exclusively on Sec-Fetch-Mode and Sec-Fetch-Site headers, which browsers only send from potentially trustworthy origins (HTTPS or localhost) per the W3C Fetch Metadata specification - requests originating from plain HTTP pages on LAN omit these headers entirely, bypassing the same-origin check. A working proof-of-concept is embedded in the vendor advisory; no public exploit identified at time of analysis in CISA KEV.
Remote unauthenticated denial-of-service in NanoMQ MQTT Broker (versions 0.24.10 and below) crashes the broker process via a NULL pointer dereference triggered by high-concurrency MQTT reconnect traffic. The flaw occurs during session resumption for persistent-session clients (clean_start=0), where the NanoNNG transport layer's pipe_peer() function dereferences cpipe->subinfol without verifying that the new pipe's subinfol pointer is also non-NULL - a pointer that can be freed mid-race. No public exploit code exists and the vulnerability is not listed in CISA KEV; however, CVSS AV:N/PR:N confirms remote unauthenticated triggering, and the fix has been released in version 0.24.11.
Full process crash in Mailpit before v1.30.0 is achievable by a remote unauthenticated attacker via a race condition in the /proxy endpoint's CSS rewriter cache, causing Go's unrecoverable fatal runtime panic and terminating the SMTP, POP3, and HTTP listeners simultaneously. The root cause is an unsynchronized read of a package-level assets map[string]MessageAssets cache that is written concurrently by a cleanup goroutine and re-entrant CSS-rewriting handlers - Go's runtime detects the collision and calls throw(), which bypasses http.Server's handler-panic recovery. Publicly available exploit code exists in the GHSA advisory; no CISA KEV listing has been identified at time of analysis, and EPSS data was not available in the provided intelligence.
Arbitrary file write via path traversal in Mailpit's `dump --http` subcommand (versions < 1.30.0) allows any HTTP server impersonating a Mailpit instance to write attacker-controlled bytes to arbitrary paths outside the intended output directory. The attacker controls both the file path (via the message ID field in the JSON response) and the file contents (via the raw message body endpoint), enabling writes anywhere the dumping user has write permission - including cron jobs, shell startup files, and CI artifact directories. Publicly available exploit code exists (Python PoC published in GHSA-qx5x-85p8-vg4j); no confirmed active exploitation at time of analysis.