Skip to main content
CVE-2025-31985 LOW Monitor

Missing X-Content-Type-Options response header in HCL BigFix Service Management (SM) leaves browsers without MIME-type sniffing protection, creating conditions where malicious or ambiguously typed content served through the application could be misinterpreted and executed by a victim's browser. The CVSS score of 3.7 (Low) reflects genuine constraints: high attack complexity, required low-privilege authentication, and mandatory user interaction all limit realistic exploitability. No public exploit code exists and this vulnerability is not confirmed actively exploited (CISA KEV), consistent with its classification as a security misconfiguration rather than a critical flaw.

Information Disclosure Bigfix Service Management
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-47068 LOW POC PATCH GHSA Monitor

Cross-session PubSub topic injection in phoenix_storybook (versions 0.4.0 through before 1.1.0) allows a remote unauthenticated attacker to redirect a victim's playground control messages to an attacker-controlled LiveView iframe process. The vulnerability exists because ComponentIframeLive reads the PubSub coordination topic verbatim from a URL query parameter with no session-binding validation, enabling an attacker who loads a crafted iframe URL to hijack variation state changes, theme switches, and extra-assign payloads intended for a victim's active playground session. No public exploit code exists and no CISA KEV listing is present; the CVSS 4.0 score of 2.3 reflects genuinely low severity given the prerequisites required.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-47099 LOW PATCH Monitor

DOM-based cross-site scripting in telejson versions prior to 6.0.0 allows unauthenticated remote attackers to execute arbitrary JavaScript by supplying a crafted JSON payload to the parse() function, specifically via a malicious _constructor-name_ property that is injected unsanitized into a new Function() call during prototype reconstruction. All applications using telejson < 6.0.0 that pass externally-sourced JSON - particularly those using postMessage for cross-frame communication - to telejson.parse() are affected. No public exploit has been identified at time of analysis, though the GHSA advisory (GHSA-ccgf-5rwj-j3hv) publishes both vulnerable and patched source code at named release tags, substantially lowering the barrier to exploitation. Vendor-released patch is available as telejson 6.0.0.

XSS Telejson
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-45232 LOW PATCH Monitor

Stack memory corruption in rsync before 3.4.3 allows network-positioned attackers to write a null byte past the end of a fixed-size stack buffer in the establish_proxy_connection() function in socket.c. The vulnerability is only reachable when the RSYNC_PROXY environment variable is set and an attacker controls or intercepts traffic to the configured HTTP proxy. Impact is constrained to a low-severity availability disruption (process crash) with no confidentiality or integrity exposure; no public exploit has been identified at time of analysis.

Buffer Overflow Rsync
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy