Sandbox escape in Twig 3.24.0 through 3.25.x lets an attacker with write access to a sandboxed template read arbitrary public properties and invoke any public getter on objects exposed to the template, bypassing the SandboxExtension's SecurityPolicy allowlists. The flaw exists because the object-destructuring compiler hardcodes the $sandboxed flag to false when emitting CoreExtension::getAttribute() calls, so policy checks never run for destructuring expressions whenever the {% do %} tag is permitted. No public exploit identified at time of analysis, but the issue was responsibly disclosed with vendor-confirmed root cause and an upstream patch.
Out-of-bounds read in Netatalk versions 1.3 through 4.4.2 allows adjacent network attackers to trigger denial of service and potentially disclose memory contents via malformed ASP (AppleTalk Session Protocol) session IDs. The flaw, classified as CWE-125, was fixed in version 4.4.3, and no public exploit identified at time of analysis. CVSS 7.1 reflects an adjacent-network attack vector with no privileges required and a high availability impact.
SQL injection in Open ISES Tickets before 3.44.2 lets authenticated users tamper with backend database queries through the ajax/statistics.php endpoint by injecting payloads into the tick_id and f_tick_id POST parameters. The CVSS 4.0 score of 7.1 reflects high confidentiality impact with lower integrity impact, and while no public exploit is identified at time of analysis, this flaw is one of 19 SQL injection issues bundled into a single critical security release that the vendor urges all users to install immediately.
SQL injection in Open ISES Tickets before 3.44.2 lets authenticated users tamper with the incidents summary report query via the tick_id POST parameter in ajax/reports.php, enabling arbitrary read, modification, or destruction of database contents. The v3.44.2 release notes confirm the fix was part of a broader security overhaul addressing 19 SQL injection flaws and 69 XSS issues. No public exploit identified at time of analysis, and SSVC classifies exploitation status as 'none' with partial technical impact.
SQL injection in Open ISES Tickets before 3.44.2 allows authenticated attackers to manipulate database queries via the unsanitized `id` GET parameter in `ajax/mobile_main.php`. The flaw permits arbitrary read, modification, or destruction of database contents, and is part of a broader batch of 19 SQL injection fixes shipped in v3.44.2. No public exploit identified at time of analysis, but the vendor explicitly classifies v3.44.2 as a 'Critical Security Update' urging immediate upgrade.
SQL injection in Open ISES Tickets before 3.44.2 allows authenticated attackers to manipulate backend database queries via the message.php endpoint, enabling unauthorized read, modification, or destruction of database contents. The flaw stems from unsanitized concatenation of the frm_ticket_id and frm_resp_id POST parameters into SELECT and UPDATE statements. No public exploit identified at time of analysis, though VulnCheck has published a dedicated advisory and the vendor's 3.44.2 release bundles fixes for 19 SQL injection issues across the codebase.
SQL injection in Open ISES Tickets before 3.44.2 allows authenticated attackers to manipulate database queries via unsanitized POST parameters (ticketsdb, ticketshost, ticketsuser, ticketspassword) in db_loader.php, enabling read, modification, or destruction of database contents. The vendor confirms this is one of 19 SQL injection flaws patched in v3.44.2, reported by VulnCheck. No public exploit identified at time of analysis, and the vulnerability requires low-privilege authentication (PR:L per CVSS 4.0 vector).
SQL injection in Open ISES Tickets versions prior to 3.44.2 allows authenticated attackers to manipulate ORDER BY clauses via the sort and dir GET parameters in portal/ajax/list_requests.php, enabling unauthorized read, modification, or destruction of database contents. The CVSS 4.0 score of 7.1 reflects network-reachable exploitation with low privileges and no user interaction required. No public exploit identified at time of analysis, but the vendor's own release notes describe this as part of a critical security update patching 19 SQL injection flaws across 11 files.
SQL injection in Open ISES Tickets prior to 3.44.2 allows authenticated attackers to manipulate database queries via the unsanitized 'offset' GET parameter in ajax/sit_incidents.php, which is concatenated directly into a LIMIT clause. Successful exploitation enables reading, modifying, or destroying database contents. No public exploit identified at time of analysis, though the underlying flaw is one of 19 SQL injection issues patched in the same release, indicating broad code-level weakness.
SQL injection in Open ISES Tickets versions prior to 3.44.2 allows authenticated attackers to manipulate database queries through the unsanitized offset parameter in ajax/fullsit_incidents.php. The flaw enables reading, modifying, or destroying database contents and is part of a broader v3.44.2 security release that patched 19 SQL injection issues. No public exploit identified at time of analysis, but the vendor classifies the update as critical and urges immediate upgrade.
SQL injection in Open ISES Tickets prior to 3.44.2 lets authenticated users tamper with database contents by abusing unsanitized POST parameters (tablename, indexname, sortby) in tables.php that are concatenated directly into SELECT, UPDATE, and DELETE identifier positions. The flaw is one of 19 SQLi issues fixed in the v3.44.2 release; no public exploit identified at time of analysis, but the vendor labels the release a Critical Security Update and urges immediate upgrade.
Authentication bypass in Digital Operations Services Inc. WifiBurada (all versions through 21052026) allows authenticated remote attackers to access private personal information and credentials belonging to other users due to insufficient credential protection. The flaw, reported by TR-CERT and tracked as EUVD-2025-209910, carries a CVSS 7.1 score with high confidentiality impact; no public exploit identified at time of analysis and the vendor has not responded to disclosure attempts.
A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent iCore service signature verification could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release).
The affected product may expose credentials remotely between low privileged visualization users during concurrent login operations due to insufficient isolation of authentication data. The vulnerability affects only login operations within an active visualization session.
Unauthenticated file usage disclosure in Concrete CMS 9.5.0 and below exposes internal page structure to any network-accessible visitor without credentials. The usage controller endpoint `/ccm/system/dialogs/file/usage/{fID}` lacks a permission check, returning page IDs, URL handles, and full URLs for every page referencing a given file - including pages explicitly restricted by CMS access controls. No public exploit identified at time of analysis, but the CVSS:4.0 AV:N/AC:L/AT:N/PR:N/UI:N vector confirms trivial, unauthenticated network exploitation with no complexity barrier.
Server-Side Request Forgery (SSRF) and local file read in KnpLabs Snappy (composer package knplabs/knp-snappy <= 1.6.0) allows remote attackers to exfiltrate sensitive server files by injecting a file:// URI into the xsl-style-sheet PDF generation option. When applications pass unsanitized user input directly to the Snappy library's generate() method, wkhtmltopdf processes attacker-controlled URIs including file:// scheme paths, enabling reads of files such as /etc/passwd. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV, but the attack pattern is straightforward and exploitability is high in vulnerable deployments where PHP runs as root outside a container.
Arbitrary command execution in Fission's builder component (pkg:go/github.com/fission/fission <= 1.22.0) allows any principal with create or update privileges on Environment CRDs to redirect the builder pod to execute any binary reachable via $PATH inside the builder image. The vulnerable call site at pkg/builder/builder.go:254 passes the unsanitized Environment.spec.builder.command value directly to exec.Command after a strings.Fields split, enabling attackers to specify paths such as /bin/sh -c '...' as the build command. No public exploit has been identified at time of analysis, but the patch is confirmed released in v1.23.0 and the exploit primitive requires only a single Kubernetes API write to trigger.
Open ISES Tickets exposes a hardcoded Google Maps API key committed directly to its public GitHub source repository in tables.php, affecting all versions before 3.44.2. Any party with read access to the repository - effectively the entire internet - can extract the key and authenticate to Google Maps Platform as the application owner, generating API usage billed against the victim's Google Cloud project. No public exploit has been identified at time of analysis, but the SSVC framework rates this as automatable with partial technical impact, and the v3.44.2 release notes confirm the key is one of five hardcoded secrets removed in a batch of 88 security fixes.
Hardcoded Google Maps API key exposure in Open ISES Tickets before v3.44.2 enables any party with read access to the public GitHub repository to extract a valid API credential from settings.inc.php and issue arbitrary Google Maps Platform requests billed against the victim organization's Google Cloud project. All versions from the initial release up to (but not including) 3.44.2 are affected per CPE cpe:2.3:a:open_ises:tickets:*:*:*:*:*:*:*:*. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but exploitation requires only the ability to read a publicly hosted source file - effectively zero technical barrier for any motivated actor.
Open ISES Tickets before v3.44.2 exposes a hardcoded WhitePages reverse-phone API key committed directly into the public source file wp1.php, making it trivially accessible to any actor who can read the repository. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) reflects that no authentication or special conditions are required - extraction is as simple as reading a publicly hosted source file. Impact is bounded to third-party API abuse: an attacker can use the stolen key to make WhitePages lookups billed to or rate-capped against the legitimate owner's account. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV, though the passive nature of the exposure means any observer of the repository may already possess the key.
Integrity compromise in PowerDNS Authoritative Server allows network-positioned attackers to inject unauthorized DNS records by exploiting insufficient validation of DNS names received during AXFR (zone transfer) processing. The CVSS changed-scope indicator (S:C) reflects that the high-integrity impact extends beyond the vulnerable server itself to all downstream systems consuming the corrupted zone data, enabling a form of DNS record poisoning. No public exploit has been identified at time of analysis, and the high attack complexity (AC:H) constrains exploitation to adversaries with specific network positioning or control over a zone transfer source.
IPv6 transition-form SSRF in Pydantic AI bypasses the cloud-metadata blocklist introduced as a fix for CVE-2026-25580, exposing cloud IAM short-term credentials on dual-stack and translated networks. The bypass affects pydantic-ai and pydantic-ai-slim deployments that explicitly opt FileUrl-family types into force_download='allow-local' on URLs reachable by untrusted input - a materially narrower attack surface than its parent CVE, reflected in the AC:H rating versus the parent's AC:L. CVSS 6.8 (High) with Changed scope captures that a successful attack escapes the application boundary to reach cloud metadata services; no public exploit code and no CISA KEV listing have been identified at time of analysis.
Shell injection in Netatalk 3.1.0 through 4.4.2 allows a high-privileged local attacker to execute arbitrary OS commands by embedding shell metacharacters in a configured volume path value. The flaw (CWE-78) arises because volume path strings are passed to a shell interpreter without sanitization, meaning any actor with write access to Netatalk's volume configuration can achieve full command execution under the Netatalk process context. No public exploit code has been identified at time of analysis, and the vendor has released a fix in version 4.4.3.
Predictable afpd session token generation in Netatalk 2.0.0 through 4.4.2 allows an authenticated remote attacker to forecast or brute-force valid session identifiers within the Apple Filing Protocol daemon. Per CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, the scored impact is limited to high availability disruption, though the reporter tag 'Information Disclosure' suggests potential session-hijacking consequences that may not be fully captured in the CVSS scoring - a discrepancy analysts should verify against the vendor advisory. No public exploit code or CISA KEV listing exists at time of analysis.
Disk exhaustion denial of service in NocoDB's v1/v2 attachment upload-by-URL API allows authenticated users with Editor-level privileges or higher to direct the server to fetch arbitrarily large remote files, consuming all available disk space. The root cause is missing enforcement of the NC_ATTACHMENT_FIELD_SIZE configuration limit in attachments.service.ts for the v1/v2 code paths, despite the v3 equivalent already implementing the constraint correctly. Cascading failures follow disk exhaustion: database writes block, log rotation fails, and the application itself may crash - making this a high-availability-impact issue for any NocoDB deployment with untrusted authenticated users.
Heap-based buffer overflow in libsolv's repo_add_solv() function enables a remote unauthenticated attacker to crash the parsing process by delivering a specially crafted .solv repository metadata file containing negative values in the maxsize or allsize header fields. The malformed values bypass allocation sizing logic, producing an undersized heap buffer that is subsequently written past its bounds, yielding a denial of service. No public exploit identified at time of analysis; however, an upstream fix has been submitted via openSUSE/libsolv GitHub PR #617, and Red Hat has acknowledged the issue via a dedicated security advisory.
Missing post-response authorization filtering in MLflow's self-hosted server exposes all registered model version metadata to any authenticated user, regardless of their per-model permission level. Both the REST API endpoint `SearchModelVersions` and the GraphQL query `mlflowSearchModelVersions` were absent from the authorization middleware chains in versions up to 3.9.0, allowing a low-privilege authenticated user to enumerate model names, version descriptions, source artifact URIs, tags, and other metadata across all registered models in multi-tenant deployments. No public exploit identified at time of analysis; the vendor-released patch is confirmed in version 3.10.0.
In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process.
Blind Server-Side Request Forgery in FlaskBB's avatar URL handling allows any authenticated user to force the server to issue arbitrary HTTP GET requests to internal network endpoints, including cloud instance metadata services (AWS IMDSv1 at 169.254.169.254, GCP, Azure equivalents). All versions up to and including 2.2.0 of the pip-distributed FlaskBB package are affected, with no vendor-released patch available at time of analysis. A proof-of-concept is publicly available via the GitHub Security Advisory, and three distinct exploitation channels have been demonstrated: direct credential exfiltration from cloud metadata services, internal port scanning via differential error responses, and triggering of internal APIs (Elasticsearch, etcd, Consul, CI/CD webhooks).
Broken access control in the HAPPY WordPress helpdesk and support ticket plugin (versions through 1.0.10) by VillaTheme permits unauthenticated remote attackers to invoke restricted plugin functionality without any authorization check. The vulnerability stems from missing authorization gates on plugin endpoints, classified under CWE-862, enabling limited integrity and availability impact against affected WordPress installations. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Stack buffer overflow in Netatalk's desktop.c affects all versions from 1.3 through 4.2.2, allowing a network-reachable low-privilege authenticated attacker to crash the AFP service or potentially execute arbitrary code on the server. The vulnerability is rooted in improper bounds checking within AFP desktop database handling code and carries a CVSS score of 6.0 (Medium) with high availability impact as the most reliably achievable outcome. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the required high attack complexity materially limits real-world exploitation risk.
Stored Cross-Site Scripting in Avada (Fusion) Builder for WordPress (all versions through 3.15.2) allows authenticated attackers with Subscriber-level access to persist malicious JavaScript via unsanitized shortcode parameters. The injected scripts execute in the browser of any user - typically an administrator - who views a page rendering dynamic user data such as biographical information sourced through the plugin's Dynamic Data feature. With CVSS Scope set to Changed (S:C), successful exploitation crosses the victim's security boundary, enabling session hijacking or privilege escalation against higher-privileged users. No public exploit code or CISA KEV listing has been identified at time of analysis.
Insecure Direct Object Reference (IDOR) in Concrete CMS versions up to and including 9.5.0 enables unauthenticated remote attackers to cast fraudulent votes in restricted private surveys by submitting a private survey's optionID through the publicly accessible voting endpoint. The vulnerability is configuration-dependent - exploitation requires the target site to simultaneously host both public and private surveys - which the CVSS v4.0 vector encodes as AT:P (Attack Requirements: Present), moderately lowering the practical risk surface compared to a universally exploitable flaw. No public exploit code or active exploitation has been identified at time of analysis. Impact is limited to integrity: survey result manipulation with no confidentiality or availability consequence.
Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and earlier exposes the full content of any conversation message through an unauthenticated frontend API endpoint, including messages from restricted pages, member-only areas, and the moderation queue. Unauthenticated remote attackers can enumerate message records and harvest file attachment download URLs by querying `/ccm/frontend/conversations/message_page` without credentials. No public exploit code has been identified and no CISA KEV listing exists; however, the network-accessible unauthenticated attack vector (PR:N, AV:N) makes patching a priority for any public-facing installation using the Conversations feature.
Unauthenticated information disclosure in Concrete CMS 9.5.0 and earlier allows remote attackers to enumerate all conversation messages - including content from restricted pages, member-only areas, and the moderation queue - by exploiting a missing authorization check on the `/ccm/frontend/conversations/message_detail` endpoint. File attachment download URLs are also exposed, compounding the data leakage risk. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the attack requires no credentials and no user interaction, making bulk enumeration trivial once the conversations feature is confirmed active.
Unauthenticated information disclosure in Concrete CMS 9.5.0 and below allows any network-accessible attacker to enumerate internal site structure data - including page IDs, version numbers, and URL paths - by sending GET requests to the /ccm/system/dialogs/file/usage/{fID} endpoint without any credentials. The flaw combines CWE-862 (Missing Authorization) with a classic IDOR pattern on an integer file ID parameter, and is scored CVSS 4.0 at 6.3 (Medium) by the vendor with PR:N and AC:L, though the AT:P metric indicates that valid file IDs must exist for meaningful data to be returned. No public exploit code and no CISA KEV listing exist at time of analysis.
Unauthorized disclosure of restricted calendar event details in Concrete CMS 9.5.0 and below stems from a missing authorization check in the Calendar Block's action_get_events handler, which never invokes canView on the target calendar before returning event data. Unauthenticated remote attackers who can reach the endpoint can retrieve event information that site administrators have explicitly restricted, provided a Calendar Block with access-controlled events is deployed. No public exploit code exists and the vulnerability is absent from the CISA KEV catalog; however, the network-accessible, zero-authentication nature of the endpoint lowers the bar for casual enumeration of restricted scheduling data.
Cross-calendar data disclosure in Concrete CMS 9.5.0 and below exposes private calendar event data to unauthenticated remote attackers via an authorization bypass (CWE-639) in the Calendar Event Frontend Dialog. A publicly accessible calendar block serves as a required pivot point, allowing attackers to reference and retrieve event data from private calendars within the same installation. No public exploit has been identified at time of analysis; the vendor assigned a CVSS 4.0 score of 6.3, reflecting constrained confidentiality impact and a prerequisite attack condition (AT:P).
Unauthenticated page metadata disclosure in Concrete CMS 9.5.0 and below exposes private, draft, and restricted page details - including title, URL path, description, and author - to any remote attacker on sites with summary templates configured. The flaw stems from improper access control (CWE-284) where the summary template rendering pipeline bypasses page visibility restrictions entirely, making sensitive page structure visible without any credential. No active exploitation (CISA KEV) and no public exploit code have been identified at time of analysis; the CVSS v4.0 score of 6.3 with AT:P reflects that exploitation depends on a non-universal template configuration being present.
Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and earlier allows unauthenticated remote attackers to enumerate arbitrary conversation message IDs via the `/ccm/frontend/conversations/get_rating` endpoint, confirming message existence and leaking rating scores. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:L) indicates no authentication is required but a prerequisite condition must be met - likely the Conversations module being enabled and publicly reachable. No public exploit has been identified and this CVE is not listed in CISA KEV, placing it in the low-priority tier despite its network-accessible nature.
Unauthorized access to all Express form submissions is possible in Concrete CMS 9.5.0 and below through an Insecure Direct Object Reference (IDOR) in the Express Entry Detail block, exploitable by unauthenticated remote attackers who manipulate the exEntryID parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N) confirms network-accessible, unauthenticated exploitation, though the AT:P metric indicates a specific deployment precondition - the Express Entry Detail block must be in active use. No public exploit or CISA KEV listing has been identified at time of analysis; a vendor-released patch is available in the 9.5.1 release.
Unauthorized file download in Concrete CMS 9.5.0 and below exposes permission-restricted files via a broken authorization check in the file download controller. The submit_password() method in download_file.php processes file access without enforcing the view_file permission gate, producing two exploitable paths: any unauthenticated network actor can retrieve files that carry no password protection, and any actor who possesses a file's password can retrieve that file regardless of whether their account holds view_file permission. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
KVM read-only execution isolation bypass in klever-go allows a low-privileged smart contract actor to commit irreversible contract deletion side effects through the `ExecuteReadOnlyWithTypedArguments` hook, violating the expected non-mutating guarantee of read-only calls. Affected are all deployments of klever-go prior to v1.7.17 where smart contract workflows invoke callees through read-only execution paths. A confirmed proof-of-concept was included with the original disclosure, demonstrating that `DeletedAccounts` in VM output transitions from zero entries to one after a read-only nested call - no public exploit is separately circulating and CISA KEV listing is not confirmed at time of analysis.
Brute force exploitation of the Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application (versions 1.6.2 through before 1.13) is enabled by the complete absence of rate limiting or lockout controls on authentication attempts (CWE-307), allowing a network-accessible attacker to systematically enumerate user credentials. Successful exploitation results in high confidentiality impact - consistent with the 'Information Disclosure' tag and C:H CVSS metric - meaning account contents and potentially sensitive utility-related user data can be exposed. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, a vendor-released patch is available and upgrade to version 1.13 is the indicated remediation.
Buffer Overflow vulnerability in Uncrustify Project Affected v.Uncrustify_d-0.82.0-132-bcc41cbdc and Fixed in commit 68e67b9a1435a1bb173b106fedb4a4f510972bdc allows a local attacker to cause a denial of service via the check_template.cpp, check_template function, tokenize_cleanup function, uncrustify executable components
Reflected XSS in NocoDB's Page Leaving Warning component allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL containing a `javascript:` URI in the `ncRedirectUrl` or `ncBackUrl` query parameters. All NocoDB npm releases up to and including version 0.301.3 are affected, and no vendor-released patch has been identified at time of analysis. No active exploitation has been confirmed (not in CISA KEV), but the GitHub Security Advisory provides sufficient technical specificity - including the exact vulnerable file and parameter names - to enable independent POC development.
Open redirect vulnerability in Umbraco CMS Surface Controllers allows unauthenticated remote attackers to redirect authenticated victims to arbitrary external URLs following form submissions. The affected controllers - UmbLoginStatusController, UmbProfileController, and UmbRegisterController - accepted user-controlled RedirectUrl query parameters without validating that the destination was a local URL, enabling phishing and credential harvesting attacks. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV, but the CVSS score of 5.4 reflects low-complexity network exploitation requiring only victim interaction.
SSO authentication callback origin validation failure in Mattermost Mobile Apps enables cross-server credential theft across multiple release branches (≤11.1.3, ≤11.3.2, ≤11.0.4, ≤10.11.11, ≤2.0.37). An attacker operating a malicious Mattermost server can relay the SSO authorization code exchange through a victim's mobile application to authenticate against a separate, legitimate Mattermost server - stealing valid session credentials without the victim's awareness. No public exploit has been identified at time of analysis, and CVSS AC:H constrains this to targeted, engineered attacks rather than opportunistic mass exploitation.
Sandbox policy bypass in Twig's deprecated `{% sandbox %}{% include %}` tag path allows template authors to access every filter, function, and tag registered in the environment, regardless of the configured SecurityPolicy. This is an incomplete fix for CVE-2024-45411 (GHSA-6j75-5wfj-gh66): the prior fix added an explicit `checkSecurity()` re-invocation in `CoreExtension::include()` but did not update the compiled output of the `{% sandbox %}{% include %}` syntax, leaving it without the same guard. Twig versions prior to 3.26.0 using this deprecated tag in applications that allow user-controlled template authorship are affected. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
Reflected XSS in Concrete CMS 9.5.0 and below allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in the browser of an authenticated admin or report viewer who clicks a crafted URL targeting the legacy form reports dashboard. The vulnerable component, Concrete\Core\Legacy\Pagination, raw-interpolates a user-controlled URL value directly into an HTML href attribute, enabling attribute injection per CWE-83. With a CVSS 4.0 score of 6.0 and high confidentiality impact (VC:H) on the vulnerable system, successful exploitation can lead to session token theft; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.