Integer underflow in Netatalk's volxlate function affects all releases from 3.0.0 through 4.4.2, an open-source AFP (Apple Filing Protocol) file server widely deployed on Linux/Unix systems serving macOS clients. Exploitation is constrained to local, highly-privileged attackers under high-complexity conditions, yielding only limited confidentiality, integrity, and availability impact (CVSS 3.4). No active exploitation is confirmed (not listed in CISA KEV), and no public exploit identified at time of analysis.
Netatalk versions 3.1.2 through 4.4.2 are distributed as binaries compiled without the FORTIFY_SOURCE flag, stripping away runtime buffer overflow detection that the compiler would otherwise embed into unsafe C standard library calls. Remote unauthenticated attackers can, under high-complexity conditions, trigger memory errors that the absent protection would have safely caught and terminated, instead manifesting as minor availability impact (CVSS A:L). No public exploit code exists and CISA has not added this to the KEV catalog; the CVSS score of 3.7 (Low) reflects the limited impact ceiling and high attack complexity.
Incorrect errno calculation in Netatalk 2.1.0 through 4.4.2 allows remote unauthenticated attackers to cause minor service disruption by triggering simultaneous error conditions that produce invalid composite error codes via bitwise OR misuse. The flaw (CWE-682, Incorrect Calculation) diverts execution into incorrect error-handling paths within the AFP file-sharing service, affecting availability at a low level (A:L) with no confidentiality or integrity impact. No public exploit or active exploitation has been identified at time of analysis; the CVSS score of 3.7 (Low) and high attack complexity (AC:H) reflect a limited real-world threat.
Missing break statement in Netatalk's DSI OpenSession handler allows DSIOPT_ATTNQUANT case to fall through into DSIOPT_SERVQUANT processing, affecting versions 1.5.0 through 4.4.2. An unauthenticated remote attacker can send a crafted DSI session options packet to trigger unintended session option handling, resulting in minor service disruption. No public exploit identified at time of analysis, and the High attack complexity rating (AC:H) constrains real-world exploitation to adversaries capable of precise DSI packet construction.
TOCTOU race condition in Netatalk's ad_flush function across versions 3.0.0 through 4.4.2 exposes root-privileged file operations to remote manipulation, enabling limited data modification under constrained timing conditions. Unauthenticated network attackers (PR:N, AV:N per CVSS) must win a precise race window, making this high-complexity and low-impact - CVSS scores it 3.7 (Low) with integrity-only consequences and no confidentiality or availability impact. No public exploit code exists and the vulnerability is not confirmed actively exploited in CISA KEV at time of analysis.
Unbounded realloc during charset conversion in Netatalk 2.0.0 through 4.4.2 allows an authenticated remote attacker to trigger excessive memory allocation, resulting in limited availability impact. The flaw is classified under CWE-770 (resource allocation without limits) and carries a low CVSS score of 3.1, reflecting constrained exploitability due to high attack complexity and required authentication. No public exploit code or active exploitation has been identified at time of analysis; a fix was released in version 4.5.0.
Format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows authenticated network attackers to cause low-severity availability disruption, with a secondary reporter-assessed potential for memory content disclosure. The root cause is CWE-134 (Use of Externally-Controlled Format String), a class known to enable stack and heap memory leakage via injected format specifiers - a risk flagged by securin's 'Information Disclosure' tag that is not fully reflected in the CVSS vector (C:N). No public exploit identified at time of analysis; vendor-released patch is available in version 4.5.0.
Information disclosure in Netatalk 3.0.0 through 4.4.2 stems from a dead bounds check (CWE-561) in the Spotlight RPC unmarshaller - code intended to enforce input boundaries is logically unreachable, leaving RPC input processing without effective size validation. Remote attackers who hold at least low-level credentials can submit crafted Spotlight RPC requests to extract limited confidential information from the service. No public exploit has been identified at time of analysis, and the CVSS 3.1 score correctly reflects the constrained real-world impact: high attack complexity, authentication required, and confidentiality-only impact with no integrity or availability consequence.
Incorrect hexadecimal-to-integer conversion in Netatalk 2.0.0 through 4.4.2 stems from a macro that fails to handle uppercase hex digits (A-F) correctly, producing wrong integer values during AFP protocol processing. An authenticated remote attacker with low privileges can exploit the flaw under high-complexity conditions to cause minor integrity corruption - for example, corrupted filename or attribute encoding. No public exploit code exists and the vulnerability is not listed in CISA KEV, making real-world exploitation unlikely in most environments. Fixed in Netatalk 4.5.0.
OS command injection in Netatalk 2.2.1 through 4.4.2 arises from a code path that invokes system() after a failed chdir() call, classified under CWE-78. Exploitation requires local access with high privileges and high attack complexity, and yields only low-integrity and low-availability impact with no confidentiality exposure, reflected in the CVSS score of 2.5. No public exploit code and no CISA KEV listing have been identified at time of analysis; a vendor-released fix is available in version 4.5.0.
NocoDB's API token revocation is ineffective for up to three days due to a stale authentication cache, meaning deleted tokens continue to grant full API access during the cache TTL window. Operators who revoke a compromised or leaked token - expecting immediate cessation of access - receive no such guarantee; the deleted token remains accepted by the auth middleware until its cache entry ages out. This vulnerability (CWE-613: Insufficient Session Expiration) affects all NocoDB instances running npm package version 0.301.3 and earlier. No vendor-released patch has been identified at time of analysis. No public exploit and no CISA KEV listing have been identified.
Unauthorized file deletion is possible in Concrete CMS 9.5.0 and below due to an inverted CSRF token validation logic in the DeleteFile controller, where the protection mechanism operates in reverse - rejecting legitimate requests and approving forged ones. A remote unauthenticated attacker (PR:N per CVSS v4.0) can craft a cross-site request forgery attack that deletes files on behalf of any victim authenticated with conversation message editing privileges. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV; the vendor-assigned CVSS v4.0 score of 2.3 reflects the constrained real-world impact given the required victim privilege level and mandatory user interaction.
Improper cache key generation in SpiceDB's dispatch layer allows authorization bypass when caveat structures use nested lists. Affected versions (v1.15.0 through v1.51.x) generate colliding cache keys due to non-deterministic serialization of nested list structures in caveat contexts, causing the system to erroneously serve a cached positive authorization result in place of a correct negative one. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog, but exploitation is structurally straightforward for any party with the ability to send crafted CheckBulkPermission or LookupResources requests to a misconfigured deployment.
CSRF vulnerability in Concrete CMS 9.x before 9.5.0 allows a network-based attacker to trigger unauthorized log deletion by tricking an authenticated user into visiting a crafted page that silently issues a forged request to the concrete/controllers/dialog/logs/delete endpoint. The Concrete CMS security team assigned this a CVSS v4.0 score of 2.3, reflecting low integrity impact and the presence of attack prerequisites. No public exploit code has been identified and it is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in Concrete CMS 9.x allows an unauthenticated remote attacker to delete application logs on behalf of an authenticated victim by tricking them into visiting a malicious page. The vulnerable endpoint is concrete/controllers/dialog/logs/bulk/delete, and exploitation results in low-integrity impact - specifically, destruction of audit log data. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS v4.0 score of 2.3 reflects the combination of required user interaction and the presence of attack prerequisites.
Cross-Site Request Forgery in Concrete CMS 9.x through 9.5.0 allows a remote unauthenticated attacker to trigger bulk page deletion by tricking an authenticated user into visiting a malicious web page. The vulnerable endpoint is concrete/controllers/dialog/page/bulk/delete, and exploitation results in low-integrity impact against the vulnerable system. No public exploit code has been identified at time of analysis, and the Concrete CMS security team assigned a CVSS v4.0 score of 2.3, reflecting the prerequisite of passive victim interaction and the constrained impact.
Cross-Site Request Forgery in Concrete CMS 9 allows a remote unauthenticated attacker to trigger unauthorized bulk cache operations against authenticated CMS users. The vulnerable endpoint is concrete/controllers/dialog/page/bulk/cache, which fails to validate request origin, enabling an attacker to manipulate page cache state by deceiving a logged-in user into loading a crafted page. No public exploit or active exploitation has been identified; the Concrete CMS security team rated this CVSS v4.0 2.3 (Low), reflecting limited integrity impact and the prerequisite of user interaction.
Cross-Site Request Forgery in Concrete CMS 9.x exposes the bulk page design dialog endpoint (concrete/controllers/dialog/page/bulk/design) to forged requests, allowing a network-accessible attacker to manipulate page design settings on behalf of an authenticated user who visits a malicious link. The Concrete CMS security team assigned a CVSS v4.0 score of 2.3 (Low), reflecting that exploitation requires specific attack prerequisites (AT:P) and user interaction (UI:P), with impact limited to low-severity integrity modifications on the vulnerable system. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Cross-site request forgery in Concrete CMS 9.x before 9.5.0 permits a remote unauthenticated attacker to trigger unauthorized event duplication on behalf of an authenticated user by luring that user to an attacker-controlled page. The vulnerable endpoint is `concrete/controllers/dialog/event/duplicate`, which lacks CSRF token validation. The vendor-assigned CVSS v4.0 score of 2.3 reflects genuinely low impact - limited to a low-integrity effect on the vulnerable system - and no public exploit code or CISA KEV listing has been identified at the time of analysis.
Cross-Site Request Forgery in Concrete CMS 9.x allows a remote unauthenticated attacker to trigger unauthorized reordering of Express Object associations by tricking an authenticated user into visiting a crafted page. The vulnerability targets the endpoint concrete/controllers/dialog/express/association/reorder, with impact limited to low-severity integrity modification of the vulnerable system only. No public exploit has been identified at time of analysis, and the low CVSS v4.0 score of 2.3 reflects the combination of required user interaction, specific prerequisite conditions (AT:P), and limited data impact.
Cross-Site Request Forgery in Concrete CMS 9.x allows a remote unauthenticated attacker to forge state-changing requests against the file manager's addFavoriteFolder endpoint on behalf of an authenticated victim. Exploitation results in low-integrity impact - specifically unauthorized modification of a victim's favorite folder state - without any confidentiality or availability consequences. No public exploit has been identified at time of analysis, and the low CVSS v4.0 score of 2.3 reflects the passive user interaction requirement and constrained impact scope.
Cross-Site Request Forgery in Concrete CMS 9.x (versions prior to 9.5.0) allows a remote attacker to trigger the removeFavoriteFolder action on behalf of an authenticated CMS user by tricking them into visiting a malicious page. The affected endpoint is concrete/controllers/backend/file and the impact is limited to low-integrity modification - removal of a favorite folder. No public exploit has been identified and this vulnerability is not confirmed as actively exploited (CISA KEV). The CVSS 4.0 score of 2.3 accurately reflects the constrained, low-impact nature of the flaw.
Cross-Site Request Forgery (CSRF) in Concrete CMS 9.x before 9.5.1 allows a remote unauthenticated attacker to trigger unauthorized file-starring actions on behalf of an authenticated victim by luring them to a malicious page. The vulnerable endpoint is concrete/controllers/backend/file/star(), and successful exploitation results in a low-integrity modification of file bookmark state within the CMS. No public exploit code has been identified at time of analysis, and the Concrete CMS security team assigned this a CVSS v4.0 score of 2.3, reflecting its narrow, low-impact scope.
CSRF vulnerability in Concrete CMS 9.x exposes the backend file rescan controller at concrete/controllers/backend/file to unauthorized state-changing requests. Affecting versions 9.0 through 9.4.x (patched in 9.5.1), an unauthenticated remote attacker can trigger unintended file rescan operations against an authenticated victim's session by luring them to a malicious page. Rated CVSS v4.0 at 2.3 - limited to low integrity impact with no confidentiality or availability consequence - and no public exploit identified at time of analysis.
Cross-Site Request Forgery (CSRF) in Concrete CMS 9.x through 9.5.0 allows a remote unauthenticated attacker to trigger unauthorized file rescanning via the rescanMultiple() function in the backend file controller, provided a logged-in user can be lured to interact with an attacker-crafted page. The integrity impact is limited to the vulnerable component, with no confidentiality or availability consequence. No public exploit or active exploitation has been identified; the Concrete CMS security team assigned a CVSS v4.0 score of 2.3, reflecting the low real-world impact and the prerequisite of user interaction and specific attack conditions.
Cross-Site Request Forgery in Concrete CMS versions 9.0 through 9.5.0 exposes the approveVersion() backend file management endpoint to forged requests, allowing an unauthenticated remote attacker to manipulate file version approval state on behalf of an authenticated victim. The vendor's own CVSS v4.0 scoring assigns a 2.3 (Very Low) severity, reflecting the constrained impact - limited to low integrity change within the vulnerable component with no confidentiality or availability consequence. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, positioning this as a low-priority but legitimately tracked integrity weakness in CMS file workflows.
OAuth 2.0 Authorization Code handler in Concrete CMS 9.5.0 and earlier fails to enforce account status checks, allowing users with suspended, banned, or terminated accounts (uIsActive=0) to complete OAuth flows and receive valid API tokens. Deployments using OAuth 2.0 as an authentication mechanism are affected, with the primary real-world impact being unauthorized continued access by deprovisioned users - such as terminated employees or revoked contractors - who retain OAuth credentials. With a CVSS v4.0 score of 2.3, no CISA KEV listing, and no public exploit identified at time of analysis, this is a low-severity issue with narrow scope but meaningful identity governance implications for organizations relying on CMS-level account suspension as a deprovisioning control.
Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and below allows authenticated users with conversation posting rights to bypass the file permission system and reference arbitrary files from the CMS file manager. The AddMessage and UpdateMessage conversation controllers accept user-supplied integer attachment IDs and load file objects directly via the ORM without invoking the canViewFile() permission check, enabling unauthorized read and limited write access to files across the system. No public exploit code has been identified at time of analysis, and the ConcreteCMS security team assessed this as a low-severity issue (CVSS 4.0: 2.3), but sites storing sensitive private files are at meaningful risk if those files are served from within the webroot.
Two-layer blind SSRF in Crawlee for Python (pip/crawlee >= 1.0.0, < 1.7.0) allows an attacker who controls a sitemap or robots.txt file to force the crawler to issue HTTP requests against internal network services (layer 1, all HTTP clients), and - when CurlImpersonateHttpClient is configured - to dispatch non-HTTP scheme requests including gopher://, file://, dict://, and ftp:// (layer 2). The layer 2 escalation enables canonical Redis exploitation via gopher://, making RCE on unauthenticated internal Redis instances achievable from a public-facing crawler. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, but the researcher-credited advisory details a fully articulated attack path including Redis RCE.
Attachment size limit bypass in NocoDB (npm, versions up to and including 0.301.3) allows authenticated users with upload permission to store files exceeding the operator-configured `NC_ATTACHMENT_FIELD_SIZE` quota via the upload-by-URL pathway. The attachments service failed to validate file size against either the remote server's `Content-Length` HTTP header or the decoded byte length of `data:` URI payloads before fetching, and the local storage plugin did not set `maxContentLength` on the axios download, enabling unconstrained resource consumption. No public exploit has been identified at time of analysis, and no vendor-released patched version is confirmed available.
Server-side request forgery in Concrete CMS 9.5.0 and earlier allows authenticated high-privileged page editors to direct the application server to fetch attacker-controlled URLs via the RSS Displayer block, with redirect-following behavior bypassing input validation to reach internal network resources. The CVSS v4.0 score of 2.1 (PR:H, AT:P) reflects that exploitation is constrained to users already holding page editor privileges and requires the RSS Displayer block to be in active use. No public exploit has been identified and this vulnerability is not listed in CISA KEV, placing it in a low real-world priority tier absent insider-threat or post-compromise scenarios.
Stored XSS in Concrete CMS 9.5.0 and below allows a high-privileged authenticated attacker to inject malicious scripts via the cvName parameter of external-link pages, exploiting a sanitization bypass in the updateCollectionAliasExternal function. The injected payload is persisted server-side and executes in the browser of any user who subsequently views the affected page within the CMS backend. The vendor-assigned CVSS v4.0 score of 2.0 reflects constrained real-world impact: exploitation requires admin-level credentials, prerequisite attack conditions (AT:P), and passive victim interaction, with no public exploit identified at time of analysis.
OAuth token scope enforcement is entirely absent at the ACL middleware layer in NocoDB (npm/nocodb ≤ 0.301.3), causing tokens issued with restricted scopes - such as MCP-only - to silently inherit the underlying authenticated user's full role across all routes. The per-base resource restriction (`granted_resources.base_id`) is additionally bypassed on org-level endpoints where `req.context.base_id` is never populated, rendering base-scoped token restrictions meaningless against workspace-level API calls. No public exploit has been identified at time of analysis, and no patched release has been confirmed despite a fix being described in the advisory.