Directory traversal in Trend Micro Apex One on-premise server (versions before 14.0.0.17079) enables a highly privileged local attacker to manipulate a key server table and inject malicious code that propagates to all managed endpoint agents, effectively weaponizing the EDR platform's own distribution infrastructure. The attack requires an adversary who has already obtained administrative credentials to the Apex One server through a separate compromise vector. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the changed scope (S:C) in the CVSS vector signals that a successful exploit extends impact beyond the server itself to the entire managed agent fleet.
Stored cross-site scripting in the Simple Hierarchical Select (SHS) module for Drupal 7 (versions 7.x-1.0 through 7.x-1.10) enables authenticated attackers with taxonomy term editing privileges to inject malicious scripts via unsanitized term names. Two distinct code paths are confirmed vulnerable: field formatter output rendered by shs_field_formatter_view and term-tree child data generated by shs_term_get_children, both of which fail to apply proper output escaping before HTML rendering. No public exploit is identified at time of analysis and no CISA KEV listing exists, but the network-accessible attack vector combined with Drupal 7's end-of-life status substantially elevates residual risk for unpatched deployments.
The affected product may expose credentials remotely between low privileged visualization users during concurrent login operations due to insufficient isolation of authentication data. The vulnerability affects only login operations within an active visualization session.
{fID}` lacks a permission check, returning page IDs, URL handles, and full URLs for every page referencing a given file - including pages explicitly restricted by CMS access controls. No public exploit identified at time of analysis, but the CVSS:4.0 AV:N/AC:L/AT:N/PR:N/UI:N vector confirms trivial, unauthenticated network exploitation with no complexity barrier.
Server-Side Request Forgery (SSRF) and local file read in KnpLabs Snappy (composer package knplabs/knp-snappy <= 1.6.0) allows remote attackers to exfiltrate sensitive server files by injecting a file:// URI into the xsl-style-sheet PDF generation option. When applications pass unsanitized user input directly to the Snappy library's generate() method, wkhtmltopdf processes attacker-controlled URIs including file:// scheme paths, enabling reads of files such as /etc/passwd. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV, but the attack pattern is straightforward and exploitability is high in vulnerable deployments where PHP runs as root outside a container.
Arbitrary command execution in Fission's builder component (pkg:go/github.com/fission/fission <= 1.22.0) allows any principal with create or update privileges on Environment CRDs to redirect the builder pod to execute any binary reachable via $PATH inside the builder image. The vulnerable call site at pkg/builder/builder.go:254 passes the unsanitized Environment.spec.builder.command value directly to exec.Command after a strings.Fields split, enabling attackers to specify paths such as /bin/sh -c '...' as the build command. No public exploit has been identified at time of analysis, but the patch is confirmed released in v1.23.0 and the exploit primitive requires only a single Kubernetes API write to trigger.
Open ISES Tickets exposes a hardcoded Google Maps API key committed directly to its public GitHub source repository in tables.php, affecting all versions before 3.44.2. Any party with read access to the repository - effectively the entire internet - can extract the key and authenticate to Google Maps Platform as the application owner, generating API usage billed against the victim's Google Cloud project. No public exploit has been identified at time of analysis, but the SSVC framework rates this as automatable with partial technical impact, and the v3.44.2 release notes confirm the key is one of five hardcoded secrets removed in a batch of 88 security fixes.
Hardcoded Google Maps API key exposure in Open ISES Tickets before v3.44.2 enables any party with read access to the public GitHub repository to extract a valid API credential from settings.inc.php and issue arbitrary Google Maps Platform requests billed against the victim organization's Google Cloud project. All versions from the initial release up to (but not including) 3.44.2 are affected per CPE cpe:2.3:a:open_ises:tickets:*:*:*:*:*:*:*:*. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but exploitation requires only the ability to read a publicly hosted source file - effectively zero technical barrier for any motivated actor.
Open ISES Tickets before v3.44.2 exposes a hardcoded WhitePages reverse-phone API key committed directly into the public source file wp1.php, making it trivially accessible to any actor who can read the repository. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) reflects that no authentication or special conditions are required - extraction is as simple as reading a publicly hosted source file. Impact is bounded to third-party API abuse: an attacker can use the stolen key to make WhitePages lookups billed to or rate-capped against the legitimate owner's account. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV, though the passive nature of the exposure means any observer of the repository may already possess the key.
Integrity compromise in PowerDNS Authoritative Server allows network-positioned attackers to inject unauthorized DNS records by exploiting insufficient validation of DNS names received during AXFR (zone transfer) processing. The CVSS changed-scope indicator (S:C) reflects that the high-integrity impact extends beyond the vulnerable server itself to all downstream systems consuming the corrupted zone data, enabling a form of DNS record poisoning. No public exploit has been identified at time of analysis, and the high attack complexity (AC:H) constrains exploitation to adversaries with specific network positioning or control over a zone transfer source.
IPv6 transition-form SSRF in Pydantic AI bypasses the cloud-metadata blocklist introduced as a fix for CVE-2026-25580, exposing cloud IAM short-term credentials on dual-stack and translated networks. The bypass affects pydantic-ai and pydantic-ai-slim deployments that explicitly opt FileUrl-family types into force_download='allow-local' on URLs reachable by untrusted input - a materially narrower attack surface than its parent CVE, reflected in the AC:H rating versus the parent's AC:L. CVSS 6.8 (High) with Changed scope captures that a successful attack escapes the application boundary to reach cloud metadata services; no public exploit code and no CISA KEV listing have been identified at time of analysis.
Shell injection in Netatalk 3.1.0 through 4.4.2 allows a high-privileged local attacker to execute arbitrary OS commands by embedding shell metacharacters in a configured volume path value. The flaw (CWE-78) arises because volume path strings are passed to a shell interpreter without sanitization, meaning any actor with write access to Netatalk's volume configuration can achieve full command execution under the Netatalk process context. No public exploit code has been identified at time of analysis, and the vendor has released a fix in version 4.4.3.
Predictable afpd session token generation in Netatalk 2.0.0 through 4.4.2 allows an authenticated remote attacker to forecast or brute-force valid session identifiers within the Apple Filing Protocol daemon. Per CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, the scored impact is limited to high availability disruption, though the reporter tag 'Information Disclosure' suggests potential session-hijacking consequences that may not be fully captured in the CVSS scoring - a discrepancy analysts should verify against the vendor advisory. No public exploit code or CISA KEV listing exists at time of analysis.
Disk exhaustion denial of service in NocoDB's v1/v2 attachment upload-by-URL API allows authenticated users with Editor-level privileges or higher to direct the server to fetch arbitrarily large remote files, consuming all available disk space. The root cause is missing enforcement of the NC_ATTACHMENT_FIELD_SIZE configuration limit in attachments.service.ts for the v1/v2 code paths, despite the v3 equivalent already implementing the constraint correctly. Cascading failures follow disk exhaustion: database writes block, log rotation fails, and the application itself may crash - making this a high-availability-impact issue for any NocoDB deployment with untrusted authenticated users.
Heap-based buffer overflow in libsolv's repo_add_solv() function enables a remote unauthenticated attacker to crash the parsing process by delivering a specially crafted .solv repository metadata file containing negative values in the maxsize or allsize header fields. The malformed values bypass allocation sizing logic, producing an undersized heap buffer that is subsequently written past its bounds, yielding a denial of service. No public exploit identified at time of analysis; however, an upstream fix has been submitted via openSUSE/libsolv GitHub PR #617, and Red Hat has acknowledged the issue via a dedicated security advisory.
Missing post-response authorization filtering in MLflow's self-hosted server exposes all registered model version metadata to any authenticated user, regardless of their per-model permission level. Both the REST API endpoint `SearchModelVersions` and the GraphQL query `mlflowSearchModelVersions` were absent from the authorization middleware chains in versions up to 3.9.0, allowing a low-privilege authenticated user to enumerate model names, version descriptions, source artifact URIs, tags, and other metadata across all registered models in multi-tenant deployments. No public exploit identified at time of analysis; the vendor-released patch is confirmed in version 3.10.0.
In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process.
Blind Server-Side Request Forgery in FlaskBB's avatar URL handling allows any authenticated user to force the server to issue arbitrary HTTP GET requests to internal network endpoints, including cloud instance metadata services (AWS IMDSv1 at 169.254.169.254, GCP, Azure equivalents). All versions up to and including 2.2.0 of the pip-distributed FlaskBB package are affected, with no vendor-released patch available at time of analysis. A proof-of-concept is publicly available via the GitHub Security Advisory, and three distinct exploitation channels have been demonstrated: direct credential exfiltration from cloud metadata services, internal port scanning via differential error responses, and triggering of internal APIs (Elasticsearch, etcd, Consul, CI/CD webhooks).
Broken access control in the HAPPY WordPress helpdesk and support ticket plugin (versions through 1.0.10) by VillaTheme permits unauthenticated remote attackers to invoke restricted plugin functionality without any authorization check. The vulnerability stems from missing authorization gates on plugin endpoints, classified under CWE-862, enabling limited integrity and availability impact against affected WordPress installations. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Stack buffer overflow in Netatalk's desktop.c affects all versions from 1.3 through 4.2.2, allowing a network-reachable low-privilege authenticated attacker to crash the AFP service or potentially execute arbitrary code on the server. The vulnerability is rooted in improper bounds checking within AFP desktop database handling code and carries a CVSS score of 6.0 (Medium) with high availability impact as the most reliably achievable outcome. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the required high attack complexity materially limits real-world exploitation risk.
Stored Cross-Site Scripting in Avada (Fusion) Builder for WordPress (all versions through 3.15.2) allows authenticated attackers with Subscriber-level access to persist malicious JavaScript via unsanitized shortcode parameters. The injected scripts execute in the browser of any user - typically an administrator - who views a page rendering dynamic user data such as biographical information sourced through the plugin's Dynamic Data feature. With CVSS Scope set to Changed (S:C), successful exploitation crosses the victim's security boundary, enabling session hijacking or privilege escalation against higher-privileged users. No public exploit code or CISA KEV listing has been identified at time of analysis.
Insecure Direct Object Reference (IDOR) in Concrete CMS versions up to and including 9.5.0 enables unauthenticated remote attackers to cast fraudulent votes in restricted private surveys by submitting a private survey's optionID through the publicly accessible voting endpoint. The vulnerability is configuration-dependent - exploitation requires the target site to simultaneously host both public and private surveys - which the CVSS v4.0 vector encodes as AT:P (Attack Requirements: Present), moderately lowering the practical risk surface compared to a universally exploitable flaw. No public exploit code or active exploitation has been identified at time of analysis. Impact is limited to integrity: survey result manipulation with no confidentiality or availability consequence.
Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and earlier exposes the full content of any conversation message through an unauthenticated frontend API endpoint, including messages from restricted pages, member-only areas, and the moderation queue. Unauthenticated remote attackers can enumerate message records and harvest file attachment download URLs by querying `/ccm/frontend/conversations/message_page` without credentials. No public exploit code has been identified and no CISA KEV listing exists; however, the network-accessible unauthenticated attack vector (PR:N, AV:N) makes patching a priority for any public-facing installation using the Conversations feature.
Unauthenticated information disclosure in Concrete CMS 9.5.0 and earlier allows remote attackers to enumerate all conversation messages - including content from restricted pages, member-only areas, and the moderation queue - by exploiting a missing authorization check on the `/ccm/frontend/conversations/message_detail` endpoint. File attachment download URLs are also exposed, compounding the data leakage risk. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the attack requires no credentials and no user interaction, making bulk enumeration trivial once the conversations feature is confirmed active.
{fID} endpoint without any credentials. The flaw combines CWE-862 (Missing Authorization) with a classic IDOR pattern on an integer file ID parameter, and is scored CVSS 4.0 at 6.3 (Medium) by the vendor with PR:N and AC:L, though the AT:P metric indicates that valid file IDs must exist for meaningful data to be returned. No public exploit code and no CISA KEV listing exist at time of analysis.
Unauthorized disclosure of restricted calendar event details in Concrete CMS 9.5.0 and below stems from a missing authorization check in the Calendar Block's action_get_events handler, which never invokes canView on the target calendar before returning event data. Unauthenticated remote attackers who can reach the endpoint can retrieve event information that site administrators have explicitly restricted, provided a Calendar Block with access-controlled events is deployed. No public exploit code exists and the vulnerability is absent from the CISA KEV catalog; however, the network-accessible, zero-authentication nature of the endpoint lowers the bar for casual enumeration of restricted scheduling data.
Cross-calendar data disclosure in Concrete CMS 9.5.0 and below exposes private calendar event data to unauthenticated remote attackers via an authorization bypass (CWE-639) in the Calendar Event Frontend Dialog. A publicly accessible calendar block serves as a required pivot point, allowing attackers to reference and retrieve event data from private calendars within the same installation. No public exploit has been identified at time of analysis; the vendor assigned a CVSS 4.0 score of 6.3, reflecting constrained confidentiality impact and a prerequisite attack condition (AT:P).
Unauthenticated page metadata disclosure in Concrete CMS 9.5.0 and below exposes private, draft, and restricted page details - including title, URL path, description, and author - to any remote attacker on sites with summary templates configured. The flaw stems from improper access control (CWE-284) where the summary template rendering pipeline bypasses page visibility restrictions entirely, making sensitive page structure visible without any credential. No active exploitation (CISA KEV) and no public exploit code have been identified at time of analysis; the CVSS v4.0 score of 6.3 with AT:P reflects that exploitation depends on a non-universal template configuration being present.
Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and earlier allows unauthenticated remote attackers to enumerate arbitrary conversation message IDs via the `/ccm/frontend/conversations/get_rating` endpoint, confirming message existence and leaking rating scores. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:L) indicates no authentication is required but a prerequisite condition must be met - likely the Conversations module being enabled and publicly reachable. No public exploit has been identified and this CVE is not listed in CISA KEV, placing it in the low-priority tier despite its network-accessible nature.
Unauthorized access to all Express form submissions is possible in Concrete CMS 9.5.0 and below through an Insecure Direct Object Reference (IDOR) in the Express Entry Detail block, exploitable by unauthenticated remote attackers who manipulate the exEntryID parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N) confirms network-accessible, unauthenticated exploitation, though the AT:P metric indicates a specific deployment precondition - the Express Entry Detail block must be in active use. No public exploit or CISA KEV listing has been identified at time of analysis; a vendor-released patch is available in the 9.5.1 release.
Unauthorized file download in Concrete CMS 9.5.0 and below exposes permission-restricted files via a broken authorization check in the file download controller. The submit_password() method in download_file.php processes file access without enforcing the view_file permission gate, producing two exploitable paths: any unauthenticated network actor can retrieve files that carry no password protection, and any actor who possesses a file's password can retrieve that file regardless of whether their account holds view_file permission. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
KVM read-only execution isolation bypass in klever-go allows a low-privileged smart contract actor to commit irreversible contract deletion side effects through the `ExecuteReadOnlyWithTypedArguments` hook, violating the expected non-mutating guarantee of read-only calls. Affected are all deployments of klever-go prior to v1.7.17 where smart contract workflows invoke callees through read-only execution paths. A confirmed proof-of-concept was included with the original disclosure, demonstrating that `DeletedAccounts` in VM output transitions from zero entries to one after a read-only nested call - no public exploit is separately circulating and CISA KEV listing is not confirmed at time of analysis.
Brute force exploitation of the Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application (versions 1.6.2 through before 1.13) is enabled by the complete absence of rate limiting or lockout controls on authentication attempts (CWE-307), allowing a network-accessible attacker to systematically enumerate user credentials. Successful exploitation results in high confidentiality impact - consistent with the 'Information Disclosure' tag and C:H CVSS metric - meaning account contents and potentially sensitive utility-related user data can be exposed. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, a vendor-released patch is available and upgrade to version 1.13 is the indicated remediation.
Buffer Overflow vulnerability in Uncrustify Project Affected v.Uncrustify_d-0.82.0-132-bcc41cbdc and Fixed in commit 68e67b9a1435a1bb173b106fedb4a4f510972bdc allows a local attacker to cause a denial of service via the check_template.cpp, check_template function, tokenize_cleanup function, uncrustify executable components
Reflected XSS in NocoDB's Page Leaving Warning component allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL containing a `javascript:` URI in the `ncRedirectUrl` or `ncBackUrl` query parameters. All NocoDB npm releases up to and including version 0.301.3 are affected, and no vendor-released patch has been identified at time of analysis. No active exploitation has been confirmed (not in CISA KEV), but the GitHub Security Advisory provides sufficient technical specificity - including the exact vulnerable file and parameter names - to enable independent POC development.
Open redirect vulnerability in Umbraco CMS Surface Controllers allows unauthenticated remote attackers to redirect authenticated victims to arbitrary external URLs following form submissions. The affected controllers - UmbLoginStatusController, UmbProfileController, and UmbRegisterController - accepted user-controlled RedirectUrl query parameters without validating that the destination was a local URL, enabling phishing and credential harvesting attacks. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV, but the CVSS score of 5.4 reflects low-complexity network exploitation requiring only victim interaction.
SSO authentication callback origin validation failure in Mattermost Mobile Apps enables cross-server credential theft across multiple release branches (≤11.1.3, ≤11.3.2, ≤11.0.4, ≤10.11.11, ≤2.0.37). An attacker operating a malicious Mattermost server can relay the SSO authorization code exchange through a victim's mobile application to authenticate against a separate, legitimate Mattermost server - stealing valid session credentials without the victim's awareness. No public exploit has been identified at time of analysis, and CVSS AC:H constrains this to targeted, engineered attacks rather than opportunistic mass exploitation.
{% sandbox %}{% include %}` tag path allows template authors to access every filter, function, and tag registered in the environment, regardless of the configured SecurityPolicy. This is an incomplete fix for CVE-2024-45411 (GHSA-6j75-5wfj-gh66): the prior fix added an explicit `checkSecurity()` re-invocation in `CoreExtension::include()` but did not update the compiled output of the `{% sandbox %}{% include %}` syntax, leaving it without the same guard. Twig versions prior to 3.26.0 using this deprecated tag in applications that allow user-controlled template authorship are affected. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
Reflected XSS in Concrete CMS 9.5.0 and below allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in the browser of an authenticated admin or report viewer who clicks a crafted URL targeting the legacy form reports dashboard. The vulnerable component, Concrete\Core\Legacy\Pagination, raw-interpolates a user-controlled URL value directly into an HTML href attribute, enabling attribute injection per CWE-83. With a CVSS 4.0 score of 6.0 and high confidentiality impact (VC:H) on the vulnerable system, successful exploitation can lead to session token theft; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Timing side-channel exposure in Netatalk's DES-ECB authentication allows a remote unauthenticated attacker to conduct a cryptographic timing oracle attack against the AFP server, potentially recovering authentication secrets or credentials through statistical analysis of server response latency. Affected versions span 1.5.0 through 4.4.2 - a broad range covering multiple major releases - and the issue is rooted in non-constant-time operations during DES-ECB auth processing (CWE-208). No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; Netatalk 4.5.0 resolves the issue per the vendor advisory.
Sensitive information disclosure in Honeywell Control Network Module (CNM) versions 100.1 through 110.2 allows unauthenticated remote attackers to access protected data by probing system file paths that inadvertently receive sensitive writes. The root cause is CWE-538, where the module incorrectly routes sensitive information into directories accessible outside the intended trust boundary. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, its presence in an industrial control system network component elevates the operational consequence of any successful confidentiality breach.
Concurrency and locking defects in the GSS-TSIG implementation of PowerDNS Authoritative expose the nameserver to a denial-of-service condition exploitable remotely without authentication. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms the impact is limited to availability - crashing or destabilizing the authoritative DNS service - under high-complexity race condition circumstances. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.
Cryptographic verification bypass in the nimiq-primitives Rust crate allows remote unauthenticated attackers to forge MacroBlock headers and have them accepted as proven without any hash or signature check. The flaw exists in `BlockInclusionProof::is_block_proven` within core-rs-albatross <= 0.2.0 of nimiq-primitives: when the interlink hop list is empty - a condition that arises legitimately at a specific epoch boundary - the function previously returned true unconditionally rather than verifying the election head actually references the target block. No public exploit identified at time of analysis; vendor-released patch is available as core-rs-albatross v1.4.0.
Improper authorization in NocoDB (npm/nocodb ≤ 0.301.3) allows unauthenticated network attackers holding only a shared-base UUID to enumerate base members and inject arbitrary email addresses as permanent authenticated base members. The invited account redeems the invite through the normal signup flow, obtains a persistent JWT scoped to the target base, and retains that access even after the base owner revokes the shared link - effectively converting ephemeral anonymous share access into durable authenticated membership. No public exploit code has been identified and there is no CISA KEV listing at time of analysis, but the absence of a released patch and the trivial exploitation prerequisites materially elevate operational risk beyond what the CVSS 5.8 score alone implies.
Insufficient session expiration in the Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application versions 1.6.2 through before 1.13 permits session hijacking by failing to invalidate session tokens after logout or inactivity. An authenticated attacker who obtains a valid session token can reuse it to access the victim's account data, resulting in high-confidence exposure (C:H) with no integrity or availability impact. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the high confidentiality impact against an energy sector mobile application warrants prompt patching given the sensitivity of the target environment.
Null pointer dereference in the Linux kernel's RED qdisc (sch_red) allows a local user with low privileges to trigger a kernel panic and system crash when a specific nested qdisc hierarchy is configured. The flaw occurs in net/sched/sch_red.c when RED calls its child qdisc's dequeue() directly after a peek() has already cached the packet in QFQ's gso_skb buffer, causing QFQ's dequeue path to dereference a null pointer. No public exploit has been identified at time of analysis, and EPSS is 0.02% (7th percentile), reflecting very low real-world exploitation probability.
FreeBSD's fusefs kernel module mishandles extended attribute list responses from FUSE userspace daemons by calling strlen() on daemon-supplied buffers without first verifying NUL-termination, enabling a malicious daemon operator to read up to 253 bytes of kernel heap memory or inject up to 250 attacker-controlled bytes into unallocated kernel heap space. Affected releases are FreeBSD 14.3-RELEASE prior to p14, 14.4-RELEASE prior to p5, and 15.0-RELEASE prior to p9 per FreeBSD-SA-26:20.fusefs and EUVD-2026-31254. No public exploit code exists and EPSS sits at 0.02% (5th percentile), though the heap write primitive carries local privilege escalation potential beyond what the CVSS integrity score reflects.
NocoDB's refresh-token cookie in versions up to and including 0.301.3 was misconfigured in `setTokenCookie` - issued with only `httpOnly: true` and no `secure` or `sameSite` attributes - exposing two distinct attack paths: cookie interception over plain HTTP networks and CSRF against the `POST /api/v2/auth/token/refresh` endpoint, which returns a new JWT without validating any CSRF token. Because refresh tokens carry multi-day expiry windows via `NC_REFRESH_TOKEN_EXP_IN_DAYS`, successful exploitation yields a long-lived credential for follow-on account access. No public exploit has been identified at time of analysis and no released patched version is confirmed, despite a documented fix in the GitHub advisory GHSA-f74w-272x-mqcv.
Path traversal in Mobile Verification Toolkit (MVT) pip/mvt versions through 2026.4.28 allows an adversary who delivers a crafted iOS backup to trigger arbitrary file writes or reads on the analyst's filesystem by embedding directory traversal sequences in fileID values within the backup's Manifest.db SQLite database. The decrypt-backup command can write attacker-controlled content to arbitrary writable paths - enabling shell profile modification or SSH key injection for code execution - while check-backup can read arbitrary host files into MVT's JSON and CSV forensic output. No public exploit has been identified at time of analysis; vendor-released patch v2026.5.12 is available.
Unbounded formatter memoization in twig/intl-extra versions prior to 3.26.0 enables memory exhaustion denial of service on persistent PHP worker runtimes. The IntlExtension caches every unique combination of template filter arguments (locale, pattern, grouping_used, attrs, etc.) as ICU formatter objects with no eviction policy; because ICU allocates its backing buffers outside the Zend memory manager, this growth entirely bypasses PHP's memory_limit directive. On long-running runtimes such as RoadRunner, Swoole, FrankenPHP worker mode, and ReactPHP - where a single Twig\Environment persists across requests - the cache accumulates indefinitely across all requests, making targeted or incidental denial of service achievable without any authentication. No public exploit has been identified at time of analysis and no CISA KEV listing exists.