Cross-Site Request Forgery in the Alfie - Feed Plugin for WordPress (all versions ≤ 1.2.1) allows unauthenticated remote attackers to delete arbitrary plugin feed data by tricking a logged-in site administrator into clicking a crafted link. The missing nonce validation on the alfie_manage() function means any forged GET request containing the 'delete' parameter will be processed without verifying its origin, permanently removing records from the plugin's four database tables. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the low attack complexity and purely social-engineering prerequisite make it a credible threat against active WordPress sites using this plugin.
Missing authorization controls in the FastX WordPress theme allow authenticated Subscriber-level users to install and activate the PostX plugin without administrative approval. The vulnerability exists in two AJAX callback functions - 'ultp_install_callback' and 'ultp_activate_callback' - which fail to verify whether the requesting user holds sufficient capabilities before executing privileged plugin management operations. All versions up to and including 1.0.2 are affected per WPXPO's theme codebase on themes.trac.wordpress.org. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Unauthorized modification of weather display settings in the Location Weather WordPress plugin (versions ≤3.0.2) is achievable by any authenticated user with Contributor-level access or above, due to missing capability checks on the administrative functions `splw_update_block_options()` and `lwp_clean_weather_transients()`. Affected sites expose the protective nonce to all authenticated sessions via `wp_localize_script()` on the `init` hook, neutralizing what would otherwise be a secondary CSRF defense and making exploitation straightforward for any logged-in user. No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog; real-world impact is limited to disruption of weather widget display and cache integrity rather than data theft or code execution.
Improper certificate validation in Dell PowerFlex Manager version 4.6.2 and earlier allows an unauthenticated attacker on an adjacent network to intercept and tamper with protected communications. The flaw (CWE-295) means the product fails to adequately verify peer certificates during TLS/SSL exchanges, enabling a man-in-the-middle position to read or modify in-transit management data. No active exploitation is confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.
Information disclosure in Magick.NET's distributed pixel cache server exposes sensitive pixel data due to the absence of a challenge-response authentication model on the cache service. All Magick.NET NuGet packages (Q16, Q16-HDRI, and OpenMP variants across AnyCPU, x64, x86, arm64 architectures) prior to version 14.12.0 are affected. A highly privileged local attacker meeting the high-complexity conditions of this vulnerability could read pixel cache contents belonging to other processes, leaking potentially sensitive image data. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Heap buffer over-write in ImageMagick's distributed pixel cache server (`magick -distribute-cache`) allows an attacker who can connect to the service to corrupt the server process's heap memory, resulting in a high-severity denial-of-service condition. All Magick.NET NuGet package variants (Q16, HDRI, OpenMP, across arm64/x64/x86/AnyCPU architectures) prior to version 14.12.0 are confirmed affected. No public exploit has been identified at time of analysis and the vulnerability does not appear in CISA KEV; however, a notable discrepancy exists between the CVSS attack vector (AV:L, local) and the description's implication of service-level connectivity, which warrants independent verification before fully trusting the low CVSS score.
File descriptor hijacking in ImageMagick's distributed pixel cache server (magick -distribute-cache) exposes sensitive data via a race condition exploitable by a privileged local attacker. Affected are all Magick.NET NuGet packages across Q16, Q16-HDRI, OpenMP, and ARM64 variants prior to version 14.12.0. Successful exploitation yields high-confidentiality impact - an attacker can read file descriptors belonging to the server process - though no public exploit code exists and this is not currently listed in the CISA KEV catalog.
Insecure storage of sensitive information in Dell PowerFlex Manager versions up to and including 4.6.2 exposes credentials, keys, or configuration secrets to any attacker with local OS-level access to the appliance - no PowerFlex Manager authentication required. The CVSS vector (AV:L/AC:L/PR:N/UI:N) confirms the attacker needs only local system access, not application credentials, to retrieve the improperly protected data. No public exploit identified at time of analysis and no CISA KEV listing; however, the 'Authentication Bypass' tag in the intelligence data suggests the exposed sensitive material may itself enable downstream privilege escalation or authentication bypass against PowerFlex or its managed infrastructure.
Session freshness bypass in Flask-Security-Too 5.8.0 allows an attacker who controls a stale authenticated victim session to satisfy the victim session's reauthentication requirement using their own OAuth identity, not the victim's. The flaw in `oauth_glue.py` causes `oauth_verify_response()` to update `session["fs_paa"]` (the freshness timestamp) without verifying that the OAuth-resolved user matches the currently authenticated session user. Exploitation was confirmed via a detailed proof-of-concept that successfully changed a victim user's username through the built-in `/change-username` route after bypassing the freshness gate. Publicly available exploit code exists; no CISA KEV listing at time of analysis.
vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the history to cause memory corruption or application crashes. Releases from 0.12.1 to 0.14.3 (including) are considered vulnerable. This issue was fixed in commit 23063c7