Authentication bypass in Symfony's Security-Http CAS2 integration (Cas2Handler) lets an attacker impersonate a victim by spoofing the HTTP Host header. Affected versions 7.1.0-7.4.11 and 8.0.0-8.0.11 derive the CAS 'service' parameter from the client-controlled Host header when framework.trusted_hosts is unset (the default), so an attacker who controls another application registered with the same CAS server can replay a victim's service ticket against the Symfony app and log in as that victim. There is no public exploit identified at time of analysis, and EPSS is very low (0.06%), but the fix (7.4.12 / 8.0.12) is vendor-released.
Cross-Space session fixation in Gradio before 6.15.0 lets an attacker who controls any Hugging Face Space poison a process-wide httpx.AsyncClient shared by the framework's /proxy= reverse-proxy endpoint. Because that single client keeps one cookie jar, a Set-Cookie header returned by a malicious upstream Space is stored and automatically replayed on every subsequent proxied request to sibling *.hf.space URLs, allowing the attacker to fix a parent-domain cookie across all users of the same Gradio deployment. SSVC rates exploitation as proof-of-concept with total technical impact; the issue is not in CISA KEV and is fixed in release 6.15.0 (GHSA-2mr9-9r47-px2g).
TLS server impersonation in Erlang/OTP's public_key library lets a name-constrained subordinate CA forge a trusted identity for hostnames outside its permitted DNS subtree. By chaining a nameConstraints enforcement gap with a legacy CommonName fallback in pkix_verify_hostname/3, an attacker holding a DNS-restricted intermediate (e.g. permitted;DNS:allowed.example.com) can issue a SAN-less leaf whose CN is an out-of-scope host (e.g. victim.example.com) and have a stock ssl:connect client with verify_peer accept it. It affects OTP 19.3 through the fixed releases (public_key 1.4 onward) and is rated CVSS 4.0 7.6; there is no public exploit identified at time of analysis and it is not on CISA KEV.
Arbitrary file write in the Jenkins Credentials Binding Plugin (version 720.v3f6decef43ea_ and earlier) lets users who can supply file or zip-file credentials to a job write files to attacker-chosen paths on the node filesystem, escalating to remote code execution when Jenkins is configured to let a low-privileged user configure such credentials for a job running on the built-in node. The flaw stems from missing file-name sanitization on the file and zip credential types. Rated CVSS 7.5 with high attack complexity (AC:H); no public exploit identified at time of analysis and the issue is not in CISA KEV.
Denial of service in liquidjs (npm) versions before 10.26.0 arises from a quadratic-backtracking (ReDoS) regular expression in the default-registered strip_html filter, reachable from any template via {{ x | strip_html }}. A remote, unauthenticated attacker who submits a string containing many unbalanced <script, <style, or <!-- opener tokens (for example a single ~350 KB body) forces O(N^2) V8 regex backtracking that blocks the single-threaded Node.js event loop for roughly 10 seconds, stalling every other request on the worker. A proof-of-concept with measured scaling is published in the GitHub Security Advisory (GHSA-r7g9-xpmj-5fcq); the issue is not listed in CISA KEV and no EPSS score was provided.
Local File Inclusion in the Query Shortcode plugin for WordPress (all versions through 0.2.1) lets authenticated users with contributor-level access or higher coerce the shortcode handler into including and executing arbitrary .php files already present on the server. Because included files are run by the PHP interpreter, this can leak sensitive data, bypass access controls, and escalate to full remote code execution where an attacker can also place a .php file (e.g. via an upload feature). EPSS rates near-term exploitation probability very low (0.07%, 21st percentile) and there is no public exploit identified at time of analysis.
Remote denial of service in IBM Aspera High-Speed Transfer Endpoint and High-Speed Transfer Server (versions 3.7.4 through 4.4.7 Fix Pack 1) allows an unauthenticated network attacker to crash the asperahttpd service via a NULL pointer dereference. Exploitation requires no credentials and no user interaction, yielding a complete loss of availability for the affected transfer service. There is no public exploit identified at time of analysis, and the issue has no confidentiality or integrity impact.
Directory traversal in IBM InfoSphere Optim Test Data Fabrication (versions 1.0.0 through 1.0.2.7) lets a remote, unauthenticated attacker read arbitrary files from the host by sending a crafted URL containing '../' sequences. The flaw is purely an information-disclosure issue - confidentiality is impacted with no integrity or availability effect - and CVSS rates it 7.5 (High). There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation status as none, though it flags the issue as automatable.
{{ x | date: f }}` can generate multi-megabyte output or trigger an out-of-memory crash of the host Node.js process. Publicly available exploit code (a verified PoC) exists; there is no CISA KEV listing and no EPSS score in the provided data.
Arbitrary file read on the Jenkins controller is possible in the Jenkins 'Pipeline: Groovy Libraries Plugin' (version 797.v90ea_a_9b_e45a_0 and earlier), where the plugin fails to prohibit symbolic links inside shared libraries. An attacker who can control the contents of a shared library consumed by a Pipeline job can plant symlinks that resolve to sensitive files (credentials, secrets, configuration) on the controller filesystem and exfiltrate them through the build. There is no public exploit identified at time of analysis, and SSVC marks exploitation status as none, so this is a patch-and-move-on issue rather than an active-exploitation emergency.
Denial of service in Gladinet Triofox lets unauthenticated remote attackers crash the web service by sending an HTTP request whose URL path begins with /status or /sysinfo. The server tries to load WOSHttpStatusModule.dll to service those paths and calls WOSBin_LoadHttpModule, but that DLL ships missing from the installation, so the resolved function pointer is NULL and the code invokes a function at address 0, terminating the process (CWE-476). The flaw was discovered and reported by Tenable (TRA-2026-45); no public exploit identified at time of analysis and it is not on the CISA KEV list, with availability-only impact (CVSS 7.5).
Unauthenticated information disclosure in Automad CMS (Composer package automad/automad) versions 2.0.0-alpha.1 through 2.0.0-beta.27 lets any remote attacker retrieve the bcrypt password hash of every administrator account through a single POST request to the setup endpoint. The /_api/user-collection/create-first-user endpoint stays publicly reachable after initial configuration and returns fully serialized user records, and in 2.0.0-beta.27 it additionally leaks TOTP two-factor secrets. There is no public exploit identified at time of analysis, but exploitation is trivial (network, no authentication, no user interaction) and the issue was fixed in 2.0.0-beta.28.
Information disclosure via path traversal in Gladinet Triofox lets remote unauthenticated attackers read arbitrary files on the server by sending crafted requests whose URL path begins with /woshome, which are handled by the WOSDefaultHttpModule.dll component. The CVSS 7.5 scoring (confidentiality-only impact) reflects unrestricted file read without code execution or service disruption. No public exploit has been identified at time of analysis, and the issue was reported by Tenable rather than appearing in CISA KEV.
Authentication bypass in the WordPress plugin 'Backup and Staging by WP Time Capsule' (all versions through 1.22.25) lets remote, unauthenticated attackers abuse an alternate password-recovery channel to gain unauthorized account access without valid credentials. The flaw, reported by Patchstack and tracked as EUVD-2026-32208, carries a CVSS 7.5 (confidentiality-only impact) but currently has no public exploit identified at time of analysis and a very low EPSS exploitation probability of 0.04% (13th percentile). Successful exploitation exposes sensitive access to the affected site, and the plugin's backup/staging role makes any resulting account takeover especially damaging.
Denial of service in Gladinet Triofox lets remote unauthenticated attackers crash the Triofox Server Agent by triggering a NULL pointer dereference. The function WOSSysInfoGetDeviceInterface() in WOSCommonUtil.dll returns NULL whenever no user is logged into the Server Agent Management Console, and callers such as WOSProfileMgrModule.dll and WOSWebDavModule.dll dereference that pointer without checking it, causing a process crash. There is no public exploit identified at time of analysis and the issue affects only availability (CVSS 7.5).
Denial of service in MapServer 6.4.0 through 8.6.2 allows remote unauthenticated attackers to crash the server by submitting a small well-formed SLD document via the WMS SLD_BODY= parameter. The flaw is a NULL pointer dereference reached when an SLD <Rule> carries <ElseFilter/> but defines no symbolizer, causing the styling code to index a class array at position -1. No public exploit has been identified at time of analysis, and the issue is fixed in version 8.6.3.
Information disclosure in the BP Better Messages WordPress plugin (versions up to and including 2.14.16) allows remote unauthenticated attackers to read private messaging data belonging to other users by manipulating a user-controlled object identifier (IDOR). The CVSS 3.1 base score is 7.5 with confidentiality-only impact (C:H/I:N/A:N), and there is no public exploit identified at time of analysis. EPSS is very low at 0.03% (10th percentile), indicating no observed widespread exploitation activity.
Missing authorization in Budibase's webhook schema-building endpoint allows unauthenticated remote attackers to alter the body schema of a known webhook and, in turn, mutate the output schema of its associated automation trigger in any instance prior to 3.39.0. The CVSS 7.5 score is driven entirely by an integrity impact (I:H) with no confidentiality or availability effect, reflecting that an attacker can tamper with automation logic but not directly read data or crash the service. There is no public exploit identified at time of analysis, the issue is not listed in CISA KEV, and no EPSS score was provided in the source data.
Credential disclosure in Synology C2 Identity Edge Server (DSM versions before 1.76.0-0307) allows remote unauthenticated attackers to retrieve user credentials directly from the edge server over the network. The flaw stems from an exposed dangerous method/function (CWE-749) reachable without authentication, yielding a high-confidentiality impact with no integrity or availability effect. No public exploit has been identified at time of analysis, and EPSS scores it at the bottom 7th percentile, indicating low near-term exploitation likelihood despite the network-reachable vector.
Denial of service in the Linux kernel netfilter nf_conncount subsystem allows remote attackers to trigger erroneous connection limit enforcement by establishing more than 8 new tracked connections per jiffy, causing the garbage collector to fall behind and the connection list to wrongly hit its cap. The flaw affects systems using nft_connlimit, xt_connlimit, or OVS connection limit features, with availability impact only (CVSS 7.5, AV:N/AC:L/PR:N/UI:N/A:H). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the issue is reproducible with common HTTP load tools such as slowhttptest.
Remote denial of service in the Linux kernel's stream parser (strparser) subsystem allows attackers to exhaust memory by repeatedly triggering message assembly timeouts that fail to release partially assembled skb buffers. The flaw resides in strp_abort_strp(), which leaks strp->skb_head on abort, and affects kernels from at least 4.9 through the 6.x and 7.x release lines until the fix introduced in 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No public exploit identified at time of analysis, and EPSS (0.02%, 5th percentile) reflects low predicted exploitation in the next 30 days despite the CVSS 7.5 rating.
Remote denial-of-service in the Linux kernel rxrpc subsystem (rxkad authentication) allows unauthenticated network attackers to crash vulnerable hosts by sending packets with misaligned crypto length fields. The flaw stems from improper handling of decryption errors and a remotely-triggerable WARN_ON_ONCE() in the rxkad packet processing path. EPSS scoring is very low (0.02%) and no public exploit identified at time of analysis, but the CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) rating reflects the unauthenticated remote availability impact.
Denial of service in the Linux kernel Ceph client allows local users with access to a Ceph-mounted filesystem to trigger d_hash list corruption and RCU stalls by inducing path lookups against reused cached negative dentries. The flaw stems from fs/ceph/dir.c calling d_add(dentry, NULL) on already-hashed negative dentries, creating self-loops in the hlist_bl bucket that cause __d_lookup() to spin indefinitely. EPSS is 0.02% (5th percentile) and no public exploit identified at time of analysis, but the bug has been reproduced organically in production (RCU stall on a Dell PowerEdge R7615 running 6.18.17).
Denial of service in the Linux kernel ks8851 Ethernet driver allows a deadlock condition when handling concurrent IRQ and TX softirq processing on systems using the Micrel KS8851 MAC/PHY chip. The flaw manifests when the IRQ handler executes netdev_alloc_skb_ip_align() with bottom-halves enabled, triggering pending softirq processing that re-enters the driver's xmit path and attempts to re-acquire an already-held spinlock. EPSS scores this at 0.02% (5th percentile) and no public exploit identified at time of analysis, consistent with a local hardware-dependent stability bug rather than a remotely weaponizable vulnerability.
Denial-of-service in the Linux kernel's SMC (Shared Memory Communications) networking subsystem allows remote attackers to crash the kernel by sending a CLC decline message during the early stage of an SMC handshake before the connection is associated with a link group. The flaw, tracked as EUVD-2026-32408, stems from smc_clc_wait_msg() accessing link-group sync state that does not yet exist at that point in the handshake. No public exploit identified at time of analysis and EPSS probability is very low (0.02%, 5th percentile), but the network attack vector and high availability impact warrant patching on systems that use SMC.
Denial of service in the Linux kernel's libceph subsystem allows remote attackers to crash the kernel via a malformed CEPH_MSG_AUTH_REPLY message containing zero values for both protocol and result fields. The flaw resides in ceph_handle_auth_reply() where a missing validation causes ac->ops to be set to NULL before being dereferenced. No public exploit identified at time of analysis, and EPSS is extremely low (0.02%), but the network attack vector with no authentication and high availability impact warrants prompt patching on Ceph-enabled systems.
Denial of service in the Linux kernel's netfilter nfnetlink_queue subsystem allows remote attackers to cause packet drops affecting availability when nfqueue is used without the NFQA_CFG_F_GSO capability flag. The flaw is a regression where the shared-unconfirmed conntrack check was performed after skb_gso_segment(), causing GSO UDP packets associated with unconfirmed nf_conn entries to be dropped instead of queued. EPSS is very low (0.02%) with no public exploit identified at time of analysis and no CISA KEV listing, indicating low real-world urgency despite the CVSS 7.5 availability score.
Race condition in the Intel VT-d IOMMU driver of the Linux kernel allows a window where hardware can fetch a 'torn' context entry while the Present bit is still set, leading to unpredictable IOMMU behavior or spurious DMA faults on affected systems. The flaw stems from non-atomic teardown of 128-bit context entries via multiple 64-bit writes and is addressed by aligning with the VT-d specification's ownership handshake (Section 6.5.3.3); no public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%.
Denial of service in the Perl module IO::Uncompress::Unzip before version 2.220 allows remote attackers to cause CPU exhaustion by supplying a crafted ZIP archive that triggers a per-byte read loop in the fastForward() routine. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02%, but any application that accepts untrusted ZIP files and extracts a named entry through this module is exposed to availability impact.
Local File Inclusion in the SeedProd Pro WordPress plugin (all versions before 6.19.5) lets an authenticated, low-privileged user coerce a PHP include/require statement into loading attacker-influenced local files, leading to disclosure of sensitive server-side files and potential code execution if a controllable file (e.g. an uploaded payload or log) can be included. The flaw, reported by Patchstack and classified CWE-98, carries a CVSS 3.1 base score of 7.5 with high attack complexity. There is no public exploit identified at time of analysis, and CISA SSVC rates exploitation as 'none', indicating this is currently a patch-and-move-on item rather than an emergency.
Authentication-context bypass in pam_usb before 0.9.0 lets a person holding an enrolled USB device authenticate over SSH while the module's deny_remote protection wrongly classifies the connection as a local terminal session. The root cause is an incomplete check of the utmpx ut_addr_v6 field that misreads IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) as having no remote address, which is the normal way Debian and Ubuntu record incoming IPv4 SSH connections when sshd listens on the IPv6 wildcard. There is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but the operation needed to trigger it is trivial once the operator possesses a registered token.
Stack-based buffer overflow in the UTT HiPER 1250GW router (firmware up to 3.2.7-210907-180535) lets a network-adjacent authenticated user corrupt memory by supplying an oversized 'Profile' argument to the /goform/formGroupConfig endpoint of the Web Management Interface. The CVSS 4.0 score is 7.4, and publicly available exploit code exists, though the EPSS probability is very low (0.04%, 13th percentile) and it is not on the CISA KEV list. Successful exploitation can crash the device or potentially achieve arbitrary code execution on the router's management plane.
Stack-based buffer overflow in the web management interface of the UTT HiPER 1250GW router (firmware through 3.2.7-210907-180535) lets a remote, low-privileged attacker corrupt memory by submitting an oversized Profile value to the /goform/formConfigFastDirectionW handler, which passes it to an unbounded strcpy. The CVSS 4.0 vector rates confidentiality, integrity, and availability impact as High, consistent with potential code execution or device crash. Publicly available exploit code exists per the VulDB submission, though EPSS is very low (0.04%, 13th percentile) and there is no public exploit identified as actively exploited.
Stack-based buffer overflow in the UTT HiPER 1200GW router's Web Management Interface lets an authenticated, network-adjacent attacker corrupt memory by submitting oversized values to the PPTP client configuration handler (/goform/formPptpClientConfig), affecting firmware up to 2.5.3-170306. A successful overflow can crash the device or potentially achieve code execution on the embedded gateway, with high confidentiality, integrity, and availability impact on the device itself. Publicly available exploit code exists (CVSS 4.0 base 7.4), but the EPSS score is very low at 0.04% (13th percentile) and the issue is not listed in CISA KEV.
Stack buffer overflow in the UTT HiPER 1200GW router (firmware up to 2.5.3-170306) lets a remote, low-privileged user crash the device or potentially execute arbitrary code by submitting oversized sysAdmUser or sysAdmPass values to the /goform/setSysAdm endpoint of the Web Management Interface. The flaw stems from an unbounded strcpy call, and publicly available exploit code exists, though EPSS rates near-term mass exploitation as very low (0.04%). No CISA KEV listing or vendor patch has been identified.
Two-factor authentication bypass via TOTP secret disclosure affects FileRise self-hosted file manager before 3.12.0, where the /api/totp_setup.php endpoint can be reached from the intermediate 'pending_login_user' session state that exists after a correct password but before the TOTP check. For accounts that already have TOTP enabled, the endpoint decrypts and returns the existing TOTP secret inside the enrollment QR PNG rather than refusing, so an attacker who already holds the victim's password can extract the seed, compute a valid one-time code, and complete login without the victim's authenticator. No public exploit has been identified at time of analysis and no EPSS score is provided, but the issue fully defeats the second authentication factor.
Arbitrary code execution in GDAL 3.1.0 through 3.13.0 is reachable through the netCDF driver, where scanForGeometryContainers (frmts/netcdf/netcdfsg.cpp) copies a CF-convention geometry attribute into a fixed-size stack buffer without checking its length. Any service or workflow that feeds attacker-supplied NetCDF files to GDAL can be coerced into overflowing the stack and running attacker code in the process context. No public exploit is identified at time of analysis and EPSS is just 0.01% (3rd percentile), yet the issue carries a CVSS of 7.4 because the outcome is full remote code execution on the host.
Unauthenticated remote command injection in the Netis AC1200 Router (model NC21, firmware V4.0.1.4296) allows any LAN-resident attacker to execute arbitrary OS commands as the router's runtime user via a single HTTP POST to /cgi-bin/skk_set.cgi. The password and new_pwd_confirm parameters are concatenated into a shell invocation without sanitization, and exploitation requires no credentials. No public exploit is identified at time of analysis, though the disclosure repository documents the technique (base64-encoded backtick payloads), and EPSS scoring (0.21%) suggests limited broad exploitation pressure despite the trivial attack complexity.
OS command injection in sipeed picoclaw v0.1.2 and earlier allows remote attackers to bypass an incomplete denylist-based sanitizer in the ExecTool component and execute arbitrary shell commands on the host. The guardCommand() function in pkg/tools/shell.go relies on only eight regex denylist patterns, which is insufficient to block the wide range of shell metacharacters and command-chaining techniques available to an attacker. No public exploit identified at time of analysis, though a third-party gist documenting the issue is referenced from NVD.
Remote code execution in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha allows network-based attackers to execute arbitrary PHP code via the commonobject.class.php component. The CVSS 7.3 (AV:N/AC:L/PR:N/UI:N) vector indicates no authentication or user interaction is required, though impact metrics are rated Low across CIA. No public exploit identified at time of analysis, and EPSS scoring is very low at 0.06% (18th percentile) despite the unauthenticated network attack surface.
Remote code execution in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha stems from unsafe use of PHP's call_user_func_array() within the cron job class, enabling attackers to execute arbitrary PHP code on the application server. The vulnerability carries CVSS 7.3 with CWE-94 (Code Injection) classification, and while no public exploit is identified at time of analysis, a security researcher writeup referenced from NVD discusses a five-year history of related dol_eval issues in Dolibarr suggesting recurring weaknesses in this code area. EPSS probability is very low at 0.06% and SSVC reports no observed exploitation, but the issue is rated automatable with partial technical impact.
Authentication bypass in the ZAYTECH "Smart Online Order for Clover" WordPress plugin (all versions up to and including 1.6.0) lets remote, unauthenticated attackers reach protected functionality through an alternate code path that fails to enforce the plugin's normal authentication checks (CWE-288). Exploitation requires no privileges, no user interaction, and low attack complexity, but CVSS scopes the impact as limited (low confidentiality, integrity, and availability). There is no public exploit identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), indicating no current evidence of widespread exploitation.
Remote code execution in Tasmota firmware version 15.3.0.3 and earlier allows remote unauthenticated attackers to trigger a stack-based buffer overflow in the fetch_jpg() function of the xdrv_10_scripter.ino scripting driver. The flaw is exposed over the network with low complexity and no privileges required (CVSS 7.3 AV:N/AC:L/PR:N/UI:N), and a public proof-of-concept repository has been registered, though no public exploit code was identified in the references at time of analysis. EPSS probability is very low (0.05%, 15th percentile) and the issue is not listed in CISA KEV.
Sensitive data exposure in the ZAYTECH "Smart Online Order for Clover" WordPress plugin (all versions through 1.6.0) allows remote unauthenticated attackers to retrieve embedded sensitive information that the plugin inserts into data it sends. The CVSS 3.1 base score is 7.3 with a network/no-auth vector but only Low impact across confidentiality, integrity, and availability. There is no public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.04% (11th percentile), indicating low likelihood of opportunistic mass exploitation despite the easy attack path.
Broken access control in the WCFM Membership (wc-multivendor-membership) WordPress plugin by WC Lovers, affecting all versions up to and including 2.11.10, lets remote attackers reach functionality that should be authorization-gated. Because the vulnerable path is exposed over the network with no privileges or user interaction required (CVSS 7.3), unauthenticated actors can exploit incorrectly enforced access-control levels, though the impact to confidentiality, integrity, and availability is rated Low for each. There is no public exploit identified at time of analysis, and the EPSS exploitation probability is very low at 0.04% (11th percentile).
Arbitrary Perl code execution in the IO::Compress distribution (all versions before 2.220) lets an attacker who controls the output glob string passed to the bundled File::GlobMapper run arbitrary Perl at the calling process's privilege. The output glob is wrapped in double quotes and later handed to Perl's eval STRING, so an embedded double quote escapes the string context and the trailing characters execute as code. This is rated CVSS 7.3 and tagged RCE/Code Injection; no public exploit was identified at time of analysis and EPSS is very low (0.03%), but a vendor patch (2.220) and the fixing commit are publicly available.
Unauthenticated configuration disclosure in the Netis AC1200 Router NC21 (firmware V4.0.1.4296) allows any LAN-connected attacker to retrieve the device's full configuration via a single HTTP GET to /cgi-bin/skk_get.cgi. The dump exposes administrator credentials, WiFi and PPPoE passwords, DDNS credentials, and a map of connected clients, enabling immediate device takeover and lateral movement. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%, 6th percentile).
Hard-coded root credentials in Netis AC1200 Router NC21 firmware V4.0.1.4296 allow attackers who reach the device to log in as root using the trivially guessable password 'root' stored in /etc/shadow.sample. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the credential is static across affected units, making any exposed management interface a one-step compromise. The flaw is classified as CWE-798 (Use of Hard-coded Credentials) and is tagged as an Authentication Bypass.
Denial of service in the zipdetails CLI tool bundled with Perl's IO::Compress versions 2.207 through 2.219 causes the script to abort with status 255 when parsing a ZIP archive containing an Info-ZIP Unix Extra Field (tag 0x7875) that declares an 8-byte UID or GID size. The bug is a typo in the source (calling unpackValueQ instead of unpackValue_Q), and no public exploit is identified at time of analysis; library callers of IO::Compress/IO::Uncompress are unaffected. EPSS is negligible (0.02%) and impact is limited to crashing the inspection tool, not the consuming application.
Privilege escalation in the Linux kernel BPF subsystem allows unprivileged local users to detach tcx and netkit BPF programs from network devices without holding CAP_NET_ADMIN or CAP_SYS_ADMIN, due to a missing capability check in BPF_PROG_DETACH when no program file descriptor is supplied. The flaw enables low-privileged attackers to tamper with networking integrity and availability on affected kernels, though no public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.01%.