Memory leak in the Linux kernel's DAMON statistics subsystem (mm/damon/stat) causes kernel memory exhaustion when damon_start() fails during damon_stat_start(). The allocated DAMON context is never freed on the failure path, and the stale global pointer is overwritten on each subsequent enable attempt, making prior allocations permanently unreachable. Exploitation requires local access with low privileges, yields high availability impact (A:H) via progressive kernel memory exhaustion, and no public exploit or active exploitation has been identified at time of analysis.
KVM nested SVM (AMD virtualization) in the Linux kernel incorrectly marks VMCB_LBR dirty in the guest's vmcb12 during nested VM exit processing, triggering architecturally undefined behavior that results in hypervisor availability loss. Affected are Linux kernels from 5.19 through versions preceding the stable-branch patches at 6.18.27 and 7.0.4. A low-privileged local attacker operating within a nested virtual machine on an AMD SVM-capable host can exploit this to crash or destabilize the host KVM layer. No public exploit and no CISA KEV listing exist; EPSS sits at 0.02% (4th percentile), confirming negligible opportunistic exploitation probability.
Kernel panic in the Linux Ceph filesystem client affects systems running fscrypt-encrypted CephFS on kernel versions 6.18.16-6.18.29, 6.19.6, and 7.0.x prior to 7.0.4. An off-by-one error (CWE-193) in `ceph_wbc->num_ops` during encrypted writeback causes a hard BUG_ON assertion in `ceph_submit_write()`, crashing the kernel when a bounce buffer allocation fails under memory pressure. No public exploit exists and EPSS is 0.02% (4th percentile), but the CVE description contains a precise reproduction recipe, making reliable local triggering straightforward for anyone with write access to an affected encrypted mount.
IRQ handler cleanup failure in the Linux kernel Intel QAT (Quick Assist Technology) crypto driver for 6xxx-series devices causes kernel resource leaks and availability impact when device probe partially fails. The flaw manifests during adf_dev_up() failure: because pcim_enable_device() registers pcim_msi_release() as a devres action that runs in LIFO order, MSI-X vectors are torn down while IRQ handlers such as 'qat0-bundle0' are still attached, producing remove_proc_entry() warnings and leaking procfs entries. No public exploit has been identified at time of analysis, and EPSS at 0.02% (4th percentile) confirms negligible exploitation interest; impact is limited to systems that physically host Intel QAT 6xxx accelerator cards.
Incorrect NextRIP state management in the Linux kernel's KVM nested SVM (nSVM) subsystem causes a denial-of-service condition affecting nested AMD virtualization environments from kernel 5.8 onward. After the first L2 VMRUN completes and NextRIP is updated by the CPU or KVM, a subsequent save/restore cycle incorrectly substitutes the stale current RIP in vmcb02, corrupting virtual machine control block state and crashing the nested guest or KVM subsystem. No active exploitation has been identified (not in CISA KEV, EPSS 0.02% at 4th percentile), and the vulnerability is strictly limited to AMD hosts with nested virtualization configured using NRIPS-disabled L1 guests with injected soft interrupts.
Resource leak in the Linux kernel IPMI SSIF driver leaves an orphaned kernel thread running when driver initialization fails mid-sequence. Systems with SSIF-capable IPMI hardware (BMC connected via SMBus/I2C) running unpatched kernels are affected across multiple stable branches. If initialization errors occur after the ssif kthread is spawned but before the IPMI core starts the interface, the thread is never stopped, degrading system availability over time. No public exploit exists and EPSS is 0.02% (4th percentile), making this a routine patch-cycle item rather than an emergency; fixes are confirmed in stable kernel releases 6.18.27 and 7.0.4.
Two kernel heap memory leaks in Linux kernel's weighted interleave NUMA memory policy subsystem allow a local low-privilege user to exhaust kernel memory and cause denial of service. The `weighted_interleave_auto_store()` function in `mm/mempolicy.c` fails to free `new_wi_state` on an early-return path and fails to free the old state object when overwritten via `rcu_assign_pointer()` when processing 'true' writes, because `old_wi_state` is only fetched inside the wrong conditional branch. The second leak is trivially automatable - any authorized sysfs writer can loop-write '1' indefinitely to drive the system into OOM - though no public exploit exists and EPSS sits at a negligible 0.02%.
Lock re-entrancy corruption in the Linux kernel's mm/page_alloc subsystem affects uniprocessor (UP/!CONFIG_SMP) builds, allowing freelist corruption that crashes the kernel. On UP kernels, spin_trylock() is a compile-time no-op that unconditionally succeeds; when alloc_frozen_pages_nolock() is invoked from NMI context, it re-enters rmqueue() and acquires the zone lock already held by the interrupted context, corrupting the page allocator's freelists. No public exploit exists and EPSS sits at the 4th percentile (0.02%), consistent with the narrow scope: only non-default UP kernel builds on specific kernel versions are affected, making this a targeted stability concern for embedded or legacy uniprocessor deployments rather than a broad production threat.
Memory leak in the Linux kernel's EDAC/versalnet driver (mc_probe()) results in unreleased device_node references, enabling local low-privileged users to cause kernel memory exhaustion and availability degradation on AMD/Xilinx Versal SoC systems. The root cause is a missing of_node_put() call on all exit paths of mc_probe(), with the fix applied across stable branches including 6.18.27 and 7.0.4. No public exploit or CISA KEV listing exists, and EPSS sits at 0.02% (4th percentile), reflecting minimal active exploitation risk.
Broken LBR MSR save/restore in the Linux kernel KVM/SVM subsystem allows a low-privileged local attacker to cause high-impact availability failures in virtualized environments running on AMD SVM hardware. MSR_IA32_DEBUGCTLMSR and Last Branch Record (LBR) MSRs are not enumerated by KVM_GET_MSR_INDEX_LIST and cannot be set via KVM_SET_MSRS, meaning VM state is not correctly preserved across save/restore or live migration cycles, particularly when L2 guests are running. No public exploit has been identified at time of analysis, and EPSS of 0.02% indicates very low exploitation probability, but the flaw affects a foundational hypervisor state management path on production AMD virtualization infrastructure.
Out-of-bounds write and data-loss bugs in the Linux kernel SLUB allocator's krealloc() function affect kernels incorporating commit 2cd8231796b5, which introduced NUMA node and alignment forcing to k[v]realloc(). A local attacker with low privileges who can trigger the krealloc_node_align() or kvrealloc() reallocation fallback path - specifically when shrinking an allocation while simultaneously forcing a new alignment or NUMA node - can cause kernel heap memory corruption leading to a system panic or silent heap object corruption. No public exploit exists beyond the lkdtm reproducer in the CVE description; EPSS stands at the 4th percentile and the vulnerability is not in CISA KEV. Vendor-released patches are confirmed available in Linux 6.18.27, 7.0.4, and 7.1-rc1.
Use-after-free race condition in the Linux kernel's fbnic (Facebook NIC) driver can be triggered by a local attacker to crash the system. The fw_log firmware log buffer is freed during device teardown before the mailbox IRQ is disabled, allowing a concurrent MSIX interrupt handler to dereference a freed or NULL pointer. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.02% (4th percentile) reflects very low real-world exploitation probability; the primary risk is a denial of service to systems hosting fbnic NICs.
Uncontrolled BPF program signature size in the Linux kernel allows a low-privileged local user to force the kernel into expensive memory allocation paths (kmalloc_large or vmalloc) by supplying an arbitrarily large signature size value to the BPF_PROG_LOAD operation. Affected kernel versions prior to 6.18.14, 6.19.4, and 7.0 are vulnerable to local denial-of-service through kernel memory exhaustion. No public exploit has been identified at time of analysis and no active exploitation is confirmed (not in CISA KEV), with an EPSS score of 0.02% (4th percentile) indicating very low automated exploitation probability.
NULL pointer dereference in the Linux kernel's AppArmor LSM (`__unix_needs_revalidation()`) allows a local low-privileged user to crash the kernel, resulting in a denial of service. Introduced as a regression in kernel 6.17 with AppArmor 5.0.0, the flaw is triggered by passing file descriptors over UNIX domain sockets via SCM_RIGHTS when the receiving socket or its `sk` pointer is NULL during transient setup or teardown states. No active exploitation is confirmed (absent from CISA KEV), and EPSS sits at 0.02% (4th percentile), indicating low exploitation probability; patches are available in stable releases 6.18.14, 6.19.4, and 7.0.
IO deadloop in Linux kernel's md/raid5 subsystem causes complete availability loss on systems running degraded RAID5 arrays with llbitmap enabled. When llbitmap bit state is 'unwritten', the missing synchronization check in need_this_block() diverges from the check present in handle_stripe_dirtying(), trapping handle_stripe() in an infinite loop that never makes progress - effectively hanging all IO on the affected array. No public exploit is identified at time of analysis, and EPSS at 0.02% (4th percentile) reflects very low real-world exploitation probability, consistent with the narrow deployment conditions required.
Missing MTU validation in the Linux kernel fbnic Ethernet driver allows a local low-privileged user to trigger a denial of service by increasing the interface MTU after an XDP program is already attached. Increasing the MTU beyond the HDS (Header Data Split) threshold causes the fbnic hardware to fragment packets across multiple buffers; since single-buffer XDP programs cannot process multi-fragment frames, the driver silently drops them - breaking new TCP streams and discarding oversized non-TCP traffic. No public exploit exists and EPSS is 0.02% (4th percentile), placing this firmly in the low-priority tier despite its High availability rating; patches are confirmed available in Linux 6.18.14, 6.19.4, and 7.0.
Kernel crash (oops) in the stmmac GMAC4 Ethernet driver causes a denial of service when split header reception is enabled. The stmmac receive path incorrectly assumes that buf2 of the first DMA descriptor is always fully populated with payload, but the GMAC4 hardware does not guarantee this in all cases. When the assumption is violated, the driver miscalculates the length of buf2 in the second descriptor, resulting in an invalid virtual address dereference deep in the DMA cache-invalidation path, crashing the kernel. No public exploit has been identified at time of analysis, and EPSS is 0.02% (4th percentile), indicating negligible opportunistic exploitation interest.
Memory leak in the Linux kernel's NI USB GPIB driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering a failed initialization path. The flaw exists in ni_usb_init(), where a writes buffer is allocated but never freed when ni_usb_setup_init() returns failure, compounding the issue with an incorrect error code (-EFAULT instead of -EINVAL). No public exploit is identified at time of analysis, and EPSS sits at 0.02%, consistent with the niche hardware driver context and local-only attack surface.
Kernel panic in the Linux kernel's Inside Secure EIP-93 hardware crypto driver occurs during driver detach due to a loop iterator bug that causes the same hash algorithm to be unregistered multiple times. Systems equipped with Inside Secure EIP-93 cryptographic accelerator hardware and running unpatched kernels between the introducing commit (9739f5f93b78) and the fix commits are vulnerable. A local low-privileged user who can trigger driver detach - via module unload or device removal - can crash the kernel, resulting in a full system denial of service. No public exploit exists and EPSS is 0.02% (4th percentile), indicating negligible in-the-wild activity.
Btrfs transaction aborts in the Linux kernel allow local low-privileged users to crash the filesystem by triggering a logic defect in DUP chunk allocation that generates overlapping physical address ranges in the chunk map. Systems running btrfs with DUP metadata profiles - the default for single-device btrfs deployments - can encounter EEXIST (-17) errors in insert_dev_extents() during btrfs_create_pending_block_groups(), causing the transaction to abort and the filesystem to enter an error state. No public exploit or active exploitation (CISA KEV) has been identified; with an EPSS of 0.02% (4th percentile), this is a kernel reliability defect of operational concern to btrfs operators rather than a traditional attack vector.
NULL pointer dereference in the Linux kernel's ovpn (in-kernel OpenVPN) TCP socket handling causes a local denial of service via kernel crash. The race condition - between keepalive-driven peer release and concurrent userspace socket closure via tcp_close() - allows a low-privileged local user to trigger a kernel crash when ovpn attempts to dereference a NULL sk->sk_socket pointer during socket detachment. No public exploit has been identified and EPSS stands at 0.02% (4th percentile), reflecting narrow real-world exploitability constrained by the specific configuration and timing required.
Memory leak in the Linux kernel's AMD XDnA accelerator driver (accel/amdxdna) allows a local low-privileged user to degrade system availability by exhausting kernel memory. The amdxdna_ubuf_map() function fails to release previously allocated scatter-gather (sg) and internal sg table memory when error paths are taken during sg_alloc_table_from_pages or dma_map_sgtable operations. No active exploitation is confirmed (absent from CISA KEV), EPSS stands at 0.02% (4th percentile), and impact is strictly limited to availability - no confidentiality or integrity exposure exists.
Deadlock in the Linux kernel mlx5e Mellanox/NVIDIA Ethernet driver allows a low-privileged local attacker to hang the system by triggering network health reporter recovery paths that acquire locks in the wrong order. Specifically, work handlers acquire the netdev instance lock before invoking devlink_health_report, which then attempts to acquire the devlink lock - reversing the mandated devlink → rtnl → netdev ordering and producing an ABBA deadlock. The vulnerability affects systems equipped with Mellanox/NVIDIA ConnectX NICs; no public exploit exists and EPSS sits at 0.02% (4th percentile), consistent with a kernel-internal locking race rather than an externally triggerable flaw.
Divide-by-zero kernel panic (Oops) in the Linux kernel MPTCP subsystem's `mptcp_rcvbuf_grow()` function can be triggered by a local authenticated user under a rare but specific race condition involving concurrent out-of-order packet arrival and receive buffer initialization. The vulnerability also causes a secondary effect where the MPTCP receive buffer slowly drifts toward the `tcp_rmem[2]` maximum, degrading system performance on MPTCP-heavy workloads. No public exploit identified at time of analysis; EPSS is 0.02% (4th percentile), consistent with its local-only, race-dependent nature.
Memory leak in the Linux kernel's af_unix subsystem allows a local low-privileged user to exhaust kernel memory by repeatedly triggering a failure path in unix_stream_connect(). When prepare_peercred() fails after unix_create1() has already allocated a new socket object (newsk), the error path omits the required unix_release_sock() call, leaving kernel memory permanently unreleased. No public exploit has been identified at time of analysis; EPSS at 0.02% (4th percentile) reflects negligible widespread exploitation likelihood, consistent with the local-only attack vector.
Error handling failure in the Linux kernel's arm64 Guarded Control Stack (GCS) subsystem allows a local low-privileged user on ARMv9 hardware to trigger a kernel denial of service by exploiting an incorrect NULL check in arch_set_shadow_stack_status(). Because alloc_gcs() propagates do_mmap() failures as error-encoded pointers rather than NULL, the existing guard is bypassed and the kernel proceeds to use an invalid GCS address, risking a kernel panic. No public exploit exists and EPSS sits at the 4th percentile, but the vulnerability is confirmed patched in Linux 6.18.14, 6.19.4, and 7.0.
Kernel panic in the Linux inside-secure/eip93 hardware crypto driver occurs when the driver teardown routine unconditionally unregisters all cryptographic algorithms, including those never registered because the underlying EIP93 silicon does not implement them. Platforms with partial EIP93 silicon support - where only a subset of algorithms are burned into hardware - trigger the panic during module removal or system shutdown. No public exploit exists and EPSS sits at the 4th percentile (0.02%), indicating this is primarily a stability defect with negligible exploitation interest rather than a targeted attack surface.
Null pointer dereference in Wireshark's ROHC protocol dissector causes application crashes across two active release branches, constituting a denial-of-service condition. Affected versions span Wireshark 4.6.0 through 4.6.5 and 4.4.0 through 4.4.15; patched releases 4.6.6 and 4.4.16 are available per the vendor advisory wnpa-sec-2026-51. The attack vector is local with required user interaction (CVSS AV:L/UI:R), meaning exploitation requires a victim to open a specially crafted packet capture file - no remote or automated exploitation path exists, and no public exploit code or active exploitation has been identified at time of analysis.
Denial of service in IBM Db2 11.5.x and 12.1.x allows a low-privileged local user to crash the database engine by executing a specially crafted query against range partitioned tables. The vulnerability stems from uncontrolled resource allocation (CWE-770) during query processing, resulting in complete availability loss with no impact to confidentiality or integrity. No public exploit code exists and this vulnerability has not been listed in the CISA KEV catalog at time of analysis.
Denial of service in IBM Db2 versions 11.5.0-11.5.9 and 12.1.0-12.1.4 allows a locally authenticated, low-privileged user to crash the database service by executing a specially crafted SQL query against an instance configured with a small statement heap. The vulnerability stems from uncontrolled resource consumption (CWE-400) during query processing, resulting in high availability impact with no confidentiality or integrity exposure. No public exploit code and no active exploitation have been identified at time of analysis; SSVC classifies exploitation status as none.
Sensitive information disclosure in IBM App Connect Enterprise 13.0.1.0 through 13.0.7.0 exposes potentially sensitive data via log files accessible to local users. The CVSS vector (AV:L/PR:L) confirms exploitation requires local, low-privileged authenticated access, limiting the attack surface to users already present on the system. No public exploit has been identified and CISA SSVC rates exploitation as none, but the confidentiality impact is rated High, meaning successful access to log files could yield significant sensitive data.
Cross-site scripting in IBM Cognos Analytics and IBM Cognos Transformer allows a remote authenticated attacker to inject arbitrary JavaScript into the web user interface, executing in the browser context of other users within a trusted session. Affected versions span IBM Cognos Analytics 11.2.0 through 12.1.0 and IBM Cognos Transformer 11.2.4 through 12.1.0. The primary risk is credential disclosure - an attacker who can plant a payload could harvest session tokens or credentials from other authenticated users. No public exploit code exists and CISA SSVC rates exploitation as none at time of analysis.
Stored cross-site scripting in creatorsofcode's simplephp admin panel allows authenticated low-privileged users to inject persistent malicious scripts via the /admin/config-module.php configuration endpoint. When an administrator or privileged user subsequently views the affected page, the stored payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized administrative actions. A proof-of-concept exists per SSVC intelligence; this CVE is not currently listed in CISA KEV.
Stored Cross-Site Scripting in ShopLentor (WordPress plugin, versions ≤ 3.3.8) allows authenticated contributors to permanently embed malicious JavaScript into WordPress pages via the 'blockUniqId' attribute of Product Grid blocks. Any user who subsequently visits an injected page triggers script execution in their browser, enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim. EPSS is negligible at 0.03% (9th percentile), no CISA KEV listing exists, and no public exploit has been identified at time of analysis.
Incorrect authorization in DFIR-IRIS before version 2.4.28 allows authenticated low-privileged users to falsely attribute security alerts to arbitrary customers, corrupting case integrity in digital forensics and incident response workflows. Discovered by SBA Research and disclosed via oss-security on 2026-05-19, this flaw enables manipulation of alert-to-customer linkage without proper authorization checks. No active exploitation has been identified at time of analysis, and a patched release (2.4.28) is available.
Open redirect in WeGIA before version 3.7.3 enables authenticated attackers to weaponize the trusted WeGIA domain for phishing, credential harvesting, and malware distribution by manipulating the unvalidated `nextPage` parameter at the `/WeGIA/controle/control.php` endpoint. Affected deployments include any WeGIA instance running versions prior to 3.7.3 where the control endpoint is accessible to low-privileged authenticated users. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the social engineering abuse potential against users who trust the institution's domain is the primary real-world risk.
Cross-site scripting in Synology Contacts before version 1.0.10-20659 allows authenticated remote users to read or write specific files containing non-sensitive information by injecting malicious input through the contact functionality. The CVSS scope change (S:C) confirms the injected script executes in a context beyond the originating application, affecting any victim who views the crafted contact entry. No public exploit identified at time of analysis, and CISA has not listed this in the Known Exploited Vulnerabilities catalog.
Unauthenticated statistics reset in WP Promoter plugin (WordPress, versions ≤1.3) allows any remote attacker to permanently delete promotional bar and popup campaign analytics by exploiting a missing capability check on the reset_stats() function. The function is registered on the wp_ajax_nopriv_wpp-reset_stats action hook - WordPress's mechanism for unauthenticated AJAX access - with no nonce validation, capability check, or authentication enforcement of any kind, making the destructive operation trivially invocable via a single HTTP POST request. No public exploit code has been identified at time of analysis, EPSS is 0.06% (18th percentile), and SSVC rates exploitation as none, indicating no observed active exploitation.
Uncontrolled resource consumption in the Simply Schedule Appointments WordPress plugin (all versions ≤ 1.6.11.5) enables unauthenticated remote attackers to exhaust PHP-FPM or mod_php worker processes, effectively rendering the WordPress site unavailable to legitimate users. The attack surface is a publicly accessible REST endpoint (/wp-json/ssa/v1/async) that directly passes a caller-controlled delay parameter into PHP's native sleep() function with no rate limiting or input sanitization. No public exploit code has been identified at time of analysis and EPSS is very low (0.05%, 15th percentile), suggesting limited opportunistic interest so far, though the trivially low attack complexity means any actor can attempt this with no tooling.
Prototype-chain property leakage in LiquidJS (npm/liquidjs <= 10.25.7) allows unauthenticated remote attackers to read prototype-chain properties of JavaScript objects passed to a {% render %} partial, even when the caller explicitly invoked parseAndRender() with { ownPropertyOnly: true } to lock down the render. The root cause is Context.spawn() failing to propagate the resolved per-render ownPropertyOnly value to child contexts, silently discarding a documented security override. A publicly available proof-of-concept exploit exists demonstrating that top-level {{ user.passwordHash }} is correctly blocked while the identical expression inside a {% render %} partial returns the sensitive value; no vendor-released patch is available at time of analysis.
Denial-of-service exposure in IBM OpenBMC firmware versions FW1110.00 through FW1110.11 allows unauthenticated remote attackers to partially degrade system availability by sending specially crafted network requests exploiting improper input quantity validation (CWE-1284). The attack requires no authentication, no user interaction, and low complexity, making it fully automatable per SSVC assessment - though no public exploit code has been identified at time of analysis. Because BMCs operate independently of the host OS and remain network-accessible even when servers are powered down, disrupting this layer carries operational risk disproportionate to the CVSS 5.3 Medium score alone.
SQL injection in uzy-ssm-mall v1.1.0 exposes sensitive database information to unauthenticated remote attackers via unsanitized input passed through the ProductMapper.xml MyBatis mapper and OrderUtil.java components. The vulnerability requires no authentication or user interaction, making it trivially automatable according to the SSVC framework. No public exploit identified at time of analysis, and EPSS sits at 0.04% (12th percentile), indicating low current exploitation pressure despite the permissive attack surface.
{client_id}-sensors$', the unsanitized client_id value is embedded directly into the server-side regex, letting a crafted client_id (e.g., '.*' or 'legit|(admin)') alter the pattern's matching logic and grant access to topics the user should not reach. No public exploit has been identified at time of analysis, and the attack requires both valid MQTT credentials and a specifically configured authorization policy, but the high subsequent system impact (SC:H/SI:H per CVSS 4.0) elevates this beyond a simple medium-severity finding for affected deployments.
Kirby CMS's content-locking feature leaks authenticated users' email addresses and internal identifiers to low-privilege Panel users who are explicitly prohibited from seeing those users under role-based `users.access` or `users.list` permission restrictions. Any low-privilege authenticated Panel user on an affected site can harvest admin email addresses and user IDs during active content lock windows (default 10 minutes) simply by triggering an edit conflict or inspecting Panel view payloads. No public exploit has been identified at time of analysis, and exploitation is bounded to sites with non-default user-visibility restrictions, but the harvested data directly enables downstream phishing, credential stuffing, and admin account enumeration.
Authenticated cross-client stale result replay in Microsoft UFO's WebSocket task handling allows a low-privileged attacker to retrieve another user's completed automation session output. The framework accepts client-supplied session_id values without verifying ownership, so a requester who knows or can predict a prior session's identifier can hijack its stored result via the normal send_task_end() callback path. No public exploit has been identified at time of analysis, and KEV listing is absent, but the High confidentiality impact (C:H) is significant given UFO orchestrates device automation tasks that may capture sensitive screen content, documents, or credentials.
IBM SDI 7.2.0.0 through 7.2.0.14 and IBM Security Directory Integrator 10.0.0.0 through 10.0.0.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Stored cross-site scripting in Agent Zero before version 1.15 enables arbitrary JavaScript execution in the application origin by exploiting the image_get API endpoint's failure to set Content-Security-Policy, X-Content-Type-Options, or Content-Disposition headers when serving SVG files. An unauthenticated attacker (CVSS PR:N) who can write a crafted SVG to any filesystem path readable by the agent-zero process can then socially engineer an authenticated user into visiting the endpoint, causing the browser to execute embedded scripts, exfiltrate the csrf_token cookie, and issue unauthorized API calls on the victim's behalf. No public exploit has been identified at time of analysis, and SSVC classifies exploitation as none with automatable set to no, reflecting the mandatory user-interaction prerequisite.
Cryptographic signature verification bypass in Northern.tech Mender Client 5 (before 5.0.4) allows unauthenticated remote attackers to circumvent JWT-based authentication controls. Tagged as both an Authentication Bypass and a JWT Attack, this CWE-347 flaw means the client fails to properly validate cryptographic signatures on tokens, potentially enabling unauthorized access to protected functionality or data. No public exploit code has been identified at time of analysis, and the low EPSS score of 0.02% (5th percentile) suggests exploitation is not currently widespread.
CSRF vulnerability in ZTE ZXUniPOS NDS-LTE enables an attacker to forge authenticated cross-site requests that modify system configuration data on behalf of a high-privilege user. The CVSS vector (PR:H/UI:R/AC:H) tightly constrains exploitation: a high-privilege administrator must be actively tricked into visiting attacker-controlled content while an authenticated session is live. No public exploit code exists and no KEV listing is present; EPSS at 0.02% (4th percentile) and SSVC Exploitation=none collectively signal negligible observed real-world exploitation activity.
Unauthorized private project enumeration in GitLab CE/EE exposes confidential project metadata to unauthenticated network attackers due to incorrect authorization checks (CWE-863). All GitLab installations running versions from 18.2 through the patched releases are affected - both Community and Enterprise editions. While the direct impact is limited to information disclosure (project enumeration rather than content access), exposed project names and IDs can facilitate targeted follow-on attacks against otherwise hidden repositories. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.