Out-of-bounds heap read in the Linux kernel's ibmasm driver (the IBM Advanced System Management service-processor interface) lets a local privileged user leak adjacent kernel heap memory. The ibmasm_send_i2o_message() function trusts user-controlled command_size and data_size header fields to size a memcpy_toio() without validating them against the real allocation, so a small buffer with inflated header values forces a read of up to ~65 KB past the allocation, which is then forwarded to the service processor over MMIO. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.
Out-of-bounds read in the Linux kernel's AppArmor LSM subsystem (security/apparmor/match.c) allows a local low-privileged user to trigger a KASAN slab-out-of-bounds read via the mount() syscall on kernels 7.0 through 7.0.3 and 7.1-rc1. The flaw stems from a missing string terminator that causes aa_dfa_match() to read past the end of an 8KB kmalloc buffer when processing mount path strings, resulting in potential information disclosure and system instability (denial of service). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%.
Local privilege-bounded information disclosure and integrity compromise in the Linux kernel's SELinux module affects overlayfs mounts where mmap() and mprotect() operations bypass the intended dual-credential access checks. A local authenticated user with access to an overlayfs top-level (user) file can map or change protections on backing files without the mounter's credentials being properly evaluated, undermining the SELinux overlayfs security model. EPSS is very low (0.02%, 5th percentile) and no public exploit identified at time of analysis.
Out-of-bounds read in the Linux kernel's crypto authencesn AEAD wrapper allows a local user with AF_ALG access to trigger memory disclosure and possible denial of service by instantiating an authencesn transform built on an ahash whose digest size is 1-3 bytes (for example cbcmac(cipher_null)). The flaw stems from crypto_authenc_esn_create() failing to validate the inner digest size, letting an invalid default authsize bypass the existing setauthsize() check. No public exploit identified at time of analysis and EPSS probability is negligible (0.02%), but the upstream fix is shipping across multiple stable trees.
Out-of-bounds MMIO read in the Linux kernel's ibmasm (IBM Advanced System Management) misc driver allows a compromised IBM service processor to read 8 bytes from unintended device registers or trigger a machine check exception (system crash) by writing an out-of-range queue reader/writer index before asserting an interrupt. The flaw resides in ibmasm_handle_mouse_interrupt() where raw readl() values are passed unchecked to get_queue_entry(), and is fixed by bounds-checking both indices against REMOTE_QUEUE_SIZE (60). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%.
Local denial of service and potential information disclosure in the Linux kernel's EROFS filesystem affects versions from 5.13 through pre-patch releases, where a crafted EROFS image triggers an unsigned integer underflow in z_erofs_lz4_handle_overlap(). When a malicious image is mounted and a file is read, the LZ4 inplace decompression path wraps the 'outpages - inpages' calculation to a huge value and reads past the decompressed_pages array. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but a reproducible proof-of-concept image is embedded in the upstream commit message.
Out-of-bounds read in the Linux kernel's ibmasm driver allows a local low-privileged user with write access to the ibmasm command character device to leak kernel heap memory to the IBM Advanced System Management service processor and potentially destabilize the host. The flaw resides in command_file_write(), which trusts attacker-controlled command_size/data_size header fields after allocating a buffer of arbitrary count, enabling get_dot_command_size() to return a value larger than the allocation. EPSS is 0.02% and no public exploit is identified at time of analysis; the issue is not on CISA KEV.
Denial of service in the Linux kernel's RCU (Read-Copy-Update) subsystem allows a local condition to trigger an infinite recursion deadloop in rcu_read_unlock_special() when ftrace is enabled, leading to kernel hang or crash. The flaw stems from a missing recursion-protection flag when raise_softirq_irqoff() is invoked from the RCU unlock path, causing repeated re-entry through the softirq/trace stack. No public exploit identified at time of analysis and EPSS rates exploitation probability at 0.02%.
Kernel NULL pointer dereference in the Linux EROFS compressed filesystem driver allows a local user reading from an EROFS image to crash the system. The flaw lives in z_erofs_decompress_pcluster(), where compressed folios for ztailpacking pclusters are added to I/O chains before being validated; if inline-data reading fails (notably when a fatal signal interrupts read_mapping_folio()), decompression assumes the folios are valid and dereferences a NULL pointer. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%), and the issue is not in CISA KEV.
Out-of-bounds read in the Linux kernel's AppArmor subsystem allows a local, low-privileged attacker to leak adjacent kernel memory and potentially crash the system when AppArmor parses a policy table built from possibly unaligned, userspace-supplied source data. The flaw stems from unaligned memory accesses during table creation in the policy loader and carries high confidentiality and availability impact. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.02%, 5th percentile), consistent with a hard-to-reach local-only kernel hardening fix rather than a mass-exploitation target.
Denial of service in the Linux kernel's EFI unaccepted-memory handling allows a boot-time kernel panic on confidential-computing guests, affecting kernels from 6.6 through the 6.19/7.0 development line. The reserve_unaccepted() routine miscalculates the memblock reservation size when the unaccepted memory table is not page-aligned, leaving the table's tail unreserved so it can be overwritten or rendered inaccessible, triggering a panic in accept_memory(). It is observed on Intel TDX VMs with larger memory sizes (e.g. >64GB); there is no public exploit identified at time of analysis and EPSS is negligible (0.02%).
Out-of-bounds stack read in the Linux kernel's IMA (Integrity Measurement Architecture) subsystem, in ima_appraise_measurement() reached via is_bprm_creds_for_exec(), affecting kernels from the 6.14 series up to the fixed stable commits. A misuse of container_of() on a *file pointer computes an invalid stack offset, letting a local execution path read one byte past a stack frame object (flagged by KASAN), which can disclose adjacent stack data or crash the task. EPSS is very low (0.02%, 5th percentile), the CVE is not on CISA KEV, and there is no public exploit identified at time of analysis; the issue is patched upstream.
Out-of-bounds memory access in the Linux kernel's DAMON (Data Access MONitor) subsystem allows privileged local users to crash the kernel by supplying arbitrary node IDs to damos_quota_goal via DAMON_SYSFS. Affecting Linux 6.16 and fixed in 6.18.27, 7.0.4, and 7.1-rc1, the flaw stems from missing validation before si_meminfo_node()/NODE_DATA() lookups and is reproducible with the upstream 'damo' user-space tool. No public exploit identified at time of analysis and EPSS is very low at 0.02%.
High-impact integrity and availability flaw in the Linux kernel's md-llbitmap (multi-device log-based bitmap) subsystem allows a local low-privileged attacker to render RAID bitmap page control structures permanently unusable. When llbitmap_suspend_timeout() times out, percpu_ref is left in a killed state and never resurrected, breaking subsequent md daemon operations on that page. EPSS is very low (0.02%, 4th percentile) and no public exploit is identified at time of analysis, but vendor-released patches are available in 6.18.14 and 6.19.4.
Information disclosure in the Linux kernel BPF subsystem allows a local low-privileged user with BPF program load access to leak kernel memory contents. Incorrect memory-access flags on several ARG_PTR_TO_MEM helper prototypes (notably bpf_get_stack_proto_raw_tp) cause the verifier to wrongly assume helper-written buffers are unchanged, optimizing away subsequent reads and producing stale or uninitialized data that can expose kernel memory. There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and it is not in CISA KEV.
Authentication bypass in pam_usb prior to 0.9.0 lets a local user defeat the USB hardware-authentication factor by deleting their own ~/.pamusb/device.pad file. The flawed pusb_pad_compare() check in src/pad.c only confirmed the user-side pad was readable and treated its absence as a non-fatal failure in certain code paths, so authentication succeeded without the physical USB device ever being verified. There is no public exploit identified at time of analysis, but the technique is trivial - a single file deletion by the account owner.
Local privilege escalation in presire qSnapper before 1.3.3 lets a low-privileged user bypass Polkit authentication in the privileged D-Bus service by exploiting a PID-reuse race in the UnixProcessSubject authorization check. A successful race grants the attacker the authority of a privileged process, exposing high-impact root-level operations (snapshot/file restore) on the host. EPSS is low (0.13%, 3rd percentile) and no public exploit is identified; the issue was found in a coordinated SUSE security review and fixed in v1.3.3.
SQL injection in the UpdateParam function of admin.mbnetj.php in MB connect line's mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual remote-maintenance portals (versions up to and including 2.20.0) lets a high-privileged remote attacker tamper with a SQL UPDATE command, reading the entire database and modifying values in a non-critical table. The flaw was reported by CERT@VDE (advisory VDE-2026-044) and carries CVSS 4.0 base 7.0. There is no public exploit identified at time of analysis, EPSS is very low (0.03%, 10th percentile), and CISA SSVC rates exploitation as 'none' - indicating low immediate real-world urgency despite the high impact ceiling.
SQL injection in the UpdateParam function of view.html.php affects MB connect line remote-access portals (mbCONNECT24, myREX24V2, mymbCONNECT24, and myREX24V2.virtual) in versions up to and including 2.20.0, letting an attacker inject into a SQL UPDATE statement to read the entire backend database and alter values in a non-critical table. The CVSS 4.0 vector (PR:H) indicates a high-privileged account is required, even though the advisory text labels the flaw 'unauthenticated' - a discrepancy defenders should resolve with the vendor. There is no public exploit identified at time of analysis, EPSS is very low (0.03%), and CISA SSVC rates exploitation as 'none'.
SQL injection in the DeleteSysLogEntry function of MB connect line / Helmholz remote-maintenance platforms - mbCONNECT24, myREX24V2, mymbCONNECT24 and the myREX24V2.virtual variant through version 2.20.0 - lets a network attacker with high privileges inject SQL into a DELETE statement, reading the entire backend database and deleting rows in a non-critical syslog table. The flaw yields full confidentiality loss and limited integrity impact (CVSS 4.0 base 7.0). There is no public exploit identified at time of analysis, EPSS is very low (0.03%, 10th percentile), and CISA SSVC rates exploitation as none, indicating no observed in-the-wild activity. Note the vendor description's 'unauthenticated' wording conflicts with the CVSS PR:H (high privileges required) metric.
SQL injection in the MB connect line remote-maintenance portals mbCONNECT24, myREX24V2, myREX24V2.virtual and mymbCONNECT24 (all versions up to and including 2.20.0) lets a high-privileged remote user manipulate a SQL DELETE statement in the _RemoveRequest function to read the entire backend database and delete rows in a non-critical table. The CVSS 4.0 vector (PR:H) indicates an authenticated, high-privilege account is required despite the description's wording, yielding total confidentiality loss and partial integrity loss. There is no public exploit identified at time of analysis, EPSS is very low (0.03%), and the issue is not listed in CISA KEV.
SQL injection in MB connect line's mbCONNECT24 / myREX24V2 remote-maintenance portals (all releases up to and including 2.20.0) lets an attacker break out of the SQL UPDATE statement bound to the 'devices' parameter in the accountstatus view, yielding full read access to the backend database and limited writes to a non-critical table. The CVSS 4.0 vector requires high privileges (PR:H), so a privileged authenticated user is the realistic threat actor — this directly contradicts the advisory text that labels the flaw 'unauthenticated,' a discrepancy defenders should resolve with the vendor. EPSS is very low (0.03%, 10th percentile) and there is no CISA KEV entry; no public exploit identified at time of analysis.
SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-access platform (all editions through 2.20.0) lets a high-privileged remote attacker inject SQL through the userid parameter of the accountstatus view, which is concatenated unsafely into a SQL UPDATE statement. Successful exploitation yields read access to the entire backend database (total confidentiality loss) plus the ability to alter values in a non-critical table (partial integrity loss). There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS probability is very low at 0.03% (10th percentile).
SQL injection in the DevSerialReset function of MB connect line / Helmholz industrial remote-access portals (mbCONNECT24, mymbCONNECT24, myREX24V2, and the .virtual variants) lets a high-privileged remote attacker read the entire backend database and modify values in a non-critical table. The flaw stems from improper neutralization of special elements within a SQL UPDATE statement (CWE-89), yielding total loss of confidentiality and partial integrity impact. There is no public exploit identified at time of analysis, and EPSS rates exploitation likelihood very low (0.03%, 10th percentile).
Certificate chain forgery in Erlang/OTP's public_key application (pubkey_cert module) lets a non-CA end-entity certificate act as an intermediate issuer, allowing an attacker holding such a certificate's private key to sign forged leaf certificates for arbitrary identities that public_key:pkix_path_validation/3 will accept. This breaks server identity verification for TLS clients and client-certificate verification for mTLS servers across any application using the OTP ssl stack with the default verifier. Tracked as CWE-295 with a CVSS 4.0 base score of 7.0 (subsequent-system confidentiality and integrity rated High); no public exploit identified at time of analysis and it is not listed in CISA KEV, with the only available code being the vendor fix commits.
Information disclosure in ZTE ZXUniPOS NDS-LTE (V24.40.40 and earlier, and V24.30.40CP02 and earlier) stems from an insecure cryptographic password scheme - such as hard-coded keys, weak encryption algorithms, or poor key management - that lets remote, unauthenticated attackers recover or tamper with protected data. The CVSS vector (AV:N/AC:H/PR:N) indicates network reachability without credentials but with high attack complexity, and the primary impact is confidentiality loss (C:H) with minor integrity and availability effects. There is no public exploit identified at time of analysis, and EPSS is very low (0.02%, 7th percentile).
Slab allocator corruption in the Linux kernel's mm/slab subsystem allows local low-privileged users on uniprocessor (UP, !CONFIG_SMP) builds to potentially corrupt kernel memory state when kmalloc_nolock() is invoked from NMI context. The flaw stems from spin_trylock() being a no-op on UP kernels, allowing re-entry into the slab allocator while n->list_lock is already held by the interrupted context. EPSS is very low (0.02%) and no public exploit has been identified at time of analysis, though an upstream patch is available.
Quadratic-complexity denial of service in Botan's BER parser affects all versions prior to 3.12.0, allowing unauthenticated remote attackers to exhaust CPU resources by submitting crafted ASN.1 data. The parser accepted indefinite-length encodings even in structures required to use DER (which explicitly prohibits them), and specific patterns of such encodings trigger O(n²) algorithmic behavior. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
SQL injection in the dsgvo_contracts view of mbCONNECT24 and related industrial remote access platforms (versions up to and including 2.20.0) enables a high-privileged remote attacker to exfiltrate confidential data from the underlying database without integrity or availability impact. The vulnerability (CWE-89, CVSS 4.0: 6.9) is constrained by the PR:H requirement - the attacker must already hold high-privileged credentials - which substantially limits realistic attack surface in well-managed deployments. No public exploit or active exploitation has been identified; CISA SSVC rates exploitation as none and EPSS stands at 0.03% (10th percentile).
SQL injection in the DevSerialReset function of MB Connect Line's mbCONNECT24, myREX24V2, mymbCONNECT24, and myREX24V2.virtual industrial remote access platforms allows a high-privileged remote attacker to read arbitrary database contents via a maliciously crafted SQL SELECT statement. All product variants at or below version 2.20.0 are confirmed affected per ENISA EUVD-2026-32126. No public exploit code exists and EPSS is 0.03% (10th percentile), indicating low observed exploitation pressure at time of analysis; however, the industrial/OT targeting profile warrants attention.
SQL injection in the getAccountByID function of MB connect line's mbCONNECT24, mymbCONNECT24, myREX24V2, and myREX24V2.virtual industrial remote-access platforms (all versions up to and including 2.20.0) allows a high-privileged remote attacker to extract data from the underlying database via a crafted SELECT statement. The vulnerability is classified under CWE-89 with confidentiality impact rated High on the vulnerable component, while integrity and availability remain unaffected. No public exploit code exists and no KEV listing has been issued; EPSS (0.03%, 10th percentile) and SSVC signals both indicate low current exploitation likelihood.
NULL pointer dereference in libusb's USB descriptor parser allows any attacker who can supply a crafted configuration descriptor to crash any application that uses libusb for USB device enumeration. Affected versions are all libusb releases before 1.0.30; the flaw resides in parse_interface() within descriptor.c and is reachable through the public APIs libusb_get_active_config_descriptor and libusb_get_config_descriptor. No public exploit code is identified at time of analysis and this CVE does not appear in the CISA KEV catalog, but the availability impact is confirmed high (CVSS 4.0 VA:H) and regression corpus files in the fix commit demonstrate reliable crash reproduction.
Reachable assertion in TeamSpeak 3 Server's client handshake handler allows remote unauthenticated attackers to crash the server by manipulating the 'proof' argument during connection setup, resulting in a denial of service. All versions from 3.13.0 through 3.13.7 are affected; the issue was independently researched by modzero and disclosed via TeamSpeak security advisory TS-SA-2026-001. No public exploit or CISA KEV listing exists at time of analysis, but the low-complexity, no-privileges-required attack surface makes this straightforward to trigger remotely.
Heap-based buffer overflow in TeamSpeak 3 Server's ECC Key Parser allows remote unauthenticated attackers to crash the server, causing a denial of service against all versions up to and including 3.13.7. The vulnerability was discovered and disclosed by modzero security research (advisory mz-26-01-teamspeak) with a coordinated vendor response resulting in TeamSpeak security advisory TS-SA-2026-001. A proof-of-concept exploit exists per SSVC data, and the attack is automatable, meaning exploitation can be scripted at scale against exposed TeamSpeak server instances. No public exploit identified as confirmed actively exploited in the wild (not listed in CISA KEV at time of analysis).
Privilege escalation in PostgreSQL Anonymizer (all versions prior to 3.1.0) allows an authenticated database user to gain superuser privileges by embedding malicious SQL code within a column identifier of a user-created table. When a superuser invokes the k-anonymity function against such a table, the injected code executes with superuser-level privileges, yielding full confidentiality, integrity, and availability impact across the database. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though SSVC rates technical impact as total due to the complete privilege escalation outcome.
Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity.
Arbitrary blobstore deletion in BOSH Director allows a compromised, high-privileged BOSH-managed VM to delete any object from the shared Director blobstore by injecting crafted NATS reply messages. All BOSH Director versions prior to v282.1.12 are affected, with the root cause being a complete absence of UUID-format validation, ownership checks, and namespace prefixing in ResourceManager before executing blobstore.delete(). An attacker leveraging this post-compromise path can corrupt or destroy deployment artifacts, compiled packages, and release binaries relied upon by dependent deployments, producing cascading availability failures across the BOSH environment. No public exploit or active exploitation has been identified at time of analysis; SSVC confirms exploitation status as none.
Trust-store poisoning in Samba's certificate auto-enrollment lets an adjacent-network attacker install an attacker-controlled CA certificate when auto-enrollment is enabled. Because Samba retrieves the CA certificate over plaintext HTTP and adds it to the local trust store without verifying authenticity, a man-in-the-middle can have a rogue CA trusted system-wide, enabling interception or spoofing of otherwise trusted TLS communications. The issue carries CVSS 8.0 with high confidentiality and integrity impact and a changed scope; EPSS is 0.00% and no public exploit identified at time of analysis.
Heap buffer overflow in pam_usb prior to 0.9.1 allows a local attacker with high privileges to corrupt heap memory on 32-bit Linux platforms (armv7l, i686) by supplying a crafted configuration file with an excessive device count. The root cause is an unchecked integer multiplication in src/conf.c where n_devices * sizeof(t_pusb_device) wraps around size_t on 32-bit targets, causing xmalloc() to receive a drastically undersized allocation that is silently accepted, enabling out-of-bounds writes into heap memory. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, successful exploitation yields full confidentiality, integrity, and availability impact on the affected host.
Unsafe deserialization in Jenkins Active Directory Plugin 2.41 and earlier allows a remote attacker holding administrative credentials to achieve full system compromise by manipulating the LDAP referral processing path. The plugin deserializes data received from LDAP referrals without validation (CWE-502), which can enable arbitrary code execution on the Jenkins controller. No public exploit exists at time of analysis, and CISA SSVC assesses this as not automatable, though technical impact is rated total - making it a targeted rather than opportunistic threat.
Jenkins LDAP Plugin versions up to and including 807.v7d7de30930cf deserializes Java objects returned via LDAP referral responses without any validation, exposing the underlying Jenkins instance to potential remote code execution via classic Java deserialization gadget chains. Exploitation is constrained by a high privilege requirement and high attack complexity (CVSS PR:H/AC:H), limiting realistic scenarios to attackers who already hold Jenkins administrative credentials or can manipulate LDAP referral destinations. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis.
Server-Side Request Forgery in Jenkins Active Directory Plugin 2.41 and earlier enables a highly privileged attacker to abuse the plugin's default LDAP referral-following behavior to force Jenkins to issue out-of-band requests to attacker-controlled or internal network hosts. The vulnerability (CWE-918) stems from the plugin not restricting LDAP referrals by default, which can be weaponized to pivot from the Jenkins server into internal infrastructure. No public exploit code exists and SSVC confirms no known active exploitation, but the technical impact is rated total - confidentiality, integrity, and availability are all at risk if exploitation succeeds.
Unconstrained LDAP referral following in Jenkins LDAP Plugin (≤ 807.v7d7de30930cf) enables Server-Side Request Forgery, allowing a highly privileged attacker who controls LDAP configuration to force the Jenkins server to initiate connections to arbitrary internal hosts by supplying a malicious LDAP server that returns crafted referrals. The CVSS score of 6.6 reflects genuine constraints: network-reachable but requiring both high privileges and high attack complexity, with High confidentiality, integrity, and availability impact if those barriers are cleared. SSVC assessment confirms no current exploitation and a non-automatable attack path, though technical impact is rated total; no public exploit code has been identified at time of analysis.
Unauthenticated manipulation of hidden input fields in Ads by WPQuads WordPress plugin (versions through 3.0.2) allows remote attackers to bypass input validation controls, producing low-severity integrity and availability impact. The root cause is CWE-1284 (Improper Validation of Specified Quantity in Input), enabling attackers to supply out-of-range or unexpected quantity values that the plugin fails to reject. EPSS is 0.06% (18th percentile), no public exploit code has been identified, and the vulnerability is not listed in CISA KEV, placing this firmly in lower-priority triage.
Input data manipulation in the Ads by WPQuads WordPress plugin (slug: quick-adsense-reloaded) versions up to and including 3.0.2 allows unauthenticated remote attackers to submit improperly validated input, resulting in low-impact integrity and availability degradation. Discovered and reported by Patchstack (audit@patchstack.com) and tracked under ENISA EUVD-2026-32183, this vulnerability carries a CVSS 6.5 base score. No public exploit code has been identified at time of analysis, and EPSS places exploitation probability at just 0.06% (18th percentile), indicating low real-world exploitation pressure currently.
XPath injection in pam_usb prior to 0.9.0 allows unauthenticated remote attackers to manipulate device-verification queries against /etc/pamusb.conf, potentially bypassing USB hardware authentication entirely. PAM usernames and service names submitted through network-facing services such as SSH are passed unsanitized into XPath expressions; injecting predicates such as `' or @id='victim` causes the device-presence check to evaluate as true without the USB token physically present. No public exploit identified at time of analysis, though the GitHub security advisory, fix commit, and injection test cases demonstrating the technique are publicly available.
Authenticated denial-of-service in IBM Db2 for Linux, UNIX, and Windows allows a low-privileged network user to crash database availability by submitting specially crafted data queries against the Fenced environment. The vulnerability affects IBM Cloud APM Base Private 8.1.4 and Advanced Private 8.1.4, which bundle Db2 as a backend component. No public exploit has been identified at time of analysis, and the CVSS score of 6.5 reflects meaningful but bounded risk due to the authentication prerequisite.
LiquidJS (npm package, versions through 10.25.7) has a complete bypass of its `renderLimit` time-budget defense when processing `{% for %}` or `{% tablerow %}` tags with empty bodies, enabling any low-privileged template author to stall a Node.js event-loop thread for an attacker-controlled duration. Because Node.js is single-threaded, a stall of 2-10+ seconds on one worker blocks all concurrent in-flight HTTP requests on that process, making this a practical denial-of-service vector in SaaS and multi-tenant platforms. A public proof-of-concept is included in the GitHub Security Advisory (GHSA-8xx9-69p8-7jp3) and was reproduced against liquidjs@10.25.7; no patch has been released as of this analysis.
Path traversal in the asperahttpd HTTP component of IBM Aspera High-Speed Transfer Endpoint and Server (versions 3.7.4 through 4.4.7 Fix Pack 1) enables authenticated network users to read arbitrary files from the server's local filesystem beyond their authorized scope. The vulnerability is classified CWE-22 and carries a CVSS 6.5 medium score, reflecting high confidentiality impact with no integrity or availability exposure. No public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation status as none with partial technical impact, suggesting limited immediate threat despite the sensitive nature of file read primitives in a file-transfer product.
Denial-of-service via uncontrolled recursion in the IBM i Integrated Language Environment (ILE) compiler affects versions 7.3, 7.4, 7.5 (≤12.1.4), and 7.6 (≤11.5.9). An authenticated network attacker can crash or hang the ILE compiler by submitting specially crafted source code containing a specific combination of statements that triggers infinite or deeply nested recursive processing. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low complexity and authenticated-only barrier makes this plausible for insider threat or compromised credential scenarios.