Memory leak in the Linux kernel's Qualcomm ASoC q6apm-lpass-dai audio driver allows a local low-privileged user to exhaust kernel memory by repeatedly invoking the ALSA prepare callback, which opens multiple APM graphs on the playback path without corresponding release. Affected systems are limited to those running Qualcomm LPASS audio hardware across several Linux stable branches (6.6.x, 6.9.x, 6.10, 6.12.x). No public exploit exists and EPSS at 0.02% (5th percentile) reflects negligible real-world exploitation interest; the practical impact is local denial of service on Qualcomm SoC-equipped devices.
System hang vulnerability in the Linux kernel's libwx (WangXun) network driver affects systems using SR-IOV Virtual Functions. During VF initialization, the driver attempts to read register WX_CFG_PORT_ST, which is restricted to Physical Functions only; this illegal register access causes the system to hang, resulting in a complete denial of service. No public exploit exists and EPSS is 0.02%, but any system running a WangXun NIC with SR-IOV enabled and attaching a VF is directly exposed.
The Linux kernel SMB client transmits uninitialized kernel heap data in the reserved Sbz2 field of Windows ACL security descriptors to remote Samba servers, causing chmod operations on SMB-mounted filesystems to fail with EINVAL. This regression was introduced by commit 62e7dd0a39c2d, which split a struct field but left a newly created 2-byte reserved field unpopulated due to use of kmalloc() instead of kzalloc(). No public exploit exists (EPSS 0.02%, no KEV listing); the practical impact is an operational disruption of file permission management on Samba-backed mounts, with a secondary minor information disclosure of heap contents to the remote server.
Kernel stack information leak in Linux rtnetlink's rtnl_fill_vfinfo() exposes up to 26 bytes of uninitialized kernel stack memory to any unprivileged local user on systems with SR-IOV NICs. The flaw exists because struct ifla_vf_broadcast (32 bytes) is declared on the stack without zeroing, only the first 6 bytes are filled via memcpy on Ethernet devices, and the full struct is transmitted to userspace via RTM_GETLINK responses. No public exploit is identified at time of analysis and EPSS is 0.02% (5th percentile), but the attack is trivially repeatable without any special privileges, making it a practical KASLR bypass primitive or sensitive-data harvesting tool on multi-tenant or shared-access Linux systems.
Availability impact in Linux Kernel KVM's x86 nested virtualization subsystem allows a low-privileged user operating within an L2 (nested) guest to trigger a host kernel denial-of-service via incorrect hypercall handling. The root cause is an incorrect guard condition in slow-flush hypercall paths: KVM checks `is_guest_mode(vcpu)` before calling `translate_nested_gpa()`, but that translation function is only valid when the L2 guest is running with nested EPT/NPT actually enabled - not merely when guest mode is active. No public exploit has been identified at time of analysis, and EPSS exploitation probability is 0.02% (5th percentile). Vendor-released patches are available across multiple stable branches.
Denial-of-service in the Linux kernel IPMI subsystem allows a system crash when the BMC (Baseboard Management Controller) returns a malformed empty event message buffer instead of a proper error code. The kernel's IPMI driver defers response size validation to later processing stages rather than checking immediately upon receipt, causing it to process invalid data from certain non-compliant BMC firmware. No public exploit exists and EPSS is 0.02% (5th percentile); the trigger is hardware-driven misbehavior rather than deliberate attacker input, but the availability impact is high (kernel panic). Patched kernel versions are available across multiple stable branches.
NULL pointer dereference in the Linux kernel's RDMA/ocrdma driver crashes systems running Emulex OneConnect RDMA adapters. The flaw exists in `ocrdma_copy_pd_uresp()`, where error-path code dereferences `pd->uctx` before it is initialized, producing a kernel panic and complete system unavailability when triggered. No public exploit code has been identified and EPSS sits at 0.02% (5th percentile), reflecting very low exploitation probability at this time; however, the local low-privilege vector means any unprivileged user on an affected system with ocrdma hardware present could trigger the crash.
Improper error-path cleanup in the RDMA/mana driver's `mana_ib_create_qp_rss()` function allows a local low-privileged user on Azure VMs with Microsoft MANA NICs to crash the kernel. Two logic bugs in the WQ table unwind - a redundant `i--` that skips a cleanup iteration, and a missed `mana_destroy_wq_obj()` call when `mana_ib_install_cq_cb()` fails - leave kernel objects in a dangling state, producing a high-availability (DoS) impact. No public exploit exists and EPSS is at the 5th percentile; this vulnerability is not in CISA KEV.
Memory leak in the Linux kernel USB ULPI subsystem allows a local low-privilege attacker to gradually exhaust kernel memory by repeatedly triggering registration failures in the ulpi_register() function. A prior fix for a double-free (commit 01af542392b5) removed the kfree(ulpi) call on the device_register() failure path but inadvertently left the allocation unreleased when ulpi_of_register() or ulpi_read_id() fail before device_register() is ever reached. No public exploit exists and EPSS is 0.02%, indicating minimal real-world exploitation pressure; however, patched kernel stable releases are available across all supported branches.
Denial of service in the Linux kernel's IPMI SI (System Interface) driver results from improper state machine recovery when message allocation fails, leaving the driver stuck in a non-normal state and rendering the IPMI subsystem non-functional. Locally authenticated users with low privileges on affected systems with an active ipmi_si module can trigger this condition, typically under memory-pressure scenarios. No public exploit has been identified at time of analysis; EPSS at 0.02% (5th percentile) confirms negligible exploitation interest, and patches are available across multiple stable kernel branches.
Three concurrent race conditions in the Linux kernel's eventfs subsystem (tracefs) can be triggered during remount operations, leading to kernel denial-of-service via LIST_POISON1 pointer dereference or use-after-free. Systems running affected kernel versions with tracefs mounted are vulnerable when a local user with sufficient privilege simultaneously remounts the filesystem while kprobe events are being added or removed. No public exploit code has been identified at time of analysis, and EPSS at 0.02% (5th percentile) indicates very low observed exploitation probability.
Memory leak in the Linux kernel's spi: ch341 USB-to-SPI driver allows a local user to degrade system availability by triggering driver unbind without physical device disconnection. The defect lies in incorrect devres (device-managed resource) lifetime scoping - resources are anchored to the parent USB device rather than the USB interface, so they are not released when the driver unbinds during events such as probe deferral or runtime configuration changes. No public exploit has been identified at time of analysis, and an EPSS score of 0.02% (4th percentile) indicates negligible exploitation probability in the near term.
Memory leak in the Linux kernel's drm/xe Intel Xe GPU driver allows a local, low-privileged user to exhaust kernel memory by repeatedly triggering DMA buffer import failures, leading to denial of service. The bug resides in xe_dma_buf_init_obj(), where a pre-allocated buffer object (bo) is not freed when drm_gpuvm_resv_object_alloc() fails, due to ambiguous ownership semantics between the caller and callee on error paths. No public exploit exists and EPSS probability is extremely low at 0.02% (4th percentile), placing this in the maintenance-priority category rather than urgent remediation for most environments.
Memory leak in the Linux kernel's EDAC/versalnet driver allows a local low-privileged user to gradually exhaust kernel heap memory, rated CVSS 5.5 with high availability impact. The flaw exists in init_one_mc() where a kzalloc()-allocated device name string becomes permanently unreachable after device_register() copies and nullifies the pointer, preventing any subsequent free on device removal. No public exploit identified at time of analysis; EPSS at 0.02% (4th percentile) confirms this is a low-exploitation-probability defect rather than an actively targeted vulnerability.
Kernel crash (denial of service) in the Linux kernel's hid-appletb-kbd driver results from calling a mutex-acquiring function from softirq and IRQ atomic contexts on Apple Touch Bar MacBooks running Linux. Authenticated local attackers with low privileges can trigger a kernel BUG by inducing Touch Bar inactivity or generating HID events that exercise the broken brightness-reset path, crashing the system. No public exploit has been identified and EPSS is 0.02% (4th percentile), reflecting the niche hardware requirement; patches are available in kernel versions 6.18.32, 7.0.9, and 7.1-rc4.
Denial of service in the Linux kernel's Microchip Core QSPI driver corrupts SPI transfers on systems using this controller. The spi-microchip-core-qspi driver incorrectly attempts to transmit garbage data during emulated read-only dual/quad SPI operations - a protocol violation, since QSPI lacks a dedicated MOSI line and the core hardware is expected to generate read clock cycles autonomously. The result is a bricked (permanently failed) SPI transfer, causing availability loss for any kernel component or userspace process depending on that SPI bus. No public exploit exists and EPSS probability is 0.02%, consistent with a hardware-specific, locally-triggered driver defect.
Kernel stack memory disclosure in the Linux kernel's pseries/papr-hvpipe driver exposes up to 43 bytes of uninitialized stack data to unprivileged local users on IBM Power (pseries) systems. The `struct papr_hvpipe_hdr` reserved padding fields (`reserved[3]` and `reserved2[40]`) are never zeroed before `copy_to_user()` copies the full structure to userspace, allowing a local attacker to harvest stale kernel stack contents - potentially including ASLR offsets or residual cryptographic material. No public exploit exists and no CISA KEV listing applies; EPSS at 0.02% (4th percentile) reflects low exploitation probability consistent with the narrow pseries-only deployment scope. Vendor-released patches are confirmed in stable branches 6.18.30, 7.0.7, and 7.1-rc3.
Memory leak in the Linux kernel's RISC-V KVM vector context allocation allows a local low-privileged attacker to exhaust kernel memory, causing denial of service on RISC-V hypervisor hosts. The flaw exists in kvm_riscv_vcpu_alloc_vector_context() where a failed second kzalloc call (host_context.vector.datap) returns an error without freeing the first allocation (guest_context.vector.datap), accumulating unreleased kernel memory across repeated vCPU creation attempts. No public exploit exists and no active exploitation is confirmed; EPSS at 0.02% (4th percentile) reflects the narrow RISC-V KVM deployment surface.
The MPTCP (Multipath TCP) path manager in the Linux kernel mishandles socket reference counting during ADD_ADDR retransmission timer callbacks, resulting in a local denial-of-service. When the retransmit timer fires and holds the last reference to a socket, calling __sock_put() instead of sock_put() leaks the socket; and if sock_put() is used without first marking the timer done, the resulting sk_free() call invokes sk_stop_timer_sync() on the same in-flight timer, causing the kernel to wait indefinitely. No public exploit has been identified at time of analysis; EPSS is 0.02% (4th percentile), and the vulnerability is not listed in CISA KEV.
Socket reference count leak in the Linux kernel MPTCP path manager allows a local low-privilege attacker to cause kernel resource exhaustion and denial of service by repeatedly triggering ADD_ADDR retransmission events. Affected versions span from Linux 5.10 through 7.1-rc2, with patches confirmed available in stable releases 6.18.30, 7.0.7, and 7.1-rc3. No public exploit has been identified and EPSS probability is negligible at 0.02%, placing this firmly in routine maintenance priority rather than emergency response.
Incorrect hardware chip-select management in the Linux kernel spi/microchip-core-qspi driver causes the built-in hardware CS line to assert spuriously during SPI transactions directed at GPIO-managed chip selects on multi-device coreQSPI controllers. Systems using Microchip coreQSPI IP hardware with two or more attached SPI devices - where at least one device uses the built-in hardware CS - are subject to unintended bus assertion that can crash or disrupt SPI-dependent peripherals, producing a high-availability impact. No public exploit exists and EPSS stands at 0.02% (4th percentile), consistent with the narrow embedded-hardware topology required for manifestation; the vulnerability is not in CISA KEV.
Two distinct bugs in the Linux kernel's pKVM (protected KVM) arm64 vCPU initialization path allow a local low-privileged user to cause persistent resource pin leaks and observe partially initialized memory objects. The pin leak (Bug 1) occurs when an error path in __pkvm_init_vcpu() jumps to cleanup without releasing hyp_pin_shared_mem() references on host vCPU and SVE state pages, permanently exhausting pin references and ultimately degrading or crashing the hypervisor subsystem. A separate memory ordering flaw (Bug 2) uses a bare store to publish the vCPU pointer into hyp_vm->vcpus[], allowing a concurrent pkvm_load_hyp_vcpu() caller to read a partially initialized vCPU object. No active exploitation has been identified and EPSS is 0.02%, consistent with a kernel subsystem bug affecting a specialized configuration rather than a broadly targeted attack surface.
Memory leak in the Linux kernel's powerpc XIVE interrupt subsystem causes progressive kernel heap exhaustion on IBM POWER9+ systems when MSI-X vectors are allocated and then freed for PCI devices such as NVMe controllers. The regression was introduced by commit cc0cc23babc9 which refactored the XIVE/child interrupt controller relationship: xive_irq_free_data() subsequently used the wrong domain lookup path, causing every allocated struct xive_irq_data (64 bytes) to be orphaned on irqdomain teardown. No public exploit is identified and EPSS stands at 0.02% (4th percentile), consistent with the narrow hardware-specific scope and local-only access requirement.
NULL pointer dereference in the Linux kernel's cros_ec_typec driver crashes the kernel when a Thunderbolt alternate mode operation is processed on affected ChromeOS devices. The flaw originates in cros_typec_register_thunderbolt(), which allocates the adata structure but omits mutex_init(&adata->lock); when cros_typec_altmode_work() later acquires that uninitialized mutex, the kernel dereferences a NULL or garbage pointer and panics. No public exploit code exists and EPSS of 0.02% (4th percentile) reflects the narrow hardware prerequisite and strictly local-only attack surface; the vulnerability is not listed in CISA KEV.
Null pointer dereference in the Linux kernel's pseries/papr-hvpipe subsystem crashes IBM POWER/pSeries hosts via a local ioctl call. The flaw was introduced by commit 6d3789d347a7, which refactored papr_hvpipe_dev_create_handle() to use FD_PREPARE() but left src_info accessible after retain_and_null_ptr() nulled it, causing a write to address 0x0 when the pointer is subsequently used in the global list insertion path. Exploitation requires local low-privileged access on pSeries hardware; no public exploit exists and EPSS is 0.02%, indicating negligible opportunistic exploitation risk.
SELinux socket permission helpers in the Linux kernel misread security blob data in stacked LSM configurations, causing kernel crashes or incorrect AVC (Access Vector Cache) decisions. Specifically, sock_has_perm() and nlmsg_sock_has_extended_perms() dereference sk->sk_security directly under the assumption that the SELinux blob always sits at offset zero, which fails when another LSM allocates socket blob storage ahead of SELinux in a stacked configuration. No public exploit has been identified at time of analysis, EPSS is 0.02%, and patches are available for Linux 6.18.30 and 7.0.7.
Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authenticated, unprivileged user to crash the system. The flaw resides in Ubuntu-specific SAUCE patches - out-of-tree modifications maintained by Canonical - meaning the vulnerable code path does not exist in upstream mainline kernels. With a CVSS score of 5.5 and an availability-only impact, the practical consequence is a local denial-of-service: any low-privilege user with shell access can force a kernel panic. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis.
Memory exhaustion via AppArmor notification handling affects Ubuntu Linux kernel versions carrying Ubuntu-specific SAUCE patches (6.8, 6.17, 7.0). An unprivileged local user can trigger a memory leak by eliciting large responses to AppArmor userspace notifications, repeatedly consuming kernel memory without release. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified, but the low-privilege local trigger lowers the bar for insider or co-tenant abuse in multi-user and container environments.
Kernel availability loss in Ubuntu Linux 6.8, 6.17, and 7.0 can be triggered by any unprivileged local user via a defect in Ubuntu-specific AppArmor SAUCE patches, where notification handling code incorrectly sleeps while holding a spinlock. Violating this kernel locking invariant results in kernel panic or deadlock, causing a full system crash or hang. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low-complexity, low-privilege trigger conditions make it a realistic denial-of-service risk on any multi-user Ubuntu system running the affected kernel versions.
Out-of-bounds read in Ubuntu Linux kernels 6.8, 6.17, and 7.0 exposes adjacent slab allocator memory to any local low-privileged user. The flaw originates in Canonical's Ubuntu-specific AppArmor SAUCE patches, which incorrectly validate the size of an internal structure during notification handling, enabling controlled reads past the intended memory boundary. No public exploit identified at time of analysis, and exploitation is strictly local; however, C:H in the CVSS vector confirms that successful exploitation can yield high-sensitivity kernel or cross-process data from slab neighbors.
Path traversal in the `shame next` subcommand of shamefile (pip/npm/Rust) allows an attacker who controls a `shamefile.yaml` to read one line at a time from any file accessible to the user running the command, including files outside the repository. Affected versions are 0.1.6 and earlier across all three package ecosystems; the fix in 0.1.7 eliminates disk reads entirely by rendering snippets from the registry's cached `content` field. No public exploit identified at time of analysis, and no CISA KEV listing, but the patch commit fully documents the vulnerable code path.
{block_id}/execute endpoint, which skips the credit validation logic present in manager.py. An attacker with a low-privilege account - including one with zero remaining credits - can exploit this to exhaust platform resources and obtain unlimited AI execution at the operator's expense. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Universal Cross-Site Scripting (UXSS) in Google Chrome on iOS prior to 148.0.7778.216 enables a remote unauthenticated attacker to inject arbitrary scripts or HTML into the browser context by convincing a target user to perform specific UI gestures on a crafted HTML page. The vulnerability stems from an inappropriate implementation in Chrome's iOS-specific code layer (CWE-79), and while UXSS attacks typically carry cross-origin escalation potential, the CVSS S:U (Unchanged scope) rating suggests cross-origin impact is not confirmed by the scoring authority. No public exploit or active exploitation has been identified at time of analysis; EPSS at 0.06% places this in the 17th percentile of exploitation likelihood.
Algorithm allow-list bypass in PyJWT 2.9.0-2.12.1 permits an attacker who controls a registered JWK/JWKS private key to circumvent caller-enforced algorithm restrictions during JWT signature verification. The library correctly checks the token header's alg claim against the caller-supplied allow-list, but then performs the actual cryptographic verification using the algorithm bound to the PyJWK object rather than the header-declared algorithm - creating a exploitable mismatch. Specifically, the documented PyJWKClient.get_signing_key_from_jwt() flow is affected, meaning applications relying on this pattern for algorithm-restricted JWT validation may accept tokens signed with algorithms they explicitly prohibited. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Keycloak's ClientRegistrationAuth component can be crashed by a remote unauthenticated attacker through a specially crafted POST request bearing a malformed 'Authorization: Bearer' header, triggering an unhandled ArrayIndexOutOfBoundsException and returning HTTP 500 to all subsequent callers of the affected endpoint. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero prerequisites for exploitation beyond network reachability, making any publicly exposed Keycloak client registration endpoint a viable target. No public exploit has been identified at time of analysis and no EPSS data was supplied, but the trivial attack mechanics mean no specialized tooling is required to reproduce the denial of service.
Path prefix stripping in Hono's app.mount() API exposes mounted sub-applications to incorrect routing due to a raw-vs-decoded URL path inconsistency, potentially allowing unauthenticated remote attackers to reach unintended endpoints and disclose protected information. All Hono versions prior to 4.12.21 are affected across every supported JavaScript runtime. No public exploit or CISA KEV listing exists at time of analysis; however, the CVSS vector AV:N/AC:L/PR:N/UI:N and the 'Information Disclosure / Request Smuggling' classification make this a meaningful priority for any deployment that relies on mount-prefix path logic for access segregation.
Memory disclosure in Google Chrome's Media component on ChromeOS allows a remote attacker who has already compromised the renderer process to read potentially sensitive data from process memory via a specially crafted HTML page. Affected versions are all Chrome builds prior to 148.0.7778.216 on ChromeOS. This vulnerability is a chaining primitive - it cannot be exploited standalone and requires a prior renderer compromise, placing it in the context of multi-stage attack chains rather than direct exploitation. No public exploit code exists and no active exploitation has been identified at time of analysis.
IP restriction bypass in Hono's ip-restriction middleware (hono/ip-restriction) prior to version 4.12.21 allows unauthenticated remote attackers to circumvent configured deny and allow rules by submitting non-canonical IPv6 representations of restricted addresses. String equality comparison applied after only partial normalization means that compressed, explicit-zero, or hex-notation IPv4-mapped IPv6 forms of a listed address silently fail to match the normalized rule entry, causing enforcement to be skipped entirely. No public exploit has been identified at time of analysis, but the bypass requires only trivial reformatting of a standard IPv6 address, making it practically low-effort for any attacker aware of the flaw.
Partial denial-of-service in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated remote attackers to degrade availability of the Core component via HTTPS. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the vulnerability is trivially reachable with no authentication, no user interaction, and no special conditions, making automated scanning and opportunistic exploitation straightforward despite the limited availability-only impact. No public exploit code and no CISA KEV listing have been identified at time of analysis, and Oracle disclosed this through its May 2026 Critical Patch Update.
Uncontrolled resource consumption in PyJWT 2.8.0-2.12.1 exposes any service that verifies detached JWS tokens to unauthenticated denial-of-service. When the unencoded-payload extension (b64=false, RFC 7797) is in use, PyJWT unnecessarily Base64URL-decodes the compact-serialization payload segment before discarding it in favor of the caller-supplied detached payload - turning that segment into an attacker-controlled amplifier for CPU and memory exhaustion regardless of signature validity. No public exploit has been identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms fully unauthenticated remote exploitation against any affected endpoint using this feature.
Incorrect authorization in OpenStack Neutron 26.0.0 through pre-28.0.1 allows authenticated project readers to write (create and update) tags on same-project resources, exceeding their intended read-only scope. The root cause is a naming mismatch in the tagging controller: single-tag write operations are enforced using plural policy action names (e.g., 'add_tags'), while the configured policy rules use singular names (e.g., 'add_tag'). Because the plural names do not match any defined rule, OpenStack's default policy behavior evaluates the action as permitted. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV.
Expired access tokens in Kibana remain exploitable due to a logic error in expiration timestamp validation (CWE-672), allowing an unauthenticated actor who possesses an expired token to retrieve content it was originally scoped to access. The flaw affects all tracked Kibana versions per the NVD CPE wildcard, and Elastic has issued a security advisory (ESA-2026-33) with patch versions. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis. The CVSS 5.3 Medium score reflects constrained confidentiality impact with no integrity or availability consequence.
Unauthenticated network-based data integrity compromise in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows remote attackers to perform unauthorized insert, update, or delete operations against accessible ORDS data via HTTPS. The vulnerability resides in the Core component and is classified as an Authentication Bypass, meaning the access control enforcement in ORDS's request pipeline can be circumvented without credentials. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the exploit path is straightforward for any network-adjacent attacker.
RustFS distributed object storage (all versions prior to 1.0.0-beta.2) leaks sensitive credentials - including SessionTokens (JWT), SecretAccessKeys, and full JWT claim payloads - in plaintext to server logs when debug-level logging is active. Any authenticated party with read access to those log files can harvest live credentials for lateral movement or unauthorized storage access. No public exploit identified at time of analysis, but the impact of credential exposure is high if debug logging is inadvertently enabled in production. A vendor-released patch is available in 1.0.0-beta.2.
Information disclosure in Red Hat Build of Keycloak exposes client protocol type to unauthenticated remote attackers via error message enumeration. By submitting specially crafted SOAP requests targeting the SAML ECP (Enhanced Client or Proxy) endpoint with varying client IDs, an attacker can observe distinct faultstring values in server responses and map which clients use which protocol types. No authentication, user interaction, or elevated privileges are required, and the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation is straightforward against any exposed instance. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.
Timing-based user account enumeration in TREK collaborative travel planner (prior to 3.0.18) leaks the existence of registered email addresses through measurable login response latency. When an email exists in the database, the backend performs a bcrypt password comparison before returning HTTP 401, adding approximately 370 ms of latency; when the email does not exist, the backend returns immediately in approximately 10 ms - a ~14× discrepancy that is reliably detectable despite identical HTTP status codes and response bodies. CVSS AV:N/AC:L/PR:N/UI:N confirms remote unauthenticated exploitation with no special configuration required; no public exploit identified at time of analysis and this CVE is not listed in CISA KEV.
Unauthorized read access in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated remote attackers to bypass authentication controls via HTTPS and retrieve a subset of accessible data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no special conditions are needed - any network-reachable instance is potentially exploitable without credentials. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not available in the provided intelligence, limiting exploitation urgency assessment.
Unauthorized read access in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by unauthenticated remote attackers via the Mongoapi component over HTTPS. The vulnerability is tagged as an Authentication Bypass, indicating the Mongoapi endpoint fails to enforce access controls, exposing a subset of data accessible through that interface. No public exploit code and no CISA KEV listing exist at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms low-complexity, zero-authentication exploitation is feasible at scale.
MFA enforcement in Casdoor 2.362.0 and earlier is completely bypassable via the social-login binding flow, where controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable, granting fully authenticated sessions to users who should face a second factor. Remote unauthenticated attackers with access to a linked social identity provider account can exploit this to authenticate as any MFA-protected Casdoor user, nullifying MFA as a compensating control. No public exploit has been identified at time of analysis and EPSS probability is 0.02%, though SSVC classifies the attack as automatable, indicating scripted mass exploitation is technically feasible once targeting criteria are met.
Cross-tenant Insecure Direct Object Reference (IDOR) in OpenReplay Enterprise Edition allows any authenticated user from one tenant to read, update, or delete feature-flag and assist-stats data belonging to another tenant. The vulnerability exists because ProjectAuthorizer skips its tenant-scoped authorization check when the route parameter does not exactly match the camelCase string 'projectId', and EE feature-flag queries filter only on project_id without enforcing tenant_id isolation. Affecting all EE multi-tenant deployments prior to 1.26.0, no public exploit code has been identified at time of analysis, though the sequential integer ID scheme makes enumeration trivially feasible for any authenticated attacker.