Null pointer dereference in Assimp's glTF2 importer (versions up to 6.0.4) allows a local low-privileged attacker to crash any application that processes attacker-supplied 3D model files via the library. The flaw resides in the `ImportAnimations()` function, where `glTF2::LazyDict::operator[]` is invoked with animation channel node indices that are never validated for validity before dereferencing, producing a CWE-476 null pointer dereference and denial-of-service. A public proof-of-concept exploit (poc.zip) has been disclosed and an upstream patch commit is available, though no active exploitation is confirmed by CISA KEV.
JWT session cookies in Apache Airflow's JWTRefreshMiddleware are set without the Secure flag when Airflow runs behind an HTTPS-terminating reverse proxy, exposing them to network interception. Affected versions span Apache Airflow 3.0.0 through 3.2.1 (exclusive), where the middleware checked only for a local ssl_cert configuration setting to determine cookie security - missing the common deployment pattern where TLS is offloaded at a load balancer or proxy layer. An unauthenticated network adversary positioned for man-in-the-middle interception could capture a user's JWT refresh cookie and take over their authenticated session. No public exploit code or CISA KEV listing exists at time of analysis; EPSS of 0.01% reflects low automated exploitation likelihood.
Missing certificate validation during SMTP STARTTLS negotiation in Apache Airflow 2.0.0 through 3.2.1 exposes email traffic to man-in-the-middle interception. Both the core email utility (airflow.utils.email.send_email) and the SMTP provider hook (SmtpHook.get_conn, SmtpHook.aget_conn) called starttls() without an SSL context, causing Python's smtplib to accept any server certificate unconditionally. An unauthenticated network-adjacent attacker who can intercept traffic between the Airflow instance and its configured SMTP relay can present a fraudulent TLS certificate, successfully complete the upgrade handshake, and read all outbound email content in cleartext. No public exploit identified at time of analysis and EPSS is 0.01%, but the impact class is high confidentiality loss per CVSS.
Unintended internal ticket data exposure in OTRS 2026.3.1 occurs because the ticket article forwarding feature enforces the 'Is visible for customer' flag by default and provides no UI control to override it. Authenticated agents who forward ticket articles will inadvertently expose internal communications or notes to customers through the External Frontend without any warning or opt-out. No public exploit code exists and this is not listed in CISA KEV, but the high confidentiality impact (C:H in CVSS) makes this a meaningful data-leak risk for organizations handling sensitive support workflows.
SQL injection in code-projects Online Hospital Management System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `editid` parameter in /patient.php, potentially exposing or modifying patient records. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-authentication, network-accessible exploitation with no special conditions, and a public proof-of-concept has been disclosed via GitHub. While the CVSS 5.5 score reflects limited per-component impact (Low confidentiality, integrity, and availability), the absence of any access barrier combined with POC availability makes this an actionable risk for any exposed deployment.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 exposes sensitive medical data to unauthenticated remote attackers through the ID parameter of the /classes/Users.php?f=save endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote access requiring no credentials or user interaction, and a publicly available proof-of-concept exploit (E:P) further elevates real-world risk beyond the moderate 5.5 base score. No vendor-released patch has been identified, leaving all known deployments of version 1.0 exposed to data exfiltration and manipulation of patient health records.
SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /classes/Users.php?f=delete, enabling unauthorized read and write access to the underlying database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and the E:P modifier confirms publicly available exploit code exists. While CVSS impact scores are rated Low across confidentiality, integrity, and availability, the unauthenticated network accessibility combined with a live POC elevates the practical deployment risk for any internet-exposed instance.
Authorization bypass in Advanced Custom Fields (ACF®) plugin for WordPress versions up to and including 6.8.1 allows unauthenticated remote attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance. The attack requires no credentials, no user interaction, and low complexity - exploitable by anyone who can reach a page rendering a public-facing ACF front-end form. This vulnerability is not listed in the CISA KEV catalog and no public exploit code has been identified at time of analysis, but the zero-barrier attack path makes content integrity on exposed WordPress sites a real concern.
Heap-based buffer overflow in OFFIS DCMTK 3.7.0's dcmqrscp component allows remote low-privileged attackers to trigger memory corruption via the deleteOldestImages function in the DICOM Query/Retrieve database backend. Exploitation requires authenticated network access with low complexity and results in partial confidentiality, integrity, and availability impact without crossing privilege boundaries. No public exploit identified at time of analysis; an upstream git commit patch is confirmed available, though a formally tagged release version incorporating the fix has not been independently verified.
The event log detail endpoint in Apache Airflow before 3.2.2 applies a generic DAG-level audit log permission check rather than scoping authorization to the specific DAG that owns the requested event log entry, allowing any authenticated low-privilege user to read audit log entries belonging to DAGs outside their permitted scope. The flaw is a broken object-level authorization (IDOR) pattern - classified as CWE-639 - where the user-supplied `event_log_id` path parameter can reference log rows from unauthorized DAGs without triggering a rejection. No public exploit code exists and the issue is not listed in CISA KEV, but the attack is trivially executable by any authenticated Airflow user in a multi-tenant deployment.
Per-DAG RBAC bypass in Apache Airflow 3.2.0-3.2.1 allows authenticated users with restricted DAG permissions to read partitioned DAG run metadata for DAGs outside their authorized scope via the /ui/partitioned_dag_runs endpoint. The route enforced asset-level access control via requires_access_asset but omitted the parallel DAG-level check (requires_access_dag) and result-set filtering by readable DAG IDs, creating a gap in the multi-layer authorization model. No public exploit identified at time of analysis; EPSS is 0.01% (4th percentile), indicating very low exploitation probability consistent with the authenticated, information-disclosure-only impact.
{/, l, o, g} - rather than a literal prefix strip, causing the filename derived from the URL to diverge from the file actually served. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.
DAG authorization bypass in Apache Airflow 3.0.0-3.2.1 allows authenticated low-privileged users to enumerate DAG structure and cross-DAG dependency topology for DAGs they are not authorized to view, by querying the `/ui/structure/structure_data` endpoint without proper RBAC enforcement. The endpoint returned external dependency nodes and edges without applying the `ReadableDagsFilterDep` authorization filter, crossing per-DAG RBAC boundaries. No public exploit exists and EPSS is 0.01% (4th percentile); impact is confined to confidentiality of workflow topology in multi-tenant or fine-grained RBAC deployments.
Uncontrolled resource consumption in Open5GS up to version 2.7.7 allows remote low-privileged attackers to degrade availability of the NRF (Network Repository Function) component by sending crafted requests to the nf-instances SBI endpoint. The vulnerability triggers runaway resource allocation through the nf_info_pool argument in the handle_amf_info function, resulting in a denial-of-service condition against the NRF's NF instance registration and discovery services. A publicly available proof-of-concept exploit exists (E:P in CVSS 4.0 vector), though no public exploit identified at time of analysis has been confirmed by CISA KEV; the upstream issue is flagged as already-fixed.
SQL injection in Bdtask Multi-Store Inventory Management System 1.0 exposes backend database contents through the Accounts Report Handler's date-range search functionality. The vulnerability resides in the accounts_report_search function (Accounts.php), where the dtpToDate argument is passed to a SQL query without sanitization, allowing an authenticated high-privileged user to read, modify, or partially disrupt database data. Publicly available exploit code exists (CVSS 4.0 E:P), though the high-privilege prerequisite significantly limits the realistic attacker population; the vulnerability is not listed in CISA KEV.