Information disclosure in OTRS Document Search Article Meta Filters modules (present in both STORM-powered OTRS and standalone OTRS 2026.x) permits authenticated low-privileged users to enumerate metadata - specifically the count of Configuration Items (CIs), SLAs, and services - for objects they are not authorized to access. Affected versions span OTRS with STORM modules 7.0.X through 2026.X before 2026.4.X, making this a broad version-range exposure with a low CVSS score of 3.5. No public exploit identified at time of analysis and the vulnerability has not been added to the CISA KEV catalog.
Improper access control in Nextcloud Talk's signaling layer allows a low-privileged authenticated user to forcibly mute other participants' microphones during calls on deployments without the High-performance Backend. The vulnerability exists in SignalingController::sendMessages(), which processed 'control' type signaling messages without first validating that the target session (decodedMessage['to']) was a legitimate room participant - allowing session-targeted control commands to reach arbitrary users. No public exploit or CISA KEV listing exists at time of analysis, and real-world impact is limited to call disruption with no data exposure.
Unauthorized file injection in the Nextcloud end-to-end encryption application (versions 1.15.0-1.18.x) allows a low-privileged user possessing a valid E2EE files drop share link to write files into other E2EE-encrypted folders owned by the same share owner. The impact is strictly integrity-limited - confidentiality is unaffected and existing files cannot be read or modified - consistent with the CVSS score of 3.5 (Low). No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog; it was responsibly disclosed via HackerOne report #3304830.
Open redirect in Nextcloud's user_oidc plugin (versions 6.1.0 through 8.2.1) allows attackers to craft OIDC login links that silently redirect victims to arbitrary external websites upon successful authentication. The root cause is insufficient redirect URL sanitization in LoginController.php - a single regex stripping the protocol and domain could be bypassed using protocol-relative URLs (e.g., //attacker.com), which browsers resolve as full external URLs. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV; however, the phishing potential via trusted login flows warrants prompt patching in user-facing Nextcloud deployments.
Information disclosure in the Nextcloud Approval app prior to version 2.7.2 allows authenticated users to enumerate whether arbitrary files are enrolled in approval workflows, regardless of their access rights to those files. The root cause (CWE-200) is a missing file-access authorization check in ApprovalService.php before workflow association queries are processed, confirmed by the patch diff in PR #356. No public exploit exists and no active exploitation is confirmed; the practical impact is limited to organizational workflow metadata leakage rather than file content exposure.
Android's AppOpsService (AppOpsService.java) exposes protected system or user information to low-privileged local applications due to missing permission checks across multiple functions, enabling unauthorized information disclosure without requiring additional execution privileges. Affected versions span Android 14 through Android 16-QPR2, representing a broad swath of active Android deployments in use today. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV); SSVC rates exploitation as none with only partial technical impact, placing this at low urgency for most organizations.
Local information disclosure in Google Android's ResourceTypes.cpp affects Android 14, 15, and 16 (including 16-QPR2) via an incorrect bounds check in the setTo function that enables an out-of-bounds read. An authenticated local attacker holding a standard user account can trigger this flaw without user interaction, potentially leaking sensitive memory contents from the process. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Local information disclosure in Android's Bluetooth stack allows a low-privileged application to bypass permission enforcement in handleBondStateChanged of AdapterService.java, exposing sensitive Bluetooth bonding state data without requiring any user interaction. Affected versions include Android 15, Android 16, and Android 16-qpr2, as confirmed by the June 2026 Android Security Bulletin and EUVD-2026-33779. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, placing it in the lower tier of operational priority despite the permission bypass nature of the flaw.
Lockdown mode bypass in Google Android exposes protected information via a logic error in KeyguardViewMediator.java that allows screen pinning to circumvent lockdown protections. Affected versions span Android 14, 15, 16, and 16-qpr2, with exploitation requiring only local low-privileged access and no user interaction. No public exploit has been identified at time of analysis, and the CVSS score of 3.3 reflects a limited-scope, local-only confidentiality impact.
Improper privilege management in Android 16 and 16-QPR2 allows a local low-privileged user to override credential provider settings across user profiles by exploiting a permissions bypass in the `updateProvidersWhenServiceRemoved` method of `CredentialManagerService.java`. The CVSS vector confirms local-only exploitation (AV:L) by an authenticated low-privilege account (PR:L) with no user interaction required, yielding limited confidentiality impact. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Deserialization restriction bypass in QOS.CH Sarl logback-core affects all versions through 1.5.33, allowing unauthenticated network attackers with the ability to influence serialized data to instantiate Java Proxy objects via SimpleSocketServer or SimpleSSLSocketServer. Despite the 'RCE' tag in source intelligence, the vendor explicitly states that no practical path to remote code execution or significant privilege escalation has been identified - this is a security boundary bypass of the HardenedObjectInputStream defense mechanism, not a full compromise vector. A proof-of-concept exists (CVSS E:P), though CVSS 4.0 scores the overall risk at 2.9 due to high attack complexity and prerequisite deployment conditions.
Nextcloud Server's Circles app exposes a missing access control check on the member-add API endpoint, allowing an authenticated user to add an arbitrary circle - identified only by its internal ID - as a member of another circle without verifying that the requesting user has any relationship to the target circle. Affected versions span 32.0.0-32.0.6 and 33.0.0, with Enterprise editions from 29.x through 31.x also impacted. Exploitation is severely constrained by the 62^15 entropy of circle IDs, making the vulnerability practically exploitable only when an attacker has obtained a valid circle ID through a separate information-disclosure path, at which point they could track or infer circle membership relationships. No public exploit exists and this is not listed in CISA KEV.
Nextcloud Collectives versions 2.6.0 through 4.3.0 (exclusive) exposes deleted collective pages to unauthorized guests via a missing permission check in the public trash controller. Guests granted view-only access to a shared collective can bypass deletion-based access controls by directly querying trashbin endpoints, reading content that was intentionally removed. CVSS scores this at 2.6 (Low) with no public exploit identified at time of analysis and no CISA KEV listing, placing real-world priority at the lower end of the risk spectrum.
Cross-site request forgery in the DeepAI platform's account management API allows unauthenticated remote attackers to change an authenticated user's registered email address, enabling full account takeover. The POST endpoint at https://api.deepai.org/change_user_email accepts state-changing requests without any CSRF token or origin validation, meaning a browser will automatically include session credentials when the request is triggered from a third-party page. The vulnerability was fixed server-side on 2026-05-20 per the CVE description; no public exploit or CISA KEV listing is associated with this CVE at time of analysis.
Server-side request forgery in JeecgBoot versions up to 3.9.1 allows authenticated remote attackers to manipulate the `FileDownloadUtils.download2DiskFromNet` function via the `/airag/app/debug` endpoint, coercing the server into issuing arbitrary HTTP requests - including to cloud instance metadata services that may expose cloud credentials. Publicly available exploit code exists (confirmed by CVSS 4.0 E:P modifier and CVE description), though no active exploitation is confirmed by CISA KEV. The CVSS 4.0 score of 2.1 reflects constrained scope and the low-privilege authentication requirement, but defenders on cloud infrastructure using IMDSv1 should treat the real-world impact as potentially higher than the score suggests.
Server-side request forgery in JeecgBoot up to 3.9.2 allows low-privileged remote attackers to make the application server issue arbitrary outbound HTTP requests via the unvalidated `baseUrl` parameter in the `/airag/airagModel/test` endpoint. Publicly available exploit code exists (E:P in CVSS 4.0 vector), though no active exploitation has been confirmed by CISA KEV. Impact is rated low across confidentiality, integrity, and availability (VC:L/VI:L/VA:L), but SSRF primitives in low-code platforms can enable internal network reconnaissance and lateral movement against services inaccessible from the internet. No vendor-released patch has been issued at time of analysis - a fix is planned for an upcoming release.
Server-side request forgery in JeecgBoot up to version 3.9.2 allows remote authenticated attackers to induce the server to issue arbitrary outbound HTTP requests via the WordUtil.addImage function at the /airag/word/edit endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-accessible, low-complexity exploitation requiring only low-privilege credentials with no user interaction needed. Publicly available exploit code exists (E:P in CVSS vector; publicly disclosed per description), and no vendor-released patch has been issued at time of analysis - only a fix planned for an upcoming release.
SQL injection in itsourcecode Content Management System 1.0 exposes the /instructions.php endpoint to database manipulation via the unsanitized topic_id parameter. Low-privileged remote attackers can read, modify, or delete data within the application's database scope. A public proof-of-concept exploit has been published (VulDB submission 823558 / GitHub issue), lowering the exploitation barrier, though the CVSS 4.0 score of 2.1 reflects limited blast radius due to low-impact CIA triad ratings and the low-privilege prerequisite.
SQL injection in OFCMS 1.1.3 enables authenticated remote attackers to manipulate database queries through the JSON Query Interface exposed in SysUserController.java. Publicly available exploit code exists (confirmed by CVSS 4.0 E:P modifier and the CVE description), raising the practical risk above what the low CVSS 4.0 score of 2.1 implies. The project maintainers were notified via a Gitee issue report but have not responded, meaning no vendor patch exists at time of analysis - defenders must rely entirely on compensating controls.
SQL injection in OFCMS 1.1.3's JSON Query Interface allows authenticated remote attackers to manipulate database queries via the `Query` function in `SystemParamController.java`. A public proof-of-concept exploit has been released (CVSS E:P confirmed), while the vendor has not responded to the responsible disclosure report, leaving the vulnerability unpatched. The CVSS 4.0 score of 2.1 reflects low-privilege authentication requirements and limited blast radius, but the existence of public exploit code and the absence of any vendor patch elevates practical concern for deployments with internet-exposed admin interfaces.
SQL injection in OFCMS 1.1.3 allows remote low-privileged attackers to manipulate database queries through the Query function of SystemDictController.java's JSON Query Interface. Attackers with a valid low-privilege account can send crafted input to this endpoint to read, modify, or partially disrupt data within the application's database scope. No public exploit identified at time of analysis beyond publicly available proof-of-concept code; the project maintainer has not responded to the responsible disclosure filed via Gitee issue, leaving the vulnerability unpatched.
SQL injection in itsourcecode Content Management System 1.0 allows authenticated remote attackers to manipulate database queries via the topic_id parameter in /admin/edit_topic.php. The CVSS 4.0 vector (PR:L) confirms a low-privileged authenticated account is sufficient to trigger the injection, which yields limited but real confidentiality, integrity, and availability impact against the underlying database component. Publicly available exploit code exists (E:P), though no active exploitation has been confirmed by CISA KEV.
SQL injection in SourceCodester Water Billing Management System 1.0 exposes the User Management Module to database manipulation by authenticated administrators via the ID parameter at /admin/?page=user/manage_user. A publicly available proof-of-concept exploit exists per the CVSS E:P supplemental metric and a researcher's GitHub advisory. Despite network reachability, practical impact is low across confidentiality, integrity, and availability, and exploitation is gated behind high administrative privileges, earning a CVSS 4.0 base score of 2.0.
Path traversal in whatsapp-mcp 0.0.1 exposes arbitrary server files to authenticated adjacent-network attackers via the `mediaPath` argument of the Send API endpoint (`/api/send`). The `sendWhatsAppMessage` function in `whatsapp-bridge/main.go` passed the caller-supplied path directly to `os.ReadFile()` without sanitization, allowing traversal sequences to reference files outside any intended directory. A proof-of-concept exploit has been publicly disclosed (CVSS 4.0 E:P), though no active exploitation is confirmed and no CISA KEV listing exists. The overall CVSS 4.0 score of 2.0 reflects narrow real-world impact: adjacent-network exposure only, low confidentiality loss, and no integrity or availability impact.
Integrity bypass in Siemens kas (pip/kas < 5.3) allows an attacker who controls a referenced external git repository to substitute arbitrary commit content by creating a branch whose name matches the commit SHA recorded in a kas configuration file. Because kas passed the raw SHA string to `git checkout` without forcing disambiguation to a commit object, git resolves a branch of that name instead of the pinned commit, defeating the integrity guarantee users rely on. The primary impact falls on SHA-256 commit IDs; SHA-1 commits face a related but distinct risk through hash-collision substitution. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.