Remote denial of service in FlexRIC v2.0.0 allows unauthenticated attackers to crash the near-RT RIC or iApp process by sending a single malformed byte over SCTP to ports 36421 or 36422. The flaw is a reachable assertion in e2ap_create_pdu() that fires before any protocol validation, affecting all three E2AP protocol versions (v1.01, v2.03, v3.01). No public exploit identified at time of analysis and EPSS is low (0.03%), but the trigger is trivial enough that public PoC could appear quickly.
Denial of service in FlexRIC v2.0.0 allows remote unauthenticated attackers to impersonate any xApp by forging the xapp_id field in E42 messages sent to the iApp on port 36422, since the value is not bound to the sender's SCTP association. Misrouted responses corrupt the red-black tree state and can crash the targeted xApp, the RIC, or the iApp itself. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 9th percentile) reflecting limited weaponization to date.
Authorization bypass in FlexRIC v2.0.0 allows a malicious xApp to delete subscriptions belonging to other xApps connected to the same iApp instance, breaking multi-tenant isolation in O-RAN deployments. The root cause is a self-comparison bug in eq_xapp_ric_gen_id() that ignores the xApp identity dimension entirely. No public exploit identified at time of analysis, and EPSS probability is very low (0.02%).
Sensitive data exposure in the Logtivity Activity Logs, User Activity Tracking, Multisite Activity Log WordPress plugin (versions up to and including 3.3.6) allows remote unauthenticated attackers to retrieve embedded sensitive information from data sent by the plugin. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable exploitation with no privileges or user interaction, though no public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Authentication bypass in the Advanced Access Manager (AAM) WordPress plugin through version 7.1.0 allows remote unauthenticated attackers to circumvent access controls via URL encoding manipulation, achieving high integrity impact on protected resources. The flaw is reported by Patchstack and tracked under CWE-290 (Authentication Bypass by Spoofing). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote denial of service in FlexRIC v2.0.0 allows unauthenticated attackers to crash the near-RT RIC by sending a forged RIC_SUBSCRIPTION_RESPONSE message to TCP port 36421 with an unknown ric_id that has no corresponding pending event. The vulnerability stems from an assert() check in the response handler that causes SIGABRT in Debug builds or a NULL pointer dereference (SIGSEGV) in Release builds. No public exploit identified at time of analysis, though the trivially low complexity and unauthenticated network reach make weaponization straightforward.
Remote denial-of-service in FlexRIC v2.0.0 near-RT RIC allows unauthenticated attackers to crash the controller (port 36421) by completing an SCTP handshake and immediately disconnecting without sending any E2AP message. The cleanup path triggers a reachable assert() because the code assumes an SCTP-association-to-E2-node mapping always exists. No public exploit identified at time of analysis, but the trigger is trivial and the CVSS vector (AV:N/AC:L/PR:N/UI:N, A:H) reflects a low-effort network attack with high availability impact.
Information disclosure in WP Document Revisions WordPress plugin versions before 4.0.0 allows unauthenticated remote attackers to access protected documents due to broken access control checks. The CVSS vector (AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:N) indicates trivially exploitable confidentiality-only impact, and no public exploit identified at time of analysis, though Patchstack has cataloged the issue with a working proof reference.
Remote denial of service in FlexRIC v2.0.0 allows unauthenticated attackers to crash the near-RT RIC (port 36421) or iApp (port 36422) by sending a valid E2AP PDU containing an unexpected number of Information Elements, triggering a SIGABRT via overly strict hardcoded assertions. The flaw affects open-source O-RAN near-real-time RAN Intelligent Controller deployments used in 5G research and testbeds, and no public exploit has been identified at time of analysis. The CVSS 7.5 reflects high availability impact with no confidentiality or integrity loss.
Remote denial-of-service in FlexRIC v2.0.0 allows unauthenticated network attackers to crash the iApp process listening on TCP port 36422 by sending a malformed E42_RIC_SUBSCRIPTION_REQUEST containing an empty ricEventTriggerDefinition field. The bug stems from inconsistent validation between the E42 decoder and the downstream E2AP encoder, which aborts via SIGABRT on the missing constraint. No public exploit identified at time of analysis, but the trivial trigger condition (single crafted message, no authentication) makes opportunistic disruption of O-RAN near-RT RIC deployments realistic.
Remote denial of service in FlexRIC v2.0.0 allows unauthenticated attackers to crash the iApp process on TCP/36421 by sending two E2_SETUP_REQUEST messages reusing the same E2 node configuration, abusing an assert()-based uniqueness check that triggers SIGABRT. The flaw affects FlexRIC, the open-source Near-RT RIC implementation from Eurecom's Mosaic5G project, with CVSS 7.5 reflecting high availability impact and no public exploit identified at time of analysis.
Remote denial of service in FlexRIC v2.0.0 allows unauthenticated attackers to crash the near-RT RIC process by sending a decodable E2AP PDU (such as E2nodeConfigurationUpdate) to port 36421, triggering an unconditional assert(0) in stub handlers for whitelisted-but-unimplemented message types. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) with SSVC indicating automatable exploitation and partial technical impact; no public exploit identified at time of analysis and the vulnerability is not in CISA KEV.
Remote unauthenticated denial of service in FlexRIC v2.0.0 allows attackers to crash the entire near-RT RIC service by sending any decodable E2AP PDU with a message type outside the 9-entry whitelist to TCP port 36422. The iApp dispatcher uses assert() for validation, so an unexpected message type triggers SIGABRT in the shared iApp/RIC process, disconnecting all E2 Nodes and xApps. No public exploit identified at time of analysis, but the trivial attack complexity (AV:N/AC:L/PR:N/UI:N) and high availability impact make this a credible operational risk for O-RAN testbeds and lab deployments.
Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that may be controllable by an unprivileged user on Windows. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required.
Stack-based buffer overflow in H3C Magic B0 routers (versions up to 100R002) allows remote authenticated attackers to corrupt memory via the SetMobileAPInfoById function in /goform/aspForm by manipulating the param argument. Publicly available exploit code exists (disclosed on GitHub and VulDB), and the vendor did not respond to disclosure outreach, leaving devices without an official fix. CVSS 4.0 score of 7.4 reflects high impact to confidentiality, integrity, and availability with low attack complexity.
Broken access control in Themefic Hydra Booking WordPress plugin through version 1.1.41 allows remote unauthenticated attackers to access functionality that should be restricted by authorization checks. The flaw stems from missing authorization (CWE-862) on plugin endpoints, with CVSS 7.3 reflecting low impact across confidentiality, integrity, and availability without requiring privileges or user interaction. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Memory corruption in Qualcomm Snapdragon fastboot bootloader when processing commands that set the display mode allows a high-privileged local attacker with physical device access to corrupt memory and potentially execute code outside the bootloader's security context. The flaw, reported by Qualcomm and disclosed in their June 2026 security bulletin, affects Snapdragon platforms across the product line per the supplied CPE. No public exploit has been identified at the time of analysis, and the CVSS 7.2 score reflects the high privilege and physical access barriers that limit broad exploitation.
Memory corruption in Qualcomm Snapdragon fastboot bootloader processing allows a physically present attacker with high privileges to corrupt memory by submitting improperly formatted fastboot commands. The flaw carries a CVSS 7.2 score reflecting physical attack vector with scope change, and no public exploit identified at time of analysis. Disclosed in Qualcomm's June 2026 security bulletin, it affects Snapdragon platforms exposed during device provisioning, recovery, or firmware-flash workflows.
Memory corruption in Qualcomm Snapdragon fastboot bootloader handling allows a privileged local attacker with physical access to corrupt memory by issuing malformed fastboot commands, with scope change (CVSS S:C) indicating impact extends beyond the bootloader's security boundary. The flaw was disclosed by Qualcomm in the June 2026 security bulletin and carries a CVSS 3.1 base score of 7.2 (High). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Memory corruption in Qualcomm Snapdragon fastboot OEM command handling allows a local attacker with high privileges and physical access to compromise device confidentiality, integrity, and availability. The CVSS 7.2 score reflects the physical attack vector (AV:P) offset by high impact and scope change, and no public exploit identified at time of analysis. Disclosure originates from Qualcomm's June 2026 security bulletin.
Local privilege-level information disclosure and artifact tampering in CodexBar versions prior to 0.32.0 allows authenticated users on the same macOS host to read App Store Connect API keys and hijack release builds via predictable temporary file paths in the notarization workflow. The flaw stems from writing sensitive credentials and notarization archives to fixed, world-reachable locations rather than per-run private directories, enabling symlink races and pre-creation attacks. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local privilege escalation in Qualcomm Snapdragon platforms stems from a stack-based memory corruption triggered while processing display command line information with an uninitialized variable. With CVSS 7.2 and a physical attack vector requiring high privileges, the flaw allows a privileged local attacker to corrupt memory and impact confidentiality, integrity, and availability across a changed security scope. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Dräger Infinity Delta, Delta XL, and Kappa patient monitors contain a denial-of-service vulnerability that allows remote attackers to cause the monitor to reboot by sending a malformed network. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Cross-tenant data forgery in Nezha monitoring dashboard allows any authenticated low-privilege user with a valid agent secret to submit fabricated service-monitor TaskResult messages for services owned by other tenants. The dashboard's inbound result worker validates only that the referenced service ID exists, skipping the ownership and coverage checks enforced on the outbound dispatch path, so attackers can poison victim service history and trigger victim-owned notifications containing attacker-controlled text. A working local proof-of-concept is published in the GHSA advisory; no public exploit identified at time of analysis in the wild, and the issue is not on CISA KEV.
Reflected cross-site scripting in OTRS 7.0.x and ((OTRS)) Community Edition 6.x and earlier allows remote attackers to execute arbitrary JavaScript in an authenticated agent's browser session by tricking the agent into clicking a crafted ticket-action URL. The CVSS 7.1 (UI:R) rating reflects the need for victim interaction, and no public exploit identified at time of analysis, but the high integrity impact and the ubiquity of OTRS-derived help-desk forks make this a meaningful risk for ticketing environments.
Blind SQL injection in the Nextcloud Tables app affects versions 0.9.0 through 0.9.6 and 1.0.0 through 1.0.1, allowing authenticated users with access to the Tables app to inject SQL into the ORDER BY clause of database queries. The flaw permits bit-by-bit data extraction or time-based exfiltration against the underlying database, and no public exploit identified at time of analysis. Patches are available in versions 0.9.7 and 1.0.2.
Local privilege escalation in the Linux kernel's SMB/CIFS client allows unprivileged userspace processes to forge cifs.spnego keys via add_key(2) or request_key(2), supplying attacker-controlled pid, uid, creduid, and upcall_target fields that cifs.upcall trusts as kernel-originated. Successful exploitation enables impersonation of CIFS credential negotiation, leading to high confidentiality, integrity, and availability impact on systems mounting SMB shares. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Insufficient granularity of access control in ASP (AMD Secure Processor) may allow an attacker with an untrusted user space application to map sensitive SMN (System Management Network) apertures. Rated high severity (CVSS 7.1). No vendor patch available.
Boot flow tampering in Qualcomm Snapdragon platforms allows a local authenticated attacker to bypass cryptographic verification of partition table entries and modify the device's boot process, achieving high impact to confidentiality and integrity. Qualcomm disclosed the issue in its June 2026 security bulletin, classifying it as an authentication bypass affecting Snapdragon products. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the boot-chain location of the flaw makes it strategically valuable for persistent compromise.
Reflected cross-site scripting in ThimPress LearnPress WordPress plugin through version 4.3.6 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The CVSS scope-changed vector (S:C) indicates impact extends beyond the vulnerable component, typical of XSS reaching the WordPress admin context, and no public exploit has been identified at time of analysis.
DOM-based cross-site scripting in VeronaLabs WP Statistics plugin for WordPress through version 14.16.6 allows remote attackers to execute arbitrary JavaScript in a victim's browser when the user is lured into interacting with a malicious link or page. The CVSS 7.1 score reflects unauthenticated network exploitability with user interaction required and a scope change, but no public exploit code has been identified at time of analysis and the issue is not listed in CISA KEV.
DOM-based cross-site scripting in the e4jvikwp VikBooking Hotel Booking Engine & PMS WordPress plugin (versions up to and including 1.8.8) allows remote attackers to execute arbitrary JavaScript in a victim's browser after the victim interacts with a crafted link or page element. With CVSS 7.1 reflecting a scope change and user interaction requirement, the flaw can be used to hijack hotel administrator sessions or guest-facing booking workflows, though no public exploit identified at time of analysis.
Reflected cross-site scripting in the e2pdf WordPress plugin (versions up to and including 1.32.14) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser after the victim clicks a crafted link. The flaw stems from improper neutralization of user input during web page generation (CWE-79) and carries a CVSS 3.1 score of 7.1 with a scope change. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
DOM-based cross-site scripting in the GiveWP WordPress donation plugin (versions up to and including 4.14.5) allows remote attackers to execute arbitrary JavaScript in a victim's browser session after the victim interacts with an attacker-supplied link or page element. The flaw carries a CVSS 7.1 score driven by changed scope (S:C), meaning impact extends beyond the vulnerable component into the surrounding WordPress site context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Server-side request forgery in Nanobot (HKUDS) prior to 0.2.1 lets unauthenticated remote attackers exfiltrate Microsoft Bot Framework bearer tokens by poisoning the stored Teams conversation reference with an attacker-controlled serviceUrl. VulnCheck reported the issue and HKUDS shipped a fix in v0.2.1 (commit 232df45), but at time of analysis there is no public exploit identified and the CVE is not on CISA KEV. CVSS 4.0 of 7.0 reflects low vulnerable-system impact but High confidentiality/integrity impact on subsequent (downstream) systems - namely the Bot Framework tenant whose tokens are leaked.
Missing brute-force protection on the claim endpoint in unitedbyai droidclaw (all versions up to 0.5.3) allows unauthenticated remote attackers to submit unlimited authentication attempts against the device pairing flow, potentially enumerating or compromising pairing credentials. The root cause is CWE-307 - absent rate limiting or lockout logic in server/src/routes/pairing.ts. A publicly available proof-of-concept exploit exists (hosted on GitHub Gist), though high attack complexity and low confidentiality impact constrain the real-world severity. No patch has been released; the vendor has not responded to the responsible disclosure filed via GitHub issue #14.
Injection vulnerability in NousResearch hermes-agent (all versions through 2026.4.30) allows remote unauthenticated attackers to exploit improper neutralization in the _sanitize_env_lines function of hermes_cli/config.py, achieving partial confidentiality, integrity, and availability impact. The flaw is tagged as code injection (CWE-74), meaning attacker-controlled input passed through this sanitization routine may reach a downstream component in an executable or interpreted context. A public proof-of-concept exploit exists (GitHub gist), though the CVSS vector assigns high attack complexity, indicating exploitation is not trivial. No vendor patch exists; the vendor was unresponsive to coordinated disclosure.
Reachable assertion in SGLang 0.5.10.post1's LoRA adapter scheduler allows a remote unauthenticated attacker to trigger a denial of service via a crafted `lora_path` argument to the inference HTTP endpoint. The root cause is a logic flaw in the batch prefill scheduler: chunked LoRA prefill requests already admitted to the prefill queue are invisible to the LoRA admission check, enabling N+1 distinct adapters to be submitted when `max_loras_per_batch=N`, which forces an assertion failure in `lora_manager.py`. A publicly available proof-of-concept exists (no public exploit identified at time of analysis in the KEV sense), and the CVSS 4.0 score of 2.9 reflects high attack complexity and limited availability impact.
Comment authorization bypass in Nextcloud Server 31.x and 32.x allows authenticated low-privilege users to read all file comments system-wide, bypassing file-level access controls. Affected are Nextcloud Server 31.0.0-31.0.11 and 32.0.0-32.0.2, plus a broad range of Nextcloud Enterprise Server branches. No public exploit has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the CVSS Changed scope rating indicates sensitive organizational data embedded in comments - internal notes, credentials, review feedback - can be exposed cross-user without any file-access permission.
Local privilege escalation in Google Android 16-QPR2 enables an unprivileged local actor to delete device supervision data by exploiting a missing null check in the onCreate() method of DisableSupervisionActivity.kt, effectively dismantling enterprise MDM controls without requiring elevated privileges or user interaction. The flaw (CWE-269: Improper Privilege Management) is bounded to local access but operates with no authentication prerequisite, making it exploitable by any installed app or local user on a supervised managed device. No public exploit identified at time of analysis, and an EPSS of 0.01% reflects negligible observed exploitation probability; however, organizational risk in enterprise Android deployments is disproportionately higher than the base score suggests.
Local privilege escalation in Google Android (versions 14, 15, 16, and 16-QPR2) stems from a tapjacking/overlay flaw in the hide() method of WindowState.java, enabling a locally installed malicious application to covertly redirect a user's permission approval to itself. An attacker who has placed an app on the device can silently overlay a transparent window atop a system permission dialog, causing the user's tap to be misinterpreted as consent for sensitive permissions the attacker's app requested. No active exploitation is confirmed (absent from CISA KEV), no public exploit code has been identified, and the EPSS score of 0.01% (1st percentile) reflects negligible observed exploitation probability at time of analysis.
Local privilege escalation in MediaTek's geniezone hypervisor component affects 36 distinct chipsets spanning budget to flagship tiers. An attacker who has already achieved System-level privilege can trigger an out-of-bounds write caused by a missing bounds check, escalating further - likely into kernel or hypervisor trust boundaries - with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and this is not listed in the CISA KEV catalog; however, the post-compromise escalation path makes this relevant to threat actors performing multi-stage device compromise on Android-based MediaTek hardware.
Memory corruption in Qualcomm Snapdragon platforms allows a locally privileged attacker to trigger an out-of-bounds write by issuing a random number generator (RNG) command paired with an undersized output buffer, yielding complete confidentiality, integrity, and availability impact. The vulnerability requires local access and high privileges (CVSS:3.1/AV:L/AC:L/PR:H), placing the base score at 6.7 (Medium) despite the high C/I/A ratings. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Stack-based buffer overflow in Qualcomm Snapdragon corrupts memory during a data copy operation when the output buffer is sized smaller than the input buffer, enabling a high-privileged local attacker to achieve full compromise of confidentiality, integrity, and availability on affected devices. Rooted in CWE-121, this vulnerability can allow control-flow hijacking via stack memory overwrite on Snapdragon-based platforms. No public exploit identified at time of analysis and no CISA KEV listing, but the high-impact triad (C:H/I:H/A:H) warrants prompt patching in environments where privileged access is shared or contested.
Stack-based buffer overflow in Qualcomm Snapdragon Windows drivers allows a locally authenticated high-privilege attacker to cause memory corruption by sending a malformed trusted application request. The vulnerability affects Snapdragon-based systems running Windows drivers and can result in complete compromise of confidentiality, integrity, and availability. No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Memory corruption via out-of-bounds write in Qualcomm Snapdragon diagnostic services allows a local, highly-privileged attacker to achieve high-impact compromise of confidentiality, integrity, and availability. The root cause is absent input validation in the diagnostic services component, enabling a crafted payload to corrupt memory. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Integer overflow in Google Android's ubsan_throwing_runtime.cpp enables remote denial of service across Android 14, 15, 16, and 16-qpr2. A network-accessible low-privileged attacker can trigger a process crash through crafted input targeting multiple functions in this runtime component, resulting in complete availability loss with no user interaction required. No public exploit code has been identified at time of analysis, and Google addressed the issue in the June 2026 Android Security Bulletin.
Remote denial of service in Google Android (versions 14, 15, 16, and 16-qpr2) is achievable by an authenticated network attacker exploiting an integer overflow in multiple functions of ubsan_throwing_runtime.cpp. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity network exploitation requiring only low-privilege authentication and no user interaction, resulting in a full availability impact (A:H). No public exploit code or CISA KEV listing has been identified at time of analysis, though the broad version coverage across current and recent Android releases makes this a notable patching priority.
Remote denial of service in Google Android versions 14, 15, 16, and 16-qpr2 stems from an integer overflow across multiple functions in ubsan_throwing_runtime.cpp, a low-level UBSan instrumentation component. An authenticated attacker with low privileges can trigger a full system crash over the network with no user interaction required, achieving complete availability impact (CVSS A:H) with no confidentiality or integrity risk. No public exploit or CISA KEV listing has been identified at time of analysis, and Google addressed the issue in the June 2026 Android Security Bulletin.
Remote denial of service in Google Android 14, 15, 16, and 16-qpr2 stems from an integer overflow in multiple functions of ubsan_throwing_runtime.cpp, the runtime component of Android's Undefined Behavior Sanitizer (UBSan). An authenticated low-privileged attacker over the network can trigger the overflow to crash the affected component, resulting in high availability impact with no user interaction required. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.