Heap buffer overflow in GPAC MP4Box v2.4's MPEG-2 TS demuxer crashes the application when processing a specially crafted MP4 file, resulting in a Denial of Service. The vulnerable function `m2tsdmx_send_packet` in `filters/dmx_m2ts.c` lacked a minimum packet-length guard before performing heap operations on M2TS packet data. No active exploitation has been identified (not in CISA KEV), and impact is limited to availability - no code execution or data exposure is achievable via this path.
Cross-site scripting in Firefox for iOS Reader View allows unauthenticated remote attackers to inject arbitrary markup via maliciously crafted JSON-LD metadata on attacker-controlled pages. When a victim activates Reader View on such a page, injected HTML executes in the context of an internal Firefox origin, leaking sensitive URL parameters that can be leveraged to access internal pages and achieve arbitrary JavaScript execution with elevated browser-origin trust. Mozilla patched this in Firefox for iOS 151.2 per MFSA2026-53; no public exploit code and no CISA KEV listing have been identified at time of analysis.
Reader View in Firefox for iOS executes arbitrary JavaScript due to an incorrect template substitution order, enabling cross-site scripting via JSON-LD data injection. The flaw affects all Firefox for iOS versions prior to 151.2 running on Apple iOS devices; unauthenticated remote attackers can exploit this by luring users to a malicious page and having them activate Reader View, after which attacker-controlled placeholder strings embedded in the page's structured data are processed as executable script. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and no-auth-required access vector (per CVSS PR:N) make it feasible for opportunistic campaigns targeting iOS Firefox users.
Stored cross-site scripting in Kiteworks Secure Data Forms allows authenticated low-privileged attackers to inject persistent malicious JavaScript that executes in other users' browser sessions. All Kiteworks releases prior to version 9.3.0 are affected, and the changed-scope CVSS modifier (S:C) confirms that injected scripts execute beyond the attacker's own session boundary, enabling session hijacking, credential theft, or unauthorized actions on behalf of victim users. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms exposes a permission-modification vector for any authenticated user against resources owned by other users. All Kiteworks deployments running versions prior to 9.3.0 are affected, with the flaw rooted in missing ownership verification on resource authorization checks within the Secure Data Forms module. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the low attack complexity and network accessibility make it a credible insider or credential-compromise risk in multi-tenant environments where data isolation is a compliance requirement.
Buffer overflow in OpenSC's pkcs11-tool component (versions up to and including 0.26.1) exposes users of the key generation functionality to memory corruption when processing maliciously oversized PKCS#11 URI object IDs. An unauthenticated remote attacker can trigger the flaw in the test_kpgen_certwrite function, but exploitation requires passive user interaction and high attack complexity, reflected in the extremely low CVSS 4.0 score of 1.3 with impact limited to the vulnerable component only. Publicly available exploit code exists (E:P confirmed in CVSS vector), but no public exploit identified at time of analysis in CISA KEV, and real-world mass exploitation is significantly constrained by the required user participation and attack complexity.
Regular expression denial of service in Enderfga claw-orchestrator 3.7.0 and earlier allows authenticated remote attackers to degrade service availability by submitting crafted patterns to the Session Grep Endpoint. The validateRegex function in claw-orchestrator/src/embedded-server.ts passes user-supplied body.pattern directly to the V8 JavaScript regex engine, which uses backtracking and can be forced into exponential-time evaluation via patterns like (a+)+$. No public exploit is identified at time of analysis, and the CVSS score of 4.3 (A:L) reflects limited - but real - availability impact via Node.js event loop exhaustion.
Nanobot's Matrix channel media download handler exhausts process memory and bandwidth when authenticated room members submit media events carrying missing or invalid declared size metadata. All versions of Nanobot prior to 0.2.1 are affected (CPE: cpe:2.3:a:hkuds:nanobot:*:*:*:*:*:*:*:*). An authenticated Matrix room member can send multiple concurrent malformed media events, causing the handler to fully materialize response bodies before performing post-download size validation, consuming process resources until service availability degrades. No public exploit code or CISA KEV listing exists at time of analysis; a vendor-released patch is available in v0.2.1.
Server-side request forgery in Nanobot's web_fetch tool prior to v0.2.1 allows authenticated remote attackers to probe and reach internal or private network hosts by exploiting the httpx library's automatic HTTP redirect-following behavior. The attack bypasses initial URL validation by supplying a legitimate-looking external URL that responds with a 3xx redirect to a loopback or RFC-1918 address - the outbound request to the internal host is dispatched before any post-redirect validation is applied. No public exploit code exists and no CISA KEV listing is present, but the Changed Scope (S:C) in the CVSS vector indicates that successful exploitation can affect network components beyond Nanobot itself, such as internal APIs or metadata services.
Reflected cross-site scripting in the Stormshield Network Security (SNS) appliance login API allows network-accessible attackers to inject and execute arbitrary scripts in a victim's browser session. Affected versions span three distinct release branches: 4.3.0-4.3.41, 4.8.0-4.8.15, and 5.0.0-5.0.5. Successful exploitation can result in session cookie theft, sensitive data exfiltration, or redirection to attacker-controlled sites. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Broken share revocation in Nextcloud Forms versions 4.3.0 through 5.2.7 leaves former collaborators with persistent read access to uploaded respondent files after removal. The vulnerability stems from a two-layer share architecture where removing a collaborator deleted the Forms-layer share record but silently preserved the underlying Nextcloud Files-layer share on the uploaded files folder - meaning removed users retained filesystem-level access to sensitive form submission files. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but the low-complexity network vector (CVSS AV:N/AC:L/PR:N/UI:N) means a removed collaborator can exploit this passively without any additional action.
Server-Side Request Forgery in Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows unauthenticated remote attackers to trigger outbound HTTP requests from the server to internal or restricted network resources by supplying a crafted image URL to the UrlImageConverter component. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no user interaction, making this trivially reachable against any exposed instance. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Improper authorization in DevaslanPHP project-management (all versions through 2.0.0-beta1) allows any low-privileged authenticated attacker to remotely invoke the KanbanScrumHelper::recordUpdated function in the Ticket Handler component without adequate permission checks, resulting in unauthorized modification of ticket and kanban board records (integrity impact) and limited disruption of availability. The vendor was notified via GitHub issue #141 but had not responded at time of disclosure, meaning no patch is available. No public exploit code has been identified and the CVE does not appear in CISA KEV.
Improper authorization in DevaslanPHP project-management up to 2.0.0-beta1 allows authenticated remote attackers to edit or delete ticket comments they do not own by exploiting missing ownership validation in the Livewire Handler component. The CVSS vector (PR:L, AV:N, AC:L) confirms the attack is network-accessible and requires only a low-privilege account with no user interaction. No vendor patch exists - the maintainer has not responded to the responsible disclosure submitted via GitHub issue - and no public exploit or CISA KEV listing has been identified at time of analysis.
Missing admin-only middleware on DaybydayCRM's SettingsController (`updateOverall` and `updateFirstStep` methods) allows any authenticated low-privilege user to modify critical company-wide configurations - including currency, VAT rates, invoice numbering, and business hours - in versions up to 2.2.1. The PR diff confirms the vulnerability is part of a systemic authorization failure across multiple controllers: authenticated users could also delete any resource (clients, tasks, leads, projects) and exploit mass assignment flaws in status update endpoints. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though an upstream patch PR has been submitted.
Insecure Direct Object Reference in Bottelet DaybydayCRM up to version 2.2.1 allows any authenticated user to view or download arbitrary documents belonging to other users by enumerating the external_id URL parameter in DocumentsController. The missing authorization check in both the view() and download() methods means a low-privilege employee or contractor can exfiltrate documents linked to any Task, Project, Lead, or Client within the CRM. No public exploit identified at time of analysis and no CISA KEV listing, but the attack is trivially executable by any authenticated user given low complexity (AC:L, AT:N) and no user interaction required (UI:N).
Improper authorization in decolua 9router through version 0.4.0 allows remote attackers with low privileges to bypass JWT authentication by manipulating the HTTP Host header, gaining unauthorized access to protected dashboard and API endpoints. The vulnerable isLocalRequest() function in dashboardGuard.js blindly trusted the client-supplied Host header to determine whether a request originated from localhost, enabling any network-reachable attacker to spoof local origin by sending Host: localhost. No public exploit code or CISA KEV listing exists at time of analysis; vendor-released patch v0.4.1 is available and confirmed.
Reflected XSS in SOPlanning 1.55 and below allows unauthenticated attackers to execute arbitrary JavaScript in the browsers of authenticated SOPlanning users by delivering a crafted malicious URL containing a payload in the `taches` parameter. The vulnerability stems from insufficient output sanitization of user-supplied input before it is reflected in the HTTP response. No public exploit code or CISA KEV listing exists at time of analysis; this was reported by CERT Poland (CERT.PL) and carries a CVSS 4.0 score of 5.1 (Medium).
Stored XSS in SOPlanning 1.55 and earlier allows an authenticated low-privileged attacker to persist malicious JavaScript inside the application by uploading a crafted backup archive through the /process/upload_backup endpoint. The payload, embedded in a user.csv file within a ZIP, executes in a victim's browser when they click the Edit button on the affected backup entry - enabling session hijacking or UI manipulation against any user who interacts with the backup management interface. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 5.1 correctly reflects the constrained impact ceiling imposed by required authentication and passive user interaction.
Stored cross-site scripting in Lightweight Music Server (LMS) through version 3.76.0 allows low-privileged authenticated attackers to plant persistent JavaScript payloads via crafted media file metadata fields (GENRE, ARTIST, ALBUM) that execute automatically in any victim's browser upon browsing the web interface. The root cause is unsanitized rendering of library metadata using Wt::TextFormat::UnsafeXHTML in src/lms/ui/Utils.cpp, meaning payloads survive library scanning and are stored permanently. No public exploit code or CISA KEV listing has been identified at time of analysis; VulnCheck and ZeroScience (ZSL-2026-5987) have published coordinated advisories disclosing the vulnerability.
Cross-Site Request Forgery in SOPlanning 1.55 and below allows unauthenticated remote attackers to perform unauthorized group management operations - create, modify, or delete groups - by tricking an authenticated user into visiting a malicious webpage. The vulnerability affects the groupe_save endpoints, which accept forged GET or POST requests without validating request origin. No public exploit has been identified at time of analysis, and no KEV listing exists, but the low attack complexity and lack of privilege requirements for the attacker make social engineering viable against any authenticated user session.
OpenShift Container Platform exposes a resource exhaustion path where low-privileged authenticated users with pod creation rights can trigger cluster-wide API server degradation by exploiting two quota enforcement gaps: completed pods with restartPolicy:Never are excluded from ResourceQuota pod limits, and Kubernetes events are not quota-scoped. By repeatedly creating such short-lived pods, an attacker causes Kubernetes events to accumulate unboundedly in etcd, degrading API server performance across the entire cluster - a scope change (CVSS S:C) that extends impact well beyond the attacker's own namespace. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Authentication bypass in Nextcloud's user_oidc app (versions 1.3.6 through 8.3.x) allows users deleted from LDAP to continue authenticating via OpenID Connect. The root cause is a boolean logic inversion in LdapService.php - the condition `isLDAPEnabled()` was used instead of `!isLDAPEnabled()`, causing the LDAP deletion check to execute only when LDAP was inactive, effectively skipping it in every real-world deployment. No public exploit code has been identified at time of analysis; the issue was responsibly disclosed via HackerOne report #3554696.
PIN authentication bypass in the Nextcloud Files Android app (versions 33.0.0 through 33.0.x) allows a physically present attacker to circumvent the app's passcode lock screen by pressing the Android back button immediately after the host device is unlocked. The PassCodeActivity failed to intercept back-navigation events during PIN verification, granting direct file access without completing authentication. No public exploit identified at time of analysis and no CISA KEV listing; risk is tightly constrained by the physical access vector. Patched in version 33.1.0 via upstream PR #16896.
Path traversal in Nextcloud Server 31.x and 32.x allows authenticated non-admin users to copy arbitrary server-side files into their own Nextcloud storage directory when an administrator has configured the `{lang}` placeholder in the template directory config value. The root cause is insufficient sanitization of the `forceLanguage` HTTP request parameter and the `ACCEPT_LANGUAGE` header in `lib/private/L10N/Factory.php`, which were used unsanitized in filesystem path construction. No public exploit identified at time of analysis, though a HackerOne report (3468140) exists; CVSS scores this as Medium (4.4) due to high complexity and privilege preconditions, and impact is limited to confidentiality with no code execution possible.
Null pointer dereference in ThorVG's SVG loader crashes any process that passes untrusted SVG content through Picture::load(), enabling remote denial-of-service with a trivial 6-byte payload. All ThorVG releases prior to 1.0.5 are affected (CPE: cpe:2.3:a:thorvg:thorvg:*:*:*:*:*:*:*:*). No public exploit identified at time of analysis and no CISA KEV listing, but the fix-confirming PR diff (PR #4387) exposes the exact null-check omissions, substantially lowering the bar for independent exploit development.
User enumeration via Nextcloud Calendar's attendee suggestion endpoint affects authenticated users on versions 5.5.13-5.5.16 and 6.2.0-6.2.2. The `searchAttendee` controller method in `ContactController.php` called the contacts manager search API without passing the instance's configured sharing restriction parameters - meaning enumeration-limiting settings (`shareapi_allow_share_dialog_user_enumeration`, `shareapi_only_share_with_group_members`, group-scoped restrictions) enforced on all other sharing endpoints were silently bypassed here. An authenticated low-privilege attacker can probe the endpoint with partial name or email strings to reconstruct the full user directory, disclosing usernames and email addresses that administrators had intentionally restricted. No public exploit identified at time of analysis and no confirmed active exploitation (CISA KEV not listed).
Information disclosure in eLabFTW prior to version 5.4.2 allows authenticated users to enumerate resource titles outside their authorization scope via numeric reference/search queries. Affected deployments in regulated environments - such as clinical labs or research institutions embedding patient identifiers, project names, or regulated data in resource titles - face elevated sensitivity risk despite the limited scope of exposure. Content-level access controls remain intact; only titles leak. No public exploit identified at time of analysis, and CVSS rates this Medium (4.3), consistent with authenticated, low-impact disclosure.
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 allows any authenticated low-privileged user to modify form resources owned by other users by substituting controlled resource identifiers in API requests, bypassing ownership authorization checks. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms the vulnerability is remotely exploitable with no complexity barrier beyond holding a valid account. No public exploit code and no CISA KEV listing identified at time of analysis; real-world risk is concentrated in multi-tenant Kiteworks deployments where data isolation between users is a security expectation.
Nextcloud Tables versions 0.8.0 through 1.0.3 improperly disclose view filter criteria to authenticated users holding only read-only permissions on a shared view. The flaw in ViewService.php attempted to sanitize filter arrays for low-privileged users but instead exposed the full filter rules - potentially revealing sensitive column names, threshold values, or data organization logic the view owner intended to keep confidential. No public exploit code has been identified at time of analysis, and this CVE is not listed in CISA KEV, indicating no confirmed active exploitation.
Incomplete authorization in Apache ActiveMQ Broker allows authenticated low-privilege users to remove messaging destinations (queues and topics) beyond their granted permissions, causing targeted availability disruption to broker-connected producers and consumers. Affected versions span the 5.x line before 5.19.7 and the 6.x line from 6.0.0 before 6.2.6, covering ActiveMQ Broker and ActiveMQ All distributions. With an EPSS of 0.01% (3rd percentile), no CISA KEV listing, and no public exploit code identified, this is a low-urgency but genuine authorization control gap that is most relevant to environments with multiple untrusted authenticated broker accounts.
Rename permission bypass in Nextcloud's team folder (groupfolders) feature allows authenticated low-privileged users holding READ and CREATE permissions to rename files in team folders even when UPDATE permission is explicitly denied. Affecting Nextcloud versions 17.0.0 through 21.0.3, the flaw originates from a single-character bitwise operator error in ACLStorageWrapper.php - a `&` used instead of `|` when evaluating combined permission flags effectively nullifies the UPDATE permission check. No public exploit identified at time of analysis; vendor-released patches are available across all affected version branches.
Arbitrary firmware memory writes in Imagination Technologies Graphics DDK affect multiple DDK versions across Guest/Host VM deployments. A logic error in GPU driver address translation permits kernel-level software within a VM to issue malformed commands to GPU firmware, causing writes to memory regions outside the intended GPU memory boundary. The Chrome OS stable channel advisory reference confirms real-world platform-level impact, and a vendor patch is available. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Path traversal during wheel installation in pip allows a malicious package's console_scripts or gui_scripts entry point names to be written outside the intended scripts directory. All pip versions are listed as affected (CPE covers wildcard versions), and exploitation requires a victim to run pip install on a specially crafted package - making this a supply chain attack vector. No public exploit code is identified at time of analysis, no KEV listing exists, and a vendor fix is available upstream via PR #14000, though no specific patched release version is independently confirmed from available intelligence.
Unauthorized emergency call placement is possible on Google Android 14, 15, 16, and 16-QPR2 due to a logic error in the fixInitiatingUserIfNecessary method of CallIntentProcessor.java. An unauthenticated local actor - requiring no privileges on the device - can exploit this flaw to initiate an emergency call outside of intended user controls. No public exploit has been identified at time of analysis, and SSVC assessment indicates no current exploitation activity.
GnuTLS's PKCS#7 padding validation during decryption is not implemented as a constant-time operation, creating a timing side-channel (CWE-208) that remote unauthenticated attackers can exploit to infer padding byte values on CBC-mode cipher suites. Affected deployments include GnuTLS as packaged across Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4. Red Hat has issued patch RHSA-2026:20613; no active exploitation is confirmed in CISA KEV, and no public exploit code has been identified, but the network-reachable, no-auth-required attack surface warrants patching on systems handling sensitive encrypted traffic.
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 enables access to other users' resource metadata through insufficient ownership authorization checks on resource identifiers. The vulnerability is classified CWE-639 and carries a CVSS score of 3.7 (Low), reflecting limited confidentiality impact (metadata only, no content) and high attack complexity. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Incorrect permission enforcement in OTRS External Interface and ConfigItem List module allows an authenticated customer to query Configuration Item (CI) data beyond their authorized group scope. The flaw is conditional - both the CMDB module and CustomerGroupSupport must be active simultaneously, substantially narrowing the affected population. Rated CVSS 3.5 (Low) with no confirmed active exploitation and no public exploit code identified at time of analysis, this is a scoped information disclosure risk primarily threatening organizations that expose CMDB asset data through the customer portal.
Information disclosure in OTRS Document Search Article Meta Filters modules (present in both STORM-powered OTRS and standalone OTRS 2026.x) permits authenticated low-privileged users to enumerate metadata - specifically the count of Configuration Items (CIs), SLAs, and services - for objects they are not authorized to access. Affected versions span OTRS with STORM modules 7.0.X through 2026.X before 2026.4.X, making this a broad version-range exposure with a low CVSS score of 3.5. No public exploit identified at time of analysis and the vulnerability has not been added to the CISA KEV catalog.
Improper access control in Nextcloud Talk's signaling layer allows a low-privileged authenticated user to forcibly mute other participants' microphones during calls on deployments without the High-performance Backend. The vulnerability exists in SignalingController::sendMessages(), which processed 'control' type signaling messages without first validating that the target session (decodedMessage['to']) was a legitimate room participant - allowing session-targeted control commands to reach arbitrary users. No public exploit or CISA KEV listing exists at time of analysis, and real-world impact is limited to call disruption with no data exposure.
Unauthorized file injection in the Nextcloud end-to-end encryption application (versions 1.15.0-1.18.x) allows a low-privileged user possessing a valid E2EE files drop share link to write files into other E2EE-encrypted folders owned by the same share owner. The impact is strictly integrity-limited - confidentiality is unaffected and existing files cannot be read or modified - consistent with the CVSS score of 3.5 (Low). No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog; it was responsibly disclosed via HackerOne report #3304830.
Open redirect in Nextcloud's user_oidc plugin (versions 6.1.0 through 8.2.1) allows attackers to craft OIDC login links that silently redirect victims to arbitrary external websites upon successful authentication. The root cause is insufficient redirect URL sanitization in LoginController.php - a single regex stripping the protocol and domain could be bypassed using protocol-relative URLs (e.g., //attacker.com), which browsers resolve as full external URLs. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV; however, the phishing potential via trusted login flows warrants prompt patching in user-facing Nextcloud deployments.
Information disclosure in the Nextcloud Approval app prior to version 2.7.2 allows authenticated users to enumerate whether arbitrary files are enrolled in approval workflows, regardless of their access rights to those files. The root cause (CWE-200) is a missing file-access authorization check in ApprovalService.php before workflow association queries are processed, confirmed by the patch diff in PR #356. No public exploit exists and no active exploitation is confirmed; the practical impact is limited to organizational workflow metadata leakage rather than file content exposure.
Android's AppOpsService (AppOpsService.java) exposes protected system or user information to low-privileged local applications due to missing permission checks across multiple functions, enabling unauthorized information disclosure without requiring additional execution privileges. Affected versions span Android 14 through Android 16-QPR2, representing a broad swath of active Android deployments in use today. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV); SSVC rates exploitation as none with only partial technical impact, placing this at low urgency for most organizations.
Local information disclosure in Google Android's ResourceTypes.cpp affects Android 14, 15, and 16 (including 16-QPR2) via an incorrect bounds check in the setTo function that enables an out-of-bounds read. An authenticated local attacker holding a standard user account can trigger this flaw without user interaction, potentially leaking sensitive memory contents from the process. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Local information disclosure in Android's Bluetooth stack allows a low-privileged application to bypass permission enforcement in handleBondStateChanged of AdapterService.java, exposing sensitive Bluetooth bonding state data without requiring any user interaction. Affected versions include Android 15, Android 16, and Android 16-qpr2, as confirmed by the June 2026 Android Security Bulletin and EUVD-2026-33779. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, placing it in the lower tier of operational priority despite the permission bypass nature of the flaw.
Lockdown mode bypass in Google Android exposes protected information via a logic error in KeyguardViewMediator.java that allows screen pinning to circumvent lockdown protections. Affected versions span Android 14, 15, 16, and 16-qpr2, with exploitation requiring only local low-privileged access and no user interaction. No public exploit has been identified at time of analysis, and the CVSS score of 3.3 reflects a limited-scope, local-only confidentiality impact.
Improper privilege management in Android 16 and 16-QPR2 allows a local low-privileged user to override credential provider settings across user profiles by exploiting a permissions bypass in the `updateProvidersWhenServiceRemoved` method of `CredentialManagerService.java`. The CVSS vector confirms local-only exploitation (AV:L) by an authenticated low-privilege account (PR:L) with no user interaction required, yielding limited confidentiality impact. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Deserialization restriction bypass in QOS.CH Sarl logback-core affects all versions through 1.5.33, allowing unauthenticated network attackers with the ability to influence serialized data to instantiate Java Proxy objects via SimpleSocketServer or SimpleSSLSocketServer. Despite the 'RCE' tag in source intelligence, the vendor explicitly states that no practical path to remote code execution or significant privilege escalation has been identified - this is a security boundary bypass of the HardenedObjectInputStream defense mechanism, not a full compromise vector. A proof-of-concept exists (CVSS E:P), though CVSS 4.0 scores the overall risk at 2.9 due to high attack complexity and prerequisite deployment conditions.
Nextcloud Server's Circles app exposes a missing access control check on the member-add API endpoint, allowing an authenticated user to add an arbitrary circle - identified only by its internal ID - as a member of another circle without verifying that the requesting user has any relationship to the target circle. Affected versions span 32.0.0-32.0.6 and 33.0.0, with Enterprise editions from 29.x through 31.x also impacted. Exploitation is severely constrained by the 62^15 entropy of circle IDs, making the vulnerability practically exploitable only when an attacker has obtained a valid circle ID through a separate information-disclosure path, at which point they could track or infer circle membership relationships. No public exploit exists and this is not listed in CISA KEV.