DNS rebinding on the Mercusys AC12G (EU) V1 router (firmware AC12G(EU)_V1_200909) exposes the router's web management interface to attacker-controlled external origins due to absent HTTP Host header validation. A remote unauthenticated attacker (per CVSS PR:N) can rebind a malicious domain to the router's LAN IP address, then leverage the router's pre-existing CORS wildcard (Access-Control-Allow-Origin: *) to read admin interface responses cross-origin from within the victim's browser. No public exploit beyond the researcher's advisory exists and no CISA KEV listing is present at time of analysis.
Metric name injection in Net::Async::Statsd::Client (Perl, versions through 0.005) allows network-reachable, unauthenticated attackers to inject arbitrary StatsD metrics by supplying untrusted input containing unfiltered newlines, colons, or pipe characters. Because the StatsD wire protocol uses these characters as structural delimiters, unsanitized metric names sourced from user-controlled data can be interpreted as additional, attacker-controlled metrics by the receiving StatsD server. No public exploit identified at time of analysis and EPSS sits at the 9th percentile (0.03%), indicating low observed exploitation pressure, but any Perl application forwarding externally-supplied values as StatsD metric names is directly in scope.
Uninitialized memory consumption in libxls 1.6.3 and earlier exposes server-side applications that parse XLS files to application crashes and potential heap memory disclosure. The flaw resides in the OLE container parser: read_MSAT() allocates memory for the Master Sector Allocation Table without fully initializing it, then passes it to ole2_validate_sector_chain(), which may read uninitialized bytes from the heap. Per the CVSS vector (AV:N/AC:L/PR:N/UI:N), no authentication or user interaction is required - a remote attacker need only supply a crafted XLS file to an application that uses libxls as a parsing backend. No public exploit code or CISA KEV listing exists at time of analysis; EPSS stands at 0.02% (5th percentile), indicating very low observed exploitation activity.
Persistent denial-of-service in the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909 allows an unauthenticated adjacent-network attacker to crash the device by sending a low number of crafted, incomplete HTTP requests, rendering it unresponsive until physically power-cycled. The attack exploits uncontrolled resource consumption (CWE-400) in the router's HTTP service, which fails to safely handle malformed or truncated connections. No public exploit code or active exploitation has been identified at time of analysis, and SSVC signals confirm exploitation status as none.
WPS 2.0 brute-force exposure on the Mercusys AC12G (EU) V1 router allows an adjacent unauthenticated attacker to recover Wi-Fi credentials by exhausting the WPS PIN space against a trivially bypassed lockout policy of only 60 seconds per 10 attempts. Firmware version AC12G(EU)_V1_200909 ships with WPS 2.0 enabled by default, meaning no user reconfiguration is required to be vulnerable. Successful exploitation yields full confidentiality and integrity compromise of the wireless network (C:H/I:H), effectively granting the attacker LAN access. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS of 0.02% reflects low widespread exploitation probability but does not reduce risk for targeted home or small-office environments.
Denial-of-service via quadratic algorithmic complexity in CPython's unicodedata.normalize() affects all CPython versions when processing attacker-controlled Unicode strings. The canonical ordering step during Unicode normalization used an insertion sort algorithm with O(n²) time complexity, which degrades severely when input contains long runs of combining characters with alternating Canonical Combining Class (CCC) values. An unauthenticated remote attacker can cause excessive CPU consumption by submitting small crafted payloads (e.g., 65 characters) to any service that passes untrusted input to unicodedata.normalize(). No public exploit code or CISA KEV listing exists at time of analysis.
Cross-site scripting in Kimi AI v1.0's web interface 'Preview' feature allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by inducing them to view AI-generated content containing unsanitized HTML or JavaScript payloads. The root cause is the application's failure to sanitize or encode output from the AI model before rendering it into the DOM when a user activates the Preview tab. A publicly available proof-of-concept exploit exists at a GitHub repository linked to the CVE; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
Stored XSS in the malla Meshtastic dashboard (pip/malla <= 0.1.7) allows any unauthenticated participant on a public MQTT broker to execute arbitrary JavaScript in the browser of every dashboard visitor. Meshtastic node names (long_name, short_name) received via MQTT are stored in SQLite without sanitization and interpolated directly into multiple HTML templates and frontend JavaScript files without output escaping. No CSP restrictions are in place, compounding impact. No public exploit identified at time of analysis, though full reproduction steps are published in GHSA-ch57-39q2-4crm.
Use-after-free in OpENer's EtherNet/IP stack (versions up to 2.3.0) exposes industrial control system deployments to remote memory corruption via the CIP SendRRData handler. A low-privileged network attacker can manipulate the `CreateMessageRouterRequestStructure` function in `cipmessagerouter.c` to access freed memory, leading to denial of service, memory corruption, or potentially arbitrary code execution. A public proof-of-concept exploit has been disclosed, and the maintainer has not responded to the coordinated disclosure issue (#566), meaning no patch is available at time of analysis.
Improper authorization across multiple administrative endpoints in SourceCodester Online Boat Reservation System 1.0 allows remote authenticated attackers with low-privilege accounts to bypass access controls and interact with admin-only functionality. The vulnerability, classified as broken access control (CWE-285), enables unauthorized reads, writes, and limited availability impact on restricted resources. A publicly available proof-of-concept exploit has been disclosed on Medium, and no public exploit identified at time of analysis meets the CISA KEV threshold - however, the existence of a walkthrough PoC materially lowers the barrier to exploitation.
Remote File Inclusion (RFI) in Cisco Finesse enables unauthenticated remote attackers to load attacker-controlled files into an active user's browser session by exploiting insufficient validation of user-supplied HTTP request parameters. Exploitation requires social engineering an authenticated Finesse user into clicking a crafted URL referencing the affected device - no server-side authentication is needed from the attacker's perspective. A successful attack results in arbitrary JavaScript execution within the Finesse interface context (browser-based XSS-class impact) or unauthorized access to sensitive contact center information; no public exploit identified at time of analysis.
Cross-site scripting in Cisco Webex Meetings' web-based UI allowed unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by persuading them to follow a crafted malicious link. Insufficient input validation (CWE-79) in the Webex Meetings web interface is the root cause; the Changed Scope (S:C) in the CVSS vector indicates impact extends beyond the Webex application into the broader browser context, enabling session theft or browser-based data access. Cisco has fully remediated this server-side in the Webex cloud service, and no customer action is required. No public exploit code identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Arbitrary file write on OpenStack Ironic conductor nodes is achievable via path traversal in virtual media ISO handling (OSSA-2026-018). Authenticated attackers who can supply a malicious ISO image through the deploy_iso_href parameter can write files to arbitrary locations on the conductor host, constrained only by the ironic-conductor process's filesystem permissions. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV, but the vulnerability carries a CVSS 3.1 score of 6.5 and is rated Critical severity by the Ironic project.
Arbitrary file read within GLPI_DOC_DIR is exploitable by authenticated technicians in GLPI versions 0.50 through 10.0.24 and 11.0.0 through 11.0.6, stemming from missing authorization controls (CWE-862) on document directory access. An attacker holding a technician-level account can read any file stored under the GLPI_DOC_DIR path without appropriate privilege checks, exposing potentially sensitive documents, attachments, or internal data. No public exploit is identified at time of analysis, and CISA's SSVC framework rates exploitation as none with non-automatable attack paths.
Cleartext credential exposure in the Mercusys AC12G (EU) V1 router (firmware AC12G(EU)_V1_200909) allows a network-positioned attacker to intercept DDNS service credentials in transit. The firmware transmits DDNS credentials over plaintext HTTP with only Base64 encoding - an encoding scheme, not encryption - and contains no TLS implementation whatsoever. A successful man-in-the-middle interception results in full credential disclosure (C:H), enabling an attacker to hijack the associated DDNS hostname and redirect domain traffic. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV.
A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle attackers to obtain user credential. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.
Hardcoded WiFi driver credentials embedded in Mercusys AC12G (EU) V1 production firmware (AC12G(EU)_V1_200909) expose a RADIUS shared secret, a WPS test key, and a default PSK that cannot be changed by end users. An attacker within radio/adjacent-network range who has extracted and reverse-engineered the firmware binary can recover these static credentials and use them to authenticate against the router's wireless infrastructure without possessing legitimate user credentials. No public exploit code is confirmed beyond the researcher's advisory, and no active exploitation is indicated - EPSS sits at 0.02% (5th percentile), consistent with a niche, hardware-specific finding.
Integer overflow in the cilium/ebpf Go library (versions up to 0.21.0) allows a local authenticated user to cause an availability impact by supplying crafted BPF Type Format (BTF) data to the LoadCollectionSpec or LoadCollectionSpecFromReader APIs. The flaw resides in the loadRawSpec function where 32-bit header field arithmetic was performed using signed int types, enabling overflow to bypass bounds checks on StringOff, StringLen, TypeOff, and TypeLen fields. No public exploit identified at time of analysis as a KEV listing, though publicly available exploit code exists per VulDB and the CVSS temporal component E:P confirms a proof-of-concept is circulating.
Deadlock in the Linux kernel's ASoC fsl_xcvr audio driver causes a hung task and denial of service on NXP i.MX hardware. The defect was introduced by a prior patch (commit f51424872760) that erroneously added a read lock acquisition on controls_rwsem inside fsl_xcvr_mode_put(), unaware that the caller snd_ctl_elem_write() already holds the write lock on that same semaphore for the duration of the put operation. A local user with low privileges who triggers an ALSA control write on an affected system can induce an unresolvable deadlock. No public exploit exists and EPSS is 0.02%, reflecting very low real-world exploitation probability.
Kernel crash in the Linux octeontx2-af driver exposes Marvell OcteonTX2 systems to a denial-of-service condition triggered by kexec reboots when both AF and PF drivers are loaded as modules. Because kexec does not power-cycle hardware, the RVUM block revision register retains its pre-reboot value; the PF driver misinterprets this stale register value as confirmation that AF initialization is complete and proceeds to access hardware state that has not yet been reinitialized in the new kernel, producing a kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), confirming this is a niche reliability defect in a specific hardware/driver configuration rather than an adversarially weaponizable flaw.
Kernel crash (denial of service) affects Qualcomm GFX3D GPU clock management on ARM64 Linux systems running vulnerable kernel versions. A regression introduced by commit d228ece36345 ('clk: divider: remove round_rate() in favor of determine_rate()') left the best_parent_hw field unpopulated in parent_req during GFX3D clock rate determination, causing a NULL dereference crash triggered by normal GPU devfreq monitoring. A local low-privileged user on a Qualcomm MSM/Snapdragon device can induce this crash through GPU frequency scaling activity. No public exploit exists and EPSS is 0.02%, consistent with a narrow hardware-specific bug rather than broadly exploitable vulnerability.
NULL pointer dereference in the Linux kernel's Canaan K230 pinctrl driver causes a local denial of service during device tree parsing. Specifically, k230_pinctrl_parse_functions() dereferences info->pctl_dev->dev before info->pctl_dev is initialized, triggering a kernel panic on systems using the K230 SoC. A low-privileged local attacker on affected hardware can crash the kernel, fully denying system availability. No public exploit code exists and EPSS of 0.02% (5th percentile) indicates minimal exploitation probability; however, the straightforward trigger condition and kernel-crash impact warrant prompt patching on K230-based deployments.
NULL pointer dereference in the Linux kernel's SPI WPCM FIU driver allows a local low-privileged attacker to crash the kernel via a denial-of-service condition. The wpcm_fiu_probe() function passes the return value of platform_get_resource_byname() directly to resource_size() without validating against NULL, meaning if the named resource is absent the kernel dereferences a NULL pointer and panics. No public exploit exists and no active exploitation is confirmed; EPSS of 0.02% (5th percentile) reflects the narrow, hardware-specific attack surface.
NULL pointer dereference in the Linux kernel's GPIO character device subsystem (gpio/cdev) allows a local, low-privileged user to crash the kernel via a denial-of-service. In linehandle_create(), the macro retain_and_null_ptr(lh) sets lh to NULL, but a subsequent debug printout immediately dereferences that same pointer - triggering a kernel panic. No public exploit has been identified at time of analysis, and EPSS indicates very low exploitation probability at 0.02% (5th percentile), consistent with a local-access-only DoS with no code execution or data exposure component.
Local denial-of-service via kernel Oops in the Linux kernel SP804 timer driver on ARM32 platforms when read_current_timer() dereferences an uninitialized sched_clkevt pointer. Affected systems are those where sp804_clocksource_and_sched_clock_init is invoked without use_sched_clock=1, yet sp804_register_delay_timer is still called unconditionally - creating the conditions for a NULL/uninitialized pointer access in sp804_read(). EPSS is 0.02% (5th percentile), no KEV listing exists, and no public exploit has been identified, placing this as low operational priority outside specialized ARM32 embedded deployments.
Double-disable of managed clocks in the Linux kernel's fsl-edma (Freescale/NXP eDMA) DMA engine driver triggers kernel WARN_ON warnings during driver removal, causing an availability impact on affected systems. The bug originates from commit a9903de3aa16731846bf924342eca44bdabe9be6, where clocks allocated via devm_clk_get_enabled() - which automatically handles teardown - are also manually disabled in fsl_edma_remove(), resulting in a 'already disabled/unprepared' warning for each clock. No public exploit has been identified at time of analysis, and EPSS is 0.02% (5th percentile), reflecting the low likelihood of targeted exploitation of this kernel quality defect.
Unaligned memory access in the Linux Kernel's AppArmor DFA table parser causes a denial of service on strict-alignment architectures. AppArmor's deterministic finite automaton (DFA) policy tables, which can originate from either kernel or userspace via apparmor_parser, lack guaranteed 8-byte alignment; on architectures that fault or warn on unaligned access (confirmed via SPARC call trace in the description), loading AppArmor profiles triggers a kernel WARNING at security/apparmor/match.c:316 and fails profile loading. No public exploit exists and no KEV listing is present; EPSS is 0.02% (5th percentile), consistent with a low-severity, architecture-specific, local-only issue.
Improper locking in the Linux kernel regulator subsystem's `regulator_resolve_supply()` error path allows a local low-privileged attacker to trigger a kernel crash or denial of service. The error path invokes `_regulator_put()` without holding the required `regulator_list_mutex`, producing a lockdep warning and exposing an unguarded concurrent access window when clearing the `rdev` supply pointer. No public exploit has been identified at time of analysis, and with an EPSS of 0.02% (5th percentile), real-world exploitation probability is very low.
Null pointer dereference in the Linux kernel's AMD GPU display driver (drm/amd/display) crashes the kernel during Hot Plug Detection (HPD) initialization on systems with AMD GPUs. The amdgpu_dm_hpd_init() function assigns dc_link from a connector but then unconditionally dereferences it at line 940 of amdgpu_dm_irq.c without first confirming it is non-NULL - connectors lacking a valid dc_link trigger a kernel NULL dereference. Exploitation requires local, low-privileged access to a system with an affected AMD GPU; no public exploit has been identified at time of analysis and EPSS probability is 0.02% (5th percentile), indicating very limited real-world exploitation pressure.
Denial of service in the Linux kernel's DRM Panthor GPU driver allows a local authenticated user to trigger an unrecoverable system hang via a blocked GPU memory subsystem. Specifically, when `panthor_gpu_flush_caches()` times out due to a blocked memory subsystem - a condition inducible through buggy GPU jobs submitted by user-mode drivers (UMD) - the driver previously had no recovery path, causing indefinite waits and system unavailability. The fix introduces timeout-aware reset scheduling and immediate -EIO short-circuiting for queued flush operations after a failure, but until patched, the condition is exploitable by any local user with access to the GPU device. No public exploit code exists and EPSS is extremely low (0.02%), consistent with a niche hardware-specific local DoS.
NULL pointer dereference in the Linux kernel's PCI endpoint NTB driver allows an authenticated local attacker to crash the kernel (denial of service) by triggering a memory allocation failure during driver initialization. The missing NULL check after `alloc_workqueue()` in `epf_ntb_epc_init()` causes a subsequent `queue_work()` call to dereference a NULL pointer, resulting in a kernel panic. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface; this is not confirmed actively exploited (CISA KEV absent).
Inverted debug assertion in the Linux kernel PCI/P2PDMA subsystem triggers a spurious kernel warning in p2pmem_alloc_mmap() when CONFIG_DEBUG_VM is enabled, resulting in high availability impact on affected systems. The root cause is a stale VM_WARN_ON_ONCE_PAGE condition that was not updated after commit b7e282378773 changed the initial page refcount from one to zero, causing the assertion to fire on every valid P2PDMA allocation. Authenticated local users with access to P2PDMA-capable hardware can exploit this on debug-compiled kernels to cause denial of service; no public exploit exists and EPSS is 0.02% (4th percentile), reflecting negligible real-world exploitation likelihood.
Denial-of-service via recursion deadlock in the Linux kernel's NFS LOCALIO subsystem when direct memory reclaim occurs on systems using loopback NFS mounts. The LOCALIO optimization - which bypasses network I/O when NFS client and server share the same host - fails to restrict its page cache allocations to GFP_NOFS context, allowing the kernel memory allocator to re-enter NFS via nfs_writepages during reclaim (path: NFS LOCALIO → XFS → NFS), producing a deadlock and kernel hang. No public exploit exists and EPSS stands at 0.02% (4th percentile), consistent with a kernel subsystem defect that requires a specific local configuration rather than a broadly exploitable condition. Vendor-released patches are available across stable kernel branches.
Stale link mapping in the ath12k Wi-Fi 7 driver causes a kernel WARN_ON condition when MLO (Multi-Link Operation) connection preparation fails mid-initialization, leaving ahvif->links_map in an inconsistent state. Systems running the Linux kernel with Qualcomm ath12k hardware (e.g., QCN9274) are affected across stable branches through 6.18.13, 6.19.3, and pre-7.0 releases. A local low-privileged user capable of triggering repeated MLO authentication failures can induce kernel warning conditions, resulting in high availability impact with no public exploit identified at time of analysis.
Path traversal in Docling's LaTeX backend (pip/docling versions 2.73.0 through 2.90.x) allows an attacker who supplies a crafted LaTeX document to read arbitrary files accessible to the conversion process via the \includegraphics, \input, and \include command handlers. With a high confidentiality impact (C:H) but local attack vector and required user interaction (AV:L/UI:R per CVSS), the practical risk is concentrated in automated document-processing pipelines or services that ingest untrusted .tex files. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV. A vendor-released patch exists as of version 2.91.0.
Stored Cross-Site Scripting in Koha 25.11 and earlier allows a remote authenticated attacker to inject and execute arbitrary JavaScript in victim browsers via the file upload function within the Invoice features module. The CVSS Scope:Changed designation indicates the injected script executes in a security context beyond the attacker's own session - targeting higher-privileged users (e.g., acquisitions staff or administrators) who subsequently view the affected invoice. A researcher blog post at g03m0n.github.io documents this vulnerability, suggesting public technical details are available. No public exploit identified at time of analysis, and EPSS at 0.05% (16th percentile) indicates low observed exploitation probability.
Hard-coded credentials embedded in NetApp Active IQ OneCollect 2.7.3 allow any low-privileged authenticated user to perform unauthorized AutoSupport operations beyond their intended authorization scope. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-accessible exploitation with low complexity, requiring only a low-privilege account with no special attack conditions. No public exploit has been identified and the vulnerability does not appear in the CISA KEV catalog at time of analysis.
Hard-coded credentials in NetApp Active IQ Config Advisor 6.7.3 enable authenticated low-privileged attackers to perform unauthorized AutoSupport operations against connected NetApp infrastructure. The embedded credentials bypass intended access controls, allowing any account holder to trigger or manipulate AutoSupport telemetry functions beyond their assigned privilege level. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.
Memory exhaustion in quic-go's HTTP/3 implementation allows remote unauthenticated attackers to crash or degrade servers and clients by sending crafted QPACK-encoded HEADERS frames that exploit missing decoded size limits on HTTP trailer field sections. Affected versions (<= 0.59.0) enforce size caps only on the compressed HEADERS frame, not on the decoded output - a malicious peer can achieve roughly 50x expansion via QPACK static table entries, overwhelming available memory. No public exploit code has been identified at time of analysis, but the attack vector is network-accessible with no authentication required, making this a practical denial-of-service risk for any Go application using quic-go for HTTP/3.
Log injection in morgan Node.js middleware versions 1.2.0 through 1.10.1 allows unauthenticated remote attackers to forge access log entries by embedding CR or LF control characters in the Basic authentication username of the Authorization request header. The :remote-user format token writes this value to the log stream without sanitization, breaking the one-request-per-line log structure and enabling attackers to fabricate arbitrary log lines visible to downstream consumers such as SIEMs or log aggregators. No active exploitation is confirmed (not in CISA KEV) and no public exploit code is identified at time of analysis, but the zero-prerequisite network attack vector and widespread use of morgan across the Node.js/Express ecosystem make this a meaningful integrity risk for security monitoring pipelines.
Header injection via parser differential in daphne before 4.2.2 allows unauthenticated remote attackers to smuggle synthetic headers into the ASGI scope received by Django applications during WebSocket handshake processing. The root cause is that Twisted (which daphne uses to parse inbound HTTP) ignores six specific Unicode bytes as line separators, while autobahn (which daphne feeds for WebSocket negotiation) calls Python's str.splitlines() and recognizes them - causing a single header value to be split into multiple injected header lines. No public exploit has been identified at time of analysis, and CVSS scores this at 3.7 (Low) due to high attack complexity, though real-world severity scales with how heavily the downstream application trusts ASGI-scope headers for security decisions.
Use-of-uninitialized memory in libxls 1.6.3 exposes applications that parse XLS files to potential information disclosure via heap memory leakage. The flaw originates in the OLE layer (ole2_read) and surfaces in xls_parseWorkBook() when processing malformed XLS input, meaning any downstream application or service that accepts and parses XLS files using this library inherits the exposure. With a CVSS score of 5.3 and an EPSS of 0.02% (6th percentile), real-world exploitation probability is low; no public exploit or CISA KEV listing exists at time of analysis.
Stored XSS in ProjectsAndPrograms school-management-system allows an authorized attacker to inject malicious JavaScript into multiple student and teacher object attributes, which then executes in the browsers of other authenticated users. Critically, when chained with CVE-2025-11661 - which grants unauthenticated access to backend endpoints - the attack escalates to fully remote, unauthenticated exploitation, removing the otherwise required low-privilege foothold. No patch has been released and no public exploit code has been identified at time of analysis, though the application is confirmed vulnerable at commit 6b6fae5 per CERT.PL.
Stored cross-site scripting in ERPNext 16.16.0 allows authenticated users to inject arbitrary HTML and JavaScript into the email_id or mobile_no fields of Customer records, which execute silently in the browser of every Point of Sale (POS) operator who subsequently selects the poisoned customer. Because the payload persists in the database, a single injection event affects all future POS operator sessions that encounter that customer - creating a multiplier effect without requiring repeated attacker access. No public exploit code or CISA KEV listing exists at time of analysis; EPSS data was not provided in available intelligence sources.
Hash collision weaknesses in SGLang's multimodal Cache Handler (all versions through 0.5.11) allow a local low-privilege attacker to craft multimodal tensor inputs that produce identical cache keys via truncated SHA256 digests, causing incorrect cache lookups or cache invalidation failures that disrupt LLM serving workflows. The CVSS 4.0 score of 1.1 reflects the strictly local attack vector and high exploitation complexity, limiting real-world impact primarily to multi-tenant inference deployments. Publicly available exploit code exists per GitHub issue #25462, though no confirmed active exploitation has been observed and the vulnerability is not listed in the CISA KEV catalog.
File extraction from the Ironic conductor service is possible via a crafted pxe_template, as disclosed in OpenStack Security Advisory OSSA-2026-019. The Ironic conductor is a privileged management component that coordinates bare metal node provisioning; arbitrary file read from this host could expose infrastructure credentials, TLS keys, or cloud configuration secrets. No public exploit has been identified at time of analysis, and no CVSS score has been assigned, but the severity is elevated by the conductor's privileged position in OpenStack infrastructure.
Open redirect vulnerability in FOSSBilling's Redirect module (prior to version 0.8.0) allows authenticated administrators to configure arbitrary external URLs as redirect targets without URL scheme validation. Users following a legitimate FOSSBilling link are silently issued a 301 Moved Permanently response to an attacker-controlled phishing site; because 301 responses are persistently cached by browsers, the redirect continues to function even after server-side correction until client caches expire. No public exploit identified at time of analysis; version 0.8.0 (released 2026-05-28) patches the issue.
Stored cross-site scripting in ERPNext 16.16.0 allows an authenticated user holding Item record edit permissions to persist malicious HTML/JavaScript in the item_name, description, or image fields, which executes unescaped in the Point of Sale (POS) cart interface for any operator who subsequently adds that item to a transaction. Reported by Fluid Attacks (EUVD-2026-34158), this is a stored XSS with lateral impact across all POS operator sessions exposed to the poisoned item record. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog; the CVSS 4.0 score of 4.8 reflects the constrained attack surface imposed by high privilege prerequisites and required passive user interaction.
Stored Cross-Site Scripting in Dovestones Softwares ADPhonebook before v4.0.1.1 permits authenticated admin users to inject persistent JavaScript payloads via the /Admin/Save API endpoint. Because multiple configuration sections lack input validation and output encoding, injected scripts survive across sessions and execute in any victim's browser when the affected configuration pages are loaded, with CVSS scope change (S:C) confirming cross-user impact beyond the planting admin. No public exploitation identified at time of analysis; EPSS is 0.02% (5th percentile), though a publicly available proof-of-concept gist exists at the referenced GitHub URL.
Race condition in the Linux kernel's CoreSight TMC-ETR (Trace Memory Controller, Embedded Trace Router) driver triggers a kernel WARN_ON() when sysfs and perf hardware tracing modes are enabled concurrently, resulting in a denial-of-service condition against the tracing subsystem. The sysfs enable path is split across two separate spinlock-protected critical sections, creating a window where perf mode can initialize drvdata->etr_buf between the sysfs buffer allocation and hardware enablement steps - causing tmc_etr_enable_hw() to encounter an already-initialized pointer and fire WARN_ON(). No public exploit exists and EPSS is 0.02% (4th percentile), indicating near-zero real-world exploitation probability; patched kernel versions 6.18.14, 6.19.4, and 7.0 are available.