Server-side request forgery in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition allows remote unauthenticated attackers to write files to the underlying operating system via crafted HTTP requests, which Cisco notes can be leveraged to escalate to root. Cisco has assigned this a Critical Security Impact Rating despite the 8.6 CVSS score because of the root-escalation pathway. No public exploit identified at time of analysis, and exploitation requires the non-default WebDialer service to be enabled.
Denial of service in Apache HTTP Server 2.4.17 through 2.4.67 (via the bundled mod_http2 module) allows remote unauthenticated attackers to exhaust server memory by sending crafted HTTP/2 requests whose cookie headers are not correctly counted against LimitRequestFields. Publicly available exploit code exists and a third-party write-up describes a 'hidden HTTP/2 bomb,' but EPSS exploitation probability is currently very low (0.02%, 5th percentile) and the CVE is not on the CISA KEV list.
Privilege escalation in the Mojoomla School Management WordPress plugin (versions up to and including 93.2.0) allows authenticated low-privileged users to elevate their permissions to higher-privileged roles such as administrator. The flaw stems from incorrect privilege assignment (CWE-266) and carries a CVSS 3.1 score of 8.8 with no public exploit identified at time of analysis. Any WordPress site running the plugin in its default state is vulnerable until an upstream patch is released.
Origin validation bypass in Jupyter Server 1.12.0 through 2.17.0 lets remote attackers defeat CORS origin checks whenever the optional allow_origin_pat configuration is enabled. Because origin matching uses re.match() (anchored only at the start of the string), an attacker-controlled lookalike domain such as trusted.example.com.evil.com satisfies a pattern meant to allow only trusted.example.com, exposing CORS-protected responses, WebSocket kernels, referer checks, and login redirects. Publicly available exploit code exists via the huntr report, but EPSS is very low (0.02%) and SSVC rates exploitation as POC-only and not automatable, so there is no evidence of widespread active exploitation.
Local privilege escalation potential exists in the Linux kernel's Intel Xe DRM driver (drm/xe/pf) due to a sysfs initialization ordering bug in SR-IOV Physical Function setup, where a failed devm_add_action_or_reset() call invokes kobject_put() on an uninitialized kobject, triggering refcount underflow and use-after-free conditions. The flaw affects Linux kernel 6.19 prior to the 6.19.4 stable patch and has been resolved upstream; no public exploit identified at time of analysis and EPSS rates exploitation probability at only 0.02%.
Unauthenticated LAN-to-WAN admin panel exposure in Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 allows any device on the local network to publish the router's own administrative interface to the public internet via a single UPnP SOAP request. Because the device fails to reject loopback and its own LAN IP as the InternalClient in AddPortMapping requests, an attacker can pivot a temporary LAN foothold into a permanent, internet-reachable management plane exposure. No public exploit is identified at time of analysis, but the technique is trivial and well-documented in the referenced advisory.
Authentication brute-force weakness in Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 allows an attacker on the adjacent network to enumerate the admin password without triggering any lockout. The flaw stems from the TDDP password-change endpoint (code=10) lacking the rate limiting that is enforced on the login endpoint (code=7), giving attackers unlimited guessing attempts. No public exploit identified at time of analysis, but a third-party advisory has been published on GitHub.
Path traversal in MBS industrial gateway products (Single-A, Double-A, Single-X, Double-X series) allows authenticated remote attackers to read arbitrary files on the device via the ugw-logread method. CVSS 4.0 score of 8.7 reflects network-reachable exploitation with only low-privilege user credentials needed, exposing potentially sensitive configuration, credential, and operational data on industrial protocol gateways. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Privilege escalation to root in MBS Single-A, Double-A, Single-X, and Double-X industrial gateway product lines allows authenticated remote attackers to corrupt stack memory in the gdv-serverconfig service and seize full system control. The flaw, reported by CERT@VDE and tracked as CVE-2026-35085 with a CVSS 4.0 score of 8.7 (High), affects multiple fieldbus variants (Profibus, Profinet, KNX, LON, DALI, M-Bus, CAN, X-Link). No public exploit identified at time of analysis, and EPSS data was not supplied for this advisory.
Privilege escalation to root via stack buffer overflow in dali-devconfig affects MBS gateway products including Single-A, Single-X, and the Double-A/Double-X family (Profibus, X-Link, CAN, DALI, KNX, LON, M-Bus, Profinet). A remote attacker holding low-level user credentials can exploit the flaw to gain full system access, with CVSS 4.0 scoring it 8.7 (High). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.
Privilege escalation to root in MBS industrial protocol gateways (Single-A, Double-A, Single-X, Double-X product lines covering Profibus, Profinet, KNX, DALI, LON, M-Bus, CAN, and X-Link variants) is achievable by an authenticated remote user via a stack buffer overflow. The CVSS 4.0 base score of 8.7 reflects network-reachable exploitation with low complexity and only user-level privileges required, leading to full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis, and the issue was coordinated through CERT@VDE (advisory VDE-2026-039), indicating responsible disclosure rather than in-the-wild abuse.
Remote denial of service in the Linux kernel ibmveth driver on IBM Power systems allows attackers to freeze physical network adapters by transmitting GSO packets with an MSS below 224 bytes, halting all traffic until manual reset. The flaw affects multiple stable kernel branches and is fixed upstream, with no public exploit identified at time of analysis and an EPSS score of 0.02% (7th percentile) reflecting low expected exploitation volume despite the high CVSS of 8.6.
Server-Side Request Forgery and path traversal in docling-core versions 1.5.0 through 2.74.0 allow remote attackers to coerce the library into writing files outside the user-defined cache directory by manipulating server-controlled Content-Disposition headers when applications fetch untrusted URLs. The flaw stems from insufficient validation of remote request destinations combined with unsafe resolution of server-supplied filenames. No public exploit identified at time of analysis, but the network-reachable, unauthenticated nature of the bug (CVSS 8.6) makes it a meaningful supply-chain concern for Python applications integrating docling-core for document processing.
Stored cross-site scripting in GLPI 10.0.4 through 10.0.24 allows an authenticated technician to persist a malicious JavaScript payload in the asset locked tab, which executes in the browser of any subsequent user who views the affected asset. The flaw carries a CVSS 4.0 score of 8.4 driven by high impact on confidentiality, integrity, and availability of the victim session, though exploitation requires high privileges (technician role) and user interaction. No public exploit identified at time of analysis and SSVC reports no observed exploitation.
Use-after-free in the Linux kernel's rt9455 power supply driver allows local attackers to trigger memory corruption or system crashes via a race condition during driver probe or removal. The flaw stems from incorrect ordering of devm_-managed resource allocation, where the IRQ handler can fire against a freed or uninitialized power_supply handle. EPSS is very low (0.02%, 7th percentile) and no public exploit is identified at time of analysis, but the CVSS score of 8.4 reflects high impact on confidentiality, integrity, and availability for systems shipping the rt9455 Richtek battery charger driver.
Linked-list corruption in the Linux kernel's btrfs filesystem allows a local user with btrfs write access to trigger memory corruption and a transaction abort when EXTENT_TREE_V2 incompat flag is enabled. The flaw stems from the block group tree being added twice to the switch_commits list, corrupting prev/next pointers and ultimately leading to filesystem inconsistency. No public exploit identified at time of analysis and EPSS probability is low at 0.02%, but the CVSS 8.4 reflects high local impact on confidentiality, integrity, and availability.
PHP object injection in Concrete CMS versions below 9.5.2 allows authenticated high-privileged attackers to trigger arbitrary PHP object instantiation through unsafe unserialize() calls in the Workflow, Form block, and File/Set components. The vulnerability requires a malicious serialized payload to be placed in the database beforehand, and no public exploit identified at time of analysis. The vendor scored this 8.4 (CVSS 4.0), and CISA SSVC indicates no observed exploitation but total technical impact if successfully chained.
Server-side request forgery and potential remote code execution in Docling versions 2.82.0 through 2.90.x affect deployments that explicitly enable the Playwright-based HTML rendering backend. When `render_page=True` is set, untrusted HTML documents can execute arbitrary JavaScript in the rendering browser context and reach internal network services, enabling SSRF, data exfiltration, or code execution in the rendering environment. No public exploit identified at time of analysis, and the issue is not in CISA KEV, but a vendor-confirmed fix exists in 2.91.0.
Unauthenticated UPnP abuse in Mercusys AC12G (EU) V1 routers running firmware AC12G(EU)_V1_200909 allows any device on the LAN to invoke 15 of 18 UPnP IGD actions on port 1900, including AddPortMapping and GetExternalIPAddress, without authentication. Because UPnP is enabled by default, an attacker with adjacent network access can punch arbitrary holes through the WAN firewall and enumerate external network state. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the misconfiguration is trivially abusable once on the LAN.
Improper URI validation in docling-core versions 2.5.0 through 2.74.0 lets remote attackers supplying crafted image references read arbitrary local files readable by the processing user or exhaust memory via oversized inline data: payloads. The flaw exists because the library accepted file:// references and did not enforce a decoded-size cap on inline base64 image content. No public exploit identified at time of analysis, but the GitHub advisory GHSA-j5xp-7m2f-49jv confirms the issue and a fixed release (2.74.1) is available.
Heap buffer overflow in the Linux kernel's pstore/ram subsystem (persistent_ram_save_old function) allows local attackers with low privileges to trigger out-of-bounds writes and reads when the ramoops buffer size grows across boot cycles. The flaw affects Linux kernel versions from 3.5 onward and carries a CVSS 7.8 (High) rating, though exploitation requires a highly improbable chain of conditions across reboots. No public exploit identified at time of analysis, and EPSS is very low at 0.03%.
Use-after-free in the Linux kernel NFC HCI SHDLC subsystem allows local low-privileged attackers to corrupt memory and potentially escalate privileges by triggering teardown races against active timers and queued work items. The flaw exists because llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc structure while timers and the sm_work state-machine handler may still execute concurrently. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the high-impact CVSS (7.8) reflects full CIA compromise on successful exploitation.
Use-after-free in the Linux kernel's procfs subsystem allows a local low-privileged attacker to potentially trigger memory corruption when reading /proc/[pid]/stat due to missing RCU protection around task->real_parent access in do_task_stat(). The race condition occurs when a parent task is released concurrently with another process reading its stat file, leading to a UAF dereference. No public exploit identified at time of analysis, and EPSS scoring is very low (0.02%, 7th percentile), indicating limited expected exploitation activity.
Out-of-bounds array access in the Linux kernel's AMD GPU display driver (drm/amd/display) allows local privileged users to trigger memory corruption via the dcn35_stream_encoder_create() function when eng_id equals ENGINE_ID_DIGF (value 5) or is negative, indexing past the 5-element stream_enc_regs[] array. The flaw stems from a faulty boundary check using <= instead of <, and no public exploit has been identified at time of analysis with an EPSS score of 0.02% (5th percentile) indicating very low exploitation probability.
Out-of-bounds read in the Linux kernel's IPv6 routing subsystem (fib6_add_rt2node) allows a local user with network configuration privileges to trigger memory corruption when adding routes that use the RTA_NH_ID nexthop attribute. The flaw was discovered by syzkaller and confirmed via KASAN slab-out-of-bounds reports. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the bug is in mainline kernel code paths reachable through netlink and is fixed across multiple stable trees.
Use-after-free in the Linux kernel's pm8916_lbc power supply driver allows a local attacker to potentially trigger memory corruption or kernel crashes during device removal. The flaw stems from incorrect ordering of devm_-managed resources: the extcon handle is freed before the IRQ is unregistered, leaving a window where the IRQ handler invokes extcon_set_state_sync() on freed memory. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02% (5th percentile), reflecting low real-world attacker interest in this driver-specific race.
Local privilege escalation and arbitrary code execution in Wassimulator CactusViewer v2.3.0 (Windows) occurs through DLL hijacking, where the application loads a malicious DLL from a writable directory instead of the legitimate library. Exploitation requires user interaction to launch the application after an attacker plants the crafted DLL, and no public exploit identified at time of analysis. EPSS rates exploitation probability at just 0.02% (5th percentile), reflecting the niche user base of this open-source image viewer.
Denial of service in the Linux kernel ath12k Wi-Fi driver affects systems using Qualcomm WCN7850 chipsets with multi-link operation (MLO) connections. When Wake-on-WLAN (WoW) offloads are configured on both primary and secondary links during a multi-link connection, the WCN7850 firmware crashes, disrupting wireless connectivity. EPSS exploitation probability is very low (0.02%, 4th percentile) and no public exploit identified at time of analysis, suggesting this is primarily a stability/reliability fix rather than a security priority.
Use-after-free race condition in OP-TEE OS versions 3.16.0 through 4.10.x enables local low-privileged attackers to corrupt memory within the secure world when OP-TEE is built as an FF-A Secure Partition Manager Core (SPMC) for S-EL0 Secure Partitions. The flaw stems from missing lock acquisition in sp_mem_remove() during shared-memory teardown, allowing concurrent threads to dereference freed sp_mem_map_region or sp_mem_receiver objects. No public exploit identified at time of analysis, but successful exploitation yields high confidentiality, integrity, and availability impact inside the Trusted Execution Environment.
An inclusion of functionality from untrusted control sphere vulnerability in MinGW DLL component in Synology Hyper Backup Explorer before 3.0.1-0156 allows local users to execute arbitrary code via. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL configuration in Synology Active Backup for Business Recovery Media Creator before 2.5.0-2081 allows local users. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive credentials from the MLflow AI Gateway by abusing the `$ENV_VAR` resolution feature in gateway secret configuration. By registering or modifying a gateway route where `api_key` references an environment variable like `$AWS_SECRET_ACCESS_KEY` and pointing `api_base` at an attacker-controlled endpoint, the resolved secret is transmitted in upstream provider authentication headers. Publicly available exploit code exists via the huntr.com bounty disclosure, though EPSS remains low at 0.28% (51st percentile) and the issue is not in CISA KEV.
Boot script injection in OpenStack Ironic versions up to and including 35.0.x allows authenticated tenants to influence boot scripts processed by the bare-metal provisioning service, with integrity impact extending across a CVSS scope change to the provisioned hardware. Confirmed by upstream advisory OSSA-2026-017 and an Ubuntu USN, with no public exploit identified at time of analysis and an EPSS of 0.03% indicating no observed exploitation activity.
Authenticated zone-file injection in Froxlor <=2.3.6 allows a customer with DNS editing enabled to inject newline characters into TXT record content via the DomainZones.add API, breaking out of the record line in the generated BIND zone file and injecting arbitrary BIND directives ($INCLUDE, $GENERATE) or DNS records (A, MX, CNAME). The flaw is an incomplete fix for CVE-2026-30932, which sanitized LOC/RP/SSHFP/TLSA records but left TXT handling reliant only on Dns::encloseTXTContent(), which strips no control characters. Publicly available exploit code exists (detailed PoC including a Python script in the GHSA advisory), but there is no public exploit identified at time of analysis in CISA KEV and no EPSS score was provided.
SQL injection in Mojoomla School Management plugin for WordPress (versions up to and including 93.2.0) allows high-privileged authenticated attackers to inject crafted SQL through unsanitized input, leading to confidentiality compromise of the underlying database and limited availability impact. The scope-changed CVSS 7.6 rating reflects that exploitation can affect resources beyond the vulnerable component, such as the shared WordPress database hosting other plugins or sites. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Path traversal (Zip Slip) in IBM's Docling document processing library before v2.91.0 allows arbitrary file write when the EasyOCR model download function extracts ZIP archives without validating member paths. An attacker who can intercept or substitute the model download source (via MITM, DNS spoofing, or upstream supply-chain compromise) can drop files anywhere the process can write, leading to RCE or persistence. No public exploit identified at time of analysis and the vulnerability is not on the CISA KEV list.
Denial of service in Django Daphne before 4.2.2 allows unauthenticated remote attackers to exhaust server memory by sending oversized WebSocket frames or messages. The flaw stems from Daphne failing to forward maxFramePayloadSize and maxMessagePayloadSize limits to the underlying Autobahn WebSocketServerFactory, which defaults both to unlimited. No public exploit identified at time of analysis, and EPSS is low (0.07%), but the CVSS:3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N) reflects easy network-reachable abuse against any deployment exposing WebSockets.
XML External Entity (XXE) injection in Docling's USPTO patent backend allows remote attackers to trigger denial of service, read arbitrary server files, or perform SSRF by submitting crafted patent XML to vulnerable versions (>=2.13.0, <2.74.0). The flaw stems from use of Python's unsafe xml.sax.parseString() across the ICE v4.x, Grant v2.5, and Application v1.x parsers. No public exploit identified at time of analysis, but the fix is publicly documented in the vendor advisory and a working patched release is available.
Denial of service in FreeIPMI versions before 1.16.18 allows remote attackers to crash the ipmi-oem client by sending malformed IPMI response messages that trigger stack-based buffer overflows in the 'dell get-active-directory-config' and 'fujitsu get-sel-entry-long-text' subcommands. The flaw is client-side: a victim must invoke the affected subcommand against an attacker-controlled or compromised IPMI endpoint. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Denial of service in GoBGP v4.3.0 allows unauthenticated remote attackers to crash or hang BGP speakers by sending a malformed BGP UPDATE message that triggers an integer underflow in the BGPUpdate.DecodeFromBytes parser. The underflow causes uint16 length counters (routelen and pathlen) to wrap to ~65k, leading the parser to silently consume the buffer or fail in ways that disrupt session processing. EPSS is very low (0.04%) and there is no public exploit identified at time of analysis, but the upstream commit demonstrating the bug is publicly visible.
Information disclosure in Phoenix Contact CHARX SEC-3000/3050/3100/3150 EV charging controllers allows an unauthenticated attacker on an adjacent network to download controller log files containing restricted information. No public exploit identified at time of analysis, but the low attack complexity and lack of authentication make opportunistic abuse straightforward once an attacker reaches the same network segment. Reported via CERT@VDE under advisory VDE-2026-060.
Denial-of-service condition in the Linux kernel's HNS RoCE (RDMA over Converged Ethernet) driver affects systems using HiSilicon RDMA hardware alongside SUNRPC/NFS-over-RDMA workloads. The hns_roce_irq_workq workqueue lacks the WQ_MEM_RECLAIM flag while being flushed during QP (Queue Pair) destruction from a memory-reclaim context, triggering a kernel warning and potential stall during RDMA transport reset. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis.
Denial of service in Securly Chrome Extension version 3.0.7 allows on-path network attackers to halt all browsing activity by injecting malicious regular expression patterns into an HTTP-delivered configuration file. The extension fetches config.json over plaintext HTTP and compiles attacker-controlled patterns with new RegExp() without complexity checks, enabling catastrophic backtracking (ReDoS). No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the issue is reported by CERT/CC.
Denial of service in Securly Chrome Extension 3.0.7 allows remote attackers to render all web browsing unusable when the extension's filtering service is unreachable. The extension dynamically registers an undeclared content script (content13.min.js) at runtime via chrome.scripting.registerContentScripts(), hiding every page behind a full-page overlay until the service worker validates the page; if Securly's servers fail or are blocked, pages remain indefinitely blank. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02% (5th percentile).
Information disclosure in Securly Chrome Extension version 3.0.7 allows remote unauthenticated attackers to retrieve SHA-1 hashes via publicly accessible endpoints, where the hashes are weakly protected by a reversible Caesar cipher. The flaw enables recovery of sensitive identifiers protecting filtered content data, with no public exploit identified at time of analysis and an EPSS score of 0.02% indicating very low predicted exploitation activity.
Remote denial-of-service in FRRouting BGP daemon affects stable branches 10.0 through 10.6 via the rfapiRibBi2Ri() function in the RFAPI module. A remote attacker capable of sending crafted BGP UPDATE messages can crash or hang the routing daemon due to missing input validation on encapsulation sub-TLV length fields. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the attack surface is any BGP peer the router accepts sessions from.
Denial of service in the Cpanel::JSON::XS Perl module before version 4.41 allows remote attackers to crash any caller that decodes a UTF-8 BOM prefixed JSON document with a throwing filter callback. The flaw arises from a missed pointer restoration when decode_json aborts via a Perl exception, leaving the input scalar with a corrupted SvPVX pointer that fatally aborts the interpreter on later free. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but CISA SSVC marks the issue as automatable with partial technical impact.
Information disclosure weakness in Securly Chrome Extension version 3.0.7 stems from continued reliance on the deprecated SHA-1 algorithm to hash and match 25,020 IWF CSAM URLs and 12,352 CIPA blocklist URLs. Because SHA-1 is vulnerable to collision attacks, an adversary with knowledge of the hash list could derive or guess matching URLs, exposing sensitive blocklist contents and undermining the integrity of the content-filtering mechanism. There is no public exploit identified at time of analysis and EPSS is very low (0.01%), but the issue was reported through CERT/CC (VU#595768), giving it credible vendor-coordinated provenance.
Cryptographic weakness in Securly Chrome Extension version 3.0.7 and earlier exposes AES-encrypted data to recovery attacks because the extension derives keys using EVP_BytesToKey with MD5 and only a single iteration. Remote attackers who can obtain ciphertext from the extension's storage or network exchanges can feasibly brute-force or precompute keys, leading to disclosure of protected information. EPSS is very low (0.01%), no public exploit has been identified, and the issue is not listed in CISA KEV.
Unauthorized file or directory access in ABB T-MAC Plus version 4.0-24 allows authenticated remote attackers to read, modify, or otherwise interact with resources that should not be externally reachable, with CVSS 4.0 scoring 7.3 due to high confidentiality and availability impact plus scope change to subsequent systems. The flaw is classified under CWE-552 (Files or Directories Accessible to External Parties) and was disclosed by ABB itself. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.