Out-of-bounds read in lwext4 1.0.0's ext4_ext_binsearch_idx function (src/ext4_extent.c) exposes applications to memory disclosure or process crashes when parsing a specially crafted ext4 filesystem image. Insufficient validation of extent header fields before binary search traversal of the extent index tree allows invalid pointer arithmetic, resulting in reads beyond the allocated buffer boundary. A publicly available exploit exists on GitHub; no CISA KEV listing has been confirmed, but the combination of a network-deliverable attack vector and public POC elevates practical urgency for lwext4 consumers.
Authentication bypass in ealpha072's Student-Management-System PHP application exposes the administrative backend to remote unauthenticated attackers via a flaw in admin/config.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero prerequisites - no privileges, no user interaction, no special attack conditions - and a proof-of-concept exploit is publicly available via a GitHub issue report. The vendor has not responded to responsible disclosure and no patched release has been issued, leaving all deployments at or before commit 01451bd7a2f58cdda07bd0b86e3967582e3ecd08 without an official remediation path.
File inclusion in SourceCodester Online Food Ordering System 2.0 allows remote attackers to manipulate the 'page' parameter of /index.php to include arbitrary files via the application's include() function. Publicly available exploit code exists (referenced on GitHub), and the CVSS 7.3 score combined with no authentication or user interaction requirements (AV:N/AC:L/PR:N/UI:N) makes this trivially exploitable against any exposed deployment. The vulnerability falls under CWE-73 (External Control of File Name or Path) and primarily enables information disclosure, though depending on PHP configuration it may escalate to code execution.
Server-side request forgery in crmeb_java 1.4 allows remote unauthenticated attackers to manipulate the base64 Qrcode endpoint's url parameter, causing the server to issue arbitrary outbound HTTP requests via Spring's RestTemplate.getForEntity. The affected component (RestTemplateUtil.java) passes attacker-controlled input directly to the HTTP client without URL validation or allowlisting, enabling internal network reconnaissance, cloud metadata service probing, and potential lateral movement. A public exploit has been disclosed via GitHub issue #35; no vendor patch exists as the project has not responded to the responsible disclosure report.
SQL injection in SourceCodester Pizzafy E-Commerce System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter sent to the Login function in /admin/admin_class_novo.php, compromising the administrative authentication flow. Publicly available exploit code exists per the referenced GitHub proof-of-concept, raising opportunistic exploitation risk despite the limited deployment footprint of this small-scale PHP e-commerce application. No KEV listing or EPSS score is provided, so exploitation appears opportunistic rather than confirmed active.
Divide-by-zero in lwext4 1.0.0's ext4_block_set_lb_size function (src/ext4_blockdev.c) crashes any application that mounts or processes a crafted ext4 filesystem image with a zero logical block size. The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) confirms the impact is limited to availability - no code execution or data exposure - but the crash is reliable and reproducible. Publicly available exploit code exists demonstrating the issue; no active exploitation has been confirmed by CISA KEV.
backpack/crud provides Create, Read, Update & Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration panels. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
NULL pointer dereference in GPAC MP4Box before version 26.02.0 crashes the process when a local user processes a crafted media file, resulting in Denial of Service. The flaw exists in gf_filter_pid_resolve_file_template_ex (filter_pid.c), where prop_val->value.string is passed to strncmp without a prior null check - confirmed by upstream commit diff. Publicly available exploit code exists, but SSVC signals no active exploitation and non-automatable attack conditions; no CISA KEV listing is present.
Version disclosure in FOSSBilling prior to 0.8.0 exposes the exact application version string to all visitors - including unauthenticated guests - via cache-busting query parameters appended to every rendered `<script>` and `<link>` HTML tag, directly bypassing the `hide_version_public` security control on every page of the application. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is network-accessible, unauthenticated, and requires no user interaction, making it trivially observable by any visitor. While not directly exploitable for code execution or data access, this reconnaissance enabler meaningfully lowers the barrier to targeting installations with other known FOSSBilling vulnerabilities; no public exploit has been identified at time of analysis and active exploitation has not been confirmed.
Predictable credential generation in ProjectsAndPrograms school-management-system allows unauthenticated remote attackers to derive valid account passwords for any student or teacher whose date of birth is known or guessable. Passwords are constructed deterministically from the user's date of birth alone (e.g., 12072000 for 12 July 2000), and the application never prompts users to change this default credential, leaving accounts permanently exposed. CVSS 4.0 rates this 6.9 with a fully network-accessible, no-authentication attack vector; no public exploit code has been identified at time of analysis, but the trivial exploitation logic requires no tooling.
Remote code execution in Koha v.25.11 and earlier allows unauthenticated network attackers to inject and execute arbitrary code through the Z39.50 configuration module. Koha is a widely deployed open-source integrated library system (ILS); the affected component handles Z39.50, a standard client-server protocol used for querying remote library catalogues. No public exploit identified at time of analysis, though a researcher technical write-up is publicly available at g03m0n.github.io, and EPSS exploitation probability is low at 0.05% (16th percentile). Notable discrepancy: CVSS impact scores (C:L/I:L) appear understated relative to the arbitrary code execution claim and should be treated with caution.
DNS rebinding on the Mercusys AC12G (EU) V1 router (firmware AC12G(EU)_V1_200909) exposes the router's web management interface to attacker-controlled external origins due to absent HTTP Host header validation. A remote unauthenticated attacker (per CVSS PR:N) can rebind a malicious domain to the router's LAN IP address, then leverage the router's pre-existing CORS wildcard (Access-Control-Allow-Origin: *) to read admin interface responses cross-origin from within the victim's browser. No public exploit beyond the researcher's advisory exists and no CISA KEV listing is present at time of analysis.
Metric name injection in Net::Async::Statsd::Client (Perl, versions through 0.005) allows network-reachable, unauthenticated attackers to inject arbitrary StatsD metrics by supplying untrusted input containing unfiltered newlines, colons, or pipe characters. Because the StatsD wire protocol uses these characters as structural delimiters, unsanitized metric names sourced from user-controlled data can be interpreted as additional, attacker-controlled metrics by the receiving StatsD server. No public exploit identified at time of analysis and EPSS sits at the 9th percentile (0.03%), indicating low observed exploitation pressure, but any Perl application forwarding externally-supplied values as StatsD metric names is directly in scope.
Uninitialized memory consumption in libxls 1.6.3 and earlier exposes server-side applications that parse XLS files to application crashes and potential heap memory disclosure. The flaw resides in the OLE container parser: read_MSAT() allocates memory for the Master Sector Allocation Table without fully initializing it, then passes it to ole2_validate_sector_chain(), which may read uninitialized bytes from the heap. Per the CVSS vector (AV:N/AC:L/PR:N/UI:N), no authentication or user interaction is required - a remote attacker need only supply a crafted XLS file to an application that uses libxls as a parsing backend. No public exploit code or CISA KEV listing exists at time of analysis; EPSS stands at 0.02% (5th percentile), indicating very low observed exploitation activity.
Persistent denial-of-service in the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909 allows an unauthenticated adjacent-network attacker to crash the device by sending a low number of crafted, incomplete HTTP requests, rendering it unresponsive until physically power-cycled. The attack exploits uncontrolled resource consumption (CWE-400) in the router's HTTP service, which fails to safely handle malformed or truncated connections. No public exploit code or active exploitation has been identified at time of analysis, and SSVC signals confirm exploitation status as none.
WPS 2.0 brute-force exposure on the Mercusys AC12G (EU) V1 router allows an adjacent unauthenticated attacker to recover Wi-Fi credentials by exhausting the WPS PIN space against a trivially bypassed lockout policy of only 60 seconds per 10 attempts. Firmware version AC12G(EU)_V1_200909 ships with WPS 2.0 enabled by default, meaning no user reconfiguration is required to be vulnerable. Successful exploitation yields full confidentiality and integrity compromise of the wireless network (C:H/I:H), effectively granting the attacker LAN access. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS of 0.02% reflects low widespread exploitation probability but does not reduce risk for targeted home or small-office environments.
Denial-of-service via quadratic algorithmic complexity in CPython's unicodedata.normalize() affects all CPython versions when processing attacker-controlled Unicode strings. The canonical ordering step during Unicode normalization used an insertion sort algorithm with O(n²) time complexity, which degrades severely when input contains long runs of combining characters with alternating Canonical Combining Class (CCC) values. An unauthenticated remote attacker can cause excessive CPU consumption by submitting small crafted payloads (e.g., 65 characters) to any service that passes untrusted input to unicodedata.normalize(). No public exploit code or CISA KEV listing exists at time of analysis.
Cross-site scripting in Kimi AI v1.0's web interface 'Preview' feature allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by inducing them to view AI-generated content containing unsanitized HTML or JavaScript payloads. The root cause is the application's failure to sanitize or encode output from the AI model before rendering it into the DOM when a user activates the Preview tab. A publicly available proof-of-concept exploit exists at a GitHub repository linked to the CVE; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
Stored XSS in the malla Meshtastic dashboard (pip/malla <= 0.1.7) allows any unauthenticated participant on a public MQTT broker to execute arbitrary JavaScript in the browser of every dashboard visitor. Meshtastic node names (long_name, short_name) received via MQTT are stored in SQLite without sanitization and interpolated directly into multiple HTML templates and frontend JavaScript files without output escaping. No CSP restrictions are in place, compounding impact. No public exploit identified at time of analysis, though full reproduction steps are published in GHSA-ch57-39q2-4crm.
Remote File Inclusion (RFI) in Cisco Finesse enables unauthenticated remote attackers to load attacker-controlled files into an active user's browser session by exploiting insufficient validation of user-supplied HTTP request parameters. Exploitation requires social engineering an authenticated Finesse user into clicking a crafted URL referencing the affected device - no server-side authentication is needed from the attacker's perspective. A successful attack results in arbitrary JavaScript execution within the Finesse interface context (browser-based XSS-class impact) or unauthorized access to sensitive contact center information; no public exploit identified at time of analysis.
Cross-site scripting in Cisco Webex Meetings' web-based UI allowed unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by persuading them to follow a crafted malicious link. Insufficient input validation (CWE-79) in the Webex Meetings web interface is the root cause; the Changed Scope (S:C) in the CVSS vector indicates impact extends beyond the Webex application into the broader browser context, enabling session theft or browser-based data access. Cisco has fully remediated this server-side in the Webex cloud service, and no customer action is required. No public exploit code identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Arbitrary file write on OpenStack Ironic conductor nodes is achievable via path traversal in virtual media ISO handling (OSSA-2026-018). Authenticated attackers who can supply a malicious ISO image through the deploy_iso_href parameter can write files to arbitrary locations on the conductor host, constrained only by the ironic-conductor process's filesystem permissions. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV, but the vulnerability carries a CVSS 3.1 score of 6.5 and is rated Critical severity by the Ironic project.
Arbitrary file read within GLPI_DOC_DIR is exploitable by authenticated technicians in GLPI versions 0.50 through 10.0.24 and 11.0.0 through 11.0.6, stemming from missing authorization controls (CWE-862) on document directory access. An attacker holding a technician-level account can read any file stored under the GLPI_DOC_DIR path without appropriate privilege checks, exposing potentially sensitive documents, attachments, or internal data. No public exploit is identified at time of analysis, and CISA's SSVC framework rates exploitation as none with non-automatable attack paths.
Cleartext credential exposure in the Mercusys AC12G (EU) V1 router (firmware AC12G(EU)_V1_200909) allows a network-positioned attacker to intercept DDNS service credentials in transit. The firmware transmits DDNS credentials over plaintext HTTP with only Base64 encoding - an encoding scheme, not encryption - and contains no TLS implementation whatsoever. A successful man-in-the-middle interception results in full credential disclosure (C:H), enabling an attacker to hijack the associated DDNS hostname and redirect domain traffic. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV.
A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle attackers to obtain user credential. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.
Hardcoded WiFi driver credentials embedded in Mercusys AC12G (EU) V1 production firmware (AC12G(EU)_V1_200909) expose a RADIUS shared secret, a WPS test key, and a default PSK that cannot be changed by end users. An attacker within radio/adjacent-network range who has extracted and reverse-engineered the firmware binary can recover these static credentials and use them to authenticate against the router's wireless infrastructure without possessing legitimate user credentials. No public exploit code is confirmed beyond the researcher's advisory, and no active exploitation is indicated - EPSS sits at 0.02% (5th percentile), consistent with a niche, hardware-specific finding.
Deadlock in the Linux kernel's ASoC fsl_xcvr audio driver causes a hung task and denial of service on NXP i.MX hardware. The defect was introduced by a prior patch (commit f51424872760) that erroneously added a read lock acquisition on controls_rwsem inside fsl_xcvr_mode_put(), unaware that the caller snd_ctl_elem_write() already holds the write lock on that same semaphore for the duration of the put operation. A local user with low privileges who triggers an ALSA control write on an affected system can induce an unresolvable deadlock. No public exploit exists and EPSS is 0.02%, reflecting very low real-world exploitation probability.
Kernel crash in the Linux octeontx2-af driver exposes Marvell OcteonTX2 systems to a denial-of-service condition triggered by kexec reboots when both AF and PF drivers are loaded as modules. Because kexec does not power-cycle hardware, the RVUM block revision register retains its pre-reboot value; the PF driver misinterprets this stale register value as confirmation that AF initialization is complete and proceeds to access hardware state that has not yet been reinitialized in the new kernel, producing a kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), confirming this is a niche reliability defect in a specific hardware/driver configuration rather than an adversarially weaponizable flaw.
Kernel crash (denial of service) affects Qualcomm GFX3D GPU clock management on ARM64 Linux systems running vulnerable kernel versions. A regression introduced by commit d228ece36345 ('clk: divider: remove round_rate() in favor of determine_rate()') left the best_parent_hw field unpopulated in parent_req during GFX3D clock rate determination, causing a NULL dereference crash triggered by normal GPU devfreq monitoring. A local low-privileged user on a Qualcomm MSM/Snapdragon device can induce this crash through GPU frequency scaling activity. No public exploit exists and EPSS is 0.02%, consistent with a narrow hardware-specific bug rather than broadly exploitable vulnerability.
NULL pointer dereference in the Linux kernel's Canaan K230 pinctrl driver causes a local denial of service during device tree parsing. Specifically, k230_pinctrl_parse_functions() dereferences info->pctl_dev->dev before info->pctl_dev is initialized, triggering a kernel panic on systems using the K230 SoC. A low-privileged local attacker on affected hardware can crash the kernel, fully denying system availability. No public exploit code exists and EPSS of 0.02% (5th percentile) indicates minimal exploitation probability; however, the straightforward trigger condition and kernel-crash impact warrant prompt patching on K230-based deployments.
NULL pointer dereference in the Linux kernel's SPI WPCM FIU driver allows a local low-privileged attacker to crash the kernel via a denial-of-service condition. The wpcm_fiu_probe() function passes the return value of platform_get_resource_byname() directly to resource_size() without validating against NULL, meaning if the named resource is absent the kernel dereferences a NULL pointer and panics. No public exploit exists and no active exploitation is confirmed; EPSS of 0.02% (5th percentile) reflects the narrow, hardware-specific attack surface.
NULL pointer dereference in the Linux kernel's GPIO character device subsystem (gpio/cdev) allows a local, low-privileged user to crash the kernel via a denial-of-service. In linehandle_create(), the macro retain_and_null_ptr(lh) sets lh to NULL, but a subsequent debug printout immediately dereferences that same pointer - triggering a kernel panic. No public exploit has been identified at time of analysis, and EPSS indicates very low exploitation probability at 0.02% (5th percentile), consistent with a local-access-only DoS with no code execution or data exposure component.
Local denial-of-service via kernel Oops in the Linux kernel SP804 timer driver on ARM32 platforms when read_current_timer() dereferences an uninitialized sched_clkevt pointer. Affected systems are those where sp804_clocksource_and_sched_clock_init is invoked without use_sched_clock=1, yet sp804_register_delay_timer is still called unconditionally - creating the conditions for a NULL/uninitialized pointer access in sp804_read(). EPSS is 0.02% (5th percentile), no KEV listing exists, and no public exploit has been identified, placing this as low operational priority outside specialized ARM32 embedded deployments.
Double-disable of managed clocks in the Linux kernel's fsl-edma (Freescale/NXP eDMA) DMA engine driver triggers kernel WARN_ON warnings during driver removal, causing an availability impact on affected systems. The bug originates from commit a9903de3aa16731846bf924342eca44bdabe9be6, where clocks allocated via devm_clk_get_enabled() - which automatically handles teardown - are also manually disabled in fsl_edma_remove(), resulting in a 'already disabled/unprepared' warning for each clock. No public exploit has been identified at time of analysis, and EPSS is 0.02% (5th percentile), reflecting the low likelihood of targeted exploitation of this kernel quality defect.
Unaligned memory access in the Linux Kernel's AppArmor DFA table parser causes a denial of service on strict-alignment architectures. AppArmor's deterministic finite automaton (DFA) policy tables, which can originate from either kernel or userspace via apparmor_parser, lack guaranteed 8-byte alignment; on architectures that fault or warn on unaligned access (confirmed via SPARC call trace in the description), loading AppArmor profiles triggers a kernel WARNING at security/apparmor/match.c:316 and fails profile loading. No public exploit exists and no KEV listing is present; EPSS is 0.02% (5th percentile), consistent with a low-severity, architecture-specific, local-only issue.
Improper locking in the Linux kernel regulator subsystem's `regulator_resolve_supply()` error path allows a local low-privileged attacker to trigger a kernel crash or denial of service. The error path invokes `_regulator_put()` without holding the required `regulator_list_mutex`, producing a lockdep warning and exposing an unguarded concurrent access window when clearing the `rdev` supply pointer. No public exploit has been identified at time of analysis, and with an EPSS of 0.02% (5th percentile), real-world exploitation probability is very low.
Null pointer dereference in the Linux kernel's AMD GPU display driver (drm/amd/display) crashes the kernel during Hot Plug Detection (HPD) initialization on systems with AMD GPUs. The amdgpu_dm_hpd_init() function assigns dc_link from a connector but then unconditionally dereferences it at line 940 of amdgpu_dm_irq.c without first confirming it is non-NULL - connectors lacking a valid dc_link trigger a kernel NULL dereference. Exploitation requires local, low-privileged access to a system with an affected AMD GPU; no public exploit has been identified at time of analysis and EPSS probability is 0.02% (5th percentile), indicating very limited real-world exploitation pressure.
Denial of service in the Linux kernel's DRM Panthor GPU driver allows a local authenticated user to trigger an unrecoverable system hang via a blocked GPU memory subsystem. Specifically, when `panthor_gpu_flush_caches()` times out due to a blocked memory subsystem - a condition inducible through buggy GPU jobs submitted by user-mode drivers (UMD) - the driver previously had no recovery path, causing indefinite waits and system unavailability. The fix introduces timeout-aware reset scheduling and immediate -EIO short-circuiting for queued flush operations after a failure, but until patched, the condition is exploitable by any local user with access to the GPU device. No public exploit code exists and EPSS is extremely low (0.02%), consistent with a niche hardware-specific local DoS.
NULL pointer dereference in the Linux kernel's PCI endpoint NTB driver allows an authenticated local attacker to crash the kernel (denial of service) by triggering a memory allocation failure during driver initialization. The missing NULL check after `alloc_workqueue()` in `epf_ntb_epc_init()` causes a subsequent `queue_work()` call to dereference a NULL pointer, resulting in a kernel panic. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface; this is not confirmed actively exploited (CISA KEV absent).
Inverted debug assertion in the Linux kernel PCI/P2PDMA subsystem triggers a spurious kernel warning in p2pmem_alloc_mmap() when CONFIG_DEBUG_VM is enabled, resulting in high availability impact on affected systems. The root cause is a stale VM_WARN_ON_ONCE_PAGE condition that was not updated after commit b7e282378773 changed the initial page refcount from one to zero, causing the assertion to fire on every valid P2PDMA allocation. Authenticated local users with access to P2PDMA-capable hardware can exploit this on debug-compiled kernels to cause denial of service; no public exploit exists and EPSS is 0.02% (4th percentile), reflecting negligible real-world exploitation likelihood.
Denial-of-service via recursion deadlock in the Linux kernel's NFS LOCALIO subsystem when direct memory reclaim occurs on systems using loopback NFS mounts. The LOCALIO optimization - which bypasses network I/O when NFS client and server share the same host - fails to restrict its page cache allocations to GFP_NOFS context, allowing the kernel memory allocator to re-enter NFS via nfs_writepages during reclaim (path: NFS LOCALIO → XFS → NFS), producing a deadlock and kernel hang. No public exploit exists and EPSS stands at 0.02% (4th percentile), consistent with a kernel subsystem defect that requires a specific local configuration rather than a broadly exploitable condition. Vendor-released patches are available across stable kernel branches.
Stale link mapping in the ath12k Wi-Fi 7 driver causes a kernel WARN_ON condition when MLO (Multi-Link Operation) connection preparation fails mid-initialization, leaving ahvif->links_map in an inconsistent state. Systems running the Linux kernel with Qualcomm ath12k hardware (e.g., QCN9274) are affected across stable branches through 6.18.13, 6.19.3, and pre-7.0 releases. A local low-privileged user capable of triggering repeated MLO authentication failures can induce kernel warning conditions, resulting in high availability impact with no public exploit identified at time of analysis.
Path traversal in Docling's LaTeX backend (pip/docling versions 2.73.0 through 2.90.x) allows an attacker who supplies a crafted LaTeX document to read arbitrary files accessible to the conversion process via the \includegraphics, \input, and \include command handlers. With a high confidentiality impact (C:H) but local attack vector and required user interaction (AV:L/UI:R per CVSS), the practical risk is concentrated in automated document-processing pipelines or services that ingest untrusted .tex files. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV. A vendor-released patch exists as of version 2.91.0.
Stored Cross-Site Scripting in Koha 25.11 and earlier allows a remote authenticated attacker to inject and execute arbitrary JavaScript in victim browsers via the file upload function within the Invoice features module. The CVSS Scope:Changed designation indicates the injected script executes in a security context beyond the attacker's own session - targeting higher-privileged users (e.g., acquisitions staff or administrators) who subsequently view the affected invoice. A researcher blog post at g03m0n.github.io documents this vulnerability, suggesting public technical details are available. No public exploit identified at time of analysis, and EPSS at 0.05% (16th percentile) indicates low observed exploitation probability.
Hard-coded credentials embedded in NetApp Active IQ OneCollect 2.7.3 allow any low-privileged authenticated user to perform unauthorized AutoSupport operations beyond their intended authorization scope. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-accessible exploitation with low complexity, requiring only a low-privilege account with no special attack conditions. No public exploit has been identified and the vulnerability does not appear in the CISA KEV catalog at time of analysis.
Hard-coded credentials in NetApp Active IQ Config Advisor 6.7.3 enable authenticated low-privileged attackers to perform unauthorized AutoSupport operations against connected NetApp infrastructure. The embedded credentials bypass intended access controls, allowing any account holder to trigger or manipulate AutoSupport telemetry functions beyond their assigned privilege level. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.
Memory exhaustion in quic-go's HTTP/3 implementation allows remote unauthenticated attackers to crash or degrade servers and clients by sending crafted QPACK-encoded HEADERS frames that exploit missing decoded size limits on HTTP trailer field sections. Affected versions (<= 0.59.0) enforce size caps only on the compressed HEADERS frame, not on the decoded output - a malicious peer can achieve roughly 50x expansion via QPACK static table entries, overwhelming available memory. No public exploit code has been identified at time of analysis, but the attack vector is network-accessible with no authentication required, making this a practical denial-of-service risk for any Go application using quic-go for HTTP/3.
Log injection in morgan Node.js middleware versions 1.2.0 through 1.10.1 allows unauthenticated remote attackers to forge access log entries by embedding CR or LF control characters in the Basic authentication username of the Authorization request header. The :remote-user format token writes this value to the log stream without sanitization, breaking the one-request-per-line log structure and enabling attackers to fabricate arbitrary log lines visible to downstream consumers such as SIEMs or log aggregators. No active exploitation is confirmed (not in CISA KEV) and no public exploit code is identified at time of analysis, but the zero-prerequisite network attack vector and widespread use of morgan across the Node.js/Express ecosystem make this a meaningful integrity risk for security monitoring pipelines.
Header injection via parser differential in daphne before 4.2.2 allows unauthenticated remote attackers to smuggle synthetic headers into the ASGI scope received by Django applications during WebSocket handshake processing. The root cause is that Twisted (which daphne uses to parse inbound HTTP) ignores six specific Unicode bytes as line separators, while autobahn (which daphne feeds for WebSocket negotiation) calls Python's str.splitlines() and recognizes them - causing a single header value to be split into multiple injected header lines. No public exploit has been identified at time of analysis, and CVSS scores this at 3.7 (Low) due to high attack complexity, though real-world severity scales with how heavily the downstream application trusts ASGI-scope headers for security decisions.
Use-of-uninitialized memory in libxls 1.6.3 exposes applications that parse XLS files to potential information disclosure via heap memory leakage. The flaw originates in the OLE layer (ole2_read) and surfaces in xls_parseWorkBook() when processing malformed XLS input, meaning any downstream application or service that accepts and parses XLS files using this library inherits the exposure. With a CVSS score of 5.3 and an EPSS of 0.02% (6th percentile), real-world exploitation probability is low; no public exploit or CISA KEV listing exists at time of analysis.