Discretionary access control bypass in Google Chrome's Extensions subsystem affects all versions prior to 149.0.7827.53, enabling integrity compromise without exposing confidential data. Exploitation requires convincing a target user to install a crafted malicious Chrome Extension, placing social engineering at the center of any attack path. No public exploit code exists and no active exploitation has been confirmed; EPSS sits at 0.01% (1st percentile), indicating very low observed exploitation probability at time of analysis.
Out-of-bounds read in Chrome's GWP-ASan memory safety subsystem (versions prior to 149.0.7827.53) enables a local attacker to disclose potentially sensitive contents from process memory by delivering a malicious file to the target. The vulnerability carries a CVSS 6.5 Medium score with high confidentiality impact but no integrity or availability impact, consistent with a pure information-disclosure class. No public exploit code has been identified at time of analysis, EPSS exploitation probability is extremely low at 0.01% (1st percentile), and SSVC assessment confirms no known active exploitation, collectively indicating a low near-term threat priority despite the notable confidentiality impact rating.
Cross-origin data leakage via an inappropriate CSRF-class implementation in Google Chrome's Payments component on Android prior to 149.0.7827.53 allows network-delivered exploitation when a victim visits a crafted HTML page. The confidentiality impact is rated High by CVSS (C:H), as sensitive payment-related data from one origin can be exposed to an attacker-controlled page. No public exploit has been identified at time of analysis and the EPSS score of 0.01% (1st percentile) indicates a low probability of in-the-wild exploitation, making this a medium-priority patch rather than an emergency response item.
Out-of-bounds heap read in Google Chrome's Extensions component on Linux exposes sensitive process memory to a malicious extension author. Affected versions are Chrome on Linux prior to 149.0.7827.53; Windows and macOS are not listed as affected. Exploitation requires convincing a target user to install a crafted malicious extension, limiting exposure compared to the CVSS 6.5 score implies - no public exploit identified at time of analysis, and EPSS of 0.01% (1st percentile) reflects low current exploitation probability.
Same-origin policy bypass in Google Chrome's Extensions subsystem (versions prior to 149.0.7827.53) allows an attacker who socially engineers a user into installing a crafted malicious extension to violate cross-origin boundaries, enabling unauthorized integrity impact against content from other origins. The CVSS vector (I:H, C:N) confirms the impact is write/modify-only - sensitive data exfiltration is not a direct consequence. No public exploit code or active exploitation has been identified at time of analysis; EPSS is negligible at 0.01% (1st percentile), consistent with the social-engineering prerequisite limiting mass exploitation.
Navigation restriction bypass in Google Chrome's Extensions subsystem (all versions prior to 149.0.7827.53) enables circumvention of browser-enforced navigation controls when a user installs a crafted malicious extension. Rooted in CWE-284 (Improper Access Control), the flaw allows the extension to override navigation guards - potentially enabling unauthorized redirects or bypass of URL-based security policies - with a high integrity impact per CVSS (I:H). No public exploit has been identified at time of analysis, EPSS is 0.01% (1st percentile), and the vulnerability is not listed in CISA's KEV catalog, indicating low current exploitation momentum despite a medium CVSS score of 6.5.
Site isolation bypass in Google Chrome prior to version 149.0.7827.53 enables an attacker to circumvent Chrome's site isolation security boundary through a crafted malicious extension, resulting in high integrity impact (I:H per CVSS). The attack is gated by user interaction - specifically, the victim must be convinced to install the malicious extension - after which the extension exploits insufficient policy enforcement in Chrome's Extensions subsystem to cross site isolation boundaries without authorization. No public exploit has been identified at time of analysis, and the EPSS score of 0.01% (1st percentile) indicates negligible current exploitation interest.
Insufficient policy enforcement in Google Chrome's Extensions subsystem prior to version 149.0.7827.53 allows a crafted extension to bypass discretionary access controls (DAC), producing high-integrity impact with no confidentiality or availability consequence. Exploitation requires an attacker to socially engineer a user into installing a malicious extension, after which the extension subverts Chrome's permission boundary enforcement. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog; EPSS is extremely low at 0.01% (1st percentile), consistent with no observed mass exploitation.
Improper input validation in MISP's over-correlations endpoint allows an authenticated high-privileged attacker to inject arbitrary ordering clauses into database queries via the user-controlled `order` request parameter. All MISP instances running version 2.5.38 and earlier are affected. While direct impact is bounded by query-ordering manipulation, the vulnerability carries SQLi tags and high subsequent system impact scores (SC:H/SI:H/SA:H in CVSS 4.0), suggesting that a successfully crafted ordering expression could escalate to unsafe query construction or unintended data exposure. No public exploit has been identified at time of analysis.
DNS transaction ID entropy collapse in AdGuard Home (≤v0.107.74) and its underlying dnsproxy library (≤v0.81.2) reduces the backend UDP forwarding tuple from two random variables to one: the DNS ID is deterministically 0 on every client-triggered DoQ-to-UDP hop, leaving only the UDP source port as the sole remaining entropy variable. An off-path attacker who can inject spoofed ICMP error messages toward the resolver's egress address can exploit a reliable source-port oracle - confirmed across four consecutive runs for both products - to identify the correct backend socket state before injecting a forged DNS response, placing this attack in the same threat-model class as SAD DNS and TUdoor. No public exploit confirmed at time of analysis beyond the working oracle reproducer included in the advisory disclosure; the advisory is not listed in CISA KEV.
Stored cross-site scripting in Arket Globe Document Intelligence 5.0.0.559 enables authenticated low-privilege attackers to inject persistent JavaScript payloads into document text fields, which execute in the browsers of other users viewing the 'Task in Progress / Recent' page. The CVSS High confidentiality impact (C:H) reflects the realistic risk of session token theft or account takeover against higher-privileged users such as administrators. Publicly available exploit code exists on GitHub (vincenzo-emanuele/CVE-2025-65640), and while no CISA KEV listing is present, the SSVC framework confirms exploitation-class proof-of-concept activity.
Integer underflow in Zephyr RTOS Bluetooth Mesh solicitation handling (versions ≤ 4.3.0) allows any physically proximate, unauthenticated BLE device to corrupt memory via a crafted advertising PDU, potentially causing denial of service or arbitrary code execution on the target device. The flaw resides in bt_mesh_sol_recv() within the OD Private Proxy Server feature and requires no prior pairing or device association to trigger. No public exploit has been identified at time of analysis and EPSS probability is low at 0.02%, but the combination of zero-interaction exploitation and RCE impact on embedded IoT devices warrants prioritization where this configuration is deployed.
Navigation restriction bypass in Google Chrome's Glic component (versions prior to 149.0.7827.53) enables remote attackers to circumvent browser navigation controls by delivering a crafted HTML page that the victim must open. The vulnerability is rooted in an inappropriate implementation (CWE-284, Improper Access Control) within the Glic subsystem and yields limited but multi-dimensional impact across confidentiality, integrity, and availability (C:L/I:L/A:L). No public exploit identified at time of analysis and this CVE does not appear in CISA KEV; Google has assigned a 'Medium' severity rating consistent with the CVSS 6.3 score.
Navigation restriction bypass in Google Chrome prior to 149.0.7827.53 allows a remote, unauthenticated attacker to circumvent policy enforcement in the browser's Actor component by delivering a crafted HTML page to a target user. The flaw (CWE-602) enables unauthorized navigation actions that could expose users to cross-origin manipulation or redirects with low but non-trivial confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, and EPSS of 0.02% combined with SSVC exploitation status of none indicates limited active threat, though the broad attack surface of any Chrome desktop user visiting a malicious page warrants timely patching.
Same-origin policy bypass in Google Chrome's Media Session component (prior to 149.0.7827.53) enables remote attackers to violate cross-origin isolation via a crafted HTML page. The vulnerability stems from an inappropriate implementation (CWE-346: Origin Validation Error) in the Media Session API, which fails to properly enforce origin boundaries. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; EPSS sits at 0.02% (4th percentile), consistent with low observed exploitation activity.
Password reset token enumeration in FOSSBilling prior to 0.8.0 exposes three authentication endpoints - including the elevated-privilege admin reset at `/staff/email/:hash` - to unlimited brute-force guessing due to a rate limiter architecturally scoped exclusively to `/api/*` routes. The confirmation endpoint acts as a CWE-204 oracle, returning distinguishable HTTP responses (200 for valid tokens, 302 redirect for invalid), allowing an unauthenticated remote attacker to probe token validity without throttling, lockout, or attempt counting. Practical exploitation risk is substantially reduced by 256-bit token entropy (`hash('sha256', random_bytes(32))`) combined with a 15-minute expiry window, which is accurately reflected in the CVSS 4.0 AC:H/AT:P scoring; no public exploit or CISA KEV listing has been identified at time of analysis.
Reflected XSS in WWBN AVideo's YouTubeAPI plugin allows any unauthenticated remote attacker to execute arbitrary JavaScript in a victim's browser by inducing the victim to open a single crafted URL. The unsanitized `$_GET['search']` parameter is interpolated raw into pagination link href attributes in `plugin/YouTubeAPI/gallerySection.php`, and the AVideo Layout plugin then automatically hoists the injected script tag into a clean executable inline script block at page bottom - bypassing naive attribute-context filters. A detailed proof-of-concept is publicly documented in GitHub Security Advisory GHSA-hgjh-6wj8-gcgf; no active exploitation confirmed in CISA KEV at time of analysis.
Universal Cross-Site Scripting (UXSS) in Google Chrome for iOS prior to 149.0.7827.53 allows a remote, unauthenticated attacker to inject arbitrary scripts or HTML across origin boundaries by delivering a crafted QR code and convincing the target to perform specific UI gestures within the browser. The CVSS Scope:Changed rating confirms this bypasses the same-origin policy, meaning injected scripts can access sessions and data from other open origins. No public exploit code has been identified at time of analysis, and the EPSS score of 0.07% (22nd percentile) indicates low observed exploitation probability, though the attack is fully network-accessible once social engineering is achieved. Note: the 'RCE' tag attached to this CVE is inconsistent with the description, which describes UXSS - not OS-level code execution - and should be treated as a tagging error.
Universal Cross-Site Scripting (UXSS) in Google Chrome for Android's Tab Group Sync feature allows remote unauthenticated attackers to inject arbitrary scripts or HTML via malicious network traffic against Chrome versions prior to 149.0.7827.53. The CVSS Changed Scope (S:C) confirms that injected content escapes the vulnerable component's origin boundary, affecting other origins - the defining characteristic of UXSS, which is more severe than conventional XSS because it bypasses the browser-level same-origin policy rather than just application-level controls. No public exploit has been identified at time of analysis, and EPSS at 0.07% (22nd percentile) reflects low current exploitation probability; the vulnerability is not listed in CISA KEV.
Universal Cross-Site Scripting (UXSS) in Google Chrome's DevTools component allows an attacker who has already compromised the renderer process to inject arbitrary scripts or HTML across security origins via a crafted HTML page, bypassing the same-origin policy. Affected versions are all Chrome releases prior to 149.0.7827.53. No public exploit code exists and no active exploitation has been observed; this vulnerability functions as a second-stage capability within a broader attack chain requiring prior renderer compromise.
Universal Cross-Site Scripting (UXSS) in Google Chrome's CSS implementation prior to version 149.0.7827.53 allows remote unauthenticated attackers to inject arbitrary scripts or HTML across origin boundaries via a crafted HTML page, requiring only user interaction. The Scope:Changed CVSS component (S:C) confirms this bypasses Chrome's Same-Origin Policy, enabling access to content from other origins in the victim's browser session. No public exploit code has been identified at time of analysis, and this is not listed in CISA KEV; however, UXSS classes in major browsers are historically targeted by threat actors for session hijacking and credential theft.
Universal Cross-Site Scripting (UXSS) in Google Chrome's XML processing component allows remote unauthenticated attackers to inject arbitrary scripts or HTML across origin boundaries by luring a victim to a crafted HTML page. All Chrome versions prior to 149.0.7827.53 are affected, with the Scope:Changed (S:C) CVSS vector confirming this vulnerability can bypass the Same-Origin Policy - the defining characteristic of UXSS. No public exploit code has been identified at time of analysis, and the EPSS score of 0.06% (18th percentile) reflects low observed exploitation probability, though UXSS primitives are historically attractive to threat actors targeting session data and credential theft at scale.
Universal Cross-Site Scripting (UXSS) in Google Chrome's Keyboard implementation prior to version 149.0.7827.53 enables remote unauthenticated attackers to inject arbitrary scripts or HTML across origin boundaries via a crafted HTML page. The Scope:Changed CVSS vector reflects the fundamental nature of this class: successful exploitation bypasses the Same-Origin Policy, potentially granting script access to sessions, cookies, and DOM content across all origins open in the browser. No public exploit has been identified at time of analysis, and the EPSS score of 0.06% (18th percentile) indicates low current exploitation probability, though UXSS primitives are historically high-value for targeted attacks.
Open redirect in WebOb (pip/webob <= 1.8.9) enables unauthenticated network attackers to redirect victims to arbitrary attacker-controlled domains by bypassing the prior CVE-2024-42353 patch. The bypass exploits Python 3.10+'s silent stripping of ASCII control characters (tab, CR, LF) from URLs before parsing, so a crafted path like /\t/attacker.com passes the previous // guard, then gets normalized by urlsplit into a protocol-relative URL pointing to attacker.com. No public exploit has been identified at time of analysis beyond the advisory's own proof-of-concept code, but the bypass technique is trivial and the full exploit path is published in the GitHub advisory GHSA-fh3h-vg37-cc95.
Out-of-bounds write in Samsung's rlottie animation rendering library allows a crafted Lottie animation file to trigger integer truncation in the embedded FreeType rasterizer, causing memory corruption. All rlottie versions before commit dcfde72eae1b0464dc0dd760aec00ada6a148635 are affected, spanning any downstream product or platform embedding this library (including Samsung TV and appliance firmware). Exploitation requires local access and user interaction to render a malicious animation, with primary impact being high availability loss (crash/DoS) and limited integrity impact; no public exploit identified at time of analysis and no active exploitation confirmed.
Stack-based buffer overflow in Samsung Open Source rlottie's FreeType-derived cubic Bezier rasterizer allows a local attacker, via a crafted Lottie animation file, to crash the embedding application or potentially corrupt stack memory. The vulnerable code in `gray_render_cubic` (`src/vector/freetype/v_ft_raster.cpp`) subdivides Bezier curves onto a fixed-size `bez_stack` (capacity 32×3+1 vectors) without a depth guard, so a pathologically complex curve exhausts the buffer. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Uncontrolled recursion in Samsung's rlottie library, affecting all versions before commit e2d19e3b, allows a locally-delivered malicious Lottie animation file to crash the host application by triggering infinite recursive resolution of circular precomposition asset references during parsing. The CVSS vector (AV:L/UI:R/A:H) confirms the primary impact is high availability loss - a stack overflow - with no confidentiality exposure despite the 'Information Disclosure' tag in source metadata. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Integer overflow in Samsung's rlottie animation library allows a crafted Lottie animation file to trigger memory corruption, resulting in high availability impact and low integrity impact on the rendering application. Specifically affecting the gradient color-stop parsing logic in lottiemodel.cpp, the flaw arises when a malformed colorPoints value causes a signed integer multiplication to overflow before being assigned to a size_t, producing an undersized buffer computation. No active exploitation has been identified at time of analysis, and a fix is available upstream via GitHub PR #592, though a formally tagged release version has not been independently confirmed.
Out-of-bounds read in Samsung's rlottie rendering library prior to commit 223a2a41ba4f462e4abe767bebba49a366c9b9fd allows a local attacker to crash the rendering process (high availability impact) or cause low-level integrity corruption by supplying a crafted Lottie animation file. Two distinct code paths are affected: signed integer overflow in FreeType raster bit-shift macros and a missing zero-stopCount guard in gradient color table generation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, but the wide embedding of rlottie in Samsung consumer devices (TVs, appliances) represents a meaningful aggregate exposure.
Uncontrolled memory allocation in Samsung Open Source rlottie allows a local attacker to trigger excessive heap allocation by supplying a crafted Lottie animation file containing polygon or polystar shape elements with arbitrarily large point counts. Affected are all rlottie versions prior to commit 0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd. An attacker who can cause a user to open a malicious .lottie or .json animation - in any application embedding the rlottie library - can achieve a high-severity denial-of-service and a minor integrity impact, consistent with the CVSS A:H/I:L scoring. No public exploit code exists and no CISA KEV listing is present at time of analysis.
Uncontrolled recursion and uninitialized pointer access in Samsung's rlottie animation library allow a locally-delivered malicious Lottie file to crash any host application via stack exhaustion. All rlottie versions prior to commit eae37633fda13ac05b25c6c95aacea4bc33c80a3 are affected; the PR #593 fix confirms cyclic layer parent references in crafted JSON animation payloads as the definitive trigger. No public exploit code has been identified at time of analysis and rlottie is not listed in CISA KEV, though the high availability impact (A:H) makes denial-of-service reliable for applications that accept user-supplied animation content.
Privilege escalation in Google Chrome's Enterprise feature (versions prior to 149.0.7827.53) allows a local attacker with physical device access to elevate privileges and access confidential information. The CVSS vector (AV:P/C:H) confirms the attack requires hands-on physical access to the target device, limiting the realistic threat surface to scenarios such as unattended or shared managed endpoints. No public exploit exists and no active exploitation has been identified at time of analysis; EPSS at 0.01% (1st percentile) and SSVC exploitation status of 'none' align with the low overall risk posture.
Missing authorization on the Admin Dashboard endpoint of LakshayD02's Hostel-Management-System-PHP allows low-privileged authenticated users to manipulate the ID parameter in hostel/index.php to access or modify records beyond their permitted scope. All commits up to f87e67c283bab6f718faf2fec6ae39a13bd7036b are affected; the project uses no formal versioning, so no unaffected release exists. Publicly available exploit code exists, and the project maintainer had not responded to coordinated disclosure at time of reporting.
SQL injection in itsourcecode Fees Management System 1.0 exposes the `/receipt.php` endpoint to database manipulation by authenticated remote attackers via the `ef_id` parameter. The CVSS temporal metric E:P confirms a publicly available exploit, disclosed via a GitHub issue, meaning exploitation is accessible to low-skilled attackers. No CISA KEV listing is present, but the combination of public POC, network-reachable attack vector, and low attack complexity makes this a credible threat for any internet-facing deployment of this PHP application.
Reflected cross-site scripting in itsourcecode Fees Management System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript into a victim's browser session by manipulating the 'page' parameter in /navbar.php. The attack requires user interaction - a victim must follow a crafted URL - limiting mass exploitation, but publicly available exploit code (referenced via a GitHub issue) lowers the barrier for targeted phishing campaigns. No CISA KEV listing; EPSS data was not provided, though the combination of no authentication requirement and public POC warrants prompt attention for exposed deployments.
SQL injection in itsourcecode Fees Management System 1.0 allows authenticated remote attackers with low privileges to manipulate database queries via the `ID` parameter in `/manage_user.php`. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-accessible exploitation requiring only a low-privilege account, with confidentiality, integrity, and availability all partially impacted. A public proof-of-concept exploit is available (E:P in CVSS temporal metrics, corroborated by a GitHub issue), though no active exploitation has been confirmed via CISA KEV. No vendor-released patch has been identified at time of analysis.
SQL injection in itsourcecode Fees Management System 1.0 allows low-privileged remote attackers to manipulate database queries via the `ID` parameter in `/manage_student.php`, resulting in partial compromise of confidentiality, integrity, and availability. The affected product is a PHP-based academic fee tracking application; exploitation requires a valid low-privilege account but no additional user interaction. A publicly available proof-of-concept exploit (referenced via GitHub) lowers the bar for opportunistic exploitation, though no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.
Unrestricted file upload in Stumasy (mjperpinosa) allows a low-privileged authenticated attacker to upload arbitrary files through the profile image change endpoint, potentially enabling server-side code execution. The vulnerable parameter `pr_profile_image` in `application/PHP/objects/profiles/change_profile_image.php` performs no meaningful file type validation, making it trivial to submit non-image payloads including PHP webshells. A publicly available exploit exists via the project GitHub issue tracker; the vendor has not responded to the disclosure, and no patch has been released. No CISA KEV listing at time of analysis.
Unrestricted file upload in mjperpinosa's stumasy PHP application allows authenticated remote attackers to upload arbitrary and potentially dangerous file types via the up_file_to_post parameter in add_post.php, enabling likely remote code execution through web shell deployment. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-reachable exploitation requiring only low-privilege authentication with no user interaction. A publicly available proof-of-concept exploit exists (disclosed via GitHub issue), and the vendor has not responded to the responsible disclosure - no patch is available at time of analysis.
Server-level configuration changes can be made by any authenticated low-privilege user in Octopus Server through a specific API endpoint that fails to enforce authorization correctly, despite returning an error response to the caller. The flaw affects multiple active release lines - 2026.1.x, 2025.4.x, and 2023.x - and carries a CVSS 4.0 score of 6.0 with high availability impact on the vulnerable system. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Cross-origin data leakage in Google Chrome's WebRTC implementation allows a network-positioned attacker to extract sensitive cross-origin information via crafted malicious network traffic. Affected versions are all Chrome releases prior to 149.0.7827.53; the fix is available in the stable channel update. No public exploit exists and no active exploitation has been identified - EPSS sits at 0.02% (4th percentile) and CISA SSVC assesses exploitation as none and automation as not feasible, placing real-world urgency well below the raw CVSS confidentiality impact suggests.
Path traversal in Tautulli's cache deletion API endpoint allows authenticated low-privilege users to delete arbitrary directories outside the configured cache root, resulting in arbitrary data loss and service disruption. All Tautulli versions prior to 2.17.1 are affected; the vendor-confirmed fix is v2.17.1 (released 2026-05-04). The CVSS 4.0 E:P modifier confirms proof-of-concept exploit code exists, and no public exploit identified at time of analysis rises to CISA KEV-confirmed active exploitation.
UI spoofing via malicious network traffic in Google Chrome's TabGroups feature (all versions prior to 149.0.7827.53) enables remote unauthenticated attackers to misrepresent browser interface elements to victims, exploiting CWE-451 (UI Misrepresentation of Critical Information). The CVSS 5.4 score reflects limited but real confidentiality and availability impact (C:L/A:L), with Chromium's own severity team rating it Low. No public exploit identified at time of analysis, and Google has released a remediation in the 149.0.7827.53 stable channel update.
UI spoofing in Google Chrome's Accessibility component on Android prior to 149.0.7827.53 enables remote attackers to misrepresent interface elements via a crafted HTML page. Per the CVSS vector (PR:N/UI:R), unauthenticated remote attackers can achieve this through user-visited pages, with limited integrity and availability impact (I:L/A:L) and no confidentiality breach. EPSS at 0.03% (11th percentile) indicates very low exploitation probability, no public exploit exists, and this vulnerability is not listed in the CISA KEV catalog.
Script injection via Chrome's Accessibility component allows a remote attacker who convinces a victim to install a malicious extension to perform Universal Cross-Site Scripting (UXSS), injecting arbitrary scripts or HTML into web page contexts the user visits. Affected are all Chrome desktop versions prior to 149.0.7827.53. EPSS is 0.01% (2nd percentile) and this vulnerability is not in CISA KEV, indicating very low real-world exploitation probability at time of analysis; however, the social-engineering prerequisite (malicious extension installation) remains a credible threat vector in targeted campaigns.
Unauthenticated cross-origin read and write access to local development secrets in the Nhost CLI configserver affects all developers running `nhost dev` with CLI versions prior to 1.46.0. The hidden `configserver` subcommand exposes a Mimir GraphQL API with no-op authorization middleware and wildcard CORS (`Access-Control-Allow-Origin: *`), allowing any web page from an arbitrary origin to exfiltrate Hasura admin secrets, JWT signing keys, webhook secrets, and Grafana credentials, or inject attacker-controlled values into the local `.secrets` file. Publicly available exploit code exists within the security advisory itself; this CVE is not listed in CISA KEV, so no confirmed active exploitation in the wild is established at time of analysis.
Cross-origin data leakage in Google Chrome's GPU component (prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to exfiltrate sensitive cross-origin information by delivering a specially crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) assigns a score of 6.5 Medium, reflecting high confidentiality impact tempered by required user interaction and the critical prerequisite of a pre-compromised renderer. No public exploit has been identified at time of analysis, and EPSS registers at 0.05% (15th percentile), consistent with a multi-stage exploitation barrier.
Authenticated low-privileged users in MISP versions up to and including 2.5.38 can manipulate the fields parameter of the New Users and New Organisations dashboard widgets to bypass server-side field redaction and retrieve restricted metadata - including user email addresses even when email disclosure is explicitly disabled via Security.disclose_user_emails configuration. The root cause is an order-of-operations flaw: in the original code, the email redaction check was applied after the fallback logic that repopulated the field list, meaning a crafted empty field selection after validation could trigger a return of unredacted model fields. No public exploit has been identified at time of analysis, and SSVC rates exploitation status as none; however, the low attack complexity and absence of user interaction requirements mean any authenticated user can reliably reproduce the condition.
Private galaxy metadata in MISP versions up to and including 2.5.38 was exposed to authenticated non-site-admin users through the event template builder workflow due to missing organisation and distribution-based access controls. The EventTemplatesController.php __setBuilderConfig() method queried all enabled galaxies without filtering by ownership or distribution level, allowing users from one organisation to read galaxy names, types, and descriptions that belong to other organisations and are marked private. No public exploit has been identified and SSVC rates exploitation as none; however, in multi-tenant intelligence-sharing environments this information disclosure carries meaningful operational security risk, as galaxy metadata can reveal the intelligence focus areas or classification schemes of peer organisations.
Metric injection in Net::Statsd for Perl (all versions before 0.13) allows network-reachable, unauthenticated attackers to forge additional StatsD metric lines by embedding newlines, colons, or pipes in metric names or values passed through the library. Any application that feeds untrusted external input into Net::Statsd method calls without prior sanitization is directly exposed, because the wire format uses those characters as delimiters between metrics in a single UDP datagram. No public exploit code exists and this vulnerability is not listed in CISA KEV; however, the CVSS AV:N/AC:L/PR:N/UI:N surface warrants prompt patching wherever user-controlled strings reach metric instrumentation calls.