Heap corruption in Google Chrome's WebAuthentication component prior to version 149.0.7827.53 allows remote attackers to potentially execute arbitrary code through a crafted HTML page combined with user interaction. The flaw is a use-after-free (CWE-416) rated High severity by Chromium and carries a CVSS 7.5 score, though exploitation requires specific UI gestures from the victim. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Remote code execution in Google Chrome on macOS prior to version 149.0.7827.53 stems from a use-after-free condition in the Passwords component, allowing a remote attacker to execute arbitrary code if a victim is convinced to perform specific UI gestures on a crafted HTML page. Chromium rates the underlying severity as Critical, though CVSS scores it 7.5 due to high attack complexity and required user interaction. There is no public exploit identified at time of analysis and SSVC indicates exploitation status is none.
Unauthenticated information disclosure in the SP Project & Document Manager WordPress plugin (versions up to and including 4.71) allows remote attackers to enumerate file metadata and obtain download links for arbitrary files stored within project folders. The flaw stems from a broken authorization gate in the view_file AJAX handler where a negated nonce check is OR-chained with permission checks, causing the entire condition to evaluate true when no valid nonce is supplied. No public exploit identified at time of analysis, and the CVSS 7.5 score reflects confidentiality-only impact with no integrity or availability consequences.
Heap buffer overflow in the Media component of Google Chrome before 149.0.7827.53 enables remote attackers to achieve arbitrary code execution within the renderer sandbox after luring a user to a crafted HTML page and tricking them into performing specific UI gestures. Google rates the underlying Chromium issue as High severity, and while publicly available exploit code exists is not confirmed, vendor patches have been released through the Stable channel update. No active exploitation has been reported via CISA KEV at time of analysis.
Privilege escalation in Google Chrome on Windows prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via an integer overflow in the CredentialProvider component. Exploitation requires user interaction with a crafted HTML page and a prior renderer compromise, and no public exploit has been identified at time of analysis. Chromium rates the security severity as Medium despite the CVSS 7.5 score.
Remote heap corruption in Google Chrome on macOS prior to 149.0.7827.53 stems from a use-after-free in the Passwords component, letting a remote attacker who lures a user into specific UI interactions trigger memory corruption via a crafted HTML page. Chromium rates the underlying flaw Critical and a vendor patch is available, though no public exploit has been identified at time of analysis and active exploitation has not been confirmed by CISA KEV.
Heap corruption in Google Chrome's Ozone display layer on Linux versions prior to 149.0.7827.53 allows remote attackers to potentially achieve code execution by enticing a user to perform specific UI gestures on a crafted HTML page. Chromium rates the underlying issue as Critical severity, and no public exploit has been identified at time of analysis. The defect is a use-after-free (CWE-416) reachable from the renderer's interaction with the Linux display abstraction.
Privilege escalation in Google Chrome prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that abuses insufficient input validation in the Extensions component. Google rates the Chromium severity as Medium while NVD assigns CVSS 7.5 (High); no public exploit identified at time of analysis and CISA SSVC reports no observed exploitation.
Privilege escalation in Google Chrome's Extensions component prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to escape sandbox restrictions via a crafted HTML page. Chromium rates the issue High severity; no public exploit has been identified at time of analysis and SSVC reports exploitation status as none, though the technical impact is total if chained successfully.
Sandbox escape in Google Chrome prior to 149.0.7827.53 allows remote attackers who have already compromised the renderer process to break out of the browser sandbox via a crafted HTML page targeting the Password Manager component. The flaw is rated CVSS 7.5 (High) with EPSS at 0.05% (15th percentile) and no public exploit identified at time of analysis, though Google has shipped a patched stable channel release.
Denial of service in the Perl module Net::CIDR::Set through version 0.20 allows remote unauthenticated attackers to trigger indefinite recursion by submitting malformed IP address strings to the add() method. The flaw stems from missing input validation when parsing addresses, causing the parser to re-enter itself without a termination condition. No public exploit identified at time of analysis, but the issue is trivially reproducible and a fixed version 0.21 has been released on CPAN.
Metric injection in the Etsy::StatsD Perl module (versions through 1.002002) allows remote attackers to inject arbitrary statsd metrics by supplying input containing unescaped newlines, colons, or pipe characters to metric names or values. Applications that build metrics from untrusted sources (HTTP parameters, user identifiers, log fields) can be coerced into emitting forged measurements, corrupting downstream monitoring, dashboards, and alerting. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.
Client-side denial of service in Axios versions before 0.32.0 (0.x line) and before 1.16.0 (1.x line) allows attackers who influence the XSRF cookie name configuration to trigger catastrophic regex backtracking when axios reads document.cookie in browser environments. The flaw stems from unescaped interpolation of the cookie name into a dynamically constructed RegExp, and a detailed proof-of-concept is published in the GitHub Security Advisory, though no public exploitation has been observed in the wild.
Denial-of-service via size-limit bypass in Axios 1.7.0 through 1.15.x affects server-side Node.js applications that select the fetch adapter and rely on maxContentLength or maxBodyLength as a security boundary. Attackers controlling response bodies, data: URLs, or forwarded request payloads can exhaust memory, CPU, or network resources because the fetch adapter never reads those limits. No public exploit identified at time of analysis beyond the advisory's own proof-of-concept code.
Denial of service in OpenStack Ironic versions 32 through 35.0.1 allows remote unauthenticated attackers to crash the bare-metal provisioning service by submitting a crafted JSON payload to certain API or JSON-RPC endpoints. CVSS 7.5 reflects high availability impact with no authentication required, though EPSS is only 0.04% (12th percentile) and SSVC marks exploitation as 'none' - no public exploit identified at time of analysis. The flaw is tracked as a CWE-770 unbounded resource consumption issue and documented in OpenStack Security Note OSSN-0099.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free in the Dawn WebGPU implementation, enabling a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. No public exploit identified at time of analysis, and EPSS probability is very low (0.03%), though Google has released a stable channel update addressing the flaw.
Proxy credential disclosure in Axios Node.js HTTP adapter (versions <1.16.0 and <=0.31.1) allows an attacker-controlled redirect target to receive the victim's authenticated proxy credentials via a stale Proxy-Authorization header. When a Node.js application uses an authenticated HTTP_PROXY and follows a redirect to a URL that resolves to no proxy (e.g., an https:// destination when HTTPS_PROXY is unset), the previously-set Proxy-Authorization header is not cleared and is sent to the final origin. No public exploit identified at time of analysis, though the advisory itself publishes a working PoC.
Predictable password generation in Cloud Foundry's BOSH windows-utilities-release (versions prior to v0.23.0) allows remote attackers to recover the local Administrator password set by the randomize_password job. The Get-RandomPassword routine seeds its PRNG from system clock state, so an attacker who can estimate VM boot time can reduce the search space to a small candidate list and brute-force the credential, defeating the hardening control that was supposed to lock down the account. No public exploit identified at time of analysis, but the CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/C:H) reflects the realistic recoverability of high-value Administrator credentials over the network.
Denial of service in BACnet Stack 1.3.1 occurs through an out-of-bounds read in the bacnet_tag_number_decode function, allowing remote attackers to crash affected building automation systems by sending crafted BACnet protocol messages. No public exploit identified at time of analysis, and EPSS scores the exploitation probability at a very low 0.02%, though the network-reachable nature of BACnet deployments in critical infrastructure warrants attention.
Heap information disclosure in HTML::Entities for Perl (versions before 3.84) allows remote attackers to leak adjacent heap memory contents when decoding entities. The XS routine _decode_entities retains a stale pointer into a hash value SV after grow_gap() reallocates the buffer, causing a use-after-free read that copies freed heap bytes into the output scalar. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the upstream fix is confirmed via GH PR #56.
Command injection in nvm (Node Version Manager) versions through 0.40.4 allows attackers controlling the configured Node.js/io.js mirror to execute arbitrary shell commands as the user running nvm. Mirror-supplied version strings flow unsanitized into an `eval`'d curl/wget invocation in `nvm_download()` and into an awk program in `nvm_get_checksum()`, enabling injection via constructs like `$(id)`. No public exploit is identified at time of analysis, but the GitHub Security Advisory (GHSA-3c52-35h2-gfmm) and committed regression tests demonstrate the bug class, and CVSS 7.5 (AV:N/AC:H/PR:N/UI:R) reflects that the default TLS-protected nodejs.org mirror is unaffected.
Denial of service in Dell BSAFE SSL-J allows unauthenticated remote attackers to exhaust resources on systems using the cryptographic library, rendering affected services unavailable. The flaw stems from CWE-770 (allocation of resources without limits or throttling) and carries a CVSS 7.5 score reflecting network-reachable, no-privilege exploitation with high availability impact. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Cross-origin data disclosure in Google Chrome on Windows prior to 149.0.7827.53 allows remote attackers who have already compromised the renderer process to leak data from other origins via a crafted HTML page in the Dawn (WebGPU) component. Google rates the underlying issue High severity, but no public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.05%.
Information disclosure in Google Chrome versions prior to 149.0.7827.53 allows remote attackers to leak sensitive process memory through a crafted HTML page that triggers an uninitialized memory read in the Dawn WebGPU implementation. Google rates the underlying Chromium issue as High severity, and a patched stable channel build is available, though no public exploit has been identified at time of analysis and EPSS exploitation probability remains very low at 0.03%.
Local root code execution in libinput versions before 1.30.4 and 1.31.x before 1.31.3 is possible because the libinput-device-group helper fails to escape the 'phys' string returned for an input device, allowing injection of attacker-controlled udev properties that are subsequently evaluated as privileged actions. The flaw, tracked as CWE-93 (CRLF/property injection), enables an unprivileged local user who can attach or simulate a device with a crafted physical-path identifier to escalate to root. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Man-in-the-middle attack against OpenStack oslo.messaging 1.0.0 through 17.3.0 is possible because the RabbitMQ driver validates the certificate chain but skips TLS hostname verification, letting any cert signed by the deployment CA impersonate the broker. An attacker positioned on the control-plane network can intercept and tamper with RPC and notification traffic between OpenStack services, with no public exploit identified at time of analysis but a credible POC pathway documented in OSSN-0096.
Improper input validation in the Perl module Net::CIDR::Set through version 0.20 allows attackers to bypass network access controls by submitting network masks containing Unicode digits (e.g., Arabic-Indic numerals like U+0661) or leading zeros that are silently ignored or misinterpreted. The CVSS 7.3 score reflects low-impact compromise across confidentiality, integrity, and availability via the network, with no public exploit identified at time of analysis. Applications using this module for ACL or firewall-like decisions may grant access to wider IP ranges than intended.
Local privilege escalation in Google Chrome for Android prior to 149.0.7827.53 stems from an inappropriate implementation in the Custom Tabs component, where a crafted XML file processed by a local attacker can elevate privileges within the browser context. The flaw is rated CVSS 7.3 (Chromium severity Medium) and requires user interaction, with no public exploit identified at time of analysis and a very low EPSS score (0.02%, 4th percentile). A vendor patch is available in the Stable channel update referenced by the Chrome Releases advisory.
Local privilege escalation in Google Chrome on Windows prior to 149.0.7827.53 stems from a use-after-free condition in the Updater component, allowing a local attacker who can place a malicious file to elevate to OS-level privileges. The flaw was reported by Google's Chrome security team with no public exploit identified at time of analysis, and EPSS scoring is very low at 0.01% reflecting minimal predicted exploitation activity. Chromium rates the severity as Medium while the CVSS base score of 7.3 reflects the high impact of OS-level privilege escalation.
Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Command injection in the Supermicro AS-2115HS-TNR BMC's SMTP service allows an authenticated administrator to inject crafted characters into the SMTP configuration, causing the underlying system to execute unintended OS commands during process invocation. Successful exploitation can yield arbitrary code execution on the baseboard management controller, denial of service, or persistent compromise of the management plane. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Privilege escalation in Red Hat OpenShift's Cloud Credential Operator (CCO) Mint-mode on AWS allows an attacker who compromises operator credentials to perform destructive actions across the entire AWS account rather than only cluster-owned resources. The over-privileged IAM policies break least-privilege boundaries, turning a single cluster credential leak into an account-wide blast radius. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthorized eSIM profile manipulation in the Acer Connect M6E 5G Portable WiFi Router allows adjacent attackers to rewrite or delete cellular eSIM profiles without authentication because management API endpoints fail to validate caller authorization. The flaw maps to CWE-287 (Improper Authentication) and is reported by Acer with CVSS 4.0 score 7.2, with no public exploit identified at time of analysis.
Information disclosure in Hermes WebUI before v0.51.221 allows authenticated remote attackers to read arbitrary files outside the designated workspace by placing symlinks that resolve to external host paths and accessing them through the workspace file or listing APIs. Because the vulnerable code only blocked raw '..' traversal and a small denylist of system directories rather than enforcing that resolved targets stay within the workspace root, attackers can disclose sensitive host content such as SSH keys, cloud credentials, and application tokens. No public exploit identified at time of analysis, but the patch and a VulnCheck advisory are published and the fix is straightforward to reverse-engineer from the upstream commit.
Authorization bypass in DFIR-IRIS prior to v2.4.28 allows any authenticated user to read IOCs across cases they should not access, perform bulk IOC disclosure, and create cases without role checks via an optional GraphQL endpoint at /graphql. No public exploit identified at time of analysis, but the trivial nature of the IDOR (simply supplying an arbitrary caseId to the GraphQL resolver) makes weaponization straightforward for anyone with valid platform credentials. EPSS data not provided; the vulnerability is not listed in CISA KEV.
Privilege escalation via overly permissive RBAC in Red Hat OpenShift Pipelines operator allows any authenticated cluster user to write to Kueue and cert-manager custom resources, enabling disruption of multi-tenant workload scheduling and tampering with cluster TLS certificates. The flaw stems from the tekton-scheduler-rolebinding ClusterRoleBinding granting system:authenticated overly broad write permissions. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the attack requires only basic cluster authentication.
Denial of service in the Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier) lets an unauthenticated attacker on the adjacent network abuse the device dissociation API to forcibly unbind arbitrary client endpoints from the router. With no public exploit identified at time of analysis and no CISA KEV listing, this is a connectivity-disruption issue rather than a code execution risk, but it can knock legitimate users off the WiFi at will. CVSS 4.0 scores it 7.1 due to high availability impact via a low-complexity, no-privilege adjacent attack.
Credential theft and authorization tampering in Cloud Foundry BOSH (versions prior to v282.1.9) stems from the nats-sync component disabling TLS certificate validation when contacting the BOSH director. An attacker positioned on the network between nats-sync and the director can intercept Basic auth headers or UAA client secrets and modify the VM list written into the NATS authorization file, ultimately gaining administrative director access. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Credential theft and UAA token redirection in Cloud Foundry BOSH versions prior to v282.1.9 allows a network-positioned local attacker to intercept Basic-auth secrets and OAuth requests flowing between bosh-monitor and the BOSH director or UAA. The flaw stems from hard-coded OpenSSL::SSL::VERIFY_NONE in the HttpRequestHelper, effectively disabling TLS certificate validation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Plaintext exposure of pre-signed Backblaze B2 upload URLs in GNCC GP5 camera firmware v7.1.76 allows physically-proximate attackers with serial UART access to harvest live cloud storage tokens. The leaked PUT URLs enable unauthorized write operations against the device's Backblaze B2 cloud storage bucket until the tokens expire. No public exploit identified at time of analysis, though a public research write-up describing the issue is referenced.
CSV injection and reflected cross-site scripting affect HCL iControl due to insufficient input sanitization in the Export CSV feature and reflected parameters. An attacker who can lure an authenticated user to click a crafted link can execute script in the victim's browser session or inject formula payloads into exported CSV files that execute when opened in spreadsheet applications. No public exploit identified at time of analysis; the issue carries a CVSS 7.1 (High) rating driven largely by user-interaction and low-privilege requirements.
Stored cross-site scripting in the SMS module of Neterbit NW-431F Router firmware 20241014-IR03 and earlier allows remote attackers to inject JavaScript payloads via inbound SMS messages, which execute in the administrator's browser when the SMS interface is viewed. No public exploit identified at time of analysis, though a researcher repository on GitHub documents the issue. The cellular-router form factor makes the SMS vector particularly notable because injection can originate from the mobile network rather than the local LAN.