Predictable password generation in Cloud Foundry's BOSH windows-utilities-release (versions prior to v0.23.0) allows remote attackers to recover the local Administrator password set by the randomize_password job. The Get-RandomPassword routine seeds its PRNG from system clock state, so an attacker who can estimate VM boot time can reduce the search space to a small candidate list and brute-force the credential, defeating the hardening control that was supposed to lock down the account. No public exploit identified at time of analysis, but the CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/C:H) reflects the realistic recoverability of high-value Administrator credentials over the network.
Denial of service in BACnet Stack 1.3.1 occurs through an out-of-bounds read in the bacnet_tag_number_decode function, allowing remote attackers to crash affected building automation systems by sending crafted BACnet protocol messages. No public exploit identified at time of analysis, and EPSS scores the exploitation probability at a very low 0.02%, though the network-reachable nature of BACnet deployments in critical infrastructure warrants attention.
Heap information disclosure in HTML::Entities for Perl (versions before 3.84) allows remote attackers to leak adjacent heap memory contents when decoding entities. The XS routine _decode_entities retains a stale pointer into a hash value SV after grow_gap() reallocates the buffer, causing a use-after-free read that copies freed heap bytes into the output scalar. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the upstream fix is confirmed via GH PR #56.
Command injection in nvm (Node Version Manager) versions through 0.40.4 allows attackers controlling the configured Node.js/io.js mirror to execute arbitrary shell commands as the user running nvm. Mirror-supplied version strings flow unsanitized into an `eval`'d curl/wget invocation in `nvm_download()` and into an awk program in `nvm_get_checksum()`, enabling injection via constructs like `$(id)`. No public exploit is identified at time of analysis, but the GitHub Security Advisory (GHSA-3c52-35h2-gfmm) and committed regression tests demonstrate the bug class, and CVSS 7.5 (AV:N/AC:H/PR:N/UI:R) reflects that the default TLS-protected nodejs.org mirror is unaffected.
Denial of service in Dell BSAFE SSL-J allows unauthenticated remote attackers to exhaust resources on systems using the cryptographic library, rendering affected services unavailable. The flaw stems from CWE-770 (allocation of resources without limits or throttling) and carries a CVSS 7.5 score reflecting network-reachable, no-privilege exploitation with high availability impact. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Cross-origin data disclosure in Google Chrome on Windows prior to 149.0.7827.53 allows remote attackers who have already compromised the renderer process to leak data from other origins via a crafted HTML page in the Dawn (WebGPU) component. Google rates the underlying issue High severity, but no public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.05%.
Information disclosure in Google Chrome versions prior to 149.0.7827.53 allows remote attackers to leak sensitive process memory through a crafted HTML page that triggers an uninitialized memory read in the Dawn WebGPU implementation. Google rates the underlying Chromium issue as High severity, and a patched stable channel build is available, though no public exploit has been identified at time of analysis and EPSS exploitation probability remains very low at 0.03%.
Local root code execution in libinput versions before 1.30.4 and 1.31.x before 1.31.3 is possible because the libinput-device-group helper fails to escape the 'phys' string returned for an input device, allowing injection of attacker-controlled udev properties that are subsequently evaluated as privileged actions. The flaw, tracked as CWE-93 (CRLF/property injection), enables an unprivileged local user who can attach or simulate a device with a crafted physical-path identifier to escalate to root. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Man-in-the-middle attack against OpenStack oslo.messaging 1.0.0 through 17.3.0 is possible because the RabbitMQ driver validates the certificate chain but skips TLS hostname verification, letting any cert signed by the deployment CA impersonate the broker. An attacker positioned on the control-plane network can intercept and tamper with RPC and notification traffic between OpenStack services, with no public exploit identified at time of analysis but a credible POC pathway documented in OSSN-0096.
Improper input validation in the Perl module Net::CIDR::Set through version 0.20 allows attackers to bypass network access controls by submitting network masks containing Unicode digits (e.g., Arabic-Indic numerals like U+0661) or leading zeros that are silently ignored or misinterpreted. The CVSS 7.3 score reflects low-impact compromise across confidentiality, integrity, and availability via the network, with no public exploit identified at time of analysis. Applications using this module for ACL or firewall-like decisions may grant access to wider IP ranges than intended.
Local privilege escalation in Google Chrome for Android prior to 149.0.7827.53 stems from an inappropriate implementation in the Custom Tabs component, where a crafted XML file processed by a local attacker can elevate privileges within the browser context. The flaw is rated CVSS 7.3 (Chromium severity Medium) and requires user interaction, with no public exploit identified at time of analysis and a very low EPSS score (0.02%, 4th percentile). A vendor patch is available in the Stable channel update referenced by the Chrome Releases advisory.
Local privilege escalation in Google Chrome on Windows prior to 149.0.7827.53 stems from a use-after-free condition in the Updater component, allowing a local attacker who can place a malicious file to elevate to OS-level privileges. The flaw was reported by Google's Chrome security team with no public exploit identified at time of analysis, and EPSS scoring is very low at 0.01% reflecting minimal predicted exploitation activity. Chromium rates the severity as Medium while the CVSS base score of 7.3 reflects the high impact of OS-level privilege escalation.
Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Command injection in the Supermicro AS-2115HS-TNR BMC's SMTP service allows an authenticated administrator to inject crafted characters into the SMTP configuration, causing the underlying system to execute unintended OS commands during process invocation. Successful exploitation can yield arbitrary code execution on the baseboard management controller, denial of service, or persistent compromise of the management plane. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Privilege escalation in Red Hat OpenShift's Cloud Credential Operator (CCO) Mint-mode on AWS allows an attacker who compromises operator credentials to perform destructive actions across the entire AWS account rather than only cluster-owned resources. The over-privileged IAM policies break least-privilege boundaries, turning a single cluster credential leak into an account-wide blast radius. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthorized eSIM profile manipulation in the Acer Connect M6E 5G Portable WiFi Router allows adjacent attackers to rewrite or delete cellular eSIM profiles without authentication because management API endpoints fail to validate caller authorization. The flaw maps to CWE-287 (Improper Authentication) and is reported by Acer with CVSS 4.0 score 7.2, with no public exploit identified at time of analysis.
Information disclosure in Hermes WebUI before v0.51.221 allows authenticated remote attackers to read arbitrary files outside the designated workspace by placing symlinks that resolve to external host paths and accessing them through the workspace file or listing APIs. Because the vulnerable code only blocked raw '..' traversal and a small denylist of system directories rather than enforcing that resolved targets stay within the workspace root, attackers can disclose sensitive host content such as SSH keys, cloud credentials, and application tokens. No public exploit identified at time of analysis, but the patch and a VulnCheck advisory are published and the fix is straightforward to reverse-engineer from the upstream commit.
Authorization bypass in DFIR-IRIS prior to v2.4.28 allows any authenticated user to read IOCs across cases they should not access, perform bulk IOC disclosure, and create cases without role checks via an optional GraphQL endpoint at /graphql. No public exploit identified at time of analysis, but the trivial nature of the IDOR (simply supplying an arbitrary caseId to the GraphQL resolver) makes weaponization straightforward for anyone with valid platform credentials. EPSS data not provided; the vulnerability is not listed in CISA KEV.
Privilege escalation via overly permissive RBAC in Red Hat OpenShift Pipelines operator allows any authenticated cluster user to write to Kueue and cert-manager custom resources, enabling disruption of multi-tenant workload scheduling and tampering with cluster TLS certificates. The flaw stems from the tekton-scheduler-rolebinding ClusterRoleBinding granting system:authenticated overly broad write permissions. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the attack requires only basic cluster authentication.
Denial of service in the Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier) lets an unauthenticated attacker on the adjacent network abuse the device dissociation API to forcibly unbind arbitrary client endpoints from the router. With no public exploit identified at time of analysis and no CISA KEV listing, this is a connectivity-disruption issue rather than a code execution risk, but it can knock legitimate users off the WiFi at will. CVSS 4.0 scores it 7.1 due to high availability impact via a low-complexity, no-privilege adjacent attack.
Credential theft and authorization tampering in Cloud Foundry BOSH (versions prior to v282.1.9) stems from the nats-sync component disabling TLS certificate validation when contacting the BOSH director. An attacker positioned on the network between nats-sync and the director can intercept Basic auth headers or UAA client secrets and modify the VM list written into the NATS authorization file, ultimately gaining administrative director access. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Credential theft and UAA token redirection in Cloud Foundry BOSH versions prior to v282.1.9 allows a network-positioned local attacker to intercept Basic-auth secrets and OAuth requests flowing between bosh-monitor and the BOSH director or UAA. The flaw stems from hard-coded OpenSSL::SSL::VERIFY_NONE in the HttpRequestHelper, effectively disabling TLS certificate validation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Plaintext exposure of pre-signed Backblaze B2 upload URLs in GNCC GP5 camera firmware v7.1.76 allows physically-proximate attackers with serial UART access to harvest live cloud storage tokens. The leaked PUT URLs enable unauthorized write operations against the device's Backblaze B2 cloud storage bucket until the tokens expire. No public exploit identified at time of analysis, though a public research write-up describing the issue is referenced.
CSV injection and reflected cross-site scripting affect HCL iControl due to insufficient input sanitization in the Export CSV feature and reflected parameters. An attacker who can lure an authenticated user to click a crafted link can execute script in the victim's browser session or inject formula payloads into exported CSV files that execute when opened in spreadsheet applications. No public exploit identified at time of analysis; the issue carries a CVSS 7.1 (High) rating driven largely by user-interaction and low-privilege requirements.
Stored cross-site scripting in the SMS module of Neterbit NW-431F Router firmware 20241014-IR03 and earlier allows remote attackers to inject JavaScript payloads via inbound SMS messages, which execute in the administrator's browser when the SMS interface is viewed. No public exploit identified at time of analysis, though a researcher repository on GitHub documents the issue. The cellular-router form factor makes the SMS vector particularly notable because injection can originate from the mobile network rather than the local LAN.
On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Static zero-filled AES-CBC Initialization Vectors in the Acer Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019) eliminate the cryptographic randomness CBC mode requires, enabling network-accessible attackers to conduct replay attacks and known-plaintext decryption of device-encrypted traffic without authentication. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial remote access with no privileges or user interaction required, though the impact is scoped to partial confidentiality loss (VC:L) with no integrity or availability impact. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Hardcoded AES-128-CBC cryptographic keys embedded in the AcerConnect OTA application allow unauthenticated remote attackers to forge authorization credentials for arbitrary IMEI numbers against the Connect M6E 5G Portable WiFi Router (firmware ≤ M6E_AI_1.00.000019). Once credentials are forged, attackers can enumerate OTA catalog items and retrieve protected firmware binaries via pre-signed cloud storage links. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the static nature of the hardcoded key means any actor who obtains the application binary can trivially reproduce the attack.
Hard-coded AWS Cognito credentials embedded in leftover debug modules of the Acer Connect M6E 5G Portable WiFi Router expose internal cloud test sandbox environments to remote unauthenticated attackers. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no network proximity, and no user interaction is required, meaning any attacker who obtains the static credentials - through firmware extraction or disclosure - can authenticate to Acer's AWS Cognito-backed test infrastructure. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
The web administration panel of the Acer Connect M6E 5G Portable WiFi Router binds to the wildcard IPv6 address [::] on port 8080, exposing internal API endpoints over the public WAN interface without default firewall restrictions. All firmware versions through M6E_AI_1.00.000019 are affected, enabling authenticated remote attackers with high-privilege credentials to reach and query administrative APIs that are intended to be LAN-restricted only. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the design flaw structurally expands the attack surface for any admin-level compromise.
Insecure Direct Object Reference in ITPison's OMICARD EDM (an email marketing platform) enables unauthenticated remote attackers to manipulate a specific request parameter to retrieve arbitrary users' email addresses without authorization. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms fully remote, zero-authentication exploitation requiring no user interaction, though impact is bounded to low-level confidentiality loss with no integrity or availability consequence. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.
Path traversal in CPython's tarfile module allows malicious tar archives to bypass the data_filter safety mechanism and write files to arbitrary locations outside the intended extraction directory. When an application or user calls tarfile.extractall() with the data filter active, specially crafted symlinks using empty names, directory-like names, or trailing slashes can redirect subsequent archive members through attacker-controlled paths, subject to the permissions of the extracting process. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, but the attack vector is network-accessible and requires only that a victim initiate extraction of a crafted archive (UI:A).
U-Boot bootloader authentication bypass on GNCC GP5 v7.1.76 grants a physically-proximate attacker full root access to the device by interrupting the boot sequence and injecting crafted kernel boot arguments. The vulnerability stems from insufficient input validation in the bootloader's handling of kernel command-line parameters, allowing an attacker to override security controls set during the normal boot process. Publicly available exploit code exists via a GitHub IoT vulnerability research repository; no CISA KEV listing has been identified at time of analysis, consistent with the physical-access prerequisite limiting widespread automated exploitation.
Universal Cross-Site Scripting (UXSS) in Google Chrome's SVG implementation prior to version 149.0.7827.53 allows remote unauthenticated attackers to bypass same-origin policy by injecting arbitrary scripts or HTML across origins via a crafted HTML page. Exploitation requires user interaction and high attack complexity (CVSS AC:H/UI:R), and EPSS at 0.06% (18th percentile) reflects limited real-world exploitation activity. No active exploitation is confirmed by CISA KEV and no public exploit code has been identified at time of analysis.
Remote code execution in Google Chrome on Windows prior to version 149.0.7827.53 allows a remote attacker to run arbitrary code when a victim is lured into performing specific UI gestures involving a malicious file delivered through the PlatformIntegration component. The flaw stems from improper input validation (CWE-20) and, while a vendor patch is available, no public exploit has been identified at time of analysis and EPSS scoring (0.04%) indicates very low near-term exploitation probability.
Heap out-of-bounds read in Morse Micro HaLowLink 2 prior to version 2.11.12 allows an unauthenticated attacker within 802.11ah radio range to disclose up to 9 bytes of kernel heap memory or trigger a kernel panic (DoS) by transmitting a crafted beacon or probe response frame containing a malformed Vendor Information Element. The morse.ko kernel driver function morse_vendor_find_vendor_ie() fails to validate IE body length against the expected structure size before downstream callers read at fixed offsets, requiring only that the IE length field exceed 3 bytes. No public exploit identified at time of analysis; EPSS places exploitation probability at 0.03% (8th percentile) with no CISA KEV listing, though the zero-prerequisite radio-range attack surface warrants prompt patching for HaLow-enabled deployments.
Incorrect native memory address resolution in Netty's Oblivious HTTP (OHTTP) BoringSSL JNI bridge allows unauthenticated remote attackers to corrupt memory belonging to concurrent connections and disclose the contents of adjacent pooled direct buffers - including HPKE encryption key material - on affected OHTTP gateways. The flaw exists in versions prior to 0.0.22.Final of netty-incubator-codec-ohttp and is only reachable when the JVM is configured to deny `sun.misc.Unsafe` access, causing the vulnerable fallback address-resolution path to activate. This directly undermines the confidentiality guarantees Oblivious HTTP is designed to provide; no public exploit code exists and the vulnerability is not listed in the CISA KEV catalog (CVSS 4.0 E:U).
Admin account takeover in Shopware's PHP e-commerce platform is achievable by any low-privilege admin holding the user_recovery:read ACL through a three-endpoint attack chain requiring no special tooling. The vulnerability stems from the UserRecoveryDefinition exposing a secret password-reset hash via the Admin API search endpoint - a hash the recovery flow assumes is delivered exclusively via email - enabling the attacker to bypass the intended out-of-band delivery mechanism entirely. Patched versions 6.6.10.18 and 6.7.10.1 are available; no public exploit code or CISA KEV listing has been identified at time of analysis, though the attack is fully documented in the GitHub Security Advisory GHSA-8v9p-g828-v98f.
Local privilege escalation in NetworkManager's dhclient backend allows a low-privileged local user to execute arbitrary OS commands with elevated privileges by supplying a crafted Manufacturer Usage Description (MUD) URL. Exploitation is strictly limited to systems where an administrator has explicitly reconfigured NetworkManager to use the dhclient backend - a non-default setting - meaning the vast majority of deployments are unaffected by design. CVSS 6.7 (local vector, high complexity, user interaction required) accurately reflects the constrained exploitation conditions; no public exploit code or CISA KEV listing exists at time of analysis.
Truncation of chunked Oblivious HTTP (OHTTP) streams in netty-incubator-codec-ohttp prior to 0.0.22.Final silently passes partial, cryptographically-incomplete messages to the receiving application with no decryption error or exception. An on-path adversary - the OHTTP relay itself or a MITM on the relay↔gateway or relay↔client transport - can cut a legitimate chunked-OHTTP message at any non-final chunk boundary and cleanly close the outer HTTP body, bypassing the cryptographic integrity guarantee the final-chunk marker is designed to provide. No public exploit is identified (CVSS E:U) and no CISA KEV listing exists, but the integrity impact is rated High (VI:H) given that receivers silently accept and may act on structurally incomplete messages.
In Arista’s EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL capable device in the fallback VLAN. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Injection (CWE-74) in Copilot Chat within Microsoft Edge enables unauthenticated remote attackers to disclose sensitive information when a victim user interacts with maliciously crafted content. The vulnerability resides in improper neutralization of special elements passed to a downstream component of the chat pipeline, resulting in high confidentiality impact with no integrity or availability effect. No public exploit code exists at time of analysis (CVSS E:U), and Microsoft has released an official patch per MSRC advisory CVE-2026-47644.
Out-of-bounds read in the Chromecast component of Google Chrome prior to version 149.0.7827.53 enables a remote attacker - who has already compromised the renderer process - to leak potentially sensitive data from process memory by delivering a crafted HTML page. This is a chained vulnerability: exploitation is conditional on a prior renderer compromise, making it a second-stage information-disclosure step rather than a standalone attack. No public exploit code has been identified and EPSS probability stands at 0.05% (15th percentile), consistent with a medium-severity, constrained attack path. Google has released a fix in stable channel 149.0.7827.53.
Cross-origin data leakage in Google Chrome's Skia graphics library affects all versions prior to 149.0.7827.53, exploitable by a remote attacker who has already compromised the renderer process. Via a crafted HTML page, the attacker can abuse insufficient input validation in Skia to extract sensitive cross-origin data, bypassing browser isolation boundaries. No public exploit code has been identified at time of analysis, and the EPSS score of 0.05% (15th percentile) reflects low observed exploitation activity.
Cross-origin data leakage in Google Chrome's Printing subsystem (all versions prior to 149.0.7827.53) enables a remote attacker who has already compromised the renderer process to exfiltrate sensitive cross-origin data by serving a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) reflects high confidentiality impact with no integrity or availability loss, though the real-world attack requires a pre-compromised renderer - making this a second-stage chaining vulnerability rather than a standalone initial-access vector. No public exploit code or CISA KEV listing has been identified, and EPSS at 0.05% (15th percentile) confirms low current exploitation probability.
Memory disclosure in Google Chrome's GPU component (versions prior to 149.0.7827.53) enables a remote attacker who has already compromised the renderer process to read sensitive data from process memory by delivering a crafted HTML page. The vulnerability stems from insufficient validation of untrusted input passed to the GPU subsystem, classified as CWE-20 (Improper Input Validation), and is rated Medium severity by the Chromium security team despite a CVSS Confidentiality impact of High - reflecting that successful exploitation requires a prior renderer compromise as a prerequisite. No public exploit code has been identified and EPSS probability stands at just 0.05% (15th percentile), indicating low current exploitation likelihood.
Cross-origin data leakage in the Glic component of Google Chrome (prior to 149.0.7827.53) can be triggered by a remote attacker who has already compromised the renderer process, using a crafted HTML page to exfiltrate sensitive cross-origin content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) reflects high confidentiality impact but masks the realistic complexity: renderer compromise is an explicit prerequisite, making this a chained exploit rather than a standalone attack. No active exploitation has been confirmed (CISA KEV absent, SSVC exploitation=none, EPSS 0.05% at 15th percentile), and a vendor-released patch is available.
Memory disclosure in Google Chrome's Network component (versions prior to 149.0.7827.53) allows an attacker who has already compromised the renderer process to read potentially sensitive data from process memory by delivering a crafted HTML page to the victim. This is a chained, two-stage attack: exploitation requires a prior renderer process compromise as an explicit prerequisite, which substantially elevates the real-world difficulty beyond what the CVSS 6.5 score alone implies. No active exploitation has been identified (SSVC Exploitation: none; EPSS: 0.05% at the 15th percentile), and no public exploit code exists at time of analysis.
Cross-origin data leakage in Google Chrome's Codecs subsystem affects all versions prior to 149.0.7827.53, enabling an attacker who has already compromised the renderer process to exfiltrate sensitive data from other origins via a crafted video file. The vulnerability bypasses Same-Origin Policy protections and exposes high-confidentiality content (CVSS C:H), though impact is scoped to information disclosure with no integrity or availability consequence. This CVE is not currently listed in CISA KEV, no public exploit has been identified at time of analysis, and EPSS at 0.05% (15th percentile) indicates low widespread exploitation probability.