Weak cryptographic salt generation in HAX CMS (haxcms-php) versions prior to 26.0.1 allows remote unauthenticated attackers to predict or recover salt values used during installation and authentication-related operations. The flaw stems from using PHP's uniqid() - a timestamp-based, non-cryptographic function - as a randomness source (CWE-338). No public exploit has been identified at time of analysis and the CVE is not on CISA KEV.
Denial of service in CloudburstMC Network versions prior to 1.0.0.CR3-20260418.124334-32 allows remote unauthenticated attackers to close the parent Netty channel, rendering the network layer inoperable. Any publicly accessible application depending on the affected library is exposed, and no public exploit has been identified at time of analysis. The CVSS 7.5 score reflects a high-availability impact with no confidentiality or integrity loss.
Denial of service in Cloudburst Network (cloudburstmc/network) versions prior to 1.0.0.CR3-20260417.085727-30 allows remote attackers to stall the underlying Netty event loop, rendering network processing inoperable for any publicly accessible application that depends on the library. The flaw scores CVSS 7.5 with a fully remote, low-complexity, unauthenticated availability impact, and no public exploit identified at time of analysis.
Remote denial of service in klever-go v1.7.17 allows any connected P2P peer to send a 442-byte compressed RequestDataType_HashArrayType message that expands into 200,000 decoded hash entries, driving roughly 156 MiB of heap pressure and synchronous CPU work per request inside TxResolver and TrieNodeResolver. The flaw stems from antiflood logic that only counts compressed wire size, leaving validator nodes exposed to resource exhaustion from repeated or concurrent malicious requests. Publicly available exploit code exists (vendor-published PoC) but the issue is not in CISA KEV; EPSS data was not provided.
Stored Cross-Site Scripting in NocoDB <= 2026.05.0 allows authenticated commenters to inject HTML payloads into row comments that execute as JavaScript when other users hover over the comment in the expanded form view. Successful exploitation runs script in the NocoDB origin under the victim's session, enabling theft of the auth JWT from localStorage. No public exploit identified at time of analysis; EPSS is low (0.11%, 29th percentile) and the issue is not listed in CISA KEV.
Out-of-bounds write in the SIL Graphite smart-font rendering engine before 1.3.15 allows attackers to corrupt memory by supplying a malicious font file that triggers an integer underflow in the slotat macro. Exploitation requires a victim to render attacker-controlled font content in an application that embeds Graphite (such as Firefox, LibreOffice, or Pango-based renderers), and no public exploit has been identified at time of analysis.
Path traversal in MoviePilot's AliPan, U115, Rclone, and SMB cloud storage download handlers allows an attacker who controls remote filenames to write files outside the configured download directory. The flaw stems from unsanitized concatenation of filenames returned by remote cloud APIs, enabling overwrite of configuration files, plugins, or other files accessible to the application process. No public exploit identified at time of analysis, but a vendor patch is available via upstream commit a0b3800.
Server-Side Request Forgery in the Essential Blocks WordPress plugin (versions through 6.1.3) allows authenticated users with Author-level access or higher to coerce the WordPress server into making arbitrary outbound HTTP requests via the save_ai_generated_image() function. The flaw enables attackers to probe internal network services, read responses from internal endpoints, and potentially modify state on services that trust requests from the WordPress host. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Sandbox policy bypass in Twig templating engine versions 3.25.0 and earlier allows sandboxed template authors to invoke arbitrary `__toString()` methods on any `Stringable` object reachable in the render context, even when those methods are not allowlisted by `SecurityPolicy::checkMethodAllowed()`. The flaw stems from `SandboxNodeVisitor` only wrapping a hardcoded subset of AST nodes in `CheckToStringNode`, leaving many string-coercion points (conditional expressions, comparison/`matches` operators, tests, ranges, includes, spread arguments) unguarded - and the comparison-operator vector enables byte-by-byte oracle recovery of sensitive object string forms. No public exploit identified at time of analysis; fix shipped in Twig 3.26.0 (also referenced by Symfony's advisory page).
Denial of service in the RTSP server of TP-Link Tapo C520WS v2 IP cameras allows adjacent network attackers to render the camera's video streaming service non-responsive by sending syntactically invalid RTSP input. The flaw is reachable without authentication or user interaction from the local network segment (CVSS 4.0 vector AV:A/PR:N/UI:N) and no public exploit identified at time of analysis. While confidentiality and integrity are unaffected, availability of the surveillance stream is fully impacted, which is operationally significant for a security camera.
Denial-of-service in Ericsson Packet Core Controller (PCC) versions prior to 1.39 allows an adjacent-network attacker without credentials to degrade service by flooding the controller with specially crafted messages. The CVSS 4.0 score of 7.1 reflects high availability impact with no confidentiality or integrity loss; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows an adjacent-network attacker to degrade telecom packet core service by continuously sending a specially crafted message that triggers improper handling of missing values (CWE-230). The condition persists only while the attack is sustained - the system self-recovers once traffic stops - and no public exploit identified at time of analysis, but the CVSS 4.0 score of 7.1 reflects high availability impact on a carrier-grade network function.
Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows adjacent network attackers to degrade service availability by continuously transmitting specially crafted messages that trigger improper handling of missing values (CWE-230). The affected PCG nodes crash repeatedly under sustained attack but self-recover once traffic stops, so impact is transient yet operationally significant for mobile core networks. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows an adjacent-network attacker to degrade service by continuously transmitting malformed messages that the gateway fails to parse safely. The condition causes recurring crashes that persist only while the attack is active, with automatic recovery once it stops, and no public exploit identified at time of analysis.
Remote code execution within the Chrome renderer sandbox affects Google Chrome desktop builds prior to 149.0.7827.53, stemming from an inappropriate implementation in the Extensions subsystem. An attacker in a privileged network position can deliver a crafted Chrome Extension that, with user interaction, executes arbitrary code confined to the sandbox. No public exploit identified at time of analysis and EPSS probability is very low (0.01%), but a vendor patch is available.
Denial of service in Arista CloudVision Exchange (CVX) allows an attacker with high-privilege access to a connected switch to crash CVX agents by sending malformed TCP packets, causing instability across the CVX cluster. The flaw stems from improper input validation (CWE-20) of messages received from connected switches, and no public exploit has been identified at time of analysis.
Denial of service in Arista EOS switches and CloudVision Exchange (CVX) servers arises from improper input validation in the TCP messaging protocol that governs EOS-CVX cluster communication. Sending malformed messages in either direction - from a CVX server to an EOS switch, or vice versa - triggers a Sysdb agent crash on the EOS device (causing a soft reset) or agent crashes on the CVX server (causing cluster-wide instability). Exploitation requires the attacker to already hold high-privilege access on a device within the cluster, and no public exploit code or CISA KEV listing exists at time of analysis, making this a targeted insider or post-compromise threat rather than an opportunistic one.
Cross-tenant comment access in linqi BPM platform versions through 1.4.8.5 allows any authenticated user to read and write comments on arbitrary process objects across all business units by supplying a chosen GUID to the /api/Comment endpoints. The flaw stems from missing authorization checks on the relatedObjectId parameter and carries a CVSS 4.0 score of 7.1 with no public exploit identified at time of analysis. Because exploitation requires only low-privilege credentials and no user interaction, it is well-suited to insider abuse or post-compromise lateral movement within multi-tenant deployments.
Command injection in Arista Edge Threat Management Next Generation Firewall (NGFW) Captive Portal Custom Handler allows administrators authenticated to the management UI to execute arbitrary shell commands on the underlying platform. The CVSS 4.0 score of 7.0 reflects high privilege requirements (PR:H) offset by network reach and high confidentiality impact, with no public exploit identified at time of analysis.
Command injection in Arista Edge Threat Management Next Generation Firewall (NGFW) version 17.4.0 allows authenticated high-privileged remote attackers to inject OS commands through the Captive Portal application framework via encrypted password handling. The flaw is unique to release 17.4.0 with earlier versions unaffected, and no public exploit identified at time of analysis. CVSS 4.0 base score of 7.0 reflects high attacker privilege requirement balanced against high confidentiality impact on the firewall appliance.
Authenticated command injection in Arista Edge Threat Management Next Generation Firewall (NGFW) allows administrators with existing access to the browser management pipeline to break out and execute arbitrary terminal/shell script code on the underlying appliance OS. The flaw stems from insufficient input validation (CWE-78) within management-plane functionality and carries a CVSS 4.0 score of 7.0 with no public exploit identified at time of analysis. Because exploitation requires high-privileged authentication, the issue is a privilege-boundary breach rather than an unauthenticated remote takeover.
Command injection in Arista Edge Threat Management Next Generation Firewall (NGFW) version 17.4.0 allows high-privileged authenticated attackers to abuse insecure input validation in the Reports application to execute OS commands on the appliance. The flaw uniquely affects 17.4.0, with earlier releases unaffected, and no public exploit identified at time of analysis. CVSS 4.0 base score is 7.0 with confidentiality high and integrity/availability low, reflecting a scope-changing impact constrained by the high privileges required.
Local privilege escalation in libinput affects Red Hat Enterprise Linux 7, 8, 9, and 10 by allowing a local attacker with access to /dev/uinput to inject arbitrary udev properties via the libinput-device-group helper. Exploitation can result in root code execution through abuse of udev REMOVE_CMD properties that are run when a device is removed, mapping to CWE-78 (OS Command Injection). No public exploit identified at time of analysis, but the issue is vendor-confirmed by Red Hat.
Authorization bypass in TP-Link Tapo C520WS v2 cameras allows holders of restricted accounts (such as hub users) to execute privileged operations they are not entitled to perform. By abusing the device API's legitimate method mapping behavior, an authenticated low-privilege attacker on the adjacent network can disguise sensitive calls as whitelisted ones, leading to integrity loss and high availability impact including device resets and configuration changes. No public exploit identified at time of analysis, and the issue was reported by TP-Link itself with a vendor patch available.
Authentication bypass via SAML session replay in Siderolabs Omni stems from a TOCTOU race condition in the SAML interceptor (internal/pkg/auth/interceptor/saml.go), where the SAMLAssertion 'Used' flag is checked and updated non-atomically. Concurrent requests bearing the same saml-session token can each observe Used==false, allowing an attacker who has intercepted a victim's token to authenticate multiple times as the victim and persist access by registering attacker-controlled public keys. No public exploit identified at time of analysis; the issue was reported by bugbunny.ai and fixed in Omni v1.6.6 and v1.7.3.
Authentication bypass in linqi's /api/Cdn/GetFile endpoint allows unauthenticated remote attackers to circumvent the ValidateAnonFileAccess authorization check by supplying an 'AnonFile' query parameter of exactly 256 characters. Despite the CVSS 4.0 score of 6.9 and a PR:N/AC:L attack vector suggesting easy, unauthenticated exploitation, the vendor's own advisory explicitly confirms the security impact is negligible: the only resources accessible via this bypass are minified JavaScript and CSS files already served publicly through a CDN. No public exploit code has been identified at time of analysis, and there is no CISA KEV listing.
Cross-workspace tenant isolation bypass in NocoDB exposes database integration credentials across organizational boundaries via the testConnection endpoint. Any authenticated user holding a creator or owner role on any base in any workspace can supply a foreign workspace's integration ID to invoke its connection test, gaining access to that workspace's stored database credentials and the ability to drive its underlying database. No public exploit code is identified at time of analysis, but vendor-released patch 2026.05.1 is available and resolves the issue.
Timing oracle in NocoDB's shared-view password authentication allows a network-positioned attacker to recover legacy plaintext passwords character-by-character through response time measurement. Affected installations are those where shared-view passwords were set before the bcrypt migration - passwords stored as bcrypt hashes (prefixed $2a$/$2b$) were never vulnerable. The strict-equality (===) JavaScript comparison leaked both password length and per-character prefix timing, enabling incremental brute-force without any prior authentication. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Hidden column exposure in NocoDB public shared-view endpoints allows unauthenticated attackers holding only a shared-view UUID to read data that view owners explicitly marked as hidden. Three independent bypass paths exist: groupBy parameters accept arbitrary column names and return raw cell values, filter and sort arrays accept hidden column IDs enabling boolean-blind row-count extraction, and the related-data list endpoint accepts link-column IDs from unrelated tables in the same base - leaking records beyond the intended view scope. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV, but the attack requires no credentials and targets a commonly shared URL, making any NocoDB deployment with public shared views and hidden sensitive columns an immediately addressable risk.
Hidden LTAR column exposure in NocoDB's public shared-view API allows anyone holding a valid share UUID to read linked records from columns the view owner explicitly hid. The handlers `publicMmList`, `publicHmList`, and `relDataList` enforced column-to-view-model membership but omitted a check on the per-column `show` flag, creating a gap between the public `/rows` response (which correctly omits hidden columns) and the relation sub-endpoints (which did not). All nocodb npm package versions up to and including 2026.05.0 are affected; a vendor-released patch is available in 2026.05.1. No public exploit code or CISA KEV listing is identified at time of analysis.
Unauthenticated repository exposure in HAX CMS PHP (versions 2.0.0 through 25.x) allows any remote attacker to browse git repositories and full commit history via the unprotected gitlist plugin. The CVSS 4.0 vector confirms no authentication, no user interaction, and network-level access with low complexity, making exploitation trivially achievable against any public-facing instance. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the absence of access controls on the gitlist endpoint represents a direct confidentiality risk for any sensitive data stored in or committed to those repositories.
Improper input validation in Samsung Members prior to version 5.8.01.5 allows local authenticated attackers to access arbitrary URLs and launch arbitrary Android activities using Samsung Members' application privileges. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N) confirms local access with low privileges and no additional preconditions, with the score of 6.9 reflecting a high availability impact on the vulnerable component alongside low integrity impact. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV, but the ability to hijack privileged activity launches on Samsung devices makes it a meaningful local privilege-chaining vector.
Improper export of the ExpressHomeWidgetReceiver Android component in Samsung Assistant (prior to version 9.3.14) enables a local attacker without special privileges to send crafted intents to the exposed receiver and execute arbitrary scripts on the device. The CVSS 4.0 score of 6.9 reflects high confidentiality impact (VC:H) with a local attack vector - an on-device malicious application is a realistic threat model. No public exploit has been identified and this CVE does not appear in CISA KEV at time of analysis.
Improper export of the SmartHomeWidgetReceiver Android component in Samsung Assistant prior to version 9.3.14 allows a local attacker without any privileges to send crafted intents directly to the exposed receiver and execute arbitrary scripts. The CVSS 4.0 score of 6.9 reflects high confidentiality impact (VC:H) constrained to the local attack surface (AV:L), aligning with the 'Information Disclosure' tag. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Incorrect privilege assignment in the Telephony component of Samsung Mobile devices prior to SMR Jun-2026 Release 1 permits local attackers to access sensitive information without requiring prior privileges or user interaction. Affecting devices running Android 14, 15, and 16, the flaw stems from improper access controls within the telephony subsystem. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, but the low attack complexity and absence of privilege prerequisites lower the bar for local exploitation.
Arbitrary filesystem directory listing in Lyrion Music Server 9.2.0 exposes any host directory to remote unauthenticated attackers via the readdirectory query, which accepts an unsandboxed folder parameter with no path restriction. Both the CLI service on TCP port 9090 and the HTTP JSON-RPC endpoint at /jsonrpc.js are affected, presenting a dual-protocol attack surface that requires no credentials in the default configuration. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the trivial attack complexity - a single unauthenticated network request - significantly lowers the real-world barrier to abuse.
Format string injection in the TP-Link Tapo C520WS v2 ONVIF Subscribe service allows a high-privileged attacker on the same network segment to crash the camera's event notification service by supplying crafted format string specifiers in subscription requests or notification generation parameters. Successful exploitation terminates the ONVIF Subscribe service unexpectedly, silently disabling real-time motion alerts and alarm notifications until service recovery or device reboot - a safety-relevant impact in physical security deployments. No public exploit code has been identified at time of analysis, and TP-Link has self-disclosed the issue alongside a firmware patch.
Format string exploitation in TP-Link's Tapo C520WS v2 ONVIF management service allows an authenticated attacker on an adjacent network segment to crash the ONVIF service by injecting format specifiers into AddScopes scope parameters, resulting in a denial-of-service condition that disrupts normal camera operation. The vulnerability (CWE-134) is confined to availability impact only - no confidentiality or integrity compromise is possible. No public exploit code has been identified at time of analysis, and a vendor-released patch is available from TP-Link.
Stack-based buffer overflow in TP-Link Tapo C520WS v2 allows an authenticated attacker with adjacent network access to crash the device's ONVIF service by submitting a crafted DeleteUsers request containing an excessive number of user identifiers, causing a denial-of-service condition that disrupts camera management and monitoring functionality. The CVSS:4.0 vector (VC:N/VI:N/VA:H) confirms impact is strictly limited to availability - no confidentiality or integrity compromise is achievable. No public exploit identified at time of analysis and no active exploitation has been confirmed.
Stack-based buffer overflow in the ONVIF CreateUsers service of the TP-Link Tapo C520WS v2 IP camera allows an authenticated, adjacent-network attacker to crash the ONVIF management process by sending a crafted request with an excessive number of XML user nodes. Exploitation results in a denial-of-service condition that disrupts ONVIF-based device configuration and management until the service recovers or the device is rebooted. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor (TP-Link) has released a firmware patch.
Improper Android component export in Samsung's Galaxy Editing Service exposes privileged operations to local, low-privileged attackers on Android 14, 15, and 16 devices prior to SMR Jun-2026 Release 1. A malicious app installed on the device can directly invoke these exported components - bypassing intended permission controls - to execute operations with elevated privileges, resulting in high integrity impact on the vulnerable system. No public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Improper input validation in Samsung Plus TV prior to version 1.0.28.6 exposes sensitive information to unauthenticated remote attackers, requiring only passive user interaction. The CVSS 4.0 vector reveals a notable scope discrepancy: while the vulnerable component itself suffers only low confidentiality impact (VC:L), the subsequent system scope carries high confidentiality, integrity, and availability ratings (SC:H/SI:H/SA:H), suggesting that exploiting the Samsung Plus TV app can cascade into broader system-level compromise on the affected device. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Cross-origin data leakage in Google Chrome for Android prior to 149.0.7827.53 exposes sensitive information through insufficient policy enforcement in the WebAuthentication (WebAuthn) component. An attacker who has already achieved renderer process compromise can exploit this gap to extract cross-origin data by delivering a crafted HTML page to a victim, requiring user interaction. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at a low 0.05% (16th percentile), consistent with Google's own 'Low' severity classification for Chromium.
Local File Inclusion in HAX CMS's saveOutline endpoint allows an authenticated low-privileged user to read arbitrary files on the server by injecting path traversal sequences into the location field written to site.json. Both the PHP and NodeJS backend variants (haxtheweb/haxcms-php and haxtheweb/haxcms-nodejs) are affected across all versions prior to 26.0.0. There is no public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, though the confidentiality impact is rated High given that exfiltrable targets include /etc/passwd, application secrets, and web-server-readable configuration files.
Integer overflow in Google Chrome's Fonts component (versions prior to 149.0.7827.53) enables remote attackers to read out-of-bounds process memory, potentially leaking sensitive in-memory data such as credentials or tokens. Exploitation is constrained by a mandatory user-interaction requirement - a victim must visit a specially crafted HTML page - and Chromium's own severity rating of Low tempers urgency relative to the NVD CVSS Medium score. No public exploit identified at time of analysis, and EPSS stands at 0.03% (11th percentile), indicating very low near-term exploitation probability.
Side-channel information leakage in the Paint component of Google Chrome prior to 149.0.7827.53 enables cross-origin data theft via a crafted HTML page requiring only victim interaction. The CVSS 6.5 rating reflects high confidentiality impact with no attacker privileges required, but real-world risk is tempered by mandatory user interaction, Chromium's own 'Low' severity classification, and an EPSS exploitation probability of just 0.03% (11th percentile). No public exploit has been identified at time of analysis, and a vendor-released patch is available in Chrome 149.0.7827.53.
Cross-origin data leakage in Google Chrome prior to 149.0.7827.53 arises from insufficient policy enforcement in the CSS subsystem, allowing unauthenticated remote attackers to read data across origin boundaries by directing a user to a crafted HTML page. The CVSS vector scores high confidentiality impact (C:H) with no privileges required (PR:N), though mandatory user interaction (UI:R) is a prerequisite. No public exploit has been identified at time of analysis, EPSS probability is very low at 0.03% (11th percentile), and Chromium's own internal severity rating is 'Low' - all signals consistent with limited real-world exploitation risk despite the elevated CVSS confidentiality impact.
Side-channel information leakage via Performance APIs in Google Chrome prior to 149.0.7827.53 enables a remote attacker to read cross-origin data by luring a victim to a crafted HTML page. The CVSS confidentiality impact is rated High (C:H), yet Chromium's own security team classified this as 'Low' severity - a notable internal/external discordance suggesting practical exploitation is constrained. No public exploit code exists and EPSS stands at just 0.03% (11th percentile), consistent with the low-exploitation-probability profile typical of browser timing side-channels.
Cross-origin data leakage in Google Chrome's Passwords component (all versions prior to 149.0.7827.53) allows an unauthenticated remote attacker to read sensitive cross-origin information by serving a crafted HTML page and social-engineering the victim into performing specific UI gestures. The CVSS score of 6.5 reflects high confidentiality impact (C:H), though the attack is gated by mandatory user interaction, which materially limits real-world exploitability. No public exploit code has been identified at time of analysis, EPSS places exploitation probability at just 0.03% (11th percentile), and the Chromium security team rated this vulnerability Low severity - all signals consistent with a narrowly exploitable information disclosure rather than a broad critical threat.
Cross-origin data leakage in Google Chrome on Android (prior to 149.0.7827.53) enables remote unauthenticated attackers to exfiltrate data from other origins by directing a victim to a crafted HTML page that exploits an inappropriate UI implementation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) reflects low-complexity network exploitation requiring only a single user interaction, with high confidentiality impact and no integrity or availability loss. No public exploit code and no active exploitation have been identified; an EPSS of 0.03% at the 11th percentile aligns with Chromium's own internal Low severity rating, placing this firmly in the patch-and-move-on category.