Tunnel decapsulation logic in Arista EOS fails to verify the encapsulation protocol type, allowing any tunneled packet destined for a configured decapsulation IP to be silently unwrapped and forwarded into the network. Unauthenticated remote attackers (PR:N, AV:N per CVSS 4.0) can inject traffic into network segments by exploiting this check bypass on switches with VXLAN, decap-groups, or GRE configurations. The CVE description explicitly states this issue has been reported as exploited in the wild; however, a CISA KEV entry was not confirmed in the provided data. The integrity impact is assessed as low on both the vulnerable and subsequent systems per CVSS 4.0 (VI:L/SI:L), but the network trust boundary violation in a core switching context warrants elevated operational priority.
Unrestricted file upload in code-projects Vehicle Management System 1.0 allows remote unauthenticated attackers to upload arbitrary files via the photo parameter of the New Driver Registration Form (newdriver.php), enabling remote code execution. Publicly available exploit code exists on GitHub, increasing the likelihood of opportunistic abuse against exposed instances despite no CISA KEV listing.
SQL injection in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to manipulate the 'room' parameter of /details.php to inject arbitrary SQL queries. Publicly available exploit code exists (published via GitHub by researcher and indexed by VulDB), increasing the likelihood of opportunistic exploitation against exposed instances. The flaw is reachable over the network with no privileges or user interaction, making any internet-facing deployment of this PHP application a viable target.
SQL injection in tittuvarghese CollegeManagementSystem (rolling-release PHP project) allows remote unauthenticated attackers to manipulate the department_code parameter in dashboard_page/forms/fetch.php to inject arbitrary SQL. Publicly available exploit code exists (disclosed via VulDB and a GitHub issue), and because the project uses continuous delivery with no tagged versions, defenders cannot pin a fixed release. The maintainer has been notified but has not responded, increasing operational risk for any deployment.
Reflected cross-site scripting in Lyrion Music Server 9.2.0 allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into visiting a crafted URL targeting the server.log endpoint's search parameter. The vulnerability carries a changed scope (S:C in CVSS), meaning malicious script executes in the context of the affected application's origin, enabling session theft, credential harvesting, or UI redressing against users of the media server interface. No public exploit is confirmed at time of analysis, and no KEV listing exists, but the advisory was published to zeroscience.mk - a research outlet that routinely accompanies disclosures with proof-of-concept code.
Authentication bypass in linqi's /api/Cdn/GetFile endpoint allows unauthenticated remote attackers to circumvent the ValidateAnonFileAccess authorization check by supplying an 'AnonFile' query parameter of exactly 256 characters. Despite the CVSS 4.0 score of 6.9 and a PR:N/AC:L attack vector suggesting easy, unauthenticated exploitation, the vendor's own advisory explicitly confirms the security impact is negligible: the only resources accessible via this bypass are minified JavaScript and CSS files already served publicly through a CDN. No public exploit code has been identified at time of analysis, and there is no CISA KEV listing.
Cross-workspace tenant isolation bypass in NocoDB exposes database integration credentials across organizational boundaries via the testConnection endpoint. Any authenticated user holding a creator or owner role on any base in any workspace can supply a foreign workspace's integration ID to invoke its connection test, gaining access to that workspace's stored database credentials and the ability to drive its underlying database. No public exploit code is identified at time of analysis, but vendor-released patch 2026.05.1 is available and resolves the issue.
Timing oracle in NocoDB's shared-view password authentication allows a network-positioned attacker to recover legacy plaintext passwords character-by-character through response time measurement. Affected installations are those where shared-view passwords were set before the bcrypt migration - passwords stored as bcrypt hashes (prefixed $2a$/$2b$) were never vulnerable. The strict-equality (===) JavaScript comparison leaked both password length and per-character prefix timing, enabling incremental brute-force without any prior authentication. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Hidden column exposure in NocoDB public shared-view endpoints allows unauthenticated attackers holding only a shared-view UUID to read data that view owners explicitly marked as hidden. Three independent bypass paths exist: groupBy parameters accept arbitrary column names and return raw cell values, filter and sort arrays accept hidden column IDs enabling boolean-blind row-count extraction, and the related-data list endpoint accepts link-column IDs from unrelated tables in the same base - leaking records beyond the intended view scope. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV, but the attack requires no credentials and targets a commonly shared URL, making any NocoDB deployment with public shared views and hidden sensitive columns an immediately addressable risk.
Hidden LTAR column exposure in NocoDB's public shared-view API allows anyone holding a valid share UUID to read linked records from columns the view owner explicitly hid. The handlers `publicMmList`, `publicHmList`, and `relDataList` enforced column-to-view-model membership but omitted a check on the per-column `show` flag, creating a gap between the public `/rows` response (which correctly omits hidden columns) and the relation sub-endpoints (which did not). All nocodb npm package versions up to and including 2026.05.0 are affected; a vendor-released patch is available in 2026.05.1. No public exploit code or CISA KEV listing is identified at time of analysis.
Unauthenticated repository exposure in HAX CMS PHP (versions 2.0.0 through 25.x) allows any remote attacker to browse git repositories and full commit history via the unprotected gitlist plugin. The CVSS 4.0 vector confirms no authentication, no user interaction, and network-level access with low complexity, making exploitation trivially achievable against any public-facing instance. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the absence of access controls on the gitlist endpoint represents a direct confidentiality risk for any sensitive data stored in or committed to those repositories.
Improper input validation in Samsung Members prior to version 5.8.01.5 allows local authenticated attackers to access arbitrary URLs and launch arbitrary Android activities using Samsung Members' application privileges. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N) confirms local access with low privileges and no additional preconditions, with the score of 6.9 reflecting a high availability impact on the vulnerable component alongside low integrity impact. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV, but the ability to hijack privileged activity launches on Samsung devices makes it a meaningful local privilege-chaining vector.
Improper export of the ExpressHomeWidgetReceiver Android component in Samsung Assistant (prior to version 9.3.14) enables a local attacker without special privileges to send crafted intents to the exposed receiver and execute arbitrary scripts on the device. The CVSS 4.0 score of 6.9 reflects high confidentiality impact (VC:H) with a local attack vector - an on-device malicious application is a realistic threat model. No public exploit has been identified and this CVE does not appear in CISA KEV at time of analysis.
Improper export of the SmartHomeWidgetReceiver Android component in Samsung Assistant prior to version 9.3.14 allows a local attacker without any privileges to send crafted intents directly to the exposed receiver and execute arbitrary scripts. The CVSS 4.0 score of 6.9 reflects high confidentiality impact (VC:H) constrained to the local attack surface (AV:L), aligning with the 'Information Disclosure' tag. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Incorrect privilege assignment in the Telephony component of Samsung Mobile devices prior to SMR Jun-2026 Release 1 permits local attackers to access sensitive information without requiring prior privileges or user interaction. Affecting devices running Android 14, 15, and 16, the flaw stems from improper access controls within the telephony subsystem. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, but the low attack complexity and absence of privilege prerequisites lower the bar for local exploitation.
Arbitrary filesystem directory listing in Lyrion Music Server 9.2.0 exposes any host directory to remote unauthenticated attackers via the readdirectory query, which accepts an unsandboxed folder parameter with no path restriction. Both the CLI service on TCP port 9090 and the HTTP JSON-RPC endpoint at /jsonrpc.js are affected, presenting a dual-protocol attack surface that requires no credentials in the default configuration. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the trivial attack complexity - a single unauthenticated network request - significantly lowers the real-world barrier to abuse.
Format string injection in the TP-Link Tapo C520WS v2 ONVIF Subscribe service allows a high-privileged attacker on the same network segment to crash the camera's event notification service by supplying crafted format string specifiers in subscription requests or notification generation parameters. Successful exploitation terminates the ONVIF Subscribe service unexpectedly, silently disabling real-time motion alerts and alarm notifications until service recovery or device reboot - a safety-relevant impact in physical security deployments. No public exploit code has been identified at time of analysis, and TP-Link has self-disclosed the issue alongside a firmware patch.
Format string exploitation in TP-Link's Tapo C520WS v2 ONVIF management service allows an authenticated attacker on an adjacent network segment to crash the ONVIF service by injecting format specifiers into AddScopes scope parameters, resulting in a denial-of-service condition that disrupts normal camera operation. The vulnerability (CWE-134) is confined to availability impact only - no confidentiality or integrity compromise is possible. No public exploit code has been identified at time of analysis, and a vendor-released patch is available from TP-Link.
Stack-based buffer overflow in TP-Link Tapo C520WS v2 allows an authenticated attacker with adjacent network access to crash the device's ONVIF service by submitting a crafted DeleteUsers request containing an excessive number of user identifiers, causing a denial-of-service condition that disrupts camera management and monitoring functionality. The CVSS:4.0 vector (VC:N/VI:N/VA:H) confirms impact is strictly limited to availability - no confidentiality or integrity compromise is achievable. No public exploit identified at time of analysis and no active exploitation has been confirmed.
Stack-based buffer overflow in the ONVIF CreateUsers service of the TP-Link Tapo C520WS v2 IP camera allows an authenticated, adjacent-network attacker to crash the ONVIF management process by sending a crafted request with an excessive number of XML user nodes. Exploitation results in a denial-of-service condition that disrupts ONVIF-based device configuration and management until the service recovers or the device is rebooted. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor (TP-Link) has released a firmware patch.
Improper Android component export in Samsung's Galaxy Editing Service exposes privileged operations to local, low-privileged attackers on Android 14, 15, and 16 devices prior to SMR Jun-2026 Release 1. A malicious app installed on the device can directly invoke these exported components - bypassing intended permission controls - to execute operations with elevated privileges, resulting in high integrity impact on the vulnerable system. No public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Improper input validation in Samsung Plus TV prior to version 1.0.28.6 exposes sensitive information to unauthenticated remote attackers, requiring only passive user interaction. The CVSS 4.0 vector reveals a notable scope discrepancy: while the vulnerable component itself suffers only low confidentiality impact (VC:L), the subsequent system scope carries high confidentiality, integrity, and availability ratings (SC:H/SI:H/SA:H), suggesting that exploiting the Samsung Plus TV app can cascade into broader system-level compromise on the affected device. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Cross-origin data leakage in Google Chrome for Android prior to 149.0.7827.53 exposes sensitive information through insufficient policy enforcement in the WebAuthentication (WebAuthn) component. An attacker who has already achieved renderer process compromise can exploit this gap to extract cross-origin data by delivering a crafted HTML page to a victim, requiring user interaction. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at a low 0.05% (16th percentile), consistent with Google's own 'Low' severity classification for Chromium.
Local File Inclusion in HAX CMS's saveOutline endpoint allows an authenticated low-privileged user to read arbitrary files on the server by injecting path traversal sequences into the location field written to site.json. Both the PHP and NodeJS backend variants (haxtheweb/haxcms-php and haxtheweb/haxcms-nodejs) are affected across all versions prior to 26.0.0. There is no public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, though the confidentiality impact is rated High given that exfiltrable targets include /etc/passwd, application secrets, and web-server-readable configuration files.
Integer overflow in Google Chrome's Fonts component (versions prior to 149.0.7827.53) enables remote attackers to read out-of-bounds process memory, potentially leaking sensitive in-memory data such as credentials or tokens. Exploitation is constrained by a mandatory user-interaction requirement - a victim must visit a specially crafted HTML page - and Chromium's own severity rating of Low tempers urgency relative to the NVD CVSS Medium score. No public exploit identified at time of analysis, and EPSS stands at 0.03% (11th percentile), indicating very low near-term exploitation probability.
Side-channel information leakage in the Paint component of Google Chrome prior to 149.0.7827.53 enables cross-origin data theft via a crafted HTML page requiring only victim interaction. The CVSS 6.5 rating reflects high confidentiality impact with no attacker privileges required, but real-world risk is tempered by mandatory user interaction, Chromium's own 'Low' severity classification, and an EPSS exploitation probability of just 0.03% (11th percentile). No public exploit has been identified at time of analysis, and a vendor-released patch is available in Chrome 149.0.7827.53.
Cross-origin data leakage in Google Chrome prior to 149.0.7827.53 arises from insufficient policy enforcement in the CSS subsystem, allowing unauthenticated remote attackers to read data across origin boundaries by directing a user to a crafted HTML page. The CVSS vector scores high confidentiality impact (C:H) with no privileges required (PR:N), though mandatory user interaction (UI:R) is a prerequisite. No public exploit has been identified at time of analysis, EPSS probability is very low at 0.03% (11th percentile), and Chromium's own internal severity rating is 'Low' - all signals consistent with limited real-world exploitation risk despite the elevated CVSS confidentiality impact.
Side-channel information leakage via Performance APIs in Google Chrome prior to 149.0.7827.53 enables a remote attacker to read cross-origin data by luring a victim to a crafted HTML page. The CVSS confidentiality impact is rated High (C:H), yet Chromium's own security team classified this as 'Low' severity - a notable internal/external discordance suggesting practical exploitation is constrained. No public exploit code exists and EPSS stands at just 0.03% (11th percentile), consistent with the low-exploitation-probability profile typical of browser timing side-channels.
Cross-origin data leakage in Google Chrome's Passwords component (all versions prior to 149.0.7827.53) allows an unauthenticated remote attacker to read sensitive cross-origin information by serving a crafted HTML page and social-engineering the victim into performing specific UI gestures. The CVSS score of 6.5 reflects high confidentiality impact (C:H), though the attack is gated by mandatory user interaction, which materially limits real-world exploitability. No public exploit code has been identified at time of analysis, EPSS places exploitation probability at just 0.03% (11th percentile), and the Chromium security team rated this vulnerability Low severity - all signals consistent with a narrowly exploitable information disclosure rather than a broad critical threat.
Cross-origin data leakage in Google Chrome on Android (prior to 149.0.7827.53) enables remote unauthenticated attackers to exfiltrate data from other origins by directing a victim to a crafted HTML page that exploits an inappropriate UI implementation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) reflects low-complexity network exploitation requiring only a single user interaction, with high confidentiality impact and no integrity or availability loss. No public exploit code and no active exploitation have been identified; an EPSS of 0.03% at the 11th percentile aligns with Chromium's own internal Low severity rating, placing this firmly in the patch-and-move-on category.
Cross-origin data leakage in Google Chrome's ANGLE graphics layer on Windows allows a remote unauthenticated attacker to read sensitive cross-origin memory contents by delivering a crafted HTML page to a victim. Affected are all Chrome versions on Windows prior to 149.0.7827.53. The root cause is an uninitialized memory use (CWE-457) within ANGLE, Chrome's graphics abstraction library. No public exploit has been identified at time of analysis, EPSS is very low at 0.03% (11th percentile), and the vulnerability is not listed in the CISA KEV catalog, consistent with the vendor's own 'Low' severity rating.
Heap out-of-bounds read in 7-Zip's Unix ar archive parser (versions 9.18 through 26.00) allows a remote unauthenticated attacker to leak uninitialized heap memory contents by convincing a user to open a specially crafted archive. The ParseLibSymbols function mishandles the BSD-style __.SYMDEF symbol table by reading 4 bytes past the end of a heap allocation when the namesSize field position equals the buffer boundary, exposing heap data with high confidentiality impact. No public exploit has been identified at time of analysis, and no KEV listing exists; version 26.01 patches the issue.
Uninitialized heap memory disclosure in 7-Zip's UEFI capsule (.scap) parser exposes potentially sensitive heap contents when an unauthenticated remote attacker delivers a crafted capsule file that a user opens. The OpenCapsule function allocates a heap buffer sized by the attacker-controlled CapsuleImageSize field without zero-initialization, then silently ignores read failures on truncated files, causing the unread tail - containing raw heap data - to be surfaced as extracted file content. Affecting versions 9.21 through 26.00, a fix is available in 26.0.1; no public exploit code has been identified at time of analysis.
Navigation policy bypass in Google Chrome on Android (prior to 149.0.7827.53) enables a remote attacker who has already achieved renderer process compromise to circumvent navigation restrictions through a specially crafted HTML page. The vulnerability carries a CVSS integrity impact of High (I:H) with no confidentiality or availability impact, indicating the primary risk is unauthorized navigation to restricted targets - a technique commonly used to chain into further exploitation. No public exploit identified at time of analysis, and EPSS of 0.02% (6th percentile) reflects negligible current exploitation probability; however, its value as a chaining primitive in multi-stage browser attacks warrants attention.
Navigation restriction bypass in Google Chrome's Shortcuts feature on macOS allows remote attackers to circumvent Chrome's internal URL filtering or navigation controls via a crafted malicious file. Affected versions are all Chrome releases on Mac prior to 149.0.7827.53. The CVSS vector (PR:N, UI:R, I:H) indicates no attacker authentication is required but user interaction with the malicious file is mandatory; EPSS at 0.02% (4th percentile) and no public exploit identified at time of analysis confirm low exploitation probability, consistent with Chromium's own 'Low' severity rating.
Navigation restriction bypass in Google Chrome for Android's Page Info component (prior to 149.0.7827.53) enables an attacker who has already compromised the renderer process to circumvent Chrome's navigation controls via a specially crafted HTML page. This is a chained exploitation scenario: the vulnerability cannot be triggered standalone but requires a prior renderer compromise as a prerequisite, limiting its practical threat surface. No public exploit has been identified at time of analysis, EPSS is negligible at 0.02%, and the vulnerability is not listed in CISA KEV. Google rates its internal severity as Low.
File System Access API in Google Chrome prior to 149.0.7827.53 allows a remote attacker to bypass discretionary access control (DAC) by convincing a user to perform specific UI gestures on a crafted HTML page. The CVSS vector (I:H, C:N, A:N) confirms the impact is limited to unauthorized file integrity compromise - an attacker could write or modify local files beyond what the user explicitly permitted. No public exploit code exists and EPSS is 0.02% (4th percentile), aligning with Chromium's own internal 'Low' severity rating, indicating limited real-world exploitation likelihood at time of analysis.
Cross-origin data leakage via Chrome's CustomTabs component on Android exposes confidential web content to attackers who can deliver a crafted HTML page to a victim. Affected versions are all Chrome for Android releases prior to 149.0.7827.53. Despite Chromium's internal 'Low' severity rating, the CVSS confidentiality impact is scored High (C:H), and user interaction is required (UI:R) - meaning exploitation depends on a victim opening attacker-controlled content. No public exploit code exists and no active exploitation has been identified; EPSS at 0.01% (1st percentile) corroborates low near-term exploitation likelihood.
CORS origin allowlist bypass in sanic-cors 2.2.0 and prior enables cross-origin access to authenticated resources by exploiting an unanchored regular expression in the origin-matching logic. The library's try_match() function in sanic_cors/core.py uses Python's re.match() - which matches only from the start of a string, not the full string - allowing an attacker who controls a domain prefixed with a trusted origin (e.g., trusted.example.com.attacker.com) to satisfy the allowlist check. Exploitation requires a victim user to visit an attacker-controlled page, placing this in a network-accessible, user-interaction-required threat model. No public exploit code has been identified at time of analysis, and no KEV listing exists.
Reflected cross-site scripting in Znuny's AdminCommunicationLog (communication log administration view) allows a low-privileged authenticated attacker to inject arbitrary JavaScript that executes in the context of other users' browsers, with changed scope indicating impact beyond the vulnerable component itself. Affected releases are Znuny LTS before 6.5.21 and Znuny before 7.3.3. No public exploit identified at time of analysis and this CVE does not appear in CISA KEV, though the low-complexity, network-accessible attack vector and changed scope elevate practical concern for deployments with untrusted low-privilege users.
Improper access control in the MediaTek Audio HAL on Samsung Mobile Devices running Android 14, 15, and 16 permits local unprivileged attackers to invoke restricted privileged functions within the audio subsystem. The CVSS 4.0 subsequent system impact is rated High across confidentiality, integrity, and availability (SC:H/SI:H/SA:H), indicating that successful exploitation can cascade well beyond the Audio HAL itself to compromise broader device system components. No public exploit identified at time of analysis; Samsung has released a fix in SMR Jun-2026 Release 1.
Improper export of Android application components in Samsung's SpriteWallpaper app enables local attackers without privileges to access sensitive information and achieve disproportionately high impact on subsequent system components. Devices running Android 16 prior to the SMR Jun-2026 Release 1 security update are affected. No public exploit has been identified at time of analysis, but the zero-privilege local requirement and high subsequent system impact (SC:H/SI:H/SA:H) elevate practical risk on shared or managed Android devices.
OAuth authorization code exchange in NocoDB versions up to 2026.05.0 is vulnerable to a race condition that breaks the single-use guarantee enforced by PKCE. By submitting two or more concurrent token-exchange requests before the server atomically marks the authorization code as consumed, an attacker who controls a malicious OAuth client can obtain multiple valid (access_token, refresh_token) pairs from a single authorization code, resulting in unauthorized long-lived session access alongside the legitimate token. Fixed in 2026.05.1 via an atomic compare-and-swap database operation; no public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
User enumeration via observable timing discrepancy in NocoDB's sign-in endpoint allows network-positioned attackers to determine whether an email address is registered. The authentication service (`auth.service.ts`) returned immediately for unknown users without executing a bcrypt password hash comparison, producing measurably shorter response times than for known users - a classic timing side-channel. No public exploit has been identified at time of analysis, but the technique requires no privileges and is straightforward to execute against any network-accessible NocoDB instance running versions prior to 2026.04.1.
Improper authorization in Samsung Internet (Android browser) prior to version 30.0.0.39 allows a local attacker with low-level privileges to access sensitive information stored or processed by the browser, with downstream high-severity impact on subsequent systems as reflected in the CVSS 4.0 SC:H/SI:H/SA:H scores. The vulnerability requires only local access and no user interaction, making it exploitable by any co-resident low-privileged app or user account on the device. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and Samsung Mobile has released a patched version.
Privilege escalation in Google Chrome's Extensions subsystem, affecting all versions prior to 149.0.7827.53, allows a remote attacker who socially engineers a user into installing a crafted malicious extension to gain elevated privileges within the browser context, impacting confidentiality, integrity, and availability at a low-to-moderate level. The CVSS score of 6.3 (Medium) reflects the network-reachable attack vector offset by mandatory user interaction (UI:R), and Chromium's own security team rated this as Low severity - a notable downgrade from the NVD-calculated score. No public exploit code and no KEV listing have been identified at time of analysis, and the EPSS score of 0.01% (1st percentile) corroborates minimal observed exploitation activity.
Multiple reflected Cross-Site Scripting vulnerabilities in damasac's thaipalliative_lte PHP application (through version 3.0) allow unauthenticated remote attackers to inject arbitrary JavaScript into victim browsers by crafting malicious URLs. The vulnerable file /substudy/ezform.php unsafely echoes four distinct user-controlled parameters - idFormMain, id (in two locations), and ptid_key - directly into HTML attributes and JavaScript contexts without output encoding. A proof-of-concept exists per SSVC data; however, EPSS is very low at 0.08% (23rd percentile) and exploitation is not confirmed by CISA KEV, suggesting limited widespread attacker interest at time of analysis.
Universal Cross-Site Scripting (UXSS) in the Omnibox component of Google Chrome prior to 149.0.7827.53 enables a remote unauthenticated attacker to inject arbitrary scripts or HTML across origin boundaries by exploiting insufficient input validation. Successful exploitation requires convincing a victim to visit a crafted HTML page and perform specific UI gestures, as confirmed by the UI:R CVSS component and the CVE description. No public exploit has been identified at time of analysis, and the EPSS score of 0.07% (22nd percentile) combined with Google's own 'Low' severity classification indicates limited near-term exploitation likelihood.
Reflected cross-site scripting in HCL Digital Experience Compose's search center allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser session. The CVSS Scope:Changed rating reflects that the injected script executes outside the originating application's security domain, enabling session hijacking, credential harvesting, or malicious UI redirection against authenticated portal users. No public exploit code and no active exploitation have been identified at time of analysis, though the low attack complexity and absence of privilege requirements make it trivially deliverable via phishing.
Host header injection in HCL Digital Experience and HCL Digital Experience Compose enables unauthenticated remote attackers to manipulate HTTP Host headers, causing the application to generate attacker-controlled redirect URLs targeting victims - a classic open redirect primitive (CWE-601) confirmed by the Open Redirect tag. The CVSS 6.1 score reflects Changed scope (S:C), meaning impact crosses beyond the vulnerable component, with low confidentiality and integrity impact consistent with phishing and session-hijacking abuse. No public exploit code or CISA KEV listing has been identified at time of analysis.