Denial of service in Tenda FH451 router firmware V1.0.0.9 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack overflow in the list1 parameter of the fromDhcpListClient function. Publicly available exploit code exists in a GitHub research repository, though the vulnerability is not listed in CISA KEV and no EPSS score has been published at time of analysis. Impact is limited to availability - no confidentiality or integrity loss is indicated.
Cross-workspace tenant isolation bypass in FlowiseAI versions prior to 3.1.2 allows authenticated low-privileged users to reassign assistant resources to arbitrary workspaces by manipulating server-controlled fields in the assistant update endpoint. The flaw is a mass assignment issue (CWE-284) tracked as EUVD-2026-35109, with publicly available exploit code exists via the GHSA advisory PoC, though no public exploit identified at time of analysis as widely deployed exploitation. SSVC indicates total technical impact but non-automatable exploitation.
Denial of service in Tenda AC1206 routers (firmware v15.03.06.23) is triggered by stack-based buffer overflows in the fromGstDhcpSetSer function reachable through the username and password parameters of a crafted HTTP request. Remote attackers with network reach to the device's web management interface can crash the service without authentication, and no public exploit identified at time of analysis although proof-of-concept research material is hosted on GitHub.
Remote denial-of-service in Puma Ruby web server versions 5.5.0 through 7.2.0 and 8.0.0 through 8.0.1 allows unauthenticated attackers to exhaust process memory by opening a TCP connection and sending data without CRLF terminators when PROXY protocol v1 support is enabled. The vulnerability lives in the PROXY v1 pre-parse buffer, which grows without bound while Puma waits for the '\r\n' delimiter, leading to OOM kills or container restarts. No public exploit identified at time of analysis, and the issue only affects servers explicitly opting into the non-default `set_remote_address proxy_protocol: :v1` configuration.
Memory exhaustion denial-of-service in Netty's netty-transport-sctp module (versions <= 4.1.134.Final and 4.2.0.Final through 4.2.14.Final) allows remote unauthenticated attackers to crash JVM processes by sending unbounded SCTP DATA fragments that never set the complete flag. The flaw stems from the SCTP reassembly handler wrapping each new fragment into a fresh CompositeByteBuf around the prior accumulator, producing an N-deep recursive buffer chain that consumes memory and CPU per access, with no public exploit identified at time of analysis.
Remote denial-of-service in Netty's netty-handler component allows unauthenticated attackers to exhaust server memory by sending a crafted TLS ClientHello with an attacker-controlled 24-bit handshake length field, triggering an immediate ~16 MiB unpooled heap allocation per connection. Affects Netty 4.1.x through 4.1.134.Final and 4.2.x through 4.2.14.Final when using the default SniHandler/AbstractSniHandler constructors, which disable both the length guard and handshake timeout. No public exploit identified at time of analysis, but the trivial nine-byte trigger and CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/A:H) make weaponization straightforward.
Memory leak in Netty's HAProxy codec (io.netty:netty-codec-haproxy) allows remote unauthenticated attackers to exhaust server memory by sending PROXY protocol v2 frames containing a malformed PP2_TYPE_SSL TLV with a length below 5 bytes. The flaw causes a retained slice on the pooled cumulation buffer to never be released when an IndexOutOfBoundsException escapes the decoder's narrow exception handler. No public exploit identified at time of analysis, but the issue is trivially reproducible from the advisory's technical detail and affects any service that accepts PROXY v2 input from untrusted peers.
Remote denial-of-service in Netty's HTTP/3 codec (io.netty:netty-codec-http3, versions 4.2.0.Final through 4.2.14.Final) allows an unauthenticated attacker to exhaust server memory by streaming an unbounded number of HTTP/3 headers over a single connection until the JVM throws an OutOfMemoryError. The flaw stems from an insecure default in Http3ConnectionHandler that follows RFC 9114's unlimited HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE rather than mirroring the 8192-byte cap Netty applies to HTTP/1.1 and HTTP/2. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, but the vendor advisory (GHSA-c2rx-5r8w-8xr2) rates the issue high severity and a fix is shipped in 4.2.15.Final.
Denial of service in Apache HTTP Server 2.4.0 through 2.4.67 allows remote unauthenticated attackers to crash the server by submitting untrusted XML content processed by the mod_xml2enc module's xml2StartParse function. The flaw is a CWE-122 heap-based buffer overflow with a CVSS 7.5 score reflecting high availability impact only, and no public exploit has been identified at time of analysis.
Denial of service in Apache HTTP Server 2.4.0 through 2.4.67 stems from a heap buffer overflow in the mod_proxy_html output filter, where a malicious or compromised backend can return crafted HTML that corrupts memory in the proxying httpd worker. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) reflects unauthenticated network exploitation with availability-only impact, and no public exploit was identified at time of analysis.
Denial of service in Apache HTTP Server versions 2.4.0 through 2.4.67 stems from a heap-based buffer overflow triggered when the server processes responses from a malicious backend while ProxyPassReverseCookieDomain or ProxyPassReverseCookiePath directives are in use. Remote attackers controlling or compromising an upstream backend can crash the front-end Apache process, impacting availability of the reverse proxy without affecting confidentiality or integrity. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Kernel heap memory corruption in Imagination Technologies Graphics DDK allows a non-privileged local user to crash or destabilize the kernel by issuing crafted GPU system calls. The flaw affects Graphics DDK 24.2 RTM, 25.1 RTM through 25.3 RTM, and 26.1 RTM, and impacts any device shipping the affected PowerVR/IMG GPU driver stack. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Remote denial of service in Netty's netty-codec-redis module (versions <= 4.1.134.Final and 4.2.0.Final through 4.2.14.Final) allows unauthenticated attackers to exhaust direct memory by sending crafted RESP protocol payloads lacking the required \r\n terminator across multiple concurrent connections. The RedisDecoder buffers digit streams indefinitely while awaiting a line terminator, eventually triggering OutOfDirectMemoryError and preventing legitimate connections from being processed. No public exploit identified at time of analysis, but the vendor advisory GHSA-6ghj-frrj-jjj3 confirms the issue and patched releases are available.
Denial of service in Netty's netty-codec-redis module (versions <= 4.1.134.Final and 4.2.0.Final through 4.2.14.Final) allows remote unauthenticated attackers to exhaust JVM heap memory by sending Redis payloads with unbounded nested array headers. The RedisArrayAggregator allocates a new AggregateState and ArrayList for every nested array header without enforcing a depth limit, so a continuous stream of `*1\r\n` headers triggers an OutOfMemoryError. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Denial of service in the Linux kernel flow dissector allows remote attackers to trigger an unaligned access exception by sending crafted PPPoE Protocol Field Compression (PFC) frames to an Ethernet interface on alignment-sensitive architectures such as MIPS. The flaw affects kernels from 6.0 onward where Receive Packet Steering (RPS) or similar features invoke the flow dissector on incoming frames, and no PPPoE session needs to be active on the targeted interface. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the vendor has released patched kernel versions.
Denial of service in the Linux kernel's NVMe-over-TCP target (nvmet_tcp) module allows remote initiators to trigger a recursive nvmet-wq workqueue flush during controller teardown, producing a lockdep-flagged deadlock condition in nvmet_ctrl_free(). The flaw affects systems exposing NVMe-TCP targets where controller release work and async_event_work are both queued on the same nvmet workqueue. EPSS is 0.02% (7th percentile) and there is no public exploit identified at time of analysis; vendor patches have been issued across multiple stable branches.
Traffic amplification in Netty's QUIC codec (io.netty:netty-codec-classes-quic versions 4.2.0.Final through 4.2.14.Final) allows remote unauthenticated attackers to weaponize Netty-based QUIC servers as DDoS reflectors. The default NoQuicTokenHandler's validateToken() unconditionally returns 0, which the server misinterprets as a successfully Retry-validated client address, bypassing RFC 9000's 3× anti-amplification limit and causing the server to reflect full-size handshake flights (including certificates) toward a spoofed victim IP. No public exploit identified at time of analysis, but the fix is published in Netty 4.2.15.Final.
Use-after-free in the mod_http2 module of Apache HTTP Server versions 2.4.55 through 2.4.67 allows remote attackers to trigger memory corruption when the server's file handle pool is exhausted. The flaw carries a CVSS 7.3 (low impact across confidentiality, integrity, and availability) and is reachable over the network without authentication or user interaction, though no public exploit identified at time of analysis. Tagging emphasizes denial-of-service and memory corruption as the primary realistic outcomes.
Buffer over-read in Apache HTTP Server 2.4.0 through 2.4.67 allows remote attackers to trigger memory disclosure or limited integrity and availability impact via outbound OCSP requests sent to an attacker-controlled OCSP responder. The flaw stems from improper bounds handling (CWE-126) when parsing OCSP response data, and currently shows no public exploit identified at time of analysis despite a CVSS 7.3 rating reflecting unauthenticated network reachability with low complexity.
Denial of service in Apache HTTP Server versions 2.4.0 through 2.4.67 stems from an infinite loop condition in the mod_proxy_ftp module when interacting with an attacker-controlled backend FTP server. Remote attackers can degrade availability and partially impact confidentiality and integrity without authentication, though exploitation requires a proxied request path to a malicious FTP backend. No public exploit identified at time of analysis, and EPSS is very low at 0.02%.
{realm}/partialImport endpoint to bypass Fine-Grained Admin Permissions (FGAP) and promote themselves to full realm administrator. The flaw is an improper authorization check (CWE-863) on imported users carrying realm-admin role mappings. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Authentication bypass in Bludit CMS versions prior to 3.22.0 allows deactivated user accounts to retain authenticated access through persistent 'Remember Me' cookies, because the disable-account workflow fails to invalidate tokenAuth and tokenRemember values stored in the JSON database. Any user who previously logged in with the persistent session option can continue to act with their original privileges even after an administrator disables them. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Privilege escalation via authorization bypass in Snipe-IT versions prior to 8.6.0 allows any authenticated user holding only the granular `users.edit` permission to disable administrator and superuser accounts through the bulk-edit endpoint, effectively locking all admins out of the instance. By toggling the `activated` and `ldap_import` flags on admin targets, a low-privileged actor denies admins both interactive login and password-reset recovery. No public exploit identified at time of analysis, but the upstream fix and detailed advisory disclose the exact attack surface.
Out-of-bounds memory access in the Linux kernel's Microchip PolarFire SoC clock conditioning circuit driver (clk-mpfs-ccc) occurs during registration of the final clock outputs, because the driver's hws array is sized only for two PLLs and their four dividers while the defined clock IDs also enumerate two unsupported DLLs and their outputs. On affected Microchip PolarFire SoC hardware this leads to reads past the allocated array (flagged by UBSAN), enabling information disclosure or a kernel crash. There is no public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%).
Local privilege escalation and integrity compromise in Imagination Technologies Graphics DDK (GPU driver) allows non-privileged users to corrupt sparse memory mapping state via improper GPU system calls, leading to out-of-bounds memory access. The flaw stems from implicit scaling errors in pointer arithmetic across buffers of differing sizes (CWE-468), affecting DDK releases 24.2 RTM, 25.1-25.3 RTM, and 26.1 RTM. No public exploit identified at time of analysis, but the local attack vector with low complexity makes this attractive for sandbox escape chains on Android/Linux devices using PowerVR GPUs.
Information disclosure in FlowiseAI Flowise prior to version 3.1.2 allows authenticated users to retrieve encrypted credential blobs (API keys, passwords, OAuth tokens for OpenAI, AWS, etc.) by querying the credentials API with a credentialName filter. The /api/v1/credentials endpoint correctly strips the encryptedData field on unfiltered queries but omits this sanitization on the filtered code path, exposing AES-encrypted secrets to any authenticated caller. No public exploit identified at time of analysis, though a working curl reproduction is published in the GHSA advisory.
Local denial of service in the Linux kernel hfsplus filesystem driver occurs when hfsplus_fill_super() fails to release tree->tree_lock on an error path during HFS+ mount, causing a 'held lock freed' warning and potential lockdep-detected kernel instability. The flaw affects systems with CONFIG_HFSPLUS_FS enabled and is triggered when hfsplus_cat_build_key() returns an error during superblock initialization. No public exploit identified at time of analysis, and EPSS is very low (0.02%).
Information disclosure in the Linux kernel's Intel Xe DRM graphics driver (drm/xe) allows a local user to read stale data from previously freed memory pages belonging to other processes. The xe_vm_madvise_ioctl() handler failed to reject PAT indices set to XE_COH_NONE (non-coherent) coherency mode on CPU-cached buffer objects, letting a GPU bypass dirty CPU caches and read sensitive content directly from DRAM before the kernel's page-clearing writeback completes. There is no public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, consistent with a local, race-dependent leak rather than a widely weaponized flaw.
Authenticated arbitrary local file read in Basekick Labs Arc analytics platform allows any token holder - even one with an empty permissions array - to exfiltrate sensitive host files (auth.db bcrypt hashes, arc.toml S3/TLS secrets, /proc/self/environ) and pivot to SSRF against cloud metadata endpoints by abusing unblocked DuckDB I/O functions in the SELECT clause. The flaw stems from an incomplete regex denylist in internal/api/query.go that filtered only read_parquet and arc_partition_agg while leaving the wider DuckDB I/O family (read_csv_auto, read_json, read_text, read_blob, glob, parquet_metadata, read_xlsx, etc.) and SELECT-list scalar table functions unguarded. No public exploit identified at time of analysis, but the GHSA advisory ships a working single-request proof-of-concept and the fix is shipped in Arc 2026.06.1.
Information disclosure in nebula-mesh through v0.3.1 allows any holder of an operator API key to read the server-wide audit log via GET /api/v1/audit-log, exposing cross-tenant actor names, host/CA/operator IDs, action timestamps, and masked-IP entries. The handleGetAuditLog endpoint enforces only bearer authentication with no admin-role check, so a low-privilege tenant can enumerate staffing patterns and high-value targets. Publicly available exploit code exists in the form of a one-line curl reproducer published in the GHSA advisory; no public exploit identified at time of analysis as actively weaponized, and the issue is not on CISA KEV.
Cross-site request forgery in nebula-mesh's admin web UI (versions <= 0.3.2) lets a remote attacker trigger privileged operator actions - CA signing, API key minting, operator disablement, server-setting changes, and forced logout - when a logged-in operator visits an attacker-controlled page. SameSite=Lax on the session cookie does not block top-level cross-site form POSTs, sibling-subdomain attackers, or the GET /ui/logout route, so the impact is privilege escalation rather than nuisance. No public exploit identified at time of analysis beyond the working reproducer in the advisory itself.
Missing browser security headers in nebula-mesh (Go-based mesh admin platform) through v0.3.0 expose the admin UI and API to clickjacking, MIME-sniffing, referrer leakage, and TLS downgrade attacks. The admin surfaces affected handle high-value operations including CA certificate signing, API key minting, TOTP QR display, and operator management, making framing or MIME confusion attacks materially impactful. No public exploit identified at time of analysis, and the issue was reported by the maintainer with a patch released in v0.3.1.
YAML injection in nebula-mesh (juev/nebula-mesh, forked as forgekeep/nebula-mesh) prior to v0.3.2 allows an authenticated operator to inject arbitrary YAML keys into a managed agent's config.yml via the unvalidated adv_tun_device and ListenHost host-override fields. A successful injection lets the attacker self-promote a target host to a Nebula lighthouse or relay, redirecting and intercepting mesh traffic across the overlay network. No public exploit identified at time of analysis, but a detailed PoC payload is published in the GHSA advisory itself.