Unrestricted resource allocation in AMD µProf allows a local low-privileged user to consume excessive system resources, resulting in a loss of availability (denial of service). The CVSS 4.0 score of 6.8 reflects a locally exploitable, low-complexity attack requiring only low privileges with no user interaction needed. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; however, the straightforward nature of resource exhaustion attacks makes it a realistic local threat on systems where AMD µProf is deployed.
Improper access control in AMD µProf exposes a kernel-shared memory section to low-privileged local users, enabling writes that can crash the system or cause a denial of service. All AMD µProf versions prior to 5.3 are affected across supported platforms. No public exploit code has been identified and this CVE is not listed in CISA KEV, but the CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N) indicates straightforward local exploitation requiring only basic user privileges with no additional complexity or user interaction.
Plaintext credential exposure in MongoDB Server allows a local authenticated attacker to retrieve the LDAP query password from log files. When an administrator uses the runtime setParameter command to configure the ldapQueryPassword parameter, MongoDB writes the new password value to mongod.log in cleartext. Any local user with read access to the log file - a broad class on many deployments - can silently capture these credentials and use them to authenticate against or query the connected LDAP directory. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Heap corruption via use-after-free in Chrome's Ozone display subsystem (versions prior to 149.0.7827.103) enables a local attacker with physical device access to achieve high-impact compromise across confidentiality, integrity, and availability. The CVSS vector (AV:P/AC:L/PR:N/UI:N) confirms physical presence is the primary prerequisite, with no authentication or user interaction required once access is obtained. No public exploit code or CISA KEV listing has been identified at time of analysis; a vendor-released patch is available in Chrome 149.0.7827.103.
Fortinet FortiOS and FortiProxy expose an internal debug interface (CWE-1244) that allows authenticated administrators to execute arbitrary Lua scripts through crafted CLI commands, exceeding their intended administrative scope. The vulnerability spans broad version ranges of both products, including FortiOS 6.4 through 7.6.2 and FortiProxy 7.0 through 7.6.3. While exploitation requires existing high-privilege (admin) access - limiting opportunistic attack surface - the CVSS temporal vector (E:P) confirms a proof-of-concept exploit exists, and the official fix is available (RL:O). No public exploit identified at time of analysis beyond the proof-of-concept, and this vulnerability is not listed in CISA KEV.
Permission control failure in the audio framework of Huawei HarmonyOS and EMUI allows a local attacker with no special privileges, but requiring user interaction, to access confidential audio service data with high confidentiality impact alongside minor integrity and availability effects. The vulnerability stems from improper permission enforcement (CWE-275) within the audio subsystem. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the local-attack-vector with user interaction requirement limits mass exploitation.
Unintended data disclosure in SAP's Operational Data Provisioning RFC (ODP-RFC) modules stems from missing caller identification controls that fail to restrict invocation to permitted SAP-internal applications. Highly privileged customer or third-party applications can invoke these internal RFC modules outside their intended usage context, exposing sensitive operational data across a Changed scope boundary (S:C). No public exploit has been identified at time of analysis, and this is not listed in CISA KEV; however, the High confidentiality impact combined with scope change warrants attention in SAP environments where ODP is exposed to external RFC consumers.
Null pointer dereference in Windows Kerberos enables an authenticated network attacker to crash the Kerberos service, causing denial of service. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms exploitation is achievable over the network by any low-privilege authenticated user with no user interaction required, resulting in high availability impact (A:H) with no confidentiality or integrity consequences. No active exploitation confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.
Information disclosure in Windows Shell exposes sensitive data to authenticated low-privileged attackers, with a confirmed vendor patch available. The vulnerability stems from CWE-200 improper information exposure within the Windows Shell component, allowing confidentiality compromise with no integrity or availability impact. No public exploit code or CISA KEV listing has been identified at time of analysis, but the high confidentiality impact score (C:H) and low attack complexity elevate practical concern for environments where lateral movement or credential harvesting are threat vectors.
Security feature bypass in Microsoft Visual Studio Code allows a local unauthenticated attacker to circumvent a built-in protection mechanism through improper input validation, requiring user interaction to trigger. With CVSS 7.1 and scope-changed impact (S:C) yielding high confidentiality exposure, the flaw lets a crafted input cross VS Code's trust boundary on the local host. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Out-of-bounds read in Microsoft Office triggers local information disclosure when a victim opens a crafted document, exposing adjacent memory contents with high confidentiality impact. The vulnerability spans a wide product surface including Office 2016 through LTSC 2024, Microsoft 365 Apps for Enterprise, multiple SharePoint Server versions, and Mac variants, as confirmed by EUVD-2026-35664. No public exploit or CISA KEV listing is identified at time of analysis; vendor-released patches are available across affected product lines.
Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP service by submitting a crafted password hash shorter than 16 bytes during authentication. The SMD5 password storage plugin performs an unsigned integer underflow (CWE-191) when computing salt length from this malformed input, producing a buffer over-read that terminates the server process. No public exploit code exists and this vulnerability has not been confirmed actively exploited (CISA KEV), but the impact is a complete loss of LDAP availability with low attack complexity once the required privilege level is achieved.
{id} endpoint. The root cause is an uncaught exception (CWE-400) that propagates unhandled through the job scheduling subsystem, making availability the sole impact with no confidentiality or integrity loss. A public vulnerability disclosure repository exists, lowering the bar for exploitation by any attacker who already holds the required permission.
Denial-of-service in FlashMQ MQTT broker prior to version 1.26.2 allows any authenticated (low-privilege) connected client to crash the entire broker process by deliberately exceeding the permitted write buffer over-commit threshold. The crash occurs because the resulting internal safeguard exception is raised in a C++ destructor code path during stack unwinding - a context where exceptions cannot be caught - forcing a call to std::terminate() and aborting the server. No public exploit has been identified at time of analysis, but exploitation requires only valid MQTT credentials, making this a realistic risk for any FlashMQ deployment with untrusted or semi-trusted client populations.
NULL pointer dereference in GPAC MP4Box v2.4 allows unauthenticated remote attackers to crash the application by delivering a crafted MP4 file that a user opens. The vulnerable function ctts_box_write in isomedia/box_code_base.c fails to validate a pointer before dereferencing it when processing a malformed Composition Time to Sample (ctts) box, resulting in a denial-of-service condition. No public exploit code or active exploitation has been identified; SSVC rates exploitation status as none, though delivery is rated automatable.
Denial-of-service in GPAC MP4Box v2.4 allows remote attackers to crash the multimedia tool via a crafted MP4 file that triggers a floating-point exception in the gf_opus_parse_packet_header function. No public exploit identified at time of analysis, and CISA has not listed this in KEV; SSVC scoring indicates exploitation has not been observed but the flaw is automatable with partial technical impact. CVSS 7.5 reflects high availability impact achievable without authentication or user interaction once a malicious file is processed.
Server-side file exfiltration in the Slider Revolution WordPress plugin (≤7.0.10) allows any authenticated subscriber to copy arbitrary server files into the publicly accessible uploads directory. Three compounding design flaws enable this: a backend AJAX nonce is leaked to all authenticated users via the admin_footer hook, the image-creation action bypasses administrator-only access controls via an explicit allowlist entry, and the underlying file-copy function accepts local filesystem paths without restriction to HTTP/HTTPS URLs. No public exploit code or active exploitation has been identified at time of analysis, but the low privilege bar (subscriber-level account) and high confidentiality impact make this a meaningful risk for any WordPress site with open user registration.
Improper access control in Fortinet FortiPortal versions 7.0.x (all), 7.2.0-7.2.8, and 7.4.0-7.4.7 enables an authenticated low-privilege attacker to bypass authorization controls and gain unauthorized read access to sensitive data. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) indicates low-complexity network exploitation by any authenticated user, resulting in high confidentiality impact with no integrity or availability loss. No public exploit identified at time of analysis based on CISA KEV, though publicly available exploit code exists per the CVSS temporal E:P metric, and Fortinet has issued an official fix.
Server-side request forgery (SSRF) in Spring Framework's UriComponentsBuilder affects applications that use this API to parse and validate externally supplied URL strings. Incorrect host parsing allows a remote, unauthenticated attacker - with user interaction - to cause the application server to issue requests to unintended internal or external destinations, exposing low-level confidentiality and integrity impacts. No public exploit identified at time of analysis and no CISA KEV listing; however, SSRF in widely deployed Java frameworks warrants attention in any internet-facing application that processes user-controlled URLs.
Site isolation bypass in Google Chrome's Extensions subsystem prior to 149.0.7827.103 enables a remote attacker who has already compromised the renderer process to defeat cross-origin security boundaries via a crafted HTML page requiring one user interaction. The root cause is CWE-20 (Improper Input Validation) in the Extensions layer, meaning the Extensions subsystem fails to adequately validate untrusted input before acting on it across site isolation boundaries. EPSS is low at 0.02% (6th percentile), no public exploit code or CISA KEV listing exists at time of analysis, and a vendor patch is confirmed at 149.0.7827.103.
Site isolation bypass in Google Chrome Extensions (versions prior to 149.0.7827.103) enables a remote attacker who has already compromised the renderer process to escape cross-origin content boundaries via a crafted HTML page. The vulnerability stems from improper input validation (CWE-20) in the Extensions subsystem, producing a high integrity impact (I:H) with no confidentiality or availability loss per the CVSS vector. No public exploit code exists and no active exploitation has been confirmed, with EPSS at 0.02% (6th percentile), consistent with a chained, high-complexity attack path.
Path traversal in Apache Airflow's Samba provider exposes Samba target file systems to arbitrary write operations when GCSToSambaOperator processes GCS object names containing directory traversal sequences. Disclosed on 2026-06-09 via the oss-security mailing list by Apache committer Jarek Potiuk as a pre-NVD disclosure, the vulnerability enables any party who can influence GCS object names in the source bucket to write files outside the intended destination directory on the Samba share. No public exploit code has been identified at time of analysis, and CVSS scoring is not yet available.
Denial-of-service via crafted TIFF image upload in Apache Answer through 2.0.0 allows an authenticated user to crash the server process by triggering excessive memory allocation during image decoding. The vulnerability stems from improper handling of specially crafted TIFF files in the file upload feature, where no bounds are placed on memory consumed during the decode phase. No public exploit code or active exploitation has been identified at time of analysis; however, the low technical barrier to trigger the crash once authenticated elevates its operational risk for community and enterprise deployments.
Insufficient validation of user-supplied avatar image URLs in Apache Answer through 2.0.0 allows authenticated users to set arbitrary external URLs as profile images, causing the platform or clients to issue outbound HTTP requests to attacker-controlled servers on page load. This exposes user IP addresses, HTTP headers, and browsing activity to third-party infrastructure whenever affected profiles are viewed. Rated moderate severity by Apache; no public exploit identified at time of analysis and not listed in CISA KEV.
Unauthorized information disclosure in Apache Answer through 2.0.0 allows authenticated users to bypass access restrictions on the 'unlisted question' feature by querying direct API endpoints. Rather than enforcing the same visibility controls applied at the UI layer, the underlying API routes expose unlisted questions along with their associated answers, comments, and full revision history to any authenticated user. No public exploit code has been identified and this CVE is not listed in CISA KEV, but the straightforward nature of the bypass - direct API calls - lowers the practical bar for exploitation by any platform user.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) allows adjacent-network unauthenticated attackers to crash the device via a crafted Go parameter submitted to the ask_to_reboot function, resulting in a complete Denial of Service condition. The vulnerability carries a CVSS 6.5 score with High availability impact but no confidentiality or integrity loss, and the attack vector is constrained to adjacent network access. No public exploit confirmation or CISA KEV listing is present, and EPSS at 0.02% (5th percentile) indicates low observed exploitation probability at time of analysis.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) enables adjacent-network unauthenticated attackers to crash the device by supplying an oversized wl_radio parameter to the formwrlSSIDget function. Impact is limited strictly to Denial of Service (availability loss); no confidentiality or integrity impact is possible per CVSS vector analysis. No public exploit identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02% (5th percentile), placing this firmly in the lower-priority tier despite the High availability impact rating.
Multiple stack-based buffer overflows in Tenda G0 router firmware v15.11.0.5 allow network-adjacent or remote attackers to crash the device by sending crafted HTTP requests to the `formSetDebugCfgr` debug configuration endpoint, with three independent overflow vectors (`enable`, `level`, `module` parameters) each capable of triggering a denial-of-service condition. The official CVSS vector includes UI:R, suggesting a possible CSRF-style delivery mechanism requiring an authenticated administrator to be tricked into issuing the malicious request, which meaningfully constrains exploitation compared to a purely unauthenticated remote attack. No public exploit confirmed in CISA KEV; an associated GitHub repository referenced in the CVE may contain proof-of-concept material, though EPSS remains extremely low at 0.01% (2nd percentile).
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) enables adjacent-network unauthenticated attackers to crash the device via the formSetCfm HTTP endpoint. The vulnerability resides in the param_1 parameter of the formSetCfm function, where insufficient input validation allows a crafted HTTP request to overflow a stack buffer, resulting in a Denial of Service. A public GitHub repository linked in the references (xhh0124/SemVulLLM) appears to document or demonstrate the issue; no public exploit identified at time of analysis beyond that reference, and the EPSS score of 0.01% (2nd percentile) reflects very low exploitation probability.
Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attacker during database import operations. Exploitation requires local system access, high attack complexity, and high privileges (administrator-level), producing only minor confidentiality impact with no integrity or availability consequences. No public exploit identified at time of analysis and no KEV listing; the CVSS score of 1.9 reflects the extremely constrained exploitation conditions, making this a low operational priority absent specific threat model considerations.
Xen Hypervisor's domctl locking mechanism, when XSM/Flask mandatory access control is enabled, acquires the system-wide serialization lock for certain operations before performing any Flask permission checks. This allows a less-privileged guest domain to seize the lock without authorization and stall equally or more privileged entities - including the control domain (dom0) and Xenstore domain - potentially causing a Denial of Service affecting the entire physical host. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.
SQL injection in SAP S/4HANA (On-Premise) exposes sensitive ERP database content to authenticated network attackers via a vulnerable remote-enabled function module. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity network exploitation requiring only a low-privilege SAP user account, with high confidentiality impact and no effect on data integrity or system availability. No public exploit or CISA KEV listing has been identified at time of analysis; SAP has issued a security note addressing the issue.
Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables low-privileged authenticated attackers to perform spoofing attacks over a network without requiring user interaction. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-reachable exploitation by any authenticated SharePoint user with no further interaction required from a victim. No public exploit identified at time of analysis and CISA SSVC classifies exploitation status as none, though vendor patches are available for all three affected product lines.
Cross-site scripting in Microsoft SharePoint allows an authenticated network attacker with low privileges to inject malicious script content into web pages, enabling spoofing attacks against other users. All three active SharePoint server product lines - Server 2019, Enterprise Server 2016, and Subscription Edition - are affected across broad version ranges. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis; vendor-released patches are available for all affected product lines.
Spoofing via reflected/stored cross-site scripting in Microsoft Exchange Server allows a remote unauthenticated attacker to execute attacker-controlled script in the context of a victim's authenticated Exchange session after the victim interacts with a crafted link or message. With a CVSS 3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R) and high confidentiality and integrity impact, successful exploitation enables session hijacking, mailbox content disclosure, and message manipulation, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Stored or reflected cross-site scripting in Microsoft Office SharePoint allows an authenticated attacker with low privileges to inject malicious script that, after victim interaction, results in spoofing and disclosure or alteration of sensitive content within a victim's browser session. The CVSS 7.3 (AV:N/AC:L/PR:L/UI:R) rating reflects network-reachable exploitation with low complexity but requires both a valid SharePoint account and user interaction. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Stored or reflected cross-site scripting in Microsoft Office SharePoint allows an authenticated low-privileged attacker to inject script that executes in another user's browser session, enabling spoofing and high-impact disclosure or modification of data rendered in the victim's context. The CVSS 7.3 vector requires user interaction and existing access to the SharePoint site, and no public exploit identified at time of analysis. The flaw is consistent with the CWE-79 class of input neutralization failures during web page generation.
Cross-site scripting in Microsoft SharePoint Server enables network-based spoofing attacks by injecting malicious scripts into rendered web pages, requiring victim user interaction to trigger. Three SharePoint server product lines are affected across the 16.0.x code branch, with vendor-released patches available for all. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables network-based spoofing attacks against authenticated users who interact with attacker-controlled content. The vulnerability stems from insufficient input neutralization during web page generation (CWE-79), allowing injected script to execute in a victim's browser context. No public exploit code has been identified at time of analysis, and a vendor-released patch is available via Microsoft's Security Response Center.
Cross-site scripting in Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition enables network-based spoofing attacks by injecting malicious scripts into rendered web page output. The vulnerability carries a CVSS 5.4 (Medium) score with low attack complexity and no privilege requirement per the CVSS vector, but requires victim user interaction - a pattern consistent with reflected or stored XSS leading to in-browser script execution within a trusted SharePoint domain. No public exploit code or CISA KEV listing has been identified at time of analysis, though the broad enterprise deployment footprint of SharePoint elevates real-world relevance beyond the moderate CVSS score.
Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables a network-based attacker to perform spoofing by injecting malicious script into web page generation, affecting the confidentiality and integrity of victim sessions. The attack requires user interaction - a victim must click or load attacker-controlled content - which limits opportunistic exploitation but makes it viable via phishing or social engineering. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis; however, vendor-released patches are confirmed across all three affected release lines.
Cross-site scripting in Microsoft SharePoint Server on-premises deployments (2016, 2019, and Subscription Edition) enables network-based spoofing attacks by injecting malicious script into pages rendered within victims' browser sessions. All three actively supported SharePoint on-premises product lines are affected across broad version ranges, with fixed releases confirmed in the June 2026 patch cycle. No public exploit code has been identified at time of analysis and the vulnerability is absent from the CISA KEV catalog, but low attack complexity and wide enterprise deployment footprint make prompt patching a reasonable priority.
Stored or reflected cross-site scripting in Microsoft SharePoint Server (the platform underlying Office Project Server) enables an authenticated low-privileged attacker to inject malicious script into web-rendered content, facilitating spoofing attacks against other users. The CVSS vector (PR:L/UI:R) confirms exploitation requires an authenticated account and victim interaction, constraining opportunistic use. No public exploit code has been identified at time of analysis, a vendor patch has been released, and no CISA KEV listing is present.
Cross-site scripting in Microsoft SharePoint Server allows an authenticated low-privileged attacker to inject malicious scripts into SharePoint-generated web pages, enabling spoofing attacks against other authenticated users over the network. Three product lines are confirmed affected: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, each with specific patched build thresholds. No public exploit code has been identified at time of analysis, and Microsoft has released patches for all three product lines.
Stored or reflected cross-site scripting in Microsoft SharePoint on-premises deployments enables an authenticated attacker to perform spoofing attacks against other users over a network. Affected products span three major on-premises release lines: SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. The CVSS vector (PR:L, UI:R) confirms exploitation requires a low-privileged authenticated account and victim user interaction, meaningfully constraining opportunistic attack. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.
Stored Cross-Site Scripting in Prime Elementor Addons for WordPress (all versions through 1.3.3) allows authenticated attackers with contributor-level access to persist malicious scripts in widget HTML Tag settings that execute in any visitor's browser on page load. The vulnerability is notable for a specific filter bypass: payloads crafted without HTML angle brackets (e.g., 'img src=x onerror=alert(document.domain)') pass unmodified through Elementor's wp_kses_post() sanitization at save time, meaning even users lacking the unfiltered_html capability can inject effective XSS. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
{id}-slug/) enforces a Content-Security-Policy header that blocks all inline scripts, meaning the attack surface is exclusively the WordPress admin dashboard preview context. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Use-after-free memory corruption in Huawei HarmonyOS's IPC (Inter-Process Communication) module allows a network-adjacent, low-privilege authenticated attacker to exploit a race condition leading primarily to high-confidence information disclosure with secondary integrity and availability impacts. The CVSS vector (AV:N/AC:H/PR:L/UI:N) confirms remote reachability but demands precise race-condition timing and an authenticated session, materially constraining opportunistic exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis, and Huawei has issued a June 2026 security bulletin addressing the issue.
Stored Cross-Site Scripting in the kk Blog Card WordPress plugin (all versions ≤ 1.3) allows authenticated contributors to inject persistent JavaScript payloads via unsanitized 'href' and 'type' attributes of the [blog-card] shortcode. The flaw, rooted in direct attribute concatenation without sanitization or escaping in kk-blog-card-shortcode.php, executes injected scripts in the browser of any visitor loading an affected page - including administrators. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the changed scope (S:C) in the CVSS vector elevates potential impact beyond the plugin boundary.
{{...}}). The attack exploits an attribute-breakout technique - a double-quote followed by an event handler - that contains no angle brackets and therefore evades WordPress core's wp_kses_post() filter, which only strips disallowed HTML tags rather than sanitizing attribute injection contexts. The changed scope (S:C in the CVSS vector) means injected scripts execute in any victim's browser upon visiting a page containing the malicious footnote, enabling session theft, credential harvesting, or defacement at scale across site visitors. No public exploit code or CISA KEV listing has been identified at time of analysis.