Denial-of-service exposure in FreeSWITCH versions prior to 1.11.0 stems from a vendored, unpatched copy of libexpat XML tokenization code embedded in the bundled xmlrpc-c library. The function PREFIX(prologTok)() in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c was cloned from an outdated upstream libexpat release and never received the corresponding security fix, leaving FreeSWITCH's XML parsing surface vulnerable. An authenticated low-privilege attacker over the network can exploit this to achieve high availability impact against the telecom stack; no public exploit or CISA KEV listing has been identified at time of analysis.
Spring Expression Language (SpEL) evaluation logic in Spring Framework 5.3.x through 7.0.x fails to enforce method invocation restrictions in read-only or restricted contexts, allowing remote unauthenticated attackers (CVSS PR:N, AV:N) to invoke arbitrary zero-argument methods and trigger unintended application logic. Scored LOW (3.7) with only availability impact per CVSS (A:L), though the 'Authentication Bypass' tag and CWE-863 (Incorrect Authorization) suggest the authorization bypass itself may have broader implications not fully reflected in the score. No public exploit identified at time of analysis and no CISA KEV listing, but the wide version range across four active Spring Framework release trains represents significant ecosystem exposure.
Path traversal in Siemens SINEC INS versions prior to V1.0 SP2 Update 6 exposes arbitrary file system locations via the SFTP directory listing endpoint. An authenticated low-privileged network attacker can send a crafted path to GET /api/sftp/uploadFiles to read files outside the intended directory scope, resulting in unauthorized disclosure of file system contents. No active exploitation or public proof-of-concept has been identified at time of analysis; the impact is limited to confidentiality with no integrity or availability consequence.
Improper authorization in TYPO3 CMS Backend API routes allows authenticated backend users to retrieve file metadata for files and folders outside their permitted file mounts or storages. Specifically, the ImageProcessController and LinkController endpoints failed to call checkActionPermission('read') before returning resource data, letting any backend-authenticated user enumerate file system structure beyond their assigned access scope. No active exploitation has been reported and no public exploit code has been identified at time of analysis, but the low-complexity network-accessible nature of the flaw makes it straightforward for any backend user to abuse.
Missing authorization in TYPO3 CMS's DataHandler allows authenticated backend users with low privileges to move content records across pages without holding edit permissions on the source page. The `moveRecord()` method in `DataHandler.php` validated destination-page access but omitted the symmetrical check on the source page, enabling unauthorized restructuring of the content hierarchy. Affected versions are 13.0.0-13.4.31 and 14.0.0-14.3.3; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.
Multipart request smuggling in Spring Framework's MVC and WebFlux components exposes applications to HTTP request manipulation via CWE-444. Unauthenticated remote attackers (AV:N/AC:L/PR:N/UI:N per CVSS) can exploit inconsistent multipart boundary parsing to smuggle malformed HTTP requests, achieving low-integrity impact against affected deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the zero-prerequisite attack profile and broad version coverage across four major Spring branches (5.3.x, 6.1.x, 6.2.x, 7.0.x) make this relevant to any Java shop running Spring MVC or WebFlux with multipart upload handling enabled.
Uninitialized memory use in the Video component of Google Chrome on Windows (prior to 149.0.7827.103) allows an attacker who has already compromised the renderer process to read potentially sensitive data from process memory by directing the victim to a crafted HTML page. The vulnerability is Windows-specific, rated High severity by Chromium's internal scale, and carries a CVSS 5.3 due to the high attack complexity and required user interaction stacking atop the renderer-compromise prerequisite. No public exploit identified at time of analysis; Google has released a fix in version 149.0.7827.103.
Integer overflow in libyuv allows a renderer-compromised attacker to read sensitive process memory in Google Chrome prior to 149.0.7827.103. This is a chained, post-exploitation vulnerability: the attacker must first control the Chrome renderer process (via a separate exploit), then serve a crafted HTML page that triggers the libyuv integer overflow to extract memory contents - making this a privilege escalation and data exfiltration primitive within a broader attack chain. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Out-of-bounds read in Chrome's Media component on ChromeOS allows an attacker who has already compromised the renderer process to exfiltrate potentially sensitive data from process memory via a crafted HTML page. Affected are all Chrome for ChromeOS releases prior to 149.0.7827.103. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is constrained by both the ChromeOS-only scope and the mandatory prerequisite of a pre-compromised renderer, making this a chained attack scenario rather than a standalone critical threat.
Security bypass in Spring WebFlux's Kotlin Router DSL (CWE-284: Improper Access Control) allows remote unauthenticated attackers to circumvent access control rules in Spring Framework 5.3.0 through 5.3.48. The CVSS vector (AV:N/AC:H/PR:N/UI:N) indicates network-reachable exploitation without authentication, though high attack complexity constrains opportunistic exploitation. No public exploit identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
WPForms WordPress plugin versions prior to 1.10.0.5 allow unauthenticated remote attackers to forge PayPal webhook payloads and manipulate the payment state of arbitrary transactions due to absent webhook authenticity verification. The endpoint blindly processes incoming PayPal webhook events without validating their origin or integrity, enabling attackers to mark pending or failed payments as completed. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) reflects low current exploitation activity, though the business impact of fraudulent payment confirmation can materially exceed what the CVSS integrity score suggests.
Trust anchor substitution in OpenSSL's CMP rootCaKeyUpdate handler allows a network-positioned attacker with low privileges to bypass certificate validation via a cert/issuer field confusion bug (CWE-295), affecting four actively maintained OpenSSL branches. The high confidentiality impact (C:H) reflects the potential for a substituted malicious trust anchor to undermine TLS certificate chains, enabling downstream interception of protected communications. No public exploit identified at time of analysis; vendor patch released 2026-06-09 across all affected branches.
Denial of service against Xen host management is possible through deliberate abuse of the unfair domctl system-wide lock, affecting all Xen versions from 3.3 onwards. A less-privileged domain can monopolize the lock used to serialize guest creation and management operations, starving the control domain or equally/more-privileged entities of lock access and potentially rendering the entire host unmanageable. No public exploit identified at time of analysis, and no CVSS score was published with XSA-492.
TYPO3 CMS clipboard functionality exposes unauthorized records and files to authenticated backend users due to missing read permission enforcement. Affected versions span 10.4.0 through 13.4.30 and 14.0.0 through 14.3.2. A low-privileged backend user can insert arbitrary database records or file system objects into their clipboard, causing the application to resolve and expose metadata about resources they are not authorized to view - effectively bypassing access controls on content visibility. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.
Open redirect exploitation in TYPO3 CMS allows unauthenticated remote attackers to bypass the `GeneralUtility::sanitizeLocalUrl` locality check by crafting URLs containing backslash sequences, control characters, or slash-pattern variations that the prior implementation failed to reject, redirecting victims to arbitrary external sites for phishing. All major active TYPO3 branches are affected: versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30, and 14.0.0-14.3.2. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the bypass patterns are explicitly documented in the upstream fix's own test suite, substantially lowering the bar to reproduction.
Heap-based buffer overflow in the HarmonyOS IPC (Inter-Process Communication) module allows a local low-privileged attacker to impact confidentiality, integrity, and availability of the affected system. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) confirms exploitation requires local authenticated access with low complexity, limiting but not eliminating real-world risk on consumer and wearable Huawei devices. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Unauthenticated settings manipulation in Helpfulcrowd Product Reviews plugin for WordPress (versions up to and including 1.2.9) allows any remote attacker to overwrite arbitrary plugin configuration values in the WordPress database. The vulnerability stems from a PHP type juggling flaw in the token validation function combined with an openly accessible REST endpoint registered with `__return_true` as its permission callback. By submitting a JSON boolean `true` as the token value, an attacker bypasses the loose-comparison check (`!=`) in `helpfulcrowd_validate_token()` and gains full write access to the `helpfulcrowd_options` database option with no sanitization or allowlist enforcement. No public exploit or CISA KEV listing is identified at time of analysis.
Unauthenticated local-network control of NETGEAR CAX30, RAX30, RAX5, and RAXE300 routers is possible through an authentication bypass rooted in improper input validation (CWE-20). An attacker already present on the local network segment - such as a guest Wi-Fi user, a compromised IoT device, or a rogue actor on the same LAN - can circumvent authentication and gain full administrative control, enabling arbitrary configuration changes, traffic interception, or persistent backdoor installation. No public exploit code has been identified at time of analysis, and NETGEAR has released firmware patches for all four affected product lines.
Use-after-free in the HarmonyOS package management module allows a locally authenticated, highly privileged attacker to corrupt memory and primarily impact service availability. The CVSS vector (AV:L/AC:H/PR:H) constrains the attack to local, high-complexity scenarios requiring administrative privileges, yielding a medium-severity score of 5.2. No public exploit code or CISA KEV listing has been identified at time of analysis, though the Authentication Bypass tag in the intelligence data warrants scrutiny given the high-privilege prerequisite implied by CVSS.
Stack-based buffer overflow in QNAP QTS and QuTS hero NAS operating systems enables an authenticated administrator to corrupt stack memory or crash processes via a network-accessible attack path. Affected versions span QTS 5.2.x and multiple QuTS hero release trains (h5.2.x, h5.3.x, h6.0.x), with vendor-released patches dated February-May 2026. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the mandatory high-privilege prerequisite substantially limits realistic attack surface.
Reflected cross-site scripting in OSCAL-GUI allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL containing a malicious payload in the `project` request parameter. The injected input breaks out of both JavaScript string and HTML attribute context within the body onload event handler, granting attacker-controlled script execution in the victim's session. No active exploitation is confirmed (not in CISA KEV), but a public GitHub gist documenting the issue exists, suggesting POC-level detail is openly accessible.
Reflected XSS in Ellucian Banner Self-Service allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized content via the `toDateFormat` parameter of the publicly accessible `dateConverter` endpoint. The CVSS vector (PR:N, S:C) confirms no credentials are needed to craft the attack and that the impact crosses security boundaries into the victim's browser session, enabling session hijacking or credential theft against higher-education users. No public exploit has been identified and this is not listed in CISA KEV, but the unauthenticated endpoint and simple social-engineering delivery path make this practically exploitable with low attacker skill.
Stored cross-site scripting in Ellucian Banner Self-Service before the April T2 2025 release (2025-04-23) allows low-privileged authenticated Banner ERP users to persist malicious JavaScript in faculty and course data fields via missing HTML encoding at the DOM insertion point. Payloads planted in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle are subsequently served through the unauthenticated getFacultyMeetingTimes API and execute in any victim's browser that renders course search results. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Reflected XSS in Evoluted PHP Directory Listing Script through version 4.0.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL. The `dir` parameter in `index.php` is rendered unsanitized in two distinct HTML contexts: the page `<title>` element and breadcrumb `<a href>` attributes, each enabling distinct injection techniques — title context breakout and event handler injection respectively. No public exploit has been confirmed via CISA KEV, though a proof-of-concept gist is referenced in the NVD advisory data, indicating exploit code may be publicly accessible.
Use-after-free memory corruption in tmux's SIXEL image handling allows a local low-privileged attacker with high complexity to trigger memory corruption or denial of service in versions up to 3.6a. The root cause lies in the `image_free()` function in `image.c`, where image structs retain stale pointers to their original parent screen's image list after alternate screen transitions, causing `TAILQ_REMOVE` to dereference an invalid list pointer. No active exploitation is confirmed (not in CISA KEV), though publicly available exploit code exists per the CVE vector's E:P designation and a public gist from XlabAITeam. A fix is available in tmux 3.7-rc.
Denial of service in Elixir's standard library Version module (versions 1.5.0 through 1.20.0) allows any caller passing an attacker-controlled version string to exhaust CPU and memory or crash the calling BEAM process. The five public entry points - Version.parse/1, Version.parse!/1, Version.match?/3, Version.compare/2, and Version.parse_requirement/1 - pass numeric version components to :erlang.binary_to_integer/1 without length bounds, triggering super-linear arbitrary-precision integer conversion; a single ~1 MB all-digit component suffices. Applications routinely invoke these functions on untrusted input (HTTP parameters, package metadata), making the effective attack surface broader than the CVSS AV:L classification implies. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in TYPO3 CMS allows authenticated editors to embed raw HTML and JavaScript payloads into page titles that are written to the search index without sanitization. When the EXT:indexed_search (Indexed Search) plugin renders frontend search results, these unsanitized titles are output directly into the HTML response, executing attacker-controlled scripts in the browsers of any user who views those results. No public exploit or CISA KEV listing is identified at time of analysis, but the stored nature of the XSS - requiring only a single malicious edit to affect many users over time - elevates practical impact beyond what the medium CVSS 4.0 score of 5.1 might suggest.
Use-After-Free (UAF) in the HarmonyOS package management module allows a local attacker with high privileges to compromise service integrity. Successful exploitation requires high attack complexity and user interaction, limiting real-world exposure. The primary impact is integrity degradation (I:H), with minor confidentiality and availability effects; no public exploit or CISA KEV listing identified at time of analysis.
Pre-NVD disclosure via GitHub release 'OpenSSL 4.0.1' (openssl/openssl). OpenSSL 4.0.1 is a security patch release. The most severe CVE fixed in this release is High. This release incorporates the following bug fixes and mitigations: * Fixed heap use-after-free in `PKCS7_verify()`. ([CVE-2026-45447]) * Fixed CMS `AuthEnvelopedData` processing may accept forged messages. ([CVE-2026-34182]) * Fixed unbounded memory growth in the QUIC `PATH_CHALLENGE` handler. ([CVE-2026-34183]) * Fixed double-free when checking OCSP stapled respo
Integer overflow in the HarmonyOS and EMUI log service enables a local attacker, without requiring system privileges, to cause a denial-of-service condition and limited integrity impact on affected Huawei devices. The vulnerability is rooted in CWE-190 (Integer Overflow or Wraparound) within the log service component, with the CVSS-defined changed scope indicating the fault can affect components beyond the log service itself. No public exploit code and no confirmed active exploitation have been identified at time of analysis.
Uncontrolled CPU consumption in Red Hat 389 Directory Server's PBKDF2-SHA256 password storage plugin allows a highly privileged attacker who has write access to stored password hashes to craft a hash embedding an arbitrarily large iteration count, causing the LDAP server to exhaust CPU resources during any subsequent authentication attempt by the targeted user. Affected products span Red Hat Directory Server 11 through 13 and the 389-ds package as shipped across Red Hat Enterprise Linux 6 through 10. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Insufficient input validation across 30+ NETGEAR router, range extender, and mesh networking models enables local network-adjacent modification of router software and functionality. The CVSS 4.0 vector assigns PR:N (no privileges required) and AV:A (adjacent network), yet the CVE description scopes the vulnerability to 'authenticated administrators' - the 'Authentication Bypass' tag supplied by NETGEAR suggests the input validation flaw may itself circumvent authentication controls, reconciling this apparent conflict. Integrity impact is rated High (VI:H) against the vulnerable system, meaning successful exploitation allows unauthorized firmware or configuration modification. No public exploit is identified at time of analysis (E:U), and this CVE is not listed in the CISA KEV catalog.
Stack buffer overflow in 389 Directory Server's pw.c checkPrefix() function allows a network-accessible Directory Manager to crash the LDAP server by storing a crafted credential with an oversized algorithm ID. The vulnerable code copies attacker-controlled input into a fixed 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. FORTIFY_SOURCE compiler hardening constrains impact to denial of service - preventing arbitrary code execution - but service disruption against a critical authentication infrastructure component remains operationally significant. No public exploit identified at time of analysis.
Denial-of-service via out-of-bounds write in NETGEAR Orbi mesh router and satellite firmware allows unauthenticated, adjacent-network attackers to render affected devices unavailable by sending specially crafted requests. The vulnerability affects multiple Orbi 860/950/960/970/971-series devices across a broad firmware version range, with fixed builds available per vendor advisory. No public exploit code or active exploitation has been identified at time of analysis (CVSS E:U), though the low attack complexity and absence of any authentication requirement make this straightforward to reproduce for any attacker with local network access.
Weak password hashing in Siemens SINEC INS (all versions prior to V1.0 SP2 Update 6) exposes stored credentials to efficient offline recovery due to a static, hardcoded salt shared universally across all users and installations, combined with an insufficient iteration count. An attacker who has obtained high-privileged local access and can extract the password store can leverage the known static salt to construct targeted rainbow tables or run accelerated brute-force attacks, potentially recovering plaintext passwords and achieving unauthorized access to the application and downstream industrial network infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis, but the cryptographic weakness is deterministic - once hashes are obtained, the static salt eliminates per-user uniqueness and dramatically reduces attack cost.
Stack-based buffer overflow in Tenda O3 Wireless Router firmware v1.0.0.5(4180) enables authenticated remote attackers to crash the device by submitting an oversized username value to the R7WebsSecurityHandler HTTP handler. The CVSS vector (PR:H) confirms that exploitation requires high-privilege authentication, constraining the attack surface to compromised admin credentials or insider threat scenarios. No public exploit identified at time of analysis and EPSS sits at the 2nd percentile (0.01%), reflecting low observed exploitation interest.
Remote command execution in NETGEAR Orbi 370 series routers (firmware before V12.1.2.7) is achievable by a network-positioned adversary who can intercept and tamper with traffic between the device and the internet. Exploitation requires the device administrator to perform specific management actions while the attacker holds a man-in-the-middle position, at which point a buffer overflow (CWE-119) is triggered allowing arbitrary command execution on the device. No public exploit exists at time of analysis and the vendor has released a patching firmware (V12.1.2.7); no KEV listing has been issued by CISA.
Stored Cross-Site Scripting in Adobe Experience Manager Forms JEE (versions LTS SP1 and 6.5.24.0 and earlier) permits a high-privileged attacker to inject persistent JavaScript into vulnerable form fields, which then executes in any victim's browser that renders the affected page. The CVSS Scope Change (S:C) signal confirms the injected script's impact crosses security boundaries beyond the AEM Forms application itself, enabling session hijacking or cross-origin actions against browsing victims. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, with the CVSS score of 5.9 (Medium) reflecting the high-privilege prerequisite that limits the attacker pool.
Incorrect authentication tag processing for empty messages in OpenSSL's AES-GCM-SIV and AES-SIV cipher modes enables network-positioned attackers to bypass integrity guarantees on empty ciphertext, yielding limited confidentiality and integrity violations (CVSS 4.8, CWE-325). Affected branches span OpenSSL 3.0.x through 4.0.0, all patched in the OpenSSL 4.0.1 security release dated 2026-06-09. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Open redirect in SolarWinds Observability Self-Hosted enables an authenticated low-privilege attacker on an adjacent network segment to supply a crafted external URL that redirects application traffic or users to an attacker-controlled site. The CVSS vector assigns High confidentiality impact (C:H) despite a medium overall score of 4.8, suggesting the redirect may expose sensitive data - such as session tokens or credentials - to the attacker-controlled destination, rather than being a simple phishing-only vector. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis. SolarWinds has released a patch in the HCO 2026.2 release.
Reflected Cross-Site Scripting in Adobe Experience Manager Forms JEE (LTS SP1 and 6.5.24.0 and earlier) allows remote unauthenticated attackers to execute arbitrary script in a victim's browser session, potentially hijacking accounts or escalating privileges within the AEM Forms environment. The Scope:Changed flag in the CVSS vector indicates the impact extends beyond the vulnerable component, which combined with High confidentiality and integrity impacts yields a CVSS of 8.0. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Out-of-bounds read (buffer over-read) in Microsoft Office exposes sensitive memory contents to a local attacker who can induce a user to open a specially crafted file. Affecting a broad surface including Microsoft 365 Apps for Enterprise, Office LTSC 2021/2024, Office 2019, and mobile/Mac variants, the vulnerability carries a CVSS 4.7 (Medium) with high confidentiality impact but no integrity or availability consequence. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the wide deployment footprint of Microsoft Office makes even targeted information disclosure attacks operationally significant.
Path traversal in awxkit's YAML !include directive exposes arbitrary local files when a user imports a crafted YAML file via the AWX CLI. Affecting Red Hat Ansible Automation Platform 2, the vulnerability (CWE-22) allows an unauthenticated attacker who can deliver a malicious YAML file to a victim to read arbitrary YAML-formatted files from that user's local filesystem - including potentially sensitive configuration, credential, or key material files - without any write or execution capability. No public exploit identified at time of analysis; CVSS 4.7 reflects the real-world constraints of local attack vector, high complexity, and mandatory user interaction.
Reflected cross-site scripting in SAP Wily Introscope Enterprise Manager allows an unauthenticated remote attacker to craft a malicious URL that, when accessed by a victim user, executes injected JavaScript within the application's browser context. The CVSS vector (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N) confirms network-reachable delivery requiring no attacker credentials, but demands both high attack complexity and victim interaction, capping real-world exploitability. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in a lower-urgency tier despite the cross-scope impact.
TLS certificate validation failure in the ReadyCloud client app on multiple NETGEAR router models exposes confidential data to network interception. The app does not properly validate TLS certificates (CWE-325), enabling a network-positioned attacker to perform man-in-the-middle (MiTM) attacks against ReadyCloud communications. Affected models include the RAX35, RAX38, RAX40, RAX120v1, and RAX120v2 running firmware below the patched versions; no public exploit code exists and no active exploitation has been confirmed.
Logseq's plugin sandbox can be escaped by a malicious plugin that injects arbitrary HTML event handler attributes into its host DOM container element, executing JavaScript in the privileged Electron renderer context. The attack is enabled by a disabled Content Security Policy in the host context, which removes the browser-level barrier that would otherwise block inline event handler execution. Only v0.10.15 has been confirmed vulnerable by CERT-PL; no patch has been released, and the vulnerability status of all other versions remains unknown. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog.
Stored XSS in Logseq's plugin subsystem escalates to arbitrary code execution within the privileged Electron host context due to unsanitized innerHTML rendering of plugin metadata. When a user installs a malicious plugin whose package.json 'name' field contains a JavaScript payload, the payload executes with Electron's elevated privileges - a context in which Node.js APIs are accessible, making the effective impact closer to local code execution than a conventional browser-scoped XSS. Reported by CERT-PL, version v0.10.15 is confirmed vulnerable, no patch exists, and no public exploit has been identified at time of analysis.
OS command injection in NETGEAR JR6150 firmware (all versions ≤ 1.0.1.26) allows locally authenticated or WiFi-connected users to execute arbitrary operating system commands via insufficient input validation (CWE-20). The device reached End-of-Support in 2018 and NETGEAR will not release a patch, leaving all deployments permanently unmitigated. No public exploit code exists and active exploitation has not been confirmed (not listed in CISA KEV), but the perpetual absence of patching makes device replacement the only durable remediation.
Permission control vulnerability in the HarmonyOS clone module allows a local attacker to read confidential service data, with low confidentiality and availability impact. The flaw stems from improper permission enforcement (CWE-275) during clone operations and requires user interaction to trigger. No public exploit code exists and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis.
UI misrepresentation of critical information in Microsoft Bing Search for Android (versions below 33.3) enables unauthenticated network-based attackers to spoof content displayed to end users. The vulnerability (CWE-451) causes the application to render or present critical information-such as URLs, security indicators, or source attribution-in a misleading way, enabling deception attacks. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the zero-privilege-required, low-complexity network vector makes it accessible to opportunistic attackers targeting users of the unpatched Android application.