Remote code execution in Google Chrome on macOS prior to 149.0.7827.103 stems from a use-after-free condition in the browser's Bluetooth subsystem, rated Critical by Chromium's internal severity scale and CVSS 8.8 by NVD. A remote attacker operating a malicious Bluetooth peripheral can trigger memory corruption to execute arbitrary code in the browser process after the victim performs minimal interaction. No public exploit identified at time of analysis, though Google has released a patched Stable channel build addressing the flaw.
Local code execution in Microsoft Office Word arises from an untrusted pointer dereference (CWE-822) that can be triggered when a victim opens a crafted document. Successful exploitation grants the attacker the privileges of the current user with high impact to confidentiality, integrity, and availability, though no public exploit identified at time of analysis. The CVSS 3.1 base score of 7.8 reflects the requirement for user interaction but no prior authentication.
Local code execution in Microsoft Office Word is possible when a user opens a maliciously crafted document that triggers an untrusted pointer dereference (CWE-416 use-after-free). The flaw lets an unauthorized attacker execute arbitrary code in the context of the current user, and no public exploit identified at time of analysis. Risk hinges on user interaction (UI:R), making phishing-style document delivery the realistic attack pathway.
Local code execution in Microsoft Office is possible through a heap-based buffer overflow (CWE-122) that an unauthenticated attacker can trigger when a user opens a crafted document. The CVSS 3.1 base score of 7.8 reflects high impact to confidentiality, integrity, and availability, with required user interaction limiting mass exploitation. There is no public exploit identified at time of analysis and the issue is not currently listed on the CISA KEV catalog.
Local code execution in Microsoft Office Word enables an attacker to run arbitrary code in the context of the current user by tricking them into opening a malicious document that triggers an untrusted pointer dereference. With a CVSS 7.8 score and no public exploit identified at time of analysis, the flaw is exploited locally but unauthenticated, relying on user interaction to open a crafted file. Microsoft has issued an advisory via the MSRC Security Update Guide.
Local code execution in Microsoft Office Word is possible through an untrusted pointer dereference (CWE-125 out-of-bounds read) that an attacker can trigger by convincing a user to open a malicious document. The CVSS 7.8 vector (AV:L/AC:L/PR:N/UI:R) reflects high impact to confidentiality, integrity, and availability once the booby-trapped file is opened, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local code execution in Microsoft Office is possible through a heap-based buffer overflow (CWE-122) that triggers when a user opens or previews a maliciously crafted document. The CVSS 7.8 score reflects local attack vector with required user interaction, and no public exploit identified at time of analysis. Successful exploitation yields full confidentiality, integrity, and availability impact in the context of the current user.
Local code execution in Microsoft Office is possible when a user opens a maliciously crafted document that triggers a heap-based buffer overflow (CWE-122), allowing the attacker to run arbitrary code in the context of the opened Office process. The CVSS 7.8 (AV:L/AC:L/PR:N/UI:R) reflects a user-interaction-driven local exploit rather than a remote network attack, and no public exploit identified at time of analysis. The flaw was reported through Microsoft Security Response Center (secure@microsoft.com) and is tracked in MSRC's update guide.
Remote code execution in Microsoft Remote Desktop Client occurs when a user connects to an attacker-controlled RDP server, allowing the server to corrupt heap memory and execute arbitrary code on the client endpoint. The flaw carries a CVSS 8.8 (High) rating reflecting network reach with required user interaction, and no public exploit is identified at time of analysis. The attack pivots the traditional RDP threat model - attackers compromise clients that initiate outbound connections rather than exposed servers.
Heap-based buffer overflow in Microsoft Remote Desktop Client enables remote code execution when a user connects to a malicious RDP server, with the attacker gaining the same privileges as the connecting user. The CVSS 8.8 score reflects network-reachable exploitation requiring only minimal user interaction (initiating an RDP session), and no public exploit has been identified at time of analysis. The flaw is reported by Microsoft Security Response Center (secure@microsoft.com) and is categorized as CWE-122 heap-based buffer overflow.
Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled or compromised RDP server, triggering a heap-based buffer overflow that runs attacker code in the client's context. The flaw (CWE-416 use-after-free / heap corruption) carries CVSS 8.8 and requires user interaction, with no public exploit identified at time of analysis. A vendor patch is available via Microsoft MSRC.
Remote code execution in Google Chrome versions prior to 149.0.7827.103 allows attackers to execute arbitrary code within the browser sandbox by luring users to a malicious HTML page that triggers a use-after-free in the WebCodecs component. Chromium rates this as High severity with a CVSS score of 8.8, and while a vendor patch is available, no public exploit has been identified at time of analysis. Exploitation requires user interaction (visiting a crafted page), which moderates real-world risk somewhat but still places this in the high-priority browser-patching tier.
Heap corruption in Google Chrome on macOS prior to version 149.0.7827.103 can be triggered remotely through a crafted HTML page that exploits a use-after-free condition in the browser's Bluetooth component. Successful exploitation requires the victim to visit attacker-controlled content but no authentication, and Google has rated the underlying Chromium severity as High with no public exploit identified at time of analysis.
Heap corruption in Google Chrome on macOS prior to version 149.0.7827.103 allows remote attackers to potentially execute arbitrary code by luring a victim to a crafted HTML page that triggers a use-after-free in the browser's Bluetooth component. Google has released a patched stable channel update, and while no public exploit has been identified at time of analysis, the CVSS 8.8 score reflects the high impact achievable with only a single user click. CISA SSVC currently scores exploitation as 'none' but technical impact as 'total', consistent with a serious but not yet weaponized browser flaw.
Heap corruption in Google Chrome on macOS prior to 149.0.7827.103 enables remote attackers to potentially execute arbitrary code by luring a user to a crafted HTML page that exploits a use-after-free in the Dawn WebGPU implementation. The flaw carries a CVSS 8.8 (High) rating and Chromium rates it High severity; no public exploit has been identified at time of analysis, but Chrome browser bugs of this class are historically attractive targets for in-the-wild exploitation. Patch is available from Google.
Heap corruption in Google Chrome's Ozone component on Linux before version 149.0.7827.103 allows remote attackers to potentially achieve arbitrary code execution within the browser process when a victim visits a crafted HTML page. The flaw is a use-after-free rated High severity by Chromium, with CVSS 8.8 reflecting network-reachable exploitation requiring only minimal user interaction. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Heap corruption in Google Chrome's Payments component before 149.0.7827.103 allows remote attackers to exploit a use-after-free condition by enticing a victim to visit a crafted HTML page, potentially achieving arbitrary code execution within the renderer sandbox. Chromium rates the severity as High, and CVSS 8.8 reflects network-reachable exploitation with low complexity, though successful exploitation requires user interaction (visiting an attacker-controlled page). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Heap corruption via use-after-free in Google Chrome's FullScreen component on Windows prior to 149.0.7827.103 enables remote attackers to potentially achieve code execution when a victim visits a malicious HTML page. Chromium rates this High severity and a vendor patch is available, though no public exploit has been identified at time of analysis. The CVSS 8.8 score reflects the network-reachable, low-complexity nature of the bug, tempered by required user interaction (UI:R).
Heap corruption in Google Chrome's File Input component before version 149.0.7827.103 allows a remote attacker to exploit a use-after-free condition by luring a user to a crafted HTML page, with Chromium rating the issue Critical. No public exploit identified at time of analysis, but the high CVSS 8.8 score and browser attack surface make this a priority patch for desktop fleets.
Heap corruption in Google Chrome's Ozone display server component prior to version 149.0.7827.103 allows remote attackers to exploit a use-after-free condition through a malicious web page, with Chromium rating this as Critical severity. Successful exploitation requires the victim to visit attacker-controlled HTML content, but yields high impact on confidentiality, integrity, and availability in the renderer process. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Local privilege escalation in Microsoft .NET allows an authenticated low-privileged user to elevate to higher privileges through an improper authorization flaw (CWE-285). The vulnerability carries a CVSS 7.8 (High) rating with local attack vector and low complexity, and no public exploit identified at time of analysis. Tagged as an Authentication Bypass, it requires an existing foothold on the host but no user interaction once that foothold is established.
Use-after-free in the Linux kernel KVM subsystem on arm64 allows a local attacker with the ability to manipulate nested virtualization state to dereference a freed nested_mmus array, with potential scope-crossing impact from guest to host kernel memory. Triggered by a race between kvm_vcpu_init_nested() reallocating the array under config_lock and MMU notifier walkers (kvm_unmap_gfn_range) traversing it under mmu_lock. EPSS is 0.02% and no public exploit identified at time of analysis; not listed in CISA KEV.
Out-of-bounds heap write in the Zephyr RTOS Bluetooth host allows a remote, unauthenticated BLE peer within radio range to corrupt memory during L2CAP LE Connection-oriented Channel (CoC) SDU reassembly. The flaw affects builds where the application enables SDU segmentation via chan_ops.alloc_buf and selects an RX net_buf pool whose user_data_size is smaller than 2 bytes, causing the reassembly segmentation counter in l2cap_chan_le_recv_seg() to be written past the allocated user_data region. There is no public exploit identified at time of analysis and EPSS probability is negligible (0.01%), so realistic impact is a triggered fatal error / heap corruption rather than demonstrated code execution.
Privilege escalation in Microsoft Dynamics 365 (on-premises) allows a remote authenticated attacker with low-level access to gain elevated privileges across the network due to improper handling of insufficient permissions. With a CVSS score of 8.8 and full impact on confidentiality, integrity, and availability, this issue is significant for organizations running on-premises Dynamics 365 deployments. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Authenticated PHP Object Injection in the Blocksy WordPress theme (versions ≤ 2.1.35) allows contributor-level users to escalate to remote code execution by storing a malicious serialized object in post meta that is later deserialized during the V200 database migration. Wordfence-reported flaw chains weak input sanitization in blocksy_sanitize_post_meta_options() with an unconditional @unserialize() call in SearchReplacer::run_recursively(), triggering RaiiPattern::__destruct() to invoke arbitrary callables via call_user_func(). No public exploit identified at time of analysis, but the low-privilege requirement and high impact make this a meaningful priority for sites running upgraded Blocksy installations.
Privilege escalation in the Events Calendar for GeoDirectory WordPress plugin (versions up to and including 2.3.28) allows authenticated Subscriber-level users to elevate to Administrator by abusing the ajax_ayi_action() AJAX handler, which writes attacker-controlled POST parameters directly into the wp_capabilities user meta key. The flaw stems from insufficient input filtering (strip_tags/esc_sql with no allow-list) on the type and postid fields before they reach update_user_meta(), enabling an attacker to set their own role to administrator. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in Hermes WebUI versions prior to 0.51.311 allows authenticated attackers to run arbitrary host commands by planting malicious Git configuration in a workspace repository's .git/config file. The Python backend in api/workspace_git.py invokes Git subprocesses (status, fetch) without hardening, so repo-local directives like core.fsmonitor, protocol.ext.allow, credential.helper, core.askPass, core.gitProxy, or inherited GIT_SSH_COMMAND turn read-only operations into command execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the vendor advisory and a VulnCheck disclosure (assigned via disclosure@vulncheck.com) confirm the bug and the corresponding fix.
Authenticated command injection in Siemens SINEC INS versions prior to V1.0 SP2 Update 6 allows remote attackers to execute arbitrary OS commands as the sinecins service account by submitting crafted directory names to the /api/sftp/uploadFiles endpoint. The injected payloads are stored and triggered later when directory listings are retrieved, producing a stored/second-order command injection. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.7 reflects high impact across confidentiality, integrity, and availability of the underlying host.
Unauthorized data access and action execution in QNAP QuMagie versions prior to 2.9.0 allows remote attackers to bypass authorization checks over the network without authentication. The CVSS 4.0 score of 8.7 reflects high confidentiality impact with low attack complexity and no privileges required, though no public exploit identified at time of analysis and KEV listing is absent.
Denial of service in the npm image-size library (versions 1.1.0-1.2.0 and 2.0.0-2.0.1) lets remote unauthenticated attackers hang any application that parses untrusted JXL, HEIF, or JP2 images. By supplying a crafted file whose ISO-BMFF-style box declares a size of zero, the findBox routine never advances its offset and enters an infinite loop during validation. No public exploit identified at time of analysis, though the vendor advisory includes payload details that make weaponization straightforward.
Authorization bypass in QNAP QuMagie versions prior to 2.9.1 allows remote unauthenticated attackers to manipulate user-controlled keys (IDOR-class flaw) and gain unintended privileges on the photo management application. The QNAP-issued advisory QSA-26-35 confirms the issue and ships a fix in 2.9.1; no public exploit identified at time of analysis, and the flaw is not currently listed in CISA KEV.
Stack-based buffer overflows in SimpleBLE prior to version 0.14.0 allow remote attackers within Bluetooth range to crash applications by transmitting crafted BLE advertisements containing oversized manufacturer-specific data or service data, requiring no pairing or connection. A separate local overflow exists in the dongl backend's Protocol::simpleble_write function via caller-controlled input. No public exploit identified at time of analysis, but the patch diff and acknowledgement to researcher Mr-IoT confirm three tracked issues (EVE-2026-001/002/003).
Local privilege escalation in Siemens SINEC INS (versions prior to V1.0 SP2 Update 6) stems from a binary shipped with the Linux cap_dac_override capability, which bypasses filesystem discretionary access control checks. An authenticated local attacker can leverage this overly broad capability to read or modify any file on the system, ultimately obtaining root. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Information disclosure in Pure Storage FlashArray Purity (versions 6.5.0-6.5.8 and 6.10.0-6.10.5) allows an authenticated low-privileged user to retrieve sensitive data via insufficiently filtered data paths. The flaw carries a CVSS 4.0 score of 8.7 with high confidentiality, integrity, and availability impact, but SSVC indicates no public exploitation and the attack is not automatable. No public exploit has been identified at the time of analysis.
Stored cross-site scripting in OpenEMR before 8.0.0.1 lets an authenticated patient portal user inject HTML/JavaScript into demographic fields via the PUT api/patient/:num endpoint, which fires later in a clinician's authenticated session when the prescription CSS/HTML multi-print feature renders the patient name and address without output encoding. Because the payload executes inside the main OpenEMR UI under the clinician's session, the attacker crosses the patient-to-clinician trust boundary and can steal CSRF tokens, exfiltrate session data, and perform privileged actions as the clinician. SSVC currently rates exploitation as POC, no public exploit identified at time of analysis, and EPSS is 0.03% (9th percentile), but the cross-tenant trust crossing in a healthcare app makes the issue material for any internet-exposed deployment.
Remote unauthenticated denial-of-service in MongoDB Server's BSON validation layer allows attackers to crash the mongod process by sending a crafted message containing nested binary structures that trigger uncontrolled mutual recursion. The CVSS 4.0 score of 8.7 reflects high availability impact with network attack vector and no authentication required. No public exploit identified at time of analysis, but the low-complexity, no-auth profile makes this a priority patch for internet-reachable MongoDB deployments.
SQL injection and privilege escalation in TYPO3 CMS 14.0.0 through 14.3.3 allow authenticated backend users holding write permissions on the form_definition table to bypass the Form Framework's persistence validation by submitting form configurations directly through DataHandler. Successful exploitation re-opens the attack class originally fixed in TYPO3-CORE-SA-2018-003, enabling injection of arbitrary form configurations that yield SQLi and elevation of privileges. No public exploit identified at time of analysis; not listed in CISA KEV.
SQL injection in LimeSurvey's RemoteControl API (invite_participants and remind_participants methods) allows an authenticated attacker with tokens/update permission on a survey to execute arbitrary stacked SQL queries against the application database. Because PDO emulated prepared statements are enabled and MySQL multi-statements are not disabled, attackers can read administrator bcrypt hashes via time-based blind techniques or directly overwrite credentials for instant account takeover. No public exploit identified at time of analysis; the upstream fix is published as LimeSurvey PR #5031, which replaces unsafe string concatenation with parameterized addInCondition().
Account takeover in LimeSurvey is possible through host header injection in the forgotten-password workflow, where reset links are built from the client-supplied HTTP Host header without validation. Remote unauthenticated attackers who know a target's username and email can submit a password-reset request with a spoofed Host header, causing LimeSurvey to email the victim a reset link pointing to an attacker-controlled host while still embedding the valid reset token. Reported by VulnCheck with publicly available exploit code exists via the vendor PR diff, though no public exploit identified at time of analysis in CISA KEV.
Arbitrary file read, write, and delete in the Logseq Electron desktop knowledge-management application is possible when an attacker can execute JavaScript inside the renderer process, because the preload script exposes an IPC bridge method that omits path validation. Version 0.10.15 has been confirmed vulnerable by CERT-PL, and because no patch was released the status of other releases is unverified. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Command injection in Logseq desktop application enables remote code execution via shell metacharacter abuse in IPC-exposed command arguments. An attacker with JavaScript execution in the renderer process (through XSS or a malicious plugin) can bypass the command allowlist because arguments are concatenated and passed to child_process.spawn with shell:true, granting arbitrary OS command execution at the privileges of the Logseq process. No public exploit identified at time of analysis, but the issue was reported by CERT-PL and remains unpatched in versions beyond the tested v0.10.15.
Privilege escalation in the Pure Storage FlashArray Purity management interface allows an authenticated low-privileged user to invoke functionality reserved for higher-privileged roles, yielding high confidentiality and integrity impact on managed storage. The CVSS 4.0 score of 8.6 reflects network reach with only low privileges required and no user interaction, though no public exploit identified at time of analysis and SSVC marks exploitation status as none.
Arbitrary file system read in Adobe Dreamweaver Desktop versions 21.7 and earlier allows attackers to access sensitive files outside the intended scope when a victim opens a crafted malicious file. The flaw stems from improper access control (CWE-284) and carries a CVSS 3.1 base score of 8.6 due to scope change, but no public exploit identified at time of analysis and EPSS is only 0.03% (8th percentile).
Arbitrary code execution in Adobe Dreamweaver Desktop 21.7 and earlier stems from a vulnerable third-party component bundled with the application, allowing an attacker to run code in the context of the user who opens a malicious file. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the changed-scope CVSS of 8.6 reflects the potential for the embedded component flaw to break out of Dreamweaver's security boundary.
Remote code execution in Microsoft Exchange Server allows an unauthenticated network-based attacker to execute arbitrary code on the mail server through code injection, though successful exploitation requires user interaction and faces high attack complexity. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. The vulnerability is rated CVSS 7.5 with full confidentiality, integrity, and availability impact on a compromised Exchange host.
Heap-based buffer overflow in SQLite's FTS5 full-text search extension (versions before 3.53.2) allows attackers to crash the process or execute arbitrary code by supplying a malicious database file that triggers an integer underflow in fts5ChunkIterate() during MATCH query processing. The flaw affects any application compiled with SQLITE_ENABLE_FTS5 that opens an attacker-supplied database and runs an FTS5 query against it; no public exploit identified at time of analysis, though VulnCheck has published an advisory.
Memory corruption in SQLite versions before 3.53.2 enables attackers to crash processes, exhaust memory, or potentially execute arbitrary code by supplying a crafted database that triggers flaws in the FTS5 full-text search extension when a MATCH query runs. The CVSS 4.0 vector indicates local attack vector with passive user interaction required, and no public exploit identified at time of analysis. Reported by VulnCheck with patches already merged upstream.
Local code execution in Microsoft Office stems from a type confusion (CWE-843) flaw that allows an unauthenticated attacker with local access to run arbitrary code in the context of the Office process. The CVSS 8.4 score reflects high impact on confidentiality, integrity, and availability without requiring privileges or user interaction, though the attack vector is local. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.
Local code execution in Microsoft Office is possible via a heap-based buffer overflow that an unauthorized attacker can trigger without user interaction, yielding full confidentiality, integrity, and availability impact on the host. The flaw is rated 8.4 (CVSS:3.1) and was disclosed by Microsoft's Security Response Center, but no public exploit has been identified at the time of analysis. Despite the CWE-121 tagging as a stack overflow, the description and CWE-122 class indicate the corruption occurs on the heap, so defenders should treat this as a memory-corruption RCE-class issue requiring prompt patching.
Local code execution in Microsoft Office stems from a type confusion condition (CWE-122 heap-based memory corruption per tags) that allows an unauthorized attacker to run arbitrary code on the host. The CVSS 8.4 vector indicates local attack vector with no privileges or user interaction required, and no public exploit is identified at time of analysis. The flaw was reported by Microsoft's MSRC and disclosed via the official update guide.