Unauthorized information disclosure in Apache Answer through 2.0.0 allows authenticated users to bypass access restrictions on the 'unlisted question' feature by querying direct API endpoints. Rather than enforcing the same visibility controls applied at the UI layer, the underlying API routes expose unlisted questions along with their associated answers, comments, and full revision history to any authenticated user. No public exploit code has been identified and this CVE is not listed in CISA KEV, but the straightforward nature of the bypass - direct API calls - lowers the practical bar for exploitation by any platform user.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) allows adjacent-network unauthenticated attackers to crash the device via a crafted Go parameter submitted to the ask_to_reboot function, resulting in a complete Denial of Service condition. The vulnerability carries a CVSS 6.5 score with High availability impact but no confidentiality or integrity loss, and the attack vector is constrained to adjacent network access. No public exploit confirmation or CISA KEV listing is present, and EPSS at 0.02% (5th percentile) indicates low observed exploitation probability at time of analysis.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) enables adjacent-network unauthenticated attackers to crash the device by supplying an oversized wl_radio parameter to the formwrlSSIDget function. Impact is limited strictly to Denial of Service (availability loss); no confidentiality or integrity impact is possible per CVSS vector analysis. No public exploit identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02% (5th percentile), placing this firmly in the lower-priority tier despite the High availability impact rating.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) enables adjacent-network unauthenticated attackers to crash the device via the formSetCfm HTTP endpoint. The vulnerability resides in the param_1 parameter of the formSetCfm function, where insufficient input validation allows a crafted HTTP request to overflow a stack buffer, resulting in a Denial of Service. A public GitHub repository linked in the references (xhh0124/SemVulLLM) appears to document or demonstrate the issue; no public exploit identified at time of analysis beyond that reference, and the EPSS score of 0.01% (2nd percentile) reflects very low exploitation probability.
Multiple stack-based buffer overflows in Tenda G0 router firmware v15.11.0.5 allow network-adjacent or remote attackers to crash the device by sending crafted HTTP requests to the `formSetDebugCfgr` debug configuration endpoint, with three independent overflow vectors (`enable`, `level`, `module` parameters) each capable of triggering a denial-of-service condition. The official CVSS vector includes UI:R, suggesting a possible CSRF-style delivery mechanism requiring an authenticated administrator to be tricked into issuing the malicious request, which meaningfully constrains exploitation compared to a purely unauthenticated remote attack. No public exploit confirmed in CISA KEV; an associated GitHub repository referenced in the CVE may contain proof-of-concept material, though EPSS remains extremely low at 0.01% (2nd percentile).
Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attacker during database import operations. Exploitation requires local system access, high attack complexity, and high privileges (administrator-level), producing only minor confidentiality impact with no integrity or availability consequences. No public exploit identified at time of analysis and no KEV listing; the CVSS score of 1.9 reflects the extremely constrained exploitation conditions, making this a low operational priority absent specific threat model considerations.
Xen Hypervisor's domctl locking mechanism, when XSM/Flask mandatory access control is enabled, acquires the system-wide serialization lock for certain operations before performing any Flask permission checks. This allows a less-privileged guest domain to seize the lock without authorization and stall equally or more privileged entities - including the control domain (dom0) and Xenstore domain - potentially causing a Denial of Service affecting the entire physical host. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.
SQL injection in SAP S/4HANA (On-Premise) exposes sensitive ERP database content to authenticated network attackers via a vulnerable remote-enabled function module. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity network exploitation requiring only a low-privilege SAP user account, with high confidentiality impact and no effect on data integrity or system availability. No public exploit or CISA KEV listing has been identified at time of analysis; SAP has issued a security note addressing the issue.
Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables low-privileged authenticated attackers to perform spoofing attacks over a network without requiring user interaction. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-reachable exploitation by any authenticated SharePoint user with no further interaction required from a victim. No public exploit identified at time of analysis and CISA SSVC classifies exploitation status as none, though vendor patches are available for all three affected product lines.
Cross-site scripting in Microsoft SharePoint allows an authenticated network attacker with low privileges to inject malicious script content into web pages, enabling spoofing attacks against other users. All three active SharePoint server product lines - Server 2019, Enterprise Server 2016, and Subscription Edition - are affected across broad version ranges. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis; vendor-released patches are available for all affected product lines.
Spoofing via reflected/stored cross-site scripting in Microsoft Exchange Server allows a remote unauthenticated attacker to execute attacker-controlled script in the context of a victim's authenticated Exchange session after the victim interacts with a crafted link or message. With a CVSS 3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R) and high confidentiality and integrity impact, successful exploitation enables session hijacking, mailbox content disclosure, and message manipulation, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Stored or reflected cross-site scripting in Microsoft Office SharePoint allows an authenticated attacker with low privileges to inject malicious script that, after victim interaction, results in spoofing and disclosure or alteration of sensitive content within a victim's browser session. The CVSS 7.3 (AV:N/AC:L/PR:L/UI:R) rating reflects network-reachable exploitation with low complexity but requires both a valid SharePoint account and user interaction. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Stored or reflected cross-site scripting in Microsoft Office SharePoint allows an authenticated low-privileged attacker to inject script that executes in another user's browser session, enabling spoofing and high-impact disclosure or modification of data rendered in the victim's context. The CVSS 7.3 vector requires user interaction and existing access to the SharePoint site, and no public exploit identified at time of analysis. The flaw is consistent with the CWE-79 class of input neutralization failures during web page generation.
Cross-site scripting in Microsoft SharePoint Server enables network-based spoofing attacks by injecting malicious scripts into rendered web pages, requiring victim user interaction to trigger. Three SharePoint server product lines are affected across the 16.0.x code branch, with vendor-released patches available for all. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables network-based spoofing attacks against authenticated users who interact with attacker-controlled content. The vulnerability stems from insufficient input neutralization during web page generation (CWE-79), allowing injected script to execute in a victim's browser context. No public exploit code has been identified at time of analysis, and a vendor-released patch is available via Microsoft's Security Response Center.
Cross-site scripting in Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition enables network-based spoofing attacks by injecting malicious scripts into rendered web page output. The vulnerability carries a CVSS 5.4 (Medium) score with low attack complexity and no privilege requirement per the CVSS vector, but requires victim user interaction - a pattern consistent with reflected or stored XSS leading to in-browser script execution within a trusted SharePoint domain. No public exploit code or CISA KEV listing has been identified at time of analysis, though the broad enterprise deployment footprint of SharePoint elevates real-world relevance beyond the moderate CVSS score.
Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables a network-based attacker to perform spoofing by injecting malicious script into web page generation, affecting the confidentiality and integrity of victim sessions. The attack requires user interaction - a victim must click or load attacker-controlled content - which limits opportunistic exploitation but makes it viable via phishing or social engineering. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis; however, vendor-released patches are confirmed across all three affected release lines.
Cross-site scripting in Microsoft SharePoint Server on-premises deployments (2016, 2019, and Subscription Edition) enables network-based spoofing attacks by injecting malicious script into pages rendered within victims' browser sessions. All three actively supported SharePoint on-premises product lines are affected across broad version ranges, with fixed releases confirmed in the June 2026 patch cycle. No public exploit code has been identified at time of analysis and the vulnerability is absent from the CISA KEV catalog, but low attack complexity and wide enterprise deployment footprint make prompt patching a reasonable priority.
Stored or reflected cross-site scripting in Microsoft SharePoint Server (the platform underlying Office Project Server) enables an authenticated low-privileged attacker to inject malicious script into web-rendered content, facilitating spoofing attacks against other users. The CVSS vector (PR:L/UI:R) confirms exploitation requires an authenticated account and victim interaction, constraining opportunistic use. No public exploit code has been identified at time of analysis, a vendor patch has been released, and no CISA KEV listing is present.
Cross-site scripting in Microsoft SharePoint Server allows an authenticated low-privileged attacker to inject malicious scripts into SharePoint-generated web pages, enabling spoofing attacks against other authenticated users over the network. Three product lines are confirmed affected: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, each with specific patched build thresholds. No public exploit code has been identified at time of analysis, and Microsoft has released patches for all three product lines.
Stored or reflected cross-site scripting in Microsoft SharePoint on-premises deployments enables an authenticated attacker to perform spoofing attacks against other users over a network. Affected products span three major on-premises release lines: SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. The CVSS vector (PR:L, UI:R) confirms exploitation requires a low-privileged authenticated account and victim user interaction, meaningfully constraining opportunistic attack. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.
Stored Cross-Site Scripting in Prime Elementor Addons for WordPress (all versions through 1.3.3) allows authenticated attackers with contributor-level access to persist malicious scripts in widget HTML Tag settings that execute in any visitor's browser on page load. The vulnerability is notable for a specific filter bypass: payloads crafted without HTML angle brackets (e.g., 'img src=x onerror=alert(document.domain)') pass unmodified through Elementor's wp_kses_post() sanitization at save time, meaning even users lacking the unfiltered_html capability can inject effective XSS. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
{id}-slug/) enforces a Content-Security-Policy header that blocks all inline scripts, meaning the attack surface is exclusively the WordPress admin dashboard preview context. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Use-after-free memory corruption in Huawei HarmonyOS's IPC (Inter-Process Communication) module allows a network-adjacent, low-privilege authenticated attacker to exploit a race condition leading primarily to high-confidence information disclosure with secondary integrity and availability impacts. The CVSS vector (AV:N/AC:H/PR:L/UI:N) confirms remote reachability but demands precise race-condition timing and an authenticated session, materially constraining opportunistic exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis, and Huawei has issued a June 2026 security bulletin addressing the issue.
Stored Cross-Site Scripting in the kk Blog Card WordPress plugin (all versions ≤ 1.3) allows authenticated contributors to inject persistent JavaScript payloads via unsanitized 'href' and 'type' attributes of the [blog-card] shortcode. The flaw, rooted in direct attribute concatenation without sanitization or escaping in kk-blog-card-shortcode.php, executes injected scripts in the browser of any visitor loading an affected page - including administrators. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the changed scope (S:C) in the CVSS vector elevates potential impact beyond the plugin boundary.
{{...}}). The attack exploits an attribute-breakout technique - a double-quote followed by an event handler - that contains no angle brackets and therefore evades WordPress core's wp_kses_post() filter, which only strips disallowed HTML tags rather than sanitizing attribute injection contexts. The changed scope (S:C in the CVSS vector) means injected scripts execute in any victim's browser upon visiting a page containing the malicious footnote, enabling session theft, credential harvesting, or defacement at scale across site visitors. No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored Cross-Site Scripting in the WP ApplicantStack Jobs Display WordPress plugin (all versions through 1.1.1) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via unsanitized shortcode attributes. Because the CVSS vector reflects Changed Scope (S:C), successful injection impacts the browsers of any user - including administrators - who subsequently load the affected page, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit has been identified at time of analysis, and the vulnerability has not been added to CISA KEV.
Stored Cross-Site Scripting in the WP GDPR Cookie Consent WordPress plugin (versions up to and including 1.0.0, by techjewel) allows authenticated attackers with subscriber-level access to inject persistent malicious scripts into pages served to all site visitors. The vulnerability chains three distinct weaknesses in the handleAjaxCalls() function: absent capability verification, missing nonce validation, and unsanitized gdprConfig values that are echoed verbatim by generateCSS() into a <style> block on wp_head. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (subscriber-level) and changed scope (S:C) make this a meaningful risk for multi-user WordPress sites.
Stored Cross-Site Scripting in the ePaperFlip Publisher WordPress plugin (all versions up to and including 1) permits authenticated Contributors to inject arbitrary JavaScript via the 'publicationid' attribute of the epaperflip_embed shortcode, which is written unsanitized directly into inline JavaScript on rendered pages. The CVSS Changed scope (S:C) reflects that the injected payload executes in the browser context of any visitor who loads the compromised page, crossing trust boundaries beyond the plugin itself. No public exploit code has been identified at time of analysis and this vulnerability is not currently listed in the CISA KEV catalog.
Stored Cross-Site Scripting in the RomanCart Ecommerce WordPress plugin (versions ≤2.0.8) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the 'blclass' attribute - and other attributes - of the romancart_button shortcode. The injected payload executes in any visitor's browser upon page load, enabling session hijacking, credential theft, or administrative account takeover. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and changed scope (S:C) elevate real-world concern for multi-author WordPress deployments.
Stored Cross-Site Scripting in the TinyMCE Shortcode Addon WordPress plugin (all versions ≤ 1.0.0) allows authenticated attackers with contributor-level access or higher to inject persistent JavaScript via the unsanitized 'btnrel' shortcode attribute. The injected script is stored server-side and executes in the browser of every subsequent visitor to the affected page, including administrators - enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Stored Cross-Site Scripting in the Global Body Mass Index Calculator WordPress plugin (versions up to and including 1.2) allows authenticated contributors to persistently inject arbitrary JavaScript into any page rendering the 'gbmicalc' shortcode. The vulnerability arises from PHP's @extract() call on unsanitized shortcode attributes followed by unescaped output into both an HTML style attribute context and an HTML body context inside GBMI_Calc_Widget::widget(), enabling attribute-breakout payloads. No public exploit code has been identified at time of analysis and no CISA KEV listing exists, but the Wordfence-confirmed contributor-level requirement makes this a realistic risk for any multi-author WordPress installation.
Stored Cross-Site Scripting in the Extra Settings for RocketChat WordPress plugin (versions up to and including 0.1) allows authenticated attackers with contributor-level access to permanently inject arbitrary JavaScript via the 'title' attribute of the [rocketchat] shortcode. The injected script persists in the database and executes in the browser of any site visitor who loads an affected page, enabling session hijacking, credential theft, or further privilege escalation depending on victim role. No public exploit code identified at time of analysis, and this CVE does not appear on the CISA KEV catalog.
Stored Cross-Site Scripting in the Enable Media Replace WordPress plugin (all versions through 4.1.8) allows authenticated attackers with Author-level access or higher to inject persistent malicious scripts via the unsanitized 'location_dir' parameter. The injected payload executes in the browser of any user who accesses an affected page, with scope changed (S:C) indicating cross-boundary impact - most critically, a low-privileged Author can compromise higher-privileged sessions including administrators. No public exploit identified at time of analysis, and no CISA KEV listing, but the low attack complexity and broad WordPress install base elevate practical risk.
Stored Cross-Site Scripting in the Accordions plugin for WordPress (all versions through 2.3.23) enables authenticated attackers holding Custom-level roles or higher to permanently embed malicious JavaScript into Accordion body fields. The injected scripts execute in the browser of any user who subsequently visits an affected page, enabling session token theft, credential harvesting, or drive-by malware delivery within the WordPress site context. No public exploit has been identified at time of analysis, though an upstream fix commit is available in the plugin Trac repository.
PHP Object Injection in TYPO3 CMS's cache frontend (VariableFrontend) and persistent key-value store (Registry) exposes TYPO3 installations to potential Remote Code Execution when an attacker controls write access to the underlying storage layer. The root cause is bare PHP `unserialize()` calls on storage-retrieved data without HMAC integrity validation or class allowlists, meaning attacker-controlled data in the `sys_registry` table or cache backend can trigger deserialization of crafted PHP objects through a gadget chain. No public exploit has been identified at time of analysis and no CISA KEV listing exists; however, the CVSS 4.0 Subsequent impact scores (SC:H/SI:H/SA:H) confirm that successful exploitation yields full system-level impact despite the local access prerequisite.
Cross-site scripting in QNAP QTS and QuTS hero operating systems allows remote attackers to bypass security mechanisms and read application data when an authenticated user interacts with attacker-supplied content. The flaw carries a CVSS 4.0 score of 8.7 driven by network reachability, low attack complexity, no required privileges, and high impact across confidentiality, integrity, and availability of the NAS management surface. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Hermes WebUI's SSH/remote terminal workspace resolver exposes local server files to authenticated low-privilege attackers by accepting system directories as trusted workspace roots. The flaw in `_remote_terminal_workspace_candidate()` (`api/workspace.py`) causes an early return that bypasses the `_is_blocked_workspace_path()` guard, allowing an attacker-configured remote terminal working directory (e.g., `/etc`) to be registered as a trusted workspace - after which workspace file-read helpers treat it as a local path and return host file contents. No public exploit has been identified at time of analysis, but the CVSS 4.0 vector scores SC:H (high subsequent-system confidentiality impact), confirming meaningful server-side file disclosure potential.
Heap buffer over-read in Red Hat Directory Server's ldap_utf8prev() function exposes LDAP deployments to potential confidentiality, integrity, and availability impact via crafted string filter input. The flaw affects authenticated, network-accessible LDAP servers running Red Hat Directory Server 11, 12, and 13 as well as the 389-ds component shipped across Red Hat Enterprise Linux 6 through 10. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; however, its presence in filter parsing logic - a core LDAP code path - warrants prompt patching in internet-exposed or multi-tenant directory environments.
Arbitrary file system read in Adobe Dreamweaver Desktop 21.7 and earlier allows a local attacker to access sensitive files and directories outside the application's intended access scope by convincing a victim to open a specially crafted malicious file. The changed scope (S:C) in the CVSS vector confirms the impact extends beyond Dreamweaver's own security context - read access can reach OS-level files, credentials, or configuration data. No public exploit has been identified and this vulnerability is not listed in CISA KEV, placing it in a targeted rather than opportunistic threat profile.
Incorrect Authorization in Adobe Dreamweaver Desktop 21.7 and earlier enables arbitrary file system reads beyond the application's intended access scope when a victim opens a specially crafted malicious file. The vulnerability (CWE-863) results in a scope change - meaning access to files outside the component's normal boundary is achieved - with high confidentiality impact and no integrity or availability loss. No public exploit code has been identified and this CVE does not appear in the CISA KEV catalog at time of analysis, but the high confidentiality impact and low attack complexity make it a meaningful risk for environments where users routinely open externally sourced project files.
Arbitrary file write in Dell/Alienware Purchased Apps versions prior to 1.1.32.0 is achievable by a low-privileged local attacker through a link-following (CWE-59) flaw, enabling overwrite of files at elevated privilege levels and resulting in high integrity and availability impact. The CVSS vector (AV:L/AC:H/PR:L) confirms local access with high attack complexity is required, suggesting exploitation likely involves a race condition or carefully staged symlink placement. No active exploitation is confirmed (not in CISA KEV), and a vendor-released patch is available at version 1.1.32.0.
Arbitrary file write in Dell Inventory Collector Client versions prior to 13.8.0 allows a low-privileged local attacker to overwrite files outside the intended write path by exploiting improper symbolic or hard link resolution. The vulnerability (CWE-1386) arises when the client resolves a link to an unintended target before performing a file access operation, enabling an attacker to redirect writes to attacker-controlled locations. No public exploit has been identified at time of analysis and CISA KEV confirmation is absent, but the high integrity and availability impact (CVSS I:H/A:H) means successful exploitation could corrupt system files or cause denial of service.
Permission management bypass in HarmonyOS's network management module allows a locally present, low-privileged attacker - with user interaction - to read sensitive network data (C:H) and disrupt service availability (A:H) under high-complexity conditions. The CVSS 6.3 Medium score reflects meaningful impact tempered by stringent prerequisites: local access, an authenticated account, required victim interaction, and high attack complexity. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the confidentiality and availability impacts warrant patching per Huawei's June 2026 security bulletin.
Cross-site request forgery in SemCms 5.0 allows a remote attacker to perform unauthorized actions against the admin user management endpoint at /admin/semcms_user.php by tricking an authenticated administrator into triggering a crafted POST request. The affected product is a PHP-based CMS and the vulnerability stems from a missing or bypassable CSRF token on a privileged administrative function. Publicly available exploit code exists per SSVC data, though the vulnerability has not been added to the CISA KEV catalog and is not confirmed as actively exploited in the wild.
Improper input validation in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits a local attacker to crash the consuming application by supplying malformed input, resulting in a denial-of-service condition. No user interaction is required once the attacker can deliver crafted input to the locally running process. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the crash-based impact and low attack complexity make it straightforward to trigger.
Uncontrolled resource consumption in Adobe CAI Content Credentials (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows a local attacker without privileges to exhaust system resources, resulting in a denial-of-service condition. The vulnerability requires no user interaction, meaning it can be triggered programmatically by any process with local access to a system running the affected SDK. No public exploit code or CISA KEV listing has been identified at time of analysis.
Uncontrolled resource consumption in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows a local, unprivileged attacker to exhaust system resources and trigger an application-level denial-of-service condition. The CVSS vector confirms local attack vector with no privileges required and no user interaction, meaning any local process or user context capable of invoking the SDK can trigger the condition. No public exploit code or CISA KEV listing has been identified at time of analysis, and the availability impact is rated High with no confidentiality or integrity exposure.
Uncontrolled resource consumption in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows a local, unprivileged attacker to exhaust system resources and crash the hosting application. The CVSS vector confirms local access is required, limiting exposure primarily to environments where untrusted users share process space with SDK-consuming applications, such as multi-tenant systems or services that process attacker-supplied C2PA credential data from disk or local input. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later). Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.