Denial of service in Elixir's standard library Version module (versions 1.5.0 through 1.20.0) allows any caller passing an attacker-controlled version string to exhaust CPU and memory or crash the calling BEAM process. The five public entry points - Version.parse/1, Version.parse!/1, Version.match?/3, Version.compare/2, and Version.parse_requirement/1 - pass numeric version components to :erlang.binary_to_integer/1 without length bounds, triggering super-linear arbitrary-precision integer conversion; a single ~1 MB all-digit component suffices. Applications routinely invoke these functions on untrusted input (HTTP parameters, package metadata), making the effective attack surface broader than the CVSS AV:L classification implies. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in TYPO3 CMS allows authenticated editors to embed raw HTML and JavaScript payloads into page titles that are written to the search index without sanitization. When the EXT:indexed_search (Indexed Search) plugin renders frontend search results, these unsanitized titles are output directly into the HTML response, executing attacker-controlled scripts in the browsers of any user who views those results. No public exploit or CISA KEV listing is identified at time of analysis, but the stored nature of the XSS - requiring only a single malicious edit to affect many users over time - elevates practical impact beyond what the medium CVSS 4.0 score of 5.1 might suggest.
Use-After-Free (UAF) in the HarmonyOS package management module allows a local attacker with high privileges to compromise service integrity. Successful exploitation requires high attack complexity and user interaction, limiting real-world exposure. The primary impact is integrity degradation (I:H), with minor confidentiality and availability effects; no public exploit or CISA KEV listing identified at time of analysis.
Pre-NVD disclosure via GitHub release 'OpenSSL 4.0.1' (openssl/openssl). OpenSSL 4.0.1 is a security patch release. The most severe CVE fixed in this release is High. This release incorporates the following bug fixes and mitigations: * Fixed heap use-after-free in `PKCS7_verify()`. ([CVE-2026-45447]) * Fixed CMS `AuthEnvelopedData` processing may accept forged messages. ([CVE-2026-34182]) * Fixed unbounded memory growth in the QUIC `PATH_CHALLENGE` handler. ([CVE-2026-34183]) * Fixed double-free when checking OCSP stapled respo
Integer overflow in the HarmonyOS and EMUI log service enables a local attacker, without requiring system privileges, to cause a denial-of-service condition and limited integrity impact on affected Huawei devices. The vulnerability is rooted in CWE-190 (Integer Overflow or Wraparound) within the log service component, with the CVSS-defined changed scope indicating the fault can affect components beyond the log service itself. No public exploit code and no confirmed active exploitation have been identified at time of analysis.
Uncontrolled CPU consumption in Red Hat 389 Directory Server's PBKDF2-SHA256 password storage plugin allows a highly privileged attacker who has write access to stored password hashes to craft a hash embedding an arbitrarily large iteration count, causing the LDAP server to exhaust CPU resources during any subsequent authentication attempt by the targeted user. Affected products span Red Hat Directory Server 11 through 13 and the 389-ds package as shipped across Red Hat Enterprise Linux 6 through 10. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Insufficient input validation across 30+ NETGEAR router, range extender, and mesh networking models enables local network-adjacent modification of router software and functionality. The CVSS 4.0 vector assigns PR:N (no privileges required) and AV:A (adjacent network), yet the CVE description scopes the vulnerability to 'authenticated administrators' - the 'Authentication Bypass' tag supplied by NETGEAR suggests the input validation flaw may itself circumvent authentication controls, reconciling this apparent conflict. Integrity impact is rated High (VI:H) against the vulnerable system, meaning successful exploitation allows unauthorized firmware or configuration modification. No public exploit is identified at time of analysis (E:U), and this CVE is not listed in the CISA KEV catalog.
Stack buffer overflow in 389 Directory Server's pw.c checkPrefix() function allows a network-accessible Directory Manager to crash the LDAP server by storing a crafted credential with an oversized algorithm ID. The vulnerable code copies attacker-controlled input into a fixed 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. FORTIFY_SOURCE compiler hardening constrains impact to denial of service - preventing arbitrary code execution - but service disruption against a critical authentication infrastructure component remains operationally significant. No public exploit identified at time of analysis.
Denial-of-service via out-of-bounds write in NETGEAR Orbi mesh router and satellite firmware allows unauthenticated, adjacent-network attackers to render affected devices unavailable by sending specially crafted requests. The vulnerability affects multiple Orbi 860/950/960/970/971-series devices across a broad firmware version range, with fixed builds available per vendor advisory. No public exploit code or active exploitation has been identified at time of analysis (CVSS E:U), though the low attack complexity and absence of any authentication requirement make this straightforward to reproduce for any attacker with local network access.
Weak password hashing in Siemens SINEC INS (all versions prior to V1.0 SP2 Update 6) exposes stored credentials to efficient offline recovery due to a static, hardcoded salt shared universally across all users and installations, combined with an insufficient iteration count. An attacker who has obtained high-privileged local access and can extract the password store can leverage the known static salt to construct targeted rainbow tables or run accelerated brute-force attacks, potentially recovering plaintext passwords and achieving unauthorized access to the application and downstream industrial network infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis, but the cryptographic weakness is deterministic - once hashes are obtained, the static salt eliminates per-user uniqueness and dramatically reduces attack cost.
Stack-based buffer overflow in Tenda O3 Wireless Router firmware v1.0.0.5(4180) enables authenticated remote attackers to crash the device by submitting an oversized username value to the R7WebsSecurityHandler HTTP handler. The CVSS vector (PR:H) confirms that exploitation requires high-privilege authentication, constraining the attack surface to compromised admin credentials or insider threat scenarios. No public exploit identified at time of analysis and EPSS sits at the 2nd percentile (0.01%), reflecting low observed exploitation interest.
Remote command execution in NETGEAR Orbi 370 series routers (firmware before V12.1.2.7) is achievable by a network-positioned adversary who can intercept and tamper with traffic between the device and the internet. Exploitation requires the device administrator to perform specific management actions while the attacker holds a man-in-the-middle position, at which point a buffer overflow (CWE-119) is triggered allowing arbitrary command execution on the device. No public exploit exists at time of analysis and the vendor has released a patching firmware (V12.1.2.7); no KEV listing has been issued by CISA.
Stored Cross-Site Scripting in Adobe Experience Manager Forms JEE (versions LTS SP1 and 6.5.24.0 and earlier) permits a high-privileged attacker to inject persistent JavaScript into vulnerable form fields, which then executes in any victim's browser that renders the affected page. The CVSS Scope Change (S:C) signal confirms the injected script's impact crosses security boundaries beyond the AEM Forms application itself, enabling session hijacking or cross-origin actions against browsing victims. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, with the CVSS score of 5.9 (Medium) reflecting the high-privilege prerequisite that limits the attacker pool.
Incorrect authentication tag processing for empty messages in OpenSSL's AES-GCM-SIV and AES-SIV cipher modes enables network-positioned attackers to bypass integrity guarantees on empty ciphertext, yielding limited confidentiality and integrity violations (CVSS 4.8, CWE-325). Affected branches span OpenSSL 3.0.x through 4.0.0, all patched in the OpenSSL 4.0.1 security release dated 2026-06-09. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Open redirect in SolarWinds Observability Self-Hosted enables an authenticated low-privilege attacker on an adjacent network segment to supply a crafted external URL that redirects application traffic or users to an attacker-controlled site. The CVSS vector assigns High confidentiality impact (C:H) despite a medium overall score of 4.8, suggesting the redirect may expose sensitive data - such as session tokens or credentials - to the attacker-controlled destination, rather than being a simple phishing-only vector. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis. SolarWinds has released a patch in the HCO 2026.2 release.
Reflected Cross-Site Scripting in Adobe Experience Manager Forms JEE (LTS SP1 and 6.5.24.0 and earlier) allows remote unauthenticated attackers to execute arbitrary script in a victim's browser session, potentially hijacking accounts or escalating privileges within the AEM Forms environment. The Scope:Changed flag in the CVSS vector indicates the impact extends beyond the vulnerable component, which combined with High confidentiality and integrity impacts yields a CVSS of 8.0. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Out-of-bounds read (buffer over-read) in Microsoft Office exposes sensitive memory contents to a local attacker who can induce a user to open a specially crafted file. Affecting a broad surface including Microsoft 365 Apps for Enterprise, Office LTSC 2021/2024, Office 2019, and mobile/Mac variants, the vulnerability carries a CVSS 4.7 (Medium) with high confidentiality impact but no integrity or availability consequence. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the wide deployment footprint of Microsoft Office makes even targeted information disclosure attacks operationally significant.
Path traversal in awxkit's YAML !include directive exposes arbitrary local files when a user imports a crafted YAML file via the AWX CLI. Affecting Red Hat Ansible Automation Platform 2, the vulnerability (CWE-22) allows an unauthenticated attacker who can deliver a malicious YAML file to a victim to read arbitrary YAML-formatted files from that user's local filesystem - including potentially sensitive configuration, credential, or key material files - without any write or execution capability. No public exploit identified at time of analysis; CVSS 4.7 reflects the real-world constraints of local attack vector, high complexity, and mandatory user interaction.
Reflected cross-site scripting in SAP Wily Introscope Enterprise Manager allows an unauthenticated remote attacker to craft a malicious URL that, when accessed by a victim user, executes injected JavaScript within the application's browser context. The CVSS vector (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N) confirms network-reachable delivery requiring no attacker credentials, but demands both high attack complexity and victim interaction, capping real-world exploitability. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in a lower-urgency tier despite the cross-scope impact.
TLS certificate validation failure in the ReadyCloud client app on multiple NETGEAR router models exposes confidential data to network interception. The app does not properly validate TLS certificates (CWE-325), enabling a network-positioned attacker to perform man-in-the-middle (MiTM) attacks against ReadyCloud communications. Affected models include the RAX35, RAX38, RAX40, RAX120v1, and RAX120v2 running firmware below the patched versions; no public exploit code exists and no active exploitation has been confirmed.
Logseq's plugin sandbox can be escaped by a malicious plugin that injects arbitrary HTML event handler attributes into its host DOM container element, executing JavaScript in the privileged Electron renderer context. The attack is enabled by a disabled Content Security Policy in the host context, which removes the browser-level barrier that would otherwise block inline event handler execution. Only v0.10.15 has been confirmed vulnerable by CERT-PL; no patch has been released, and the vulnerability status of all other versions remains unknown. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog.
Stored XSS in Logseq's plugin subsystem escalates to arbitrary code execution within the privileged Electron host context due to unsanitized innerHTML rendering of plugin metadata. When a user installs a malicious plugin whose package.json 'name' field contains a JavaScript payload, the payload executes with Electron's elevated privileges - a context in which Node.js APIs are accessible, making the effective impact closer to local code execution than a conventional browser-scoped XSS. Reported by CERT-PL, version v0.10.15 is confirmed vulnerable, no patch exists, and no public exploit has been identified at time of analysis.
OS command injection in NETGEAR JR6150 firmware (all versions ≤ 1.0.1.26) allows locally authenticated or WiFi-connected users to execute arbitrary operating system commands via insufficient input validation (CWE-20). The device reached End-of-Support in 2018 and NETGEAR will not release a patch, leaving all deployments permanently unmitigated. No public exploit code exists and active exploitation has not been confirmed (not listed in CISA KEV), but the perpetual absence of patching makes device replacement the only durable remediation.
Permission control vulnerability in the HarmonyOS clone module allows a local attacker to read confidential service data, with low confidentiality and availability impact. The flaw stems from improper permission enforcement (CWE-275) during clone operations and requires user interaction to trigger. No public exploit code exists and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis.
UI misrepresentation of critical information in Microsoft Bing Search for Android (versions below 33.3) enables unauthenticated network-based attackers to spoof content displayed to end users. The vulnerability (CWE-451) causes the application to render or present critical information-such as URLs, security indicators, or source attribution-in a misleading way, enabling deception attacks. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the zero-privilege-required, low-complexity network vector makes it accessible to opportunistic attackers targeting users of the unpatched Android application.
Open redirect in Adobe Experience Manager (versions 6.5.24, LTS SP1, 2026.04 and earlier) enables network-based attackers to craft malicious URLs that silently redirect victims to attacker-controlled sites, with Adobe's own advisory citing account takeover as the potential outcome. The attack requires no privileges or authentication on the attacker's side (PR:N per CVSS) but depends entirely on a victim clicking a crafted link (UI:R). No public exploit has been identified and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis, though the account takeover potential meaningfully exceeds what the moderate CVSS 4.3 score alone conveys.
Out-of-bounds read in Microsoft Excel exposes limited memory contents to a local attacker when a user opens a specially crafted workbook. Affected product lines span Excel 2016, Office 2019, Office LTSC 2021/2024, Microsoft 365 Apps for Enterprise, Office Online Server, and multiple Mac variants. With a CVSS score of 3.3 (Low), no public exploit identified at time of analysis, and no CISA KEV listing, this is a low-urgency information disclosure issue - though a notable conflict exists between the description's claim of network-based disclosure and the CVSS AV:L (local) vector that warrants verification against the vendor advisory.
Integrity tampering in NETGEAR router and mesh network firmware allows authenticated administrators on the local network to submit insufficiently validated input, modifying the router's configuration or internal state in unintended ways. Affected devices span at least 27 product lines including MR/MS mesh units and R-series routers, all running firmware below specific patched versions identified by NETGEAR (EUVD-2026-35460). No public exploit has been identified at time of analysis, SSVC assigns no active exploitation and non-automatable status, and NETGEAR has released patched firmware across all affected product lines.
Insufficient input validation across multiple NETGEAR Orbi mesh router models (RBR/RBS/RBE series) permits authenticated administrators on the local network to make unauthorized modifications to router software and functionality beyond their intended privilege scope. Affected are all firmware versions prior to V7.2.8.5 on most Orbi models and prior to V9.12.4.9 on the RBE97x series. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; NETGEAR self-reported and has released patched firmware addressing the flaw.
Cross-origin data leakage in Google Chrome's Passwords feature (all versions prior to 149.0.7827.103) can be triggered by a remote unauthenticated attacker delivering a crafted HTML page to a victim. The flaw results from an inappropriate implementation classified under CWE-693 (Protection Mechanism Failure), meaning the browser's same-origin policy enforcement is bypassed specifically within the Passwords subsystem. With a CVSS score of 4.3 and no public exploit or CISA KEV listing identified at time of analysis, this is a medium-severity information disclosure risk requiring user interaction to exploit.
Improper input validation in NETGEAR RAXE450 and RAXE500 routers (firmware prior to V1.2.14.114) allows authenticated administrators on the local network to manipulate router functionality beyond the intended operational boundaries of the standard management interface. The vulnerability carries a CVSS 4.0 score of 4.3 (Medium), constrained by adjacent-network-only access and a high-privilege prerequisite. No public exploit has been identified and no active exploitation is reported (E:U); a vendor-released patch is available.
Insufficient input validation in the NETGEAR JR6150 AC750 router (firmware ≤1.0.1.26) enables authenticated administrators on the local network to make unauthorized modifications to router software and functionality beyond their intended authorization scope. The device reached End-of-Support in 2018 and will receive no security patches. No public exploit code exists and no active exploitation has been identified; however, the device's permanent unpatched status makes risk acceptance or replacement the only long-term posture. The vulnerability was identified through firmware emulation and has not been verified on production hardware.
Partial stack address disclosure in Red Hat 389 Directory Server (versions 11, 12, and 13) allows authenticated remote users to extract memory layout information via crafted LDAP extended operation requests. The root cause is a CWE-843 type confusion in the SSO token extended operation handler, which causes stack pointer data to bleed into LDAP response payloads. While the direct impact is limited to low-confidence information disclosure, leaked stack addresses are a classic ASLR-weakening primitive that could facilitate chained exploitation. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
mod_verto session state pollution in FreeSWITCH allows an authenticated WebSocket user to inject arbitrary userVariables into connection state before password verification completes, with those values persisting into any subsequent successful login on the same connection. All versions prior to 1.11.1 are affected via the check_auth userauth branch, which performs append-only state writes before the password comparison gate, and crucially does not close the connection on a failed compare. No public exploit has been identified and the vulnerability is not in CISA KEV, but the vendor explicitly labeled this release a critical security fix and strongly urged immediate upgrade.
Stack-based buffer overflow in NETGEAR Orbi mesh router firmware (RBE, RBR, RBS series) enables authenticated administrators with local network access to submit malformed buffer input that bypasses validation and triggers unauthorized modification of router software and functionality. The attack surface is significantly constrained by the requirement for both administrative credentials (PR:H) and adjacent network positioning (AV:A), limiting realistic exposure to insider threats or scenarios where an attacker has already compromised admin credentials within the LAN. No public exploit identified at time of analysis, SSVC confirms exploitation status as none, and vendor-released patches are available across all affected model lines.
System integrity tampering across a broad portfolio of NETGEAR home and small-business networking devices allows authenticated administrators on the local network to manipulate device configuration beyond intended boundaries, classified under CWE-15 (External Control of System or Configuration Setting). The CVSS 4.0 vector (AV:A/PR:H/VI:H) confirms that exploitation is constrained to adjacent network access with high-privilege credentials, yet the integrity impact on the vulnerable system is rated High. No public exploit code exists (SSVC: Exploitation none; CVSS E:U), and NETGEAR has released firmware patches for all affected product lines.
Cross-origin data leakage in Google Chrome's codec subsystem on Linux and ChromeOS (versions prior to 149.0.7827.103) enables remote unauthenticated attackers to exfiltrate sensitive data from other origins by delivering a specially crafted video file to a target user. The root cause is uninitialized memory use (CWE-457) within the codec pipeline, where memory contents from other origin contexts may be exposed during video processing. No public exploit code has been identified at time of analysis, and CISA SSVC classifies exploitation status as 'none'; however, the network-accessible attack surface and lack of authentication requirement make patching a prudent priority for Linux and ChromeOS deployments.
Out-of-bounds read in Dawn, Chrome's WebGPU graphics API layer, on Windows enables unauthenticated remote attackers to leak cross-origin data by serving a crafted HTML page. Affected versions of Google Chrome on Windows are all releases prior to 149.0.7827.103. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) confirms this is a network-exploitable, low-complexity information disclosure with no authentication requirement - limited only by the need for a user to visit the attacker-controlled page. No public exploit code or CISA KEV listing has been identified at time of analysis.
Cross-origin data leakage in Google Chrome's MediaCapture implementation on macOS allows a remote attacker to read data from other origins by enticing a user to visit a specially crafted HTML page. Affected versions are all Chrome releases on Mac prior to 149.0.7827.103. The flaw carries a CVSS score of 4.3 (Medium) with no authentication required, though user interaction is necessary; no public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog.
Code injection in NETGEAR RBE97x routers (firmware prior to V9.12.4.9) enables authenticated administrators on the local network to make unauthorized modifications to router software and functionality beyond their sanctioned scope. The vulnerability stems from insufficient input validation (CWE-94), where administrator-supplied input is not properly sanitized before being processed, potentially allowing execution of injected code. No public exploit exists and CISA SSVC classifies exploitation status as 'none', making this a low-urgency but valid integrity risk for environments where shared or compromised admin accounts are a concern.
Arbitrary file deletion in Hermes WebUI before v0.51.303 allows a low-privileged local attacker to remove files outside the configured workspace boundary by exploiting a TOCTOU race condition in the git_discard function of api/workspace_git.py. An attacker who controls a workspace path component can swap it for a symlink in the narrow window between safe_resolve_ws() validation and the raw shutil.rmtree or Path.unlink deletion call, causing the delete operation to follow the symlink and destroy arbitrary files on the host. No public exploit has been identified at time of analysis and active exploitation is not confirmed (not in CISA KEV); a vendor-released patch in v0.51.303 closes the validation-to-use window.
Unauthorized subscription cancellation in weDevs User Frontend WordPress plugin (all versions through 4.3.2) allows any authenticated subscriber to cancel any other user's subscription pack, including administrators. The flaw stems from a missing capability check on the user_subscription_cancel() function, meaning low-privileged users can invoke privileged actions. No public exploit code has been identified and this is not listed in CISA KEV, but the low attack complexity and broad attacker pool (any registered subscriber) make this a realistic insider or account-takeover amplification risk.
Denial-of-service in the HarmonyOS browser kernel component allows a remote unauthenticated attacker to degrade availability on affected Huawei devices by luring a user into visiting a malicious page or interacting with crafted content. Exploitation requires user interaction (UI:R per CVSS), limiting opportunistic reach, but the network-accessible attack vector (AV:N) and low complexity (AC:L) make delivery straightforward once a user is socially engineered. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in FastPicker (versions up to and including 1.0.2), a WooCommerce order management plugin for WordPress, allows unauthenticated remote attackers to modify the plugin's administrative settings by tricking a logged-in site administrator into clicking a crafted link. Specifically, the `settingsPage` function in `Admin.php` lacks proper nonce validation, enabling forged POST requests that can toggle the plugin's webhook integration and redirect FastPicker and KDZ API endpoint URLs to attacker-controlled infrastructure. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in the jQuery Hover Footnotes WordPress plugin (all versions up to and including 1.4) enables unauthenticated remote attackers to chain CSRF into persistent stored Cross-Site Scripting affecting every visitor on the compromised site. The plugin's jqFootnotes_options_subpanel function lacks proper nonce validation, allowing a forged request to overwrite settings such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title with arbitrary HTML or JavaScript. Because these values are persisted via WordPress's update_option() without sanitization and rendered unescaped in frontend page output, a single successful social-engineering action against one administrator produces site-wide persistent XSS. No public exploit code is identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in the AJAX Report Comments WordPress plugin (≤2.0.4) allows unauthenticated attackers to modify plugin settings by tricking a logged-in administrator into triggering a forged request. The rc_options_page function in report-comments.php performs missing or incorrect nonce validation, enabling an attacker to overwrite notification email addresses, comment thresholds, link text, and message bodies without any privileges of their own. No public exploit code or CISA KEV listing has been identified at time of analysis, but the notification email hijack vector makes this a meaningful integrity risk on affected sites.
Cross-Site Request Forgery combined with reflected XSS in the WpMobi WordPress plugin (all versions through 0.0.3) allows unauthenticated attackers to execute arbitrary JavaScript in an administrator's browser session by forging a settings-save request. The handleSaveGeneralSettings function performs no nonce validation, permitting any remote party to submit crafted plugin settings on behalf of an authenticated admin. A particularly notable aspect is that the injected script in the app_name parameter fires even when server-side validation rejects the value, because the view layer re-renders the form with the unsanitized in-memory value rather than a sanitized fallback - meaning the XSS trigger does not depend on successful data persistence. No public exploit code or CISA KEV listing has been identified at time of analysis.
Cross-Site Request Forgery in WP Meta Sort Posts WordPress plugin (all versions ≤ 0.9) allows unauthenticated remote attackers to modify plugin settings by tricking a logged-in administrator into clicking a crafted link, due to missing nonce validation in msp-options.php. The CVSS vector (PR:N, UI:R) confirms the attacker requires no authentication but must social-engineer an administrator, with impact limited to changing the msp_loop_file and msp_nav_location settings. No active exploitation confirmed - this CVE is not listed in CISA KEV, no public exploit code has been identified, and EPSS data was not provided in available intelligence.
Email spoofing in the SAP Business Objects Business Intelligence Platform allows authenticated network users to manipulate email sending parameters without sufficient server-side validation, enabling them to craft and dispatch emails with falsified sender or header fields. Affected users require only low-privilege authentication, and exploitation is network-accessible with no additional user interaction required. No public exploit code exists and this vulnerability is not listed in CISA KEV; the CVSS score of 4.3 (Medium) accurately reflects the limited, integrity-only impact scoped to the application.
Privilege escalation in SAP MDG's Review Match Groups Application exposes restricted actions to low-privileged authenticated users due to missing authorization checks. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms exploitation requires only a valid low-privileged account over the network with no additional interaction, enabling unauthorized data modification. Impact is scoped to low integrity degradation - confidentiality and availability are unaffected - making this a moderate business risk primarily for organizations where MDG data integrity is compliance-critical. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.