Arbitrary code execution in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier is possible when a user opens a maliciously crafted document, triggering a heap-based buffer overflow. The flaw runs code in the context of the logged-in user and was reported by Adobe; no public exploit identified at time of analysis and EPSS data is not provided.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs through a stack-based buffer overflow triggered when a victim opens a malicious document file. Exploitation runs in the context of the current user and requires user interaction, with no public exploit identified at time of analysis. The issue was reported by Adobe and addressed in security bulletin APSB26-58.
Arbitrary code execution in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier occurs through a stack-based buffer overflow triggered when a user opens a malicious document. Successful exploitation runs attacker-controlled code in the context of the current user, but requires social engineering since the attack vector is local and user interaction is mandatory. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local privilege escalation in Omnissa Workspace ONE Assist for macOS allows an authenticated local user with low privileges to escalate to higher privileges through a path traversal weakness (CWE-22). The flaw carries a CVSS 7.8 (High) rating with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. The vulnerability is tracked under Omnissa advisory OMSA-2026-0001 and is specific to the macOS build of the Assist remote-support agent.
Arbitrary VQL execution in Rapid7 Velociraptor before 0.76.6 allows attackers to compromise analyst workstations by supplying a malicious collection ZIP whose client_info.json hostname field breaks out of a YAML template generated by the Windows.Collectors.Remapping artifact. Triggered when an analyst loads the resulting remapping file with --remap, the injected VQL runs under NullACLManager with full permissions and no sandbox. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Remote denial-of-service in Microsoft's HTTP/2 implementation allows unauthenticated network attackers to exhaust server resources and disrupt service availability. The flaw (CWE-400, uncontrolled resource consumption) was reported by Microsoft's MSRC and carries a CVSS 7.5 score driven entirely by availability impact, with no public exploit identified at time of analysis.
Arbitrary code execution in Adobe Acrobat Reader 24.001.30365, 26.001.21651 and earlier arises from an uncontrolled search path element (CWE-427), enabling a local attacker to run code in the current user's context when a victim opens a malicious file. No public exploit identified at time of analysis, EPSS is very low (0.03%), and CISA SSVC marks exploitation as 'none' with total technical impact. Adobe has released a fix via security bulletin APSB26-63.
Privilege escalation via UID confusion in the Linux kernel's 9p filesystem client allows local users mounting 9P2000.L shares with non-default access modes to be silently demoted to the INVALID_UID (nobody/65534) for all fid lookups, breaking root's ability to chown or perform privileged file operations over the mount. Introduced by commit 1f3e4142c0eb during the conversion of 9p to the new mount API, the bug causes v9fs_apply_options() to OR user-supplied access flags onto the default V9FS_ACCESS_CLIENT instead of replacing them. EPSS is 0.02% and the issue is not on CISA KEV; no public exploit identified at time of analysis.
Privilege escalation in TYPO3 CMS Form Framework allows authenticated backend users with file write permissions to bypass upload restrictions using mixed-case file extensions (e.g., .FORM.YAML), then execute arbitrary SQL via crafted form definition files to create administrative backend accounts. The flaw affects TYPO3 versions before 10.4.57, 11.5.50, 12.4.45, 13.4.30, and 14.3.2 across all supported branches. No public exploit identified at time of analysis, but the upstream fix is published with detailed commit-level test cases that effectively serve as a roadmap for exploit development.
Denial-of-service in Micrometer (micrometer-core, micrometer-jetty11, and micrometer-jetty12) allows remote unauthenticated attackers to exhaust resources by sending specially crafted HTTP requests against applications that expose Micrometer-instrumented endpoints. The flaw affects a wide swath of supported 1.9.x through 1.16.x release lines and carries a CVSS 7.5 (availability-only) impact. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Path traversal in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables an authenticated low-privileged attacker to execute code over a network by escaping the intended directory scope. Affected builds span all three actively maintained SharePoint Server product lines, with vendor-confirmed patches available for each. No public exploit code has been identified at time of analysis, and this CVE is not currently listed in the CISA KEV catalog; however, the low attack complexity (AC:L) and no user interaction requirement (UI:N) make it a credible target for exploitation once an attacker has any valid SharePoint credential.
Denial-of-service in Adobe's CAI Content Credentials SDK (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenticated attackers to crash the application by submitting malformed input that bypasses validation. The flaw carries a CVSS 7.5 rating driven entirely by availability impact, with no confidentiality or integrity consequences. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Information disclosure in Visual Studio Code versions 1.0.0 through 1.123.0 allows an unauthenticated remote attacker to exfiltrate sensitive information over a network by inducing user interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:R/C:H) indicates that while no authentication or elevated complexity is required on the attacker's side, the victim must perform some interaction to trigger the exposure - likely opening a malicious file, workspace, or following a crafted link within the IDE environment. No public exploit code or CISA KEV listing has been identified at time of analysis, but the high confidentiality impact and zero-privilege requirement make this a meaningful risk for developer workstations handling secrets, tokens, or source code.
Out-of-bounds read in OpenSSL's CMS password-based decryption code (CVE-2026-9076) allows remote attackers to cause denial of service against applications that decrypt attacker-supplied CMS messages. The flaw is fixed in OpenSSL 4.0.1 alongside a batch of other cryptographic vulnerabilities, with no public exploit identified at time of analysis and no CISA KEV listing. Multiple OpenSSL branches (1.0.2, 1.1.1, 3.0, 3.4, 3.5, 3.6, and 4.0.0) require updates per the upstream advisory.
Remote denial of service in 389 Directory Server (Red Hat Directory Server 11/12/13 and Red Hat Enterprise Linux 6 through 10) allows unauthenticated network attackers to crash the LDAP daemon by exploiting an unchecked BER structure allocation in the dereference control plugin when the host is under memory pressure. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.09%, 25th percentile), but the unauthenticated network-reachable nature warrants prompt patching of internet-facing or business-critical directory services.
Information disclosure in Microsoft Windows Remote Desktop Protocol (RDP) allows remote unauthenticated attackers to read out-of-bounds memory over the network, potentially exposing sensitive data from the RDP service process. The flaw is reachable without authentication or user interaction across any exposed RDP endpoint, and no public exploit identified at time of analysis. Microsoft has assigned the issue a CVSS 3.1 score of 7.5 reflecting high confidentiality impact with no integrity or availability effect.
Information disclosure in Microsoft Windows Remote Desktop Protocol (RDP) allows unauthenticated remote attackers to read out-of-bounds memory contents over the network, potentially leaking sensitive data from the RDP service process. The vulnerability requires no authentication or user interaction and is rated CVSS 7.5 with high confidentiality impact only. At time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.
Sandboxed remote code execution in Google Chrome versions prior to 149.0.7827.103 allows attackers who have already compromised the renderer process to execute arbitrary code via a crafted HTML page that triggers a use-after-free in the ServiceWorker component. Rated High severity by Chromium with a CVSS 7.5, the flaw requires user interaction (visiting a malicious page) and a pre-existing renderer compromise, and no public exploit has been identified at time of analysis. The vendor has released a patched Stable channel update.
Sandbox-confined arbitrary code execution in Google Chrome on macOS versions prior to 149.0.7827.103 stems from an out-of-bounds read and write in the Media component, exploitable by a remote attacker who has already compromised the renderer process and lures a user to a crafted HTML page. Google rates the Chromium severity as High and has released a patched stable channel update; no public exploit identified at time of analysis, and SSVC reports no observed exploitation.
Remote code execution in Google Chrome on Windows prior to 149.0.7827.103 can be triggered via a use-after-free flaw in the Bluetooth component, allowing a remote attacker to execute arbitrary code when a victim visits a crafted HTML page and performs specific UI gestures. Chromium rates the severity as Critical, though the CVSS 3.1 score of 7.5 reflects high attack complexity and required user interaction. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Remote code execution in Google Chrome on macOS prior to version 149.0.7827.103 allows a remote attacker to exploit a use-after-free flaw in the Compositing component via a crafted HTML page. Google has rated the underlying Chromium security severity as Critical, and no public exploit identified at time of analysis, though the bug is patched in the latest stable channel. Successful exploitation requires user interaction (visiting a malicious page) and high attack complexity, which moderates real-world risk despite the high impact.
Remote code execution in Google Chrome versions prior to 149.0.7827.103 stems from a use-after-free flaw in the TabStrip UI component, allowing remote attackers to execute arbitrary code when victims interact with a malicious HTML page via specific UI gestures. Google rates the Chromium severity as Critical, and a vendor-released patch is available; no public exploit has been identified at time of analysis. The high attack complexity (AC:H) and required user interaction (UI:R) constrain mass exploitation despite the severe technical impact.
Information disclosure in Microsoft Windows NTLM authentication allows remote unauthenticated attackers to obtain sensitive data and conduct network spoofing attacks against affected Windows 10, Windows 11, and Windows Server installations. The flaw carries a CVSS 7.5 (high) rating due to high confidentiality impact with no privileges or user interaction required, though EPSS exploitation probability is low at 0.08% and no public exploit identified at time of analysis. Microsoft has released patches through MSRC for all affected SKUs.
Remote code execution in Microsoft Remote Desktop Client is possible via a heap-based buffer overflow that an unauthenticated remote attacker can trigger when a user is convinced to connect to a malicious RDP server. The flaw is rated CVSS 7.5 (High) with attack complexity High and required user interaction, and no public exploit identified at time of analysis. The CWE-416 classification combined with the vendor's tags points to a use-after-free condition reachable through crafted RDP server responses.
Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled or compromised RDP server, triggering a heap-based buffer overflow that leads to arbitrary code execution on the client machine. The flaw is unauthenticated from the server side but requires user interaction and high attack complexity, and no public exploit identified at time of analysis. CVSS is rated 7.5 (High) with confidentiality, integrity, and availability impact.
Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled RDP server, where a heap-based buffer overflow (linked to use-after-free memory corruption per vendor tags) enables arbitrary code execution on the client machine. The CVSS 7.5 score reflects high attack complexity and required user interaction, and no public exploit identified at time of analysis. SSVC assessment from CISA rates exploitation as 'none' and automatable as 'no', though technical impact is total.
Remote code execution in Microsoft Remote Desktop Client arises from a heap-based buffer overflow (CWE-122) that an unauthenticated network attacker can trigger when a victim connects to or interacts with a malicious server. Microsoft (secure@microsoft.com) is the originating reporter and has published an advisory in the MSRC update guide, with no public exploit identified at time of analysis. The CVSS 7.5 (High) rating reflects high attack complexity and required user interaction, but successful exploitation yields full confidentiality, integrity, and availability impact on the client host.
Remote code execution in Microsoft Remote Desktop Client is possible when a user is lured into connecting to an attacker-controlled RDP server, where a heap-based buffer overflow (CWE-122) can be triggered to run arbitrary code on the client machine. The flaw was reported by Microsoft (secure@microsoft.com) and carries a CVSS 3.1 score of 7.5, reflecting high attack complexity and the requirement for user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote code execution in Microsoft Remote Desktop Client is possible when a user is enticed to connect to an attacker-controlled RDP server, triggering a heap-based buffer overflow (CWE-122). The flaw scores CVSS 7.5 (AV:N/AC:H/PR:N/UI:R) and, while no public exploit is identified at time of analysis, the network-reachable nature and full CIA impact make it a meaningful client-side risk for users connecting to untrusted endpoints.
Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenticated attackers to crash the application by triggering an integer overflow during C2PA content processing. With a CVSS of 7.5 (AV:N/AC:L/PR:N/UI:N) and no public exploit identified at time of analysis, the bug carries pure availability impact - no data exposure or code execution - but is trivially reachable by anyone who can feed input to the library.
Heap corruption in Google Chrome's Autofill component on Windows versions prior to 149.0.7827.103 allows remote attackers to potentially achieve code execution by luring users to a malicious HTML page and convincing them to perform specific UI interactions. Chromium rates the underlying flaw as Critical severity, though CVSS scores it 7.5 due to required user interaction and high attack complexity. No public exploit identified at time of analysis.
Remote code execution in Microsoft Remote Desktop Client is possible when a user connects to an attacker-controlled or compromised RDP endpoint, where a race condition (CWE-362) can be triggered to corrupt heap memory and execute arbitrary code in the client process. The flaw is unauthenticated from the network attacker's perspective but requires user interaction to initiate the connection, and no public exploit has been identified at time of analysis.
Out-of-bounds read in the WebRTC component of Google Chrome before 149.0.7827.103 enables a remote attacker who has already compromised the GPU process to escalate into heap corruption via a crafted HTML page. Google rates this High severity and a vendor patch is available; no public exploit identified at time of analysis. The flaw is a chained-exploitation primitive rather than a standalone RCE, requiring a prior sandbox-adjacent foothold plus user interaction.
Server-side request forgery in Microsoft Exchange Server allows an authenticated attacker with low privileges to coerce the Exchange server into making arbitrary outbound requests, resulting in disclosure of sensitive information and potential integrity impact across internal network resources. The CVSS 8.1 score reflects the high confidentiality and integrity impact from a network-reachable, low-complexity attack, though no public exploit identified at time of analysis. The vulnerability is tagged as an Authentication Bypass / SSRF, suggesting the SSRF primitive may be leveraged to bypass network-based authentication boundaries (e.g., reaching internal trusted endpoints).
Relative path traversal in Visual Studio Code versions prior to 1.123.1 enables unauthenticated remote attackers to tamper with files outside the intended directory boundary, producing a high integrity impact with no confidentiality or availability loss. The CVSS vector (AV:N/AC:L/PR:N/UI:R) indicates the attack requires no privileges and is low-complexity over a network, but depends on a victim interacting with attacker-controlled content. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.
Out-of-bounds memory access in FreeSWITCH versions prior to 1.11.0 allows remote unauthenticated attackers to crash the telephony stack by sending a malformed STUN packet whose declared attribute length is smaller than the structure the parser casts it to. No public exploit has been identified at time of analysis, but the network-reachable nature of STUN on media-handling deployments makes this a denial-of-service risk for any exposed FreeSWITCH instance handling WebRTC or NAT-traversal traffic.
Denial-of-service in OpenSSL's ASN.1 content parser allows remote unauthenticated attackers to trigger a heap buffer over-read that can crash applications relying on the library for cryptographic parsing. Disclosed via the OpenSSL 4.0.1 security release on 2026-06-09 alongside more than a dozen other fixes, this issue affects every supported branch from 1.0.2 through 3.6 and 4.0. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the broad install base of OpenSSL across servers, clients, and embedded devices makes patching a priority.
Unauthenticated outbound bandwidth amplification in FreeSWITCH versions prior to 1.11.1 allows remote attackers to coerce the server into emitting roughly 20 GB of traffic per short request via the mod_verto WebSocket #SPU speed-test command. The pre-auth code path parses the requested payload size with atoi() and only rejects non-positive values, letting a peer ask for up to INT_MAX bytes and triggering a size*10 download. No public exploit is identified at time of analysis, but the high-severity CVSS (7.5, A:H) and trivial trigger make this a credible DDoS-as-a-service primitive.
Remote code execution in Microsoft Remote Desktop Client is possible when a user connects to an attacker-controlled RDP server, where a heap-based buffer overflow triggered by a race condition (CWE-362) allows arbitrary code execution on the client machine. The flaw carries a CVSS 7.5 (High) rating with high attack complexity and required user interaction, and no public exploit identified at time of analysis. Microsoft has released a patch via MSRC advisory CVE-2026-42913.
Denial of service in OpenSSL 3.5.x, 3.6.x, and 4.0.0 stems from a NULL pointer dereference triggered during QUIC server initial packet handling, allowing remote unauthenticated attackers to crash affected servers by sending crafted QUIC traffic. The flaw was disclosed via the OpenSSL 4.0.1 security release on 2026-06-09 alongside multiple other CVEs; no public exploit identified at time of analysis and no CISA KEV listing. Patched versions are available from the upstream project and downstream distributions including Ubuntu (USN-8414-1).
Denial-of-service via improper access control in Spring HATEOAS affects versions 1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, and 3.0.0-3.0.3, where the internal PropertyUtils.createObjectFromProperties method performs reflection-based bean property binding while ignoring Jackson access-control annotations (@JsonIgnore, @JsonProperty access modes). Remote unauthenticated attackers sending crafted Collection+JSON or UBER media type payloads can bind to properties the developer explicitly marked as inbound-restricted, causing high-availability impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Denial of service in FreeSWITCH prior to version 1.11.1 allows remote unauthenticated attackers to crash the entire telephony process by sending a single WebSocket frame carrying a deeply nested JSON document. The recursive parsing exhausts the worker thread's stack and triggers SIGSEGV via the kernel stack guard page, terminating all active calls and sessions on the host. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the trivial network-reachable trigger and availability-only impact make it a credible service-disruption risk for exposed VoIP infrastructure.
Denial of service in FreeSWITCH versions prior to 1.11.0 allows unauthenticated remote attackers to exhaust CPU and memory by sending a single SIP PUBLISH request whose PIDF body contains a malicious DTD with nested entity declarations. The bundled XML parser expands these entities before any digest authentication check, making this a pre-auth resource exhaustion vector (CWE-776, classic 'billion laughs'). No public exploit identified at time of analysis, but the CVSS 7.5 availability-only impact reflects a high-confidence DoS condition against any exposed FreeSWITCH instance.
Memory exhaustion in Spring HATEOAS versions 1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, and 3.0.0-3.0.3 allows remote unauthenticated attackers to cause denial of service by sending requests with attacker-controlled link relation strings that accumulate indefinitely in an unbounded static cache of StringLinkRelation instances. With a CVSS 7.5 (high availability impact) and no public exploit identified at time of analysis, the issue is straightforward to trigger against any internet-facing Spring HATEOAS endpoint that derives link relations from request data. Not listed in CISA KEV.
Denial of service in Spring Framework 5.3.0 through 5.3.48 allows remote unauthenticated attackers to exhaust server resources by submitting crafted Spring Expression Language (SpEL) expressions that trigger an integer overflow during evaluation. The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, and no public exploit identified at time of analysis. Applications that evaluate untrusted SpEL input are at greatest risk.
Denial of service in Spring Framework's Spring MVC and WebFlux static resource resolution allows remote unauthenticated attackers to exhaust application resources, affecting versions 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7. The CVSS 7.5 score reflects high-impact availability damage over the network with no privileges or user interaction, and at time of analysis no public exploit identified at time of analysis. The flaw was reported by VMware (Spring's maintainer) and is tracked under the official Spring Security advisory.
Denial-of-service in Micrometer (Spring observability library) versions 1.15.0-1.15.11 and 1.16.0-1.16.5 allows remote unauthenticated attackers to exhaust resources via specially crafted gRPC requests. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflecting availability-only impact, the issue is reachable over the network without credentials, though no public exploit identified at time of analysis. Applications embedding Micrometer's gRPC instrumentation are most exposed.
Denial of service in GPAC MP4Box v2.4 allows remote attackers to crash the application by supplying a crafted HEVC Sequence Parameter Set (SPS), triggering a segmentation violation in the gf_hevc_read_sps_bs_internal function within media_tools/av_parsers.c. No public exploit identified at time of analysis, though the bug is reachable without authentication or user interaction per the CVSS vector. Real-world impact is limited to availability of the parsing process, with no integrity or confidentiality consequences.
Denial of service in GPAC MP4Box v2.4 allows remote attackers to crash the application by supplying a crafted MP4 file that triggers a stack buffer overflow in the filein_process function. The flaw resides in in_file.c and impacts availability only, with no confirmed code-execution path; no public exploit identified at time of analysis, though POC details may surface via the linked infosec.exchange post.
Denial of service in GPAC MP4Box v2.4 allows remote attackers to crash the application by supplying a malicious MP4 file that triggers a NULL pointer dereference in the VVC (Versatile Video Coding) configuration writer. The flaw resides in gf_odf_vvc_cfg_write_bs within odf/descriptors.c and requires no authentication or user privileges beyond convincing the target to process the crafted file. No public exploit identified at time of analysis, and SSVC indicates exploitation has not been observed despite the issue being automatable.