WP Vault 0.8.6.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting an unescaped parameter in the include functionality. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
BitLocker's protection mechanism on Windows fails to enforce a critical authentication or verification step, permitting a physically present attacker to bypass full-disk encryption without credentials, a recovery key, or elevated privileges. Despite a CVSS score of 6.8 (Medium) - moderated by the physical access requirement - the impact ratings are High across confidentiality, integrity, and availability, meaning successful exploitation grants complete access to encrypted data and the underlying system. No public exploit has been identified at time of analysis, and Microsoft has released a patch via the MSRC update guide.
Security feature bypass in Microsoft Windows BitLocker allows an attacker with physical access to circumvent the drive encryption protection mechanism. Affected systems can have BitLocker-protected data accessed despite the encryption-at-rest control being enabled, undermining a core platform confidentiality boundary. There is no public exploit identified at time of analysis, but the vulnerability is reported by Microsoft (secure@microsoft.com) as a protection mechanism failure with high impact across confidentiality, integrity, and availability.
Local file tampering via symlink/junction following in Microsoft .NET runtimes 8.0, 9.0, and 10.0 allows a local unauthenticated attacker to redirect file operations to unintended targets, achieving high-integrity impact without requiring elevated privileges. The vulnerability stems from improper link resolution (CWE-59) before file access, enabling unauthorized modification of files the attacker would otherwise lack write access to. No public exploit identified at time of analysis and no CISA KEV listing, but the low attack complexity (AC:L) and absence of privilege requirements (PR:N) make exploitation straightforward for any actor with local access.
Denial-of-service in the Windows TCP/IP stack allows an authenticated attacker on an adjacent network to crash the networking subsystem of affected Windows hosts via an incorrect buffer size calculation. Affected systems span Windows 10 (21H2, 22H2), Windows 11 (23H2 through 26H1), Windows Server 2022, and Windows Server 2025 - all unpatched builds within Microsoft-documented version ranges. No public exploit identified at time of analysis, though Microsoft has released fixes addressable via Windows Update; the vulnerability is not listed in the CISA KEV catalog.
Windows Push Notifications on a broad range of Windows 10, Windows 11, and Windows Server editions leaks sensitive memory contents to locally authenticated low-privileged users through an uninitialized resource condition (CWE-908). The CVSS vector confirms local attack vector with low-privilege authentication requirement, no user interaction needed, and high confidentiality impact - meaning an attacker who has already obtained a standard user account can read residual memory data that could include tokens, credentials, or other sensitive artifacts. No public exploit code exists and no active exploitation has been identified at time of analysis; a vendor-released patch is available via Microsoft Security Response Center.
Windows Push Notifications contains a use-of-uninitialized-resource flaw (CWE-200) that enables a locally authenticated attacker to read sensitive information from memory without elevation of privilege. Affecting a wide range of Windows 10, Windows 11, and Windows Server builds, the vulnerability requires only low-privilege local access and no user interaction to trigger. No public exploit code has been identified at time of analysis, and CISA SSVC rates exploitation as none with partial technical impact, placing this in a lower-urgency remediation band despite the High confidentiality rating in the CVSS vector.
Windows Push Notifications on multiple Windows 10, Windows 11, and Windows Server versions exposes sensitive memory contents through an uninitialized resource condition, allowing a low-privileged local user to read high-confidentiality data without any user interaction. The CVSS vector (AV:L/PR:L) confirms this is strictly a local privilege issue - no remote attack path exists - limiting its practical blast radius to insider threats and post-compromise lateral reconnaissance. No public exploit has been identified at time of analysis, and Microsoft has released patches addressing all listed affected versions.
Windows Push Notifications contains a use-of-uninitialized-resource flaw (CWE-200) that enables authenticated local attackers to disclose sensitive information across a wide breadth of Microsoft Windows desktop and server platforms. Spanning Windows 10 through Windows 11 25H2 and Windows Server 2012 through Server 2025, the vulnerability carries a CVSS 5.5 Medium score with high confidentiality impact (C:H) but no integrity or availability impact. Microsoft has released patches via the June 2026 Patch Tuesday cycle; no public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Mark of the Web (MOTW) protection mechanism failure across a broad range of Windows client and server releases allows unauthenticated network-based attackers to deliver files that evade the Zone.Identifier security tag, bypassing downstream defenses such as SmartScreen and Office Protected View that depend on MOTW presence. User interaction is required to trigger the bypass, limiting automated mass exploitation. No public exploit code exists and CISA has not listed this in KEV; however, the breadth of affected Windows versions - spanning Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 R2 through 2025 - gives this vulnerability significant surface area as a link in social-engineering attack chains.
BitLocker drive encryption on Windows can be bypassed by a physically present, unauthenticated attacker, exposing protected volume contents with high confidentiality impact. Classified as CWE-693 (Protection Mechanism Failure), the flaw undermines BitLocker's core threat model - data-at-rest protection - across a wide range of Windows 10, Windows 11, and Windows Server releases from 2012 through 2025. No public exploit has been identified at time of analysis, and Microsoft has released patches for all affected versions; however, the physical access requirement means organizations with mobile or physically accessible systems should treat this as a higher operational priority than the CVSS score alone implies.
Insufficient authorization in TYPO3 CMS's Recycler module allows authenticated backend users to restore soft-deleted records on pages or database tables they are not permitted to modify, resulting in unauthorized integrity impact across the content management system. Affected are TYPO3 CMS versions before 10.4.57 and multiple branches through 14.3.3, with fixes delivered via two upstream commits and documented under TYPO3-CORE-SA-2026-011. No public exploit code or CISA KEV listing has been identified at time of analysis, but the attack is network-accessible and requires only low-privilege backend credentials.
Reflected cross-site scripting in OpenClinic GA 5.351.19's DICOM image upload handler allows unauthenticated remote attackers to execute arbitrary JavaScript in authenticated users' browsers by embedding payloads in DICOM file metadata fields such as Study Description, which are reflected unsanitized through popup.jsp and archiving/uploadfiles_jsp.java. A publicly available proof-of-concept exists, and the researcher's published chain explicitly demonstrates escalation from this XSS primitive to remote code execution, materially elevating the real-world severity beyond the CVSS 5.3 score. No public exploit identified as confirmed actively exploited (CISA KEV) at time of analysis, but the healthcare context and documented RCE chain make this a high-priority finding for any OpenClinic GA deployment.
Reflected cross-site scripting in OSCAL-GUI allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting payloads through the unsanitized `project` parameter in `oscal-forms.php`. The parameter is URL-decoded and passed without sanitization into an error message via the `Messages()` function in `oscal-functions.php`, which is then reflected directly into the HTML response body when the supplied project ID does not match any existing record. A publicly available proof-of-concept exploit exists; the vulnerability is not confirmed in CISA KEV, and real-world impact is constrained by the CVSS UI:A requirement for victim interaction, making targeted phishing the primary delivery mechanism.
Path traversal in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables an authenticated low-privileged attacker to execute code over a network by escaping the intended directory scope. Affected builds span all three actively maintained SharePoint Server product lines, with vendor-confirmed patches available for each. No public exploit code has been identified at time of analysis, and this CVE is not currently listed in the CISA KEV catalog; however, the low attack complexity (AC:L) and no user interaction requirement (UI:N) make it a credible target for exploitation once an attacker has any valid SharePoint credential.
Information disclosure in Visual Studio Code versions 1.0.0 through 1.123.0 allows an unauthenticated remote attacker to exfiltrate sensitive information over a network by inducing user interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:R/C:H) indicates that while no authentication or elevated complexity is required on the attacker's side, the victim must perform some interaction to trigger the exposure - likely opening a malicious file, workspace, or following a crafted link within the IDE environment. No public exploit code or CISA KEV listing has been identified at time of analysis, but the high confidentiality impact and zero-privilege requirement make this a meaningful risk for developer workstations handling secrets, tokens, or source code.
Server-side request forgery in Microsoft Exchange Server allows an authenticated attacker with low privileges to coerce the Exchange server into making arbitrary outbound requests, resulting in disclosure of sensitive information and potential integrity impact across internal network resources. The CVSS 8.1 score reflects the high confidentiality and integrity impact from a network-reachable, low-complexity attack, though no public exploit identified at time of analysis. The vulnerability is tagged as an Authentication Bypass / SSRF, suggesting the SSRF primitive may be leveraged to bypass network-based authentication boundaries (e.g., reaching internal trusted endpoints).
Relative path traversal in Visual Studio Code versions prior to 1.123.1 enables unauthenticated remote attackers to tamper with files outside the intended directory boundary, producing a high integrity impact with no confidentiality or availability loss. The CVSS vector (AV:N/AC:L/PR:N/UI:R) indicates the attack requires no privileges and is low-complexity over a network, but depends on a victim interacting with attacker-controlled content. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.
Cross-site scripting and server-side request forgery in Microsoft Exchange Server enables authenticated low-privilege network attackers to perform spoofing and exfiltrate sensitive information. Affected are Exchange Server 2016 CU23, 2019 CU14, 2019 CU15, and the Subscription Edition RTM release lines, all below their respective patched cumulative update builds. No public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though Microsoft has released patches across all affected branches.
Cross-site scripting in Microsoft Exchange Server's web interface enables unauthenticated remote attackers to perform spoofing attacks against users of Exchange Server 2016, 2019, and Subscription Edition. The CVSS vector (PR:N/UI:R/S:C) indicates no attacker authentication is required, but a victim must interact with a crafted link, and the Changed Scope means injected scripts can cross browser security boundaries within the Exchange session. No public exploit has been identified at time of analysis, and vendor-released patches are available addressing all affected cumulative update branches.
Cross-site scripting in Microsoft SharePoint enables network-based spoofing attacks by injecting malicious scripts into web page output. The vulnerability (CWE-79) targets users of the SharePoint web interface and, when triggered via user interaction, allows an attacker to manipulate page content or impersonate legitimate UI elements - degrading both confidentiality and integrity. No public exploit or active exploitation has been identified at time of analysis, though the low-complexity network vector lowers the bar for opportunistic abuse.
Remote code execution affects NETGEAR gaming routers (XR1000, MR70, MS70, RAXE500) when an attacker holds an on-path man-in-the-middle position between the device and the internet. The CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N) confirms no privileges are needed on the target device but requires both high attack complexity and a specific network prerequisite - the ability to intercept and tamper with upstream traffic. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Resource exhaustion in Hermes WebUI before v0.51.270 allows unauthenticated remote attackers to degrade service availability by abusing the WebAuthn passkey options endpoint without rate limiting or challenge lifecycle enforcement. Repeated POST requests to the authentication endpoint cause the server-side challenge store file to grow without bound, generating sustained CPU load and disk I/O pressure through continuous JSON file rewrites. No public exploit identified at time of analysis and not listed in CISA KEV; EPSS data was not available in provided intelligence. The fix is confirmed in the vendor-released v0.51.270.
Unrestricted file upload via the DIGSI 5 engineering protocol in Siemens SIPROTEC 5 protective relays enables authenticated, high-privileged users on an adjacent network to upload malicious configuration files, causing denial of service or potentially achieving code execution on the affected device. All hardware variants (CP050/CP100/CP150/CP200/CP300) across more than 60 distinct SIPROTEC 5 model lines are affected, with no patched firmware version available. No public exploit identified at time of analysis, but the presence of RCE and DoS tags alongside a confirmed CWE-434 root cause makes this a meaningful operational technology (OT) risk in poorly segmented substation environments.
Out-of-bounds read in Windows DHCP Server exposes adjacent memory contents and can crash the service, yielding both information disclosure and a high-severity denial-of-service condition on affected Windows systems. The flaw (CWE-125) is exploitable locally with low attack complexity and no user interaction, targeting systems where the DHCP Server role is installed across a broad range of Windows 10, 11, and Server editions from 2012 through 2025. No public exploit has been identified at time of analysis, and Microsoft has released patched builds via the MSRC update guide (CVE-2026-45608).
MongoDB Server leaks SASL authentication credentials into plaintext server logs when connection health metric logging is enabled, exposing database passwords to any local actor with log file read access. The flaw (CWE-532) affects all versions per the available CPE data and was self-disclosed by MongoDB, indicating a vendor-acknowledged issue without a confirmed patch version at time of analysis. A low-privileged local attacker who can read the MongoDB log directory can harvest credentials and authenticate directly to the database - no public exploit exists at time of analysis, and it is not listed in the CISA KEV catalog.
Unrestricted resource allocation in AMD µProf allows a local low-privileged user to consume excessive system resources, resulting in a loss of availability (denial of service). The CVSS 4.0 score of 6.8 reflects a locally exploitable, low-complexity attack requiring only low privileges with no user interaction needed. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; however, the straightforward nature of resource exhaustion attacks makes it a realistic local threat on systems where AMD µProf is deployed.
Improper access control in AMD µProf exposes a kernel-shared memory section to low-privileged local users, enabling writes that can crash the system or cause a denial of service. All AMD µProf versions prior to 5.3 are affected across supported platforms. No public exploit code has been identified and this CVE is not listed in CISA KEV, but the CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N) indicates straightforward local exploitation requiring only basic user privileges with no additional complexity or user interaction.
Plaintext credential exposure in MongoDB Server allows a local authenticated attacker to retrieve the LDAP query password from log files. When an administrator uses the runtime setParameter command to configure the ldapQueryPassword parameter, MongoDB writes the new password value to mongod.log in cleartext. Any local user with read access to the log file - a broad class on many deployments - can silently capture these credentials and use them to authenticate against or query the connected LDAP directory. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Heap corruption via use-after-free in Chrome's Ozone display subsystem (versions prior to 149.0.7827.103) enables a local attacker with physical device access to achieve high-impact compromise across confidentiality, integrity, and availability. The CVSS vector (AV:P/AC:L/PR:N/UI:N) confirms physical presence is the primary prerequisite, with no authentication or user interaction required once access is obtained. No public exploit code or CISA KEV listing has been identified at time of analysis; a vendor-released patch is available in Chrome 149.0.7827.103.
Fortinet FortiOS and FortiProxy expose an internal debug interface (CWE-1244) that allows authenticated administrators to execute arbitrary Lua scripts through crafted CLI commands, exceeding their intended administrative scope. The vulnerability spans broad version ranges of both products, including FortiOS 6.4 through 7.6.2 and FortiProxy 7.0 through 7.6.3. While exploitation requires existing high-privilege (admin) access - limiting opportunistic attack surface - the CVSS temporal vector (E:P) confirms a proof-of-concept exploit exists, and the official fix is available (RL:O). No public exploit identified at time of analysis beyond the proof-of-concept, and this vulnerability is not listed in CISA KEV.
Permission control failure in the audio framework of Huawei HarmonyOS and EMUI allows a local attacker with no special privileges, but requiring user interaction, to access confidential audio service data with high confidentiality impact alongside minor integrity and availability effects. The vulnerability stems from improper permission enforcement (CWE-275) within the audio subsystem. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the local-attack-vector with user interaction requirement limits mass exploitation.
Unintended data disclosure in SAP's Operational Data Provisioning RFC (ODP-RFC) modules stems from missing caller identification controls that fail to restrict invocation to permitted SAP-internal applications. Highly privileged customer or third-party applications can invoke these internal RFC modules outside their intended usage context, exposing sensitive operational data across a Changed scope boundary (S:C). No public exploit has been identified at time of analysis, and this is not listed in CISA KEV; however, the High confidentiality impact combined with scope change warrants attention in SAP environments where ODP is exposed to external RFC consumers.
Null pointer dereference in Windows Kerberos enables an authenticated network attacker to crash the Kerberos service, causing denial of service. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms exploitation is achievable over the network by any low-privilege authenticated user with no user interaction required, resulting in high availability impact (A:H) with no confidentiality or integrity consequences. No active exploitation confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.
Information disclosure in Windows Shell exposes sensitive data to authenticated low-privileged attackers, with a confirmed vendor patch available. The vulnerability stems from CWE-200 improper information exposure within the Windows Shell component, allowing confidentiality compromise with no integrity or availability impact. No public exploit code or CISA KEV listing has been identified at time of analysis, but the high confidentiality impact score (C:H) and low attack complexity elevate practical concern for environments where lateral movement or credential harvesting are threat vectors.
Security feature bypass in Microsoft Visual Studio Code allows a local unauthenticated attacker to circumvent a built-in protection mechanism through improper input validation, requiring user interaction to trigger. With CVSS 7.1 and scope-changed impact (S:C) yielding high confidentiality exposure, the flaw lets a crafted input cross VS Code's trust boundary on the local host. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Out-of-bounds read in Microsoft Office triggers local information disclosure when a victim opens a crafted document, exposing adjacent memory contents with high confidentiality impact. The vulnerability spans a wide product surface including Office 2016 through LTSC 2024, Microsoft 365 Apps for Enterprise, multiple SharePoint Server versions, and Mac variants, as confirmed by EUVD-2026-35664. No public exploit or CISA KEV listing is identified at time of analysis; vendor-released patches are available across affected product lines.
Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP service by submitting a crafted password hash shorter than 16 bytes during authentication. The SMD5 password storage plugin performs an unsigned integer underflow (CWE-191) when computing salt length from this malformed input, producing a buffer over-read that terminates the server process. No public exploit code exists and this vulnerability has not been confirmed actively exploited (CISA KEV), but the impact is a complete loss of LDAP availability with low attack complexity once the required privilege level is achieved.
{id} endpoint. The root cause is an uncaught exception (CWE-400) that propagates unhandled through the job scheduling subsystem, making availability the sole impact with no confidentiality or integrity loss. A public vulnerability disclosure repository exists, lowering the bar for exploitation by any attacker who already holds the required permission.
Denial-of-service in FlashMQ MQTT broker prior to version 1.26.2 allows any authenticated (low-privilege) connected client to crash the entire broker process by deliberately exceeding the permitted write buffer over-commit threshold. The crash occurs because the resulting internal safeguard exception is raised in a C++ destructor code path during stack unwinding - a context where exceptions cannot be caught - forcing a call to std::terminate() and aborting the server. No public exploit has been identified at time of analysis, but exploitation requires only valid MQTT credentials, making this a realistic risk for any FlashMQ deployment with untrusted or semi-trusted client populations.
Denial-of-service in GPAC MP4Box v2.4 allows remote attackers to crash the multimedia tool via a crafted MP4 file that triggers a floating-point exception in the gf_opus_parse_packet_header function. No public exploit identified at time of analysis, and CISA has not listed this in KEV; SSVC scoring indicates exploitation has not been observed but the flaw is automatable with partial technical impact. CVSS 7.5 reflects high availability impact achievable without authentication or user interaction once a malicious file is processed.
NULL pointer dereference in GPAC MP4Box v2.4 allows unauthenticated remote attackers to crash the application by delivering a crafted MP4 file that a user opens. The vulnerable function ctts_box_write in isomedia/box_code_base.c fails to validate a pointer before dereferencing it when processing a malformed Composition Time to Sample (ctts) box, resulting in a denial-of-service condition. No public exploit code or active exploitation has been identified; SSVC rates exploitation status as none, though delivery is rated automatable.
Server-side file exfiltration in the Slider Revolution WordPress plugin (≤7.0.10) allows any authenticated subscriber to copy arbitrary server files into the publicly accessible uploads directory. Three compounding design flaws enable this: a backend AJAX nonce is leaked to all authenticated users via the admin_footer hook, the image-creation action bypasses administrator-only access controls via an explicit allowlist entry, and the underlying file-copy function accepts local filesystem paths without restriction to HTTP/HTTPS URLs. No public exploit code or active exploitation has been identified at time of analysis, but the low privilege bar (subscriber-level account) and high confidentiality impact make this a meaningful risk for any WordPress site with open user registration.
Improper access control in Fortinet FortiPortal versions 7.0.x (all), 7.2.0-7.2.8, and 7.4.0-7.4.7 enables an authenticated low-privilege attacker to bypass authorization controls and gain unauthorized read access to sensitive data. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) indicates low-complexity network exploitation by any authenticated user, resulting in high confidentiality impact with no integrity or availability loss. No public exploit identified at time of analysis based on CISA KEV, though publicly available exploit code exists per the CVSS temporal E:P metric, and Fortinet has issued an official fix.
Server-side request forgery (SSRF) in Spring Framework's UriComponentsBuilder affects applications that use this API to parse and validate externally supplied URL strings. Incorrect host parsing allows a remote, unauthenticated attacker - with user interaction - to cause the application server to issue requests to unintended internal or external destinations, exposing low-level confidentiality and integrity impacts. No public exploit identified at time of analysis and no CISA KEV listing; however, SSRF in widely deployed Java frameworks warrants attention in any internet-facing application that processes user-controlled URLs.
Site isolation bypass in Google Chrome's Extensions subsystem prior to 149.0.7827.103 enables a remote attacker who has already compromised the renderer process to defeat cross-origin security boundaries via a crafted HTML page requiring one user interaction. The root cause is CWE-20 (Improper Input Validation) in the Extensions layer, meaning the Extensions subsystem fails to adequately validate untrusted input before acting on it across site isolation boundaries. EPSS is low at 0.02% (6th percentile), no public exploit code or CISA KEV listing exists at time of analysis, and a vendor patch is confirmed at 149.0.7827.103.
Site isolation bypass in Google Chrome Extensions (versions prior to 149.0.7827.103) enables a remote attacker who has already compromised the renderer process to escape cross-origin content boundaries via a crafted HTML page. The vulnerability stems from improper input validation (CWE-20) in the Extensions subsystem, producing a high integrity impact (I:H) with no confidentiality or availability loss per the CVSS vector. No public exploit code exists and no active exploitation has been confirmed, with EPSS at 0.02% (6th percentile), consistent with a chained, high-complexity attack path.
Path traversal in Apache Airflow's Samba provider exposes Samba target file systems to arbitrary write operations when GCSToSambaOperator processes GCS object names containing directory traversal sequences. Disclosed on 2026-06-09 via the oss-security mailing list by Apache committer Jarek Potiuk as a pre-NVD disclosure, the vulnerability enables any party who can influence GCS object names in the source bucket to write files outside the intended destination directory on the Samba share. No public exploit code has been identified at time of analysis, and CVSS scoring is not yet available.
Denial-of-service via crafted TIFF image upload in Apache Answer through 2.0.0 allows an authenticated user to crash the server process by triggering excessive memory allocation during image decoding. The vulnerability stems from improper handling of specially crafted TIFF files in the file upload feature, where no bounds are placed on memory consumed during the decode phase. No public exploit code or active exploitation has been identified at time of analysis; however, the low technical barrier to trigger the crash once authenticated elevates its operational risk for community and enterprise deployments.
Insufficient validation of user-supplied avatar image URLs in Apache Answer through 2.0.0 allows authenticated users to set arbitrary external URLs as profile images, causing the platform or clients to issue outbound HTTP requests to attacker-controlled servers on page load. This exposes user IP addresses, HTTP headers, and browsing activity to third-party infrastructure whenever affected profiles are viewed. Rated moderate severity by Apache; no public exploit identified at time of analysis and not listed in CISA KEV.