Null pointer dereference in ImageMagick's distort operation crashes the processing process when an attacker supplies malformed distort arguments via a crafted image. Affected are all ImageMagick 6.x versions prior to 6.9.13-50 and all 7.x versions prior to 7.1.2-25. An unauthenticated remote attacker who can cause a target application to process a specially crafted image can trigger a DoS; no public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Open redirect in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier) enables unauthenticated remote attackers to craft login URLs with a malicious external domain in the 'from' parameter under the 'Delegate to servlet container' security realm, silently redirecting authenticated users to attacker-controlled sites post-login for phishing purposes. The CVSS vector (PR:N, UI:R) confirms no attacker authentication is needed, but victim interaction is mandatory - the user must click a crafted link and complete a login. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; vendor-released patches are available as of 2026-06-10.
Open redirect in Jenkins login flow enables phishing attacks by exploiting improper redirect URL validation. Tab or newline characters injected between `//` in a post-login redirect URL bypass Jenkins' legitimacy check, redirecting authenticated victims to attacker-controlled sites. Affects Jenkins weekly 2.567 and earlier and LTS 2.555.2 and earlier; vendor-released patches are available. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the bypass technique is trivially derivable from the public advisory.
Authorization bypass in Sharp (code16/sharp Laravel CMS package) versions 9.0.0 through 9.22.3 permits authenticated users lacking create permissions to invoke Quick Creation Command endpoints directly, circumventing the authorization layer to either retrieve entity creation forms or submit new records. The root cause is a missing `authorizationManager->check('create', $entityKey)` call in both the constructor and the `create` method of `ApiEntityListQuickCreationCommandController`, meaning the restriction enforced at the entity list level was not replicated at the command controller level. No public exploit exists and no CISA KEV listing is present; vendor-released patch v9.22.3 closes both vulnerable endpoints.
Input validation bypass in Fission (Kubernetes-native serverless framework) prior to version 1.25.0 allows authenticated users with Kubernetes API access to create HTTPTrigger resources with malformed or unsafe URL paths, achieving low-integrity routing manipulation. The RelativeURL and Prefix fields in HTTPTriggerSpec were validated only at the Fission CLI layer; when the post-CRD-modernization admission webhook was retired in favor of API-server CEL, no CEL rules were authored for those two fields - leaving a complete gap exploitable via kubectl apply or direct Kubernetes REST API calls. No public exploit code exists and this CVE is not listed in CISA KEV, but the bypass is straightforward for any cluster user with HTTPTrigger create rights.
ANSI escape code injection in Splunk SOAR versions below 8.5.0 allows an unauthenticated remote attacker to embed terminal control sequences into application log files via crafted HTTP request paths. When an administrator subsequently views those logs in a terminal emulator, the escape codes may be interpreted, enabling visual output manipulation such as overwriting displayed text, hiding log entries, or altering terminal state. No public exploit code has been identified at time of analysis, and exploitation requires administrator interaction with affected log output, keeping real-world risk moderate despite the low authentication barrier.
Roxy-WI 8.2.6.4 and prior exposes a broken object-level authorization flaw in its audit history endpoint, allowing any authenticated user to read any other user's full action audit trail. The GET /history/user/<server_ip> endpoint conflates the server_ip path parameter with a user identifier and performs no authorization check, meaning a guest account in an unrelated group can enumerate administrators' operational history including server IPs touched, configs deployed, and services restarted. No patch is available at time of publication; no public exploit code or active exploitation has been identified.
Missing authorization checks in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier) expose user-specific configuration data to any authenticated user holding the Overall/Read permission. Authenticated low-privilege users can query the timezone setting of any Jenkins user account and enumerate the names of views configured within other users' 'My Views' personal dashboards, constituting an information disclosure weakness. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis, placing real-world risk in the low-moderate tier primarily relevant to multi-tenant or shared Jenkins deployments.
Missing authorization enforcement in Jenkins allows low-privileged authenticated users to cancel build queue items they lack permission to view. Affecting Jenkins 2.567 and earlier (LTS 2.555.2 and earlier), this CWE-862 flaw breaks the expected access control invariant that Item/Cancel should be constrained by Item/Read visibility. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis, but the low attack complexity and network accessibility make it a realistic threat in multi-tenant Jenkins deployments where fine-grained RBAC is in use.
Open redirect exploitation in Jenkins allows unauthenticated network attackers to craft login URLs that bypass the post-authentication redirect validation and forward users to attacker-controlled external sites. Affected are Jenkins weekly releases through 2.567 and LTS releases through 2.555.2, where the redirect URL legitimacy check fails when the URL contains relative path segments such as `./` or `../`. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, placing this in a moderate-risk, phishing-enablement category rather than a direct system compromise class.
Improper certificate validation in Spring AMQP allows a network-positioned attacker to perform a man-in-the-middle attack against applications that configure broker connections via RabbitConnectionFactoryBean.setUri("amqps://...") without explicitly calling setUseSSL(true). Affected are Spring AMQP versions 2.4.0 through 4.0.3 across four release lines. Although TLS encryption is established, the absence of certificate chain validation and hostname verification means a rogue broker can impersonate the legitimate RabbitMQ instance, exposing message content in transit. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV.
Memory leak in ImageMagick's wand option parser degrades availability when invalid options are supplied, affecting all versions prior to 7.1.2-25. The leak is described as small, meaning impact is limited to gradual memory exhaustion rather than immediate resource collapse. No active exploitation has been identified (not in CISA KEV), no public exploit code is known, and an EPSS score was not provided - consistent with a low-severity, locally-triggered defect. The 'Information Disclosure' tag in the source data is inconsistent with the CVSS C:N metric and the description; this discrepancy should be treated as a possible tagging error unless the vendor advisory clarifies memory-content exposure.
Arbitrary file clobber in PDM (Python Development Master) below version 2.27.0 allows an attacker who controls a cloned project repository to overwrite files outside the repository root by planting symlinks at project-local config paths (pdm.toml, .pdm-python, .python-version) that PDM writes to without symlink protection. When a developer runs any PDM command triggering a project-local config write against the malicious checkout, the tool follows the symlink and overwrites the target with attacker-influenced content - up to arbitrary file corruption relative to the invoking user's privileges. A working proof-of-concept is included in the GitHub security advisory GHSA-ghq2-5c67-fprm; no active exploitation is confirmed in CISA KEV at time of analysis.
Nil-pointer dereference in Incus daemon (incusd) versions before 7.1.0 allows any authenticated API user holding the standard can_create permission on any project to crash the entire incusd process by uploading a crafted backup tarball, causing denial of service across all projects on the affected cluster member. The vulnerable path in internal/server/storage/backend.go:795 dereferences Config.Volume without a nil guard while adjacent fields received nil-checks in sibling patches (GHSA-fwj8-62r8-8p8m, GHSA-r7w7-mmxr-47r9, GHSA-x5r6-jr56-89pv) released 2026-05-04. Publicly available exploit code exists in the form of a self-contained Go unit test and 2560-byte tarball builder included with the disclosure; no CISA KEV listing at time of analysis.
Session and OIDC state cookies in nebula-mesh up to v0.3.1 are transmitted without the Secure attribute, allowing a network-adjacent attacker who can observe a single plaintext HTTP request to recover the session cookie and fully impersonate the operator for up to 24 hours. The OIDC state cookie carries an additional CSRF risk during its 10-minute validity window, enabling an attacker to hijack the OIDC callback flow. A working reproducer is included in the GHSA advisory; no public exploit framework distribution is known and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Decrypted CA private keys in nebula-mesh linger in Go's process heap after signing operations complete, violating the keystore package's explicit zeroise contract. All versions through v0.3.6 are affected across three call sites - enroll.go:116, updates.go:297, and mobile_bundle.go:40 - each of which constructs a CAManager with a plaintext ed25519.PrivateKey and drops the reference without wiping the underlying slice. An attacker with local memory-read access can extract the plaintext CA private key from process heap, defeating the master-key envelope-encryption design's core security guarantee. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Silent security posture degradation in `@hulumi/baseline` (npm, versions < 1.4.0) allows AWS detective service configurations to appear active while being suspended, misconfigured, or inadvertently destroyed through normal Pulumi stack teardown operations. The `AccountFoundation` component's opt-in reuse mode for existing GuardDuty detectors and Security Hub configurations never validates imported resource state, meaning a suspended or slow-cadence GuardDuty detector silently passes deployment as healthy, and a routine `pulumi destroy` will call `BatchDisableStandards` to strip CIS/NIST compliance subscriptions from accounts that had those subscriptions before Hulumi was ever introduced. No public exploit identified at time of analysis; both failure modes are triggered by legitimate operator actions, not adversarial input.