Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.4.2604.3 and 10.2.2510.14) allows remote attackers to create or truncate files on the host via an unauthenticated PostgreSQL sidecar service endpoint. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) reflects trivial network exploitation, and no public exploit identified at time of analysis, though the missing-auth root cause and Splunk's high-value position in enterprise SOCs makes prompt patching warranted.
Unauthenticated arbitrary file upload in the Schema & Structured Data for WP & AMP WordPress plugin before version 1.60 allows remote attackers to upload any file type accepted by WordPress's media library through frontend AJAX handlers intended for images and videos only. The plugin fails to perform user capability checks and does not validate uploaded file content against the endpoint's declared media type. Publicly available exploit code exists via WPScan, increasing the urgency for immediate patching despite no confirmed in-the-wild exploitation.
Privilege escalation in Fission prior to version 1.24.0 allows a tenant holding environments.fission.io create/update RBAC to define Environment custom resources with privileged, allowPrivilegeEscalation, or dangerous Linux capabilities on the bare Runtime.Container or Builder.Container fields, which bypass the existing PodSpec safety validator and get scheduled under the executor's high-privilege service account. Successful abuse enables container-sandbox escape, host filesystem and network access, and node- or cluster-level compromise. No public exploit identified at time of analysis, but the upstream fix is published in v1.24.0.
Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.24.0 allows a tenant with Function CRUD permissions to supply an arbitrary Function.spec.podspec that the Container Executor merges into the executor-built podspec, resulting in a Deployment whose pods can break the container sandbox and reach node or cluster level. No public exploit identified at time of analysis, but the upstream fix (PR #3391) explicitly enumerates host namespaces, privileged contexts, hostPath mounts, service account overrides, and dangerous Linux capabilities as the abused fields. CVSS 9.9 with scope change (S:C) reflects that a low-privilege tenant can pivot beyond its own RBAC boundary.
Privilege escalation in Fission (Kubernetes-native serverless framework) prior to version 1.24.0 allows a tenant with Environment CRD write access to escape the container sandbox and reach node- or cluster-level privileges by setting unfiltered fields in spec.runtime.podSpec or spec.builder.podSpec. Because the fission-executor and fission-builder service accounts schedule pods on the tenant's behalf, attacker-controlled values for hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName are merged into pod specs without validation. No public exploit identified at time of analysis, but the patch's hardening scope (also closing GHSA-wmgg-3p4h-48x7 and GHSA-v455-mv2v-5g92) shows the issue is broader than a single field.
Privilege escalation in Fission prior to 1.24.0 allows an authenticated user with permission to create or modify Environment custom resources to abuse unvalidated podSpec passthrough fields (Environment.spec.runtime.podSpec and spec.builder.podSpec), causing MergePodSpec to propagate dangerous fields - notably AutomountServiceAccountToken - into the generated builder/runtime pods. Because the fission-builder ServiceAccount token then becomes accessible from a user-supplied container, an attacker can pivot from a Fission tenant into broader Kubernetes cluster privileges (CVSS 9.9, Scope:Changed). No public exploit identified at time of analysis.
Remote code execution in Roxy-WI versions 8.2.6.4 and prior allows authenticated low-privilege users (role ≤ 3) to inject arbitrary HAProxy directives via unvalidated JSON option fields in the HAProxy section-save API endpoints, achieving command execution as the haproxy user on every managed load balancer. No public exploit has been identified at time of analysis, but the attack is straightforward given the documented injection path through the section.j2, global.j2, and defaults.j2 Ansible templates, and no vendor-released patch is available.
Remote code execution in Roxy-WI versions 8.2.6.4 and prior allows authenticated users to write attacker-controlled content to arbitrary absolute paths on managed load balancers via the WAF rule save endpoint. By dropping a malicious cron file (e.g., /etc/cron.d/nginx_cfg_evil), an attacker achieves root-level code execution on every load balancer in the caller's group. No public exploit identified at time of analysis, and no vendor-released patch is currently available, making this a high-priority issue for any exposed deployment.
Privilege escalation and cross-tenant compromise in Roxy-WI versions 8.2.6.4 and prior allows any authenticated user - including the default guest role 4 - to install or reconfigure exporters, WAF, and GeoIP databases on every managed server regardless of tenant ownership. Because the affected installer endpoints lack role and group decorators, low-privilege users can pivot through stored SSH credentials with sudo to achieve root-level command execution on HAProxy/Nginx/Apache hosts belonging to other tenants. No public exploit identified at time of analysis, but the issue is unpatched and rated CVSS 9.9.
Unauthenticated privilege escalation in the Doctreat Core WordPress plugin (versions ≤ 1.6.8) allows remote attackers to register accounts directly as administrators by abusing insufficient role validation in the doctreat_process_registration() function. With a CVSS of 9.8 and trivial exploitability (AV:N/AC:L/PR:N/UI:N), full site takeover is possible without credentials, though no public exploit has been identified at time of analysis and the CVE is not currently listed in CISA KEV.
Arbitrary file write in kubev2v assisted-migration-agent allows an unauthenticated attacker on the same LAN to achieve code execution on the appliance by uploading a crafted gzipped tarball that bypasses path traversal checks via chained symlinks. The flaw resides in the VDDK tarball extraction routine (extractTarGz in internal/services/vddk.go) and has a high CVSS of 9.6 due to scope change and full CIA impact, though no public exploit has been identified at time of analysis.
{id}/image-url` endpoint to obtain presigned S3 download URLs for OVA images belonging to other users/organizations. The leaked OVA contains long-lived agent JWTs and source configuration, enabling cross-tenant takeover of victim sources. No public exploit identified at time of analysis, but the upstream fix in PR #1218 confirms the access-control gap.
Cross-tenant data tampering in kubev2v migration-planner allows an authenticated agent token holder to overwrite inventory and status data belonging to other tenants. The agent-API middleware accepts any valid JWT without verifying the token's source_id claim matches the source ID in the UpdateSourceInventory and UpdateAgentStatus request paths, enabling complete tenant isolation collapse. No public exploit identified at time of analysis, but the upstream fix in PR #1213 (kubev2v/migration-planner) confirms the issue is real and trivially exploitable given a low-privileged agent token.
High-severity information disclosure flaw in QNAP QTS NAS operating system versions 5.2.0 through 5.2.7.3256 build 20250913 allows remote unauthenticated attackers to obtain sensitive data over the network with low attack complexity, per CVSS v4.0 vector AV:N/AC:L/PR:N/UI:N rating 9.2. The vendor has released a fix, and notably QuTS hero is explicitly unaffected. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Metric injection in the Perl module Metrics::Any::Adapter::DogStatsd before 0.04 allows remote attackers to inject arbitrary StatsD/DogStatsD metrics by smuggling newline characters through unsanitized metric names and tags. Because the StatsD protocol treats newlines as packet delimiters for multiple metrics, attacker-controlled values forwarded into the adapter can forge additional metrics or tag payloads on the wire, with no public exploit identified at time of analysis and an EPSS score of 0.03% indicating low near-term exploitation probability.
Cross-tenant data tampering in Roxy-WI versions 8.2.6.4 and prior allows any authenticated user to silently overwrite HTTP, TCP, Ping, and DNS monitoring checks belonging to other tenants by sending a crafted PUT /smon/check request with another tenant's smon_id. The flaw stems from missing user_group authorization on the UPDATE SQL path (CWE-639, IDOR), while the DELETE path is correctly filtered - confirming the maintainers knew the right pattern but failed to apply it on update. No public exploit identified at time of analysis, and no vendor-released patch is available, raising operational risk for multi-tenant deployments.
Mass data deletion in Red Hat's kubev2v migration-planner SaaS platform allows attackers to wipe all customer sources, agents, and assessments via an unprotected DELETE /api/v1/sources endpoint. The endpoint lacks both authorization checks and tenant filtering, so a single request destroys data across the entire multi-tenant deployment. No public exploit identified at time of analysis, but the upstream fix (PR #1227) removes the endpoint entirely, confirming the issue is real and trivially reachable.
Authentication bypass in dhax/go-base Go REST API boilerplate (versions prior to commit cc82b974, merged May 17, 2026) allows remote unauthenticated attackers to forge JWT tokens for arbitrary users including administrators. The signing secret is hardcoded to the literal string 'random' in both the dev.env template and as a Viper default in cmd/serve.go, and publicly available exploit code exists in the advisory. No CISA KEV listing or EPSS data is provided, but the secret is trivially derivable from the public GitHub repository.
Message spoofing and app state corruption in Baileys WhatsApp library (versions < 6.7.22 and < 7.0.0-rc12) allow remote attackers to forge messages.upsert events, inject history sync data, and jam the app state sync system by sending crafted protocolMessage payloads via placeholderResendMessage. The flaw stems from missing self-origin checks on protocol message types that should only originate from the user's own device. No public exploit identified at time of analysis, but the upstream patch and detailed advisory provide enough information for exploit reconstruction.