Skip to main content
CVE-2025-55642 MEDIUM This Month

Divide-by-zero in GPAC's MP4Box AVI demuxer crashes the process when handling crafted media files with zero-declared frame counts. Specifically, avidmx_process() in filters/dmx_avi.c:639 fails to validate the frame count before using it as a divisor during Dasher bitrate computation, triggering an uncaught floating-point exception (FPE) when DASH segmentation is invoked. A public proof-of-concept file exists; exploitation requires no authentication or special privileges beyond delivering a malformed AVI-like input to an affected MP4Box instance. EPSS data is not yet available, and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

Information Disclosure Gpac
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-11769 MEDIUM PATCH GHSA This Month

Privilege escalation in Grafana Operator (all versions ≤ 5.23) allows any user with Kubernetes RBAC permissions to create GrafanaDashboard or GrafanaLibraryPanel resources to steal the Kubernetes service account token of the operator manager pod. The jsonnet templating language, supported via spec.jsonnetLib, is evaluated unsandboxed inside the operator manager pod, enabling a path traversal payload to read sensitive files - including the mounted service account token - and exfiltrate it through the resulting dashboard output. No public exploit is identified at time of analysis, but successful exploitation yields cluster-level privilege escalation, reflected in the vendor-assigned CVSS 4.0 subsequent-system impact of SC:H/SI:H.

Grafana Path Traversal Kubernetes Privilege Escalation Grafana Operator
NVD VulDB GitHub
CVSS 4.0
6.4
EPSS
0.0%
CVE-2026-9629 MEDIUM This Month

Stored Cross-Site Scripting in the Canvas plugin for WordPress (versions ≤ 2.5.2) allows an authenticated attacker holding contributor-level access or above to inject persistent JavaScript via the unsanitized 'tag' parameter in the block-section-heading Gutenberg block. The payload is stored in the database and executes in the browser of any user who subsequently loads the compromised page, enabling session hijacking, credential theft, or malicious redirects at scale. No active exploitation is confirmed (not listed in CISA KEV), but the low privilege bar makes this a realistic threat on multi-author WordPress installations; a fix is available in version 2.5.3.

WordPress XSS Canvas
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-9134 MEDIUM This Month

Stored Cross-Site Scripting in FooGallery WordPress plugin versions through 3.1.31 allows authenticated contributors to inject persistent JavaScript via the 'custom_attribute_key' shortcode parameter, executing against any visitor who views an affected page. The flaw combines a bypass-prone event-handler blacklist in foogallery_sanitize_javascript() - which omits handlers like 'onmouseenter' - with unescaped attribute key output in foogallery_build_container_attributes_safe(), together enabling DOM-level script injection. A patched version 3.1.32 is confirmed released; no public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress XSS Photo Gallery By Foogallery
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3297 MEDIUM This Month

Stored cross-site scripting in the Pagelayer Drag and Drop website builder plugin for WordPress (versions up to and including 2.0.9) allows authenticated contributors to inject persistent malicious scripts via the Anchor block component. Any site visitor - including privileged administrators - who loads an injected page will execute the attacker-supplied script in their browser, enabling session token theft, credential harvesting, or privilege escalation. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA's KEV catalog; however, the low authentication barrier (contributor-level) makes it realistically accessible on multi-author WordPress sites.

WordPress XSS Page Builder
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6428 MEDIUM PATCH This Month

SQL injection in Koha's reports/catalogue_out.pl grants authenticated staff with the Reports module flag full read access to the Koha MariaDB database, including borrower password hashes, 2FA secrets, API keys, session tokens, and patron PII. The vulnerability traces to a 2008 commit and was overlooked when CVE-2015-4633 patched the same injection class in sibling files. A working single-request proof-of-concept using EXTRACTVALUE error-based extraction has been publicly disclosed; no CISA KEV listing has been confirmed at time of analysis, but the low exploitation barrier for credentialed staff makes this a high-priority remediation.

SQLi Koha
NVD VulDB
CVSS 4.0
5.6
EPSS
0.0%
CVE-2025-55648 MEDIUM This Month

Heap-based buffer overflow in GPAC MP4Box (all versions prior to fix commit 61bbfd2e89553373ba3449b8ec05b5f098d732a5) allows out-of-bounds heap READ when processing a crafted MP4 file containing corrupted stsz (sample-size box) data for an Opus audio track. When a user runs MP4Box with the -dxml flag against a malicious file, gf_opus_parse_packet_header() in av_parsers.c:11297 reads 1 byte beyond a 32-byte heap allocation, 1242 bytes past the base region allocated by Media_GetSample(), potentially leaking adjacent heap memory contents and crashing the process. A public proof-of-concept MP4 file is available; no active exploitation has been recorded in CISA KEV at time of analysis.

Buffer Overflow Denial Of Service Heap Overflow Gpac
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-55649 MEDIUM This Month

NULL pointer dereference in GPAC's MP4Box fragmentation pipeline allows unauthenticated remote attackers to crash the application by supplying a crafted MP4 file with corrupted Elementary Stream Descriptor (ESD) data. The function `gf_media_map_esd()` in `media_tools/isom_tools.c` at line 1359 calls `strlen()` on `esd->URLString` without verifying the pointer is non-NULL, triggering a SEGV when the ESD contains a missing or corrupted URLString field. A public proof-of-concept MP4 file exists; no active exploitation has been confirmed (not in CISA KEV). EPSS data is not available in the provided intelligence.

Denial Of Service Null Pointer Dereference Gpac
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-55641 MEDIUM This Month

NULL pointer dereference in GPAC's MP4Box crashes the application when importing a crafted MP4 file containing corrupted Sample Auxiliary Information (SAI) metadata with an invalid sai_samples count. The function gf_isom_copy_sample_info() in isomedia/isom_write.c:8164 fails to validate pointers after SAI merge handling fails, resulting in a SEGV read at address 0x0 and an application crash. A publicly available proof-of-concept MP4 file exists on GitHub; however, this CVE is not in CISA KEV, and exploitation is constrained to a denial-of-service (process crash) with no code execution or data exposure demonstrated.

Denial Of Service Null Pointer Dereference Gpac
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-55660 MEDIUM This Month

Stack-based buffer overflow in GPAC's MP4Box tool crashes the process when parsing a crafted MP4 file containing a malformed non-self-delimited Opus packet. The function gf_opus_read_length() in media_tools/av_parsers.c performs a 2-byte out-of-bounds write into a stack-allocated pckh structure at offset 568, confirmed by AddressSanitizer at line 11140. No active exploitation is confirmed in CISA KEV, but a public proof-of-concept MP4 file is available from the reporter, and the CVSS vector (PR:N, UI:R) indicates any user or automated pipeline invoking MP4Box on untrusted Opus-bearing MP4 files is at risk of a process crash.

Denial Of Service Stack Overflow Buffer Overflow
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-55661 MEDIUM This Month

Heap-based buffer overflow in GPAC's MP4Box Opus packet parser exposes file-processing pipelines to heap memory disclosure and application crash when handling a crafted MP4 containing a malformed Opus audio track. Processing a specially constructed file via MP4Box's XML dump mode (-dxml) triggers an out-of-bounds READ of 1 byte beyond a 3-byte heap allocation inside gf_opus_parse_packet_header() at av_parsers.c:11326, with adjacent heap memory potentially leaked as a secondary consequence. No public exploitation has been confirmed (not in CISA KEV), but a functional PoC MP4 file is publicly available on GitHub, lowering the barrier for targeted abuse in automated media-ingestion workflows.

Buffer Overflow Denial Of Service Heap Overflow
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-55663 MEDIUM This Month

NULL pointer dereference in GPAC's MP4Box media tool crashes the process when importing a crafted MP4 file containing an unknown svcC box nested inside an av01 parent box. The unsupported-box handling path in the ISOBMFF parser leaves the sample entry pointer uninitialized; Track_SetStreamDescriptor() at isomedia/track.c:1677 subsequently dereferences this invalid pointer during bitrate update processing without validation, producing a SEGV. No active exploitation has been confirmed (not in CISA KEV), but a public proof-of-concept MP4 file is available at the reporter's GitHub repository, and the CVSS-assigned severity is 4.3 MEDIUM (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-55650 MEDIUM This Month

Heap use-after-free in GPAC MP4Box's MPEG-4 LASeR/SVG processing path crashes the tool when parsing a crafted MP4 file with the -svg conversion flag. The flaw occurs in gf_svg_node_del() at svg_types.c:107, where an SVG node is freed and then read again during scene graph teardown via gf_sg_reset()/gf_node_unregister(), confirmed by AddressSanitizer. Impact is limited to availability (process crash/DoS); no confidentiality or integrity impact is demonstrated. A public proof-of-concept MP4 file exists on GitHub; no active exploitation has been confirmed by CISA KEV.

Denial Of Service Memory Corruption Use After Free Gpac
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-55647 MEDIUM This Month

Integer overflow in GPAC's MP4Box causes an out-of-memory crash when processing crafted MP4 files with malformed Protection System Specific Header (PSSH) metadata during DASH segmentation. The function mp4_mux_cenc_insert_pssh() in filters/mux_isom.c fails to validate attacker-controlled kid_count and dataSize fields before using them in a buffer size calculation, causing realloc() to request approximately 61 GB (0xe40000100 bytes), which crashes the process. A public proof-of-concept MP4 file is available on GitHub; no active exploitation has been confirmed and no CISA KEV listing exists. The CVSS 3.1 score of 4.3 MEDIUM reflects the user-interaction requirement and limited availability impact.

Denial Of Service Integer Overflow Gpac
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-55644 MEDIUM This Month

Use-after-free memory corruption in GPAC's MP4Box triggers via gf_node_get_tag when parsing a crafted MP4 file containing an invalid BIFS GlobalQuantizer command. Any user or automated pipeline processing an attacker-supplied MP4 file with an affected GPAC build is exposed. Exploitation could yield arbitrary code execution or a reliable crash, depending on heap layout at the time of the free. No public exploit code or CISA KEV listing has been identified at time of analysis.

Denial Of Service Memory Corruption Use After Free Gpac
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-54231 MEDIUM This Month

Content injection in libreport's ABRT post-create event handler grants a low-privileged local user the ability to control file content that the root process writes into crash dump directories. When a monitored process crashes, the event handler script queries the systemd journal for matching log entries and writes the results directly to dump directory files without stripping embedded control characters - allowing an attacker who can write syslog messages to pre-position newline-delimited payloads that corrupt or inject arbitrary lines into those root-owned files. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is constrained to local access with low privileges.

Denial Of Service Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-12089 MEDIUM This Month

Arbitrary file read in the LWS Optimize WordPress plugin (versions up to and including 3.3.19) permits authenticated users with Editor-level access or above to retrieve any file readable by the web-server process, including sensitive files such as wp-config.php. The vulnerable `combine_current_css()` function blindly trusts stylesheet href values harvested from page HTML, resolves them to absolute filesystem paths, and passes them to `file_get_contents()` without enforcing a safe-directory boundary or a `.css` extension check - a classic CWE-22 path traversal pattern. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the attack path is straightforward given the source code is publicly accessible in the WordPress plugin repository.

Path Traversal WordPress Lws Optimize All In One Speed Booster Cache Tools
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-1291 MEDIUM This Month

Meow Gallery plugin for WordPress (all versions through 5.4.4) exposes an unprotected REST API endpoint that permits any authenticated user with Author-level access or above to overwrite or create arbitrary gallery shortcode records by supplying a user-controlled `id` parameter. The endpoint `/wp-json/meow-gallery/v1/save_shortcode` performs direct database write operations without verifying ownership of the referenced record, making this a classic CWE-639 (IDOR) pattern. No public exploit or CISA KEV listing has been identified at time of analysis; however, the low attack complexity and wide availability of Author-level accounts in multi-contributor WordPress environments elevate real-world risk above what the CVSS 4.3 score alone suggests.

Authentication Bypass WordPress Meow Gallery
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2470 MEDIUM This Month

Incorrect authorization in the Pagelayer WordPress plugin (versions up to and including 2.0.9) allows authenticated attackers with Contributor-level access to inject arbitrary contact-form mail templates into post metadata via the pagelayer_save_content AJAX handler, which are subsequently consumed without privilege enforcement by the unauthenticated pagelayer_contact_submit endpoint through user-controlled post and form identifiers. The practical impact is attacker-defined control over outbound email templates dispatched from the affected site, exploitable by any registered Contributor without admin interaction. No public exploit has been identified at time of analysis, but the Wordfence advisory notes this vulnerability may be chained with CVE-2026-2442 to further amplify attacker control over outbound email behavior.

Authentication Bypass WordPress Page Builder
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy