Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a more-privileged Python process running from a legacy all-users installation, enabling arbitrary code execution under an elevated context. The root cause is a VPATH-based fallback landmark mechanism compiled into release builds: on Windows, VPATH resolves two directory levels above PCbuild/, placing the Modules/Setup.local landmark outside the install directory in a location writable by unprivileged users under the legacy EXE installer's default all-users path. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, high confidentiality and integrity impact (VC:H/VI:H) reflect the ability to fully substitute Python's module loading path.
OpenClaw's macOS Swift exec feature fails to correctly evaluate combined POSIX inline-command flags against its configured command allowlist, enabling a local low-privileged attacker to execute shell content that should be blocked. Affected versions are all OpenClaw releases before 2026.5.6 on macOS. Exploitation depends on an operator-configured allowlist being in place - when that allowlist is configured, a local user can bypass it entirely by using combined flag forms (e.g., `-abc` instead of `-a -b -c`), achieving high confidentiality and integrity impact. No public exploit code or CISA KEV listing has been identified at time of analysis.
Cookie integrity failure in the Hono AWS Lambda adapter (npm/hono < 4.12.25) causes multiple Set-Cookie response headers to be merged into a single comma-separated value, violating RFC 6265 and producing unparseable cookie strings on ALB single-header mode (the default deployment) and VPC Lattice v2. Applications setting more than one cookie per response - including session tokens and CSRF cookies - will find those cookies silently dropped or misparsed by clients, potentially breaking authentication flows or defeating CSRF protections without any visible server-side error. No public exploit is identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the defect is deterministic and triggers automatically on any multi-cookie response in affected deployments.
WebSocket connections in Deno 2.8.0 and earlier silently bypass `--deny-net` network sandbox rules by exploiting a missing post-DNS-resolution IP check - the runtime validates the destination hostname but never validates the IP address that hostname resolves to, enabling a classic DNS-rebinding-style SSRF (CWE-918) within the permission system. Any script running under `deno run` with `--deny-net` restrictions can weaponize an attacker-controlled domain to reach blocked hosts such as localhost or cloud metadata endpoints (e.g., 169.254.169.254). No public exploit has been identified at time of analysis, and the issue is specific to the WebSocket API; `Deno.connect` and `fetch()` are addressed in a companion advisory.
Deno's fetch() API in versions through 2.8.0 fails to validate resolved IP addresses against --deny-net policy rules, enabling sandbox escape to network destinations explicitly blocked by operators. Scripts executing under a --deny-net restriction can craft or leverage attacker-controlled DNS entries that pass hostname-level checks but resolve to denied IPs such as localhost or internal RFC-1918 addresses, silently bypassing the network isolation boundary. No active exploitation is confirmed (not in CISA KEV), no public proof-of-concept code has been identified, and the vendor has released a confirmed patch in version 2.8.1.
Deno's `process.loadEnvFile()` Node.js compatibility API silently bypasses the runtime's capability-based `env` permission system, allowing environment variable injection into `process.env` without holding any `env` permission. Deno versions v2.3.0 through v2.8.0 are affected: a program (or any imported dependency) that calls `process.loadEnvFile()` while operating under `--deny-env` or a restricted `--allow-env=ALLOWLIST` can have its environment mutated by any party able to write or control a `.env` file covered by the program's `--allow-read` grant. No public exploit has been identified at time of analysis, and no CISA KEV listing was found in the provided data, but the advisory is fully public and the bypass mechanism is well-described.
Stored cross-site scripting in Hugo's content pipeline affects all versions prior to v0.162.0 when the site ingests HTML content from untrusted sources. Hugo emitted the body of any content file mapped to the text/html media type verbatim into the rendered output, making sites backed by CMS editors, external content adapters, or automated import pipelines potential XSS delivery vehicles to end users. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the risk is material for any Hugo deployment that does not fully trust every source populating the /content directory or content adapter pipeline.
Denial-of-service in the pypdf Python library allows an attacker to cause excessive CPU consumption by supplying a crafted PDF containing a FlateDecode stream with a PNG predictor filter. Any application using pypdf to parse untrusted PDFs is affected on versions prior to 6.12.2. No public exploit is identified at time of analysis, but the attack surface is broad given pypdf's use in document processing pipelines; no special authentication is required to exploit applications that accept user-supplied PDFs.
Session fixation in osTicket v1.18.2 enables remote attackers to hijack authenticated user accounts by pre-seeding a known OSTSESSID cookie before the victim logs in. The application fails to invalidate or regenerate the session identifier upon successful authentication, so an attacker who plants a known token in the victim's browser retains access to that session once the victim authenticates. No public exploit code has been identified at time of analysis; the CVSS 4.0 score of 5.1 (Medium) reflects limited per-account impact and a mandatory victim-interaction prerequisite.
Use-after-free in Zephyr RTOS's ICMPv4 echo handler allows any unauthenticated remote host to trigger memory corruption or a crash by sending a standard ICMP ping to an affected device. The defect exists in all versions from v1.14 (2019) through v4.4.0, where `icmpv4_handle_echo_request()` reads from a freed `net_pkt` struct after transferring packet ownership to the TX path - violating a contract explicitly documented in `net_core.c`. No public exploit code exists and this CVE does not appear in CISA KEV, but the zero-privilege, network-reachable attack surface makes it a meaningful risk for internet-exposed embedded and IoT deployments running Zephyr with ICMP statistics enabled.
Unauthenticated exploitation of Postiz's `/public/modify-subscription` endpoint allowed any caller in possession of a validly signed NowPayments callback token to trigger subscription enforcement side effects against their own organization - disabling team members, dropping integrations, and resetting the scheduled-post cron - without Postiz authentication. The flaw (CWE-345) stems from the NowPayments crypto payment integration: the endpoint verified the token's cryptographic signature but never validated its intended purpose or bound it to a specific subscription-modification context. Impact is strictly self-contained; the endpoint cannot be redirected at other tenants. No public exploit code and no CISA KEV listing have been identified at time of analysis. The issue is fixed in Postiz 2.21.8.
Header chain truncation in Hono's Lambda@Edge adapter silently discards all but the last value of repeated request headers, undermining IP-based access control and audit integrity for applications deployed on AWS Lambda@Edge. The adapter incorrectly uses `Headers.set` instead of `Headers.append` when converting CloudFront's multi-value header format, meaning headers such as `X-Forwarded-For`, `Forwarded`, and `Via` are reduced to a single entry before reaching application middleware. Affected deployments using Hono versions prior to 4.12.25 on Lambda@Edge may experience weakened IP restriction logic or loss of hop-chain audit data; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.
Heap corruption in fusesource Jansi's JNI native layer exposes Java applications to denial-of-service through application crashes. The JNI wrapper around the ioctl() system call omits array-size bounds checking before passing the argument array into native heap memory, enabling a heap buffer overflow condition reachable by any local actor who can influence that code path. No fix will be released - the project is confirmed unmaintained at the time CVE-2026-8484 was assigned, and all known versions carry this defect. No public exploit code or active KEV-confirmed exploitation has been identified at time of analysis.
Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 expose a local privilege-abuse vulnerability in the ADF Faces component that allows a high-privileged attacker with infrastructure-level logon to bypass access controls and exfiltrate all ADF-accessible data. The CVSS vector (AV:L/AC:H/PR:H) confines exploitation to actors who already possess elevated local system access, making this a post-compromise lateral escalation risk rather than an initial entry point. No public exploit exists and this CVE is not listed in the CISA KEV catalog; however, the 'Authentication Bypass' tag suggests the flaw undermines role-based or session-level access separation within ADF Faces despite the attacker already holding high privileges.
Sandbox escape with information disclosure in Mozilla Firefox's Process Sandboxing component allows a remote attacker to break out of the browser sandbox and read sensitive data from the host environment when a user visits attacker-controlled content. Affected versions span all Firefox releases prior to 152 and all Firefox ESR releases prior to 140.12, patched by Mozilla in mfsa2026-57 and mfsa2026-58. No public exploit identified at time of analysis and SSVC signals no current exploitation activity, keeping real-world urgency at moderate priority despite the scope-changing nature of the flaw.
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Missing repository-unit authorization on three Gitea API endpoints allows authenticated users with only non-Code unit access (e.g., an Issues-only organization team member) to read `.gitea/ISSUE_TEMPLATE/*` and `issue_config.yaml` files from the Code default branch of a private repository. The CVSS score of 4.3 (PR:L, C:L) accurately reflects the narrow scope: exploitation is limited to those specific configuration files, not arbitrary source code. A proof of concept is publicly documented in the vendor advisory (GHSA-3fwp-p5rj-2pxf); no active exploitation is confirmed in the CISA KEV catalog at time of analysis.
Public-only scoped API tokens in Gitea bypass their declared scope constraints and expose private organization membership data through two distinct code defects in `routers/api/v1/api.go`: the `/user/orgs` route omits the `checkTokenPublicOnly()` middleware entirely, and the `checkTokenPublicOnly` function contains a Go switch-case logic flaw that skips the user-visibility check on multi-category routes. This is an incomplete remediation of CVE-2025-68941 introduced by PR #32204, affecting all Gitea instances running version 1.26.1 and earlier. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the attack is trivially reproducible from the published advisory steps.
Insecure Direct Object Reference in the Static Block WordPress plugin (versions ≤2.2) allows contributor-level authenticated users to read the full post_content of any post - including private, draft, and pending posts created by administrators - by embedding the [static_block_content id="X"] shortcode and triggering a preview. The shortcode handler in static-block.php calls get_post() with an attacker-supplied numeric ID and outputs the result without any post-status or capability verification. No public exploit code has been identified at time of analysis and this is not listed in CISA KEV, but the attack is low-complexity and requires only a standard contributor WordPress account.
Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to enumerate social login entry metadata to which they are not authorized via a crafted API request.
Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery scan results.
Cookie injection in Firefox for iOS (all versions prior to 152.0) arises from the browser's TemporaryDocument PDF handling mechanism incorrectly preserving cookies from an initial PDF request across cross-origin HTTP redirects. This violates same-origin cookie isolation, enabling a malicious site to inject arbitrary cookies into requests directed at an unrelated target domain and potentially manipulate session or authentication state on that domain. No public exploit code has been identified and no CISA KEV listing exists; the CVSS vector (AV:N/AC:L/PR:N/UI:R) indicates low-complexity remote exploitability contingent on user interaction, and Mozilla has shipped a vendor-released patch in Firefox for iOS 152.0.
Information disclosure in the Password Manager component. This vulnerability was fixed in Firefox 152.
Out-of-bounds read in Firefox's WebGPU graphics component exposes browser memory contents to remote attackers who can lure a user to a malicious webpage. All Firefox versions prior to 152 are affected, with the vulnerability stemming from incorrect boundary conditions during GPU-accelerated rendering operations. No public exploit or active exploitation has been identified at time of analysis; exploitation requires user interaction, limiting opportunistic mass exploitation despite the zero-authentication requirement on the attacker side.
The `stripHTML` template function in Caddy web server can be bypassed with malformed HTML input such as `<<>img src=x onerror=alert()>`, allowing injected HTML tags to survive sanitization and reach the browser as executable markup, resulting in client-side XSS. Affected versions are Caddy v2 <= 2.11.3 and Caddy v1 <= 1.0.5; exploitation requires the templates middleware to be active and untrusted input to be processed via `stripHTML` and rendered without further escaping. A publicly available proof-of-concept exists per the GitHub security advisory GHSA-vcc4-2c75-vc9v; no active exploitation is confirmed in CISA KEV at time of analysis.
Local confidentiality compromise in Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 exposes all ADF-accessible data to a high-privileged local attacker who can exploit the Java Business Objects component. The vulnerability requires physical or logical access to the infrastructure host and a high-complexity attack path, substantially limiting realistic threat surface. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; Oracle addressed this issue in the June 2026 Critical Security Patch Update.
Use-after-free in Zephyr's IPv4 IGMP implementation (igmp_send(), subsys/net/ip/igmp.c) allows a remote unauthenticated attacker to trigger undefined behavior and sporadic denial-of-service crashes on devices running Zephyr v2.6.0 through v4.4.0. The flaw arises because the network packet's interface pointer is re-read via net_pkt_iface(pkt) after net_send_data() may have already released the packet's last reference, returning the slab block to the free list. No public exploit code exists and the vulnerability is not in CISA KEV; however, the remote trigger path via IGMP membership queries (224.0.0.1) requires no authentication, and the analogous IPv6 MLD path (mld_send) carries the same unpatched pattern.
Local information disclosure in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged guest or host attacker to read a subset of VirtualBox-accessible data across the VM isolation boundary. The scope change (S:C) in the CVSS vector indicates the vulnerability crosses the hypervisor boundary, making it relevant to multi-tenant or shared virtualization deployments despite the low base score of 3.2. No public exploit has been identified and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog; Oracle addressed it in the June 2026 Critical Patch Update.
Information disclosure in the VMSVGA device component of Oracle VM VirtualBox 7.2.8 enables a highly privileged local attacker already present on the virtualization host to read a subset of VirtualBox-accessible data. The scope change (S:C) in the CVSS vector is the most operationally significant element - exploitation can impact components beyond the VirtualBox process itself, potentially reaching adjacent VMs or host resources. No public exploit code and no active exploitation have been identified at time of analysis; CVSS base score of 3.2 (Low) reflects limited confidentiality impact and a high privilege bar.
Unauthorized read access in Oracle VM VirtualBox 7.2.8's VMSVGA device component can be triggered by a locally authenticated, highly privileged attacker, resulting in a scope-change impact that may expose a subset of confidential data from resources beyond the guest VM boundary, potentially the host layer. Oracle's June 2026 Critical Patch Update describes the flaw as easily exploitable once the high-privilege prerequisite is met, though the constrained attack surface limits realistic exposure to administrative accounts with existing local host access. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis; the low CVSS base score of 3.2 reflects the narrow confidentiality-only impact and strict access requirements.
Oracle VM VirtualBox 7.2.8 Core component exposes a local information disclosure path exploitable by a high-privileged attacker already logged on to the host infrastructure, resulting in unauthorized read access to a subset of VirtualBox-accessible data. The CVSS scope change (S:C) indicates the read impact may cross virtualization boundaries and affect additional products - such as guest VMs - beyond the VirtualBox process itself. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog, placing this in a low-urgency but operationally meaningful category for multi-tenant virtualization environments.
Stored XSS in the HTML session export feature of pi-coding-agent allows script execution in an exported document when a user clicks a crafted Markdown link. Affected npm packages (@mariozechner/pi-coding-agent 0.27.5–0.73.1 and @earendil-works/pi-coding-agent 0.74.0–0.78.0) either omitted URL scheme validation entirely or implemented a blocklist that could be defeated by prepending C0 control characters (bytes 0x00–0x1F), which browsers silently strip before navigation. No public exploit is identified at time of analysis and this vulnerability is not in CISA KEV; the CVSS score of 2.5 and local attack vector reflect the multi-step, user-dependent exploitation chain discovered and responsibly disclosed by CrowdStrike researchers.
OpenClaw before version 2026.5.26 exposes an exec allowlist bypass that lets authenticated operators with low privileges invoke unintended side effects through transparent command wrappers that circumvent allowlist validation at the wrapper layer. The root cause is CWE-184 (Incomplete List of Disallowed Inputs), where allowlist checks succeed at the surface request level but fail to constrain behavior triggered deeper in the wrapper execution path, yielding a limited but confirmed integrity impact on the vulnerable system. No public exploit code has been identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects the constrained scope: exploitation requires authenticated operator access plus a specific attack target precondition.
Hook-based policy enforcement bypass in OpenClaw before 2026.5.6 allows authenticated low-privilege network attackers to route skill commands through a specific vulnerable dispatch path, causing before-tool-call hooks to be skipped entirely. This silently circumvents audit logging and policy enforcement mechanisms that defenders rely on to detect and govern tool invocation behavior within the framework. No public exploit code has been identified at time of analysis, and CVSS 4.0 rates this at 2.3 (Low) with specific attack requirements (AT:P), limiting real-world risk primarily to environments that actively depend on hook-based security controls.
Scope containment bypass in OpenClaw before 2026.4.25 allows authenticated operators to recover broader device access than their current authorization permits by exploiting a missing validation path in the device re-pairing flow. By sending re-pairing requests with empty scope sets, an operator can silently skip containment guards and retain or restore access to devices outside their assigned scope boundaries - an especially significant risk in multi-tenant or shared-operator deployments. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Sender policy bypass in OpenClaw's BlueBubbles integration before version 2026.5.7 allows low-privileged conversation participants to impersonate allowlisted senders by manipulating conversation-level metadata rather than being validated against stable sender identity. An attacker who is already a participant in a conversation can craft or influence mutable conversation identifiers to match configured allowlist entries, causing the agent to respond to them as if they were an authorized sender and circumventing access controls. No public exploit code or active exploitation has been identified at time of analysis; the low CVSS score (2.3) and high attack complexity reflect real-world constraints.
Bootstrap token replay in OpenClaw before version 2026.5.12 permits callers holding a pending bootstrap token to resubmit that token with a broader scope than originally requested, bypassing intended pairing authority limits. The flaw, rooted in incorrect privilege assignment (CWE-266), exploits the gap between token issuance and administrative approval to escalate pairing access. No public exploit code has been identified and the vulnerability carries a CVSS 4.0 score of 2.3, reflecting significant mitigating factors including high attack complexity, a required target precondition, and passive user interaction - making this a low real-world priority outside environments with high-value pairing workflows.
Stored cross-site scripting in OpenClaw's session HTML export feature allows unsafe javascript: and data: URI schemes to survive into generated output files. All OpenClaw versions before 2026.5.12 are affected; exploitation requires a trusted operator to open an exported session HTML file and actively click a crafted link, at which point arbitrary JavaScript executes in their browser context. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 score of 2.1 reflects the narrow attack prerequisites and limited subsequent-system impact.
In TextRtpPayloadDecoderNode::DecodeT140 of TextRtpPayloadDecoderNode.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In Camera, there is a possible unauthorized way to access photos due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In RtcpHeader::decodeRtcpHeader, there is a possible OOB read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In ImsMediaBitReader::ReadByteBuffer, there is a possible OOB read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In IntfGraphCreate of intfgraph.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In ExecuteGraph command handler of EdgeTPU firmware, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with root privileges needed. User interaction is not needed for exploitation.
In multiple functions of VideoRtpPayloadDecoderNode.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In __mfc_core_nal_q_get_dec_metadata_sei_nal of mfc_core_nal_q.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In mfc_core_get_dec_metadata_sei_nal of mfc_core_reg_api.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In keymint, there is a possible Permission Bypass due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In writeAocCommand of AocAudioCodec.cpp, there is a possible memory safety issue due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
In lwis_device_external_event_emit of lwis_event.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.