Unauthenticated file deletion in Rocket.Chat allows remote attackers to permanently delete arbitrary uploaded files from a target server via the deleteFileMessage Meteor method over a DDP WebSocket connection. The flaw stems from an authorization check that is silently skipped when Meteor.userId() returns null on unauthenticated DDP sessions, letting any internet-accessible attacker destroy attachments whose IDs are discoverable from public channel messages and download URLs. No public exploit identified at time of analysis, though a vendor patch and HackerOne disclosure (report 3611837) confirm the issue.
Privilege escalation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.5.1) allows an authenticated user with Agent-level access or higher to chain three independent flaws and overwrite a WordPress Administrator's password without invoking any Administrator-only API. Wordfence-reported flaw with no public exploit identified at time of analysis, though source code locations of all three vulnerable code paths are referenced in the disclosure.
Remote unauthenticated denial-of-service in Oracle MySQL Server and MySQL Cluster (8.0.x, 8.4.x, and 9.0.0-9.7.0) allows network attackers to trigger a hang or repeatable crash of the database via the Server Connection Handling component. Oracle rates the issue as easily exploitable over multiple protocols with no authentication or user interaction, producing a complete availability loss (CVSS 7.5, A:H only). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Denial of service in Oracle MySQL Router 8.4.0-8.4.9 and 9.0.0-9.7.0 allows unauthenticated remote attackers to hang or repeatedly crash the routing service over TLS-enabled network connections, producing a complete DOS of the affected component. CVSS 3.1 scores this 7.5 with availability-only impact, and no public exploit identified at time of analysis. Because MySQL Router brokers application traffic to InnoDB Cluster/ReplicaSet backends, an outage cascades into downstream application unavailability even when the database servers themselves remain healthy.
Universal cross-site scripting (UXSS) in Adobe Acrobat PDF Extension for Chrome (versions 26.5.2.2 and earlier) allows remote attackers to disclose cross-origin session data when a victim visits a malicious URL or interacts with a compromised page. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N indicates high confidentiality impact across security boundaries, and no public exploit identified at time of analysis. The flaw is browser-extension scoped, so impact is limited to users who have installed this Chrome extension.
Arbitrary local file read in the Natural Language Toolkit (NLTK) Python library affects versions up to and including 3.9.4 via a decode-after-check flaw in nltk.data.load() when handling the nltk: URL scheme. Attackers who can influence resource identifiers passed to this function can bypass the _UNSAFE_NO_PROTOCOL_RE regex using URL-encoded separators (%2f) or traversal segments (%2e%2e), allowing reads of files such as /etc/passwd, /proc/self/environ, SSH keys, and application secrets. Publicly available exploit code exists via the GHSA-p4gq-832x-fm9v advisory, though no public exploit identified in CISA KEV at time of analysis.
Unauthorized data disclosure in Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows unauthenticated remote attackers to access all data accessible to the application via HTTP. The flaw carries a CVSS 3.1 base score of 7.5 with high confidentiality impact and no integrity or availability impact, and currently has no public exploit identified at time of analysis.
Denial of service in Mozilla Firefox prior to version 152 and Firefox ESR prior to 140.12 stems from a memory safety bug (CWE-119) that remote attackers can trigger via crafted web content. The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, consistent with a browser crash rather than reliable code execution. No public exploit identified at time of analysis, and Mozilla has shipped fixes across multiple advisories (MFSA2026-57, -58, -60, -61).
Authorization bypass in Caddy web server on Windows allows unauthenticated remote attackers to access files in path-protected directories by substituting forward slashes with URL-encoded backslashes (%5C). The flaw stems from an inconsistency between Caddy's `path` matcher and `file_server` handler, where the matcher treats `\` as a literal character while Windows-native filesystem code treats it as a separator. A detailed proof-of-concept is published in the vendor advisory, though no public exploit identified at time of analysis in exploitation databases.
Unauthorized information disclosure in the WooCommerce POS WordPress plugin (versions 1.8.14 and earlier) allows remote unauthenticated attackers to access protected resources due to missing authorization checks. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability effect, and no public exploit identified at time of analysis. The flaw was disclosed by Patchstack and aligns with CWE-862 (Missing Authorization), a common pattern in WordPress plugin endpoints that omit capability checks.
Unauthorized information disclosure in the Artbees JupiterX Core WordPress plugin (versions 4.14.1 and earlier) allows remote unauthenticated attackers to bypass access controls and read data that should require authentication. The flaw is classified as CWE-862 (Missing Authorization) and was disclosed via Patchstack; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Broken access control in the Arraytics WP Event Solution WordPress plugin through version 4.1.12 allows remote unauthenticated attackers to access protected functionality or data without authorization. The flaw stems from missing authorization checks (CWE-862) on plugin endpoints, exposing sensitive event-management capabilities or data to anyone who can reach the WordPress site. No public exploit identified at time of analysis, and the issue is not currently listed in the CISA KEV catalog.
Arbitrary code execution in vLLM versions prior to 0.22.0 allows remote unauthenticated attackers to run code on the inference server by publishing a malicious HuggingFace model, when vLLM is launched in Python optimized mode (python -O or PYTHONOPTIMIZE=1). The sole guardrail restricting which activation function classes can be loaded from a model's config.json is implemented with a Python assert, which is stripped at compile time under -O, leaving an unrestricted import gadget directly fed by attacker-controlled data. No public exploit identified at time of analysis, but the vendor advisory (GHSA-q8gq-377p-jq3r) and a coordinated huntr.com submission document the issue in detail.
Takeover of Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 is possible when a low-privileged attacker with HTTP network access successfully chains a high-complexity exploit path in the WebCenter Sites component, resulting in full confidentiality, integrity, and availability compromise. Oracle's June 2026 Critical Patch Update disclosure rates this CVSS 7.5 with AC:H/PR:L, meaning a valid (even low-tier) account plus non-trivial conditions are required. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthorized data modification in Oracle Identity Manager (Fusion Middleware) versions 12.2.1.4.0 and 14.1.2.1.0 allows a remote unauthenticated attacker to create, delete, or modify critical identity data via the REST WebServices component over HTTP. Oracle rates the issue as easily exploitable with a CVSS 3.1 base score of 7.5 (integrity-only impact), and no public exploit has been identified at time of analysis.
Full compromise of Oracle HR Intelligence (a module of Oracle E-Business Suite) is possible for an authenticated low-privileged attacker who can reach the Internal Operations component over HTTP, per Oracle's June 2026 Critical Patch Update. The flaw affects EBS versions 12.2.3 through 12.2.15 and yields high impact across confidentiality, integrity, and availability, though Oracle rates exploitation as difficult (AC:H). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Takeover of Oracle Universal Work Queue is possible in Oracle E-Business Suite versions 12.2.3 through 12.2.15 via the Work Provider Site Level Administration component, where a low-privileged attacker with HTTP network access can fully compromise confidentiality, integrity, and availability of the module. Oracle classifies the issue as difficult to exploit (AC:H), and no public exploit identified at time of analysis. The flaw was disclosed in the Oracle Critical Patch Update of June 2026.
Takeover of Oracle Subledger Accounting (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows an authenticated low-privileged attacker with HTTP network access to fully compromise confidentiality, integrity, and availability of the module. Although the CVSS 3.1 base score is 7.5 with high impact across all three pillars, the AC:H rating signals non-trivial exploitation requirements, and there is no public exploit identified at time of analysis.
Takeover of Oracle Subledger Accounting (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible by a low-privileged remote attacker leveraging HTTP. The flaw yields full confidentiality, integrity, and availability impact (CVSS 7.5) but is rated high attack complexity, so reliable exploitation is non-trivial. No public exploit identified at time of analysis, and the issue is not listed on CISA KEV.
Takeover of Oracle iSupplier Portal (E-Business Suite versions 12.2.3 through 12.2.15) is achievable by a low-privileged remote attacker over HTTP, per Oracle's June 2026 Critical Patch Update. The flaw is rated CVSS 7.5 with high confidentiality, integrity, and availability impact, but carries high attack complexity, suggesting non-trivial preconditions. There is no public exploit identified at time of analysis and the CVE is not on CISA KEV.
Full takeover of Oracle Complex Maintenance, Repair and Overhaul (CMRO) versions 12.2.3 through 12.2.15 is possible by an authenticated low-privileged attacker over HTTP against the Internal Operations component. Successful exploitation yields high impact to confidentiality, integrity, and availability of the CMRO module, though Oracle rates the attack complexity as high. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Takeover of Oracle Complex Maintenance, Repair and Overhaul (CMRO) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker with HTTP network access to fully compromise the Internal Operations component. Oracle's June 2026 Critical Patch Update advisory documents the issue with a CVSS 3.1 base score of 7.5 and high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the vulnerability is rated difficult to exploit due to high attack complexity.
Use-after-free in Zephyr RTOS's ICMPv6 stack (v4.2.0-v4.4.0) allows an unauthenticated remote attacker to crash the networking stack and potentially corrupt memory by sending a standard ICMPv6 Echo Request or any IPv6 packet that elicits an ICMPv6 error response. Both `icmpv6_handle_echo_request()` and `net_icmpv6_send_error()` call `net_pkt_iface()` on a packet after transferring it to `net_try_send_data()`, which may synchronously or asynchronously free the packet's memory slab before the statistics update executes. When `CONFIG_NET_STATISTICS_PER_INTERFACE` is enabled, the stale interface pointer is written through (`iface->stats.icmp.sent++`), escalating the read UAF into an attacker-influenced memory write; no public exploit has been identified at time of analysis, but the trigger is a universally available IPv6 primitive.
Takeover of Oracle Human Resources in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible when a remote unauthenticated attacker tricks a separate user into interacting with a crafted HTTP request targeting the Person component. Despite high attack complexity, successful exploitation yields full confidentiality, integrity, and availability impact on the HR module. No public exploit identified at time of analysis.
Memory corruption in Mozilla Firefox versions prior to 152 allows remote unauthenticated attackers to crash the browser by serving crafted web content, resulting in denial of service. The CVSS 3.1 base score of 7.5 reflects high availability impact without confidentiality or integrity loss, and no public exploit identified at time of analysis. Mozilla disclosed the issue via advisories MFSA2026-57 and MFSA2026-60 with a fix shipped in Firefox 152.
Unauthenticated server-side request forgery in Crawl4AI's Docker API server (versions < 0.8.9) lets remote attackers reach internal services and cloud-metadata endpoints by supplying a proxy address that bypasses the crawl-URL validation. Because the Docker API is unauthenticated by default and the SSRF check was only applied to the crawl target - not to the proxy destination - an attacker can route Chromium's egress through an internal IP (e.g. AWS IMDSv1 at 169.254.169.254) and read the response verbatim from the crawl result. No public exploit is identified at time of analysis, but the reporter supplied a working PoC and EPSS risk is low (0.29%, 20th percentile).
Memory corruption in Mozilla Firefox prior to version 152 and Firefox ESR prior to 140.12 allows remote attackers to compromise browser memory integrity through crafted web content, with confidentiality impact rated High per the CVSS vector. The flaw stems from a buffer-handling defect (CWE-119) reported by Mozilla itself and addressed across multiple security advisories (MFSA2026-57, -58, -60, -61). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Server-Side Request Forgery in Crawl4AI's Docker API server (versions <= 0.8.7) allows unauthenticated remote attackers to bypass the IPv4/IPv6 CIDR blocklist in validate_webhook_url/validate_url_destination by using IPv6 transition forms (NAT64, 6to4, IPv4-mapped, IPv4-compatible) or the unspecified address. Since the Docker API ships with jwt_enabled:false by default, attackers can pivot the server into fetching cloud metadata endpoints like 169.254.169.254, potentially exposing IAM credentials. No public exploit identified at time of analysis, but the upstream advisory (GHSA-4qqr-vv2q-cmr5) details the exact bypass payloads.
Remote command injection in ServerCo getssl 2.49 and prior allows an attacker who controls or tampers with ACME challenge responses (a malicious/compromised CA endpoint or on-path adversary) to write attacker-chosen file paths via tokens that violate RFC 8555 base64url constraints, typically yielding code execution as the privileged user that renews certificates. The issue was reported by runZero, fixed upstream in v2.50, and at the time of analysis there is no public exploit identified and the CVE is not listed in CISA KEV.
Server-side request forgery in Astro SSR deployments (npm package astro < 6.4.6) allows remote unauthenticated attackers to coerce the runtime into fetching attacker-controlled URLs by spoofing the HTTP Host header when a prerendered /404 or /500 page is configured. The attacker-controlled response body is reflected back to the victim, enabling information disclosure from internal services reachable by the application. No public exploit identified at time of analysis; the issue was responsibly disclosed by Tarmo Technologies via GitHub Security Advisory GHSA-2pvr-wf23-7pc7.
Remote denial of service in Android (Pixel) RTP stack arises from a missing null check in checkSsrcCollisionOnRcv within RtpSession.cpp, allowing unauthenticated attackers to crash the affected media component over the network. The flaw carries CVSS 7.5 with availability-only impact, and at the time of analysis there is no public exploit identified and the EPSS exploitation probability is very low (0.14%, 4th percentile).
Privileged local compromise of Oracle VM VirtualBox 7.2.8 allows an attacker already authenticated to the host with high privileges to take over the VirtualBox installation and cross the hypervisor boundary into additional products (scope-changed). Oracle's CPU advisory rates this CVSS 3.1 7.5 with high attack complexity; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation and host takeover in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged local attacker to break out of the virtualization boundary and impact additional products beyond VirtualBox itself (scope change). The flaw carries a CVSS 3.1 base score of 7.5 with full confidentiality, integrity, and availability impact, but exploitation is rated high complexity. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Confidentiality and integrity compromise in Oracle VM VirtualBox 7.2.8 (Shared Folders component) allows a low-privileged local attacker on the host to escape the guest/host boundary and access or modify critical data across the scope, including resources outside VirtualBox itself. The flaw is rated CVSS 3.1 7.5 with a scope change, but exploitation is rated High complexity by Oracle and there is no public exploit identified at time of analysis. Patch is available per Oracle's June 2026 Critical Patch Update advisory.
Unauthenticated information disclosure in the eyecix JobSearch (wp-jobsearch) WordPress plugin versions up to and including 3.2.7 allows remote attackers to bypass access controls and read sensitive data without authentication. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation with no preconditions, though no public exploit identified at time of analysis and no CISA KEV listing is present. Patchstack categorized the issue as a Broken Access Control / Authentication Bypass affecting confidentiality only.
Unauthenticated arbitrary file download affects the 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' plugin by Extendons in versions up to and including 1.0.7. Remote attackers can exploit a path traversal weakness (CWE-22) to retrieve arbitrary files from the underlying web server without any authentication, exposing sensitive data such as wp-config.php credentials. No public exploit identified at time of analysis, but the network-reachable, no-privilege CVSS profile (7.5) makes opportunistic mass-scanning by WordPress vulnerability scanners likely once disclosed.
Arbitrary content deletion in the Brikk WordPress theme (versions up to and including 3.0.0) allows low-privileged authenticated users to delete site content due to a missing authorization check. The flaw is tracked under Patchstack and ENISA EUVD-2025-210187 with no public exploit identified at time of analysis, and the CVSS 7.5 score reflects high availability impact through destruction of site data.
Address bar spoofing in The Browser Company's Arc Search for Android allows remote attackers to render attacker-controlled content beneath a legitimate-looking URL in the address bar, enabling high-fidelity phishing against mobile users. The flaw maps to CWE-1021 (improper restriction of rendered UI layers) and carries a CVSS 7.4 due to the integrity impact on user trust decisions, though successful exploitation requires user interaction. No public exploit identified at time of analysis, but a HackerOne report (#3705306) suggests reproducible POC details exist within the disclosure program.
Cookie disclosure in yt-dlp (2023.09.24 through versions before 2026.06.09) lets a malicious website exfiltrate a victim's authenticated session cookies when the curl external downloader is in use. Because yt-dlp passes cookies to curl via inline --cookie without activating curl's cookie-scoping engine, curl forwards those cookies across HTTP redirects and to fragment hosts that differ from their parent manifest, so an attacker who lures the user into extracting a crafted URL that redirects to attacker infrastructure receives cookies scoped to a trusted site. This is the curl-downloader counterpart to GHSA-v8mc-9377-rwjj. There is no public exploit identified at time of analysis, though the vendor commit includes a regression test proving the leak; EPSS is low (0.27%, 18th percentile) and it is not in CISA KEV.
Cryptographic primality validation in Deno's Node.js compatibility layer (versions <= 2.8.0) silently skips Miller-Rabin testing when `crypto.checkPrime`/`checkPrimeSync` is called with default options, causing crafted composites whose smallest prime factor exceeds 17,863 (e.g. 17,881 × 17,891) to be reported as prime. Remote attackers who control bignums fed into a victim Deno application can therefore smuggle composite values past validation, with no public exploit identified at time of analysis beyond the vendor-published reproducer.
update_disk_psu_baseline.sh requires password in plain text. Rated high severity (CVSS 7.4).
Remote unauthenticated compromise of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 is possible via the Web Server Plugin component over HTTP, allowing attackers to alter or read subsets of OAM data and trigger partial denial of service. The flaw carries a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N) and is rated easily exploitable by Oracle. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Memory safety flaw in the CanvasWebGL graphics component of Mozilla Firefox allows remote attackers to trigger incorrect boundary handling through crafted web content, leading to limited confidentiality, integrity, and availability impact. The issue affects Firefox prior to version 152 and Firefox ESR prior to 140.12, and no public exploit identified at time of analysis. Reported by Mozilla with low complexity and no authentication required (CVSS 7.3).
Memory corruption in the NSS (Network Security Services) Libraries component shipped with Mozilla Firefox allows remote attackers to trigger out-of-bounds memory access via incorrect boundary condition handling, with low impact across confidentiality, integrity, and availability. Mozilla addressed the issue in Firefox 152, with associated advisories MFSA2026-57 and MFSA2026-60. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Full compromise of Oracle HR Intelligence (component: Internal Operations) in Oracle E-Business Suite 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged user over the network via HTTP, leading to takeover of the HR Intelligence module with full confidentiality, integrity, and availability impact. The flaw was reported by Oracle and disclosed in the June 2026 Critical Patch Update; there is no public exploit identified at time of analysis and the issue is not on CISA KEV. CVSS 3.1 base score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), reflecting easy exploitation once the high privilege precondition is met.
Privileged takeover of Oracle Application Development Framework (ADF) is possible in Fusion Middleware versions 12.2.1.4.0 and 14.1.2.0.0, where an attacker with high privileges and HTTP network access to the ADF Shared Components can fully compromise the product. The CVSS 3.1 base score is 7.2 with high impact to confidentiality, integrity, and availability, and Oracle classifies the issue as easily exploitable once authentication is obtained. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Full takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 is possible when a high-privileged attacker reaches the Content Server over HTTP, per Oracle's June 2026 Critical Patch Update. The flaw yields complete confidentiality, integrity, and availability compromise (CVSS 7.2) but requires existing elevated privileges, and no public exploit identified at time of analysis. Exploitation is rated easy once the privilege bar is met, making this a priority for environments where many users hold administrative roles in Content Server.