Open redirect in Gitea's login flow allows external domain hijacking by bypassing the `urlIsRelative` validation in `modules/httplib/url.go` through a combination of directory traversal sequences and a backslash in the `redirect_to` parameter. All Gitea instances running version 1.25.4 and below are affected; a working proof-of-concept is publicly available in the GitHub Security Advisory. Exploitation enables phishing via trusted Gitea domains, OAuth/SSO authorization code theft, Referer-header leakage of sensitive parameters, and potential cache poisoning — no public exploit identified as confirmed actively exploited (CISA KEV absent).
Symlink-following in chrome-devtools-mcp (npm, versions 0.20.0 through 1.0.1) allows any local user on the same POSIX host to truncate and overwrite arbitrary files owned by a victim user by pre-placing a symlink at the daemon's deterministic PID file path under /tmp. The attack targets macOS unconditionally and Linux sessions where $XDG_RUNTIME_DIR is unset, because the runtime path falls back to world-accessible /tmp. A detailed proof-of-concept demonstrating SSH key destruction is published in the GitHub Security Advisory; no confirmed active exploitation or CISA KEV listing exists at time of analysis, but the attack requires only a local account and trivial setup.
Out-of-band data exfiltration in Claude Code (npm/@anthropic-ai/claude-code versions 0.2.54 through 2.1.162) allows a prompt-injection attacker to silently exfiltrate files, environment variables, and command output by exploiting a pre-approved bare hostname bypass in the WebFetch tool. Because huggingface.co was whitelisted at the hostname level only, any path on that domain - including attacker-controlled model repository paths - was auto-approved without triggering a permission prompt and without being constrained by --allowedTools restrictions. The prerequisite is the ability to inject untrusted content into a Claude Code context window (e.g., via a malicious README, dependency file, or data file read during a session); no public exploit code has been identified at time of analysis, and the vulnerability has been patched in version 2.1.163.
Traefik's Kubernetes Gateway provider exposes internal services (`api@internal`, `dashboard@internal`, `rest@internal`) on the data plane due to a namespace allowlist check evaluated against the wrong variable in multi-backendRef (WRR) HTTPRoute rules. Operators who configured `crossProviderNamespaces` to restrict which namespaces may reference cross-provider `TraefikService` backends find that restriction entirely bypassed for routes with two or more backendRefs, allowing an unprivileged route namespace to expose the Traefik API unauthenticated on the normal web entrypoint. A fully functional end-to-end proof-of-concept was included in the disclosure; no public exploit identifier at time of analysis, and the vulnerability is not listed in CISA KEV.
RTI Connext Professional's Security Plugins component allows authenticated network participants to spoof the source identity of DDS (Data Distribution Service) messages due to missing authentication on a critical data-origin verification function (CWE-306). The flaw affects versions spanning 5.3.x through 7.6.x, with a patched release available at 7.7.0 and 7.3.1.3 for the respective branches. An attacker with low-privilege access to the DDS network can falsify the apparent publisher identity of data streams, directly undermining data integrity in safety-critical deployments such as autonomous systems, industrial control, and defense applications where Connext is widely used. No public exploit code has been identified at time of analysis, and it is not listed in the CISA KEV catalog.
Privilege escalation in the Cisco Umbrella Virtual Appliance vmadmin CLI enables an authenticated local attacker holding vmadmin-level credentials to elevate access to root on the affected device. The flaw, classified as CWE-269 (Improper Privilege Management), arises because the vmadmin CLI does not adequately validate or restrict specific commands that can be leveraged as a privilege escalation path. No public exploit code has been identified and the CVE is not listed in the CISA KEV catalog at time of analysis; the CVSS 6.0 Medium score reflects the high-privilege prerequisite that meaningfully constrains the realistic attacker pool.
OpenStack Horizon before 25.7.4 embeds project names unsanitized into generated OpenStack RC shell scripts, enabling OS command injection when a victim user downloads and sources that script locally. An attacker with sufficient privileges to create or control a project name can insert shell metacharacters (e.g., backtick sequences, command substitution syntax) that execute arbitrary commands in the victim's local shell environment upon RC file execution. No public exploit code or CISA KEV listing exists at time of analysis, though the underlying CWE-78 class is well-understood; notably, the OpenStack project itself characterizes this as a security hardening opportunity rather than a traditional vulnerability, reflecting a disputed severity framing.
Cross-authority JWT signing key confusion in Steeltoe authentication libraries allows tokens issued by one identity provider to be accepted by application schemes configured for a different authority. Affected are CloudFoundryBase prior to 3.4.0, JwtBearer prior to 4.2.0, and OpenIdConnect prior to 4.2.0 when deployed in multi-scheme configurations. No public exploit has been identified at time of analysis; vendor patches are available and no CISA KEV listing exists.
Incorrect authorization in Sonatype Nexus Repository Manager before 3.93.0 permits a delegated repository administrator to read stored upstream proxy credentials beyond their intended authorization scope. The flaw resides in the proxy repository configuration pathway, where role-scoped administrators can retrieve credentials that should be restricted to higher-privilege system-level accounts. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, though the high confidentiality impact on stored upstream credentials is notable given that exposure enables potential unauthorized access to private upstream artifact repositories.
Cache information disclosure in Undici's shared-mode cache interceptor allows a prior authenticated user's HTTP response to be served to a subsequent, potentially unauthenticated, caller. Applications using Undici's explicit `interceptors.cache()` in shared mode that forward Authorization headers to an upstream which returns Cache-Control headers with whitespace-padded qualified directives (e.g., `private=" authorization"`) are affected across all v7 versions prior to 7.28.0 and all v8 versions prior to 8.5.0. No public exploit has been identified at time of analysis; exploitation is bounded by high attack complexity (CVSS AC:H, score 5.9), but when conditions align, the confidentiality impact is complete.
HTTP response header injection in undici's cookie parser exposes proxy, middleware, and SSR framework applications to session fixation, open redirect, and cache poisoning. The `parseSetCookie`, `parseCookie`, and `getSetCookies` functions incorrectly percent-decode cookie values using `qsUnescape`, converting encoded sequences such as `%0D%0A` into literal CRLF bytes in violation of RFC 6265 §5.4, which prescribes no such decoding. Any application that fetches from an attacker-controlled upstream and forwards the parsed cookie value into a downstream response header is exploitable; no public exploit has been identified at time of analysis, and patched releases v6.26.0, v7.28.0, and v8.5.0 are available.
DOM-based XSS in Shaarli's Thumbnail Synchronizer allows stored malicious bookmark titles to execute arbitrary JavaScript in an administrator's browser session when thumbnail synchronization is triggered. Versions 0.16.1 and prior are affected; the root cause is unsanitized innerHTML injection in thumbnails-update.js after the backend's ThumbnailsController::ajaxUpdate returns raw, unescaped bookmark titles via AJAX. Successful exploitation can lead to session hijacking, privilege escalation, and backdoor injection against administrator accounts. No public exploit or KEV listing is confirmed at time of analysis; a vendor patch is available in v0.16.2.
Stored XSS in Shaarli's Markdown rendering pipeline (versions 0.16.1 and prior) allows an authenticated user to inject malicious javascript: URIs via Markdown reference-style links in bookmark descriptions, bypassing the filterProtocols sanitization method in BookmarkMarkdownFormatter.php. When any user or guest visitor views the crafted bookmark, arbitrary JavaScript executes in their browser context, enabling session theft or unauthorized actions. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV; vendor-released patch v0.16.2 is available as of 2026-05-23.
SQL injection in Dell PowerFlex Manager exposes database contents to low-privileged adjacent-network attackers via insufficiently sanitized SQL command input. The vulnerability requires both network adjacency and existing low-level credentials, limiting its reach considerably from an opportunistic threat standpoint. No active exploitation has been confirmed by CISA KEV, and no public exploit code is known at time of analysis; the CVSS score of 3.5 (Low) reflects the constrained attack surface.
Namespace tenant-label hijack in Capsule v0.13.0-0.13.5 allows an authenticated Kubernetes user with namespaces/finalize RBAC permission to bypass the validating admission webhook and overwrite tenant isolation labels via the finalize subresource. The root cause is a one-character typo in the Helm chart configuration - `namespace/finalize` (singular) instead of `namespaces/finalize` (plural) - rendering the CVE-2026-30963 patch in v0.13.2 entirely ineffective. Publicly available exploit code (PoC) exists and has been confirmed on a kind cluster running Capsule v0.13.2; no active exploitation has been confirmed by CISA KEV.
Out of bounds read in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: High)
XianYuLauncher, a Minecraft Java Edition launcher, exposes Microsoft OAuth authentication tokens to local attackers in all versions prior to 1.5.5 due to an OAuth 2.0 Authorization Code flow implemented without PKCE or state parameter validation. A local attacker running a concurrent process on the same machine can race the launcher's fixed localhost redirect URI to intercept the authorization code, then exchange it for valid Microsoft and Minecraft access tokens without any special privileges. Compounding the exposure, ClientToken was stored on disk in plaintext and JWT/Bearer tokens could be leaked into log output. No public exploit has been identified and this vulnerability is not listed in CISA KEV.
NULL pointer dereference in Autodesk Revit's 'Convert RFA to FormIt' feature causes the application to crash when processing a specially crafted RFA file, resulting in a denial-of-service condition. All tracked versions of Autodesk Revit are affected per CPE data, with the attack requiring local file access and deliberate user interaction to trigger the vulnerable conversion workflow. No public exploit code and no CISA KEV listing exist at time of analysis; a vendor-released patch is available through Autodesk Access.
Missing authorization controls in Yoast SEO Premium (WordPress plugin by Yoast BV) allow a network-accessible, highly privileged authenticated user to exploit incorrectly configured access control levels, yielding low-severity integrity and availability impact with a scope change that extends beyond the plugin itself into the broader WordPress environment. Affecting all versions through 26.6, this is a CWE-862 (Missing Authorization) flaw reported by Patchstack. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis.
Stored cross-site scripting in Open WebUI up to and including v0.9.5 allows authenticated users to execute arbitrary JavaScript in another user's browser under the application origin by uploading a malicious Markdown file containing a crafted Mermaid diagram. The flaw stems from Mermaid being initialized with securityLevel:'loose' and its SVG output being injected via innerHTML in the file preview panel. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis beyond the PoC, and the issue is not listed in CISA KEV.
Heap buffer overflow in 389 Directory Server's ACI parsing layer allows an authenticated LDAP user with write access to the `aci` attribute to silently corrupt heap memory in the directory server process by submitting a malformed Access Control Instruction string. The `__aclp__normalize_acltxt()` function in `aclparse.c` performs pointer arithmetic on the keyword portion of an ACI string without validating minimum remaining buffer length after whitespace stripping, resulting in a 1-byte out-of-bounds write followed by out-of-bounds reads (CWE-787). No public exploit or CISA KEV listing has been identified at time of analysis; an upstream fix is available via GitHub PR #7542 but a released patched version has not been independently confirmed.
Integer truncation in vLLM's GGUF dequantize CUDA kernels (csrc/quantization/gguf/gguf_kernel.cu) silently corrupts tensor dequantization for large weight matrices in multi-tenant inference deployments, enabling cross-tenant GPU memory disclosure. When a GGUF model's weight tensor dimensions have a product exceeding INT_MAX (2,147,483,647), the int64_t element count is silently truncated to a 32-bit int at the to_cuda_ggml_t call site, causing CUDA kernels to process only a subset of the allocated output tensor. The unprocessed remainder, allocated via torch::empty (uninitialized), retains stale GPU memory contents from prior operations that may include tensor data from other users' inference requests - with no error, warning, or signal generated. No public exploit code or CISA KEV listing has been identified at time of analysis, though the advisory provides sufficient technical detail to facilitate reproduction.
Missing Authorization vulnerability in Avirtum iPages Flipbook allows Exploiting Incorrectly Configured Access Control Security Levels.5.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Private note disclosure in Open WebUI (≤0.8.10) allows any authenticated user to read the full contents of another user's private notes by exploiting a namespace collision in the Socket.IO collaborative editing subsystem. The ydoc:document:join handler enforces authorization only for document IDs prefixed with 'note:' (colon), but the YdocManager storage layer normalizes all IDs by substituting underscores for colons - making 'note:abc' and 'note_abc' identical storage keys. A fully functional public PoC exploit script is included in the GitHub Security Advisory. No KEV listing; fix is available in version 0.8.11.
HCL iControl's web interface fails to automatically expire user sessions after inactivity, leaving authenticated session tokens valid indefinitely until explicit logout. An attacker who obtains a valid session token - through interception or unattended browser access - can reuse it to access the application and read data. CVSS rates this Low (3.1) reflecting high attack complexity and limited confidentiality impact; no public exploit exists and the vulnerability is not listed in CISA KEV.
Resource exhaustion in joserfc (versions 1.3.4-1.6.5) is possible because the RFC7797 unencoded-payload (b64=false) JWS code path skips the configured JWSRegistry.max_payload_length check, while the standard compact and flattened JSON paths correctly raise ExceededSizeError. Remotely submitted, cryptographically valid b64=false JWS tokens with arbitrarily large payloads are deserialized without size enforcement, consuming memory or CPU on the verifying server. No public exploit has been identified and the vulnerability is not in the CISA KEV catalog; a vendor-released fix is available in version 1.6.7.
Overly permissive access control on the SignalRGB kernel driver's device object exposes privileged IOCTL operations to any authenticated local user on Windows systems running versions prior to 1.3.7.0. The root cause is that the `\\.\SignalIo` device object is created without an explicit SDDL security descriptor and without the `FILE_DEVICE_SECURE_OPEN` flag, causing Windows to apply insecure default access controls. No public exploit or active exploitation has been identified at time of analysis; the EPSS score of 0.13% at the 3rd percentile reflects very low observed exploitation probability.
Unauthenticated Insecure Direct Object Reference (IDOR) in the Mojoomla School Management WordPress plugin (versions <= 93.1.0) allows remote attackers to access restricted school records by manipulating user-controlled object identifiers without any authorization check. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial network exploitability with no authentication required, exposing student, staff, or institutional data to unauthorized disclosure. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Open redirect in CakePHP Authentication's `getLoginRedirect()` method exposes users of affected applications to attacker-controlled redirects via backslash character bypass of hostname validation logic. Applications running `cakephp/authentication` below 3.3.6 (3.x branch) or between 4.0.0 and 4.1.1 (4.x branch) are vulnerable. No public exploit code or CISA KEV listing has been identified at time of analysis, though the backslash bypass technique is well-understood and lowers the bar for exploitation against unpatched deployments.
Server-Side Request Forgery in NocoDB's base-migration endpoint allows authenticated workspace owners to coerce the migration worker into issuing requests using arbitrary URL schemes - including file:// and ftp:// - enabling local file disclosure and interaction with non-HTTP services. The affected package is pkg:npm/nocodb at versions up to and including 0.301.3; no released patched version has been confirmed at time of analysis. Exploitation is constrained to principals holding the workspace owner role, but within that privilege tier no additional conditions are required to trigger the vulnerability. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Stored Cross-Site Scripting in NocoDB (npm package, versions <= 0.301.3) allows an authenticated user with upload permissions to deliver malicious `.html` or `.svg` attachments that the victim's browser renders inline from the NocoDB origin, bypassing the intended forced-download behavior. The root cause is a header-key case mismatch in the secure attachment handler: the signed URL generator wrote overrides as PascalCase keys while the Express controller read them as lowercase-hyphen keys, silently dropping `Content-Disposition: attachment` and enabling inline rendering. When exploited, script executing in the victim's browser can exfiltrate the auth JWT stored in `localStorage`, leading to full session compromise. No public exploit code has been identified at time of analysis, and no patched version has been confirmed released.
Server-Side Request Forgery in NocoDB's spreadsheet-fetch endpoint (`axiosRequestMake`) allows authenticated users with editor-level permissions to coerce the NocoDB server into issuing HTTP requests to cloud metadata services (e.g., AWS IMDSv1 at `169.254.169.254`) and other internal network resources reachable from the NocoDB process. Two distinct defensive failures enabled the attack: an un-anchored file-extension allowlist that accepted `.xlsx` anywhere in the URL path, and a hand-rolled IP blocklist that omitted `127.0.0.0/8` and `169.254.0.0/16`. On cloud-hosted deployments, this functions as a credential-exfiltration primitive. No public exploit has been identified at time of analysis, but the attack pattern is trivially reproducible from the advisory text alone.
Reflected XSS in the marimo notebook server before version 0.23.9 enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in the origin of a victim's marimo server by supplying a crafted `file` query parameter. The flaw stems from improper single-quote escaping in assets.py when reflecting the parameter into an inline JavaScript string literal; attackers bypass the server's 404 check by prefixing payloads with `__new__`, and execution occurs without Content-Security-Policy restrictions. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the attack mechanism is straightforward for a motivated attacker targeting shared or collaborative marimo deployments.
Open redirection in the Password Manager authentication system enables network-accessible, unauthenticated attackers to manipulate the X-Forwarded-Host HTTP header to redirect authenticated users to attacker-controlled sites immediately following login or interface interaction. The vulnerability is particularly hazardous in the context of a credential store application, where a convincing post-login redirect to a cloned phishing interface could yield an attacker's full access to a victim's stored password vault. No public exploit code has been identified at time of analysis, and a vendor-released patch is available per the INCIBE advisory.
Open redirection in Password Manager exposes users to phishing attacks by failing to validate the X-Forwarded-Host HTTP header before using it to construct redirect URLs. Unauthenticated remote attackers can craft malicious links that, when clicked by a victim, silently redirect them to an attacker-controlled domain - a particularly dangerous vector given that the target application manages credentials. Reported by INCIBE, a vendor patch is available; no active exploitation (CISA KEV) or public exploit code has been identified at time of analysis.
Host Header Injection in Password Manager (all versions per CPE) enables remote unauthenticated attackers to manipulate the HTTP Host header, causing the application to generate crafted links or responses that reference an attacker-controlled domain. Exploitation requires active user interaction (UI:A per CVSS 4.0 vector), limiting mass exploitation but enabling targeted phishing, password-reset link hijacking, or cache poisoning affecting dependent services. No public exploit code has been identified, and INCIBE has confirmed a vendor patch is available. This vulnerability is part of a broader set of issues disclosed simultaneously in the same INCIBE advisory.
Stored cross-site scripting in Teldat's Regesta Smart HD-PLC (TLDPH16D2, firmware 11.02.05.10.02) allows a privileged, authenticated attacker to inject arbitrary JavaScript into the device's 'Hostname' configuration field, which executes in the browser of any user who subsequently loads the `/upgrade/query.php?cmd=p+3%3Bversion` endpoint. The CVSS 4.0 score of 4.8 reflects meaningful constraints: high-privilege access (PR:H) is required to write the malicious configuration, and victim user interaction (UI:P) is needed to trigger execution. No public exploit identified at time of analysis and not listed in CISA KEV; a vendor patch is available.
Incorrect Authorization in Apache DolphinScheduler's API module (versions prior to 3.4.2) allows any authenticated user holding basic system login privileges to delete task definitions belonging to projects outside their authorized scope. The flaw bypasses project-level access controls server-side, enabling cross-project destructive operations without requiring elevated roles. No public exploit has been identified at time of analysis, and no KEV listing exists; moderate severity reflects the authentication prerequisite and the impact being limited to data destruction rather than exfiltration or code execution.
Image input manipulation in vLLM's multimodal preprocessing pipeline allows remote, unauthenticated network attackers to craft images with specific EXIF orientation or PNG tRNS transparency metadata that, when converted to RGB by vLLM, produces semantically altered image content fed to the LLM - affecting the integrity of inference outputs and potentially the reliability of the inference service. Affected deployments include Red Hat AI Inference Server across RHEL AI 3 and Red Hat OpenShift AI (RHOAI) environments. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, sensitive inference workloads processing user-supplied images (e.g., document classification, content moderation) face a higher practical risk from subtle input distortion attacks.
Stored cross-site scripting in earmark (the Elixir Markdown-to-HTML library by pragdave) allows any attacker who can submit markdown content to inject arbitrary JavaScript that executes in the browsers of users who view the rendered output. The root cause is a code path in `_make_att1/2` (`lib/earmark/transform.ex`) that splices HTML attribute values verbatim without encoding double-quote characters, enabling a crafted link URL or title to break out of the `href` attribute and inject additional HTML event handlers. Critically, no patched version will be released - the library has been officially retired from Hex - making migration to a maintained alternative the only complete fix. No public exploit identified at time of analysis, though the CVE description itself contains a working proof-of-concept payload.
Stored XSS in Shaarli's tag filtering functionality permits an authenticated user to inject persistent JavaScript payloads via the bookmark tags field, which execute in the browsers of any user who subsequently interacts with the 'Filter by tag' search feature on the homepage. All Shaarli deployments running version 0.16.1 or earlier are affected, including instances where administrators use the tag-filter feature. The vulnerability enables session hijacking or credential exfiltration against any user who triggers the tag search, with no public exploit code or CISA KEV listing identified at time of analysis. Vendor-released patch v0.16.2 (2026-05-23) resolves the issue.
Out-of-bounds write conditions in RTI Connext Professional affect three distinct components - Queueing Service, Core Libraries, and Persistence Service - enabling a locally authenticated low-privileged user to corrupt memory and produce limited integrity and availability impacts on the vulnerable system. The vulnerability spans multiple release branches (6.1.x, 7.0.x-7.3.x, and 7.4.x-7.6.x) and is resolved in versions 7.7.0 and 7.3.1.3 per vendor guidance. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in the CISA Known Exploited Vulnerabilities catalog.
Broken or risky cryptographic algorithm use in Dell PowerFlex Manager 4.6.0.1 exposes network-accessible infrastructure management communications to potential interception and modification. Remote unauthenticated attackers who achieve the requisite network positioning - consistent with the CVSS AC:H rating - could exploit weak or deprecated cryptographic primitives to partially disclose sensitive management data (C:L) or tamper with communications in transit (I:L). Dell has published advisory DSA-2026-066 under the multi-CVE release DSA-2026-066; no public exploit code and no active exploitation (CISA KEV absent) have been identified at time of analysis.
Universal Cross-Site Scripting (UXSS) in the Views component of Google Chrome on Linux (prior to 149.0.7827.155) enables an attacker who has already compromised the renderer process to inject arbitrary scripts or HTML across security origins via a crafted HTML page, breaking Chrome's same-origin policy isolation. This is a post-renderer-compromise escalation step in a multi-stage attack chain, Linux-platform specific, requiring prior renderer RCE as a prerequisite. No public exploit code has been identified at time of analysis; EPSS sits at 0.29% (21st percentile), and CISA SSVC assesses exploitation status as none with partial technical impact.
Steeltoe.Configuration.Abstractions 4.0.0-4.1.0 permanently exposes TLS client private key material to world-readable temporary files on Linux when Cloud Foundry MySQL or PostgreSQL service bindings supply SSL credentials via VCAP_SERVICES. The Connectors library writes SSL certificate, private key, and CA files to Path.GetTempPath() using File.CreateText, which on Linux creates files at mode 0644 (owner read/write, group read, world read) with no cleanup mechanism, leaving key material readable by any co-located process for the container's lifetime. Vendor-released patch 4.2.0 resolves both the permission issue (restricting new temp files to mode 0600) and the missing cleanup via IDisposable; no public exploit has been identified at time of analysis.
W3 Total Cache for WordPress (versions through 2.9.1) exposes Author-role users to administrative plugin functions due to missing authorization checks (CWE-862), enabling unintended read, write, and availability impacts against the caching layer. The CVSS vector confirms a network-accessible, low-complexity exploit requiring Author-level authentication (PR:H), with low but confirmed impact across all three CIA dimensions. No public exploit code or active exploitation via CISA KEV has been identified at the time of analysis.
Implicit execution of untrusted repository-controlled TypeScript/JavaScript extensions in Pi coding agent (npm package @earendil-works/pi-coding-agent) before 0.79.0 allows an attacker who controls a repository to execute arbitrary code with the victim user's full process privileges. Pi's startup path auto-loaded project-local extensions from a repository's .pi directory - including executable TypeScript/JavaScript modules - without any trust gate or user prompt, meaning a developer who cloned and ran Pi in a malicious repository would silently execute attacker-supplied extension code. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the attack class (supply-chain / repository-as-malware-delivery) is highly relevant to developer tooling security.
Uninitialized Use in GPU in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Sibling-prefix path traversal in open-webui 0.9.5 and earlier allows any authenticated user to read arbitrary files from directories adjacent to the configured cache directory, provided those directories share the string prefix 'cache' (e.g., cache_backup, cached_models). The flaw exists in serve_cache_file() at main.py:2914, where a missing trailing path separator in the startswith boundary check causes os.path.abspath() to validate resolved sibling paths as if they were within the cache root. Publicly available exploit code exists in the GHSA advisory (PoC confirmed against open-webui 0.9.5 via raw ASGI delivery); no confirmed active exploitation (not in CISA KEV) at time of analysis.