Broken Object Level Authorization in Open WebUI's `search_knowledge_files` builtin tool (versions ≤ 0.9.5) allows any authenticated user to enumerate file metadata from private or restricted knowledge bases they do not own or have permission to access. By sending a crafted chat completion request with native function calling enabled and supplying an arbitrary `knowledge_id`, an attacker bypasses the `AccessGrants` permission model entirely, receiving file IDs, filenames, knowledge base names, and timestamps. No KEV listing exists at time of analysis, but a detailed proof-of-concept with full reproduction steps is publicly documented in GitHub Security Advisory GHSA-cx9v-4qj2-jrw6, and a vendor-released patch is available in version 0.9.6.
Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels.3.7. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
: Missing Authorization vulnerability in Inisev Social Media & Share Icons allows Exploiting Incorrectly Configured Access Control Security Levels.8.6. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Open redirect in the browser-based Cisco Webex App allowed unauthenticated remote attackers to redirect users to attacker-controlled websites by crafting malicious URLs with manipulated parameters. The vulnerability (CWE-601) stems from improper input validation of URL parameters in HTTP requests and scores CVSS 4.3 Medium (AV:N/AC:L/PR:N/UI:R). Cisco has fully remediated this server-side with no customer action required; no public exploit or CISA KEV listing exists at time of analysis.
Outbound SSRF-class data exfiltration in Splunk AI Toolkit versions below 5.7.4 allows any low-privileged authenticated Splunk user - without admin or power roles - to redirect the AI agent's HTTP request mechanism to an attacker-controlled server. The root cause is an insecure default domain allowlist shipped with the toolkit that places no restrictions on which external domains the AI agent may contact. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low privilege barrier makes it broadly relevant in enterprise Splunk deployments with many standard users.
Insufficient authorization in the Katello ContentUploadsController within Red Hat Satellite 6 permits authenticated users holding only the edit_products permission to query content metadata for repositories belonging to products they have no rights to manage. The flaw, rooted in a missing ActiveRecord scope on repository lookup, allows cross-product content-existence enumeration via the content-upload API - but explicitly does not permit modification, import, or publication of content. No public exploit exists and the vulnerability is not listed in CISA KEV; risk is bounded by the authentication requirement and the limited read-only impact.
Missing Authorization vulnerability in Shareaholic allows Exploiting Incorrectly Configured Access Control Security Levels.7.11. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
{event_id}/update` endpoint validates write access only on the source calendar, silently omitting the destination `calendar_id` authorization check that `create_event` correctly enforces - a classic IDOR pattern. A verified public proof-of-concept exists against v0.9.4 (the official Docker image); the fix is available in v0.9.6. No CISA KEV listing was present in the input data, so widespread in-the-wild exploitation is unconfirmed.
Process-terminating denial of service in Deno's WebSocket client (versions <= 2.7.4) allows any server - or a network man-in-the-middle on an unencrypted ws:// connection - to crash a Deno application by returning non-visible-ASCII bytes (0x80-0xFF) in the Sec-WebSocket-Protocol or Sec-WebSocket-Extensions handshake response headers. The root cause is an unhandled Rust panic in the HTTP upgrade path: HeaderValue::to_str() returns an error for out-of-range bytes, and that error path was not caught, causing the entire Deno process to abort. No public exploit has been identified at time of analysis and this is not listed in the CISA KEV catalog; impact is strictly availability - the advisory explicitly states there is no information disclosure or memory-safety consequence.
Missing Authorization vulnerability in Jegstudio Startupzy startupzy allows Exploiting Incorrectly Configured Access Control Security Levels.1.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross-Site request forgery (CSRF) vulnerability in Andy Moyle Emergency Password Reset allows Cross Site Request Forgery.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site request forgery (CSRF) vulnerability in Extend Themes Skyline WP allows Cross Site Request Forgery.0.10. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Broken Access Control in Bricks Builder for WordPress (versions up to and including 2.1.4) allows subscriber-level authenticated users to perform actions that should be restricted to higher-privilege roles such as editor or administrator. Rooted in CWE-862 (Missing Authorization), the flaw means certain builder endpoints or AJAX actions execute without verifying whether the requesting user holds sufficient capabilities. No public exploit code identified at time of analysis, and this CVE is not listed in CISA KEV; however, the low authentication barrier (any registered subscriber) on sites with open registration increases realistic exposure.
Broken Access Control in MetForm Pro WordPress plugin (versions <= 3.9.1) permits subscriber-level authenticated users to perform actions restricted to higher-privileged roles, resulting in unauthorized low-level integrity modifications. The flaw stems from missing authorization checks (CWE-862) on one or more plugin endpoints or AJAX handlers accessible to the lowest standard WordPress role. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis, but the low attack complexity and network accessibility make this exploitable by any user with a valid WordPress subscriber account on an affected site.
Broken access control in WishList Member X WordPress plugin (versions ≤ 3.29.0) permits authenticated subscriber-level users to access membership-restricted content without holding the required membership tier. Rooted in CWE-862 (Missing Authorization), the plugin fails to enforce authorization checks on protected content access paths, exposing paid or restricted resources to the lowest WordPress authenticated role. No public exploit has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.
In multiple functions of btm_sec.cc, there is a possible way for an attacker to intercept SMS messages due to a logic error in the code. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
Insufficient policy enforcement in File System Access in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted PDF file. (Chromium security severity: High)
Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: High)