Response queue poisoning in Node.js http.Agent allows network-accessible attackers to corrupt the HTTP keep-alive connection pool via a TOCTOU race condition, causing responses to be delivered to the wrong request handler. Affected is Node.js v26.x prior to v26.3.1, as disclosed in the June 2026 security release. Exploitation requires high attack complexity due to the race window, and no public exploit has been identified at time of analysis; this is rated Low severity (CVSS 3.7) by the Node.js team.
Node.js permission model bypass via FileHandle.utimes() allows local low-privilege users to modify file timestamps on paths outside their permitted write scope. Affecting Node.js 26.x before v26.3.1, this flaw is only exploitable when the experimental permission model is explicitly enabled via --experimental-permission, substantially limiting exposure. No public exploit code or active exploitation has been identified at time of analysis, and the vendor-released patch (v26.3.1) is confirmed available as of 2026-06-18.
Node.js Permission Model fails to apply net scope guards to pipe open and chmod operations, enabling a local authenticated user to bypass intended access control boundaries enforced by the experimental Permission Model. Affected is Node.js v26.x prior to v26.3.1 (Current release line), disclosed in the June 2026 security release. Rated Low severity by the Node.js team; no public exploit identified at time of analysis and not listed in CISA KEV.
Insecure Direct Object Reference in the UsersWP WordPress plugin (versions through 1.2.63) allows authenticated editor-level users to permanently delete or reset the avatar and banner images of any WordPress user account, including site administrators, by supplying an arbitrary user_id parameter. The vulnerability lies in missing authorization validation on the user_id key within image management handlers across class-forms.php, class-userswp.php, and class-profile.php, directly manipulating the uwp_usermeta table. No public exploit has been identified at time of analysis, and real-world severity is constrained by the high-privilege authentication prerequisite.
Server-Side Request Forgery in Zitadel's outgoing HTTP subsystems - HTTP Notification Channel webhooks, OIDC BackChannel Logout endpoints, and SAML Metadata URL fetches - enables authenticated users with application configuration privileges to force the Zitadel server to issue HTTP requests to internal network addresses, loopback interfaces, and cloud metadata endpoints such as the link-local IMDSv1 address 169.254.169.254. The pre-existing denylist for the Actions subsystem was additionally bypassable via DNS rebinding (TOCTOU), HTTP redirect following, and HTTPS-to-HTTP protocol downgrade, and all three newly affected components lacked denylist coverage entirely. No public exploit code has been identified at time of analysis; however, the vulnerability was independently reported by 13+ researchers, and a vendor patch is available in v4.15.2 with no backport for the v3.x branch.
Hardcoded static credentials in Chef 360 prior to v1.7.0 exposed internal message queue infrastructure to unauthorized network access, disclosing tenant-specific identifiers across the multi-tenant platform. The credential was embedded in the product itself, making it accessible to any party with possession of the software. Progress Chef confirmed the issue and eliminated the static credential entirely in v1.7.0 by replacing it with per-tenant access controls. No public exploit identified at time of analysis, though the CVSS 4.0 supplemental vector flags this as automatable (AU:Y) with proof-of-concept exploit maturity (E:P), elevating its realistic urgency beyond the low base score of 2.3.
Cross-tenant user record leakage in ZITADEL versions 4.0.0-4.15.1 and 3.0.0-3.4.11 allows an organization administrator to inadvertently gain full access to a user record provisioned in a different tenant due to stale aggregate-ID ownership mappings persisting in the event store after user deletion. When a new user is later provisioned in a separate organization using the same ID as a previously deleted user, the event store's owner-resolution logic retrieves the original organization's mapping and incorrectly routes all new provisioning events there. No public exploit has been identified, CISA KEV listing is absent, and the vendor explicitly characterizes this as a non-targetable, low-practical-risk multi-tenancy isolation anomaly that cannot be forced or automated by a malicious actor.
OpenFGA's authorization Check API returns incorrect results when MySQL is configured as the datastore and authorization policies depend on case-sensitive user string differentiation. MySQL's default case-insensitive collations cause two distinct user identifiers - identical except for letter casing - to match the same stored authorization tuple, producing an 'allowed' response for a user identity that should be denied. This constitutes an improper policy enforcement flaw (GHSA-cf98-j28v-49v6) that can silently bypass fine-grained access controls in any deployment meeting the two required preconditions. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Reflected XSS in LAN Management System (LMS) before commit 9c5651b allows network-positioned attackers to inject arbitrary JavaScript into the browsers of authenticated LMS users by crafting malicious links targeting the `dbrecover.php` and `netremap.php` modules. The `db`, `id`, and `mapto` GET parameters were directly concatenated into HTML anchor elements without sanitization, as confirmed by the upstream commit diff. No public exploit has been identified at time of analysis, exploitation is not confirmed in CISA KEV, and the CVSS 4.0 score of 2.1 reflects genuinely constrained impact due to the required victim interaction and specific attack preconditions.
Pre-NVD disclosure via GitHub release '2026-06-18, Version 26.3.1 (Current), @aduh95' (nodejs/node). This is a security release. * (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High * (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High * (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium * (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium * (CVE-2026-48928) tls: fix case-sensitive SNI context matching
Credential exposure in pghoard (Aiven's PostgreSQL backup tool) causes database usernames and passwords sourced from .pgpass files to be written in plaintext to debug-level logs. Versions up to and including 2.1.0 are affected per CPE data, though the vendor advisory specifies the fix lands in 2.7.1. Any party with read access to debug log output - including operators, centralized log aggregation systems, or co-tenants in shared logging pipelines - can recover full database credentials. No public exploit code or CISA KEV listing exists at time of analysis, but the straightforward nature of the disclosure (passive credential leakage) makes exploitation trivially easy once log access is obtained.