Uncaught Exception in ts-deepmerge before 8.0.0 allows unauthenticated remote attackers to crash Node.js applications by supplying JSON payloads that contain Object.prototype method names (e.g., toString, valueOf) mapped to non-function values, causing any subsequent string-context operation on the merged object to throw a TypeError. The vulnerability is distinct from classic prototype pollution - it does not escalate privileges or leak data, but reliably corrupts the merged object's callable methods, making DoS trivially achievable against any network-exposed merge endpoint that accepts untrusted input. A public proof-of-concept exists (GitHub Gist, Snyk SNYK-JS-TSDEEPMERGE-17339141), and the CVSS 4.0 E:P supplemental metric confirms exploit code is available; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
Integer overflow in QEMU's virtio-snd virtual sound device allows a malicious guest VM to trigger unbounded host memory allocation by supplying out-of-bounds stream counts via PCM_INFO requests, resulting in a host-side denial of service. Affected deployments are those where QEMU exposes the virtio-snd device to guest VMs - particularly relevant in multi-tenant or cloud virtualization environments where guest workloads may be untrusted. No public exploit code and no active exploitation (CISA KEV) has been identified at the time of this analysis; the CVSS 5.5 Medium score reflects the constrained local attack vector.
Cross-site scripting in Microsoft Edge (Chromium-based) allows an authenticated remote attacker to perform spoofing attacks against users over a network. The flaw stems from improper neutralization of input during web page generation (CWE-79), and while CVSS rates impact as high across confidentiality, integrity, and availability, no public exploit identified at time of analysis.
Server-Side Request Forgery in Mercator's CVE configuration panel allows authenticated users holding the low-privilege 'configure' permission to coerce the application server into issuing arbitrary outbound network requests to any internal or external host. Affected versions prior to 2025.05.19 pass user-supplied URLs directly to curl_init() in ConfigurationController::testProvider() with no scheme, hostname, or private-IP validation; the intended /api/dbInfo suffix restriction is trivially defeated by appending a # fragment character, granting full URL control. Support for the telnet:// scheme enables internal TCP port scanning, while gopher:// permits raw protocol-level interaction with unauthenticated internal services such as Redis and Memcached, creating a realistic path to Remote Code Execution on those systems under common deployment conditions. No public exploit code or CISA KEV listing has been identified at time of analysis.
Memory exhaustion via maliciously crafted container image in containerd causes an OOM kill of the containerd process, rendering the container runtime API unavailable and disrupting orchestration layers including Docker Engine and Kubernetes control-plane components. CVE-2026-47262 is rated Moderate by the containerd project - lower than the four co-patched Critical/High CVEs - and is fixed across the full active supported release tree in versions 2.3.2, 2.2.5, 2.1.9, 2.0.10, and 1.7.33. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Authentication bypass in Apache APISIX 3.0.0 through 3.16.0 allows a network-accessible attacker holding valid credentials from an alternate CAS (Central Authentication Service) source to authenticate against routes protected by the cas-auth plugin, circumventing intended access controls on protected backend APIs. The flaw, rooted in insufficient credential-origin validation within the cas-auth plugin (CWE-287), enables a credential confusion attack across identity sources - potentially granting unauthorized access to downstream systems the gateway is meant to protect. No public exploit code or CISA KEV listing exists at time of analysis; Apache has released version 3.17.0 as the confirmed fix.
Path traversal in the YARD Ruby documentation server (prior to 0.9.44) allows unauthenticated remote attackers to read arbitrary `.html` files from directories outside the configured document root by supplying crafted `../`-containing request paths such as `/../yard-cache-secret.html`. The flaw exists because the static cache lookup in `StaticCaching#check_static_cache` constructs a filesystem path from the raw `request.path` before the router's own path-sanitization logic runs, enabling traversal to sibling directories. No active exploitation has been identified (not in CISA KEV) and no public POC exists at time of analysis; the vendor-released fix is version 0.9.44.
Incorrect authorization in the Apache APISIX authz-casdoor plugin allows a network-authenticated attacker to cross-authenticate using credentials from a different identity source, effectively bypassing the intended authorization boundary. Affected versions span 2.14.1 through 3.16.0, covering a wide deployment surface for this popular open-source API gateway. The CVSS 4.0 vector signals no direct impact to APISIX itself but high confidentiality and integrity impact on subsequent systems - the upstream APIs and services the gateway is meant to protect. No public exploit code or CISA KEV listing has been identified at time of analysis.
DOM-based cross-site scripting in Microchip's GridTime 3000 GNSS Time Server allows an authenticated attacker to inject malicious JavaScript through the device's password reset form, executing arbitrary script in the browser context of any user who subsequently loads the affected page. The vulnerability spans versions 1.0r0.03 through all releases before 1.2r0.0. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis; however, the network-accessible web interface and low-privilege authentication requirement make this exploitable in typical enterprise or utility network deployments where the device's management UI is reachable.
Open redirect in Microchip's GridTime 3000 GNSS Time Server allows authenticated low-privilege users to manipulate the post-submission redirect destination of the password change form, enabling phishing and credential harvesting attacks against administrators. All firmware versions from 1.0r0.03 through 1.1r0.0 are confirmed affected per vendor self-disclosure. No public exploit code exists and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis.
Authorization bypass in the WP Go Maps WordPress plugin (all versions up to and including 10.1.01) permits unauthenticated remote attackers to insert arbitrary records into plugin-managed database tables - maps, markers, circles, polygons, polylines, rectangles, and point labels - by exploiting a race condition between namespace validation and query execution in the plugin's REST API. The flaw exists because the WPGMZA prefix check in the phpClass parameter validation passes for legitimate plugin classes such as WPGMZA\Map and WPGMZA\Marker, which trigger a SQL INSERT into the corresponding table before the route rejects the request. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the unauthenticated network vector and low attack complexity make it trivially abusable against the wide WordPress install base.
Stack memory disclosure in the Oj RubyGem (all versions before 3.17.3) allows remote unauthenticated callers to recover uninitialized process stack contents by supplying a JSON object with keys of 254 bytes or longer to `Oj.load` in `:object` mode. The root cause is a copy-paste defect in `ext/oj/intern.c` where `form_attr()` allocates and fills a correct heap buffer `b` but then erroneously passes the uninitialized 256-byte stack buffer `buf` to `rb_intern3()`, causing leaked bytes to surface in the returned Symbol or an `EncodingError` message. A proof-of-concept is publicly available in the GHSA advisory; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
Identity header spoofing in Apache APISIX's openid-connect plugin (versions 2.3 through 3.16.0) enables low-privileged network attackers to bypass authentication controls and gain unauthorized access to protected upstream resources. The plugin, under its default configuration, fails to strip or validate incoming identity-bearing HTTP headers presented by clients before forwarding requests to backend services, allowing an attacker to inject arbitrary identity claims. No public exploit code or confirmed active exploitation (CISA KEV) has been identified at time of analysis, but the network-exploitable nature and high impact on subsequent systems (SC:H/SI:H in CVSS 4.0) elevate this beyond its moderate overall score.
Unauthenticated callers can trigger server-side request forgery against NL Portal Backend Libraries (nl.nl-portal:form versions 1.1.0.RELEASE through 3.0.3) by invoking the public GraphQL resolvers `getFormDefinitionByObjectenApiUrl` or `getFormDefinitionById`, causing the backend to issue outbound HTTP requests bearing a privileged Objecten-API `Authorization: Token` header to a caller-influenced URL on the configured Objecten-API host. The SSRF is constrained to the same configured host by a host-equality guard, and arbitrary data disclosure is further limited by strict typed deserialization in Kotlin, which keeps practical real-world impact at Medium despite unauthenticated network access. A lab proof-of-concept was confirmed by the reporter against the real Spring WebFlux stack; no public exploit code has been independently identified and the vulnerability is not listed in CISA KEV.
OAuth2 credential exposure in the jleehr/canto-saas-api PHP Composer library (versions ≤ 2.0.0) allows any party with read access to web server logs, proxy logs, APM traces, or error tracking platforms to harvest Canto app_secret, refresh_token, and authorization code values in plaintext. The library violates RFC 6749 §2.3.1 by transmitting these credentials as URL query parameters on POST requests to the Canto OAuth token endpoint, rather than in the form-encoded POST body - causing them to be recorded by default in virtually every HTTP logging layer. A second exposure path exists through failed token requests: Guzzle exception messages containing the full credential-laden URI were propagated unmodified into AuthorizationFailedException, meaning error trackers such as Sentry may also have captured these secrets. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Path traversal in AIL Framework's `/objects/item/diff` endpoint exposes gzip-compressed server-side files to authenticated users. The Flask blueprint route in `var/www/blueprints/objects_item.py` accepted arbitrary item identifiers via `s1` and `s2` query parameters and attempted to read and compare their contents without first verifying they resolved to legitimate AIL objects, enabling directory traversal sequences to escape the items directory. No active exploitation has been identified at time of analysis; CIRCL reported the issue and an upstream fix is available via a GitHub commit.
Unauthorized subscription data exposure in the 2Download Connector for 2DL Hosted Checkout WordPress plugin allows unauthenticated network attackers to read arbitrary customers' subscription records - including subscription status, product names, order IDs, purchase dates, and expiry dates - across all versions up to and including 0.1.5. The root cause is a missing authorization check in the plugin's shortcode handlers (Shortcodes.php), meaning any unauthenticated HTTP request can trigger the data-retrieval logic without identity verification. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Unauthenticated REST API webhook manipulation in the STRABL checkout plugin for WordPress (all versions through 4.5) allows any remote attacker to commit payment fraud, manipulate WooCommerce order states, create customer-role user accounts, issue arbitrary refunds, cancel orders, and apply chargeback fees - all without credentials or payment. The root cause is a WordPress REST endpoint registered at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which bypasses all authentication by design. No public exploit code or KEV listing is confirmed at time of analysis, but the vulnerability is trivially exploitable given the open endpoint and well-documented attack surface.
Unauthenticated personal data exfiltration in WP DSGVO Tools (GDPR) plugin for WordPress (≤3.1.39) allows any remote attacker to trigger immediate Subject Access Request (SAR) fulfillment for an arbitrary victim email, receiving tokenized download links in the HTTP response that expose WordPress account details, comment history, email addresses, and IP addresses. The plugin's CSRF nonce - the only gate protecting this action - is publicly rendered by the SAR shortcode form and shared across all anonymous visitors, rendering it entirely ineffective as an access control mechanism. No active exploitation is confirmed (not in CISA KEV) and no public POC is confirmed at time of analysis, though the Wordfence advisory includes direct source code references identifying the exact vulnerable code paths.
Cross-site scripting in Microchip GridTime 3000 GNSS Time Server (versions 1.0r0.03 through 1.1r0.0) permits authenticated low-privilege attackers to inject and execute malicious scripts in the browser sessions of higher-privileged users via a CSRF-to-XSS attack chain. The CVSS 4.0 Threat metric E:A signals active exploitation has been reported by the vendor, elevating urgency beyond what the 5.1 base score alone implies. Despite limited per-impact ratings, compromise of the web management interface of a critical time-synchronization appliance carries downstream risk to time-dependent infrastructure.
Path traversal in MicroCeph's remote-import API allows enrolled cluster members or join token holders to manipulate files within the `/var/snap/microceph` snap confinement boundary, enabling daemon disruption and cluster state pollution across the squid and tentacle release tracks. The root cause is missing input validation on `name` and `LocalName` parameters in `cmdRemotePut`, permitting `..` sequences to reach unintended directories. No public exploit has been identified at time of analysis; an upstream fix exists as GitHub PR #758 with no confirmed tagged snap release.
Arbitrary file read via path traversal in the Woosa - Marktplaats for WooCommerce WordPress plugin (versions up to and including 2.0.4) permits authenticated WordPress administrators to escape the plugin's log directory and access any file readable by the web server process, including the sensitive wp-config.php file. The flaw exists in the render_logs_ui() function within class-module-logger-hook-settings.php, which decodes a base64-supplied filename from the log_file GET parameter and concatenates it with the log directory path without any boundary enforcement. No public exploit code or active exploitation has been identified at time of analysis; the attack surface is meaningfully constrained by the Administrator-level privilege requirement (PR:H), though successful exploitation could cascade into full site compromise via exposed database credentials.
Use-after-free in libexpat before 2.8.2 allows memory corruption when XML_ResumeParser is called from within a handler callback during a policy-violation scenario. The missing call-depth guard permits re-entrant parser invocation, leaving dangling pointers in the parser's internal heap state and enabling potential information disclosure or memory corruption with low confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis, and the high attack complexity (AC:H) reflects the specific re-entrant handler pattern required to trigger the flaw.
CRLF injection in guzzlehttp/psr7 (all versions prior to 2.12.1) enables header injection, response splitting, request smuggling, or cache poisoning when attacker-controlled data reaches the HTTP start-line fields - request method, protocol version, or response reason phrase - and the resulting PSR-7 object is serialized to raw HTTP/1.x. The vulnerability is confined to the serialization pathway: standard Guzzle HTTP client usage is explicitly not affected, but proxies, crawlers, webhook delivery systems, and custom transports that call `Message::toString()`, `Message::parseRequest()`, or `Message::parseResponse()` and re-emit the raw bytes are at direct risk. No public exploit has been identified at time of analysis, and the vendor has released a confirmed patch in version 2.12.1.
Unencoded path variable injection in `jleehr/canto-saas-api` (versions ≤ 2.0.0) allows URL path traversal sequences and delimiter characters to alter the destination endpoint of outbound API requests constructed by `Request::buildRequestUrl()`. When a consuming PHP application passes untrusted user input directly as path variables - such as `scheme` or `contentId` in `GetContentDetailsRequest` - characters including `../`, `?`, and `#` are inserted verbatim, silently redirecting the request to an unintended Canto API endpoint. Because the Bearer access token is unconditionally appended in `AbstractEndpoint::sendRequest()`, every such redirected request carries full application credentials, enabling unintended reads or writes scoped to the configured app's privileges. No public exploit has been identified at time of analysis, and exploitation is conditional on the consuming application's input-handling design.
Access token exposure in Microchip's GridTime 3000 GNSS Time Server (versions 1.0r0.03 through 1.1r0.0) leaks authentication credentials via URL query parameters on certain management endpoints. Any party capable of observing network traffic, server access logs, HTTP Referer headers, or browser history during a high-privilege administrator session can harvest the exposed token and subsequently impersonate that session. The vendor-supplied CVSS 4.0 vector includes E:A (Exploit Maturity: Attacked), indicating that exploitation activity has been observed in the field, elevating practical urgency beyond what the moderate base score alone implies.
Authentication bypass in CoreWCF.UnixDomainSocket (NuGet) allows local OS users to invoke service operations without completing the required POSIX identity security upgrade, rendering framing-layer identity checks ineffective. Services using UnixDomainSocketBinding with Security.Mode = TransportCredentialOnly and ClientCredentialType = PosixIdentity are affected - the server dispatches messages before the application/unixposix stream upgrade is performed, meaning the caller's identity resolves as anonymous or unintended. No public exploit code has been identified and this is not listed in CISA KEV; however, the flaw is a complete bypass of the sole authentication mechanism for this binding configuration.
Stored XSS in Outerbase Studio's Text Widget (npm/@outerbase/studio <= 0.10.2) allowed arbitrary HTML injection through React's dangerouslySetInnerHTML, enabling script execution in any user who viewed a malicious dashboard. The real-world severity is substantially reduced from legacy disclosures: Outerbase Cloud was discontinued in 2025, leaving the application as a purely client-side tool with no backend, no shared sessions, and no persistent authentication tokens - eliminating the originally described token-theft and account-takeover scenarios. No public exploit identified at time of analysis, though the advisory itself contains a functional reproduction payload.
Stored Cross-Site Scripting in the Blocksy Companion WordPress plugin (all versions through 2.1.45) enables authenticated users with editor-level privileges or above to inject persistent JavaScript payloads via admin settings in the product-reviews extension, executing silently in any site visitor's browser on page load. Exploitation is gated by two mandatory deployment conditions - WordPress multisite networks or installations where unfiltered_html has been explicitly disabled - materially narrowing the real-world attack surface beyond what the network-accessible CVSS vector alone implies. No public exploit has been identified and this CVE does not appear in the CISA KEV catalog at time of analysis; an upstream patch commit (changeset 3576066) exists but the exact fixed release version is not independently confirmed from available data.
Unbounded heap growth in libde265 prior to version 1.0.20 allows remote attackers to exhaust process memory by delivering a crafted H.265 bitstream, resulting in denial of service. The flaw in `decoder_context::read_slice_NAL()` (decctx.cc:481) unconditionally attaches slice segment headers to finished picture objects regardless of whether an active image unit exists; in continuous streaming contexts these headers are never freed, enabling attacker-controlled memory accumulation without bound. No active exploitation is confirmed (not listed in CISA KEV) and no public POC has been identified at time of analysis, but the network-accessible, no-privileges-required vector makes any application consuming untrusted H.265 content an exposure surface.
Unauthorized resource disclosure in Statamic CMS allows any authenticated Control Panel user to read metadata and content for entries, assets, users, roles, and groups beyond their assigned permissions. All v5 releases prior to 5.73.23 and all v6 releases prior to 6.20.0 are affected. Exploitation is read-only - no data can be modified - and no public exploit has been identified at time of analysis, but the flaw is significant for multi-tenant deployments relying on Statamic's role-based access controls to segregate content.
Sensitive information exposure in the Bogo WordPress plugin through version 3.9.1 allows authenticated users with subscriber-level access to extract the raw title, body content, excerpt, and password of any private, draft, or password-protected post by abusing the translation duplication endpoint. The REST API handler bogo_rest_create_post_translation enforced only a locale-access capability check, which all authenticated users can satisfy, and returned raw post field values in the API response without verifying whether the requestor had read or edit rights over the source content. No public exploit code or active exploitation (CISA KEV) is confirmed at time of analysis, though the attack path is straightforward for any authenticated WordPress user.
Missing authorization in the Classified Listing WordPress plugin (versions through 5.4.2) allows authenticated attackers with Subscriber-level accounts to overwrite the featured image of any listing on the site, regardless of ownership. The vulnerability originates in the rtcl_fb_gallery_image_update_as_feature AJAX handler, which accepts arbitrary user-supplied listing IDs and attachment IDs while relying solely on a nonce that is freely accessible to all logged-in frontend users - providing no meaningful access barrier for low-privilege accounts. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in CISA KEV.
Cross-Site Request Forgery in the User Admin Simplifier WordPress plugin (all versions up to and including 3.0.0) enables unauthenticated remote attackers to permanently delete any user's stored admin menu and admin-bar configuration by tricking a logged-in site administrator into submitting a forged request. The flaw exists because the `useradminsimplifier_options_page` function performs no valid nonce check before invoking `uas_save_admin_options()`, which unconditionally overwrites the `useradminsimplifier_options` database entry. No public exploit code has been identified at time of analysis, and this CVE does not appear in CISA's Known Exploited Vulnerabilities catalog.
Open redirect bypass in Miniflux v2 (versions <= 2.3.0) enables unauthenticated remote attackers to redirect victims to arbitrary external URLs by exploiting a backslash normalization discrepancy between server-side URL validation and browser behavior. The self-hosted RSS reader's login handler accepts a redirect_url parameter validated by an IsRelativePath function that blocks // prefixes but permits /\attacker.com - a string that all major browsers (Chrome, Firefox, Safari, Edge, as indicated by advisory tags) silently normalize to //attacker.com during HTTP Location header processing. A publicly documented proof-of-concept is available via GHSA-m999-j542-5w3r; no active exploitation has been confirmed in CISA KEV at time of analysis.
Symlink-chain path traversal in the go.qbee.io/transport library's extractTar routine allows a crafted tar archive to write or overwrite files one directory level above the intended extraction path. Applications using this library with elevated privileges - specifically qbee-agent, which runs as root - face the most severe impact, as exploitation enables root-privileged arbitrary file writes outside the extraction sandbox. No public exploit is identified at time of analysis; vendor-released patch v1.26.25 resolves the issue.
Craft Commerce's CartController exposes a coupon code brute-force vector by conditionally applying rate limiting only when the 'number' parameter is present in a request. Unauthenticated attackers targeting the session-based cart endpoint can omit the 'number' parameter entirely, bypassing IP-based rate limiting and submitting unlimited coupon code guesses via automated requests. Affected versions span the entire 4.x line through 4.11.1 and the 5.x line through 5.6.4; a proof-of-concept is referenced in the advisory, and no public exploit identified at time of analysis beyond the disclosed PoC reproduction steps.
Stored cross-site scripting in symfony/ux-autocomplete allows an attacker who can write user-controlled data to an AJAX autocomplete endpoint to execute arbitrary JavaScript in the browser of any user who subsequently loads a page containing an affected autocomplete widget. The Stimulus controller's `_createAutocompleteWithRemoteData()` function interpolates the `text` field from AJAX responses directly into HTML template literals without sanitization, causing the browser to parse and execute embedded markup. The vulnerability affects composer package versions 2.2.0-2.36.0 and 3.0.0-3.1.0; a vendor-released patch is available, and no active exploitation has been confirmed (not in CISA KEV).
Unescaped SQL LIKE wildcards in symfony/ux-autocomplete allow unauthenticated network attackers to turn the autocomplete endpoint into a broad data matcher or blind boolean oracle against all entity columns. Because BaseEntityAutocompleteType defaults to security => false and searchable_fields defaults to all entity properties, versions >= 2.2.0 < 2.36.0 and >= 3.0.0 < 3.1.0 expose potentially sensitive entity data to any caller who sends % or _ as the query parameter. No public exploit has been identified at time of analysis, but the attack requires only standard HTTP tooling; patches are available in 2.36.0 and 3.1.0.
Cross-site scripting in symfony/ux-live-component allows network-accessible attackers to inject arbitrary HTML - including script tags - into re-rendered Live Component responses by supplying a malicious tag name via client-controlled JSON. Affected versions span composer/symfony/ux-live-component >= 2.8.0 < 2.36.0 and >= 3.0.0 < 3.1.0. Direct exploitation is constrained to applications with permissive CORS or same-origin pivot contexts; under default configuration the required Accept header provides partial protection that makes this a defense-in-depth gap rather than an immediately weaponizable internet-wide threat. No public exploit and no CISA KEV listing are confirmed at time of analysis.
Business logic bypass in Symfony UX LiveComponent (symfony/ux-live-component) allows any client to manipulate writable `#[LiveProp]` date fields to arbitrary points in time by submitting relative PHP date strings such as '+10 years' or 'tomorrow' - inputs the application would never generate legitimately. Applications that gate time-sensitive features (trial periods, discount windows, scheduling logic, subscription expiry) on these date props are exposed to unauthorized temporal state manipulation. No public exploit has been identified and no CVSS has been assigned by the vendor, but the attack surface exists wherever writable format-less DateTimeInterface props are present in security-relevant components.