Privilege escalation in Microsoft Azure Synapse (the cloud analytics service) allows an already-authorized, low-privileged attacker to elevate their privileges over the network, gaining high confidentiality, integrity, and availability impact (CVSS 8.8). The root cause is a component executing with unnecessary privileges (CWE-250), letting a tenant or workspace user with limited rights break out to a higher trust level. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.50%), with CISA SSVC marking exploitation status as 'none.'
Privilege elevation in Microsoft 365 Copilot's Business Chat is possible when an attacker abuses an open redirect (CWE-601) to coerce a victim into following a crafted link that lands on an attacker-controlled site. With a CVSS 3.1 base score of 8.8 and high impact across confidentiality, integrity, and availability, successful exploitation lets an unauthorized remote attacker elevate privileges over the network after user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Privilege escalation in JetBrains Hub (versions prior to 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, and 2024.2.148429) allows an authenticated attacker to attach additional authentication details to existing accounts, enabling unauthorized access and elevation of privileges. The flaw, self-reported by JetBrains and patched, carries a CVSS 8.8 with high impact to confidentiality, integrity, and availability; no public exploit is identified at time of analysis and EPSS exploitation probability is low (0.41%).
Missing authentication in line-desktop-mcp prior to 1.1.2 lets any network-reachable client invoke MCP tools that read LINE chat history and send messages through the logged-in LINE Desktop application. When started with --http-mode, the server binds 0.0.0.0 and exposes /mcp without an MCP-layer auth check, enabling unauthenticated remote abuse. No public exploit identified at time of analysis, but the fix (1.1.2) and commit are public, making reconstruction trivial.
Cedar policy injection in CedarJava (com.cedarpolicy:cedar-java) versions below 2.3.6, 3.4.1, and 4.9.0 allows attackers to alter authorization outcomes by smuggling Cedar expressions through unescaped string values. The flaw is in toCedarExpr() on Cedar Value types, which fails to escape quote and backslash characters when serializing user-controlled values into policy text. No public exploit identified at time of analysis, but the integrity impact is severe because injected fragments like '|| true' can neutralize permit/forbid logic in fine-grained authorization decisions.
Remote code execution in JetBrains GoLand before 2026.1.3 lets an attacker run arbitrary code on a developer's machine when the victim opens a maliciously crafted project whose configuration is untrusted. The flaw, reported by JetBrains itself and assigned CVSS 8.8 with high confidentiality, integrity, and availability impact, requires the user to open the booby-trapped project (UI:R) but no prior authentication on the IDE. There is no public exploit identified at time of analysis, and the EPSS probability is low at 0.21% (11th percentile).
Type confusion in CedarJava versions prior to 2.3.6, 3.4.1, and 4.9 allows authenticated remote attackers to manipulate authorization decisions by injecting reserved JSON keys (`__entity` or `__extn`) into CedarMap objects built from attacker-controlled input. When an integrating service constructs a CedarMap from caller-supplied data such as headers, metadata, or resource tags, the Rust cedar-policy evaluator can be tricked into interpreting a record as an entity reference, undermining fine-grained authorization. No public exploit identified at time of analysis, but the CVSS 8.8 rating reflects high impact on confidentiality, integrity, and availability of authorization outcomes.
Denial of service in NI grpc-device 2.17.0 and prior allows remote unauthenticated attackers to crash the data moniker service by submitting an unknown value that triggers a NULL pointer dereference. The flaw also impacts deployments embedding the server via NI InstrumentStudio. No public exploit is identified at time of analysis, though the CVSS 4.0 base score of 8.7 reflects high availability impact reachable over the network without privileges.
Remote denial of service in NI grpc-device 2.17.0 and earlier allows unauthenticated network attackers to crash the streaming API by sending a specially crafted write request that triggers an out-of-bounds read (CWE-125). The flaw was reported by NI itself and is documented in both an NI security bulletin and a GitHub security advisory (GHSA-8rjh-429j-f6gw); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Denial of service in py7zr (a pure-Python 7-Zip library) versions 1.1.2 and earlier lets a remote, unauthenticated attacker exhaust CPU with a tiny crafted .7z archive. The flaw is in header parsing (PackInfo._read), so merely opening the archive with SevenZipFile() - no extraction - triggers the cost; a ~50 KB file consumes roughly 7 seconds of CPU. Publicly available exploit code exists (PoC published in the GHSA advisory), but there is no active exploitation identified and it is not listed in CISA KEV.
Denial-of-service via decompression bomb in py7zr, the pure-Python 7-Zip library, affects all versions up to and including 1.1.2. The library's Worker.decompress() writes extracted data to disk or memory without tracking cumulative decompressed size, so a tiny crafted .7z (demonstrated at a 6,556:1 ratio - 15.6 KB expanding to 100 MB) can exhaust disk or RAM on any application that extracts untrusted archives. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), but the issue is not listed in CISA KEV; CVSS 4.0 rates it 8.7 (High) with pure availability impact.
Cross-tenant billing log tampering in Capgo (Cap-go/capgo) before 12.128.2 allows unauthenticated attackers holding only the public Supabase publishable anon key to insert or overwrite build_logs rows for arbitrary organizations via the SECURITY DEFINER PostgREST RPC public.record_build_time. Because the function is granted to the anon role and uses ON CONFLICT (build_id, org_id) DO UPDATE, attackers can inflate or alter another tenant's billable build time, producing financial-impact denial of service. No public exploit identified at time of analysis, though the vendor advisory (GHSA-42xj-3h9w-26h5) and a VulnCheck write-up describe the attack path in detail.
Privilege escalation in Flexera FlexNet Manager Suite 2025 R1 allows an authenticated user holding only read-only access to account settings to elevate themselves to full Administrator. The flaw is a server-side access-control failure (CWE-284) reachable over the network with low privileges and no user interaction, scoring CVSS 4.0 8.7. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any wiki user to inject arbitrary HTML and JavaScript into rendered pages by abusing the unsanitized class attribute on embed tags such as <youtube>. Because the user-supplied class is concatenated into an HTML template via sprintf without escaping, an attacker can break out of the class attribute and execute script in the context of every visitor that views the page. No public exploit identified at time of analysis beyond the advisory's own PoC, and the issue is not listed in CISA KEV.
Authenticated OS command injection in SIMA GmbH Bondix Server through 1.25.7.5 on Linux allows an attacker with configuration write privileges to execute arbitrary operating-system commands by supplying crafted values in the environment and tunnel configuration that are passed unsanitized to server-side scripts. The flaw was reported by NCSC.ch and carries a CVSS 4.0 base score of 8.6 (High); no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Remote denial-of-service in Hitachi Virtual Storage Platform (VSP) enterprise storage arrays allows unauthenticated network attackers to disrupt availability through the 10G iSCSI interface across a wide swath of VSP families including E-series, G/F-series, 5000-series, and legacy G1000/G1500/F1500 platforms. The flaw maps to CWE-770 (uncontrolled resource consumption) and carries a CVSS 3.1 base score of 8.6 with a scope-change indicator, meaning impact extends beyond the iSCSI front-end channel to dependent storage services. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Command injection in the @cyclonedx/cyclonedx-npm SBOM generator (versions >= 2.1.0, < 5.0.0) lets an attacker who controls the value passed to the --workspace CLI option execute arbitrary OS commands when the npm_execpath environment variable is unset or empty. In that fallback path the tool spawns a subshell and interpolates the workspace value into a command string without escaping, so shell metacharacters break out of the intended context and run with the invoking user's privileges. No public exploit identified at time of analysis, though the vendor fix PR ships a proof-of-concept-style regression test; the issue is not listed in CISA KEV and no EPSS score was provided.
Kubernetes device-plugin and resource-allocation enforcement can be bypassed in containerd by a namespace user holding pod-creation rights, who restores a container from a maliciously crafted checkpoint image. The CRI restore path trusts Container Device Interface (CDI) annotations embedded in untrusted checkpoint metadata instead of the pod's create-time spec, letting the attacker smuggle arbitrary CDI edits (host device nodes and mounts) into the restored container. It affects containerd v2.1.0-2.1.8, v2.2.0-2.2.4 and v2.3.0-2.3.1; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Sensitive information disclosure in the Tilt HUD server (Go package github.com/tilt-dev/tilt, versions >= 0.19.5 through <= 0.37.3) lets an unauthenticated network caller read live process memory via unprotected net/http/pprof endpoints mounted under /debug, harvesting the session token (Tilt-Token cookie) and the apiserver loopback bearer token, and hold the process under CPU profiling or tracing to degrade performance. Exploitation requires the HUD or apiserver listener to be bound to a non-loopback address (tilt up --host 0.0.0.0 or TILT_HOST set); the default loopback-only bind is not remotely reachable. No public exploit identified at time of analysis, and this is not in CISA KEV; a vendor patch (v0.37.4) is available.
Cross-site WebSocket hijacking in Tilt (the tilt-dev Kubernetes development tool) versions 0.24.0 through 0.37.3 lets a network-adjacent attacker read the developer's entire HUD view stream when the HUD is bound to a non-loopback address. The intended anti-CSWSH protection fails because the gating CSRF token is served by an unauthenticated endpoint and the WebSocket upgrader also accepts any client that omits an Origin header. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; exposure is limited to non-default deployments that bind the listener beyond localhost.
Denial of service in the concurrent-ruby gem (versions through 1.3.6) allows attackers to cause CPU exhaustion and permanent thread hangs by forcing an externally-derived numeric value stored in a Concurrent::AtomicReference to become Float::NAN. Because Ruby evaluates Float::NAN == Float::NAN as false, any subsequent call to AtomicReference#update livelocks - endlessly re-running the caller's block and pinning a CPU core, as the included reporter PoC demonstrates (over 1.9 million spin iterations in 250 ms). Publicly available exploit code exists; there is no public exploit identified as being used in active attacks, and the issue is not listed in CISA KEV.
Arbitrary host file disclosure in containerd's CRI plugin lets an attacker read any file on the Kubernetes node via `kubectl logs` because the plugin restores `container.log` from a checkpoint image while blindly following a symlinked path. All containerd 2.x branches before 2.1.9, 2.2.5, and 2.3.2 are affected wherever container checkpoint/restore (CRIU-based) is used. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the flaw was independently reported by numerous researchers and a vendor patch is available.
Shell command injection in pontedilana/php-weasyprint prior to 2.5.1 allows code execution as the PHP process when the WeasyPrint binary path is sourced from configuration, environment variables, or per-tenant settings. The library's buildCommand() inverted the order of escapeshellarg() and is_executable(), turning the 'safe' branch into dead code and passing the raw binary string into Symfony Process::fromShellCommandline(). No public exploit identified at time of analysis, but a PoC for the identical KnpLabs/snappy precursor flaw (GHSA-vpr4-p6fq-85jc) is published and directly applicable.
Authentication bypass in OpenFGA versions 1.17.1 and earlier allows a validly-signed JWT issued for an unrelated service to authenticate to OpenFGA, because the OIDC authenticator silently skipped JWT audience (aud) validation whenever authn.oidc.audience was left unset. Any deployment using authn.method=oidc with a configured issuer but no configured audience trusts every token minted by that issuer, so an attacker holding a legitimate token for a different service behind the same identity provider gains full access to OpenFGA's authorization data. There is no public exploit identified at time of analysis and EPSS is low (0.30%, 22nd percentile), but the CVSS 8.1 rating reflects the high confidentiality and integrity impact on a system that governs fine-grained authorization decisions.
Arbitrary file write in gonic music streaming server prior to v0.21.0 allows any authenticated Subsonic user - including non-admin accounts - to write attacker-controlled M3U playlist content to any absolute filesystem path on the host, while also creating intermediate directories with world-writable 0o777 permissions. The flaw stems from an unreachable guard clause in ServeCreateOrUpdatePlaylist combined with missing path containment in Store.Write. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-4gxv-p5g5-j7w7 documents the issue and a fix is available.
Authorization bypass in doobidoo mcp-memory-service prior to 10.65.3 lets OAuth clients with only the read scope invoke mutating MCP tools such as store_memory and delete_memory via the /mcp JSON-RPC endpoint, despite the equivalent REST endpoints correctly enforcing the write scope. Authenticated read-only clients can therefore tamper with or destroy memory entries used by downstream AI applications. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
PHAR deserialization in PhpWeasyPrint versions prior to 2.6.0 allows remote code execution by bypassing the case-sensitive phar:// blacklist introduced for CVE-2023-28115 - because PHP stream wrappers are case-insensitive, schemes like PHAR:// or PhAr:// pass the check and reach file_exists() in prepareOutput(). When the library runs on PHP 7.4+ and an attacker can influence the output filename argument passed to generation methods, a crafted PHAR archive's metadata is unserialized via a gadget chain, yielding code execution. No CISA KEV listing and no public exploit identified at time of analysis for this specific CVE, although the equivalent upstream KnpLabs/snappy advisory (GHSA-92rv-4j2h-8mjj) ships a working phpggc-based PoC that is directly portable.
Arbitrary file write in py7zr versions 1.1.0 through 1.1.2 allows attackers to escape the destination directory during archive extraction by chaining malicious symbolic links that resolve outside the target path. A victim who calls extractall() on a crafted 7z archive can have files written to arbitrary host filesystem locations, potentially escalating to remote code execution, privilege escalation, or data corruption. Publicly available exploit code exists (PoC published in the GHSA advisory), but there is no public exploit identified for active campaigns at time of analysis.
Code injection in @tinacms/cli versions prior to 2.4.3 allows an attacker who controls a Forestry-style project to achieve remote code execution on a developer's workstation when the `tinacms init` Forestry migration runs and the developer subsequently executes `tinacms dev` or `tinacms build`. The `addVariablesToCode` helper unquotes any value matching the marker `__TINA_INTERNAL__:::(.*?):::` placed in a stringified collection JSON, and user-supplied `label`/`name` fields from `.forestry/**/*.yml` are inserted into that JSON without sanitisation, yielding a top-level IIFE in the generated `tina/templates.ts`. A detailed end-to-end PoC is published in the GHSA-4936-9hrh-qqpw advisory; no public exploit identified at time of analysis beyond the disclosure PoC, and the CVE is not in CISA KEV.
Improper access-control re-validation in the Linux kernel's RDMA/InfiniBand subsystem (the ib_uverbs memory-region re-registration path) allows a local user with RDMA device access to obtain unintended read-write access to memory that was only pinned as read-only. When IB_MR_REREG_ACCESS upgrades a memory region from RO to RW, the underlying umem was not re-evaluated to confirm it is properly pinned for writing, enabling potential memory corruption or disclosure across RDMA-capable drivers. EPSS is low (0.17%, 6th percentile) and there is no public exploit identified at time of analysis; the issue is fixed upstream in multiple stable trees.
Local privilege escalation / memory corruption in the Linux kernel's SO_REUSEPORT BPF handling allows a local user to trigger a use-after-free (vmalloc out-of-bounds read) by replacing a classic BPF (cBPF) reuseport program via setsockopt() while another thread routes UDP traffic through the same reuseport group. Because the cBPF program is freed immediately by sk_reuseport_prog_free() without waiting for an RCU grace period, in-flight readers in reuseport_select_sock() dereference freed memory; the fix defers freeing until after one RCU grace period. No public exploit identified at time of analysis and EPSS probability is low (0.17%), but the bug is confirmed and fixed upstream.
Improper network-namespace isolation in the Linux kernel's IPv6 VTI (ip6_vti) tunnel driver allows the per-netns fallback device (ip6_vti0) to be relocated into another network namespace, because vti6_init_net() omits the netns_immutable flag that sibling tunnel drivers (ip6_tunnel, sit, ip6_gre, ip_tunnel) all set. A local user holding CAP_NET_ADMIN in a namespace can move this fallback device, breaking the isolation guarantee the kernel enforces for other fallback tunnels and potentially destabilizing networking state. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.15%, 5th percentile).
Arbitrary file write and read in Symfony UX Toolkit's `ux:install` console command allows a crafted or compromised recipe kit to escape the intended installation directory and overwrite or read attacker-controlled files on a developer's machine or CI runner. Because overwriting controllers, git hooks, or `.env` files yields code execution, this path-traversal flaw escalates to local RCE, and no public exploit identified at time of analysis though the fix and root cause are documented in the upstream GHSA.
Local privilege escalation in Dell Server Hardware Manager versions prior to 3.2.2 allows a low-privileged local user to gain higher privileges due to improper access control (CWE-284). The CVSS 7.8 (AV:L/AC:L/PR:L/UI:N) reflects high impact across confidentiality, integrity, and availability once exploited. No public exploit identified at time of analysis and the CVE is not in CISA KEV.
Arbitrary file write via path traversal in Slopsmith (a self-hosted Rocksmith 2014 CDLC web app) prior to 0.2.9-alpha.5 allows an attacker who can supply a malicious PSARC or sloppak archive to write files outside the extraction directory, escalating to remote code execution under the default Docker image which runs as root and exposes a writable plugin directory. The CVSS 4.0 vector reports high privileges required (PR:H), reflecting that the attacker must reach the archive-upload/open functionality of an authenticated user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local privilege escalation and denial of service in Imagination Technologies Graphics DDK arises from a write use-after-free between the CPU-side driver and GPU firmware, where the driver frees a shared memory page before the GPU firmware finishes accessing it. Any unprivileged local user able to issue GPU system calls can trigger the race against multiple released DDK branches (1.18, 23.2, 24.2, 25.1-25.3, 26.1). No public exploit identified at time of analysis, but SSVC rates technical impact as total.
Local privilege escalation and denial of service in Imagination Technologies Graphics DDK (PowerVR GPU driver) allows non-privileged users to trigger a use-after-free of GPU MMU page tables via crafted GPU system calls. An error path fails to clean up before freeing the physical page-table allocation, enabling memory corruption that can be leveraged for kernel-context impact. No public exploit identified at time of analysis and SSVC reports no observed exploitation.
Heap buffer overflow in libaom's AV1 encoder allows attackers who influence encoder configuration to trigger a 232-byte out-of-bounds heap write on every frame after the second, when Look-Ahead Processing (LAP) mode is active with g_lag_in_frames >= 1. Affected deployments include transcoding pipelines and WebRTC servers that pass user-controlled encoder parameters to libaom. No public exploit identified at time of analysis, and the flaw primarily yields a reliable denial of service with a theoretical path to remote code execution via heap corruption.
Cross-window message spoofing in TinaCMS (npm tinacms and @tinacms/app) lets a malicious web page hijack an authenticated editing session because the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer act on window.postMessage event.data without validating event.origin or event.source, and reply with wildcard target origins. An attacker who lures an authenticated Tina editor to a crafted page (or gains an opener/iframe relationship with the Tina admin) can forge messages to drive the editor, inject preview content, or observe and forge the OAuth popup channel to take over the session. There is no public exploit identified at time of analysis; a vendor patch is available in PR #7056 and the flaw carries a CVSS 4.0 base score of 7.6.
{device_id}`. The KonnectedView HTTP endpoint sets `requires_auth = False` and only enforces Bearer-token validation on POST/PUT methods, leaving the GET handler entirely unauthenticated. Publicly available exploit code exists in the form of a detailed reporter-published proof of concept against Home Assistant Core 2026.5.2.
Information disclosure in GitHub Copilot Chat for Visual Studio Code (versions 1.0.0 up to but not including 1.123.2) lets a remote, unauthenticated attacker read sensitive data over a network because an insecure default configuration exposes a resource that should be protected. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability effect. There is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.53% (40th percentile).
Denial of service in CoreWCF net.tcp, net.pipe, and net.uds framing handshake allows unauthenticated remote attackers to pin a server thread-pool worker at 100% CPU per TCP connection, exhausting CPU resources with only a small number of concurrent connections. Affects CoreWCF.NetFramingBase versions below 1.8.1 and 1.9.0 through 1.9.0, with no public exploit identified at time of analysis. The CVSS 7.5 (High) score reflects pure availability impact reachable pre-authentication over the network.
Command injection in Microsoft 365 Copilot lets a remote, unauthenticated attacker tamper with data and integrity over the network by injecting unneutralized special elements into a command (CWE-77). The flaw carries a CVSS 7.5 driven entirely by high integrity impact, with no confidentiality or availability loss. There is no public exploit identified at time of analysis, EPSS estimates only a 0.39% 30-day exploitation probability, and CISA's SSVC scores exploitation as none - but a vendor patch is available.
Denial of service in js-toml versions up to and including 1.1.0 allows remote attackers to exhaust CPU resources by submitting a single TOML document containing an oversized hexadecimal, octal, or binary integer literal. The hand-written parseBigInt loop exhibits O(n²) complexity, and a ~500 kB literal pins one CPU core for ~40 seconds; no public exploit identified at time of analysis, but the patched commit and test suite serve as a clear blueprint. Applies to any service invoking load() on attacker-controlled TOML, such as configuration upload endpoints, CI/CD pipelines, IDE plugins, and build tools.
Arbitrary code execution in Stanford NLP's Stanza 1.12.0 (and ≤1.12.1) occurs when the library loads a malicious PyTorch checkpoint, because its pretrain loader silently falls back from torch.load(weights_only=True) to weights_only=False whenever an UnpicklingError is raised - a condition the attacker fully controls by embedding one unsupported pickle global. Publicly available exploit code exists (working PoC in the GHSA advisory), and any developer, CI pipeline, or production NLP service that downloads Stanza model files from HuggingFace, GitHub, or a shared cache can be compromised. Fixed in Stanza 1.12.2.
Denial of service in the Oj Ruby JSON parser (versions <3.17.3) allows remote unauthenticated attackers to crash any process that parses untrusted JSON via Oj::Doc.open followed by a recursive each_child call. A deeply nested JSON document drives doc->where past the 100-element where_path array, causing a subsequent memcpy to overflow an 800-byte stack buffer and trigger the stack canary (SIGABRT). No public exploit identified at time of analysis beyond the vendor-published PoC, and EPSS data was not supplied; the issue is not listed in CISA KEV.
Denial of service in Eclipse ThreadX NetX Duo HTTP server arises from a flawed remediation of CVE-2025-0728, where the refactored shared cleanup label invokes fx_file_close() on an uninitialized file handle whenever an error occurs before file open. Remote attackers can reach the vulnerable PUT path over the network without authentication, triggering undefined behavior, double-close conditions, or memory corruption that can crash the embedded HTTP service. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Authentication bypass in Quarkus Java framework allows remote unauthenticated attackers to circumvent HTTP path-based authorization policies by smuggling encoded semicolons (%3B) as matrix parameters or by using encoded slashes (%2F) and backslashes (%5C) to reach protected static resources. Affects all Quarkus versions prior to the 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 patch line. No public exploit identified at time of analysis, though the issue is a documented bypass of the prior CVE-2026-39852 fix.
Improper input validation in ProxySQL versions 3.0.0 through 3.0.8 lets MCP callers bypass the GenAI `run_sql_readonly` tool's read-only contract by submitting multi-statement payloads such as `SELECT 1; RENAME TABLE x TO y`, which execute in full because the backend connection enables `CLIENT_MULTI_STATEMENTS`. An attacker reaching the `/mcp/query` endpoint can perform writes and administrative SQL up to the privileges of the configured MCP backend account. No public exploit identified at time of analysis, though the upstream advisory documents a successful live test against the endpoint.
Unauthenticated denial-of-service in Langflow versions prior to 1.0.19 allows remote attackers to render the application unusable for all users indefinitely by sending a single crafted POST to /api/v1/files/upload/ with a malformed multipart boundary containing a very large run of hyphens. The upload endpoint processes the multipart body before performing authentication or flow-ID validation, so no token, cookie, or valid flow UUID is required. A public proof-of-concept is included in the GitHub Security Advisory GHSA-qwqc-p3q8-wcg9, though there is no public exploit identified beyond the PoC at time of analysis and the issue is not listed in CISA KEV.