Code injection in @tinacms/cli versions prior to 2.4.3 allows an attacker who controls a Forestry-style project to achieve remote code execution on a developer's workstation when the `tinacms init` Forestry migration runs and the developer subsequently executes `tinacms dev` or `tinacms build`. The `addVariablesToCode` helper unquotes any value matching the marker `__TINA_INTERNAL__:::(.*?):::` placed in a stringified collection JSON, and user-supplied `label`/`name` fields from `.forestry/**/*.yml` are inserted into that JSON without sanitisation, yielding a top-level IIFE in the generated `tina/templates.ts`. A detailed end-to-end PoC is published in the GHSA-4936-9hrh-qqpw advisory; no public exploit identified at time of analysis beyond the disclosure PoC, and the CVE is not in CISA KEV.
Improper access-control re-validation in the Linux kernel's RDMA/InfiniBand subsystem (the ib_uverbs memory-region re-registration path) allows a local user with RDMA device access to obtain unintended read-write access to memory that was only pinned as read-only. When IB_MR_REREG_ACCESS upgrades a memory region from RO to RW, the underlying umem was not re-evaluated to confirm it is properly pinned for writing, enabling potential memory corruption or disclosure across RDMA-capable drivers. EPSS is low (0.17%, 6th percentile) and there is no public exploit identified at time of analysis; the issue is fixed upstream in multiple stable trees.
Local privilege escalation / memory corruption in the Linux kernel's SO_REUSEPORT BPF handling allows a local user to trigger a use-after-free (vmalloc out-of-bounds read) by replacing a classic BPF (cBPF) reuseport program via setsockopt() while another thread routes UDP traffic through the same reuseport group. Because the cBPF program is freed immediately by sk_reuseport_prog_free() without waiting for an RCU grace period, in-flight readers in reuseport_select_sock() dereference freed memory; the fix defers freeing until after one RCU grace period. No public exploit identified at time of analysis and EPSS probability is low (0.17%), but the bug is confirmed and fixed upstream.
Improper network-namespace isolation in the Linux kernel's IPv6 VTI (ip6_vti) tunnel driver allows the per-netns fallback device (ip6_vti0) to be relocated into another network namespace, because vti6_init_net() omits the netns_immutable flag that sibling tunnel drivers (ip6_tunnel, sit, ip6_gre, ip_tunnel) all set. A local user holding CAP_NET_ADMIN in a namespace can move this fallback device, breaking the isolation guarantee the kernel enforces for other fallback tunnels and potentially destabilizing networking state. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.15%, 5th percentile).
Arbitrary file write and read in Symfony UX Toolkit's `ux:install` console command allows a crafted or compromised recipe kit to escape the intended installation directory and overwrite or read attacker-controlled files on a developer's machine or CI runner. Because overwriting controllers, git hooks, or `.env` files yields code execution, this path-traversal flaw escalates to local RCE, and no public exploit identified at time of analysis though the fix and root cause are documented in the upstream GHSA.
Local privilege escalation in Dell Server Hardware Manager versions prior to 3.2.2 allows a low-privileged local user to gain higher privileges due to improper access control (CWE-284). The CVSS 7.8 (AV:L/AC:L/PR:L/UI:N) reflects high impact across confidentiality, integrity, and availability once exploited. No public exploit identified at time of analysis and the CVE is not in CISA KEV.
Arbitrary file write via path traversal in Slopsmith (a self-hosted Rocksmith 2014 CDLC web app) prior to 0.2.9-alpha.5 allows an attacker who can supply a malicious PSARC or sloppak archive to write files outside the extraction directory, escalating to remote code execution under the default Docker image which runs as root and exposes a writable plugin directory. The CVSS 4.0 vector reports high privileges required (PR:H), reflecting that the attacker must reach the archive-upload/open functionality of an authenticated user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local privilege escalation and denial of service in Imagination Technologies Graphics DDK arises from a write use-after-free between the CPU-side driver and GPU firmware, where the driver frees a shared memory page before the GPU firmware finishes accessing it. Any unprivileged local user able to issue GPU system calls can trigger the race against multiple released DDK branches (1.18, 23.2, 24.2, 25.1-25.3, 26.1). No public exploit identified at time of analysis, but SSVC rates technical impact as total.
Local privilege escalation and denial of service in Imagination Technologies Graphics DDK (PowerVR GPU driver) allows non-privileged users to trigger a use-after-free of GPU MMU page tables via crafted GPU system calls. An error path fails to clean up before freeing the physical page-table allocation, enabling memory corruption that can be leveraged for kernel-context impact. No public exploit identified at time of analysis and SSVC reports no observed exploitation.
Heap buffer overflow in libaom's AV1 encoder allows attackers who influence encoder configuration to trigger a 232-byte out-of-bounds heap write on every frame after the second, when Look-Ahead Processing (LAP) mode is active with g_lag_in_frames >= 1. Affected deployments include transcoding pipelines and WebRTC servers that pass user-controlled encoder parameters to libaom. No public exploit identified at time of analysis, and the flaw primarily yields a reliable denial of service with a theoretical path to remote code execution via heap corruption.
Cross-window message spoofing in TinaCMS (npm tinacms and @tinacms/app) lets a malicious web page hijack an authenticated editing session because the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer act on window.postMessage event.data without validating event.origin or event.source, and reply with wildcard target origins. An attacker who lures an authenticated Tina editor to a crafted page (or gains an opener/iframe relationship with the Tina admin) can forge messages to drive the editor, inject preview content, or observe and forge the OAuth popup channel to take over the session. There is no public exploit identified at time of analysis; a vendor patch is available in PR #7056 and the flaw carries a CVSS 4.0 base score of 7.6.
{device_id}`. The KonnectedView HTTP endpoint sets `requires_auth = False` and only enforces Bearer-token validation on POST/PUT methods, leaving the GET handler entirely unauthenticated. Publicly available exploit code exists in the form of a detailed reporter-published proof of concept against Home Assistant Core 2026.5.2.
Information disclosure in GitHub Copilot Chat for Visual Studio Code (versions 1.0.0 up to but not including 1.123.2) lets a remote, unauthenticated attacker read sensitive data over a network because an insecure default configuration exposes a resource that should be protected. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability effect. There is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.53% (40th percentile).
Denial of service in CoreWCF net.tcp, net.pipe, and net.uds framing handshake allows unauthenticated remote attackers to pin a server thread-pool worker at 100% CPU per TCP connection, exhausting CPU resources with only a small number of concurrent connections. Affects CoreWCF.NetFramingBase versions below 1.8.1 and 1.9.0 through 1.9.0, with no public exploit identified at time of analysis. The CVSS 7.5 (High) score reflects pure availability impact reachable pre-authentication over the network.
Command injection in Microsoft 365 Copilot lets a remote, unauthenticated attacker tamper with data and integrity over the network by injecting unneutralized special elements into a command (CWE-77). The flaw carries a CVSS 7.5 driven entirely by high integrity impact, with no confidentiality or availability loss. There is no public exploit identified at time of analysis, EPSS estimates only a 0.39% 30-day exploitation probability, and CISA's SSVC scores exploitation as none - but a vendor patch is available.
Denial of service in js-toml versions up to and including 1.1.0 allows remote attackers to exhaust CPU resources by submitting a single TOML document containing an oversized hexadecimal, octal, or binary integer literal. The hand-written parseBigInt loop exhibits O(n²) complexity, and a ~500 kB literal pins one CPU core for ~40 seconds; no public exploit identified at time of analysis, but the patched commit and test suite serve as a clear blueprint. Applies to any service invoking load() on attacker-controlled TOML, such as configuration upload endpoints, CI/CD pipelines, IDE plugins, and build tools.
Arbitrary code execution in Stanford NLP's Stanza 1.12.0 (and ≤1.12.1) occurs when the library loads a malicious PyTorch checkpoint, because its pretrain loader silently falls back from torch.load(weights_only=True) to weights_only=False whenever an UnpicklingError is raised - a condition the attacker fully controls by embedding one unsupported pickle global. Publicly available exploit code exists (working PoC in the GHSA advisory), and any developer, CI pipeline, or production NLP service that downloads Stanza model files from HuggingFace, GitHub, or a shared cache can be compromised. Fixed in Stanza 1.12.2.
Denial of service in the Oj Ruby JSON parser (versions <3.17.3) allows remote unauthenticated attackers to crash any process that parses untrusted JSON via Oj::Doc.open followed by a recursive each_child call. A deeply nested JSON document drives doc->where past the 100-element where_path array, causing a subsequent memcpy to overflow an 800-byte stack buffer and trigger the stack canary (SIGABRT). No public exploit identified at time of analysis beyond the vendor-published PoC, and EPSS data was not supplied; the issue is not listed in CISA KEV.
Denial of service in Eclipse ThreadX NetX Duo HTTP server arises from a flawed remediation of CVE-2025-0728, where the refactored shared cleanup label invokes fx_file_close() on an uninitialized file handle whenever an error occurs before file open. Remote attackers can reach the vulnerable PUT path over the network without authentication, triggering undefined behavior, double-close conditions, or memory corruption that can crash the embedded HTTP service. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Authentication bypass in Quarkus Java framework allows remote unauthenticated attackers to circumvent HTTP path-based authorization policies by smuggling encoded semicolons (%3B) as matrix parameters or by using encoded slashes (%2F) and backslashes (%5C) to reach protected static resources. Affects all Quarkus versions prior to the 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 patch line. No public exploit identified at time of analysis, though the issue is a documented bypass of the prior CVE-2026-39852 fix.
Improper input validation in ProxySQL versions 3.0.0 through 3.0.8 lets MCP callers bypass the GenAI `run_sql_readonly` tool's read-only contract by submitting multi-statement payloads such as `SELECT 1; RENAME TABLE x TO y`, which execute in full because the backend connection enables `CLIENT_MULTI_STATEMENTS`. An attacker reaching the `/mcp/query` endpoint can perform writes and administrative SQL up to the privileges of the configured MCP backend account. No public exploit identified at time of analysis, though the upstream advisory documents a successful live test against the endpoint.
Unauthenticated denial-of-service in Langflow versions prior to 1.0.19 allows remote attackers to render the application unusable for all users indefinitely by sending a single crafted POST to /api/v1/files/upload/ with a malformed multipart boundary containing a very large run of hyphens. The upload endpoint processes the multipart body before performing authentication or flow-ID validation, so no token, cookie, or valid flow UUID is required. A public proof-of-concept is included in the GitHub Security Advisory GHSA-qwqc-p3q8-wcg9, though there is no public exploit identified beyond the PoC at time of analysis and the issue is not listed in CISA KEV.
{{#ev:}} or {{#evl:}} parser functions. The unsanitized service name is reflected into an error message that is rendered as raw HTML, executing in the wiki origin for every visitor to the affected page. No public exploit identified at time of analysis beyond the advisory's own PoC, but working PoC code is published in the GitHub Security Advisory GHSA-c29q-5xm7-5p62.
Prototype pollution in the npm package flat-to-nested (versions <= 1.1.1) lets attackers who control input records pollute Object.prototype by supplying a record with parent set to the string '__proto__'. The convert() function uses plain objects as lookup tables and writes attacker-controlled data through the prototype chain via initPush(), affecting any application that feeds untrusted flat records (REST input, DB rows, user-supplied data) into the library. No CISA KEV listing and no public exploit identified at time of analysis beyond the proof-of-concept embedded in the GitHub Security Advisory.
Denial-of-service in urllib3 2.6.3 allows a malicious HTTP server to exhaust client memory via a Brotli decompression bomb that bypasses the streaming API's max_length safeguard added in 2.6.0 (CVE-2025-66471). Any Python application using urllib3 or requests with preload_content=False to stream Brotli-encoded responses from untrusted origins is exposed. No public exploit identified at time of analysis, though an upstream commit and GHSA-mf9v-mfxr-j63j confirm the regression.
Authenticated remote code execution in gin-vue-admin 2.9.1 lets attackers with access to the code-generation and MCP management features inject arbitrary Go source via POST /autoCode/addFunc and trigger a rebuild/restart through POST /autoCode/mcpStart, yielding OS command execution as the application service account. No public exploit identified at time of analysis, and as of publication a patched version is not confirmed; the upstream GHSA-22cv-9jv2-6m62 advisory only documents allowlist-based workarounds.
Integrity and availability loss in Statamic CMS versions prior to 5.73.23 and 6.20.0 allows remote attackers to destroy content and assets by manipulating sort parameters that flow into in-memory collection sorting. This is an incomplete-fix follow-up to CVE-2026-41175 (CWE-470, unsafe reflection / method invocation), where the original patch covered the query builder but not the in-memory sort path. No public exploit identified at time of analysis and not in CISA KEV; exploitation requires a non-default template configuration that pipes visitor input into a tag's sort parameter.
Authentication bypass in CoreWCF (SAML 1.1 federation) allows remote attackers to be authenticated as the subject of a signed SAML assertion without proving holder-of-key possession or without a standard SubjectConfirmation method being enforced. Affects CoreWCF.Primitives versions before 1.8.1 and 1.9.0 through 1.9.1 when services consume SAML 1.1 tokens via WS2007FederationHttpBinding, WSFederationHttpBinding, or custom IssuedSecurityTokenParameters bindings. No public exploit identified at time of analysis, but the bypass directly defeats per-method authorization policies that federated services rely on.
Authenticated principal impersonation in CoreWCF (versions >=1.9.0, <1.9.1) occurs because the SPNEGO SecurityContextToken proof key returned in the RequestSecurityTokenResponse (RSTR) is wrapped without confidentiality protection, allowing any on-path observer to recover it. An attacker who captures the unprotected handshake can impersonate the authenticated Windows principal for the SCT lifetime (~10 hours) and decrypt or forge subsequent WS-SecureConversation traffic. No public exploit identified at time of analysis, but the vendor-confirmed advisory (GHSA-2288-8h3r-cqgg) and CVSS 7.4 indicate a meaningful confidentiality/integrity exposure for affected .NET WCF replacement deployments.
SAML token signature bypass in CoreWCF (versions <1.8.1 and 1.9.0) allows remote attackers to forge authenticated SAML assertions when the service validates tokens via a non-X.509 signing method. The SamlSerializer silently skips the final SignatureValue verification step, enabling assertion tampering and authentication bypass against WS-Trust holder-of-key configurations using symmetric proof keys. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-rpj7-hr7h-w6p9) confirms the issue and patches are available.
Authentication bypass via XML Signature Wrapping in CoreWCF allows attackers who capture a single signed SOAP envelope to replay arbitrary operations as the victim principal for the lifetime of the signing key. The flaw affects CoreWCF.Primitives versions below 1.8.1 and the 1.9.0 line below 1.9.1, defeating the DetectReplays mitigation because the attacker forges a fresh wsse:Security timestamp rather than reusing the original. No public exploit identified at time of analysis, but the vendor advisory (GHSA-gqv6-pwcg-87r8) provides sufficient technical detail to reproduce.
Heap out-of-bounds write in QEMU's virtio-snd paravirtualized sound device allows a malicious guest to corrupt host memory by sending oversized audio input that the `virtio_snd_pcm_in_cb` callback fails to size-check against the iov buffer. The flaw represents an incomplete fix for CVE-2024-7730 and affects hypervisor hosts exposing virtio-snd to untrusted guests. No public exploit identified at time of analysis, but the high CIA impact (C:H/I:H/A:H) and guest-to-host boundary crossing make this a meaningful VM escape candidate.
{% case %}` tag that has no `{% when %}`, `{% else %}`, or closing `{% endcase %}`. Because the loop occurs at parse time, any application that renders untrusted or user-supplied Liquid templates can be frozen with a payload as small as `{% case x %}`. It is a pure availability issue (CWE-835) with no confidentiality or integrity impact; not listed in CISA KEV and no evidence of active exploitation, though the trivial trigger is documented in the vendor advisory.
Remote code execution in libaom (reference AV1 codec) is possible when services use the SVC encoder with attacker-supplied frames, allowing crafted pixel data to overlap encoder layer context structures and hijack the cyclic refresh map pointer. The flaw chains a heap out-of-bounds write (CWE-787) with a crash-oracle ASLR bypass to redirect control flow in fork-based video processing services. No public exploit identified at time of analysis, but the issue is tracked under Red Hat and Chromium security trackers and an upstream fix commit has landed in aomedia.
Authorization bypass in jupyterlab-git 0.53.0 and earlier allows authenticated JupyterLab users to read admin-excluded git directories on case-insensitive filesystems (macOS APFS, Windows NTFS) by altering the case of URL path segments. The `GitHandler.prepare()` check uses `fnmatch.fnmatchcase()`, which is unconditionally case-sensitive, while the underlying filesystem resolves case-varied paths to the same location. Publicly available exploit code exists (PoC published with the GHSA advisory), but no public exploit identified in active exploitation feeds.
Authorization bypass in Mercator information system mapping application prior to version 2025.05.19 allows any authenticated user - including the read-only Auditor role - to query arbitrary Eloquent models via the unprotected `/admin/queries/execute` endpoint. The flaw permits enumeration of the `User` model and even allows the supposedly `$hidden` `password` column to be probed via `LIKE` filter predicates, enabling blind extraction of password hashes. No public exploit identified at time of analysis, but the vendor advisory (GHSA-q3r8-3h7c-96w3) confirms the issue and ships a fix.
Arbitrary address write in libaom, the reference AV1 video codec implementation, allows remote attackers to corrupt memory by supplying crafted pixel values to an encoder that has Scalable Video Coding (SVC) enabled, leading to denial of service or potential code execution. The flaw stems from a missing bounds check in the SVC layer ID control function that lets pixel data inject an attacker-controlled pointer into the cyclic refresh map, after which ~1,200 bytes are written deterministically to the chosen address. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Authenticated path traversal in gonic music streaming server allows any Subsonic user to read or delete other users' playlists and probe arbitrary host file paths by smuggling `..` segments into the playlist `id` parameter. The flaw bypasses the ownership check introduced in commit 6dd71e6, which derived `playlist.UserID` from the first path segment of the attacker-controlled ID without containing the resolved file path. No public exploit identified at time of analysis, but a proof-of-concept test case is embedded in the upstream patch.
Denial of service in NI grpc-device 2.17.0 and earlier allows an authenticated remote attacker to crash or destabilize the gRPC server by sending a crafted BeginSidebandStream message containing an out-of-range enum value. The unchecked cast triggers undefined behavior in the server process, with no public exploit identified at time of analysis. The flaw is reported by the vendor and tracked under GHSA-prfr-q8h3-mqxv.
Out-of-bounds heap read in libaom's SVC layer ID control function allows remote attackers to leak approximately 40,728 bytes of heap memory or crash AV1 encoder processes by supplying a spatial_layer_id value exceeding the configured number of scalable video coding layers. The flaw affects network-facing services that pass attacker-influenced SVC encoder parameters into the reference AV1 codec, enabling information disclosure or denial of service. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Heap buffer overflow in libde265 prior to version 1.1.0 allows remote attackers to corrupt heap memory and likely achieve code execution by tricking a user into processing a crafted H.265 video stream. The flaw stems from a 32-bit signed integer overflow in plane allocation sizing that wraps to ~1 KB, after which fill_image() writes the true ~4 GB plane content into the undersized buffer. No public exploit identified at time of analysis, but the upstream commit (8a1b5cf) and GHSA-vv8h-932h-7r86 publicly document the exact overflow location.
Out-of-bounds write in libde265 prior to version 1.0.20 allows remote attackers to corrupt memory by tricking a user into processing a maliciously crafted H.265 bitstream. The flaw resides in the short-term reference picture set handling and can lead to denial of service or potential code execution in any application that links libde265 for HEVC decoding. No public exploit identified at time of analysis, though the upstream patch and commit-level root-cause disclosure provide a clear roadmap for exploit development.
Broken authorization in gonic music streaming server prior to version 0.21.0 allows any authenticated user to delete or read other users' playlists via the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view. Because playlist IDs are base64url-encoded paths containing a small integer user ID and a guessable filename, low-privileged users can enumerate IDs to wipe an administrator's curated playlists or exfiltrate the contents of any private playlist. No public exploit identified at time of analysis, and the issue is patched in commit 6dd71e6 included in version 0.21.0.
Cross-tenant data exposure in Capgo before 12.128.2 lets an authenticated org-scoped read API key reach other tenants' PostgREST endpoints and pull HMAC webhook signing secrets plus delivery logs. Disclosed by VulnCheck with a vendor GitHub Security Advisory (GHSA-hj3h-v877-g5rx); no public exploit identified at time of analysis, and the secrets retrieved enable subsequent forgery of authentic-looking webhook events against victim organizations.
Unauthorized attachment file access in Flexera FlexNet Manager Suite 2025 R1 and R2 allows authenticated low-privileged users to retrieve attachment files belonging to other tenants or users due to insufficient access control enforcement. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list, but the CVSS 4.0 base score of 7.1 reflects meaningful confidentiality impact over the network with low privileges required. Organizations using FNMS for software asset management and license compliance should review the Flexera Community advisory and apply vendor guidance.
Authentication bypass in Apache APISIX versions 2.2 through 3.16.0 allows remote attackers to circumvent authentication enforced by the jwt-auth plugin under certain configurations, granting unauthorized access to APIs that should require a valid JWT. The flaw stems from spoofable identity assertions (CWE-290) in the plugin's verification logic, and at time of analysis there is no public exploit identified, but the wide affected version range and gateway role make it operationally significant.