Joomla!. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Missing authorization controls in the WP Hotel Booking WordPress plugin (all versions before 2.3.1) expose sensitive hospitality business data to any authenticated Subscriber-level user. Affected AJAX handlers lack WordPress capability checks, enabling low-privilege users to read other guests' booking line items, enumerate active coupon codes, and access internal pricing data across the entire site. A public proof-of-concept exploit exists per WPScan; while not confirmed actively exploited in CISA KEV, the low authentication barrier and publicly available exploit represent meaningful real-world risk for any hotel or hospitality site with user registration enabled.
Use-after-free memory corruption in Cloudflare Quiche's FFI layer exposes applications built with the non-default FFI feature flag to remote denial of service and limited heap disclosure. Two FFI iterator functions - quiche_connection_id_iter_next and quiche_conn_retired_scid_next - return raw pointers to ConnectionId values that are immediately freed when their owning Rust scope exits, leaving callers holding dangling pointers. No public exploit has been identified at time of analysis and there is no CISA KEV listing, but the CVSS 5.6 (AV:N/AC:H) score correctly reflects the constrained preconditions imposed by the opt-in build flag.
Server-Side Request Forgery and arbitrary JavaScript injection in Craft CMS 4.x (before 4.18) and 5.x (before 5.10) allow remote unauthenticated attackers to poison the Host or X-Forwarded-Host header against the /actions/app/resource-js endpoint, forcing the backend Guzzle client to proxy attacker-controlled content as application/javascript. When the instance sits behind a caching layer, this chains into web cache poisoning, stored XSS in the Control Panel, and 1-click RCE via session-riding the plugin install action. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-c55v-343g-5xff) provides detailed exploitation mechanics.
Capgo's Enforce Password Policy feature in versions before 12.128.2 permanently locks Super Admins out of their organization through a backend state management flaw, constituting a targeted denial-of-service against administrative access. When a Super Admin enables the password policy and successfully changes their password to a policy-compliant value, the backend fails to mark the account compliant, trapping the account in an infinite forced-password-reset loop and severing all organization management access. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.9 reflects the high-privilege prerequisite and pure availability impact with no confidentiality or integrity consequence.
Heap-based buffer overflow in libexpat before 2.8.2 allows heap memory corruption in applications that process externally-supplied XML with external entity parameter parsing enabled. The flaw resides in the doProlog function of xmlparse.c, where the scaffold backing array (scaffIndex) - used to index DTD content model tree nodes - is reallocated using the child parser's m_groupSize counter, which diverges from the actual allocated capacity of the shared scaffIndex inherited from the parent parser. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the upstream fix PR includes a functional reproduction test case confirming exploitability.
LDAP injection in OpenBao versions 0.1.0 through 2.5.4 allows an attacker with a valid low-privileged LDAP account to impersonate arbitrary directory users, including administrators, by supplying filter metacharacters in the username field at login. The root cause is a function selection error in `sdk/helper/ldaputil/client.go`: `EscapeLDAPValue()` (RFC 4514, DN escaping) is used in LDAP filter construction instead of `ldap.EscapeFilter()` (RFC 4515), leaving characters `*`, `(`, `)`, `\`, and NUL unescaped and injectable. Publicly available exploit code exists in the vendor advisory; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
Token exfiltration in dbt-mcp's embedded OAuth helper server (versions before 1.20.0) allows any co-located process or DNS-rebinding attacker to retrieve a victim's full dbt Cloud access and refresh tokens via a single unauthenticated HTTP GET request. Developers running dbt-mcp in OAuth mode on any shared or browser-accessible host are affected for the entire lifetime of the OAuth helper process following a completed login flow. No public exploit identified at time of analysis, though the GitHub security advisory (GHSA-jr33-mw75-7j8f) includes a fully functional Docker-based PoC with step-by-step reproduction artifacts, substantially lowering the exploitation barrier.
Persistent denial-of-service in CoreWCF.Kafka allows any attacker with write access to a consumed Kafka topic to permanently halt message processing by publishing a single null-value (tombstone) record. Affected versions span all CoreWCF.Kafka releases below 1.8.1 and the 1.9.0 release prior to 1.9.1. The consume pump exits without recovery on the uncaught exception, meaning the endpoint remains silently dead until the service process is manually restarted - no exploit code or CISA KEV listing exists at time of analysis.
Server-Side Request Forgery in the Bit Integrations WordPress plugin (all versions through 2.8.7) allows unauthenticated attackers to force the web server to issue arbitrary HTTP requests to internal or external locations via the upload_attachment function. Exploitation enables querying and modifying data from internal services reachable by the web server, including metadata services in cloud environments, internal APIs, or private network endpoints. No public exploit is identified at time of analysis, but the attack requires only a default integration configuration, substantially lowering the practical barrier to exploitation.
Path traversal in Kestra's `inputFiles` task mechanism allows remote attackers to write arbitrary files to the worker filesystem when flows forward untrusted webhook or execution data as file names. Affected across four release branches (prior to 1.3.19, 1.2.19, 1.1.19, and 1.0.43), exploitation depends on a specific flow design pattern but requires no authentication if the target webhook is publicly accessible. No public exploit code or active exploitation has been identified at time of analysis, but the CVSS integrity impact is rated High due to the ability to create or overwrite files outside the task working directory.
Silent UTF-8 rewriting in UltraJSON (ujson) versions up to and including 5.12.1 allows input validation bypass and data integrity corruption when the reject_bytes=False encoding option is used. Malformed or truncated byte sequences - including invalid continuation bytes and over-read sequences - are silently transformed into different, syntactically valid Unicode characters rather than triggering an error, meaning data that exits ujson.dumps() differs from data that entered it. This creates a validation bypass window for any application that validates raw bytes before serialization, and no public exploit has been identified at time of analysis, though the flaw is fully described with reproducible examples in the GHSA advisory.
Grafana Tempo and Enterprise Traces (GET) are vulnerable to an authenticated denial-of-service condition triggered by submitting a TraceQL query containing an excessively large exemplars hint value, causing the Tempo service to allocate unbounded memory until an out-of-memory crash occurs. Any authenticated user with query access - even low-privileged - can exploit this to take down the Tempo tracing backend, disrupting observability pipelines for the entire platform. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Out-of-bounds heap read in libheif's uncompressed HEIF decoder allows a remote attacker to crash any application processing crafted HEIF files. Versions prior to 1.22.1 fail to safely validate icef compressed-unit offsets because the addition of unit_offset + unit_size can integer-wrap, bypassing the range check and permitting a C++ vector to be constructed from iterators pointing outside the compressed item buffer. Exploitation requires a user or automated pipeline to open an attacker-supplied HEIF file; no public exploit or CISA KEV listing exists at time of analysis.
Local named pipe interception in CoreWCF.NetNamedPipe allows an authenticated local attacker to hijack WCF inter-process communication by winning a TOCTOU race condition. Affected versions expose a window between GUID publication to shared memory and named pipe creation, during which an attacker can pre-create the pipe and silently intercept or manipulate all NetNamedPipe transport traffic. No public exploit or active exploitation has been identified; fixed versions 1.8.1 and 1.9.1 are available from the vendor.
OpenBao's transit secrets engine crashes the entire server process when an authenticated caller submits a key-creation request combining an asymmetric key type (rsa-*, ecdsa-*, ed25519) with the derived: true parameter. Affected versions confirmed as 2.5.2 and 2.5.4, with earlier versions also likely vulnerable per the GHSA advisory. The server returns no HTTP response, terminates with exit code 2, and the crash propagates to the entire cluster - making this a high-impact availability denial-of-service requiring only a single authenticated API request. Publicly available exploit code exists in the form of a detailed PoC curl command included in the security advisory; no CISA KEV listing is present at time of analysis.
PhpWeasyPrint (pontedilana/php-weasyprint) prior to version 2.6.0 enables server-side request forgery and local file disclosure through its `attachment` option, which passes any URL-shaped value through PHP's `file_get_contents()` without restricting the URL scheme. Applications that expose the `attachment` option to user-controlled input allow an attacker to probe internal HTTP endpoints (including cloud instance metadata services) and read arbitrary local files by supplying schemes such as `file://` or `php://filter/...`, with exfiltrated content embedded directly into the generated PDF output. This is the same vulnerability class patched in KnpLabs/snappy (GHSA-c5fp-p67m-gq56); no public exploit or CISA KEV listing exists at time of analysis.
Use-after-free in FFmpeg's RASC video decoder exposes Red Hat Enterprise Linux AI 3 and Red Hat OpenShift AI deployments to denial-of-service attacks via crafted media files. The decode_move() function retains a raw pointer into a heap-allocated decompressed buffer that is subsequently reallocated during move-table processing, leaving the pointer dangling; reading through it crashes the process. No public exploit or KEV listing has been identified at time of analysis, but the network-accessible attack vector (file delivery over the internet) and lack of authentication prerequisites make this a realistic threat to any environment that processes untrusted AVI content using the affected FFmpeg builds.
Arbitrary file read in Royal Addons for Elementor versions 1.7.1058-1.7.1059 allows authenticated attackers with Contributor-level access to retrieve the contents of any file readable by the PHP process - including wp-config.php and its database credentials - via a crafted wpr-data-table widget saved through Elementor's save_builder endpoint. The flaw is a regression: the vulnerable wpr_get_csv_handle() helper was itself introduced in version 1.7.1058 as the remediation for a prior CVE (CVE-2026-6229), meaning the security patch introduced a new, exploitable path. No public exploit has been identified at time of analysis, but the low privilege bar (Contributor) and high-value disclosure target (database credentials) elevate real-world risk on WordPress sites that permit open or low-friction contributor registration.
Server-Side Request Forgery in the Advanced Import WordPress plugin (all versions through 1.4.6) allows authenticated users holding Author-level access or higher to force the web server to issue HTTP requests to arbitrary internal or external URLs via the demo_download_and_unzip() AJAX handler. The critical design flaw is the inconsistent use of wp_remote_get() instead of WordPress's own wp_safe_remote_get() - which the plugin correctly employs elsewhere - meaning no SSRF-aware URL validation is applied to the 'demo_file' POST parameter when 'demo_file_type' is set to 'url'. No public exploit code has been identified at time of analysis, but the scope change in the CVSS vector reflects that successful exploitation escapes the WordPress application boundary and can reach internal network services, including cloud instance metadata endpoints such as AWS IMDSv1.
Stored Cross-Site Scripting in BetterDocs WordPress plugin (versions ≤4.5.3) allows authenticated contributors to inject persistent malicious scripts via the unescaped blockId attribute of the betterdocs/category-slate-layout Gutenberg block. The injected payload executes in the browser of any visitor who loads the compromised page, enabling session hijacking, credential theft, or admin-level privilege escalation against site operators. No public exploit identified at time of analysis, but the contributor-level authentication threshold makes this accessible on any WordPress site permitting open or shared content authorship.
Stored Cross-Site Scripting in the Creavi Appointment Booking Calendar plugin for WordPress (all versions through 1.4.4) allows authenticated attackers holding Author-level access or higher to permanently inject arbitrary JavaScript via unsanitized custom booking field labels. The malicious payload executes in the browser of any user who subsequently visits a page containing the injected booking form, enabling session hijacking, credential harvesting, or malicious redirects against site visitors and administrators alike. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis, though a fix commit is available in the WordPress plugin Trac repository.
Heap use-after-free in the Oj Ruby JSON parser (versions prior to 3.17.3) is triggered when an application toggles the symbol_keys option from true to false on a reused Oj::Parser instance. The opt_symbol_keys_set function frees the internal key cache via cache_free but fails to NULL the d->key_cache pointer, so the next parse call dereferences freed memory through cache_intern, potentially leading to memory disclosure, crashes, or controlled corruption. No public exploit identified at time of analysis, and the issue is documented in GitHub Security Advisory GHSA-2cw7-v8ff-p88r.
HMAC authentication replay in Apache APISIX 3.11.0 through 3.16.0 permits remote attackers who have captured a valid hmac-auth signed token to reuse that token indefinitely, entirely bypassing expiry enforcement under certain plugin configurations. The CVSS 4.0 vector (6.3, AT:P) confirms exploitation depends on a specific hmac-auth configuration condition, limiting blanket exposure but posing significant risk to affected deployments where tokens can be intercepted. No public exploit code or CISA KEV listing has been identified at time of analysis; the fix is available in version 3.17.0 per the Apache security advisory.
Stack-based buffer overflow in the Oj Ruby JSON gem (versions prior to 3.17.3) allows a developer-controlled large :indent value passed to Oj.dump to overwrite up to 2 GB of stack memory, crashing the Ruby process. The flaw is reachable only when application code forwards an untrusted or extreme indent value into Oj.dump, and no public exploit identified at time of analysis demonstrates code execution beyond denial of service.
Heap corruption in the Ruby Oj JSON parser (`Oj.load`) is triggered when applications process attacker-controlled JSON strings larger than 2 GB containing an escape sequence, due to an integer overflow in `read_escaped_str` that wraps a 32-bit length to a negative value and is then cast to `size_t`, causing `memcpy` to copy ~2 GB out of bounds. Versions of the `oj` gem prior to 3.17.3 are affected, and no public exploit identified at time of analysis; CVSS and EPSS are not provided.
Use-after-free in the Oj Ruby JSON gem's SAJ parser allows an attacker who can influence parsed JSON content and the SAJ callback handler to crash the Ruby process and potentially corrupt memory. Oj::Parser fails to protect heap-allocated cached object keys of 35 bytes or more from garbage collection, so a GC cycle triggered from inside a hash_end callback frees the key while C code still holds a dangling VALUE pointer. No public exploit identified at time of analysis, but a working reproducer is published in the GHSA advisory.
Use-after-free in the Oj Ruby JSON gem (≤ 3.17.1) crashes the host process when Oj::Parser is configured in :usual mode with a custom array_class or hash_class. Because parser_mark fails to register those VALUEs with the Ruby GC, the class object can be reclaimed and the next parse() dereferences freed memory, producing a segfault. A reproducer is published in the GHSA advisory; there is no public exploit identified for remote use and the issue is not listed in CISA KEV.
Heap corruption in the Oj Ruby JSON parser allows remote attackers to crash or potentially corrupt memory in applications that parse untrusted JSON with `Oj::Parser` in `:usual` mode when the `create_id` option is enabled. A 65,535-byte object key triggers an integer truncation in `form_attr` (ext/oj/usual.c:63) that turns the buffer length into `(size_t)-1`, causing `memcpy` to write `SIZE_MAX` bytes onto a fixed 65,536-byte cache slab. No public exploit identified at time of analysis beyond the maintainer-supplied reproduction script in GHSA-9cv6-qcjw-4grx.
Authentication bypass in Apache APISIX's jwe-decrypt plugin (versions 3.8.0 through 3.16.0) allows unauthenticated network attackers to circumvent JWE token integrity validation and reach services protected by the gateway. The root cause (CWE-354) is improper validation of the JWE authentication tag under the plugin's default configuration, meaning crafted or tampered tokens are accepted as legitimate. No public exploit code and no CISA KEV listing are identified at time of analysis; the vendor-released fix is Apache APISIX 3.17.0.
Silent integer truncation in NI grpc-device 2.17.0 and earlier allows unauthenticated network-accessible attackers to corrupt size values processed by the CodeGen component, potentially causing integrity violations in instrument control operations. The root cause is CWE-681 - missing range checks during numeric type conversion in CodeGen - meaning oversized size fields silently lose their high-order bits rather than being rejected or flagged. No CISA KEV listing and no public exploit code have been identified at time of analysis, placing this in a lower operational priority tier despite its medium CVSS 4.0 score of 6.3.
Server-Side Request Forgery in AWX's GitHub webhook integration (Red Hat Ansible Automation Platform 2) enables a remote attacker possessing a job template's webhook_key to redirect PAT-bearing status callbacks to an attacker-controlled endpoint, exfiltrating the configured GitHub Personal Access Token. The attack exploits AWX's failure to validate that the pull_request.statuses_url field in an incoming webhook payload points to a legitimate GitHub API domain before using it as a POST target. No public exploit is identified at time of analysis, but successful exploitation yields persistent GitHub repository access through the stolen PAT, extending the blast radius well beyond the AWX system itself.
HTML injection in HCL Verse for Android's rich text email composition component enables malicious content execution on the local device. The compose-rich-editor library (v1.0.0-rc14) bundled with HCL Verse for Android fails to sanitize HTML input, allowing crafted content to execute in the composition context. With High confidentiality and integrity impact signals in the CVSS vector, successful exploitation could expose sensitive email data or allow unauthorized modification of content; no public exploit code has been identified at time of analysis.
Race condition in CoreWCF.UnixDomainSocket peer identity resolution can cause one connection's POSIX identity to be misattributed to another connection, or crash the host process under contention. The root cause is the library's use of the non-reentrant POSIX functions `getpwuid` and `getgrgid` in concurrent connection handling paths, affecting all CoreWCF.UnixDomainSocket versions below 1.8.1 and 1.9.x versions below 1.9.1. No public exploit or CISA KEV listing has been identified at time of analysis.
Path traversal in Allure Report's built-in HTTP server (allure-commandline <= 2.38.1) allows any client that can reach the server port to read arbitrary files accessible to the Allure process. The vulnerability exists in Commands.setUpServer() where request URI paths are resolved against the report directory without normalization or containment checks, and Java's URI.getPath() additionally percent-decodes sequences like %2e%2e to .., bypassing client-side normalization. A proof-of-concept is publicly available via the GitHub Security Advisory GHSA-82cg-3hv7-74gc; no CISA KEV listing has been confirmed at time of analysis, though real-world risk is materially elevated in CI/CD environments where --host 0.0.0.0 is commonly used.
Cross-site scripting in Symfony UX Icons (symfony/ux-icons) allows an attacker who controls SVG icon content - via a malicious third-party icon pack, a downloaded icon set, or a tampered Iconify on-demand endpoint - to inject and execute arbitrary JavaScript in the browsers of users who load any page rendering those icons. Two distinct sanitization failures existed: the local-file path in `Icon::fromFile()` only stripped top-level `<script>` children of `<svg>`, ignoring nested scripts and all `on*` event-handler attributes, while the Iconify on-demand path (enabled by default) applied zero sanitization to the remote JSON `body` field before inlining it as HTML. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Incomplete session termination in Langflow (pip/langflow < 1.7.0) leaves authentication cookies active after logout on shared machines, allowing any subsequent browser user to resume the previous session without credentials. The `/logout` endpoint issued cookie-deletion calls without matching the `httponly`, `samesite`, `secure`, and `domain` attributes used at cookie creation, causing browsers to silently ignore the deletion; the frontend compounded this by also failing to clear `access_token_lf` and `refresh_token_lf` from storage. No public exploit code has been separately catalogued, though the PoC is trivially reproducible (click Logout, press refresh), and the vulnerability is not listed in CISA KEV.
Stored XSS in allure-generator (versions <= 2.38.1) allows arbitrary JavaScript execution in the browser of anyone who views a generated Allure report containing crafted test result data. The vulnerable `ansi.js` Handlebars helper passes unsanitized `statusMessage` and `statusTrace` values - sourced from JUnit XML failure messages and equivalent fields in TRX, xUnit XML, xctest, and Allure 1/2 plugins - through `ansi-to-html` without HTML escaping, then wraps the output in `SafeString` to bypass Handlebars' auto-escape protection. A publicly available proof-of-concept demonstrates exploitation via a crafted JUnit XML file; the attack is particularly relevant to CI/CD environments (Jenkins, GitLab, GitHub Actions) where reports are served on shared infrastructure with active authenticated sessions.
Arbitrary local file disclosure in the Rust crate tract-onnx (by Sonos) allows an attacker who supplies a malicious ONNX model file to read arbitrary files from the victim's filesystem at model-load time, with file contents surfaced directly in inference tensor output. The root cause is that `get_external_resources()` in `onnx/src/tensor.rs` passes the attacker-controlled `location` field of ONNX external-data tensors directly to `PathBuf::join()` without sanitization, enabling both absolute-path overrides and relative `../` traversal. A secondary denial-of-service (panic) is possible via out-of-bounds `offset`/`length` values. Publicly available exploit code exists (full PoC confirmed on tract-onnx 0.21.16); no active exploitation has been confirmed by CISA KEV at time of analysis.
Memory exhaustion denial of service in NI grpc-device's BeginSidebandStream RPC endpoint allows authenticated network attackers to crash or destabilize the server by triggering a cumulative memory leak with each invocation. All versions of NI grpc-device up to and including 2.17.0 are affected, along with NI InstrumentStudio as a dependent product. No public exploit code exists and this vulnerability is not listed in CISA KEV; however, the network-accessible attack vector makes it relevant for any deployment where the grpc-device server is reachable by untrusted authenticated clients.
SAML token replay protection in CoreWCF.Primitives is silently inoperative when DetectReplayedTokens is explicitly enabled, allowing replay attacks to succeed against WCF services using SAML-based federated authentication. Affected versions of the NuGet package CoreWCF.Primitives include all releases before 1.8.1 and the 1.9.0 release prior to 1.9.1. A network-accessible attacker in possession of a valid, unexpired SAML token can replay it to impersonate a legitimate user, defeating the only control operators may have believed was protecting against token theft - no public exploit code has been identified, and this is not listed in CISA KEV.
Signature substitution in CoreWCF's WS-Security message processing allows a remote unauthenticated attacker to replace the server's cryptographic integrity check with a signature of the attacker's choosing, effectively forging authenticated SOAP messages. Affected versions of CoreWCF.Primitives perform a document-wide lookup for ds:Signature elements rather than scoping verification to the wsse:Security header, so an attacker-injected signature in a preceding SOAP header is found and verified first. Exploitation is constrained by two non-default server-side prerequisites, limiting widespread risk on generic deployments, but the integrity bypass is complete where those conditions are met. No public exploit code has been identified and this CVE does not appear in the CISA KEV catalog at time of analysis.
The Kubernetes Ingress NGINX provider in Traefik v3.7.0-ea.1 through v3.7.4 fails open when BasicAuth or DigestAuth cannot be installed because the referenced auth-secret is unresolvable, silently publishing the intended-to-be-protected backend route without any authentication middleware to unauthenticated network clients. Operators who explicitly configure auth via nginx.ingress.kubernetes.io/auth-type and auth-secret annotations are left with a live, fully accessible backend route while Traefik logs a single controller-level error and routes traffic normally - a direct violation of the declared security intent. A detailed proof-of-concept covering eight distinct secret-failure scenarios was developed by the reporter and confirmed on both current master and v3.7.1; no public release of exploit code is confirmed and no CISA KEV listing exists at time of analysis.
Silent TLS downgrade in Guzzle's built-in cURL handlers exposes proxy credentials and tunneled connection metadata to network interception when the application is configured to use an https:// proxy but runs against libcurl older than 7.50.2. Affected deployments see proxy authentication headers (Proxy-Authorization, CURLOPT_PROXYUSERPWD), CONNECT target host/port for tunneled HTTPS, and full request headers and bodies for plain HTTP requests transmitted without encryption - with no runtime error or warning from Guzzle or libcurl. No public exploit identified at time of analysis and no CISA KEV listing; however, the CVSS confidentiality impact is rated High (C:H) due to full credential exposure on the proxy leg.
Incomplete SSRF remediation in mailpit v1.29.2 through v1.30.1 leaves the Link Check API bypassable via IPv6 transition mechanism literals (6to4, NAT64, IPv4-compatible IPv6, ISATAP, Teredo) and unclassified IPv6 prefixes (fec0::/10, 2001:db8::/32) that Go's stdlib Is* classification helpers silently pass. An unauthenticated network attacker who can deliver email to mailpit's SMTP listener and invoke the Link Check API can coerce the application into dialing internal IPv4 destinations - including cloud metadata endpoints at 169.254.169.254 - by encoding the target as an IPv6 literal that returns false for all seven predicates in IsInternalIP, bypassing the guard introduced for CVE-2026-27808. Publicly available exploit code exists in the form of a reproducible unit test and end-to-end proof-of-concept published in the advisory; this is the same deny-list bypass class confirmed in CVE-2026-44430 (MCP Registry) and CVE-2026-45741 (Gotenberg).
Identity header spoofing in Apache APISIX versions 2.12.0 through 3.16.0 allows a low-privileged network attacker to manipulate header values forwarded by the forward-auth plugin to upstream backend services. The flaw, rooted in improper input validation (CWE-20) of the forward-auth plugin's header handling, enables an attacker to impersonate other identities as seen by backend services that rely on APISIX to assert trustworthy identity context. No active exploitation is confirmed in CISA KEV and no public proof-of-concept has been identified, but the CVSS 4.0 subsequent-system impact metrics (SC:H/SI:H/SA:H) signal that backend services face high-severity consequences if exploited.
Cookie domain validation in guzzlehttp/guzzle before 7.12.1 allows cross-origin cookie injection when a shared CookieJar contacts both attacker-controlled and trusted hosts. The flaw stems from SetCookie::matchesDomain() normalizing dot-only Domain values (e.g., 'Domain=.', 'Domain=..') to an empty string, while SetCookie::validate() only rejected strictly empty domains - meaning normalized-empty domains were stored and silently treated as matching every request host. Any application using new Client(['cookies' => true]) or an explicit shared CookieJar that requests data from an attacker-reachable origin is exposed to session fixation or cookie injection against unrelated downstream services. No public exploit or CISA KEV listing has been identified at time of analysis.
Checkpoint image poisoning in containerd's CRI implementation allows an attacker with pod-creation permissions to corrupt the node-local image cache, causing victim pods to silently execute malicious images in place of legitimate ones. The root cause is missing validation of image references embedded in checkpoint image configurations: containerd trusts attacker-controlled strings in the checkpoint archive to drive image pulls and local tag assignment. Subsequent pods using an IfNotPresent or Never pull policy then inherit the poisoned tag and execute arbitrary code under the victim pod's Kubernetes identity. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis; vendor-released patches are available.
Credential leakage in @microsoft/kiota-http-fetchlibrary versions 1.0.0-preview.97 through 1.0.0-preview.101 causes Bearer tokens and session cookies to be forwarded to attacker-controlled cross-origin redirect destinations because the default RedirectHandler's header-scrubbing logic silently fails: FetchRequestAdapter lowercases all header keys before the middleware sees them, but scrubSensitiveHeaders performs PascalCase deletes (delete headers.Authorization), targeting keys that no longer exist. This flaw is present in the default middleware chain with no opt-in configuration required, affecting every kiota-generated TypeScript SDK - including Microsoft Graph clients - that uses BaseBearerTokenAuthenticationProvider or any auth provider that sets the Authorization header. Proof-of-concept code exists (CVSS 4.0 E:P), and a vendor patch is available in version 1.0.0-preview.102; no active exploitation has been confirmed in the CISA KEV at time of analysis.
Stored Cross-Site Scripting in Octopus Server allows authenticated high-privilege users to embed malicious JavaScript payloads through the artifact upload mechanism, which execute in the browsers of other users who interact with the affected artifact. The CVSS 4.0 vector (PR:H, UI:A, VC:H) confirms exploitation requires elevated access and victim interaction, with the primary impact being confidentiality - likely session token or credential theft. No public exploit code exists and the vulnerability has not been added to the CISA KEV catalog at time of analysis.