Stack/heap buffer overflow in the Edimax BR-6478AC V2 wireless router (firmware 1.23) lets an authenticated attacker corrupt memory by sending an oversized selSSID parameter to the formWlSiteSurvey handler under /goform/, enabling denial of service and potentially arbitrary code execution on the device. Publicly available exploit code exists, but no public exploit identified at time of analysis as actively used in attacks (not in CISA KEV); the vendor was notified and did not respond, leaving devices unpatched. CVSS 4.0 base score is 7.4 reflecting network reachability of the management interface combined with required low-privilege authentication.
Local privilege escalation in EZB Systems UltraISO Premium Edition up to 9.76 stems from improper access controls in the bundled bootpt64.sys kernel driver, allowing an authenticated local user to abuse the driver and achieve high-integrity kernel-level impact on confidentiality, integrity, and availability. Publicly available exploit code exists, and the vendor was contacted but did not respond, leaving all currently shipped versions unpatched.
Local privilege escalation in IM-Magic Partition Resizer up to 7.9.0 stems from improper access controls in the MDA_NTDRV.sys kernel driver, allowing a low-privileged local user to gain elevated kernel-level capabilities. Publicly available exploit code exists and the vendor did not respond to coordinated disclosure, leaving all currently shipped versions (7.0 through 7.9.0) without a fix. No public exploit identified as being used in attacks (not in CISA KEV), but POC weaponization risk is elevated given the unpatched status.
Local privilege escalation in EaseUS Partition Master versions 14.0 through 14.5 allows low-privileged users to abuse the EUEDKEPM.sys kernel driver due to improper access controls (CWE-284). Publicly available exploit code exists and the vendor has released a patched version, though the issue is not listed in CISA KEV. The flaw maps to authentication-bypass behavior at the kernel-driver interface, giving attackers a path from a standard user account to SYSTEM-level capabilities.
Local privilege escalation in EaseUS Partition Master through version 14.5 stems from improper access controls in the epmntdrv.sys kernel driver, allowing a low-privileged local user to gain SYSTEM-level control over the host. Publicly available exploit code exists and the vendor has confirmed the issue was resolved in newer releases, though no specific patched version is named in the advisory.
Local privilege escalation in AOMEI Backupper through 8.3.0 stems from improper access controls in the bundled kernel driver amwrtdrv.sys, allowing an authenticated local user to abuse driver IOCTLs and escalate privileges. Publicly available exploit code exists for this issue, and the vendor was contacted but has not responded, leaving customers without an official fix. The CVSS 4.0 base score is 7.1 with local attack vector and low privileges required, reflecting realistic post-foothold risk rather than remote compromise.
Local privilege escalation in AOMEI Dynamic Disk Manager up to version 10.10.1 stems from improper access controls in the ddmdrv.sys kernel driver, allowing a low-privileged local user to interact with privileged driver IOCTLs and gain SYSTEM-level control. Publicly available exploit code exists, and the vendor did not respond to coordinated disclosure, leaving installations unpatched. No CISA KEV listing or active exploitation has been confirmed at time of analysis.
Local privilege escalation in AOMEI Partition Assistant through version 10.10.1 allows authenticated low-privileged users to abuse improper access controls in the ampa10.sys kernel driver to gain SYSTEM-level code execution. Publicly available exploit code exists per VulDB, and the vendor did not respond to coordinated disclosure attempts, leaving installations exposed; no public exploit identified at time of analysis as actively used in the wild (not in CISA KEV).
Missing authentication in LiteLLM's SSO Debug Flow exposes the `json.dumps` output of the `ui_sso.py` management endpoint to unauthenticated remote attackers, enabling authentication bypass against versions up to 1.82.2. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms this is network-exploitable with no privileges or user interaction required. A public proof-of-concept has been disclosed on GitHub, elevating practical risk beyond the moderate base score alone; no active exploitation has been confirmed by CISA KEV at the time of analysis.
Authentication bypass in BerriAI LiteLLM versions 1.59.0 through 1.59.8 allows unauthenticated remote attackers to circumvent the UserAPIKeyAuth function within the experimental MCP Proxy server component, gaining unauthorized access to protected LLM proxy functionality without valid credentials. A public proof-of-concept exploit is confirmed available via GitHub gist (YLChen-007), materially lowering the bar for exploitation. No CISA KEV listing is present at time of analysis, but the network-accessible, zero-authentication attack surface combined with an available PoC warrants urgent remediation prioritization for any deployment with the MCP server component exposed.
SQL injection in Montodel House-Rental-Management's /login.php endpoint allows unauthenticated remote attackers to manipulate the Username parameter and interact with the underlying database without credentials. A public proof-of-concept exploit is available on GitHub, and the vendor was unresponsive to pre-disclosure contact, leaving no patch path. Any internet-exposed deployment of this PHP application should be treated as immediately at risk given the zero-barrier exploitation prerequisites and available exploit code.
Remote code execution in SiYuan note-taking application (before v3.6.1) allows any malicious Bazaar marketplace package author to compromise users via unsanitized HTML rendering of package displayName, description, and README content. Because the Electron renderer is configured with nodeIntegration:true and contextIsolation:false, injected JavaScript pivots directly to arbitrary OS command execution. No public exploit identified at time of analysis, but VulnCheck published a detailed technical advisory documenting both zero-click (metadata) and one-click (README) vectors.
Remote code execution in SiYuan note-taking application before v3.6.1 occurs when users browse the built-in Bazaar marketplace, because package metadata (displayName, description) and README content are rendered without HTML sanitization. Because the Electron shell ships with nodeIntegration:true and contextIsolation:false, an injected script in the renderer executes arbitrary OS commands as the user. Reported by VulnCheck with detailed vulnerable-code analysis published in the GHSA advisory; no public exploit identified at time of analysis and not listed in CISA KEV.
Authentication bypass in Crawl4AI Docker API server (versions prior to 0.8.7) allows remote unauthenticated attackers to forge valid JWT tokens because the signing key defaults to the hardcoded value 'mysecret' present in the public source code. Anyone aware of the default secret can mint tokens for arbitrary users and obtain full access to protected crawling, extraction, JavaScript execution, and configuration endpoints. No public exploit identified at time of analysis, but the underlying weakness is trivially reproducible from the upstream repository.
Improper session authorization in the Linux kernel's in-kernel SMB3 server (ksmbd) lets an authenticated SMB client reach sessions it never bound to. Because the connection-wide conn->binding flag stays set after a binding SESSION_SETUP, the global lookup in ksmbd_session_lookup_all() would resolve any session by ID, allowing a low-privileged remote user to access another user's session (Information Disclosure tagged). No public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and it is not in CISA KEV.
Privilege escalation in phpMyFAQ before 4.1.4 allows authenticated non-SuperAdmin users holding the edit_user permission to promote themselves to SuperAdmin via missing authorization checks in the editUser() and updateUserRights() endpoints. The flaw lets a low-tier administrator set the is_superadmin flag or grant arbitrary rights, fully compromising the FAQ application; publicly available exploit code exists is not asserted, and at time of analysis no public exploit identified at time of analysis.
Unauthenticated organization member enumeration in Capgo before 12.128.2 allows remote attackers to harvest email addresses, user IDs, roles, and pending invitations by invoking the public.get_org_members RPC with only a publishable Supabase key and a target organization UUID. The flaw, reported by VulnCheck and tracked as EUVD-2026-38169, carries a CVSS 4.0 score of 8.7 and reflects a broken access control check on a public Postgres RPC. No public exploit identified at time of analysis, but the trivial invocation makes mass scraping straightforward once an org UUID is known.
Information disclosure in Capgo before 12.128.2 lets remote unauthenticated attackers abuse the security-definer RPC function get_identity_apikey_only to validate arbitrary API keys and map them to owning user_ids. The endpoint functions as an oracle, and results can be chained into other exposed RPCs such as get_orgs_v6 to enumerate organization membership and harvest management email PII. No public exploit identified at time of analysis, though VulnCheck has publicly documented the technique and a vendor patch is available.
Authenticated remote code execution in Craft CMS versions 5.5.0 through 5.9.13 allows admin users to execute arbitrary PHP by injecting Yii2 event handlers via the fieldLayoutConfig POST parameter to FieldsController::actionRenderCardPreview(). The flaw stems from missing Component::cleanseConfig() sanitization, enabling disclosure of environment variables including database credentials and CRAFT_SECURITY_KEY. No public exploit identified at time of analysis, though VulnCheck has published a detailed advisory describing the attack technique.
Detection bypass in picklescan before 0.0.28 allows attackers to smuggle arbitrary code through pickle files by abusing torch.utils._config_module.load_config inside __reduce__ methods, defeating the library's malicious-pickle scanning and enabling remote code execution when the file is later loaded. Publicly available exploit code exists (GHSA-vv6j-3g6g-2pvj includes a working PoC), and the flaw is significant for any ML pipeline that trusts picklescan to vet third-party PyTorch model files. No CISA KEV listing at time of analysis, so exploitation status is limited to public POC rather than confirmed in-the-wild use.
Detection bypass in picklescan versions before 0.0.30 allows malicious pickle files to evade security scanning by using cProfile.runctx in __reduce__ methods, leading to arbitrary code execution when the file is loaded via pickle.load(). The flaw undermines the core purpose of picklescan as a defensive tool for ML model security and was reported by VulnCheck with a published proof-of-concept in the GitHub Security Advisory. No public exploit identified at time of analysis as a weaponized in-the-wild attack, but PoC code is published in the GHSA.
Detection bypass in picklescan before 0.0.30 allows attackers to smuggle arbitrary code execution payloads through pickle files by abusing idlelib.pyshell.ModifiedInterpreter.runcommand inside a __reduce__ method, which the scanner fails to flag as dangerous. Any victim who relies on picklescan to vet PyTorch models or other pickle artifacts and then calls pickle.load() will execute attacker-supplied commands. Publicly available exploit code exists (PoC published in the GHSA advisory), no CISA KEV listing, and the issue is fixed in version 0.0.30.
Detection bypass in picklescan versions before 0.0.25 allows attackers to embed remote code execution payloads in pickle files by abusing the built-in timeit.timeit() function inside a __reduce__ method, which is not on the unsafe-globals blacklist. Any organization using picklescan to vet PyTorch or other pickle-based model files is affected, and a working PoC is publicly documented in the GHSA advisory (no public exploit identified at time of analysis as a weaponized tool, but POC code is published).
Privilege escalation in Capgo before 12.128.2 allows authenticated Supabase users to manipulate billing data for arbitrary organizations by invoking the public.apply_usage_overage SECURITY DEFINER function via RPC. The function executes with owner privileges and skips auth.uid(), org membership, and check_min_rights validation, bypassing Row Level Security and enabling fraudulent overage insertion or credit depletion across tenants. No public exploit identified at time of analysis, but vendor and VulnCheck have published advisories and a patched release.
Authenticated path traversal in Craft CMS (4.0.0-RC1 through 4.17.6 and 5.0.0-RC1 through 5.9.12) allows low-privileged users to read arbitrary SVG files on the server via the assets/icon endpoint's extension parameter, which was passed to file existence checks without validation. No public exploit identified at time of analysis, though VulnCheck published an advisory and the upstream fix is visible in commit 30f5f1a. Confidentiality impact is high but no integrity or availability impact, and exploitation requires valid authenticated session.
Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated API clients read build status and logs belonging to other applications by combining an authorized app_id with a job_id from a different, unauthorized app. The /build/status and /build/logs endpoints validate the app_id but fail to verify that the supplied job_id actually belongs to that application, exposing logs, metadata, and potentially embedded credentials across tenant boundaries. No public exploit identified at time of analysis, though VulnCheck has published an advisory with technical details.
Privilege escalation in Capgo before 12.128.2 allows authenticated users holding the admin role to elevate themselves to super_admin by abusing a broken row-level security (RLS) policy on the org_users table. No public exploit identified at time of analysis, but a vendor patch is available and the flaw was disclosed by VulnCheck through a GitHub Security Advisory.
Authentication bypass in Capgo's /build/upload/:jobId/* endpoint exposes all versions before 12.128.2 to unauthenticated denial of service. Remote attackers exploit HTTP OPTIONS request handling to sidestep authentication middleware entirely, forcing tusProxy to execute with invalid credentials and reliably producing HTTP 500 errors at scale. No public exploit code or CISA KEV listing exists at time of analysis, but the trivial attack mechanics - requiring no credentials, tools, or interaction - mean any internet-exposed Capgo instance is at risk of request flooding.
Unauthenticated job ID enumeration in Cap-go (Capgo) before version 12.128.2 exposes internal builder job identifiers via observable response discrepancies on the OPTIONS /build/upload/:jobId/* endpoint. Any network-accessible attacker can probe this endpoint without credentials to distinguish valid job IDs from invalid ones, effectively building a map of active build jobs. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the zero-barrier exploitation (no auth, no interaction) and dual impact of information disclosure and incidental resource consumption make it a meaningful exposure for organizations running self-hosted Capgo instances.
Integer overflow in the xmlwf utility bundled with libexpat before 2.8.2 enables heap corruption via XML documents containing an excessive number of NOTATION declarations in a DOCTYPE block. The flaw in endDoctypeDecl allows a crafted XML file to wrap a signed integer counter, producing an undersized heap allocation that can be overflowed with high confidentiality and integrity impact. No confirmed active exploitation (not in CISA KEV) and no public exploit code have been identified at time of analysis; vendor-released patch is available in libexpat 2.8.2.
Integer overflow in libexpat's xmlwf tool allows an attacker supplying a crafted XML file with an excessively long DOCTYPE system identifier to trigger a heap buffer overflow via the resolveSystemId function. All libexpat versions before 2.8.2 are affected; the root cause is an unchecked size_t arithmetic operation - both the addition of string lengths and the subsequent multiplication by sizeof(XML_Char) - before a malloc call. No public exploit has been identified at time of analysis, and exploitation requires local access under high-complexity conditions per the CVSS:3.1/AV:L/AC:H vector.
Integer overflow in libexpat's copyString function (xmlparse.c) allows heap buffer overflow when processing specially crafted XML input, affecting all libexpat versions before 2.8.2. The missing bounds check on a size multiplication permits an attacker-controlled string length to wrap around SIZE_MAX, producing an undersized heap allocation that is subsequently overwritten - enabling potential memory corruption, arbitrary code execution, or data disclosure in any application consuming the library. No public exploit has been identified at time of analysis; a vendor-released patch is available in libexpat 2.8.2.
Integer overflow in libexpat before 2.8.2 allows heap corruption during XML prolog parsing when accumulated entity value pool length exceeds INT_MAX, yielding high confidentiality and integrity impact per CVSS. The flaw resides in doProlog and the related storeSelfEntityValue path, where poolLength() return values are cast to signed integers without bounds validation - a gap closed in the upstream fix via explicit INT_MAX guards. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the widespread use of libexpat as a dependency across system tools, language runtimes, and XML-processing services means the blast radius of a weaponized exploit would be broad.
Integer overflow in libexpat's XML_ParseBuffer function allows potential heap corruption leading to high-confidentiality and high-integrity impact in all libexpat versions before 2.8.2. The overflow occurs because XML_ParseBuffer lacked a bounds check on the byte index accumulator that was already present in the sibling XML_Parse function - a defensive guard omitted asymmetrically between two code paths. Any application that routes XML input through XML_ParseBuffer (a common pattern in incremental parsing) is exposed. No public exploit has been identified at time of analysis and no KEV listing exists, but the high C and I CVSS impact ratings reflect the potential for code execution via heap corruption.
Integer overflow in libexpat's getAttributeId routine exposes any application embedding libexpat before version 2.8.2 to memory corruption with high confidentiality and integrity impact when parsing specially crafted XML documents. The flaw occurs when an internal counter traversing the attribute ID table reaches INT_MAX and wraps, producing an invalid index that can corrupt adjacent heap memory. No public exploit has been identified at time of analysis, and CISA has not listed this in the KEV catalog, but a vendor-released patch is available in libexpat 2.8.2 and upgrade is the recommended remediation.
Integer overflow in libexpat's addBinding function (xmlparse.c) before version 2.8.2 allows memory corruption during XML namespace binding processing, with high confidentiality and integrity impact. All libexpat releases from 0 through 2.8.2-pre are affected (CPE: cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*), encompassing a significant downstream attack surface given the library's widespread use in Python, PHP, and system utilities. No public exploit or active exploitation has been confirmed at time of analysis; the official CVSS 3.1 score of 6.9 reflects meaningful impact tempered by high attack complexity and a local attack vector.
Integer overflow in libexpat's storeAtts() function before version 2.8.2 allows heap buffer corruption during XML namespace attribute processing. When an XML document contains namespace-qualified attributes whose prefix name or local-part name approaches or exceeds INT_MAX bytes, the combined expanded-name length calculation wraps to a small integer, causing allocation of an undersized heap buffer followed by an out-of-bounds write during the memcpy phase. The vendor CVSS scores this 6.9 with High confidentiality and integrity impact; no public exploit has been identified at time of analysis and the CVE is not listed in the CISA KEV catalog.
Symlink-following vulnerabilities in Capgo CLI before version 12.128.2 (npm @capgo/cli < 7.84.6) allow an attacker who controls a repository to overwrite arbitrary files on a developer's machine and expose sensitive signing credentials when the developer runs CLI login or build credential operations inside that repository. Three distinct issues are present: unsafe writeFileSync on .capgo and .capgo-credentials.json without symlink validation, and global credential files written with world-readable 664 permissions instead of the required 0600. A proof-of-concept demonstrating the .capgo clobber is publicly documented in the GitHub Security Advisory GHSA-8mpm-q7mh-8fvh. No CISA KEV listing exists at time of analysis, but exploitability is straightforward given the PoC and low attack complexity.
Integer overflow in the `xmlwf` command-line utility bundled with libexpat before 2.8.2 allows heap buffer overflow when the `-d outputDir` flag is used with extremely long path values. The overflow occurs during malloc size calculation - `(tcslen(outputDir) + tcslen(file) + 2) * sizeof(XML_Char)` - wrapping the size_t to a near-zero value, causing an undersized allocation followed by out-of-bounds write during filename construction. No public exploit has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the heap overflow primitive is well-understood and could yield code execution in automated XML processing pipelines.
Heap out-of-bounds read in ImageMagick's PCD image decoder (versions prior to 7.1.2-15 and 6.9.13-40) allows unauthenticated network-reachable attackers to cause denial of service and disclose a single adjacent heap byte by supplying a crafted PCD file to an image-processing endpoint. The vulnerability is rooted in the PCD coder's DecodeImage loop and requires high attack complexity (AC:H) with specific attack prerequisites (AT:P), meaning the target application must actively process attacker-supplied PCD files. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis, though .NET bindings via Magick.NET NuGet packages are also affected and carry a separate fix version.
Integer overflow in ImageMagick's PSB/PSD v2 RLE decoder (ReadPSDChannelRLE in coders/psd.c) causes a heap out-of-bounds read exclusively on 32-bit builds, enabling information disclosure or process crash when processing attacker-controlled PSB files. Affected versions span ImageMagick below 7.1.2-15 and 6.9.x below 6.9.13-40, with corresponding Magick.NET NuGet packages below 14.10.3 also confirmed vulnerable. No public exploit code has been identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects that exploitation is constrained to 32-bit deployments processing untrusted PSB input.
Reflected cross-site scripting in Suna's authentication endpoint allows remote attackers to execute arbitrary JavaScript in a victim's browser by manipulating the returnURL parameter passed to Next.js router.replace/router.push. All Suna releases from 0.8.0 through 0.8.38 are affected; the flaw spans every auth action (signIn, signUp, resetPassword, signInWithPassword, signUpWithPassword, sendOtpCode, resendMagicLink, installOwner) because none sanitized the returnUrl form field before use. A public proof-of-concept exploit exists (GitHub Gist by TrebledJ); no public exploitation confirmed and the vulnerability is not listed in CISA KEV.
Insufficient session expiration in LiteLLM's SSO authentication flow exposes deployments running versions 1.82.0 through 1.82.2 to unauthorized persistent session access by low-privileged authenticated users. The flaw resides in the `get_redirect_response_from_openid` function within the OpenID Connect callback handling code, allowing manipulation of the SSO redirect response to bypass session lifetime enforcement. No confirmed active exploitation (not in CISA KEV), but a publicly available proof-of-concept exploit on GitHub lowers the barrier to abuse, and the CVSS 4.0 vector explicitly encodes the exploit availability modifier E:P.
Heap-based buffer overflow in OFFIS DCMTK's XMLNode::parseFile function (ofstd/libsrc/ofxml.cc) affects all versions through 3.7.0, exploitable by any remote party who can supply a crafted or non-seekable XML input to the parser. The root cause - confirmed by the upstream patch commit - is that the original guard `if (!l)` failed to catch a -1 return from ftell(), allowing a corrupted buffer size to propagate into heap allocation and subsequent write. A public proof-of-concept exploit exists per VulDB and a published Medium writeup; no active exploitation is confirmed via CISA KEV. The CVSS 4.0 score of 2.1 reflects passive-interaction and low-impact ratings, but the presence of public exploit code elevates practical risk for any DCMTK deployment that parses externally influenced XML files.
Improper authorization in BerriAI LiteLLM versions 1.63.0-1.63.1 allows any authenticated user - holding any valid API key regardless of role - to perform admin-restricted operations on other users' API keys, including blocking, unblocking, and modifying budget limits via the `/key/block`, `/key/unblock`, and `/key/update` endpoints. The root cause, confirmed by GitHub PR #23781, is the complete absence of access-control enforcement on these endpoints despite their admin-only documentation. A publicly available proof-of-concept exploit exists on GitHub; this vulnerability is not in the CISA KEV catalog at time of analysis.
Improper authorization in BerriAI LiteLLM versions up to 1.82.2 allows authenticated low-privilege users to access user data beyond their permitted scope via the `ui_view_users` management endpoint - an incomplete remediation of the prior CVE-2025-0628 authorization bypass in the same function. A public proof-of-concept exploit is available on GitHub (YLChen-007), confirming practical exploitability. No active exploitation is confirmed (not in CISA KEV), and the authentication requirement (CVSS 4.0 PR:L) constrains the attacker pool to those already holding valid credentials on the target proxy.
Server-side request forgery in LiteLLM's experimental MCP OpenAPI Spec Loader allows authenticated remote attackers to coerce the server into issuing arbitrary HTTP requests by supplying a malicious `spec_path` value to the `load_openapi_spec_async` function. Affected versions are LiteLLM 1.82.0 through 1.82.2 as confirmed by EUVD. A public proof-of-concept exploit exists on GitHub, though the vulnerability is not in CISA KEV and the CVSS 4.0 score of 2.1 with E:P modifier reflects low-severity, authenticated exploitation with a known but apparently limited threat footprint.
Incorrect authorization in BerriAI LiteLLM's enterprise banned keywords hook allows remote low-privileged authenticated users to bypass prompt content filtering by manipulating the `prompt` argument to the `async_pre_call_hook` function in `enterprise/enterprise_hooks/banned_keywords.py`. All versions in the 1.82.x series up to and including 1.82.5 are confirmed affected. A public proof-of-concept exploit is available via GitHub Gist, materially increasing the risk for enterprise deployments that rely on the banned keywords feature as a compliance or safety enforcement boundary; no confirmed CISA KEV listing exists at time of analysis.
Server-side request forgery in BerriAI LiteLLM versions up to 1.82.2 allows authenticated remote attackers to induce the proxy server to make arbitrary outbound HTTP requests by manipulating the MCP (Model Context Protocol) Server Connection Testing endpoint. The vulnerable function `_execute_with_mcp_client` in the experimental MCP server component fails to validate or restrict user-supplied connection targets, enabling internal network probing, potential access to cloud metadata services, and circumvention of network segmentation controls. A publicly available proof-of-concept exploit exists (GitHub gist by YLChen-007); no CISA KEV listing was present at time of analysis. The CVSS 4.0 reported score of 2.1 reflects threat-metric downgrade from E:P (proof-of-concept) and should not be taken as indicative of low inherent exploitability - the base network vector with low-privilege access represents a meaningful internal network exposure risk.
Insufficient session expiration in LiteLLM's proxy authentication layer (versions 1.82.0 through 1.82.2) allows remote low-privileged users to reuse or manipulate session tokens generated by the PROXY_ADMIN API Key Generator beyond their intended validity window. The flaw resides in the `authenticate_user` function within `litellm/proxy/auth/login_utils.py`, where session/API key lifecycle management does not enforce expiration correctly per CWE-613. A public proof-of-concept exploit exists (GitHub gist), though no active exploitation has been confirmed via CISA KEV. The CVSS 4.0 score of 2.1 reflects a limited real-world blast radius despite the network-accessible attack vector.