Arbitrary code execution in the Angular Language Service VS Code extension prior to 21.2.4 allows attackers to silently run code on a developer's machine simply by having them open a malicious repository in VS Code. The extension reads the typescript.tsdk and js/ts.tsdk.path workspace settings without checking Workspace Trust, then require()s a tsserverlibrary.js file from that attacker-controlled path. No public exploit identified at time of analysis, though the patch diff in PR #68857 clearly illustrates the exploit primitive.
Local privilege escalation in qSnapper D-Bus service before version 1.3.3 allows any unprivileged local user to invoke privileged D-Bus methods after an administrator has previously authenticated for an unrelated Polkit action. The flaw stems from authentication state being implicitly carried over across different Polkit actions and users rather than being scoped per-action-per-caller, enabling unauthorized snapshot management on systems where the service is installed. No public exploit identified at time of analysis, though SUSE published a coordinated disclosure advisory alongside the upstream fix.
Session persistence flaw in @actual-app/sync-server through 26.5.2 lets disabled OpenID users retain authenticated access because session validation never re-checks the users.enabled flag. With the default token_expiration of 'never', a previously issued token continues to authorize sync and admin API calls indefinitely after an administrator disables the account. No public exploit identified at time of analysis, though the GHSA advisory includes a detailed PoC.
Server-side request forgery in Gogs (self-hosted Git service) versions ≤ 0.14.2 lets a user who can configure a webhook reach internal-only network addresses by abusing HTTP redirect following. The original CVE-2022-1285 fix only blocked webhook URLs whose hostname resolves into local CIDRs, but the delivery client still chased 3xx redirects, so a webhook pointed at an attacker-controlled host that returns a 301 to http://169.254.169.254/ pivots into cloud metadata and other internal services. Publicly available exploit code exists (a working PoC against try.gogs is documented, dumping DigitalOcean droplet metadata); it is not listed in CISA KEV and no public EPSS figure is provided.
Credential theft in Red Hat OpenShift Container Platform's Windows Machine Config Operator (WMCO) allows adjacent-network attackers to intercept SSH sessions to Windows worker nodes and steal WICD and kubelet bootstrap credentials. WMCO fails to verify the remote SSH host key when configuring Windows nodes, enabling a man-in-the-middle attacker positioned on the cluster network to capture credentials sufficient to assume Windows node identities. No public exploit identified at time of analysis, and the issue is not in CISA KEV.
Authenticated path traversal in AIL Framework (CIRCL's Analysis Information Leak threat-intel platform) lets a low-privileged user abuse the investigation workflow to read arbitrary files readable by the AIL process and exfiltrate them inside a generated archive. The flaw is fixed in commit 0041456af25da0cdea1c1c4624e46baff2731d8f, and no public exploit is identified at time of analysis. CVSS 4.0 is 8.3 (High), driven by a scope change where the leaked filesystem content is considered subsequent-system confidentiality impact.
Unauthenticated S3 pre-signed URL minting in Budibase (npm @budibase/server before 3.39.0) lets anonymous attackers abuse the route POST /api/attachments/:datasourceId/url, which was registered with only a recaptcha middleware and no authorized() gate. An attacker who knows or enumerates a workspace id (app_...) and an S3 datasource id (ds_...) receives a 15-minute AWS SigV4 pre-signed PutObjectCommand URL minted on the victim's stored IAM credentials, and because the bucket is caller-controlled they can write to any bucket those credentials permit. Publicly available exploit code exists (a self-contained Node.js PoC is published in the advisory); this is not listed in CISA KEV and no EPSS score was provided.
Denial of service in MessagePack for C# versions prior to 2.5.301 and 3.1.7 allows remote attackers to terminate host processes by sending a crafted MessagePack timestamp extension payload that triggers an uncatchable StackOverflowException. The flaw stems from a stackalloc operation using an attacker-controlled extension length before validation, enabling a tiny payload to claim a massive stack allocation. No public exploit identified at time of analysis, and CVSS 4.0 of 8.2 reflects high availability impact with attack complexity requirements.
A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged remote unauthenticated attacker. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
SQL injection in Apache Doris MCP Server versions 0.1.0 through 0.6.0 allows authenticated attackers (or anonymous attackers when authentication is disabled) to inject arbitrary SQL through a database-name parameter in a metadata query path, bypassing the caller's authorization context. Because the query executes without the requester's auth context, attackers can read metadata across databases they should not be able to see. No public exploit identified at time of analysis, and SSVC currently marks exploitation as 'none'.
Improper access control in the Grafana Snowflake datasource plugin (versions 1.14.7 through 1.14.12) lets any user permitted to run queries against the data source invoke Snowflake GET/PUT commands to read and write files between the local Grafana server and the connected Snowflake host. The flaw effectively turns query permissions into a file-transfer primitive that crosses the trust boundary between the Grafana host and Snowflake. There is no public exploit identified at time of analysis, EPSS is low (0.23%, 14th percentile), and CISA SSVC marks exploitation as none, but the technical impact is rated total.
Authentication bypass in Gogs (self-hosted Git service) versions <= 0.14.2 allows any remote attacker who can reach the service to forge the X-WEBAUTH-USER header and impersonate any account, including administrators, when ENABLE_REVERSE_PROXY_AUTHENTICATION is turned on. Because Gogs trusts the reverse-proxy auth header without verifying the request actually came from the proxy, an attacker can also trigger automatic admin-level account creation if auto-registration is enabled. Publicly available exploit code exists (a single curl one-liner in the advisory); it is not in CISA KEV and no EPSS score was supplied.
A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious javascript and gain full control over the. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Local privilege-bound symlink abuse in Dell Wyse Management Suite (WMS) versions prior to 2605 allows a low-privileged local user to gain unauthorized access to files or resources they should not reach. The flaw is rooted in improper link resolution before file access (CWE-59), and while no public exploit has been identified at time of analysis, the CVSS 7.8 score reflects full confidentiality, integrity, and availability impact once the local prerequisite is met.
Local arbitrary code execution in Glances versions prior to 4.5.5 occurs when the daemon deserializes its version-check cache file via pickle.load() without integrity validation. An attacker with write access to the Glances user's XDG cache directory (~/.cache/glances/glances-version.db) can plant a malicious pickle that executes as the Glances process user - frequently root - on next startup. Publicly available exploit code exists in the GHSA advisory, but no public exploit identified at time of analysis as actively weaponized.
Local privilege escalation via command injection in Glances 4.5.5_dev1 and earlier allows users with libvirt domain-creation rights to execute arbitrary commands as the Glances process owner (typically root on hypervisor hosts). The flaw lives in the KVM/QEMU monitoring plugin, where VM domain names parsed from `virsh list --all` are interpolated into command strings handled by `secure_popen()`, which intentionally treats `&&`, `|`, and `>` as control operators. No public exploit identified at time of analysis, but a detailed PoC accompanies the GHSA-v5r2-qh84-fjx5 advisory.
Session fixation in Digiwin EasyFlow .NET allows unauthenticated remote attackers to pre-set a victim's session identifier and hijack the authenticated session once the victim logs in, inheriting the victim's privileges. No public exploit identified at time of analysis, but the CVSS 4.0 score of 7.7 and HIGH impact across confidentiality, integrity, and availability mark this as a meaningful risk for organizations using the workflow platform. The flaw is tracked under CWE-384 and was disclosed via TWCERT, with no specific patched version cited in the provided references.
Detection bypass in picklescan versions 0.0.26 and earlier (fixed in 0.0.30) allows attackers to smuggle arbitrary code through malicious pickle files by abusing Python's built-in ensurepip._run_pip function, which the scanner failed to flag as dangerous. Organizations relying on picklescan to vet PyTorch models or other serialized Python objects will load the file as safe and trigger remote code execution upon pickle.load(). Publicly available exploit code exists via the GHSA advisory PoC, though no public exploit identified in active campaigns at time of analysis.
Arbitrary code execution in Picklescan before 0.0.33 occurs because the scanner fails to flag the numpy.f2py.crackfortran._eval_length gadget when used inside a pickle __reduce__ method, allowing crafted pickle files to be marked safe while still executing attacker-supplied Python on load. Workflows that rely on Picklescan to vet untrusted pickle or PyTorch model artifacts are exposed to supply-chain poisoning, and publicly available exploit code exists in the GHSA advisory.
Detection bypass in picklescan before 0.0.29 allows attackers to smuggle arbitrary code execution payloads through pickle files by abusing the idlelib.autocomplete.AutoComplete.get_entity function inside __reduce__ methods. Because picklescan does not flag this function as dangerous, malicious ML model files (e.g., PyTorch checkpoints) appear safe to scan but execute attacker commands the moment a victim calls pickle.load(). Publicly available exploit code exists in the GHSA advisory, but no public exploit identified at time of analysis in CISA KEV.
Information disclosure in Gogs 0.14.1 (and all versions ≤ 0.14.2) allows unauthenticated remote attackers who know or guess an attachment UUID to download files attached to issues, comments, and releases in private repositories. The `/attachments/:uuid` endpoint performs no repository-level authorization check, so private-repo attachments - credentials, keys, internal documents, unpublished source - leak when `REQUIRE_SIGNIN_VIEW = false`. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-p9f5-h3rx-j5qw includes a full proof-of-concept reproduction.
GitHub Copilot 1.372.0 allows filesystem access outside of a workspace folder (without user approval) via a file-handler URI parameter to fetch_webpage. Therefore, exfiltration could occur if there is indirect prompt injection.
Denial of service in IBM WebSphere Application Server 8.5 and 9.0, plus WebSphere Liberty 17.0.0.3 through 26.0.0.6, allows remote unauthenticated attackers to exhaust server memory by sending a specially crafted request. The CVSS 7.5 score reflects high availability impact with no privileges or user interaction required, though no public exploit identified at time of analysis and no EPSS or KEV data is provided.
Denial of service in IBM WebSphere Application Server 9.0 and 8.5, and WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.6, allows remote unauthenticated attackers to exhaust server memory by sending specially-crafted requests. CVSS 7.5 (availability-only impact) with no public exploit identified at time of analysis and a low EPSS score of 0.31% (23rd percentile). IBM has released a patch via support advisory 7276579; CISA SSVC currently rates exploitation status as 'none'.
Denial of service in MessagePack for C# versions prior to 2.5.301 and 3.1.7 allows remote attackers to crash applications by sending deeply nested MessagePack payloads that trigger uncatchable StackOverflowException via MessagePackReader.TrySkip(). The flaw bypasses the library's own MaximumObjectGraphDepth safeguard because TrySkip() recurses into nested structures without incrementing the depth counter, making any application that deserializes untrusted MessagePack data exploitable. No public exploit identified at time of analysis, but the bug is straightforward to trigger and fixes are already published upstream.
Denial of service in the IBM WebSphere WebServer Plug-in component affects IBM i 7.3 through 7.6, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty via a NULL pointer dereference (CWE-476) triggered by crafted HTTP requests. The CVSS vector (AV:N/AC:H/PR:N/UI:N) confirms remote unauthenticated exploitation, though high attack complexity limits opportunistic mass exploitation. Impact is limited to availability - no confidentiality or integrity compromise - and no public exploit or CISA KEV listing has been identified at time of analysis.
Sensitive-data disclosure in IBM Datacap and Datacap Navigator (versions 9.1.7, 9.1.8, 9.1.9) lets an attacker recover user passwords and cryptographic keys that the application holds in cleartext in memory; the recovered keys can then decrypt stored credentials, authenticate to the application, and reach sensitive data in the backing database. IBM has released a patch. There is no public exploit identified at time of analysis, EPSS exploitation probability is negligible (0.08%, 0th percentile), and CISA SSVC rates exploitation as 'none' - indicating low immediate field risk despite the high CVSS confidentiality impact.
Unauthenticated information disclosure in WWBN AVideo (versions prior to 29.0) deployed via the official docker-compose.yml exposes the application's .env file at /.env, leaking database credentials, the SYSTEM_ADMIN_PASSWORD, and internal Docker network topology. The default Apache document root mount lacks any rule blocking dotfile access, so a single curl request to /.env returns plaintext secrets. No public exploit identified at time of analysis, though reproduction is trivial against any default Docker deployment.
Cross-origin data exposure in Glances XML-RPC server (versions 4.5.3 through 4.5.4) allows any malicious web page to read full system monitoring data from a victim's browser because the CORS allowlist silently collapses to 'Access-Control-Allow-Origin: *' whenever two or more origins are configured. This is an incomplete fix for CVE-2026-33533: the CORS header is computed once at startup and never validated against the request's Origin. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis as actively exploited.
Recovery code reuse in Filament (Laravel admin panel framework) versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 allows attackers who already possess a victim's password and recovery codes to obtain multiple authenticated sessions per single recovery code by submitting parallel authentication requests. The flaw stems from a TOCTOU race condition (CWE-362) in app-based MFA recovery code validation, undermining the single-use guarantee. No public exploit identified at time of analysis and the vulnerability is fixed in 4.11.5 and 5.6.5.
Authentication bypass in IBM WebSphere Application Server 8.5 and 9.0 allows remote attackers to gain unauthorized access to JAX-WS web service applications without valid credentials. The CVSS 7.3 score reflects network-reachable, no-authentication exploitation with partial confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but a vendor patch is available via IBM support advisory 7276597.
Account impersonation in Budibase 3.37.2 through 3.38.x allows attackers with a Slack, Discord, or MS Teams account in the same workspace to silently bind their external chat identity to any authenticated Budibase user who clicks a crafted link. Because the `/api/chat-links/:instance/:token/handoff` endpoint performs a permanent state-changing write with no consent UI and no CSRF token, a successful link grants the attacker full impersonation through the AI chat agent, reading data and triggering automations as the victim. No public exploit identified at time of analysis beyond the detailed proof-of-concept in the GHSA advisory authored by the reporter.
Local privilege escalation and denial of service in qSnapper before 1.3.3 stems from path traversal via the configName D-Bus parameter, allowing local attackers to point the snapper backend at attacker-controlled config files. Per the SUSE security review that produced coordinated fixes for CVE-2026-41045 through CVE-2026-41049, exploitation can crash the service or escalate to root through abuse of snapper configuration handling. No public exploit identified at time of analysis, but the upstream advisory and Bugzilla entry document the issue in detail.
Local privilege escalation to SYSTEM in the PaperCut Print Deploy Client for Windows allows a low-privileged user to hijack execution flow of pc-printer-updater.exe by planting a malicious binary in a directory on the Windows search path. The flaw is a classic uncontrolled search path element (CWE-427) in a SYSTEM-level helper, and no public exploit identified at time of analysis. CVSS 4.0 base score is 7.3 reflecting local vector with attack requirements and user interaction.
Cross-organization data tampering in MISP (Malware Information Sharing Platform) core allows authenticated low-privileged users to modify or delete intelligence objects belonging to other organizations by exploiting broken access-control checks across Event Reports, Collection Elements, Analyst Data, Template Elements, and Decaying Models. The flaw stems from authorization being performed against the wrong entity ID or being entirely absent on write paths, enabling integrity attacks on shared threat intelligence. Vendor patches are available via multiple MISP GitHub commits; no public exploit identified at time of analysis.
Logic flaw in Capgo before 12.128.12 lets authenticated attackers continue serving soft-deleted application bundles to end-user devices because the /updates endpoint omits an app_versions.deleted filter when joining channels. Affected operators of the Capgo live-update service (a CodePush-style OTA platform for Capacitor mobile apps) can have purged bundles re-selected and pushed downstream, undermining rollback and removal workflows. No public exploit identified at time of analysis and the issue is not present in CISA KEV.
SQL injection in Capgo (cap-go) before 12.128.2 allows authenticated users with read-level API keys to access analytics data belonging to other tenants by injecting arbitrary SQL through multiple unparameterized parameters in cloudflare.ts. The flaw stems from direct string interpolation of request-body values into Cloudflare Analytics Engine queries, enabling cross-tenant data exposure. No public exploit identified at time of analysis, though a VulnCheck advisory and an upstream GitHub Security Advisory document the issue.
Privilege inversion in Cap-go (Capgo) before 12.128.2 lets holders of read-only API keys cancel running native builds by abusing the GET /build/logs/:jobId SSE endpoint. On client disconnect the server invokes cancelBuildOnDisconnect() using the privileged BUILDER_API_KEY, bypassing the app.build_native permission enforced on POST /build/cancel/:jobId. No public exploit identified at time of analysis, but the issue is trivially reproducible against any deployment exposing the log stream.
Server-side request forgery in Budibase (@budibase/backend-core before 3.39.9) lets authenticated users with automation permissions bypass the SSRF blacklist via DNS rebinding, reaching loopback, RFC1918, and cloud metadata endpoints from the Budibase host. The outbound fetch helper validates a hostname's resolved IP against the blacklist but never pins that IP to the subsequent socket, so node-fetch performs a second DNS lookup that can resolve to an internal address. Because several automation steps return upstream response bodies into automation output, the result is a non-blind read primitive; publicly available exploit code (a rebinding PoC) exists, though EPSS is low (0.24%, 15th percentile) and it is not on CISA KEV.
Local privilege abuse in ASUS Armoury Crate (versions up to and including 6.4.12) allows a local administrator to bypass input validation and perform arbitrary kernel memory read/write or trigger a system crash (BSOD). The flaw is reported by ASUS and tracked as EUVD-2026-38205; no public exploit identified at time of analysis. CVSS 4.0 base score is 7.1 with high attack complexity and high privileges required, reflecting that exploitation needs an existing administrative foothold.
Denial-of-service and potential out-of-bounds read in the Zephyr RTOS Bluetooth Host ISO receive path allows a malicious or compromised Bluetooth controller to crash devices using CONFIG_BT_ISO_RX by sending malformed HCI ISO packets with undersized SDU headers. The flaw resides in bt_iso_recv() within subsys/bluetooth/host/iso.c, where header bytes are pulled without prior length validation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Use-after-free in libxml2's xmlParseInternalSubset function affects GNOME libxml2 versions 2.9.11 through 2.11.0 and can be triggered remotely by crafted XML containing abusive entity resolution, leading to denial of service of any application that parses untrusted XML with this library. Publicly available exploit code exists (CVSS 4.0 E:P) but the issue is not listed in CISA KEV, indicating proof-of-concept demonstration rather than confirmed active exploitation. The flaw was disclosed by Canonical and tracked in GNOME GitLab work item 1058 and Ubuntu Launchpad bug 2141260.
Capgo's Supabase edge function backend (versions before 12.128.2) inconsistently applies global authentication middleware across HTTP methods on the /private/role_bindings/:org_id endpoint - GET requests reach the handler unauthenticated while POST and DELETE are gated by middleware. The handler currently performs its own authorization check and rejects unauthenticated callers, so no data is exposed in the current implementation. This is a CWE-306 defense-in-depth failure: the middleware gap creates latent risk that any future relaxation of handler-level logic could silently permit unauthenticated access to organization role binding data, with no public exploit identified at time of analysis.
Unauthenticated cross-tenant information disclosure in Capgo before 12.128.2 exposes billing plan metadata for arbitrary organizations via an improperly authorized Supabase RPC function. Any network-accessible attacker possessing only the public Supabase anon key can call the `public.get_current_plan_max_org` endpoint with any organization UUID to retrieve MAU limits, bandwidth, storage, and build time plan data belonging to unrelated tenants. No active exploitation is confirmed by CISA KEV, and no public exploit code has been identified at time of analysis.
Unauthenticated local access to qSnapper's D-Bus snapshot diff interface before version 1.3.3 exposes read-protected file contents to any local user on the host. The 'snapshot diff' D-Bus methods - GetFileChanges, GetFileChangesBetween, GetFileDiffBetween, and GetFileDiffAndDetails - lacked any Polkit authorization check, meaning a local unprivileged caller could invoke them directly and receive sensitive file diff data. This is one of five authentication/authorization flaws (CVE-2026-41045 through CVE-2026-41049) discovered and reported by the SUSE security team under coordinated disclosure; no public exploit is identified at time of analysis.
Infinite loop denial-of-service in pypdf prior to 6.13.1 allows an attacker to hang any process that merges a crafted PDF containing cyclic article/thread structures. The vulnerability exists in the `_add_articles_thread()` method of `_writer.py`, which traversed PDF article bead linked-list structures without cycle detection, permitting a self-referential `/N` (Next) pointer chain to create an irrecoverable loop. No public exploit code or CISA KEV listing exists at time of analysis, but the upstream PR diff publicly discloses the precise triggering structure, lowering the bar for exploitation against vulnerable merge pipelines.
Cross-project App Engine request log leakage in Google Cloud Console's GraphQL private API exposed sensitive telemetry data to unauthenticated remote attackers. The vulnerability, classified as CWE-862 (Missing Authorization), allowed a specially crafted GraphQL request to bypass authorization controls on the App Engine section of Cloud Console, enabling read access to request logs belonging to arbitrary GCP projects. Google applied a server-side fix on 7 April 2026; no public exploit or KEV listing has been identified at time of analysis.
Email validation bypass in Gaudire's Assassin Game permits registration with arbitrary or non-existent email addresses, enabling automated mass account creation without real mailbox ownership verification. The CVSS 4.0 vector (PR:N, AV:N) indicates no prior authentication is required to trigger the flaw, though the description's contradictory reference to an 'authenticated attacker' has not been resolved by the vendor and warrants clarification before deploying mitigations. No public exploit code and no CISA KEV listing have been identified at time of analysis; real-world impact is confined to service integrity abuse - spam distribution, rate-limit evasion, and fraudulent account accumulation.
LDAP injection in Central Dogma's Apache Shiro-based authentication module exposes unauthenticated remote attackers to authentication confusion and Active Directory enumeration. The SearchFirstActiveDirectoryRealm component in centraldogma-server-auth-shiro versions prior to 0.84.0 inserts the login username directly into an LDAP search filter without escaping metacharacters, allowing filter logic manipulation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or preconditions are required beyond reaching the login endpoint. No public exploit or CISA KEV listing has been identified at time of analysis.
### Summary The regex validation used to prevent Introspection queries can be bypassed by removing the extra whitespace, carriage return, and line feed characters from the query. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.