Unauthenticated information disclosure in WWBN AVideo (versions prior to 29.0) deployed via the official docker-compose.yml exposes the application's .env file at /.env, leaking database credentials, the SYSTEM_ADMIN_PASSWORD, and internal Docker network topology. The default Apache document root mount lacks any rule blocking dotfile access, so a single curl request to /.env returns plaintext secrets. No public exploit identified at time of analysis, though reproduction is trivial against any default Docker deployment.
Cross-origin data exposure in Glances XML-RPC server (versions 4.5.3 through 4.5.4) allows any malicious web page to read full system monitoring data from a victim's browser because the CORS allowlist silently collapses to 'Access-Control-Allow-Origin: *' whenever two or more origins are configured. This is an incomplete fix for CVE-2026-33533: the CORS header is computed once at startup and never validated against the request's Origin. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis as actively exploited.
Recovery code reuse in Filament (Laravel admin panel framework) versions 4.0.0 through 4.11.4 and 5.0.0 through 5.6.4 allows attackers who already possess a victim's password and recovery codes to obtain multiple authenticated sessions per single recovery code by submitting parallel authentication requests. The flaw stems from a TOCTOU race condition (CWE-362) in app-based MFA recovery code validation, undermining the single-use guarantee. No public exploit identified at time of analysis and the vulnerability is fixed in 4.11.5 and 5.6.5.
Authentication bypass in IBM WebSphere Application Server 8.5 and 9.0 allows remote attackers to gain unauthorized access to JAX-WS web service applications without valid credentials. The CVSS 7.3 score reflects network-reachable, no-authentication exploitation with partial confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but a vendor patch is available via IBM support advisory 7276597.
Account impersonation in Budibase 3.37.2 through 3.38.x allows attackers with a Slack, Discord, or MS Teams account in the same workspace to silently bind their external chat identity to any authenticated Budibase user who clicks a crafted link. Because the `/api/chat-links/:instance/:token/handoff` endpoint performs a permanent state-changing write with no consent UI and no CSRF token, a successful link grants the attacker full impersonation through the AI chat agent, reading data and triggering automations as the victim. No public exploit identified at time of analysis beyond the detailed proof-of-concept in the GHSA advisory authored by the reporter.
Local privilege escalation and denial of service in qSnapper before 1.3.3 stems from path traversal via the configName D-Bus parameter, allowing local attackers to point the snapper backend at attacker-controlled config files. Per the SUSE security review that produced coordinated fixes for CVE-2026-41045 through CVE-2026-41049, exploitation can crash the service or escalate to root through abuse of snapper configuration handling. No public exploit identified at time of analysis, but the upstream advisory and Bugzilla entry document the issue in detail.
Local privilege escalation to SYSTEM in the PaperCut Print Deploy Client for Windows allows a low-privileged user to hijack execution flow of pc-printer-updater.exe by planting a malicious binary in a directory on the Windows search path. The flaw is a classic uncontrolled search path element (CWE-427) in a SYSTEM-level helper, and no public exploit identified at time of analysis. CVSS 4.0 base score is 7.3 reflecting local vector with attack requirements and user interaction.
Cross-organization data tampering in MISP (Malware Information Sharing Platform) core allows authenticated low-privileged users to modify or delete intelligence objects belonging to other organizations by exploiting broken access-control checks across Event Reports, Collection Elements, Analyst Data, Template Elements, and Decaying Models. The flaw stems from authorization being performed against the wrong entity ID or being entirely absent on write paths, enabling integrity attacks on shared threat intelligence. Vendor patches are available via multiple MISP GitHub commits; no public exploit identified at time of analysis.
Logic flaw in Capgo before 12.128.12 lets authenticated attackers continue serving soft-deleted application bundles to end-user devices because the /updates endpoint omits an app_versions.deleted filter when joining channels. Affected operators of the Capgo live-update service (a CodePush-style OTA platform for Capacitor mobile apps) can have purged bundles re-selected and pushed downstream, undermining rollback and removal workflows. No public exploit identified at time of analysis and the issue is not present in CISA KEV.
SQL injection in Capgo (cap-go) before 12.128.2 allows authenticated users with read-level API keys to access analytics data belonging to other tenants by injecting arbitrary SQL through multiple unparameterized parameters in cloudflare.ts. The flaw stems from direct string interpolation of request-body values into Cloudflare Analytics Engine queries, enabling cross-tenant data exposure. No public exploit identified at time of analysis, though a VulnCheck advisory and an upstream GitHub Security Advisory document the issue.
Privilege inversion in Cap-go (Capgo) before 12.128.2 lets holders of read-only API keys cancel running native builds by abusing the GET /build/logs/:jobId SSE endpoint. On client disconnect the server invokes cancelBuildOnDisconnect() using the privileged BUILDER_API_KEY, bypassing the app.build_native permission enforced on POST /build/cancel/:jobId. No public exploit identified at time of analysis, but the issue is trivially reproducible against any deployment exposing the log stream.
Server-side request forgery in Budibase (@budibase/backend-core before 3.39.9) lets authenticated users with automation permissions bypass the SSRF blacklist via DNS rebinding, reaching loopback, RFC1918, and cloud metadata endpoints from the Budibase host. The outbound fetch helper validates a hostname's resolved IP against the blacklist but never pins that IP to the subsequent socket, so node-fetch performs a second DNS lookup that can resolve to an internal address. Because several automation steps return upstream response bodies into automation output, the result is a non-blind read primitive; publicly available exploit code (a rebinding PoC) exists, though EPSS is low (0.24%, 15th percentile) and it is not on CISA KEV.
Local privilege abuse in ASUS Armoury Crate (versions up to and including 6.4.12) allows a local administrator to bypass input validation and perform arbitrary kernel memory read/write or trigger a system crash (BSOD). The flaw is reported by ASUS and tracked as EUVD-2026-38205; no public exploit identified at time of analysis. CVSS 4.0 base score is 7.1 with high attack complexity and high privileges required, reflecting that exploitation needs an existing administrative foothold.
Denial-of-service and potential out-of-bounds read in the Zephyr RTOS Bluetooth Host ISO receive path allows a malicious or compromised Bluetooth controller to crash devices using CONFIG_BT_ISO_RX by sending malformed HCI ISO packets with undersized SDU headers. The flaw resides in bt_iso_recv() within subsys/bluetooth/host/iso.c, where header bytes are pulled without prior length validation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Use-after-free in libxml2's xmlParseInternalSubset function affects GNOME libxml2 versions 2.9.11 through 2.11.0 and can be triggered remotely by crafted XML containing abusive entity resolution, leading to denial of service of any application that parses untrusted XML with this library. Publicly available exploit code exists (CVSS 4.0 E:P) but the issue is not listed in CISA KEV, indicating proof-of-concept demonstration rather than confirmed active exploitation. The flaw was disclosed by Canonical and tracked in GNOME GitLab work item 1058 and Ubuntu Launchpad bug 2141260.
LDAP injection in OpenAM (Open Identity Platform) versions <= 16.0.6 allows authenticated attackers to inject arbitrary LDAP metacharacters via the `_queryId` parameter on the CREST REST API user/group endpoints, enabling user enumeration and blind LDAP injection. The flaw stems from `IdentityResourceV1.queryCollection()` explicitly setting `escapeQueryId=false`, regressing the escape protection added for CVE-2021-29156. No public exploit identified at time of analysis, but the issue is fixed upstream in release 16.1.1.