Denial of service in Gogs repository and wiki web interfaces allows any authenticated user with write access to permanently break file listing pages by committing a file whose name contains incomplete git pathspec metacharacters. Affected versions are Gogs <= 0.14.2; the web UI for the targeted repository or wiki returns HTTP 500 on every subsequent page load until an administrator removes the malicious file via CLI. Publicly available exploit code exists as documented in the GHSA-3qq3-668m-v9mj advisory with a specific PoC payload; no active exploitation confirmed (not in CISA KEV).
Malformed HTTP Range request handling in libsoup (GNOME's HTTP client/server library, packaged across Red Hat Enterprise Linux 6-10) re-introduces a signed integer underflow originally patched in CVE-2026-2443. A rework commit replaced specific overflow guards with a general signed comparison, meaning a suffix-byte Range request whose length exceeds the resource content size now produces a negative start offset that is passed unclamped to buffer operations, generating malformed HTTP 206 responses and log flooding. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated network vector makes any exposed libsoup HTTP server reachable without credentials.
Stored Cross-Site Scripting in Akaunting 3.1.21 allows a high-privileged authenticated user with report creation or update permissions to persist arbitrary HTML/JavaScript in the description field of the report management workflow. Any user - including administrators - who subsequently views the poisoned report will have the malicious script execute in their browser session, enabling session token theft, credential harvesting, or unauthorized UI actions on behalf of the victim. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the stored nature of the payload amplifies impact over reflected XSS variants in shared-user deployments.
Stored cross-site scripting in Akaunting 3.1.21 allows an authenticated high-privileged user to inject arbitrary HTML and JavaScript into their profile name, which is subsequently rendered unsanitized in the document timeline displayed on invoice and bill detail pages. Any other authenticated user - including administrators - who views those pages will have the malicious script execute in their browser context, enabling session hijacking, credential theft, or unauthorized actions on their behalf. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Stored cross-site scripting in Akaunting 3.1.21 allows an authenticated user with record creation or modification privileges to embed malicious HTML/JavaScript into record name fields (such as Items), which subsequently executes in any other user's browser session when the reusable delete confirmation dialog renders that name unsanitized. The vulnerability is confirmed by Fluid Attacks security research and affects the shared delete confirmation component across multiple record types. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS 4.0 score of 4.8 reflects the authentication barrier and required victim interaction as meaningful limiting factors.
CSV formula injection in @actual-app/cli versions prior to 26.6.0 allows an attacker who can write user-controlled strings into an Actual Budget database to execute arbitrary spreadsheet formulas when the victim exports data using the --format csv flag and opens the resulting file in Excel, LibreOffice Calc, or Google Sheets. The vulnerable `escapeCsv` helper in `packages/cli/src/output.ts` neutralizes only RFC 4180 delimiters and quotes but does not strip formula-trigger prefixes (=, +, -, @, tab, CR), meaning payloads in payee names, account names, categories, notes, or tags survive into the CSV output unchanged. A publicly available proof-of-concept is included in the GHSA-7gh7-258j-4mpq advisory; no CISA KEV listing exists at time of analysis.
Dell Wyse Management Suite (WMS) versions prior to 2605 ships with default credentials, enabling a high-privileged local attacker to authenticate using those credentials and access sensitive information. Reported by Dell under DSA-2026-247, the flaw is classified under CWE-1392 (Use of Default Credentials) and carries a CVSS 3.1 base score of 6.0, reflecting local-only attack surface constrained by the requirement for high privilege. No public exploit code or CISA KEV listing has been identified at time of analysis.
Missing authorization on the GET /secret/:name endpoint in @actual-app/sync-server allows any authenticated non-admin BASIC user in OpenID multi-user deployments to enumerate which admin-managed bank-sync integrations are configured - specifically GoCardless, SimpleFIN, and Pluggy AI credential names. The disclosure is existence-only (HTTP 204 vs 404); actual secret values are not returned. No active exploitation is confirmed (not in CISA KEV), but a working PoC is included in the GHSA advisory, and the attack is trivially scriptable for any valid session holder.
WebSocket session persistence in Mattermost allows authenticated users whose sessions have been globally revoked to bypass that revocation and continue receiving real-time platform events. Affected across four actively maintained release branches (11.7.x, 11.6.x, 11.5.x, 10.11.x), the flaw directly undermines the effectiveness of administrative session revocation - a control relied upon in account-compromise response and offboarding workflows. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV); the EPSS signal is absent from available data, and the vendor-assigned CVSS of 4.3 reflects correctly scoped, medium-severity risk.
Email verification bypass in Paymenter allows authenticated users to retain verified account status after changing their email to an address they do not own or control. The email update function fails to reset the verification column, meaning a user who initially verifies with a legitimate address can subsequently substitute any arbitrary email and keep the verified flag intact. No public exploit has been identified at time of analysis; the vendor-confirmed fix is available in version 1.5.0.
CSV formula injection in Actual Budget's transaction export functions allows an attacker who controls imported transaction data to embed spreadsheet formulas in Payee, Notes, Account, and Category fields, which survive verbatim into exported CSV files. Affected versions of @actual-app/web prior to 26.6.0 pass these fields to csv-stringify at export-to-csv.ts:56 and :131 without any formula-prefix neutralization, meaning strings beginning with =, +, -, @, tab, or carriage return are written raw to disk. When victims or downstream recipients (accountants, tax preparers) open the exported file in Excel, LibreOffice Calc, or Google Sheets, the =HYPERLINK variant silently exfiltrates adjacent transaction data on click with no security prompt, while =WEBSERVICE and =IMPORTXML auto-fire in some configurations; a fully working PoC is documented in GHSA-xqjm-27pc-rvwm and no KEV listing exists at time of analysis.
Incorrect authorization in Mattermost's demote-user API allows a lower-privileged administrator to degrade arbitrary bot accounts to guest status, affecting versions 11.7.0 and 10.11.17 and earlier. The root cause is missing validation of whether the target of a demotion operation is a bot account, meaning an admin who lacks full system privileges can still weaponize the standard API endpoint against bot identities. No public exploit exists and the vulnerability is not listed in CISA KEV; its real-world priority is low given the high-privilege requirement and limited blast radius.
{id}/active endpoint despite lacking the Integrations permission required to manage bots. The server fails to apply bot-specific permission checks at this endpoint, accepting the deactivation request based solely on user management write access. While no public exploit has been identified at time of analysis, successful abuse disrupts any automated workflows or integration pipelines dependent on the targeted bot accounts.
{` placeholder, the third-party `com.Expand()` call in `internal/markup/markup.go` panics due to a negative slice index, making all repository pages that render issue references permanently unavailable until the configuration is corrected. No public exploit beyond the PoC included in the advisory is identified at time of analysis; this is not in CISA KEV.
HTML injection in Canarytokens' Google Chat webhook notifications allows an attacker who triggers a deployed canarytoken to embed limited HTML content - including crafted hyperlinks - inside the resulting alert message rendered in Google Chat. The vulnerable system is Canarytokens itself (Docker tag sha-4aef1db90 through sha-8ab4dccd), but the integrity impact lands on the subsequent system: the Google Chat interface where defenders receive their alerts. A proof of concept exists per CVSS 4.0 supplemental metric E:P; no confirmed active exploitation or CISA KEV listing exists at time of analysis.
Code injection in langflow's Bundle URL Loader component allows local attackers with low privileges to inject and execute arbitrary code within the langflow process across versions 1.9.0 through 1.9.3. A publicly available proof-of-concept demonstrating startup-time RCE via maliciously crafted bundle URLs has been published by the researcher, though the CVSS 4.0 vector (VC:L/VI:L/VA:L) rates impact as low - a discrepancy with the RCE claim in the PoC that warrants independent verification. No vendor-released patch is available; the vendor did not respond to the researcher's disclosure.
Unauthenticated remote code execution in OpenDJ Community Edition through 5.1.0 occurs when the JMX RMI connector deserializes attacker-controlled Java objects before authentication is performed. Any deployment with the JMX Connection Handler enabled (commonly turned on for monitoring integrations) is exposed to pre-auth RCE over TCP, as demonstrated against OpenDJ 4.4.15 on JDK 11 with Jackson 2.12.6.1. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Authentication bypass in motionEye versions prior to 0.44.0 allows remote attackers to impersonate any user, including the administrator, by setting the client-controlled cookies meye_password_hash and meye_username without ever knowing the plaintext password. The server treats these attacker-controlled values as sufficient authentication material, and because the admin hash is stored in a world-readable file (/etc/motioneye/motion.conf), any local shell user can trivially escalate to admin via the web UI. Publicly available exploit code exists in the GitHub Security Advisory GHSA-r3cw-c95m-wfh9, but there is no public exploit identified beyond the PoC and the issue is not in CISA KEV.
Reflected XSS in OpenAM's SAML2 federation library (openam-federation-library versions prior to 16.1.1) allows unauthenticated remote attackers to inject arbitrary JavaScript into the OpenAM origin via the Cookie-Hash-Redirect path, exploiting inconsistent output encoding in the FSUtils.postToTarget method. The attack surface is limited to deployments using a non-default clustered configuration; standard single-node deployments are not affected. A vendor-released patch (16.1.1) is available, and no public exploit has been identified at time of analysis.
Denial of service in Inspektor Gadget's USDT note parser (pkg/uprobetracer/usdt.go) allows an unprivileged container process to crash or OOM-kill the privileged IG host process by placing a crafted ELF binary at a path targeted by a custom USDT gadget. Two distinct attack vectors exist: a panic from out-of-bounds slice access when DescSize is artificially small, and unbounded memory allocation (~4 GiB) when NameSize or DescSize is set to 0xFFFFFFFF. No public exploit identified at time of analysis; critically, no gadget shipped by the Inspektor Gadget project uses USDT probes, so only deployments running operator-developed custom USDT gadgets are exposed.
Server-Side Request Forgery in OpenAM's /sessionservice endpoint allows authenticated attackers to register arbitrary URLs for session event notifications, causing the IAM server to make outbound HTTP requests to attacker-controlled destinations. Affected versions are org.openidentityplatform.openam:openam-core up to and including 16.0.6; the flaw was patched in release 16.1.1. No public exploit code or CISA KEV listing has been identified at time of analysis, but the authentication barrier is low (any valid session), and deployment context - a central enterprise authentication gateway - elevates the downstream risk of internal network reconnaissance or session data exfiltration.
LDAP injection in OpenAM (Open Identity Platform) versions <= 16.0.6 allows authenticated attackers to inject arbitrary LDAP metacharacters via the `_queryId` parameter on the CREST REST API user/group endpoints, enabling user enumeration and blind LDAP injection. The flaw stems from `IdentityResourceV1.queryCollection()` explicitly setting `escapeQueryId=false`, regressing the escape protection added for CVE-2021-29156. No public exploit identified at time of analysis, but the issue is fixed upstream in release 16.1.1.