Missing permission checks in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allow any authenticated user holding the minimal Overall/Read Jenkins role to trigger outbound connections from the Jenkins controller to an attacker-specified URL using credential IDs sourced through a secondary method. This creates an SSRF-like primitive enabling internal network probing and credential ID validation without administrative access. No public exploit code has been identified at time of analysis, and SSVC confirms current exploitation status as none.
Unauthenticated information disclosure in the Devs Accounting WordPress plugin (all versions through 1.2.0) exposes private financial account records to any internet-connected attacker. The REST API endpoint /devs-accounting/v1/get-account/<id> was registered with a permission_callback that unconditionally returns true, entirely bypassing WordPress authorization. By sequentially enumerating integer account IDs, an unauthenticated attacker can harvest account names, bank names, and opening balances for every financial account stored in the plugin. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the trivial attack complexity makes opportunistic automation highly likely.
Open redirect in Mailerup's click-tracking endpoint allows remote unauthenticated attackers to redirect victims to arbitrary external domains by supplying a crafted `u` query parameter to `/c/<token>/`. The `_safe_redirect` function blocks only `javascript:` and `data:` schemes without restricting the destination host, and silently swallows `signing.BadSignature` exceptions - making token validation entirely bypassable. No CISA KEV listing or public exploit code has been identified; exploitation requires victim interaction but no attacker authentication against the Mailerup instance.
Unauthenticated mass PII harvesting is possible on any WordPress site running the WhatsOrder - Instant Checkout for WooCommerce plugin (all versions through 1.0.1) because the plugin writes customer invoice HTML files to a publicly accessible directory with no access restrictions. The `yapacdev_generate_order_pdf` function deposits invoices under `wp-content/uploads/whatsorder_invoices/` without generating an `.htaccess` deny rule or `index.php` guard, and because WooCommerce uses predictable sequential order IDs, any remote attacker can enumerate and download every customer invoice with no authentication. Exposed data includes full name, email, phone number, billing address, itemized order contents with pricing, applied coupon codes, shipping method, and order total. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Unauthenticated remote attackers can disconnect any WordPress site running the Secufor_OAuth plugin from its linked Secufor identity account by triggering an unprotected action handler that clears the stored OAuth token and login configuration. All plugin versions through 1.0.7 are affected, confirmed by Wordfence and traceable to specific lines in the plugin source. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, though the trivially low attack complexity (AV:N/AC:L/PR:N) means exploitation requires only an HTTP request.
Unauthenticated data deletion in the Advanced Contact Form 7 - Compact DB WordPress plugin (versions up to and including 1.0.0) allows any remote attacker to permanently destroy all stored contact form submissions. The root cause is registration of the deletion handler against the `wp_ajax_nopriv_cf7cdb_delete` hook, which WordPress exposes to unauthenticated users, combined with a complete absence of nonce verification, capability checks, and ownership validation before invoking `$wpdb->delete()`. No public exploit or CISA KEV listing has been identified at time of analysis, but exploitation is trivially automatable due to sequential integer primary keys and no authentication barrier.
Authorization bypass in the RentMy Real-Time Rental Management Plugin for WordPress exposes full CRUD control over rental event records and location configuration to unauthenticated remote attackers, affecting all versions through 4.0.4.1. The root cause is missing authorization checks in the plugin's AJAX handler class (class-rentmy-ajax.php), allowing any unauthenticated visitor to invoke privileged actions via WordPress's standard AJAX endpoint. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the zero-barrier entry point - unauthenticated, network-accessible, low complexity - means any exposed deployment is immediately at risk without requiring attacker sophistication.
Unauthenticated token manipulation in the SearchPlus WordPress plugin (versions up to and including 1.7.1) allows any remote visitor to overwrite or delete the plugin's stored API credentials by invoking two unprotected AJAX callbacks. Both searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() are registered via wp_ajax_nopriv_ hooks and lack both capability checks and nonce validation, making them freely accessible without authentication. No public exploit or active exploitation has been identified at time of analysis, and real-world impact is limited to disruption of the plugin's search functionality or substitution of attacker-controlled account tokens.
{id}' without a permission_callback, which causes WordPress core to expose it publicly with no credential check whatsoever. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis, though the trivial attack mechanics require no specialized tooling.
Server-side request forgery in Appsmith prior to version 2.1 allows authenticated users to reach loopback-bound services inside the deployment container by exploiting a split code path in host validation logic. The WebClientUtils component used by REST API and GraphQL datasource plugins enforces only an exact-match string denylist, while the comprehensive address-class check covering loopback, any-local, link-local, and fc00::/7 IPv6 ranges exists solely on the SMTP plugin code path - leaving the HTTP path bypassable. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Filter validation bypass in Ghost CMS public API endpoints exposes private fields - including password hashes - to unauthenticated remote attackers via repeated brute-force probing. Instances running SQLite are most severely impacted: full password hashes are recoverable, enabling offline cracking. MySQL-backed instances leak structurally degraded hashes (case information lost), which the vendor assesses would render subsequent cracking attempts fruitless. No public exploit code exists and the vulnerability is not in CISA KEV at time of analysis, but the unauthenticated, network-accessible nature of the flaw lowers the bar for opportunistic discovery.
SQL injection in n8n's MySQL, PostgreSQL, and Microsoft SQL database integration nodes (all versions before 2.4.0) allows authenticated users with workflow creation permissions to execute arbitrary SQL commands against connected databases by supplying crafted identifier values - table or column names - in node configuration parameters. The nodes failed to escape SQL identifiers when constructing queries, bypassing the safety guarantees users expected from parameterized inputs and enabling injection that directly impacts downstream database confidentiality and integrity. Reported by the NATO Cyber Security Centre; vendor-released patch is confirmed in n8n 2.4.0, with no public exploit code or CISA KEV listing identified at time of analysis.
Ghost CMS versions 5.18.0 through 6.21.1 expose registered member email addresses to unauthenticated enumeration via observable discrepancies in the members signin endpoint responses. Any Ghost site with the members feature active is affected, allowing an attacker to silently probe whether arbitrary email addresses belong to site subscribers. No public exploit or active exploitation (CISA KEV) has been identified; vendor patch is available in 6.21.1.
Uninitialized GPU memory use in Google Chrome on Android before 149.0.7827.197 exposes process memory contents to remote attackers without requiring authentication. An attacker who induces a user to load a crafted HTML page can read potentially sensitive data from Chrome's GPU process memory, consistent with the High confidentiality impact assigned in the CVSS vector. No public exploit code exists at time of analysis, and CISA's SSVC framework classifies exploitation as none and not automatable with only partial technical impact - indicating this is a patch-cycle priority rather than an emergency response item.
Uninitialized GPU memory use in Google Chrome prior to 149.0.7827.197 enables a second-stage attacker who has already compromised the renderer process to read sensitive data from GPU process memory via a crafted HTML page. Classified as CWE-457 (Use of Uninitialized Variable), the flaw creates an information disclosure path within Chrome's multi-process architecture. No public exploit exists, CISA has not listed this in KEV, and SSVC rates exploitation as none - but the C:H confidentiality impact rating reflects meaningful data exposure if an attacker successfully chains this with a renderer exploit.
Authorization bypass in Capgo (cap-go before 12.128.2) allows holders of org-limited API keys to read membership data from organizations outside their assigned scope by calling the GET /organization/members endpoint without proper enforcement of limited_to_orgs restrictions. Exposed fields include uid, email, image_url, role, and is_tmp - sufficient to enumerate organization membership and email addresses across tenants. No public exploit identified at time of analysis; CVSS 4.0 scores this at 5.3 reflecting a low-privilege, network-accessible attack with limited confidentiality impact.
HTML injection in Hono's JSX server-side rendering engine (versions before 4.12.14) allows network-accessible attackers to corrupt rendered HTML output by supplying malformed attribute names containing characters such as quotes or angle brackets. Applications that pass untrusted external input - query parameters, form data, or other user-controlled values - directly as JSX attribute keys during SSR are affected. No active exploitation has been confirmed and no public exploit code has been identified at time of analysis; however, successful exploitation against vulnerable application patterns can escalate to cross-site scripting if the injected HTML includes event handlers processed by the victim's browser.
Linked-Data Signature normalization in Mastodon's ActivityPub federation layer permits activity spoofing against servers running versions prior to 4.5.10, 4.4.17, and 4.3.23. An attacker can take a legitimately signed JSON-LD activity from a real third-party actor, re-arrange its structure, and relay it to a target Mastodon instance where it passes signature validation but is interpreted with altered semantic meaning. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, though the integrity impact on federated social graph trust is meaningful for operators of public-facing instances.
Signature bypass in Mastodon's ActivityPub federation layer allows remote unauthenticated attackers to falsely attribute article authorship by manipulating the `toot:attributionDomains` property of signed Update activities. Affected are all Mastodon instances running versions 4.3.0 through 4.5.10 or 4.4.x through 4.4.17, where a JSON-LD definition error renders Linked Data Signatures on this specific property non-binding. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity (CVSS AV:N/AC:L/PR:N) and the federated, internet-exposed nature of the protocol make exploitation straightforward for any actor able to send ActivityPub messages.
Server-side request forgery and internal network enumeration in Appsmith (prior to 1.99) is enabled by the POST /api/v1/admin/send-test-email endpoint accepting attacker-controlled smtpHost and smtpPort values, which JavaMail uses to establish raw TCP connections without IP address validation - completely bypassing the application's existing WebClientUtils.IP_CHECK_FILTER. Verbatim MailException error messages are returned in API responses, enabling authenticated administrators (or attackers who have compromised admin credentials) to probe internal network topology, enumerate open ports, and harvest service banners. No public exploit identified at time of analysis; the vulnerability is fixed in version 1.99.
Stored XSS in n8n's Form Trigger node allows any authenticated low-privilege user with workflow creation rights to inject persistent malicious scripts that execute for every visitor of a published form. Affects n8n 1.x before 1.123.25 and 2.x from 2.0.0-rc.0 before 2.11.2. No public exploit or active exploitation identified at time of analysis; the CVSS 4.0 score of 5.1 reflects partial CSP mitigation blocking session cookie theft while still permitting form hijacking and phishing against unlimited downstream victims.
Reflected Cross-Site Scripting in Frappe Framework 17.0.0-dev's dashboard-view component allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted URL. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A) confirms no authentication is required from the attacker, though victim interaction is mandatory. Impact is confined to the subsequent system (victim browser session), with low integrity and confidentiality consequences; no active exploitation or public POC has been identified at time of analysis.
Jenkins Git client Plugin 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into a generated SSH wrapper script, allowing attackers able to control the name of a build's working directory to execute arbitrary operating system commands on the agent.
Out-of-bounds read in ImageMagick's ConnectedComponentsImage() function allows local attackers to trigger access violations by supplying malformed connected-components artifact definitions via the CLI, leading to denial of service or potential arbitrary code execution. All ImageMagick releases before 7.1.2-19 are affected, as are Magick.NET NuGet packages before 14.12.0. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the RCE and information-disclosure tags warrant attention in environments that process untrusted image inputs through automated pipelines.
Jenkins Bitbucket Push and Pull Request Plugin versions 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for all outbound Bearer token authenticated requests to configured Bitbucket Server endpoints, creating a man-in-the-middle exposure. Any attacker positioned to intercept network traffic on the path between the Jenkins controller and the Bitbucket Server can capture the Bearer token and subsequently authenticate directly to the Bitbucket Server API. No public exploit is identified at time of analysis, and SSVC rates exploitation as none with partial technical impact; however, the token capture risk is non-trivial for deployments routing Jenkins traffic over untrusted or shared network segments.
Stored XSS in Frappe Framework 17.0.0-dev allows authenticated low-privileged users to inject persistent malicious scripts via the frappe.ui.Tree component, which then execute in the browsers of other users who load the affected tree view. Reported by Fluid Attacks, this vulnerability carries a CVSS 4.0 score of 4.8 reflecting cross-user scope change impact despite limited direct system compromise. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persistent JavaScript payloads via the Notifications > Events panel, which execute in the browser context of any user who subsequently views that panel. The CVSS 4.0 vector confirms subsequent-system scope impact (SC:L/SI:L), meaning the attack targets other users rather than the attacker's own session. No public exploit has been identified and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
Stored XSS in Frappe Framework 17.0.0-dev's MultiSelectDialog component allows authenticated low-privileged attackers to inject persistent malicious scripts that execute in other users' browsers when the compromised UI element is rendered. Per the CVSS 4.0 vector (PR:L/UI:A/SC:L/SI:L), exploitation requires a valid low-privilege account and active victim interaction, but the scope change to the subsequent system confirms cross-user impact on confidentiality and integrity. No public exploit code and no CISA KEV listing exist at time of analysis; the 17.0.0-dev designation suggests exposure may currently be limited to pre-release or development deployments.
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persistent malicious scripts via the Desk desktop icon renderer, which then execute in the browsers of other users - including administrators - who subsequently view the affected Desk interface. The vulnerability was reported by Fluid Attacks and carries a CVSS 4.0 score of 4.8 (Medium), reflecting cross-user impact limited to the subsequent-system scope (SC:L/SI:L). No public exploit code or active exploitation has been identified at time of analysis.
NULL pointer dereference in the Linux kernel ICE (Intel Ethernet Controller) driver allows a local low-privileged attacker to trigger a kernel panic via a race condition during TX timestamp ring teardown. The flaw exists in systems using Intel ICE-series NICs with TX timestamping configured, where concurrent execution of ice_free_tx_tstamp_ring() and ice_tx_map() across CPU cores can cause CPU B to dereference a pointer that CPU A has already set to NULL. No public exploit or active exploitation has been identified; EPSS is 0.15% (5th percentile), consistent with its local, timing-dependent nature.
Site isolation bypass in Google Chrome's Passwords implementation allows a remote attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.197 on desktop platforms. Google has confirmed this as a High severity Chromium issue; no public exploit code or active exploitation has been identified at time of analysis, and CISA SSVC categorizes exploitation status as none.
Infinite-loop denial of service in the Zephyr RTOS PL011 UART driver (v4.1.0-v4.4.0) permanently stalls any thread that calls uart_irq_tx_enable() - including the Bluetooth HCI H4 send path - when CTS hardware flow control is enabled and the wired peer withholds CTS during transmission. The root cause is a software workaround loop (CWE-835) that compensates for the PL011 controller's level-transition TX interrupt behavior but never exits when pl011_fifo_fill() returns 0 due to a blocked CTS line. No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog; exploitation requires physical or hardware-adjacent control of the UART CTS pin, materially constraining real-world risk.
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows a high-privileged authenticated user to inject persistent malicious scripts into the Number Card dashboard component, which then execute in the browsers of other users who view the affected dashboard. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation requires admin-level access to plant the payload and a victim's browser interaction to trigger it, limiting realistic blast radius despite the network delivery vector. No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored XSS in Frappe Framework version 17.0.0-dev allows a high-privileged authenticated user to inject malicious JavaScript through the Number Card dashboard component, which subsequently executes in other authenticated users' browser sessions when they view affected dashboards. The CVSS 4.0 score of 4.6 (Medium) reflects the dual constraint of requiring high-privilege credentials to plant the payload and active victim interaction to trigger it - both of which meaningfully limit real-world exploitability. No public exploit code or CISA KEV listing is identified at time of analysis; this was reported by Fluid Attacks.
Cross-site scripting in Frappe Framework 17.0.0-dev allows a high-privileged attacker who can modify the Form Dashboard headline to inject malicious JavaScript that executes in the browsers of other users who subsequently view the affected form. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation is gated behind two significant barriers: attacker must hold high-privilege application credentials and a victim must actively navigate to the injected form. No public exploit code and no active exploitation (CISA KEV) have been identified at the time of analysis; this was reported by Fluid Attacks.
Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged attacker to inject persistent malicious scripts into the File View breadcrumb renderer, which then execute in the browsers of other users who navigate to the affected view. The CVSS 4.0 vector (PR:H, UI:A, SC:L/SI:L) confirms that while network delivery is possible, exploitation is constrained by the need for elevated access to inject the payload and victim interaction to trigger it, with impact limited to the subsequent system (victim browser). No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored XSS in Frappe Framework 17.0.0-dev allows high-privileged authenticated attackers to inject persistent malicious scripts via the `frappe.get_avatar` function, which execute in victims' browsers when the crafted content is rendered. The CVSS 4.0 score of 4.6 (Medium) reflects the PR:H requirement to store the payload and UI:A requirement for victim interaction, with impact limited to subsequent systems (other users' sessions). No public exploit or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated attacker with write access to the Auto Repeat module to inject persistent HTML/JavaScript into the reference_document field via a whitelisted write path, bypassing server-side input controls. When any user opens the affected Auto Repeat form, the injected payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized UI manipulation on behalf of the victim. No public exploit code or confirmed active exploitation (CISA KEV) has been identified at time of analysis; however, the stored (persistent) nature of this XSS makes it more dangerous than reflected variants within shared Frappe deployments.
Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged authenticated attacker to inject persistent malicious scripts into the Audit Trail component, which then execute in the browsers of other privileged users who view that trail. The vulnerability arises from improper input neutralization (CWE-79) before HTML rendering in the audit logging subsystem, and is assigned a CVSS 4.0 score of 4.6 reflecting the high-privilege prerequisite and required victim interaction. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis.
Stored XSS in Rocket.Chat's Gazzodown Markdown renderer allows authenticated users to inject javascript: protocol URIs into image elements that execute arbitrary JavaScript in a victim's browser session upon click. The ImageElement component in versions prior to 8.5.0 omits the sanitizeUrl() guard applied by the analogous LinkSpan component, creating an inconsistency that bypasses javascript:, data:, and vbscript: protocol blocking. No public exploit has been identified at time of analysis; exploitation is constrained to legacy browsers and requires victim interaction, reflected in the official CVSS score of 4.4 Medium.
Authorization bypass in the Reviews and Rating - Docplanner WordPress plugin (versions ≤ 1.1.4) allows any authenticated subscriber-level user to invoke privileged plugin actions without proper capability checks. Exploitation enables two distinct abuse paths: triggering server-side outbound scraping of attacker-controlled or arbitrary external URLs with results written to the wp_dp_reviews database table, and dispatching feature-request emails impersonating the site administrator's address. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Terminal lifecycle hook spoofing in Warp versions prior to 0.2026.05.06.15.42.stable_01 allows an attacker who controls terminal output viewed by a victim to inject unauthenticated shell integration hooks into the PTY stream, causing Warp to accept falsified session metadata - including spoofed current working directory and SSH session transport parameters. Exploitation requires user interaction (the victim must view attacker-controlled terminal content in Warp), and no public exploit code has been identified at time of analysis. The CVSS-assigned availability impact (A:L) and absence of integrity impact (I:N) appear inconsistent with the described spoofing behavior; session state falsification is the primary operational concern for affected users.
Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps.
Authorization bypass in the Generate Security.txt WordPress plugin (all versions through 1.0.12) allows authenticated attackers with subscriber-level access to delete the site's security.txt file or create the .well-known directory by invoking unprotected AJAX actions directly. The root cause is a failure to verify user capabilities before executing the delete_securitytxt and create_wellknown_folder AJAX handlers, a classic CWE-862 (Missing Authorization) pattern reported by Wordfence. No public exploit or CISA KEV listing has been identified at time of analysis, and with a CVSS score of 4.3 and limited integrity impact, this is a low-urgency but straightforward-to-exploit flaw for any authenticated WordPress user.
Unauthorized settings deletion in the Assistio WordPress plugin (versions ≤ 1.1.2) allows any authenticated Subscriber-level user to invoke the assistio_plugin_delete_assistio_settings() function and wipe critical plugin options, including the 'assistiobot_oauth_settings' OAuth token, breaking the site's Assistio bot integration. The function lacks both WordPress capability verification and nonce validation - two standard WordPress security controls - meaning the authorization boundary is entirely absent. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the CVSS score of 4.3 accurately reflects the limited but real integrity impact against low-privilege authenticated attackers.
Path traversal in AnythingLLM's document folder listing endpoint on Windows allows authenticated low-privilege users to enumerate directories outside the intended documents directory. The root cause is a platform-specific gap in the shared path containment helper: it correctly rejects POSIX-style '../' sequences but fails to reject Windows-style parent path segments produced by Node.js path.relative(), such as bare '..'. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, consistent with the Medium CVSS score of 4.3 and the authentication requirement.
Authorization bypass in the Advance Nav Menu Manager WordPress plugin (all versions through 1.3) permits any authenticated subscriber-level user to manipulate site navigation menus without authorization. The plugin invokes wp_insert_post() for nav_menu_item operations - duplicate, copy, move, and publish - without enforcing capability checks, allowing low-privilege users to alter navigation structure at will. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, the low barrier to exploitation (any registered subscriber account) makes it a meaningful risk on sites with open or compromised user registration.
Unauthorized token overwrite in the 24liveblog WordPress plugin (versions ≤ 2.2) enables any authenticated user with author-level access or above to hijack the site's 24liveblog service integration. The AJAX handler update_lb24_token() validates only a nonce that is automatically distributed to all block-editor-capable users, but performs no capability check and does not verify that the supplied user_id matches the requester - allowing an author-level attacker to overwrite lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname meta fields for any account including administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, and CVSS rates this as medium-low (4.3), consistent with the authenticated-only, integrity-limited impact.
Authenticated information disclosure in the 24liveblog WordPress plugin (versions ≤ 2.2) exposes third-party API credentials - including OAuth access tokens, refresh tokens, account UIDs, and usernames - to any contributor-level WordPress user who opens the block editor. The plugin's lb24_block_enqueue_scripts() function, hooked to enqueue_block_editor_assets, retrieves administrator-configured integration secrets from the WordPress options table and renders them into the page as a JavaScript global object (lb24BlockData) for all non-administrator users, where they are readable via basic browser source inspection. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, but exploitation is trivially simple for any user holding a WordPress contributor account.
A missing permission check in Jenkins Git Parameter Plugin 462.vdcf3df2ed2ca_ and earlier allows attackers with Item/Read permission to obtain information about the SCM repository used by a job, such as branch names, tag names, and revision metadata.