Privilege escalation in Keycloak (Red Hat Build of Keycloak) lets an authenticated delegated admin with management rights over a single low-privilege group hijack the entire realm. A missing authorization check in the Admin REST API's GroupResource.addChild() endpoint allows reparenting an arbitrary group; when Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker can move a privileged group (e.g., one holding realm-admin) under a group they control, inheriting management and password-reset rights over its members. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the resulting full realm takeover makes it a serious escalation primitive in environments that delegate group administration.
SQL injection in the open-source Grocery Store Management System (PHP/MySQL, v1.0 by anirudhkannanvp) lets attackers read arbitrary database contents by injecting a crafted SQL payload through the unsanitized 'scost' parameter of /grocery/search_products.php. The flaw (CWE-89) carries a CVSS of 7.7 and exposes credentials, customer records, and other sensitive data; publicly available exploit code exists in a dedicated GitHub repository, though it is not listed in CISA KEV and its EPSS exploitation probability is low (0.24%, 16th percentile).
Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required.
Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required.
Arbitrary file deletion in the JS Help Desk (JS Support Ticket) WordPress plugin versions 3.1.1 and earlier lets a low-privileged authenticated user (Subscriber, PR:L) delete arbitrary files on the server via path traversal. Because the scope is changed (S:C) and impact is availability-only (A:H), an attacker can remove critical files such as wp-config.php to trigger denial of service or force WordPress into a reinstall/setup state. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; it was disclosed through Patchstack.
Detection bypass in picklescan through version 0.0.26 lets attackers smuggle malicious pickle payloads past the scanner by invoking idlelib.pyshell.ModifiedInterpreter.runcode from a __reduce__ method, which picklescan does not blocklist. Because organizations rely on picklescan to vet PyTorch models and serialized Python objects, a payload it marks 'safe' still achieves arbitrary command execution the moment the victim calls pickle.load(), enabling ML supply-chain attacks. Publicly available exploit code exists (GHSA-3gf5-cxq9-w223 ships a working PoC); the CVE is not in CISA KEV and EPSS data was not provided, so active exploitation is unconfirmed.
Information disclosure in GitLab Enterprise Edition 19.1 (before 19.1.1) lets a user retrieve sensitive data previously committed to a project because Duo Workflows fails to adequately filter its output under certain conditions. The flaw exposes confidential repository content through GitLab's AI workflow feature without altering or destroying data. No public exploit is identified at time of analysis and CISA SSVC rates exploitation as 'none', though EPSS sits at a modest 0.33% (25th percentile).
Unauthenticated SQL injection in the Tourfic WordPress travel-booking plugin (versions through 2.22.7) lets remote attackers read arbitrary database contents via the 'post_id' parameter of the tf_room_availability AJAX action. Because the action is registered for logged-out users (wp_ajax_nopriv) and the required nonce is publicly emitted on single-hotel pages, no authentication is needed in practice. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SQL injection in the Dokan Pro WordPress multivendor marketplace plugin (all versions ≤ 5.0.4) lets unauthenticated remote attackers inject SQL through the 'latitude' and 'longitude' request parameters, enabling extraction of arbitrary database contents such as user credentials, API keys, and order data. The flaw is time-based (blind) and requires no authentication or user interaction, but no public exploit code or active exploitation has been identified at time of analysis. No EPSS or CISA KEV signal was provided in the source data.
Remote denial of service in the Zephyr RTOS IPv6 network stack lets unauthenticated attackers permanently halt packet reception by sending a small number of crafted fragmented IPv6 packets. Each malicious fragment leaks its RX network buffer (CWE-772) instead of returning it to the memory slab, so a handful of packets exhausts the fixed RX buffer pool and the device stops receiving all traffic until reboot. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 7.5 (A:H only) reflects high availability impact with no confidentiality or integrity exposure.
Missing authorization in the CheckView Automated Testing WordPress plugin (versions 2.1.0 and earlier) lets remote unauthenticated attackers reach functionality that should be access-controlled, enabling unauthorized modification of site data or test/automation state. The CVSS 3.1 vector (7.5, AV:N/AC:L/PR:N/UI:N) reflects a network-reachable, no-interaction flaw with high integrity impact but no confidentiality or availability loss. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Missing authorization in the Five Star Restaurant Reservations WordPress plugin (version 2.7.19 and earlier) lets remote unauthenticated attackers invoke protected plugin functionality and modify data without holding any account, per the CVSS PR:N vector. The flaw is a broken access control / missing capability check (CWE-862) reported by Patchstack, with a CVSS 3.1 base score of 7.5 driven entirely by integrity impact (C:N/I:H/A:N). No public exploit code or active exploitation has been identified at time of analysis.
Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the MSIAPService.exe component
Broken access control in the MainWP Child WordPress plugin (versions 6.1.1 and earlier) allows remote attackers to invoke privileged actions without proper authorization checks (CWE-862). Because the flaw is reachable without authentication (PR:N) it can be triggered by external attackers, though exploitation depends on tricking a user into an action (UI:R) and on overcoming non-trivial conditions (AC:H). There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Information disclosure in MSI NBFoundation Service v2.0.2506.1201 lets remote attackers read sensitive data exposed through the named pipe MSI_SERVICE_2, which is configured with overly permissive access controls. The flaw scores CVSS 7.5 (high) for confidentiality-only impact with no authentication required; publicly available exploit code exists in a GitHub proof-of-concept, though there is no evidence of active exploitation and the EPSS probability is low (0.22%, 13th percentile).
Use after free in AdFilter in Google Chrome on Android prior to 149.0.7827.201 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Denial of service in the Linux kernel's Hyper-V netvsc network driver (hv_netvsc) allows a system crash when transmitting packets whose skb fragments reference high memory. On 32-bit x86 builds with CONFIG_HIGHMEM=y, netvsc_copy_to_send_buf() calls phys_to_virt() on fragment PFNs that may live above the LOWMEM boundary, producing an address outside the kernel direct map; the following memcpy() faults fatally on the transmit softirq path. No public exploit has been identified, the EPSS probability is low (0.18%), and the issue is not in CISA KEV.
Remote denial of service in the Linux kernel's UDP receive path affects systems where a UDP socket is placed in a BPF sockmap with an attached SK_SKB verdict program. Because skb->dev is repurposed as dev_scratch on the UDP path and never cleared before the verdict program runs, a verdict program that calls a socket-lookup helper (bpf_sk_lookup_tcp/udp, bpf_skc_lookup_tcp) causes dev_net() to dereference a stale integer as a net_device pointer, triggering a general protection fault on a non-canonical address in softirq. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and the flaw is fixed; impact is availability only (kernel crash), not the 'Information Disclosure' the input tags suggest.
Resource exhaustion in the Linux kernel's MPTCP (Multipath TCP) subsystem lets a remote peer drive incoming traffic past the receiver's configured rcvbuf size by breaking receive-window accounting. The defect arises because the TCP-level receive window is prevented from shrinking while the MPTCP-level window is independently constrained, so when data is acked at the TCP level but is out-of-order in MPTCP sequence space (or backlogged), the advertised MPTCP window is artificially inflated. EPSS is low (0.18%, 8th percentile), there is no public exploit identified at time of analysis and no KEV listing; the issue is corrected upstream and carries availability impact (CVSS A:H) despite a source 'Information Disclosure' tag.
Denial of service in the Linux kernel's iomap buffered I/O layer allows a NULL pointer dereference (kernel oops/panic) when a buffered read fails on a folio split across multiple read completions. Because iomap_finish_folio_read() decremented read_bytes_pending before calling fserror_report_io(), a concurrent final read completion plus a truncate could detach the folio (folio->mapping = NULL) before the error path dereferenced it. CVSS 7.5 reflects availability-only impact (A:H); EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis.
Remote denial-of-service in the Linux kernel networking stack (GRO path) lets attackers crash a host by triggering a reachable kernel BUG_ON() panic. The flaw lives in skb_gro_receive_list(), which calls skb_pull() without a preceding pskb_may_pull() guard; when frames arrive via napi_gro_frags() with all data in page fragments (skb_headlen == 0) and a non-zero GRO offset, the pull makes skb->len drop below skb->data_len and hits BUG_ON(skb->len < skb->data_len). It affects kernels from 6.10 up to the fixed stable releases, carries CVSS 7.5 (availability-only), has a low EPSS of 0.18% (7th percentile), is not in CISA KEV, and has no public exploit identified at time of analysis.
Resource exhaustion (DMA mapping and xdp_frame leak) in the Linux kernel's mlx5e driver affects systems using AF_XDP (XSK) zero-copy sockets on NVIDIA/Mellanox ConnectX NICs. In the XSK path of mlx5e_xmit_xdp_buff(), an XDP_TX transmit failure (e.g. a full XDP send queue) returns without unmapping the DMA address or freeing the converted xdp_frame, slowly leaking kernel memory and DMA mappings until availability degrades. No public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and the issue is not in CISA KEV, so real-world risk is gradual leakage under heavy XSK workloads rather than direct remote compromise.
Denial of service in the Linux kernel timer migration subsystem allows the global timer hierarchy to enter an indefinite livelock, hanging the affected CPU. The flaw is in tmigr_handle_remote_up(), where tmigr_handle_remote_cpu() skipped timer_expire_remote() for the local CPU on the assumption that the softirq path already serviced its timers; when jiffies advance between local timer processing and remote evaluation, a newly expired timer is never run and is re-queued with expires==now, spinning the goto-again loop forever. The CVSS 3.1 base score is 7.5 (availability only) but EPSS is just 0.18% (7th percentile), there is no public exploit identified at time of analysis, and the issue is not in CISA KEV.
Denial of service in the Linux kernel's NFSD server affects systems that export filesystems implementing the VFS ->atomic_create operation. A mismatch between the dentry_create() error-handling contract and the newer start_creating()/end_creating() locking pattern means that when ->atomic_create returns an error, nfsd4_create_file() passes an error pointer to end_creating() and never unlocks the parent directory inode, leaving the lock permanently held. This is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and it is not in CISA KEV, but the held lock can stall NFS service for all clients.
The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.
The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size.
Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the 3DES-ECB encryption
Remote unauthenticated denial of service in Sigstore Rekor (>= 0.3.0, < 1.5.2) allows attackers to crash the transparency log server via a gzip decompression bomb in its Alpine APK parsing path. The Package.Unmarshal() function decompresses the signature and control gzip members of a submitted APK into memory without bounding total decompressed size, so a ~1000:1 compression ratio payload (e.g. 2MB compressed to 2GB) exhausts heap and triggers a fatal Go runtime OOM or OS OOM-kill that the recover() middleware cannot catch. No public exploit identified at time of analysis; it is not in CISA KEV, and the impact is availability-only (no confidentiality or integrity loss).
Unauthenticated authentication bypass in OpenAM Community Edition (Open Identity Platform fork) through version 16.0.6 lets a network attacker spoof a RADIUS Access-Accept response and obtain a valid OpenAM session for any RADIUS-mapped username, without knowing the shared secret. The flaw stems from the RADIUS client accepting the first inbound UDP datagram as authoritative while skipping source, identifier, and Response Authenticator checks, making it materially easier to exploit than BlastRADIUS (CVE-2024-3596) since no MD5 chosen-prefix forgery is needed. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the fix is confirmed in version 16.1.1.
List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function. pairwise() collects the values returned by the block into a heap buffer sized to the longer input array, then grows the buffer before each copy with a single quadrupling (alloc <<= 2) instead of a loop. A block call that returns more than four times the current allocation in one invocation outgrows that one quadrupling, and the copy writes past the end of the buffer. Any caller of pairwise() whose block returns, for a single pair, more than four times the longer input array's length writes past the buffer and corrupts the heap.
Blind SQL injection in the WP Photo Album Plus WordPress plugin (all versions up to and including 9.1.13.005) lets remote attackers inject crafted SQL into a database query, enabling extraction of sensitive data such as user credentials and WordPress secrets. The flaw, reported by Patchstack, is reachable over the network without authentication (CVSS:3.1 PR:N) but carries high attack complexity (AC:H), and there is no public exploit identified at time of analysis. No EPSS score or CISA KEV listing was provided in the source data.
Cache poisoning in PowerDNS Recursor allows a malicious or compromised authoritative DNS server to inject forged records by returning a crafted zone that the resolver ingests through its ZoneToCache feature. Because the poisoned data lands in the shared recursor cache, all downstream clients can be served attacker-controlled answers, enabling traffic redirection and spoofing. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 7.5 (high) rating reflects high integrity impact with a scope change but high attack complexity.
Unauthenticated sensitive data exposure in the Vitepos WordPress plugin (versions 3.4.2 and earlier) lets remote attackers read sensitive information without any authentication. The flaw is reported by Patchstack and classified as CWE-201 (information exposure through sent data), with a CVSS 3.1 base score of 7.5 driven entirely by a high confidentiality impact. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Unauthorized data modification in the Motors car dealership and classified listings plugin for WordPress (versions <= 1.4.109) lets remote unauthenticated attackers invoke privileged actions they should not reach, due to a missing authorization check (CWE-862). The CVSS 3.1 vector (AV:N/PR:N/UI:N) confirms no authentication and no user interaction are required, with a high integrity impact but no confidentiality or availability impact. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Server-side request forgery in Red Hat Build of Apicurio Registry 3 allows a Developer-role user to coerce the registry server into issuing HTTP requests to arbitrary internal URLs. The flaw stems from the WSDLReaderAccessor instantiating a wsdl4j WSDLReader with the javax.wsdl.importDocuments feature left enabled, so a crafted WSDL artifact with attacker-controlled import locations is fetched when content validation runs at FULL strictness. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; CVSS is 7.4 (scope-changed) and exploitation requires authenticated low-privilege access plus a non-default validation setting.
Sensitive data exposure in the Visual Link Preview WordPress plugin (versions 2.3.1 and earlier) allows a low-privileged Subscriber-level authenticated user to access information they should not be authorized to view. The CVSS 3.1 vector (PR:L) indicates only minimal authenticated access is needed, and the changed scope reflects data leaking beyond the plugin's intended security boundary. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permission (or access to client registration endpoints) register a malicious client whose redirect URI uses a case-insensitive `javascript:` or `data:` scheme, bypassing URI validation. When a victim later clicks a crafted link - for example during the logout flow or within the Admin Console - the script executes in the Keycloak origin, enabling session/token theft and effective code execution in that trusted context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it carries a CVSS 7.3 (PR:L, UI:R).
Arbitrary command execution in Vim's bundled zip plugin (autoload/zip.vim) affects builds from 9.1.1784 up to the 9.2.0678 fix on systems where the plugin falls back to PowerShell for archive operations. When browsing, reading, extracting, updating or deleting zip entries, the plugin quotes archive entry names for the shell but not for PowerShell, so a crafted entry name escapes the string context and runs attacker-supplied commands with the privileges of the user who merely opened or viewed the archive. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; risk is bounded to Windows/PowerShell-fallback deployments and requires user interaction.
Remote code execution in Dell Wyse Management Suite (versions prior to WMS 5.5 HF1) is reachable through a path traversal flaw (CWE-22) that lets an authenticated, high-privileged remote attacker access or write files outside the intended directory and ultimately execute arbitrary code on the management server. The CVSS 3.1 base score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), reflecting full confidentiality, integrity, and availability impact gated by a high-privilege requirement. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Stack buffer overflow in NSD 4.14.0 (NLnet Labs authoritative DNS server) allows a party able to introduce zone data to overwrite up to 111 attacker-controlled bytes on the stack when a specially crafted APL resource record - carrying an adflength larger than the address family permits - is serialized as the zone is written to disk. Per the CVSS 4.0 vector (PR:L), exploitation requires low privileges and yields high integrity and availability impact, consistent with memory corruption leading to crash or potential code execution. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Arbitrary file write in 3X-UI, a web control panel for managing Xray-core proxy servers, allows an authenticated administrator to write attacker-controlled files anywhere on the host by tampering with Xray configuration values through the database import feature in versions prior to 3.3.1. Because the written files execute in the context of the Xray process - frequently root in self-hosted deployments - this escalates to full code execution and persistent host compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is resolved in release 3.3.1.
Local privilege-context memory corruption in the Linux kernel's accel/ivpu (Intel NPU/VPU accelerator) driver allows a low-privileged user with access to the device to trigger a buffer overflow through the metric stream MS get_info ioctl. When the NPU firmware reports an info size larger than the allocated kernel buffer, the driver performs an oversized copy, corrupting kernel memory and potentially leaking sensitive data or crashing the system. No public exploit identified at time of analysis; EPSS probability is low (0.19%) and the issue is not in CISA KEV.
Local heap disclosure and kernel crash in the Linux kernel networking stack arises because skb_is_err_queue() misidentifies AF_PACKET outgoing-tap skbs as error-queue skbs, letting AF_PACKET control-buffer state be misread as sock_exterr_skb::opt_stats. When timestamping and SO_RXQ_OVFL are enabled, an odd packet-drop counter makes the timestamp cmsg path emit SCM_TIMESTAMPING_OPT_STATS over non-linear skbs, reading past the linear head to leak adjacent kernel heap or trip hardened usercopy (BUG/panic). CVSS is 7.1 (C:H/A:H, local, low-priv); EPSS is low at 0.18% (8th percentile), and there is no public exploit identified at time of analysis.
Reflected cross-site scripting in the TablePress WordPress plugin (versions 3.3.1 and earlier) lets an unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed (S:C), successful exploitation can affect resources beyond the vulnerable component, including the WordPress admin session context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported through Patchstack's WordPress vulnerability program.
Out-of-bounds read in the Linux kernel's Bluetooth BNEP (Bluetooth Network Encapsulation Protocol) subsystem allows an adjacent attacker to crash the kernel by sending a malformed short BNEP frame over an established PAN connection. The flaw in bnep_rx_frame()/bnep_rx_control() in net/bluetooth/bnep/core.c reads the packet-type, control-opcode, and setup UUID-size bytes before confirming they are present, producing a KASAN-confirmed slab-out-of-bounds read past a 1-byte kmalloc-8 allocation. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.18%, 8th percentile).
Out-of-bounds read in the Linux kernel Thunderbolt (thunderbolt) property parser lets a crafted property directory from a connected Thunderbolt/USB4 device cause the kernel to read past an allocated property block, potentially disclosing adjacent kernel memory or crashing the system. The flaw lives in __tb_property_parse_dir(), which fails to validate that content_offset + content_len stays within block_len for the root directory. It affects a broad range of stable kernel series and is fixed upstream; there is no public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.18% (7th percentile).
Information disclosure in the Linux kernel's Thunderbolt XDomain driver allows a malicious peer device to read stale kernel DMA-pool memory from prior transactions. The tb_xdomain_copy() function copies the full expected response_size from a received packet buffer without bounding it to the actual frame size, so a deliberately short response causes the kernel to leak adjacent buffer contents. No public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and the issue is not in CISA KEV.
Out-of-bounds memory access in the Linux kernel's accel/ivpu driver (Intel NPU/VPU accelerator) occurs because firmware-supplied read and write indices for the firmware log buffer were used without bounds validation, allowing invalid offsets to drive out-of-bounds buffer reads. Affecting Intel Core Ultra-class systems running affected 6.12.x through 6.18.x and 7.x kernels, a local low-privileged actor able to influence the device's firmware log indices can disclose kernel memory or crash the host. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.18%, 7th percentile).
Local out-of-bounds read in the Linux kernel's RDMA/core subsystem allows a low-privileged user with access to RDMA uverbs to crash the system or leak adjacent kernel memory by supplying an unvalidated cpu_id during DMA handle (DMAH) allocation. The UVERBS_ATTR_ALLOC_DMAH_CPU_ID attribute is passed straight to cpumask_test_cpu() without a bounds check, and on CONFIG_DEBUG_PER_CPU_MAPS kernels combined with panic_on_warn it forces a reboot. There is no public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile).
Out-of-bounds kernel memory read in the Linux kernel's rtl8723bs staging Wi-Fi driver (Realtek RTL8723BS SDIO) lets a local low-privileged actor read past the intended information-element (IE) buffer. rtw_update_protection() receives a pointer already offset into the ies buffer while still being passed the full ie_length, so parsing walks beyond the valid data. There is no public exploit identified at time of analysis, EPSS risk is low (0.17%, 7th percentile), it is not in CISA KEV, and fixed kernel releases are available.