Reference leak in the Linux kernel Bluetooth ISO subsystem allows a local low-privileged user to exhaust kernel resources and cause a denial of service. The `iso_conn_big_sync` function acquires an `hci_dev` reference via `hci_dev_hold()` through `hci_get_route()` but never releases it, violating the borrow contract. No active exploitation has been confirmed and EPSS is very low at 0.18% (7th percentile), but the affected surface - the BLE Audio Broadcast Isochronous Group (BIG) synchronization path - is present on any Linux system with a Bluetooth controller.
Stack overread in the Linux kernel ALSA MIDI sequencer dummy client (snd_seq_dummy) allows a local low-privileged user to crash the kernel or potentially leak kernel stack contents by sending a crafted Universal MIDI Packet (UMP) event. The dummy port copies incoming events into a legacy-sized stack temporary, but when the UMP flag remains set the delivery path calls snd_seq_event_packet_size() and copies a larger UMP-sized packet from that undersized allocation, reading past the stack buffer end. No public exploit has been identified and EPSS is 0.18% (7th percentile), placing this firmly in routine-patch rather than emergency-response territory.
NULL pointer dereference in the Linux kernel's Marvell EBU GPIO driver (gpio/mvebu) causes a kernel oops and system crash during suspend/resume operations on Marvell Armada ARM platforms. The flaw affects all stable kernel branches from 4.12 onward where mvebu_pwm_suspend() and mvebu_pwm_resume() are unconditionally invoked for every GPIO bank, including those where mvchip->mvpwm is NULL due to absent PWM hardware. A local authenticated user with sufficient privileges to trigger system suspend can crash the kernel with no recovery, resulting in full availability loss. No public exploit exists and EPSS is 0.18% (7th percentile), reflecting a niche hardware dependency that sharply limits real-world exposure.
NULL pointer dereference in the Linux kernel netfilter bridge redirect target crashes the kernel when a bridge port is removed or reassigned between an initial NFQUEUE hook invocation and packet reinject. The affected function ebt_redirect_tg() in the ebtables bridge filtering subsystem calls br_port_get_rcu() without guarding against a NULL return, and the additional complexity noted in the fix is that a mere NULL check would still be insufficient - userspace can move the device into a macvlan while the packet is queued, requiring the packet to be dropped entirely. This flaw has existed since commit f350a0a87374418635689471606454abc7beaa3a (kernel 2.6.36), making it a long-standing latent bug. No public exploit identified at time of analysis; EPSS at 0.18% (7th percentile) signals negligible automated exploitation risk.
Memory leak in the Linux kernel TEE subsystem's register_shm_helper() function allows a local low-privileged user to exhaust kernel memory and degrade system availability. Triggering the leak requires calling the TEE_IOC_SHM_REGISTER ioctl with a length of zero, causing the function to allocate shared memory and then skip its deallocation when iov_iter_npages() returns 0. No public exploit has been identified at time of analysis, and EPSS sits at the 7th percentile, indicating very low real-world exploitation probability.
Reference-count leak in the Linux kernel's drm/virtio GPU driver allows a local low-privilege user inside a QEMU/KVM virtual machine to gradually exhaust kernel memory, causing a guest denial of service. The bug exists in virtio_gpu_dma_fence_wait(), where an early error return from inside dma_fence_unwrap_for_each() leaves a dma_fence reference acquired by dma_fence_unwrap_first() unreleased - the only such early-return site in the entire kernel tree. No public exploit is identified at time of analysis and EPSS sits at 0.18% (7th percentile), consistent with the absence from CISA KEV and the non-trivial conditions required to trigger repeated fence-wait failures.
Resource leak and use-after-free in the Linux kernel's gpio-rockchip driver can crash the kernel on systems using Rockchip GPIO hardware. The driver's remove path fails to call irq_domain_remove_generic_chips(), leaving allocated generic chip structures unreleased and dangling on the global gc_list. After driver unbind or module removal, IRQ subsystem suspend, resume, or shutdown callbacks may subsequently dereference the freed memory, producing a use-after-free condition and kernel panic. No public exploit exists and EPSS sits at the 7th percentile, indicating very low real-world exploitation probability; however, the availability of upstream fix commits makes patching straightforward.
Kernel stack information disclosure in the Linux kernel's netfilter nft_meta_bridge subsystem leaks 2 bytes of uninitialized stack data to userspace via the IIFHWADDR register. A local attacker with CAP_NET_ADMIN privileges can craft an nftables bridge rule that reads the full 8-byte register span after a memcpy writes only 6 bytes, exposing stale nft_do_chain() stack content. No public exploit exists and EPSS is 0.17%; however, on hardened systems kernel stack leaks can assist KASLR bypass when chained with other primitives.
ABBA deadlock in the Linux kernel xfrm iptfs subsystem causes availability loss on SMP systems when iptfs state is destroyed while its timer callbacks are concurrently executing on another CPU. The vulnerability affects the IP Traffic Flow Secrecy (IPTFS) implementation within the kernel's xfrm IPsec framework, specifically during iptfs_destroy_state() - a function that acquires spinlocks before calling hrtimer_cancel(), creating a circular dependency with softirq timer callbacks that attempt to re-acquire those same locks. No public exploit code has been identified and EPSS is 0.17% (7th percentile), indicating this is a low-probability exploitation target; the impact is a kernel deadlock causing a system hang (DoS) with no confidentiality or integrity impact.
NULL pointer dereference in the Linux kernel's futex PI requeue path allows a local low-privileged user to crash the kernel. Triggered via FUTEX_CMP_REQUEUE_PI when a non-top waiter already owns the target PI futex, the deadlock detection path returns -EDEADLK before initializing waiter->task, which remove_waiter() then dereferences unconditionally. Impact is a kernel panic (system-wide denial of service). No public exploit identified at time of analysis and EPSS is at the 7th percentile, but the attack surface is any unprivileged local process on an affected kernel version.
Null pointer dereference in the Linux kernel's real-time mutex (rtmutex) subsystem allows a local low-privileged user to crash the kernel via FUTEX_CMP_REQUEUE_PI, causing a denial of service. Affected stable branches span Linux 6.1 through 7.1-rc5; vendor patches are available via kernel.org stable commits. No public exploit has been identified and EPSS is 0.17% (7th percentile), indicating negligible observed exploitation activity.
Denial-of-service via race condition in the Linux kernel's netfilter synproxy subsystem allows a local low-privileged user to crash the system by triggering concurrent netfilter hook registration. The synproxy infrastructure registers hooks on-demand when iptables targets or nftables expressions are added; without serialization, concurrent additions race on the reference count control blocks, corrupting kernel state. No public exploit exists and EPSS is 7th percentile (0.17%), but any Linux system running a kernel from 5.3 onward with the ability for unprivileged users to manipulate netfilter rules is technically exposed.
Kernel stack memory disclosure and multicast address corruption in the Linux kernel's 6lowpan IPHC subsystem affects all deployments running the vulnerable code path from commit 5609c185f24d onward. A local unprivileged user on a system with an active 6lowpan interface can trigger `lowpan_iphc_mcast_ctx_addr_compress()` to transmit uninitialized kernel stack bytes over the 6lowpan link layer while also corrupting the RIID field in compressed multicast addresses, breaking multicast connectivity. No public exploit identified at time of analysis; EPSS is 0.17% (7th percentile), and this is not listed in CISA KEV.
NULL pointer dereference in the Linux kernel bnxt_en Broadcom NetXtreme Ethernet driver crashes the kernel when PCIe error recovery fires against a closed NIC, causing a denial of service. Affected kernel versions span from 4.17 through multiple LTS and mainline branches up to 7.1-rc4, with patches released across all active stable series. No public exploit exists and EPSS sits at 0.17% (7th percentile), marking this as a reliability and stability concern rather than an actively targeted attack vector.
Integer underflow in the Linux kernel fastrpc misc driver corrupts DMA addresses sent to Qualcomm DSPs, enabling a local low-privileged user to crash the DSP subsystem or induce a kernel panic. The flaw in fastrpc_get_args() affects all major stable kernel branches from 5.15 through 7.1-rc3 and is patched across multiple stable series. No public exploit exists and EPSS probability is 0.17% (7th percentile), indicating low real-world exploitation risk despite broad platform coverage.
Corrupted reverse-mapping (rmap) state in the Linux kernel's mm/huge_memory subsystem crashes or destabilizes affected systems through a flag misinterpretation in set_pmd_migration_entry() for device-private PMD entries. On x86-64 with CONFIG_MEM_SOFT_DIRTY enabled, the function incorrectly reads the softdirty bit as a write-permission flag - because _PAGE_SWP_SOFT_DIRTY aliases _PAGE_RW - causing migration entries to be marked writable when they should be read-only, ultimately triggering a VM_WARN assertion in __folio_add_anon_rmap() when an AnonExclusive folio reaches entire_mapcount=2. No public exploit exists and no active exploitation is confirmed; a vendor patch is available as of Linux 7.0.13 and 7.1.
Null pointer dereference in the Linux kernel's IPv6 address configuration subsystem crashes the kernel when cleanup_prefix_route() receives the fib6_null_entry sentinel from addrconf_get_prefix_route() and attempts to access its NULL fib6_table pointer without validation. An authenticated local user holding CAP_NET_ADMIN can trigger this by sending a crafted IPv6 DELADDR netlink message, causing a general protection fault and system-wide denial of service. No public exploit or CISA KEV listing exists; EPSS is 0.17% (6th percentile), consistent with a privilege-gated local DoS affecting an extremely widely deployed target.
NULL pointer dereference in the Linux kernel's fastrpc misc driver crashes the kernel when a Qualcomm DSP sends a glink message before the fastrpc_rpmsg_probe() initialization routine completes. Systems using the Qualcomm FastRPC subsystem - primarily Android and embedded Qualcomm SoC platforms running Linux 5.1 through unpatched 6.x/7.x stable branches - are vulnerable to a local denial-of-service (kernel panic) at boot. No public exploit exists and EPSS is 0.17% (6th percentile), consistent with a hardware-timing race condition requiring specific Qualcomm DSP hardware rather than generic remote exploitation.
Hugetlb VMA reservation leak in the Linux kernel mm/hugetlb subsystem allows a local authenticated user to trigger SIGBUS on a process at a previously reserved huge-page address. Two code paths - the UFFDIO_COPY resubmission path and the fork-time copy-on-write path - fail to call restore_reserve_on_error() after copy_user_large_folio() returns an error, leaving the per-VMA reservation map entry marked consumed. No public exploit exists and EPSS is 0.17% (6th percentile), but patches are available in multiple stable branches.
NULL pointer dereference in the Linux kernel's dw_mmc-rockchip MMC driver triggers kernel panics on systems running legacy Rockchip SoCs (rk2928, rk3066, rk3188) when the MMC subsystem initializes. Commit ff6f0286c896 introduced a mandatory private-data access path that was never populated for these old controllers - which historically had no UHS support and no parse_dt callback - causing a reproducible kernel crash on affected hardware. No active exploitation is confirmed (absent from CISA KEV), and the EPSS score of 0.17% (6th percentile) reflects negligible real-world exploitation probability; the primary risk is an accidental reliability failure on embedded systems running these legacy SoCs.
NULL pointer dereference in the Linux kernel's drm/amdkfd subsystem allows a local low-privileged user to trigger a kernel panic by invoking the kfd_ioctl_set_debug_trap() ioctl with a non-zero num_queues value and a NULL queue_array_ptr. The root flaw is that get_queue_ids() returns NULL in this case rather than ERR_PTR(-EINVAL), and both callers check only IS_ERR() - since IS_ERR(NULL) evaluates false, execution proceeds to q_array_invalidate(), which immediately dereferences the NULL pointer while iterating, crashing the kernel. No public exploit has been identified and the EPSS score of 0.17% (6th percentile) confirms low observed exploitation probability, though the trigger path is mechanically simple for any user with /dev/kfd access.
Memory exhaustion via vaddr leak in the Linux kernel's V3D DRM driver allows a local low-privileged user to degrade or deny service on systems equipped with Broadcom V3D GPUs. The function v3d_rewrite_csd_job_wg_counts_from_indirect() maps two buffer objects (indirect buffer and workgroup buffer) but takes an early return path - without releasing the vaddr mappings - whenever any workgroup count read from the indirect buffer is zero, permanently leaking both BO mappings per triggering job submission. No public exploit has been identified and EPSS sits at the 6th percentile (0.17%), consistent with the hardware-specific, local-only attack surface; this vulnerability is not listed in CISA KEV.
Uninitialized memory exposure in the Linux kernel FUSE subsystem allows a local attacker to read residual kernel page cache data via the FUSE_NOTIFY_RETRIEVE notification path. The flaw affects systems where folios not marked 'uptodate' are returned to FUSE daemons rather than treated as absent - a condition with direct security impact only on kernels built or booted without automatic page-allocation zeroing (CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1). No public exploit has been identified at time of analysis and EPSS sits at 0.17% (6th percentile), reflecting minimal observed exploitation activity.
Kernel availability impact in Linux iommu/dma SWIOTLB subsystem allows a local low-privileged user to corrupt IOMMU mappings and trigger a kernel WARN_ON via Thunderbolt NVMe passthrough commands. The iommu_dma_iova_link_swiotlb() function fails to guard against zero-length middle segments in unaligned DMA mappings, causing iommu_map() to receive an illegal zero-size argument; the subsequent error unwind then starts from the wrong offset, corrupting the IOMMU page table state and firing WARN_ON at destruction. No active exploitation is confirmed (not in CISA KEV), and EPSS of 0.17% (6th percentile) signals negligible threat-actor interest, but the bug is reliably reproducible with commodity Thunderbolt NVMe hardware.
NULL pointer dereference in the Intel Xe GPU driver (drm/xe) causes a kernel panic during system suspend or shutdown when display hardware is disabled via hardware fuses rather than absent at initial probe. Systems running Linux 6.8 and later with Intel Xe GPUs in fuse-disabled display configurations are affected; a low-privileged local user can trigger an unplanned system crash by initiating suspend or shutdown. No public exploit exists and EPSS is 0.17% (6th percentile), reflecting this as a reliability and local-denial-of-service issue rather than a broad security priority.
Reference counting leaks in the Linux kernel's drm/v3d driver allow a local user to exhaust kernel memory and trigger a denial-of-service condition on systems equipped with Broadcom VideoCore VI GPUs (e.g., Raspberry Pi 4/5). The flaw exists across three code paths in the SET_GLOBAL and CLEAR_GLOBAL perfmon ioctls, as well as in the perfmon destroy path, each of which fails to release references acquired by v3d_perfmon_find(). No public exploit or active exploitation has been identified; EPSS probability stands at 0.17%, reflecting negligible automated exploitation interest.
The drm/v3d GPU driver in the Linux kernel mishandles indirect Compute Shader Dispatch (CSD) jobs that carry zeroed workgroup dimension counts, allowing a local low-privilege user with GPU compute access to crash the VideoCore VI GPU subsystem. The hardware interprets a zero workgroup count as 65536 - exceeding the user-space-exposed maximum of 65535 - instead of treating the dispatch as a no-op, causing undefined GPU behavior and a denial-of-service condition. Exploitation is constrained to Broadcom VideoCore VI hardware (Raspberry Pi 4/5 ecosystem); EPSS is 0.17% (6th percentile), no public exploit exists, and the vulnerability is absent from CISA KEV.
NULL pointer dereference in the ksmbd (in-kernel SMB server) subsystem of the Linux kernel causes a remotely triggerable kernel oops, resulting in denial of service. The race condition in smb2_oplock_break_noti() and smb2_lease_break_noti() allows an authenticated SMB client to crash the kernel by racing an SMB2 LOGOFF against an oplock/lease break notification - setting opinfo->conn to NULL in the window after ci->m_lock is dropped, then dereferencing it in ksmbd_conn_r_count_inc(). No public exploit identified at time of analysis; EPSS is very low at 0.16% (6th percentile), and CISA KEV listing is absent.
Memory leak in the Linux kernel devlink subsystem allows a local low-privileged user to trigger resource exhaustion by inducing a Sub-Function (SF) probe failure, leaving a nested devlink relation unreleased. The flaw occurs because devlink_free() does not clear devlink->rel when an instance fails probe before reaching devl_register(), bypassing the normal cleanup path in devl_unregister(). No public exploit has been identified and EPSS is 0.16% (6th percentile), consistent with a low-real-world-risk kernel memory management defect; patch is available across multiple stable branches.
Uninitialized stack variable use in the Linux kernel's rseq (restartable sequences) subsystem exposes systems to kernel information leak and denial-of-service. The flaw in `rseq_exit_user_update()` arises from a C standard evaluation-order ambiguity in struct initialization, detected by syzbot's KMSAN (Kernel Memory Sanitizer) as a kernel-infoleak. Affected are Linux 7.0.10 through 7.0.12 and 7.1 release candidates rc3-rc6; exploitation requires local low-privilege access, no public exploit exists, and EPSS is very low at 0.16%.
Deadlock in the Linux kernel PHY networking subsystem (net/phy) allows a local low-privileged user to freeze the networking stack on systems using the generic PHY driver (genphy) with SFP cage hardware. When genphy triggers PHY probing - which occurs while holding the RTNL lock - it erroneously calls sfp_bus_add_upstream(), which itself attempts to acquire RTNL, producing a self-deadlock confirmed by reproduction. No public exploit exists and EPSS is 0.16% (6th percentile), reflecting that exploitation requires an uncommon hardware and driver combination.
Missing bounds validation in the Linux kernel's accel/ivpu Intel VPU accelerator driver allows a local low-privileged user on an affected Intel VPU-equipped system to trigger kernel memory allocation errors or a denial of service by supplying a malformed firmware image header specifying improperly aligned or undersized runtime memory. Affected versions include Linux 6.19 and 7.1-rc1 through rc6; fixed commits are available for both the 7.0.x stable series and the 7.1 branch. No public exploit identified at time of analysis; EPSS is 0.16% (6th percentile), and no CISA KEV listing exists, reflecting minimal real-world exploitation interest.
Memory leak in the Linux kernel wifi cfg80211 subsystem allows a local low-privileged user to cause gradual kernel memory exhaustion by repeatedly triggering failed 6 GHz split scans. The leaked object is a 512-byte allocation in rdev->int_scan_req that escapes the cleanup path in ___cfg80211_scan_done() because rdev->scan_req is NULL at freeing time, causing an early return. No public exploit has been identified; EPSS of 0.16% (6th percentile) reflects very low real-world exploitation probability, and this vulnerability is not listed in CISA KEV.
Use-after-free in the Linux kernel ptp_ocp driver crashes the kernel during device removal on systems equipped with Open Compute Platform PTP hardware. The teardown function ptp_ocp_detach() frees pin resources before calling ptp_clock_unregister(), which then accesses those freed resources via ptp_disable_all_events(), introduced by commit a60fc3294a37. EPSS is 0.15% (5th percentile) and this vulnerability is not listed in CISA KEV, indicating no public exploitation and very low real-world risk outside specialized environments.
NULL pointer dereference in the Linux kernel's Intel Stratix10 RSU (Remote System Update) firmware driver causes a kernel panic when SMC call timeouts occur during probe initialization. Affected kernels through 7.1-rc7 and 7.0.13 expose a race condition where timeout-driven error paths in stratix10_rsu_probe() free the service channel - setting chan->scl to NULL - but fail to return early, allowing subsequent service kthreads to dereference the now-NULL pointer in their receive callbacks. The vulnerability is a local denial-of-service with no public exploit identified at time of analysis, and EPSS places exploitation probability at only 0.15%.
Unbounded kernel log spam and conditional kernel panic in the Linux kernel's accel/ethosu Arm Ethos-U NPU driver allows any local unprivileged user with DRM device access to exhaust kernel log resources or crash the system. The driver's unimplemented NPU_OP_RESIZE command handler contains an unconditional WARN_ON(1) that fires every time userspace submits this operation via DRM_IOCTL_ETHOSU_GEM_CREATE. On systems where the panic_on_warn kernel parameter is enabled, this becomes a trivial denial-of-service primitive requiring only local DRM device access. No public exploit has been identified at time of analysis, and EPSS sits at the 5th percentile (0.15%), reflecting the niche hardware and non-default configuration requirements.
Kernel crash in Linux cfg80211 WiFi subsystem occurs when EHT (Wi-Fi 7 / 802.11be) capability elements are present without matching EHT operation elements, triggering a null pointer dereference in mac80211 and causing a denial of service. Systems running affected kernel versions with Wi-Fi 7 hardware are at risk of a local-privilege kernel panic with no confidentiality or integrity impact. EPSS is extremely low at 0.15% (5th percentile) and no public exploit has been identified; this is not listed in CISA KEV.
Vim crashes with an out-of-bounds read when opening a maliciously crafted file encrypted with the xchacha20poly1305 cipher (VimCrypt~04! or VimCrypt~05!) whose body is shorter than a libsodium secretstream header. An unsigned integer underflow in the length calculation inside crypt_sodium_buffer_decode() causes the subsequent crypto_secretstream_xchacha20poly1305_pull() call to read far past the end of the input buffer, resulting in a denial-of-service crash. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the fix commit includes a concrete reproducer test case confirming the crash path.
Insecure default file permissions in Nextflow's `auth login` command expose Seqera Platform OIDC bearer tokens to any local user on shared POSIX systems running affected versions 25.09.2-edge through 26.04.1. The credential file `seqera-auth.config` is written via Java NIO without explicit permission bits, landing at mode 0644 under the typical umask 022, making it world-readable on HPC login nodes, shared workstations, and jump hosts - exactly the infrastructure where Nextflow is most commonly deployed. No public exploit has been identified at time of analysis and this vulnerability is not currently in the CISA KEV catalog, but the attack requires only a standard local account and trivial filesystem read, making it a practical lateral-movement primitive in multi-tenant research computing environments.
Path traversal in Halo's backup download endpoint allows authenticated administrators to read arbitrary files from the server filesystem, bypassing directory boundaries. Affected are all Halo deployments prior to version 2.24.3, where the MigrationServiceImpl.download() method invokes Path.resolve() on attacker-supplied filenames without enforcing containment within the designated backups directory. A compounding issue exists in the backup creation endpoint, which fails to sanitize status fields. No public exploit code or CISA KEV listing has been identified at time of analysis, and the PR:H requirement meaningfully constrains the attack surface.
Lua sandbox escape in Apache Kvrocks exposes the host environment to authenticated users who hold EVAL command privileges. The database fails to strip the `loadstring` function from its Lua scripting environment, which is a standard hardening step in Redis-protocol-compatible systems; retaining it allows a sandboxed Lua script to load and execute arbitrary Lua bytecode dynamically, effectively escaping the intended script isolation. No public exploit code or CISA KEV listing exists at time of analysis; however, sandbox escapes of this class are well-understood and exploitable by any user granted EVAL access.
Stored cross-site scripting in GitLab Enterprise Edition (all versions from 16.4 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1) lets an authenticated user holding only developer-role permissions inject unsanitized input that executes as JavaScript in a victim's browser session. Because the script runs with scope change in the context of another (potentially higher-privileged) user, an attacker can hijack sessions, exfiltrate data, or act on the victim's behalf. The flaw was reported privately via HackerOne and patched by GitLab; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authorization bypass in GitLab Enterprise Edition's virtual registry cleanup policy feature allows authenticated users to read or modify cleanup policy settings belonging to groups they do not own. Affected versions span all GitLab EE releases from 18.6 through 18.11.5, 19.0 through 19.0.2, and 19.1.0. Exploitation requires a valid GitLab EE account but no elevated privileges; no public exploit code exists and this is not in CISA KEV at time of analysis.
Cross-site scripting in LibreChat's markdown artifact preview pipeline allows an authenticated attacker to inject arbitrary JavaScript into a victim's browser session via crafted image alt text. The marked library v15.0.12 fails to HTML-escape double-quote characters in image alt text when LibreChat's custom image renderer falls through to the built-in renderer, enabling attribute breakout via payloads like `" onload="payload`. The resulting unsanitized HTML is written directly to `innerHTML` inside the Sandpack preview iframe, executing attacker-controlled code in the victim's browser. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; fixed in version 0.8.4-rc1.
Broken Access Control in the UPI QR Code Payment Gateway for WooCommerce plugin (versions <= 1.6.2) allows authenticated low-privilege WordPress users to perform actions or access endpoints reserved for higher-privileged roles, resulting in unauthorized modification of payment data or disruption of payment processing. The flaw, rooted in missing authorization checks (CWE-862), was disclosed by Patchstack and affects sites running WooCommerce with this Knit Pay plugin installed. No public exploit code has been identified at time of analysis, and it has not been confirmed as actively exploited.
API key scope bypass in Outline prior to 1.8.0 allows an authenticated attacker holding a limited-scope API key or OAuth token to perform actions on restricted endpoints by exploiting a URL fragment handling discrepancy. The `AuthenticationHelper.canAccess` function evaluates authorization against the fragment-appended URL path rather than the actual routed endpoint, enabling privilege escalation beyond the key's intended permissions. No public exploit code or active exploitation has been identified at time of analysis, but the low attack complexity (PR:L, AC:L) makes this straightforward to exploit for any valid API key holder.
Confidential issue references in GitLab CE/EE public projects are exposed to unauthenticated users due to missing authorization checks (CWE-862). Affecting all GitLab versions from 17.5 through 18.11.5, 19.0.0-19.0.2, and 19.1.0, this flaw enables any unauthenticated remote attacker to retrieve references to confidential issues on public projects - potentially revealing issue IDs, titles, or internal metadata that project owners explicitly restricted. No public exploit code or CISA KEV listing exists at time of analysis; however, the unauthenticated, low-complexity network vector makes this trivially automatable for reconnaissance against large GitLab installations.
Broken access control in NewsBlur before 14.5.0 exposes any authenticated user's private social notification feed - follows, replies, and social activity - to any other authenticated user. The GET /social/interactions endpoint accepts an arbitrary user_id parameter and returns that user's MInteraction records without verifying the requesting session owns the account, a classic CWE-639 IDOR. No public exploit code has been identified and this is not listed in CISA KEV, but the low attack complexity (any registered account suffices) makes the flaw trivially exploitable by any NewsBlur user against any other.
Unrestricted file upload in K2 Extension for Joomla (versions 1.0 through 2.26) permits attackers to embed PHP scripts inside zip or tar archives uploaded via the article gallery feature, which are then extracted as-is into the publicly accessible `/media/k2/galleries/<id>/` directory and remain directly executable via HTTP. The extension applies renaming sanitization only to recognized image types, leaving PHP, shell, and other dangerous file types completely unfiltered post-extraction - a textbook CWE-434 flaw. No public exploit has been identified at time of analysis, but the reported CVSS base vector (AV:N/AC:L/PR:N/UI:N) and the nature of the flaw indicate trivial exploitability; notably, the reported CVSS impact metrics (C:L/I:N/A:N) appear to significantly understate the actual consequence of achieving arbitrary PHP code execution on the server.
Incorrect authorization in GitLab Enterprise Edition's DAST site profile management exposes stored secrets to users with the Developer role under certain conditions. Affecting all GitLab EE releases from 13.11 through the recently patched 18.11.6, 19.0.3, and 19.1.1, the flaw allows a lower-privileged authenticated user to read secrets - such as authentication credentials or API tokens - embedded in DAST site profiles they should not have access to. No public exploit code or CISA KEV listing has been identified at time of analysis, and the high attack complexity (AC:H) implies specific conditions must align for exploitation to succeed.