Unauthenticated broken access control in the Flash & HTML5 Video WordPress plugin (versions <= 2.11.0) allows remote unauthenticated attackers to bypass authorization checks and access restricted resources, crossing a privilege boundary (CVSS Scope Changed) with limited confidentiality impact. Reported by Patchstack and catalogued under EUVD-2026-39735, this is a CWE-862 (Missing Authorization) flaw requiring no credentials, no user interaction, and no special complexity to exploit. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Unauthenticated path traversal file deletion affects ShortPixel Adaptive Images WordPress plugin versions 3.11.4 and earlier, allowing remote attackers without any credentials to delete files outside the plugin's intended directory scope. The CVSS vector (PR:N, AC:L, S:C) confirms no authentication is required and that the impact crosses component boundaries, potentially reaching WordPress core files or other hosted content. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low attack complexity and zero privilege requirement make opportunistic exploitation straightforward once the vulnerability is known.
Credential brute-force exposure in Reolink Home Hub (versions prior to v3.3.0.456_26031911) enables adjacent-network attackers to crack authentication credentials used between the Hub and its associated cameras. The netclient and factory services transmit or store credentials in a manner susceptible to brute-force attack, allowing an adversary on the same local network to intercept Hub-to-camera traffic and recover camera credentials. No public exploit or CISA KEV listing is present at time of analysis; however, the CVSS 4.0 subsequent-system impact is rated High across confidentiality, integrity, and availability, reflecting full camera compromise potential once credentials are cracked.
CSS injection in OpenProject's rich text rendering pipeline prior to version 17.4.0 allows any authenticated user with write access to inject arbitrary CSS into formattable text fields (work package descriptions, comments, project descriptions, news). The misconfigured Sanitize::Config::RELAXED[:css] setting permits all CSS properties on permitted HTML elements, enabling UI redressing, phishing overlays, and potential CSS-based side-channel data exfiltration when a victim views the malicious content. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the vendor-released fix is available in 17.4.0.
An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute-force attack against the hash message authentication code, allowing the input of an arbitrary message,. Rated medium severity (CVSS 5.6). No vendor patch available.
Soft CPU lockup in the Linux kernel SCSI generic (sg) driver allows a local user to trigger a denial of service by writing an out-of-range value directly to the def_reserved_size sysfs module parameter, bypassing the validation enforced by sg_proc_write_dressz. Setting def_reserved_size to -1 via /sys/module/sg/parameters/def_reserved_size causes sg_build_reserve to enter a non-terminating allocation loop on the next open() of any /dev/sgX device, hanging the affected CPU core for 26+ seconds until the kernel watchdog fires. No public exploit code has been identified and EPSS probability is very low at 0.18%; patches are confirmed available across all active stable kernel branches.
Off-by-one array overflow in the Linux kernel's hvc_iucv driver (IBM z/VM IUCV HVC terminal subsystem) can trigger an out-of-bounds write to hvc_iucv_table[8] when hvc_iucv_devices is set to the maximum value of 8, crashing the kernel. Exploitation requires local access with low privileges on IBM System z systems running z/VM with hvc_iucv configured. No public exploit identified at time of analysis; EPSS is 0.18% (7th percentile), consistent with a niche mainframe-only driver affecting a very limited deployment population.
Kernel denial-of-service in the Linux mailbox subsystem triggers an OOPS when a mailbox controller is instantiated without an associated channel array and the code dereferences the missing pointer without a NULL guard. Local low-privileged users on affected systems - particularly embedded or SoC-based Linux deployments that rely on mailbox-based inter-processor communication - can cause a system crash. EPSS is 0.18% (7th percentile), no active exploitation is confirmed, and patches have been backported across all active stable branches from 5.10.x through 7.1.
Silent audit trail corruption in the Linux kernel's capability auditing subsystem allows a local attacker who manipulates inheritable capabilities as a precursor to privilege escalation to have that manipulation go unrecorded in CAPSET audit logs since 2008. The `__audit_log_capset()` function records `cap_effective` into the `cap_pi` (inheritable) field due to a copy-paste error, meaning compliance and forensic systems receive falsified capability state that masks the inheritable-cap modification step of a privilege escalation chain. No public exploit has been identified at time of analysis, and the EPSS score of 0.18% (7th percentile) reflects that exploitation as a standalone attack is not observed in the wild.
Improper input validation in the Linux kernel's nilfs2 filesystem driver allows a local low-privileged user to trigger a kernel WARN_ON and cause a denial of service by submitting a crafted ioctl request with bd_oblocknr set to zero. The zero value collides with the -ENOENT sentinel path in nilfs_ioctl_mark_blocks_dirty(), bypassing the dead block detection logic and passing an invalid block reference into nilfs_bmap_mark(). No active exploitation has been identified (EPSS 0.17%, not in CISA KEV), and patches are available across all actively maintained Linux stable branches.
Kernel crash via NULL pointer dereference in the ALSA HDA Conexant audio driver affects Linux kernel stable branches from 5.15 through 7.0, exploitable by a local low-privileged user on systems with Conexant HDA audio hardware. The cx_probe() function ignores the error pointer returned by snd_hda_jack_detect_enable_callback() on memory allocation failure, leaving the jack detection callback unregistered and an internal structure uninitialized; a subsequent audio jack event then triggers a kernel panic. No public exploit exists and no CISA KEV listing is present; EPSS is 0.17% (7th percentile), confirming very low real-world exploitation probability.
NULL pointer dereference in the Linux kernel ice driver's ice_reset_all_vfs() function crashes the host kernel when a Virtual Function VSI rebuild fails during concurrent NVM firmware updates on Intel E800-series NICs. Systems with SR-IOV enabled on Intel E800-series adapters running kernel versions from 5.8 through the patched stable releases are affected. An attacker or privileged local process can trigger a kernel panic by initiating a VF reset while nvmupdate64e has placed Admin Queue commands in a transitional failure state, resulting in complete host denial of service. No public exploit exists and EPSS is negligible at 0.17% (7th percentile); CISA KEV listing is absent.
Indefinite kernel hang in the Linux kernel's drm/gma500 Oaktrail LVDS display initialization code can be triggered locally on systems with Intel GMA 500/Oaktrail graphics hardware, causing a denial of service requiring a hard reboot. The defect lies in error handling that incorrectly attempts to deregister an I2C adapter obtained via i2c_get_adapter() - which only increments a reference count - rather than restricting cleanup to adapters the driver itself allocated. No public exploit code exists and EPSS is 0.17% (7th percentile), consistent with a niche, largely retired hardware platform.
A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Stack overflow in Bento4's MP4 parsing component allows an attacker to crash any application built on the library by supplying a crafted MP4 file. The flaw resides in AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity, a dynamic array growth function invoked while processing Track Run (trun) atoms, and affects all Bento4 releases before v1.8.9. A public proof-of-concept exists (poc4.zip), though EPSS sits at 0.17% and CISA KEV has not listed this CVE, indicating no confirmed widespread exploitation at time of analysis.
NULL pointer dereference in the Linux kernel's airoha QDMA network driver crashes the kernel when RX queue initialization fails mid-way through allocation. The flaw exists in airoha_qdma_init_rx_queue() where early ndesc initialization causes the cleanup routine to call netif_napi_del() on NAPI structures never registered via netif_napi_add(), dereferencing a null pointer and causing a local denial of service. No public exploit identified and EPSS at 0.17% (6th percentile) reflects minimal real-world exploitation probability; impact is constrained to systems running Airoha QDMA-based network hardware.
Improper locking in the Linux kernel's amdgpu DRM driver allows a local low-privileged user to trigger a kernel deadlock or system crash via the AMDGPU_INFO_READ_MMR_REG ioctl. Three distinct concurrency defects exist: inverted lock ordering between the reset semaphore and mm_lock (permitting copy_to_user() under lock), memory allocation while holding the reset semaphore, and use of down_read_trylock() where a blocking wait is required. No public exploit code has been identified and EPSS is 0.17%, placing this firmly in opportunistic-rather-than-targeted risk territory.
Memory corruption in the arm64 early kernel mapping on Linux allows a local low-privileged user to cause a kernel panic through an off-by-one page-table allocation error introduced since commit 5973a62efa34. Affected systems running 4K page granule on arm64 hardware may have the [data, end) segment overflow into the guard gap page before early_init_stack, corrupting critical early initialization memory. No public exploit exists and EPSS is 0.17% (6th percentile), reflecting this as primarily a kernel stability and reliability concern for arm64 deployments rather than an actively weaponized attack vector.
NULL pointer dereference in the Linux kernel's ps883x USB Type-C retimer driver causes a kernel Oops during device unbind, resulting in a denial of service. The ps883x_retimer_remove() function calls i2c_get_clientdata() to retrieve driver-private state, but i2c_set_clientdata() was never called during probe, leaving the pointer NULL; dereference at offset 0x20 triggers a fatal translation fault. Systems with ps883x retimer hardware running affected kernel versions are vulnerable when a privileged local user unbinds the driver via sysfs. No active exploitation is confirmed (no CISA KEV listing), and the EPSS score of 0.17% (6th percentile) reflects negligible real-world exploitation probability.
NULL pointer dereference in the Linux kernel's EIP93 hardware crypto driver triggers a kernel panic during AEAD crypto operations on affected embedded systems. The root cause is a self-contradictory algorithm lookup mask in eip93_hmac_setkey() - CRYPTO_ALG_ASYNC is passed as an exclusion mask, yet EIP93 algorithms are inherently async, so the lookup always returns -ENOENT. This leaves the AEAD security association record with zeroed digest fields; any subsequent crypto operation then dereferences a NULL context pointer, crashing the kernel. No public exploit is identified at time of analysis, and EPSS is very low (0.17%, 6th percentile), reflecting the narrow hardware-specific attack surface.
Null pointer dereference in the Amlogic T7 SoC reset driver crashes the Linux kernel when uninitialized reset operation callbacks are invoked, causing a full system denial of service. Local low-privilege users on systems physically equipped with an Amlogic T7 SoC are affected across kernel versions from the introduction commit through the patched releases 6.18.33, 7.0.10, and 7.1. No public exploit has been identified and EPSS of 0.17% (6th percentile) reflects negligible real-world exploitation interest; this is a hardware-specific stability fix rather than an actively exploited security threat.
NULL pointer dereference in the Linux kernel's Airoha QDMA network driver causes a kernel panic (denial of service) when queue entry list allocation fails during TX queue initialization. Systems running Airoha-based network hardware on affected kernel versions - including Linux 6.19 - are vulnerable when the driver's cleanup path dereferences an uninitialized descriptor array pointer. No public exploit exists and EPSS sits at 0.17% (6th percentile), indicating minimal real-world exploitation activity; no CISA KEV listing.
Kernel panic via NULL pointer dereference in the Linux kernel MANA (Microsoft Azure Network Adapter) driver allows a local low-privileged user to crash the host when a power management resume failure leaves the driver in a torn-down state. The mana_remove() function is invoked twice - first during a failed mana_probe() recovery path that nullifies gdma_context and driver_data, and again when the driver is subsequently unbound - dereferencing a NULL gc pointer. No public exploit exists and EPSS is 0.17% (6th percentile), indicating minimal real-world exploitation activity; however, the impact on Azure Linux VM availability is complete (kernel panic).
Boot-time kernel crash in Linux 6.16+ on AMD IOMMU-equipped systems causes a General Protection Fault when a PCI device whose Bus:Device.Function address is absent from the ACPI IVRS table is encountered during IOMMU initialization. The root cause is a missing bounds check in __rlookup_amd_iommu() that was latent until commit e874c666b15b changed the rlookup_table allocation from a zeroed page-order block (which returned NULL on overrun) to a tight kvcalloc(), causing adjacent slab contents to be dereferenced as a valid struct amd_iommu pointer. The result is a non-recoverable GPF at boot time, confirmed in production on Google Compute Engine ct6e VMs; no public exploit code and no CISA KEV listing exist at time of analysis.
Stack access fault in the x86/kexec purgatory handoff crashes non-kjump kexec operations on affected Linux kernel versions, resulting in a local denial of service. A prior regression removed a 'gratuitous' stack push in the non-kjump path; however, the purgatory code shipped by kexec-tools still reads above its stack top expecting that return address, triggering a memory fault that aborts the kexec reboot or crashes the system. No public exploit exists and EPSS sits at the 6th percentile, placing this firmly in the reliability-regression category rather than an adversarial attack surface.
Denial of service in the Linux kernel's padata parallel data processing subsystem results from a misplaced CPU hotplug callback that returns an error in a section where error returns are not permitted. Specifically, padata_cpu_dead() is registered below CPUHP_TEARDOWN_CPU, a hotplug state phase where callbacks are not allowed to fail; when the callback returns non-zero, the kernel emits a 'DEAD callback error' warning that can destabilize the system. A local attacker with low-privilege access on a multi-CPU system using padata (e.g., for parallel IPsec or crypto processing) can trigger this condition during CPU offline transitions, resulting in high availability impact. No public exploit is identified and EPSS is 0.16%, indicating low exploitation probability; patches are available across multiple stable kernel branches.
NULL pointer dereference in the Linux kernel MANA (Microsoft Azure Network Adapter) driver crashes the host kernel when initializing Virtual Function (VF) devices in VFIO passthrough or nested KVM environments where `pdev->slot` is unpopulated. Systems running affected kernel versions in Azure-style or nested virtualization deployments face deterministic kernel panics and total availability loss on the host. No public exploit code has been identified, and EPSS probability is 0.16% (5th percentile), indicating low opportunistic exploitation risk - though in targeted Azure or nested KVM environments, the crash is straightforwardly reproducible.
NULL pointer dereference in the Linux kernel's mt76/mt7925 WiFi driver crashes the kernel when the 'sta' pointer is dereferenced before a NULL check in mt7925_tx_check_aggr(). Systems with MediaTek mt7925 WiFi hardware running affected kernel versions are exposed to a local denial-of-service via kernel panic. No public exploit exists and EPSS is at the 5th percentile (0.16%), indicating no observed widespread exploitation; patches have been applied across multiple stable kernel branches.
Firmware crash in the Linux kernel's mt76/mt7921 WiFi driver allows a local low-privileged user to cause denial of service by triggering station Association ID (AID) values above the firmware's undocumented limit of 20. Affected hardware includes Mediatek mt7922 chipsets operating in AP mode (IFTYPE_AP). Exploitation requires running a non-standard hostapd configuration that allocates AIDs starting at 65 or higher - stock hostapd is not affected. No public exploit has been identified and EPSS is 0.16% (5th percentile), indicating very low exploitation likelihood.
Deadlock in the Linux kernel's DSA (Distributed Switch Architecture) subsystem allows a local low-privileged user to hang the kernel network stack by running ethtool against a DSA-configured conduit interface. The DSA subsystem replaces the conduit device's ethtool_ops with aggregating wrappers, but these wrappers redundantly invoke netdev_lock_ops() on a lock already held by the kernel ethtool infrastructure, creating a classic double-lock deadlock. No public exploit exists and EPSS sits at 0.15% (5th percentile), though the issue is trivially reproducible with standard system tooling on affected configurations.
Kernel panic via reachable assertion in the Linux kernel Phonet subsystem allows any low-privileged local user to crash the system. The flaw exists in pn_socket_autobind() at net/phonet/socket.c:213, where a BUG_ON() assertion fires when pn_socket_bind() returns -EINVAL for a reason other than an already-bound socket - specifically, when sk->sk_state is not TCP_CLOSE on an unbound socket. This was confirmed exploitable by syzbot fuzzing. No public exploit exists independent of the syzbot reproducer, and no active exploitation is reported in CISA KEV; EPSS at the 5th percentile confirms low real-world exploitation probability.
Kernel crash in Linux DRM/AMD DCN32 display subsystem affects systems equipped with AMD RDNA3-generation GPUs running x86 non-RT kernels. The dcn32_validate_bandwidth() function locks FPU registers via DC_FP_START(), disabling local softirqs, then calls kvzalloc() for a ~335 KiB phantom-plane allocation that triggers the vmalloc path; vmalloc fires BUG_ON(in_interrupt()), crashing the kernel. No public exploit has been identified at time of analysis, and EPSS at 0.15% (5th percentile) reflects low real-world exploitation interest.
NULL pointer dereference in the Linux kernel IOMMU subsystem crashes affected systems during PCI device reset when a default domain allocation has previously failed. Local users with low-privilege access on Linux kernel versions in the 7.0 branch (prior to 7.0.10) and before 7.1 can trigger a kernel panic through the `pci_dev_reset_iommu_done()` function, resulting in a denial of service. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.15% (5th percentile) reflects the low real-world exploitation likelihood given the edge-case hardware precondition and local-only attack vector.
NULL pointer dereference in the Linux kernel arm_mpam subsystem allows a local low-privileged attacker to crash the kernel by triggering a specific cleanup code path before initialization completes. The flaw exists in __destroy_component_cfg(), which unconditionally dereferences the embedded 'garbage' structure to free the configuration array even when mpam_disable() is called before __allocate_component_cfg() has ever run. No public exploit code exists and the EPSS score of 0.15% (5th percentile) confirms negligible real-world exploitation activity; vendor-supplied patches are available via upstream stable commits.
Unbounded NAPI busy-poll loop in the Linux kernel's io_uring subsystem allows a low-privileged local process to spin the kernel indefinitely when no I/O events arrive, triggering soft lockup watchdog complaints and degrading system availability. Affected kernels are those at or after commit 8d0c12a80cdeb80d5e0510e96d38fe551ed8e9b5 (introducing NAPI support in io_uring, Linux 6.9) through the patched stable releases 6.18.33, 7.0.10, and 7.1. No public exploit exists and this is not listed in CISA KEV; EPSS sits at 0.15% (5th percentile), reflecting very low exploitation interest.
Integer overflow on the RISC-V IOMMU invalidation path in the Linux kernel triggers an infinite loop, causing a local denial of service. A low-privileged local user on an affected RISC-V system with IOMMU hardware can hang the kernel by inducing an invalidation where gather->end equals ULONG_MAX, exploiting the sign-extended page table range supported by RISC-V. EPSS is 0.15% (5th percentile), no active exploitation has been identified, and no public exploit code is known.
Uninitialized memory read in the Linux kernel FUSE filesystem driver causes local denial-of-service conditions. Specifically, `fuse_dentry_revalidate()` in `fs/fuse/dir.c` reads the `->d_time` field of a dentry that was allocated by `__d_alloc()` without initialization, detectable by KMSAN as a use-before-initialize defect. A local authenticated user with access to a FUSE-mounted filesystem can trigger a kernel crash by opening a file through the affected `lookup_open` → `d_revalidate` code path. No public exploit exists and EPSS is 0.15%, indicating minimal real-world exploitation pressure at this time.
Kernel page fault in the Linux kernel's Tegra234 Control Backbone (CBB) driver crashes affected NVIDIA Tegra234-based systems when a cross-fabric error interrupt triggers incorrect register address resolution. The `tegra234_cbb_get_tmo_slv()` function uses the receiving fabric's base address (`cbb->regs`) with register offsets derived from a different fabric's target map, producing an invalid virtual address dereference (`ffff80000954cc00`) and a kernel panic. Exploitation requires local low-privilege access to Tegra234 hardware; no public exploit or POC exists, EPSS sits at the 5th percentile (0.15%), and the vulnerability is not in CISA KEV.
Null pointer dereference in the Linux kernel's pinctrl subsystem allows a local low-privileged attacker to crash the kernel, causing a denial of service. The flaw exists in pinconf_generic_parse_dt_pinmux(), which fails to validate that a 'pinmux' Device Tree property is non-empty before use - an empty property causes the allocator to return an invalid non-NULL pointer, and subsequent memory access triggers a kernel panic. No public exploit code exists and EPSS is 0.15% (5th percentile), reflecting low real-world exploitation probability; exploitation is further constrained to systems with specific pinctrl hardware and Device Tree configurations.
NULL pointer dereference in the Linux kernel's drm/amd/ras subsystem allows a local low-privileged user to crash the kernel on systems with AMD GPUs. The flaw in ras_core_get_utc_second_timestamp() occurs when a NULL ras_core pointer passes a conditional check but is then dereferenced in the subsequent error-printing path, producing a kernel panic. No public exploit exists and EPSS sits at 0.15% (4th percentile), placing this firmly as a low-urgency local denial-of-service hardening issue despite the Availability:High CVSS rating.
Spurious WARN_ON_ONCE calls in the Linux kernel's blk-wbt subsystem trigger unnecessary kernel warnings and stack traces under expected failure conditions - memory pressure or a pre-registered writeback throttle. Local low-privileged users can provoke this via ioctl(BLKPG) during MTD partition creation under memory-constrained conditions, generating noise in kernel logs and, on panic_on_warn-enabled kernels, potentially causing a system crash. No public exploit exists and the EPSS score of 0.14% (4th percentile) places this firmly in the low-priority tier; it has not been added to CISA KEV.
NULL pointer dereference in the Linux kernel's AMD RAS subsystem crashes systems with AMD GPU hardware. The function `ras_core_ras_interrupt_detected()` in `drm/amd/ras` fails to validate the `ras_core` pointer before dereferencing `ras_core->dev` in an error path, enabling a local low-privilege user to trigger a kernel panic and denial of service. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS at 0.14% (4th percentile) confirms negligible current exploitation probability. Upstream fix commits are available in stable kernel trees.
NULL pointer dereference in the Linux kernel AMD display driver (drm/amd/display) can cause a kernel panic on systems running AMD GPUs, resulting in a complete denial of service. The flaw resides in dc_dmub_srv_log_diagnostic_data() and dc_dmub_srv_enable_dpia_trace() in dc_dmub_srv.c, where a combined NULL guard incorrectly permits DC_LOG_ERROR() - which internally dereferences dc_dmub_srv->ctx - to execute when dc_dmub_srv itself is NULL. No public exploit has been identified at time of analysis and EPSS sits at the 4th percentile, indicating very low exploitation probability in the wild.
Use-after-free and memory leak in the Linux kernel max77705 power supply driver expose systems with Maxim MAX77705 PMIC hardware to local denial-of-service. Two concurrent bugs exist: the workqueue is never destroyed on driver removal (memory leak), and a race condition allows an interrupt handler to schedule work on an already-freed workqueue if the interrupt fires after workqueue destruction but before the devm interface releases the interrupt registration. On vulnerable kernel versions prior to the stable-tree patches (7.0.10 and 7.1 series), a local user on hardware with a MAX77705 PMIC can trigger kernel memory corruption. No public exploit code has been identified at time of analysis, and EPSS sits at 0.14% (4th percentile), reflecting negligible opportunistic exploitation interest.
Lansweeper lsrunase 2.0 and lsencrypt 2.0 use RC4 encryption with a hardcoded 142-byte static key array to encrypt credentials. An 8-character prefix is stored in cleartext alongside the ciphertext. This allows an attacker with local access to recover any encrypted password to plaintext using a single SHA-1 hash and RC4 decryption operation, with no brute force required.
Credential exposure in turso-cli versions 1.0.25 and earlier allows any local user on the same host to read the Turso platform JWT stored world-readable at mode 0o644 in settings.json, granting full access to all Turso organizations the victim belongs to. The root cause is turso-cli's failure to override Viper's insecure default configPermissions before writing credentials - a deviation from the explicit 0o600 baseline established by comparable CLIs including gh, aws, docker, and gcloud. A proof-of-concept demonstrating the 0o644 mode is included in the advisory; no active exploitation is listed in CISA KEV.
Insufficiently protected credential storage in Dokku prior to 0.38.2 exposes git authentication secrets stored in $DOKKU_ROOT/.netrc to any local user who can traverse the Dokku home directory. The git:auth command pre-creates the .netrc file using bash's touch, which applies the process umask (0644) before the netrc binary runs - defeating the netrc binary's own 0600 enforcement because the file already exists at write time. No public exploit code exists and the vulnerability is not in CISA KEV, but the confidentiality impact is rated High given that plaintext git credentials (hostnames, usernames, passwords) are directly readable without any special tooling.
Signal delivery bypass in FreeBSD's thr_kill2(2) system call allows an unprivileged local user - or a jailed process - to send arbitrary signals to any process on the system, including root-owned processes and critical daemons, causing Denial of Service. The flaw stems from a missing check on the return value of p_cansignal(), the kernel's permission enforcement primitive: the signal is unconditionally delivered before the error is propagated to the caller. No public exploit has been identified at time of analysis and SSVC assesses exploitation as none, though globally sequential thread IDs reduce the skill requirement to simple brute force, and the jail boundary bypass adds a container-escape dimension absent from the base CVSS score.
Signature type-binding bypass in @sigstore/core (npm) allows an attacker who controls the `payloadType` field of a DSSE envelope to substitute every ASCII character with a Unicode variant whose low byte matches, producing PAE bytes identical to a legitimate signature and causing verification to pass for a mismatched content type. All versions up to and including 3.2.0 are affected; a working proof-of-concept is included in the GitHub security advisory GHSA-jfc7-64v2-mr8c. The vulnerability is not confirmed in the CISA KEV catalog, but exploit code is publicly available, making exploitation straightforward for any attacker positioned to craft or relay DSSE envelopes.
Cross-site scripting in jupyter/nbconvert versions 7.17.0 and earlier allows any user with notebook write access to inject and execute arbitrary JavaScript in the browsers of users who view HTML-exported notebooks. The flaw stems from the `data_mermaid` rendering block in `share/templates/lab/base.html.j2`, which outputs `text/vnd.mermaid` cell content directly into HTML without escaping, enabling tag breakout from the enclosing `<pre>` element. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the stored-XSS pattern means any user who views a maliciously crafted HTML export is at risk.