Broken access control in the WPCafe WordPress plugin (versions 3.0.14 and earlier) allows authenticated subscriber-level users to access restricted functionality or data without proper authorization checks. The flaw stems from missing authorization (CWE-862) on one or more plugin endpoints, permitting low-privileged WordPress accounts to bypass intended access restrictions. No public exploit code or active exploitation has been identified at time of analysis, but the network-accessible, low-complexity nature of the issue makes it straightforward to abuse by any registered site user.
Broken Access Control in SEOPress PRO WordPress plugin versions up to and including 9.1.1 allows authenticated users holding the Contributor role to perform privileged actions beyond their intended authorization scope. Exploitation requires a valid WordPress account with at least Contributor-level access, making this an insider or low-privilege escalation risk rather than a remote unauthenticated threat. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; however, the low attack complexity and network reachability keep this a realistic risk in multi-author WordPress environments.
Broken access control in the Live Copy Paste for Elementor WordPress plugin (versions <= 1.5.3) allows contributor-level authenticated users to access restricted functionality beyond their intended authorization scope, resulting in unauthorized read access to content. The vulnerability stems from missing authorization checks (CWE-862) on plugin endpoints, and the 'Authentication Bypass' tag from Patchstack indicates contributors can bypass role-based restrictions enforced elsewhere. No public exploit code has been identified at time of analysis, and the plugin is not listed in the CISA KEV catalog.
Broken access control in the Restaurant Menu by MotoPress WordPress plugin (versions <= 2.4.11) allows authenticated users with subscriber-level privileges to perform actions reserved for higher-privileged roles. The root cause is CWE-862 (Missing Authorization) - the plugin fails to verify whether the authenticated caller holds the required capability before executing sensitive operations, enabling low-privilege users to manipulate menu data or plugin functionality beyond their intended scope. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA KEV catalog.
Symlink-following in KubeVirt's virt-handler permits a container-level attacker to overwrite arbitrary host files and change their ownership. An attacker with access to the virt-launcher container can plant a symlink at the network cache file path expected by the `WriteToCachedFile` function; virt-handler then follows that symlink when calling `os.WriteFile` and `os.Chown`, enabling writes of attacker-influenced JSON content to any path accessible by virt-handler on the host. This represents a partial container-to-host escape - a scope change from the container context to the underlying node - with no public exploit identified at time of analysis.
Prototype pollution in JetBrains YouTrack's websandbox bridge (all versions before 2026.2.16593) lets an attacker who can reach the sandbox boundary corrupt JavaScript Object.prototype, potentially escaping the sandbox or disclosing information. The flaw was internally reported by JetBrains and classed as CWE-1321; it carries a vendor-published CVSS of 9.8, but no public exploit has been identified at time of analysis and EPSS rates exploitation probability low at 0.40% (32nd percentile).
Path traversal in Apache IoTDB (1.0.0 before 1.3.6 and 2.0.0 before 2.0.7) allows remote attackers to read and write files outside the intended restricted directory by supplying crafted pathnames, leading to high confidentiality and integrity impact. The CVSS 3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N) indicating network-reachable, unauthenticated exploitation against affected versions. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; fixed versions 1.3.6 and 2.0.7 are available from the Apache vendor.
Path traversal in Apache IoTDB (versions 1.0.0–1.3.5 and 2.0.0–2.0.5) lets remote unauthenticated attackers reference files outside the intended directory using crafted '../' sequences in a pathname, yielding high-impact disclosure and modification of files (C:H/I:H). With a CVSS 3.1 score of 9.1 and PR:N/UI:N, the flaw is exploitable over the network against affected instances with no credentials or user interaction. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV.
Unbounded memory allocation in KubeVirt's downward metrics virtio-serial server within Red Hat OpenShift Virtualization 4 allows a local VM guest user to exhaust host-side memory. The virt-handler process - which runs on the Kubernetes node and manages VM lifecycle - uses textproto.Reader.ReadLine() with no read deadline or buffer cap, so a continuous byte stream from the guest causes virt-handler to allocate memory without bound until the Linux OOM killer terminates it. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; the CVSS score of 3.8 reflects low severity but the scope-change flag (S:C) correctly captures that the disruption crosses the guest boundary to a privileged host process.
Markdown image rendering restrictions in Mattermost are bypassed specifically for AI bot tool result posts, enabling authenticated attackers to exfiltrate data to attacker-controlled infrastructure. Affected are Mattermost versions 10.11.x through 10.11.18, 11.5.x through 11.5.6, and 11.6.x through 11.6.3. When a victim's client renders an AI bot tool result post containing injected markdown image syntax, the client issues an outbound request to the attacker's server, leaking request metadata such as session tokens or channel context. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Incorrect authorization in Statamic CMS's Live Preview endpoint allows authenticated Control Panel users with view-only permissions to submit and render arbitrary field values they are not authorized to edit. By exploiting this flaw, a restricted user can generate a shareable Live Preview URL that displays unauthorized content as if authored through legitimate editorial workflow. No public exploit code or active exploitation has been identified; this is a low-severity integrity issue confirmed patched by the vendor in versions 5.74.0 and 6.20.3.
DNS rebinding SSRF in Aimeos Pagible CMS's administrative proxy route (`cmsproxy`) exploits a TOCTOU race condition between URL validation and HTTP request execution to bypass private-IP blocklists. Authenticated attackers with basic CMS access who control a TTL=0 DNS server can cause the application to fetch cloud metadata endpoints such as the AWS Instance Metadata Service (169.254.169.254), potentially returning IAM credentials to the attacker. A detailed, step-by-step proof-of-concept is publicly available via GitHub Advisory GHSA-mmj8-wcvw-6789; no active exploitation is confirmed in CISA KEV at time of analysis.
Memory exhaustion via decompression bomb in fluent-plugin-s3's `in_s3` input plugin enables an attacker with S3 bucket write access to crash the Fluentd log collection process. Versions 0.7.0 through 1.8.4 decompress gzip, lzma2, and lzop files from S3 into memory with no size cap, allowing a crafted high-ratio compressed payload to trigger an OS OOM kill and disrupt all log ingestion on the affected node. No public exploit has been identified at time of analysis, and the CVSS PR:H requirement tightly constrains real-world exploitability.
RESP protocol injection in Dragonfly's EvalSerializer allows an authenticated low-privilege user to embed raw CRLF sequences inside Lua redis.error_reply() and redis.status_reply() return values, causing response stream desynchronization for connection-pool clients. All Dragonfly releases prior to 1.39.9 are affected; the vulnerability is confirmed fixed in 1.39.9 per GitHub security advisory GHSA-h77h-c6hc-qc9h. No public exploit has been identified at time of analysis, and exploitation requires authenticated access plus a connection-pooling client architecture, substantially limiting real-world risk.
Server-Side Request Forgery in HTMLy 3.1.1 allows authenticated administrators to coerce the server into issuing arbitrary outbound HTTP or local filesystem requests via the RSS feed import feature. The vulnerable `get_feed()` function at `system/admin/admin.php` lines 1549-1551 passes the admin-supplied URL directly to PHP's `file_get_contents()` with no scheme filtering or allowlist validation, enabling access to cloud metadata endpoints (e.g., 169.254.169.254), internal network services, or local files via `file://` wrappers. No public exploit or CISA KEV listing exists at time of analysis; the CVSS 4.0 score of 2.1 reflects the high privilege prerequisite and limited confidentiality impact.
An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute-force attack against the hash message authentication code, allowing arbitrary message input,. Rated low severity (CVSS 1.8). No vendor patch available.
Output manipulation in flawfinder before version 2.0.20 allows an attacker who controls repository filenames or file content to inject ANSI escape sequences into terminal output, visually hiding or falsifying scan results from human reviewers. The same untrusted-input handling gap extends to structured report generation: CSV reports and SonarQube XML output (via the output_sonar() function) can be corrupted or attribute-injected when filenames, categories, or code context contain unescaped special characters. No public exploit code is identified and the vulnerability is not in CISA KEV; however, the defense-evasion potential is meaningful for organizations running flawfinder against untrusted or adversarial repositories in CI/CD pipelines. The 'RCE' tag present in the intelligence metadata is not supported by the advisory and appears to be a mis-classification.
Nil pointer dereference in the Incus daemon (incusd) `CreateCustomVolumeFromBackup` function crashes the entire daemon process when a crafted backup tarball omits the `expires_at` field on any volume snapshot entry. Any authenticated user holding the `can_create_storage_volumes` entitlement on any project - below the admin tier - can trigger this with a single POST to the storage backup import endpoint, making it a persistent denial-of-service against all container, VM, and storage operations on the affected host or cluster member. A proof-of-concept exploit (479-byte tarball, confirmed against Incus 7.0.0) was bundled with the advisory; no public exploit identified at time of analysis beyond the reporter-supplied PoC. Fix is available in 7.1.0.
Nil-pointer dereference in Incus daemon (incusd) v7.0.0 allows any authenticated user holding the low-privilege `can_create_instances` permission to crash the entire incusd process with a single crafted HTTP request. The flaw resides in `createDependentVolumesFromBackup` (backend.go:9352-9412), where a prior partial fix (commit d768f81c) guarded only the outer loop variable but left three inner sub-fields - `disk.Volume`, `disk.Pool`, and `disk.VolumeSnapshots[i]` - unguarded against nil; an uploaded backup tarball with a null snapshot entry or omitted volume/pool block triggers a Go panic, taking down all container and VM operations on the host. No public exploit identified at time of analysis per CISA KEV, though a working 666-byte proof-of-concept tarball is publicly bundled with the report and was confirmed against the production 7.0.0 release.
Authentication bypass and account takeover in OpenAM Community Edition (OpenIdentity Platform) through 16.0.6 allows unauthenticated attackers to log in as any user who has authenticated via the OAuth2 module. The OAuth2 module silently rewrites a local user's password to the literal value of their own username, after which the default ldapService chain accepts the username as both identifier and password at the standard authenticate endpoint - no IdP interaction needed. No public exploit identified at time of analysis, but the attack requires only knowledge of a target username once the password-rewrite has fired.
Pre-authentication login bypass in OpenAM Community Edition through 16.0.6 lets an unauthenticated remote attacker mint a valid OpenAM session for an arbitrary user without supplying a password. The MSISDN authentication module concatenates a request-supplied MSISDN value directly into an LDAP search filter (CWE-90), and because the default trusted-gateway list permits all traffic, any realm with an MSISDN module in its authentication chain is reachable and exploitable. No public exploit identified at time of analysis, and the issue is fixed in version 16.1.1.