Cross-origin data exfiltration in Apple Safari, iOS/iPadOS, and macOS Tahoe (all versions prior to 26.5.2) allows a malicious website to read data belonging to a different origin due to insufficient input validation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-delivered without authentication, requiring only that the victim visits an attacker-controlled page. No public exploit code or CISA KEV listing has been identified at time of analysis, and vendor-released patches are available for all affected platforms.
Insecure Direct Object Reference (IDOR) in the Simple User Avatar WordPress plugin through version 4.9 allows authenticated low-privileged users to bypass authorization controls and access avatar-related resources belonging to other users by manipulating user-controlled object keys. The root cause (CWE-639) is the plugin's failure to verify that the requesting user owns or is authorized to access the referenced object. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to CISA KEV, though the low complexity and low privilege requirement (PR:L, AC:L per CVSS) mean any registered WordPress user on an affected site could trivially exploit it.
HCL DevOps Deploy and HCL Launch expose sensitive information in pipeline step output logs, enabling any low-privileged authenticated user with log access to read plaintext sensitive values - such as credentials, API tokens, or configuration secrets - that should be masked or redacted. All versions are potentially affected per the CPE wildcard, and the network-accessible nature (AV:N/PR:L) makes this a meaningful insider threat and lateral movement risk in enterprise CI/CD environments. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.
PKCE bypass in OpenAM Community Edition through 16.0.6 allows an attacker who intercepts an OAuth2 authorization code to exchange it for tokens without supplying the required code_verifier. The token endpoint only enforces PKCE verification when the realm-wide codeVerifierEnforced setting is explicitly enabled - a setting that ships disabled by default - meaning omitting the code_verifier parameter silently skips the challenge check entirely. No public exploit has been identified at time of analysis, and a patch is available in version 16.1.1.