Sensitive data leakage in Apple Safari, iOS/iPadOS, and macOS Tahoe before version 26.5.2 exposes users to cross-site data disclosure when visiting a malicious or compromised website. The root cause is a permissions enforcement deficiency (CWE-1264) that allows a web context to access data beyond its intended permission boundary. No active exploitation has been confirmed by CISA KEV, and the EPSS score of 0.17% (6th percentile) indicates low observed exploitation probability at time of analysis; however, the unauthenticated, low-complexity network vector makes this a realistic target for drive-by attacks once details become public.
Improper Authorization (CWE-285) in Apache Tomcat's default servlet allows HTTP method-based and method-omission security constraints to be silently bypassed across all major supported Tomcat branches from 7.0.x through 11.0.x. An attacker can perform HTTP operations - such as PUT or DELETE - that the web.xml security constraint configuration was intended to restrict, potentially enabling unauthorized file upload, modification, or deletion on the default servlet's served content. No active exploitation has been confirmed (not in CISA KEV) and no CVSS score has been published at time of analysis, but the broad version range and ubiquitous deployment footprint of Tomcat make prompt patching a priority.
Denial-of-service memory corruption in Apple's WebKit engine affects Safari, iOS/iPadOS, and macOS Tahoe before version 26.5.2, where processing maliciously crafted web content triggers an unexpected process crash. The CVSS vector scores only availability impact (A:H) with no confidentiality or integrity loss, indicating a crash rather than code execution. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.16%), consistent with a browser-rendering DoS reported internally by Apple rather than an actively exploited threat.
Clipboard data disclosure in Apple Safari (and the shared WebKit engine on iOS, iPadOS, and macOS) before version 26.5.2 lets a malicious website silently read or hijack clipboard contents without user interaction or permission, rated CVSS 7.5 (confidentiality-only). Apple has shipped fixes in Safari 26.5.2, iOS/iPadOS 26.5.2, and macOS Tahoe 26.5.2, and the issue was reported internally by Apple. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Cross-origin information disclosure in Apple Safari, iOS, iPadOS, and macOS Tahoe (all versions before 26.5.2) allows an attacker who can direct a user to maliciously crafted web content to read sensitive data from other origins, violating the Same-Origin Policy. The flaw stems from inadequate tracking of security origins in the WebKit engine (CWE-346), and is notable because on iOS and iPadOS all browsers are mandated to use WebKit, meaning every browser on those platforms is affected. No public exploit or CISA KEV listing is identified at time of analysis; Apple has released patches across all affected platforms.
Replay attack vulnerability in Apache Tomcat's cluster EncryptionInterceptor allows a network-adjacent attacker to retransmit previously captured encrypted inter-node cluster messages, causing receiving nodes to accept and process them as legitimate - potentially corrupting distributed session state or triggering unintended cluster actions. All major supported branches are affected: 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.13 through 9.0.18, plus end-of-life branches 8.5.38-8.5.100 and 7.0.100-7.0.109. No public exploit or CISA KEV listing has been identified at time of analysis; however, the breadth of affected versions across all active and legacy branches elevates organizational exposure, particularly for environments running EOL 8.5.x or 7.x with no available patch.
Sandbox-escaping information disclosure in Yelp (the GNOME help viewer) lets a malicious Flatpak application read arbitrary user-readable files on the host. By using the OpenURI portal to open crafted help content that embeds an untrusted CSS stylesheet inside a structured SVG document, an attacker abuses an overly permissive Content Security Policy supplied by yelp-xsl to force Yelp to evaluate local XML inclusions and exfiltrate file contents via remote CSS resource requests, defeating Flatpak's intended isolation. The flaw was disclosed publicly (GNOME developer blog by Michael Catanzaro, May 2026) and tracked by Red Hat; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Unauthenticated broken access control in the Japanized For WooCommerce WordPress plugin (versions <= 2.9.12) allows remote unauthenticated attackers to bypass authorization checks and perform restricted operations, resulting in limited integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, lowering the exploitation barrier significantly for any exposed WordPress site running this plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low complexity and zero-privilege requirement make this accessible to unsophisticated attackers.
Broken Access Control in the Business Directory WordPress plugin (versions 6.4.23 and below) permits unauthenticated remote attackers to perform unauthorized operations against directory data, yielding limited integrity and availability impacts. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms exploitation requires no authentication, no special configuration, and no user interaction, making the attack trivially accessible to any network-reachable actor. No public exploit code and no CISA KEV listing are confirmed at time of analysis, placing current real-world exploitation risk in the moderate range.
Broken access control in WP User Frontend plugin for WordPress (versions <= 4.3.7) allows unauthenticated remote attackers to perform restricted actions without authorization. The flaw stems from missing authorization checks (CWE-862) on one or more plugin endpoints, enabling limited integrity and availability impact against affected WordPress installations. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis, though the unauthenticated, low-complexity nature of the vulnerability lowers the bar for casual abuse.
Stored Cross-Site Scripting in the MasterStudy LMS WordPress plugin (versions <= 3.7.27) allows authenticated subscriber-level users to inject malicious scripts that execute in the browsers of higher-privileged users such as administrators. The vulnerability carries a Scope:Changed CVSS vector, meaning successful exploitation breaks the browser security boundary and can impact resources beyond the plugin itself - enabling session hijacking, credential theft, or privilege escalation within the WordPress admin context. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (subscriber role) widens the attacker pool considerably on sites with open or paid user registration.
Cross-site scripting in the Business Directory WordPress plugin (versions 6.4.22 and earlier) allows authenticated subscriber-level users to inject arbitrary JavaScript that executes in other users' browsers. The scope-change indicator in the CVSS vector (S:C) confirms the payload can cross trust boundaries - most critically, scripts injected by a low-privilege subscriber can execute in the context of a higher-privilege user such as an administrator. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Command injection in Wavlink WL-NU516U1-A router firmware (M16U1_V240425) allows authenticated remote attackers to execute arbitrary OS commands by submitting crafted POST parameters to the wireless CGI configuration handler. The affected function sub_401D68 within /cgi-bin/wireless.cgi fails to sanitize the SSID2G2, SSID5G2, AuthMethod2, and WPAPSK12 parameters before passing them to OS-level commands. A public proof-of-concept exploit is confirmed available on GitHub; this CVE is not currently listed in CISA's KEV catalog, but the vendor has already released a patched firmware.
Unauthenticated access to private playlist data in Invidious before v2.20260626.0 is possible via a broken authorization check on the RSS feed playlist endpoint. By supplying a known playlist ID to this endpoint, a remote attacker with no credentials can retrieve the full contents of a private playlist, the owner's email address, and all associated video entries. No public exploit has been identified at time of analysis, and a vendor-released patch is available in v2.20260626.0.
Server-side request forgery in Pinpoint APM through version 3.1.0 allows authenticated users with low privileges to register internal or cloud-metadata URLs as alarm webhook targets due to missing URL validation on the webhook registration endpoint. By deliberately triggering alarm threshold breaches, an attacker can coerce the Pinpoint server to issue outbound POST requests to internal hosts, cloud metadata services (such as AWS IMDS at 169.254.169.254), or other non-routable internal infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CVSS 4.0 subsequent-system confidentiality impact is rated High, reflecting the potential to enumerate internal services or harvest cloud credentials.
JWT algorithm confusion in Strapi's users-permissions plugin enables authentication control weakening when the plugin::users-permissions.jwt.algorithm setting is absent from configuration. The plugin silently accepts HS384 and HS512 tokens alongside the intended HS256, allowing an attacker who has already obtained the jwtSecret to mint tokens using non-standard HMAC variants and bypass any algorithm-enforcement logic. No public exploit code is identified at time of analysis and this vulnerability is not listed in CISA KEV; real-world risk is substantially bounded by the prerequisite of jwtSecret compromise, reflected in the CVSS 4.0 score of 6.3 with High Complexity and Presence-of-attack-requirement modifiers.
OS command injection in the Edimax EW-7478APC wireless access point firmware 1.04 allows a network-reachable authenticated attacker to execute arbitrary OS commands on the device by manipulating the `rootAPmac` parameter in POST requests to `/goform/formStaDrvSetup`. A public proof-of-concept exploit is available, indexed by VulDB and documented externally, and the vendor did not respond to responsible disclosure - making a vendor-released patch unlikely in the near term. The provided CVSS 4.0 score of 2.1 appears to significantly understate actual impact, as OS command injection on embedded Linux network devices typically yields full device compromise rather than the 'Low' impact across all three dimensions assigned in the vector.
Path traversal in Snowflake CLI versions prior to 3.19 enables arbitrary local file exfiltration to Snowflake cloud services when a victim processes attacker-controlled project or repository content. The CLI fails to restrict file path resolution during deployment or SQL template processing, allowing crafted project files to reference and transmit content from outside the intended project directory boundary to Snowflake-hosted artifacts. No public exploit has been identified and this CVE is not listed in the CISA KEV catalog; upgrade to version 3.19 is required as the vendor documents no supported workarounds.
Broken access control in MainWP WordPress plugin versions 6.1.1 and below allows authenticated subscribers to bypass authorization checks and perform actions restricted to higher-privileged roles. The CVSS vector (PR:L, AC:L, AV:N) confirms any low-privileged WordPress account - the subscriber role being the lowest default - is sufficient for network-based exploitation with no special complexity. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the minimal barrier to obtaining a subscriber account on sites with open registration makes this a meaningful risk for multi-user or membership-based installations.
Stack exhaustion in p11-kit's RPC server crashes the daemon and any dependent cryptographic services on affected Red Hat systems. The vulnerability exists in the PKCS#11 RPC message parsing layer, where two attribute-handling functions form a mutually-recursive call chain with no depth limit when processing nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE attributes - allowing any local user or process with socket access to crash the server by sending a single crafted request. No public exploit or active exploitation has been identified at time of analysis, and impact is limited to availability (denial of service) with no confidentiality or integrity consequence.
Authorization bypass in CodeAstro Complaint Management System 1.0 exposes the deletereport endpoint to unauthenticated arbitrary deletion of complaint reports and associated files. The deletereport function in application/controllers/Report.php accepts a caller-supplied report identifier without verifying ownership or authorization, enabling any remote user to delete any report by manipulating that identifier. A public proof-of-concept exploit is available on GitHub; no CISA KEV listing exists at time of analysis, indicating no confirmed widespread active exploitation.
Reflected cross-site scripting in GotoHTTP up to version 10.2 allows remote attackers to inject arbitrary JavaScript via the `sn` parameter in the `/reg.12x` endpoint. A publicly available proof-of-concept exploit exists (GitHub issue linked in references). The vendor has acknowledged the flaw and removed the parameter echo from source code, but explicitly declined to release a patched build immediately, stating the affected URL is not normally surfaced in a browser or exposed to end users - a claim that partially limits real-world risk but does not eliminate it. No active exploitation confirmed (not in CISA KEV); however, the public POC lowers the bar for abuse.
Stored cross-site scripting in Apache ActiveMQ Web Console allows an authenticated message producer to inject malicious JavaScript via a crafted JMS message ID, which executes in the browser of any administrator who browses the affected queue. The browse page renders message IDs without HTML sanitization, enabling privilege escalation from producer to administrator via session hijacking or credential theft. No public exploit identified at time of analysis and not listed in CISA KEV; rated moderate severity by Apache, consistent with the authentication prerequisite and required user interaction.
Server-side request forgery in GitBucket up to version 4.46.1 allows authenticated users to coerce the application server into issuing HTTP requests to arbitrary internal or private network hosts by supplying a crafted URL to the repository creation "clone from existing repository" feature. The flaw resides in `Git.cloneRepository.setURI()` within `RepositoryCreationService.scala`, where user-supplied URL input reaches JGit without validation against private address ranges. A public exploit exists (GitHub issue #4044), though no CISA KEV listing is present - no confirmed active exploitation at time of analysis. An upstream patch is available as commit 487a9b980f56aa73b6a044b1e86a92eed5043215 via PR #4056.
Improper access control in Feehi CMS up to version 2.1.1 allows low-privileged remote attackers to perform unauthorized operations against the /api/users API endpoint. Exploitation of CWE-284 at this endpoint enables access to or manipulation of user data beyond what the authenticated role should permit, representing an authentication bypass at the authorization layer. A public exploit exists per GitHub issue #89; no vendor patch or response has been issued as of analysis time, leaving the exposure unmitigated.
SQL injection in CodeAstro Human Resource Management System 1.0 allows low-privileged remote attackers to manipulate database queries via the ID argument passed to the GetFileInfo function within the View Endpoint. The vulnerability resides in hrsystem/application/models/Employee_model.php and can result in unauthorized read and write access to the underlying database. A public exploit has been published on GitHub, elevating practical risk despite the authentication requirement and moderate CVSS 4.0 score of 5.3.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/departmentDoctor.php` endpoint to database manipulation via the unsanitized `deptid` parameter, allowing a remote low-privileged attacker to read, modify, or corrupt backend database records. The CVSS 4.0 vector (PR:L) confirms that a valid application account is required, limiting opportunistic exploitation. A public proof-of-concept exploit is available on GitHub (linked from VulDB), and no vendor patch has been identified at time of analysis, making compensating controls the only available remediation path.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the billing endpoint /insertbillingrecord.php to database manipulation by low-privileged remote attackers via the unsanitized patientid parameter. A public exploit has been disclosed on GitHub, lowering the barrier to exploitation significantly despite a low CVSS 4.0 base score of 2.1. No CISA KEV listing exists, but the combination of a publicly available proof-of-concept and access to potentially sensitive patient health and billing records elevates real-world concern beyond what the numeric score alone conveys.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/doctortimings.php` endpoint to database manipulation via the unsanitized `editid` parameter, allowing a remote low-privilege authenticated attacker to read, modify, or partially disrupt backend database contents. The CVSS 4.0 vector (PR:L) confirms that some form of application authentication is required, limiting opportunistic mass exploitation, but a publicly available proof-of-concept exploit on GitHub materially lowers the barrier for targeted attacks. No patch has been released; the vulnerability is not listed in the CISA KEV catalog, but the sensitivity of healthcare data in scope makes it a meaningful risk for any production deployment.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/doctorprofile.php` endpoint to remote exploitation via the `doctorname` parameter, allowing an authenticated attacker to execute arbitrary SQL commands against the backend database. Affected systems risk unauthorized access to, modification of, or partial disruption of sensitive medical and staff records stored within the application. A public proof-of-concept exploit has been disclosed on GitHub (CVSS 4.0 E:P), significantly lowering the technical barrier for exploitation despite the moderate base score; no CISA KEV listing is present at time of analysis.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the backend database to authenticated remote attackers through the `newpassword` parameter of `/doctorchangepassword.php`. An attacker holding low-privilege credentials - such as a doctor account - can craft malicious SQL payloads to read, modify, or potentially delete database records. A public exploit exists per the CVSS 4.0 E:P modifier and a referenced GitHub issue; no active exploitation has been confirmed by CISA KEV.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the /department.php endpoint to database manipulation via the unsanitized `editid` parameter, allowing a remote low-privileged authenticated attacker to read, modify, or delete hospital database contents. The CVSS 4.0 vector (PR:L) confirms a valid user account is required, constraining but not eliminating risk for internet-exposed instances. A public exploit has been released on GitHub, materially increasing the likelihood of opportunistic abuse against deployed instances.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the Appointment Handler endpoint `/appointmentdetail.php` to remote database manipulation via the unsanitized `editid` parameter. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege authentication is required and a public proof-of-concept exploit is available on GitHub, materially lowering the bar for exploitation. While not listed in CISA KEV, the combination of network reachability, trivial exploitation complexity, and live PoC code makes this a concrete risk for any organization running this codebase in production.
SQL injection in CodeAstro Human Resource Management System 1.0 allows a low-privileged authenticated remote attacker to manipulate the `emid` parameter in the Update_Earn_Leave endpoint, triggering time-based blind SQL injection against the underlying database. The vulnerability resides in the `emselectByCode` function within `application/models/Employee_model.php`, where unsanitized input is passed directly into SQL query construction. A public proof-of-concept exploit is available on GitHub; no active exploitation has been confirmed by CISA KEV at time of analysis.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/appointmentapproval.php` Appointment Handler endpoint to database manipulation via the `editid` parameter, allowing low-privileged remote attackers to read, modify, or delete backend data. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-exploitability with minimal attack complexity once credentials are obtained, and a public proof-of-concept has been disclosed on GitHub, substantially lowering the attacker skill threshold. No active exploitation is confirmed by CISA KEV, but the medical context of the affected system - which likely stores sensitive patient and appointment records - amplifies the potential impact of even a limited SQL injection.
Broken tenant isolation in SigNoz through 0.130.1 allows authenticated users from one organization to read, modify, and delete alert rules belonging to entirely separate organizations by directly supplying a target rule UUID via API. The alert rule store predicates omit organization ID filtering - a textbook Insecure Direct Object Reference (CWE-639) - collapsing the multi-tenant access boundary. No active exploitation is confirmed (not in CISA KEV) and no public POC has been independently confirmed, though the referenced GitHub issue may expose sufficient technical detail for manual exploitation by any credentialed user on a shared SigNoz instance.
Cross-site request forgery in CodeAstro Human Resource Management System 1.0 enables remote attackers to perform unauthorized state-changing actions - specifically department deletion - by tricking an authenticated user into visiting a crafted malicious page. The exploit targets the department deletion endpoint and publicly available proof-of-concept code has been published on GitHub, lowering the bar for exploitation. No active exploitation has been confirmed by CISA KEV, but the combination of a public PoC, network-accessible attack vector, and no required attacker privileges makes this an accessible target for opportunistic attackers against organizations running this software.
SQL injection in itsourcecode Hospital Management System 1.0 exposes authenticated patient users to database-level attacks via the `/patientchangepassword.php` endpoint. The `newpassword` parameter is passed unsanitized into SQL queries, allowing an authenticated attacker to manipulate backend database operations - potentially reading, modifying, or deleting patient records. A public proof-of-concept exploit exists (GitHub issue linked from VulDB report), though no active exploitation has been confirmed by CISA KEV. The CVSS 4.0 score of 2.1 reflects the limited real-world severity due to the authentication prerequisite and constrained impact scope.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/patientdetail.php` endpoint to database manipulation via the unsanitized `editid` parameter, reachable by any low-privileged authenticated user over the network. A public proof-of-concept exploit is available (referenced via GitHub issue), lowering the skill barrier for exploitation against any deployed instance. The CVSS 4.0 score of 2.1 reflects low per-impact ratings across confidentiality, integrity, and availability, but SQL injection vulnerabilities routinely exceed their scored impact bounds when database accounts carry excess privileges - no public exploitation has been confirmed in CISA KEV.
Unauthenticated cross-site scripting in the Business Directory WordPress plugin (versions <= 6.4.22) allows remote attackers without any authentication to inject and store arbitrary JavaScript that executes in the context of a victim's browser when they visit an affected page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms network-accessible exploitation requiring no privileges, with a scope change indicating the payload crosses from the plugin's execution context into the victim's browser session. No public exploit code or active exploitation has been identified at time of analysis, but the unauthenticated nature and low complexity lower the barrier to abuse significantly.
Cross-site scripting in code-projects Online Music Site 1.0 allows unauthenticated remote attackers to inject malicious scripts via the feedback form's fname, femail, faddress, or fmessage parameters handled by /Frontend/Feedback.php. The CVSS 4.0 score of 2.1 (Low) reflects the UI:P requirement - a victim must interact with the crafted content for the payload to execute, limiting autonomous exploitation. A public proof-of-concept is available via GitHub, though no confirmed active exploitation (CISA KEV) has been recorded.
Broken object-level authorization (BOLA/IDOR) in LibrePhotos prior to version 1.0.0 allows any authenticated user to read private photos belonging to other users by manipulating shared_to relationship parameters in the SetPhotosShared endpoint without server-side ownership validation. The attack vector is network-accessible and requires only a low-privilege account, delivering high confidentiality impact against victim photo libraries. No public exploit code or CISA KEV listing has been identified at time of analysis; a vendor-released patch is available as version 1.0.0.
Cross-operation authorization bypass in Mythic C2 framework before 3.4.0.60 exposes encryption keys and C2 profile configurations to authenticated operators from separate operations. Four webhook REST endpoints - c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, and c2profile_sample_message_webhook - fail to verify that a submitted payload UUID belongs to the caller's operation, allowing an operator in Operation A to retrieve the full C2 profile configuration of Operation B by supplying a known UUID. No public exploit or CISA KEV listing exists at time of analysis; the CVSS 4.0 score of 6.0 reflects high complexity due to the prerequisite of obtaining a cross-operation UUID.
SQL injection in EyouCMS up to version 1.7.1 allows remote authenticated attackers with high privileges to manipulate database queries via the click_like argument in the /index.php API component. The CVSS 4.0 score is 2.0, heavily discounted by the PR:H requirement, yet confidentiality, integrity, and availability impacts are all rated Low. A public proof-of-concept exists via a GitHub issue report; the vendor has not acknowledged or patched the vulnerability. No active exploitation has been confirmed (not listed in CISA KEV).
Heap-based buffer overflow in LLVM llvm-project through version 22.1.6 allows a local low-privilege attacker to crash affected LLVM tooling by supplying a crafted bitcode file that triggers an out-of-bounds heap write in the GCRelocateInst::getBasePtr function within the Bitcode File Handler component. The LLVM project was notified via a GitHub issue report but has not yet responded or released a patch. A proof-of-concept exploit has been publicly disclosed, and no active exploitation is confirmed in CISA KEV.
Stack-based buffer overflow in LLVM's ValueSymbolTable module (llvm-project versions up to 22.1.6) allows a local, low-privileged attacker to crash the LLVM process by triggering a malformed invocation of llvm::StringMap::insert in /lib/IR/ValueSymbolTable.cpp, resulting in limited availability impact only - no confidentiality or integrity compromise is indicated by the CVSS 4.0 vector. A proof-of-concept exploit has been publicly released, lowering the barrier to triggering the crash in affected developer or CI/CD environments. No active exploitation has been confirmed by CISA KEV, and the LLVM project had not issued a patch or public response as of disclosure.
Unbounded zlib decompression in GPAC up to version 26.02.0 allows a local low-privileged attacker to cause resource exhaustion via a crafted highly-compressed (zip-bomb) payload processed by the ISOBMFF parser and associated filter modules. The affected function `gf_gz_decompress_payload_ex()` in `src/utils/base_encoding.c` applies no ceiling on inflated output size, enabling disproportionate memory or CPU consumption. A public proof-of-concept exists (GitHub issue #3588), but no active exploitation is confirmed in CISA KEV; the CVSS 4.0 score of 4.8 reflects the local-only attack surface and limited availability-only impact.
Honeywell IQ MultiAccess physical access control software, all versions through V28, improperly verifies digital signatures on downloaded files due to a time-of-check/time-of-use (TOCTOU) race condition, allowing a local low-privileged attacker to replace a legitimately verified file with a malicious one in the window between signature check and file consumption. Successful exploitation yields high integrity and availability impact on the vulnerable system, as the replaced file may execute attacker-controlled code or corrupt system components. No public exploit identified at time of analysis; Honeywell has released patches V27 SP1 and V28 SP1.
Privilege escalation via role parameter manipulation in SourceCodester Inventory Management System 1.0 allows unauthenticated remote attackers to self-assign elevated roles during user registration. The vulnerability resides in /api/users_handler.php, where the application fails to enforce server-side restrictions on the role argument at the User Registration Endpoint, enabling account creation with admin-level privileges. A public proof-of-concept exploit is available, lowering the skill bar for abuse against any exposed instance; no CISA KEV listing exists, so confirmed active exploitation in the wild has not been established.
Kernel state disclosure in Apple iOS, iPadOS, and macOS Tahoe allows a locally installed app to leak sensitive kernel memory through insufficiently sanitized input. All versions prior to iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2 are affected. No active exploitation is confirmed (not in CISA KEV), and EPSS sits at 0.19% (9th percentile), indicating minimal current threat actor interest despite the kernel-level information exposure.