Heap-based buffer overflow in PcapPlusPlus 25.05 allows remote, unauthenticated attackers to corrupt heap memory by sending a crafted Modbus TCP packet containing a malformed `length` field to applications using the library's `pcpp::ModbusLayer::getLength()` parser. The CVSS 4.0 score of 2.9 reflects the high attack complexity (AC:H) required to exploit the flaw reliably, with impact capped at low across confidentiality, integrity, and availability. Publicly available exploit code exists (poc.zip), though no active exploitation has been confirmed by CISA KEV at time of analysis.
Google OAuth login in Documenso through version 2.11.0 fails to enforce two-factor authentication during the OAuth callback flow, allowing a remote attacker to authenticate as any Google-linked user without completing MFA verification. The flaw resides in handle-oauth-callback-url.ts, where the oauth2fa state is not properly routed through the dedicated OAuth 2FA verification path - as confirmed by the PR diff showing the signin form was not checking the oauth2fa=true callback parameter. Publicly available exploit code exists (GitHub issue #2758), though no active exploitation has been confirmed and the CVSS 4.0 AC:H rating indicates the attack requires precise manipulation of the OAuth callback flow.
Cherry Studio's MCP OAuth Local Callback Server, in all versions up to 1.9.6, accepts OAuth authorization code callbacks without validating the OAuth `state` parameter, enabling authorization code injection attacks. The PR diff confirms that `src/main/services/mcp/oauth/callback.ts` processed any inbound `code` value without checking a bound state token, allowing a network-positioned attacker to substitute a malicious authorization code during an active OAuth flow. A public exploit has been disclosed via GitHub issue #15372; no confirmed patched release exists - only an unmerged fix PR (#15388) - and no active exploitation has been confirmed (not in CISA KEV).
SQL injection in YzmCMS up to version 7.5 allows network-based attackers to manipulate database queries by supplying crafted input to the siteurl argument within the installation endpoint /application/install/index.php. No authentication is required per the CVSS 4.0 vector (PR:N), though the attack is rated high complexity (AC:H), meaning exploitation is non-trivial despite a publicly available proof-of-concept on GitHub. The vendor did not respond to coordinated disclosure, leaving no official patch available; CVSS 4.0 scores this 6.3 with partial impact across confidentiality, integrity, and availability - no confirmed active exploitation (not in CISA KEV).
Heap-based buffer overflow in PcapPlusPlus 25.05's Telnet subnegotiation packet parser allows remote attackers to corrupt heap memory by sending a specially crafted Telnet subnegotiation packet to any application embedding this library. The flaw in `pcpp::TelnetLayer::getSubCommand` (Packet++/src/TelnetLayer.cpp) results in low-level confidentiality, integrity, and availability impact against the parsing process. A proof-of-concept exploit (poc.zip) is publicly available on GitHub, but no active exploitation has been confirmed via CISA KEV, and the high attack complexity (AC:H in the provided CVSS 4.0 vector) keeps the overall score at a low 2.9.
Heap-based buffer overflow in PcapPlusPlus 25.05's TLS Hello Handler allows remote unauthenticated attackers to trigger memory corruption via a crafted handshakeVersion argument in the SSLClientHelloMessage::getHandshakeVersion function of SSLHandshake.cpp. Successful exploitation requires high attack complexity, limiting practical impact, but a public proof-of-concept (poc.zip) has been disclosed via GitHub. This vulnerability is not confirmed in CISA KEV, and its CVSS 4.0 score of 2.9 reflects the constrained, low-impact nature of the flaw despite the public exploit availability.
Heap-based buffer overflow in PcapPlusPlus 25.05 allows remote attackers to crash applications that parse attacker-controlled pcapng files via a crafted `captured_packet_length` value in the `parse_by_block_type` function of the LightPcapNg Parser. A publicly available proof-of-concept exploit (poc.zip) exists, though confirmed impact is limited to availability - application crash/denial-of-service - with no confidentiality or integrity impact indicated by the CVSS 4.0 vector. No active exploitation is confirmed, and no patch has been identified at time of analysis.
Command injection in Wavlink WL-NU516U1-A router firmware (M16U1_V240425) allows authenticated remote attackers to execute arbitrary OS commands by submitting crafted POST parameters to the wireless CGI configuration handler. The affected function sub_401D68 within /cgi-bin/wireless.cgi fails to sanitize the SSID2G2, SSID5G2, AuthMethod2, and WPAPSK12 parameters before passing them to OS-level commands. A public proof-of-concept exploit is confirmed available on GitHub; this CVE is not currently listed in CISA's KEV catalog, but the vendor has already released a patched firmware.
OS command injection in the Edimax EW-7478APC wireless access point firmware 1.04 allows a network-reachable authenticated attacker to execute arbitrary OS commands on the device by manipulating the `rootAPmac` parameter in POST requests to `/goform/formStaDrvSetup`. A public proof-of-concept exploit is available, indexed by VulDB and documented externally, and the vendor did not respond to responsible disclosure - making a vendor-released patch unlikely in the near term. The provided CVSS 4.0 score of 2.1 appears to significantly understate actual impact, as OS command injection on embedded Linux network devices typically yields full device compromise rather than the 'Low' impact across all three dimensions assigned in the vector.
Authorization bypass in CodeAstro Complaint Management System 1.0 exposes the deletereport endpoint to unauthenticated arbitrary deletion of complaint reports and associated files. The deletereport function in application/controllers/Report.php accepts a caller-supplied report identifier without verifying ownership or authorization, enabling any remote user to delete any report by manipulating that identifier. A public proof-of-concept exploit is available on GitHub; no CISA KEV listing exists at time of analysis, indicating no confirmed widespread active exploitation.
Reflected cross-site scripting in GotoHTTP up to version 10.2 allows remote attackers to inject arbitrary JavaScript via the `sn` parameter in the `/reg.12x` endpoint. A publicly available proof-of-concept exploit exists (GitHub issue linked in references). The vendor has acknowledged the flaw and removed the parameter echo from source code, but explicitly declined to release a patched build immediately, stating the affected URL is not normally surfaced in a browser or exposed to end users - a claim that partially limits real-world risk but does not eliminate it. No active exploitation confirmed (not in CISA KEV); however, the public POC lowers the bar for abuse.
Server-side request forgery in GitBucket up to version 4.46.1 allows authenticated users to coerce the application server into issuing HTTP requests to arbitrary internal or private network hosts by supplying a crafted URL to the repository creation "clone from existing repository" feature. The flaw resides in `Git.cloneRepository.setURI()` within `RepositoryCreationService.scala`, where user-supplied URL input reaches JGit without validation against private address ranges. A public exploit exists (GitHub issue #4044), though no CISA KEV listing is present - no confirmed active exploitation at time of analysis. An upstream patch is available as commit 487a9b980f56aa73b6a044b1e86a92eed5043215 via PR #4056.
Improper access control in Feehi CMS up to version 2.1.1 allows low-privileged remote attackers to perform unauthorized operations against the /api/users API endpoint. Exploitation of CWE-284 at this endpoint enables access to or manipulation of user data beyond what the authenticated role should permit, representing an authentication bypass at the authorization layer. A public exploit exists per GitHub issue #89; no vendor patch or response has been issued as of analysis time, leaving the exposure unmitigated.
SQL injection in CodeAstro Human Resource Management System 1.0 allows low-privileged remote attackers to manipulate database queries via the ID argument passed to the GetFileInfo function within the View Endpoint. The vulnerability resides in hrsystem/application/models/Employee_model.php and can result in unauthorized read and write access to the underlying database. A public exploit has been published on GitHub, elevating practical risk despite the authentication requirement and moderate CVSS 4.0 score of 5.3.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/departmentDoctor.php` endpoint to database manipulation via the unsanitized `deptid` parameter, allowing a remote low-privileged attacker to read, modify, or corrupt backend database records. The CVSS 4.0 vector (PR:L) confirms that a valid application account is required, limiting opportunistic exploitation. A public proof-of-concept exploit is available on GitHub (linked from VulDB), and no vendor patch has been identified at time of analysis, making compensating controls the only available remediation path.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the billing endpoint /insertbillingrecord.php to database manipulation by low-privileged remote attackers via the unsanitized patientid parameter. A public exploit has been disclosed on GitHub, lowering the barrier to exploitation significantly despite a low CVSS 4.0 base score of 2.1. No CISA KEV listing exists, but the combination of a publicly available proof-of-concept and access to potentially sensitive patient health and billing records elevates real-world concern beyond what the numeric score alone conveys.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/doctortimings.php` endpoint to database manipulation via the unsanitized `editid` parameter, allowing a remote low-privilege authenticated attacker to read, modify, or partially disrupt backend database contents. The CVSS 4.0 vector (PR:L) confirms that some form of application authentication is required, limiting opportunistic mass exploitation, but a publicly available proof-of-concept exploit on GitHub materially lowers the barrier for targeted attacks. No patch has been released; the vulnerability is not listed in the CISA KEV catalog, but the sensitivity of healthcare data in scope makes it a meaningful risk for any production deployment.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/doctorprofile.php` endpoint to remote exploitation via the `doctorname` parameter, allowing an authenticated attacker to execute arbitrary SQL commands against the backend database. Affected systems risk unauthorized access to, modification of, or partial disruption of sensitive medical and staff records stored within the application. A public proof-of-concept exploit has been disclosed on GitHub (CVSS 4.0 E:P), significantly lowering the technical barrier for exploitation despite the moderate base score; no CISA KEV listing is present at time of analysis.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the backend database to authenticated remote attackers through the `newpassword` parameter of `/doctorchangepassword.php`. An attacker holding low-privilege credentials - such as a doctor account - can craft malicious SQL payloads to read, modify, or potentially delete database records. A public exploit exists per the CVSS 4.0 E:P modifier and a referenced GitHub issue; no active exploitation has been confirmed by CISA KEV.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the /department.php endpoint to database manipulation via the unsanitized `editid` parameter, allowing a remote low-privileged authenticated attacker to read, modify, or delete hospital database contents. The CVSS 4.0 vector (PR:L) confirms a valid user account is required, constraining but not eliminating risk for internet-exposed instances. A public exploit has been released on GitHub, materially increasing the likelihood of opportunistic abuse against deployed instances.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the Appointment Handler endpoint `/appointmentdetail.php` to remote database manipulation via the unsanitized `editid` parameter. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege authentication is required and a public proof-of-concept exploit is available on GitHub, materially lowering the bar for exploitation. While not listed in CISA KEV, the combination of network reachability, trivial exploitation complexity, and live PoC code makes this a concrete risk for any organization running this codebase in production.
SQL injection in CodeAstro Human Resource Management System 1.0 allows a low-privileged authenticated remote attacker to manipulate the `emid` parameter in the Update_Earn_Leave endpoint, triggering time-based blind SQL injection against the underlying database. The vulnerability resides in the `emselectByCode` function within `application/models/Employee_model.php`, where unsanitized input is passed directly into SQL query construction. A public proof-of-concept exploit is available on GitHub; no active exploitation has been confirmed by CISA KEV at time of analysis.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/appointmentapproval.php` Appointment Handler endpoint to database manipulation via the `editid` parameter, allowing low-privileged remote attackers to read, modify, or delete backend data. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-exploitability with minimal attack complexity once credentials are obtained, and a public proof-of-concept has been disclosed on GitHub, substantially lowering the attacker skill threshold. No active exploitation is confirmed by CISA KEV, but the medical context of the affected system - which likely stores sensitive patient and appointment records - amplifies the potential impact of even a limited SQL injection.
Cross-site request forgery in CodeAstro Human Resource Management System 1.0 enables remote attackers to perform unauthorized state-changing actions - specifically department deletion - by tricking an authenticated user into visiting a crafted malicious page. The exploit targets the department deletion endpoint and publicly available proof-of-concept code has been published on GitHub, lowering the bar for exploitation. No active exploitation has been confirmed by CISA KEV, but the combination of a public PoC, network-accessible attack vector, and no required attacker privileges makes this an accessible target for opportunistic attackers against organizations running this software.
SQL injection in itsourcecode Hospital Management System 1.0 exposes authenticated patient users to database-level attacks via the `/patientchangepassword.php` endpoint. The `newpassword` parameter is passed unsanitized into SQL queries, allowing an authenticated attacker to manipulate backend database operations - potentially reading, modifying, or deleting patient records. A public proof-of-concept exploit exists (GitHub issue linked from VulDB report), though no active exploitation has been confirmed by CISA KEV. The CVSS 4.0 score of 2.1 reflects the limited real-world severity due to the authentication prerequisite and constrained impact scope.
SQL injection in itsourcecode Hospital Management System 1.0 exposes the `/patientdetail.php` endpoint to database manipulation via the unsanitized `editid` parameter, reachable by any low-privileged authenticated user over the network. A public proof-of-concept exploit is available (referenced via GitHub issue), lowering the skill barrier for exploitation against any deployed instance. The CVSS 4.0 score of 2.1 reflects low per-impact ratings across confidentiality, integrity, and availability, but SQL injection vulnerabilities routinely exceed their scored impact bounds when database accounts carry excess privileges - no public exploitation has been confirmed in CISA KEV.
Cross-site scripting in code-projects Online Music Site 1.0 allows unauthenticated remote attackers to inject malicious scripts via the feedback form's fname, femail, faddress, or fmessage parameters handled by /Frontend/Feedback.php. The CVSS 4.0 score of 2.1 (Low) reflects the UI:P requirement - a victim must interact with the crafted content for the payload to execute, limiting autonomous exploitation. A public proof-of-concept is available via GitHub, though no confirmed active exploitation (CISA KEV) has been recorded.
SQL injection in EyouCMS up to version 1.7.1 allows remote authenticated attackers with high privileges to manipulate database queries via the click_like argument in the /index.php API component. The CVSS 4.0 score is 2.0, heavily discounted by the PR:H requirement, yet confidentiality, integrity, and availability impacts are all rated Low. A public proof-of-concept exists via a GitHub issue report; the vendor has not acknowledged or patched the vulnerability. No active exploitation has been confirmed (not listed in CISA KEV).
Heap-based buffer overflow in LLVM llvm-project through version 22.1.6 allows a local low-privilege attacker to crash affected LLVM tooling by supplying a crafted bitcode file that triggers an out-of-bounds heap write in the GCRelocateInst::getBasePtr function within the Bitcode File Handler component. The LLVM project was notified via a GitHub issue report but has not yet responded or released a patch. A proof-of-concept exploit has been publicly disclosed, and no active exploitation is confirmed in CISA KEV.
Stack-based buffer overflow in LLVM's ValueSymbolTable module (llvm-project versions up to 22.1.6) allows a local, low-privileged attacker to crash the LLVM process by triggering a malformed invocation of llvm::StringMap::insert in /lib/IR/ValueSymbolTable.cpp, resulting in limited availability impact only - no confidentiality or integrity compromise is indicated by the CVSS 4.0 vector. A proof-of-concept exploit has been publicly released, lowering the barrier to triggering the crash in affected developer or CI/CD environments. No active exploitation has been confirmed by CISA KEV, and the LLVM project had not issued a patch or public response as of disclosure.
Unbounded zlib decompression in GPAC up to version 26.02.0 allows a local low-privileged attacker to cause resource exhaustion via a crafted highly-compressed (zip-bomb) payload processed by the ISOBMFF parser and associated filter modules. The affected function `gf_gz_decompress_payload_ex()` in `src/utils/base_encoding.c` applies no ceiling on inflated output size, enabling disproportionate memory or CPU consumption. A public proof-of-concept exists (GitHub issue #3588), but no active exploitation is confirmed in CISA KEV; the CVSS 4.0 score of 4.8 reflects the local-only attack surface and limited availability-only impact.
Authorization bypass in CherryHQ Cherry Studio up to version 1.9.7 allows authenticated remote attackers to cross user/agent memory isolation boundaries by manipulating memory content to produce SHA-256 hash collisions in the MemoryService deduplication logic. The vulnerable CherryIN Preload API component computed memory hashes solely from content, without scoping them to userId or agentId, enabling crafted inputs to match records belonging to other users. A public exploit exists per GitHub issue #15411, and a vendor patch is available via PR #15413; the vendor notes the memory feature is slated for removal in v2.
Non-constant-time AEAD authentication tag comparison in CryptX before 0.088_001 for Perl exposes a timing oracle in the streaming decrypt_done path, enabling authentication tag forgery across five AEAD cipher modes: GCM, CCM, ChaCha20Poly1305, EAX, and OCB. An attacker who can submit many candidate tags for a fixed nonce and ciphertext while precisely measuring response timing can recover the expected tag byte-by-byte and forge authenticated messages. No public exploit code exists and CISA has not listed this in KEV; EPSS is 0.23% (13th percentile), consistent with SSVC's 'Exploitation: none' rating at time of disclosure.
Firmware update signature bypass in Hitachi Virtual Storage Platform One Block models 23, 24, 26, and 28 allows an authenticated remote attacker to supply unvalidated firmware packages, potentially compromising storage array integrity and availability. The root cause is CWE-347 (Improper Verification of Cryptographic Signature), and the 'Jwt Attack' tag suggests the firmware validation chain relies on a JWT-based signing mechanism that can be circumvented under specific conditions. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the self-disclosure by Hitachi with a coordinated patch release indicates vendor-confirmed severity.
CORS misconfiguration in Papermark through version 0.22.0 enables unauthenticated remote attackers to silently perform credentialed cross-origin file uploads into authenticated victims' datarooms and read credentialed server responses. The TUS-based viewer upload endpoint reflects arbitrary caller Origins while returning Access-Control-Allow-Credentials: true, violating the fundamental CORS security contract and allowing any attacker-controlled webpage to abuse a victim's active session. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; exploitation is constrained by the requirement for victim user interaction.
OS command injection in Edimax EW-7478APC 1.04 allows a remote low-privileged attacker to execute arbitrary operating system commands by manipulating the submit-url parameter in POST requests to the /goform/formAccept endpoint. The vendor was notified prior to public disclosure but did not respond, leaving the vulnerability unpatched. A public proof-of-concept exploit has been disclosed, and the CVSS 4.0 impact metrics (VC:L/VI:L/VA:L) appear to significantly understate the realistic impact of OS command injection on an embedded network device, which typically yields full system control.
Stored and reflected cross-site scripting in MDEx's Lumis syntax highlighting adapter allows attackers who can submit Markdown content to inject arbitrary HTML and JavaScript into rendered output viewed by other users, enabling session theft and account takeover. The flaw exists in the native Rust code shared between the mdex (0.11.3-0.12.2) and mdex_native (0.1.0-0.2.2) packages, where the highlight_lines_class code-fence attribute is interpolated into per-line HTML div class attributes without escaping. Exploitation requires a non-default rendering configuration (full_info_string: true with syntax highlighting enabled); no public exploit identified at time of analysis, and vendor-released patches are available.
Cross-site scripting in itsourcecode Online Hotel Management System 1.0 allows remote attackers to inject malicious JavaScript via the Name argument in a POST request to /admin/mod_users/controller.php?action=edit. The vulnerability requires a victim to interact with the crafted content (CVSS 4.0 UI:P), limiting its reach but not eliminating risk against administrative users. A publicly disclosed proof-of-concept exploit exists per VulDB submission 843586, though no public exploit identified at time of analysis in CISA KEV.
Cross-site scripting in itsourcecode Online Hotel Management System 1.0 enables remote attackers to inject arbitrary JavaScript via the Name parameter in the amenities management POST handler at /admin/mod_amenities/controller.php?action=add. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P) confirms no authentication or special attack conditions are required to submit the payload, but passive user interaction - an admin browsing the amenities panel - is needed to trigger execution. A proof-of-concept exploit has been publicly disclosed via GitHub (VulDB submission 843584), though no active exploitation has been confirmed by CISA KEV.
Out-of-bounds read in Investintech SlimPDFReader through version 2.0.14 exposes users to application crashes when processing maliciously crafted PDF files, exploitable remotely with passive user interaction. The vulnerable function `SlimPDFReader!Investintech::PCV::TeighaDo+0x25cde0` within `SlimPDFReader.exe` fails to validate buffer boundaries during PDF parsing, resulting in a low-severity availability impact (application crash/DoS) with no confirmed confidentiality or integrity effect despite the 'Information Disclosure' tag in source metadata. No public exploit identified at time of analysis beyond the CVSS 4.0 E:P maturity indicator, and no patch will ever be released as the product is confirmed end-of-life.
OS command injection in the Edimax EW-7478APC wireless access point (firmware 1.04) allows remote attackers with low-privilege credentials to execute arbitrary operating system commands by manipulating the rootAPmac parameter in a POST request to /goform/formiNICbasic. A public proof-of-concept exploit is available, materially lowering the barrier to exploitation. The vendor did not respond to coordinated disclosure, leaving no official patch path for affected devices.
Cross-site scripting in itsourcecode Online Hotel Management System 1.0 allows remote attackers to inject arbitrary JavaScript via the unsanitized `Name` parameter in POST requests to `/admin/mod_room/controller.php?action=add`. The CVSS 4.0 base score of 2.1 reflects constrained real-world impact: only vulnerable-system integrity is affected (VI:L), user interaction is required (UI:P), and no confidentiality or availability impact is assessed. A publicly available exploit exists (E:P per CVSS 4.0 supplemental vector), but no active exploitation has been confirmed via CISA KEV, consistent with the niche deployment footprint of this free PHP educational project.
Arbitrary file overwrite in GNU gzip's gzexe utility allows a local attacker to corrupt victim-accessible files via a symlink attack exploiting predictable temporary filename construction. When mktemp is absent from the user's PATH, gzexe falls back to PID-based temp file naming without exclusive creation or existence checks, enabling a TOCTOU race where a pre-planted symlink redirects the write to an attacker-chosen target. No public exploit or CISA KEV listing exists at time of analysis; impact is limited to low-integrity file overwrite with a CVSS 4.0 score of 2.0.
Stored cross-site scripting in SourceCodester Inventory Management System 1.0 allows a low-privileged remote attacker to inject arbitrary JavaScript via the `full_name` parameter of the User Registration Endpoint at `/api/users_handler.php`. When a privileged user such as an administrator subsequently views the stored user data, the malicious script executes in their browser context, enabling session hijacking, credential theft, or UI redress. Public exploit code exists per VulDB (E:P in CVSS 4.0 vector); however, this vulnerability is not listed in CISA KEV and carries a low CVSS 4.0 base score of 2.0, indicating limited real-world severity.
Stored cross-site scripting in CodeAstro Complaint Management System 1.0 allows a low-privileged authenticated user to inject persistent malicious scripts via the Report Title field at the /report/addreport endpoint, which then execute in the context of any administrator who views the submitted report. The GitHub-published proof-of-concept confirms the payload is stored and surfaces in the admin panel, enabling session hijacking or admin-context actions without further attacker interaction after initial submission. A public exploit has been released; however, no active exploitation has been confirmed by CISA KEV.
Stack-based buffer overflows in libxml2's xmlcatalog utility enable memory corruption and potential arbitrary code execution when the tool is invoked in its interactive --shell mode. The usershell() function writes user-supplied input into fixed-size stack buffers (command, arg, argv) without any length validation, allowing overflow of adjacent stack memory including return addresses. Real-world risk is very low: exploitation requires local access, deliberate user invocation of a non-default shell mode, and an attack precondition - reflected in the CVSS 4.0 score of 1.8 - with no public exploit or active exploitation identified. Notably, libxml2 maintainers disputed the security classification, treating this as a bug rather than a vulnerability.
Insufficient data authenticity verification in MyScaleDB's vector index cache key function allows authenticated remote users to obtain stale or inconsistent vector search results following mutation operations on indexed columns. Versions through 1.8.0 are affected. A proof-of-concept exploit is publicly available (CVSS 4.0 E:P), though the very low base score of 1.3, high attack complexity, and required authenticated access substantially constrain real-world exploitation impact. No confirmed active exploitation exists - this is not on the CISA KEV list.
Improper authorization in DeepMyst Mysti 0.4.0 permits authenticated remote attackers to bypass access controls in the Contact Tracking component by supplying a manipulated `_channelType` argument to the `_isTrackedConversation` function in `src/managers/ChannelBridge.ts`. The CVSS 4.0 score of 1.3 reflects genuine low severity - all CIA impacts are rated Low and no subsequent system scope is affected. Publicly available exploit code exists (CVSS E:P confirmed), but no active exploitation has been confirmed by CISA KEV, and high attack complexity (AC:H) with required authenticated access (PR:L) substantially limits opportunistic abuse.
Chess Play and Learn (chess.com) Android app versions up to 4.9.42 expose application backup files to unauthorized parties through a misconfiguration in AndroidManifest.xml that enables Android's backup mechanism without adequate authorization controls. Physical access to the target device is required to exploit this issue. A public proof-of-concept is available, exploitation probability is very low given the physical access requirement, and the vendor has acknowledged the issue while noting it falls outside their bug bounty scope.