Unvalidated JSONP callback reflection in SeaweedFS before 4.30 enables cross-origin reads of cluster topology, volume server URLs, gRPC ports, file identifiers, and directory listings from unauthenticated endpoints reachable in the default deployment configuration. The shared `writeJson` helper in `weed/server/common.go` concatenates the `callback` query parameter verbatim into `application/javascript` responses with no allowlist validation, no `X-Content-Type-Options: nosniff` header, and no CORS policy, allowing attacker-controlled pages to load these endpoints via script tags and receive cluster metadata through the injected callback. A public proof-of-concept exists; the vulnerability is not in CISA KEV; the CVSS 4.0 score of 2.3 reflects constrained direct impact due to required user interaction and high attack complexity, though the leaked reconnaissance data elevates chained-attack risk.
Heap buffer overflow in the Ruby JSON gem's streaming generator (versions 2.9.0-2.19.8) enables reliable process crash via attacker-controlled serialized data. When applications invoke `JSON.dump(obj, io)` or `JSON::State#generate(obj, io)` to stream JSON to an IO object, the C-level generator can write past its internal buffer if the serialized object contains a string near 16 KB in size. Impact is confined to denial of service - reliable process termination - with no evidence of confidentiality or integrity impact. No public exploit code and no CISA KEV listing are identified at time of analysis; the CVSS score of 3.7 (Low) appropriately reflects the constrained attack conditions.
UI spoofing in Google Chrome's Video Capture component on ChromeOS allows a local attacker to deceive users by rendering misleading interface elements through a specially crafted HTML page. Versions prior to 150.0.7871.47 on ChromeOS are affected. No public exploit code exists and no active exploitation is confirmed - EPSS is 0.13% (3rd percentile) and SSVC rates exploitation as none - making this a low operational priority despite the low-complexity attack conditions.
UI spoofing in Google Chrome's CustomTabs component on Android enables a local attacker to manipulate what a victim sees within an in-app browser session by supplying a malicious file, affecting all Chrome for Android versions prior to 150.0.7871.47. The CVSS score of 3.3 (Low) and EPSS of 0.13% (3rd percentile) reflect constrained real-world impact: exploitation is local, requires user interaction, and produces only integrity-level spoofing. No active exploitation has been confirmed - this vulnerability is not listed in CISA KEV, and SSVC assessment indicates exploitation status of none.
UI spoofing in Google Chrome's Passwords component (versions prior to 150.0.7871.47) allows an attacker who has already achieved renderer process compromise to manipulate security-critical password UI elements via a crafted HTML page. This is a chained exploitation scenario - not a standalone initial-access vector - as the attacker must first compromise the renderer through a separate vulnerability before leveraging this flaw. EPSS at 0.21% (11th percentile) and no CISA KEV listing confirm no observed exploitation at scale; Chromium's internal classification is Medium severity.
Cross-origin data leakage in Google Chrome's DevTools component (versions prior to 150.0.7871.47) permits a remote attacker to exfiltrate data across origin boundaries by tricking a user into performing specific UI gestures on a crafted HTML page. The CVSS base score of 3.1 (Low) reflects high attack complexity and mandatory user interaction, consistent with the EPSS score of 0.21% (11th percentile) indicating negligible in-the-wild exploitation activity. No public exploit code is identified and no CISA KEV listing exists; a vendor patch is available in Chrome 150.0.7871.47.
Cross-origin data leakage in Google Chrome's DataTransfer implementation on macOS exposes sensitive content from one origin to an attacker-controlled page by exploiting improper boundary enforcement during user-driven UI gestures such as drag-and-drop. Versions prior to 150.0.7871.47 on Mac are affected; the flaw is platform-specific to macOS, limiting scope. No public exploit has been identified and SSVC assessment confirms no current exploitation, though successful abuse would silently exfiltrate cross-origin data without triggering typical security warnings.
UI spoofing in Google Chrome's WebShare implementation on Android allows a remote attacker who has already compromised the renderer process to deceive users via a malicious HTML page. Affected versions are all Chrome for Android releases prior to 150.0.7871.47. The exploitation path is severely constrained by the requirement for a pre-existing renderer compromise, yielding a CVSS base score of only 3.1 (Low); no public exploit code exists and SSVC assessment confirms no active exploitation at time of analysis.
Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)
Insufficient policy enforcement in Extensions in Google Chrome on Linux prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)
Race condition in Zephyr RTOS Bluetooth Classic RFCOMM host stack (v4.4.0 and earlier) permanently wedges session state and exhausts the fixed bt_rfcomm_pool when a peer-transmitted DISC frame for dlci 0 collides with a simultaneous local-initiated teardown. The underlying L2CAP channel is never released and the session slot is never reclaimed, eventually denying RFCOMM service to the targeted peer across repeated occurrences. No public exploit identified at time of analysis; the CVSS 3.1 score of 3.1 (Low) with AV:A/AC:H accurately reflects both the Bluetooth adjacency prerequisite and the high-complexity timing race required.
Path traversal in Vibe-Trading's swarm run directory handler allows low-privileged network attackers to read and overwrite arbitrary run.json files on the host filesystem. All releases before 0.1.10 are affected via the MCP swarm tools interface, where a crafted run identifier is passed to the run_dir function in agent/src/swarm/store.py without sanitization, enabling directory escape. No public exploit is identified at time of analysis and the vulnerability is not in the CISA KEV catalog; a vendor-released patch is available as v0.1.10.
CPython's tarfile.extract() silently bypasses the 'filter' parameter when processing hardlinks within tar archives, writing files with attacker-controlled uid/gid values despite the caller specifying filter='data' for security. Systems that extract content from untrusted tar archives while relying on this filter mechanism for ownership hardening are left with unexpected file ownership on extracted hardlinks. No active exploitation has been confirmed (not in CISA KEV) and no public proof-of-concept is available at time of analysis; the CVSS 4.0 score of 2.0 reflects the narrow, low-impact nature of the flaw.
Certificate timestamp validation bypass in sigstore-java 2.0.0 allows an attacker who has already exfiltrated an ephemeral Sigstore signing key to reuse an expired Fulcio certificate, causing bundle verification to succeed when it should fail. PR #1008 erroneously removed the check that bounds a Rekor V1 log entry's `integratedTime` against the Fulcio certificate's validity window, a regression only present in the 2.0.0 release and fixed in 2.1.0. No public exploit identified at time of analysis beyond the vendor-provided proof-of-concept test bundle in sigstore-conformance; CVSS base score of 2.0 reflects the extremely narrow, high-privilege, local-only attack conditions required.
Memory exhaustion denial of service in ImageMagick before 7.1.2-13 allows a local attacker with write access to the OpenCL cache directory to crash the application by placing malformed XML files that trigger an unpatched memory leak in LoadOpenCLDeviceBenchmark(). The root cause is CWE-401: memory allocated during XML parsing of unclosed device elements is never freed, enabling a resource exhaustion attack. No public exploit code has been identified and exploitation has not been confirmed by CISA KEV; however, a patch commit and upstream advisory are available.