Denial-of-service via NULL pointer dereference in PipeWire's RAOP (Remote Audio Output Protocol) module affects Red Hat Enterprise Linux 8, 9, and 10. The RAOP module fails to enforce an upper bound on Content-Length values in incoming requests and does not validate the return value of pw_array_add(); when a sufficiently large Content-Length triggers an allocation failure, the unchecked NULL return causes a crash of the PipeWire daemon, resulting in complete loss of audio services. No special authentication is required from the adjacent network, and no public exploit or CISA KEV listing has been identified at time of analysis.
Stored Cross-Site Scripting in the Kali Forms WordPress plugin (versions up to and including 2.4.13) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'meta[kaliforms_field_components]' parameter. Any WordPress user who subsequently visits a page containing the injected form will execute the attacker's script in their browser, making session hijacking, credential theft, and admin account takeover realistic outcomes. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege bar (contributor) makes this a realistic risk on multi-author WordPress sites.
Stored Cross-Site Scripting in GiveWP versions up to and including 4.16.0 allows authenticated attackers with author-level WordPress access to inject persistent JavaScript payloads via the 'block_id' attribute of the 'givewp_campaign_comments' shortcode. The flaw originates in two code paths - CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render() - where the blockId value is interpolated directly into a single-quoted HTML attribute without WordPress's esc_attr() sanitization function. Any visitor loading an injected page will have the malicious script execute in their browser context. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Stored Cross-Site Scripting in the WordPress Download Manager plugin (all versions through 3.3.60) allows authenticated contributors to persistently inject arbitrary JavaScript via the `no_data_msg` shortcode attribute, executing in any subsequent visitor's browser context. The vulnerability exploits a bypass in WordPress's `wp_kses_post` sanitization: the filter strips disallowed HTML tokens at save time but does not neutralize C-style escape sequences embedded in shortcode attribute values, which are silently reconstructed into raw `<script>` tags at render time. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the deliberate evasion technique elevates risk on multi-contributor WordPress deployments.
Stored Cross-Site Scripting in Tutor LMS (WordPress plugin by Themeum) versions through 3.9.13 allows authenticated attackers holding author-level or higher WordPress roles to inject persistent malicious scripts via the Lesson Attachment Title field. The injected payload is stored in the WordPress database and executes in the browser of any user who subsequently accesses a course page rendering the attachment - achieving a scope change from the plugin's context into the victim's browsing session. No public exploit code or CISA KEV listing has been identified at time of analysis, but the Wordfence disclosure includes direct source-code references to the vulnerable rendering path, lowering the barrier to exploitation.
Stored Cross-Site Scripting in FV Flowplayer Video Player (all WordPress plugin versions up to and including 7.5.51.7212) allows authenticated contributors to permanently inject arbitrary JavaScript via the unsanitized `align` attribute of the `[video_player]` shortcode. The payload persists in the WordPress database and executes in the browser of every user who subsequently visits any page containing the injected shortcode, enabling session hijacking, credential harvesting, or further site compromise. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis, though the stored nature of this XSS amplifies real-world risk relative to reflected variants.
Stored Cross-Site Scripting in the LearnPress WordPress LMS plugin (versions up to and including 4.4.0) allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the unescaped 'class_wrapper_form' shortcode attribute. The payload persists in the database and executes in the browser of any visitor - including administrators - who loads the affected page, enabling session hijacking, credential harvesting, or privilege escalation through forged admin actions. No CISA KEV listing or public exploit code has been identified at time of analysis, but the Wordfence advisory includes precise code-level references that substantially lower the bar for independent reproduction.
Stored cross-site scripting in JetWidgets For Elementor (versions up to and including 1.0.21) allows authenticated WordPress users holding author-level access or higher to plant persistent JavaScript payloads by supplying unsanitized input to the Animated Box widget's animation_effect parameter, which is written directly into an HTML class attribute without output escaping or server-side validation. Any site visitor who loads an injected page triggers the payload, enabling session hijacking, credential theft, or administrative account takeover through privilege escalation within the victim's browser context. No public exploit has been identified at time of analysis and the CVE does not appear in CISA KEV; however, a fix has been committed to the WordPress plugin repository.
Stored Cross-Site Scripting in the Event Organiser WordPress plugin (all versions through 3.12.9) allows an authenticated attacker with Contributor-level access or higher to inject arbitrary JavaScript via the unescaped 'no_events' parameter of the 'eo_events' shortcode. The payload persists server-side and executes in any visitor's browser when they load a page containing the injected shortcode with no matching events. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the low authentication bar (Contributor) makes this a meaningful risk on multi-author WordPress sites.
Local privilege escalation in Cato Client on macOS allows an authenticated low-privileged user to gain root by chaining two flaws in the PrivilegedHelperTool XPC service: improper certificate validation (CWE-295) that accepts self-signed certificates to bypass XPC caller verification, and a TOCTOU race condition exploitable via symlink swap during package installation. All Cato Client (SDP Client) versions prior to 5.13.1 on macOS are affected. A proof-of-concept exists per the CVSS 4.0 supplemental metric E:P, and the AU:Y (Automatable) tag indicates the exploit chain can be scripted - elevating practical urgency despite the absence of a CISA KEV listing.
Stored cross-site scripting in DivvyDrive (versions 4.8.2.23 through before 4.8.3.1) allows authenticated low-privilege attackers to inject persistent malicious scripts that execute in the browsers of other users who view affected pages. The CVSS scope change (S:C) reflects that injected scripts operate outside the application's security boundary, enabling session hijacking or credential theft against higher-privileged victims such as administrators. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the low attack complexity and cross-scope impact make this a meaningful lateral escalation risk within DivvyDrive deployments.
Stored Cross-Site Scripting in WP Photo Album Plus (WordPress plugin, all versions through 9.1.13.005) allows contributor-level authenticated attackers to inject persistent JavaScript payloads via the unsanitized 'subtext' parameter of the [photo] shortcode. The CVSS scope change (S:C) is the critical amplifier: a low-privileged contributor can embed malicious shortcodes in posts submitted for editorial review, causing the stored payload to execute in administrator browser sessions when the content is previewed - enabling session hijacking and potential full site takeover. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and common WordPress contributor registration practices make this a realistic threat on affected installations.
Remote denial of service in pion/dtls (Go's DTLS implementation) versions prior to 3.1.4 allows an unauthenticated network attacker to crash any application built on this library by sending a crafted ECDHE_PSK ServerKeyExchange message during the DTLS handshake. The CWE-125 out-of-bounds read triggers a Go runtime panic, immediately terminating the host process. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; a vendor-released patch exists in version 3.1.4.
Prototype Pollution in Jodit Editor (versions prior to 4.12.18) allows network-reachable attackers to mutate Object.prototype by supplying crafted configuration payloads to Jodit.configure(), exploiting unfiltered merging in the internal ConfigMerge and ConfigProto helpers. Specifically, keys such as __proto__ or constructor nested inside legitimate option namespaces like controls can propagate to the global JavaScript prototype chain, corrupting runtime behavior for all JavaScript executing in the same environment. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV; however, exploitation is contingent on the host application forwarding user-controlled input into Jodit.configure(), a pattern common in configurable WYSIWYG deployments.
Account denial-of-service in MyComplianceOffice MCO 25.3.3.1 enables a remote attacker to permanently lock a targeted user out of their account by repeatedly triggering password resets. MCO's reset mechanism invalidates all previously set passwords and temporary credentials on every reset cycle, and imposes no rate limit on how frequently resets can be initiated - so once an attacker supplies the victim's email and a valid security question answer, they can sustain the lockout indefinitely. No public exploit has been identified at time of analysis, and active exploitation is not confirmed, but the attack is conceptually simple and requires no authentication beyond the security question hurdle.
A NULL pointer dereference in the AP4_TkhdAtom::GetTrackId() function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Reflected Cross-Site Scripting in VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.12) allows unauthenticated remote attackers to inject arbitrary JavaScript into victims' browsers by tricking them into clicking a crafted URL. The vulnerable `layoutstyle` parameter is insufficiently sanitized before being rendered in the roomslist view template, enabling session hijacking, credential theft, or malicious redirects against authenticated site users such as hotel administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, and a patched version (1.8.13) is available per plugin Trac references.
Reflected Cross-Site Scripting in Wp Google Places Review Slider (WordPress plugin, versions ≤ 18.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized `place` GET parameter in `admin/partials/googlecrawl_dfs.php`. The raw user input is URL-decoded and passed through `stripslashes()` before being echoed directly into an HTML value attribute — bypassing WordPress's standard `esc_attr()` — but only when the supplied place value is not already present as a key in the `wprev_google_crawls` stored option. No public exploit identified at time of analysis; successful exploitation requires tricking an authenticated WordPress administrator into clicking a specially crafted link.
Integer underflow in FatFs R0.16 and earlier corrupts filesystem integrity via a stale dirty-cache skip during interleaved read/write operations on fragmented volumes. The condition `fp->sect - sect < cc` in f_read() and f_write() uses unsigned arithmetic - when `sect` exceeds `fp->sect`, the subtraction wraps to a large unsigned value, bypassing the required cache flush and leaving stale or inconsistent data on disk. A proof-of-concept exists per SSVC assessment, and technical impact is rated Total, though physical access is required per the CVSS vector. No confirmed active exploitation (not in CISA KEV).
Sandbox allow-list bypass in the Twig PHP templating engine lets attacker-supplied filters, tags, and functions run unchecked when a shared Environment mixes sandboxed and non-sandboxed renders. The filter/tag/function SecurityPolicy check was computed once in the Template constructor and cached in $loadedTemplates, so any later sandbox state change or a pre-warmed template left a stale (typically empty) verdict, defeating the sandbox. Fixed in Twig 3.27.0; no public exploit identified at time of analysis and it is not in CISA KEV.
Stored XSS in Craft CMS 5.0.0-RC1 through 5.9.22 allows an author-level control panel user to execute arbitrary JavaScript in the session of an admin or any privileged user with saveEntries permission on the same Structure section. The vulnerability arises from an HTML encode/decode mismatch: the server safely escapes an entry title into a data-title attribute, but jQuery's .data() method re-decodes the value before it is concatenated back into HTML without re-escaping, bypassing the initial sanitization. No active exploitation (CISA KEV) or public exploit code has been identified at time of analysis; the vendor shipped a fix in version 5.9.23.
Deserialization of untrusted data in MediaWiki's wiki import subsystem and logging infrastructure exposes installations to PHP object injection, with high integrity impact on affected systems. Specifically, the WikiImporter, WikiRevision, and LogEntryBase components process attacker-controlled serialized data without sufficient validation, allowing a high-privileged authenticated user to trigger unintended object instantiation or code execution paths. No active exploitation (CISA KEV) or public proof-of-concept has been identified at time of analysis; however, vendor-confirmed patches are available in releases 1.43.9, 1.44.6, 1.45.4, and 1.46.0.
Heap buffer overflow in ImageMagick's MVG decoder allows remote unauthenticated attackers to trigger an out-of-bounds write by supplying a specially crafted image file, resulting in denial of service. Affected are all ImageMagick deployments prior to versions 6.9.13-51 (legacy v6 branch) and 7.1.2-26 (current v7 branch). No public exploit code or active exploitation has been identified at time of analysis; however, the network-accessible vector and zero-privilege requirement make this relevant for any service that accepts and processes user-supplied images.
Cross-user attribute structure leakage in API Platform Core's JSON:API and HAL serializers exposes the schema layout of security-gated properties to lower-privileged users through improper cache reuse. Versions from 2.6.0 up to 4.1.29, 4.2.26, and 4.3.12 are affected across the core, hal, and json-api packages. The component structure computed for a higher-privileged user's request can be served from cache to a subsequent lower-privileged user's request, bypassing the per-request evaluation of #[ApiProperty(security: ...)] predicates. No public exploit identified at time of analysis; vendor-released patches are available.
CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible. An attacker who predicts a session id can impersonate the corresponding session and bypass authentication.
Out of bounds read in V8 in Google Chrome prior to 150.0.7871.46 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Medium)
Stored cross-site scripting in the ShortPixel Enable Media Replace WordPress plugin (all versions through 4.2.1) allows an authenticated attacker with high-level privileges to inject persistent malicious scripts via the media replacement workflow, which then execute in the browser context of any WordPress user who subsequently views the affected content. The scope change confirmed by the CVSS vector (S:C) means a compromised editor-level account could be leveraged to target administrator sessions, enabling privilege escalation within the WordPress admin interface. No public exploit code or CISA KEV listing has been identified at time of analysis; the Patchstack advisory is the primary confirmed intelligence source.
Download-limit enforcement in goshs (Go Simple HTTP Server) v2.0.9 and earlier can be bypassed by racing concurrent HTTP requests against a limited-use share token, allowing a single token to be redeemed more times than the operator configured. The TOCTOU flaw in `ShareHandler` means every concurrent goroutine observes the same pre-increment `Downloaded` counter, each passes the limit check, and each is served the file - completely defeating one-shot or low-count share-link controls. A working proof-of-concept is publicly documented in the GitHub security advisory (GHSA-j48m-h7xq-2xpj) with 5/5 consistent reproductions; no active exploitation is confirmed in CISA KEV.
Weak password hash storage in BMC Control-M/Enterprise Manager exposes account credentials to offline recovery attacks if an attacker gains access to the credential database. Affected are unsupported versions 9.0.20.x and potentially earlier legacy releases, meaning no vendor patch will be issued for these branches - upgrade to a supported release is the only vendor-endorsed remediation. The CVSS 4.0 vector (AV:L/PR:H/AT:P) confirms exploitation requires local, high-privilege access and specific attack conditions, significantly constraining real-world risk; no public exploit code and no CISA KEV listing have been identified at time of analysis.
An access violation in the BaseSplitterFile::Read function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
A division-by-zero vulnerability in the CStreamSwitcherOutputPin::DecideBufferSize function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Arbitrary HDF5 file read in Keras up to 3.13.2 enables information disclosure when a victim loads a crafted model file, representing an incomplete patch for the prior CVE-2026-1669. The flaw lies in two specific code paths - `H5IOStore._verify_dataset()` and `file_editor.py` - which omit the `dataset.is_virtual` check, allowing a malicious HDF5 Virtual Dataset (VDS) to silently redirect reads to attacker-specified paths on the local filesystem. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, but the attack surface is realistic in ML supply chain and model-sharing contexts.
Heap buffer over-write in ImageMagick's JP2 (JPEG 2000) encoder - present in all versions prior to 7.1.2-26 - allows an attacker to crash the process by supplying a maliciously crafted JP2 image file, resulting in a denial-of-service condition. The root cause is CWE-682 (Incorrect Calculation): argument handling logic in the JP2 encoder computes incorrect bounds, leading to an out-of-bounds heap write. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Use-after-free in ImageMagick's 8BIM profile parser crashes the process when a specially crafted image is identified, affecting all releases prior to 6.9.13-51 (legacy branch) and 7.1.2-26 (current branch). The vulnerability is triggered by a specific format string embedded in the 8BIM metadata profile, causing memory corruption that results in a denial-of-service condition. No public exploit or CISA KEV listing has been identified at time of analysis; EPSS data was not provided in the intelligence feed.
Policy bypass in ImageMagick's `-concatenate` operation allows local users to read from and write to filesystem paths that the configured security policy explicitly prohibits. All versions prior to 7.1.2-26 are affected. An attacker or unprivileged local user can invoke ImageMagick with `-concatenate` to circumvent path-based access controls defined in ImageMagick's policy.xml, effectively nullifying a primary hardening control relied upon in restricted or multi-tenant deployments. No public exploit code or CISA KEV listing is identified at time of analysis.
Stack exhaustion via multiple unbounded alloca() calls in the PulseAudio protocol server on Red Hat Enterprise Linux 8, 9, and 10 allows a local low-privileged attacker to crash the audio daemon, resulting in denial of service. The root cause (CWE-770) is the absence of size validation on attacker-controlled protocol parameters before passing them to alloca(), a stack-based allocator with no OS-enforced ceiling. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.
Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging function win_log(), where a malloc size calculation wraps around on 32-bit builds when processing oversized URIs, producing an undersized heap allocation followed by an unchecked strcpy. Remote unauthenticated attackers can trigger this path by sending a maximally-sized URI to the repeater HTTP port, with practical impact bounded by the 153,600-byte HTTP receive buffer and currently assessed at availability disruption rather than reliable code execution. No public exploit code has been identified at time of analysis, and this CVE is not listed in CISA KEV.
Cross-site scripting in Silverstripe Framework's 'Insert media from web' CMS feature allows a remote unauthenticated attacker to inject malicious JavaScript by supplying a specially crafted embed URL that a CMS editor then inserts into content. All Silverstripe Framework installations prior to version 6.2.2 are affected. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and network accessibility make it a credible risk for any deployment where CMS editors process externally sourced media.
Authentication API endpoints and Special pages in MediaWiki expose low-severity confidentiality and integrity weaknesses exploitable by unauthenticated remote attackers who can induce victim user interaction. Five files spanning account-linking and credential management operations - ApiChangeAuthenticationData, ApiLinkAccount, ApiRemoveAuthenticationData, SpecialLinkAccounts, and SpecialUnlinkAccounts - are affected across all MediaWiki releases prior to the fixed branches 1.43.9, 1.44.6, 1.45.4, and the forthcoming 1.46.0. No public exploit code and no active exploitation have been identified at time of analysis; real-world risk is constrained by the user-interaction prerequisite and the limited impact scope.
SurrealDB's automatic graph edge cleanup mechanism bypasses edge-table permission clauses, allowing authenticated low-privilege users to delete edge records and observe hidden edge contents they are not authorized to access. When a node is deleted, the `Document::purge_edges` routine fires with permissions explicitly disabled (`opt.clone().with_perms(false)`), meaning the edge table's `PERMISSIONS FOR delete` and `PERMISSIONS FOR select` clauses are never consulted. This is a confirmed authorization bypass (CWE-285) fixed in version 3.1.0; no public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stored XSS in DivvyDrive versions v.4.8.2.23 through before v.4.8.3.1 enables an authenticated low-privilege user to inject persistent malicious scripts into application content that execute in the browsers of other users who subsequently view the affected page. The CVSS scope change indicator (S:C) reflects that the injected payload breaks out of the application's security boundary into the victim's browser context, enabling session hijacking or unauthorized actions. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the vulnerability was disclosed by TR-CERT with a corresponding patch available.
Cross-site scripting in MediaWiki's JavaScript API client layer (resources/src/mediawiki.Api/index.js) allows network-accessible, unauthenticated attackers to inject malicious scripts that execute in a victim's browser upon user interaction. All MediaWiki deployments prior to versions 1.43.9, 1.44.6, 1.45.4, and 1.46.0 are affected, covering a broad range of wiki installations worldwide. No public exploit code or active exploitation has been identified at time of analysis, but the low attack complexity and lack of authentication requirement elevate concern for public-facing deployments.
Sensitive information exposure in MediaWiki's InfoAction.php allows unauthenticated remote actors to obtain restricted page metadata through the 'Info' action endpoint. All MediaWiki versions before 1.46.0, 1.45.4, 1.44.6, and 1.43.9 are affected across all deployment configurations. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the low attack complexity and lack of authentication requirements make opportunistic discovery straightforward for any actor who can reach the wiki.
Cross-site scripting in the Wikimedia Foundation SyntaxHighlight_GeSHi MediaWiki extension allows authenticated users to inject unsanitized input via the syntax highlighting interface, with malicious script executing in victims' browsers upon page view. The flaw originates in includes/SyntaxHighlight.php and affects all versions prior to branch-specific fixes at 1.46.0, 1.45.4, 1.44.6, and 1.43.9. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS 4.0 score of 5.3 (Medium) reflects limited confidentiality impact scoped to the vulnerable system.
Sensitive abuse filter configuration data in Wikimedia Foundation's AbuseFilter MediaWiki extension is exposed to authenticated low-privilege users via the QueryAbuseFilters API endpoint (includes/Api/QueryAbuseFilters.php). Authenticated wiki users on affected installations (all versions before 1.46.0, 1.45.4, 1.44.6, and 1.43.9) can retrieve private or restricted filter rule details they should not be authorized to access. No active exploitation has been confirmed (not listed in CISA KEV) and no public proof-of-concept exploit is known at time of analysis, but the moderate CVSS 4.0 score of 5.3 reflects real risk to wikis relying on confidential filter logic for abuse prevention.
CRLF injection in WPForms plugin for WordPress (all versions up to and including 1.10.2) enables unauthenticated attackers to silently blind-copy all site notification emails to an attacker-controlled address. The flaw originates from `get_reply_to_address()` applying the wrong smart-tag expansion context, allowing CR/LF characters preserved by `wpforms_sanitize_textarea_field()` to pass unstripped into raw mail header concatenation. Exploitation requires a specific non-default site configuration but demands no authentication or elevated interaction beyond a standard form submission; no public exploit code or CISA KEV listing has been identified at time of analysis.
Incorrect authorization in GitHub Enterprise Server allows an attacker who has obtained a victim's user-to-server token - issued by a GitHub App installation - to perform write operations on any public repository, regardless of whether that installation was explicitly granted access to the target repository. Affected installations span all GHES versions prior to 3.22, with fixes backported to six supported release trains. The CVSS 4.0 score is 5.3 (medium); no public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Unauthorized cross-volume asset deletion in Craft CMS versions 4.0.0-RC1 through 4.17.13 and 5.0.0-RC1 through 5.9.20 allows any authenticated user with file-replace permission in one volume to permanently delete assets from other volumes where they hold no delete permission. The flaw stems from a PHP ternary operator short-circuit in AssetsController::actionReplaceFile() that bypasses source-volume authorization when both assetId and sourceAssetId parameters are supplied together. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the low complexity of the attack logic and the CMS's sequential asset IDs make exploitation straightforward for any low-privilege authenticated insider or compromised account.
Unrestricted file upload in MyComplianceOffice MCO version 25.3.3.1 allows an authenticated low-privileged attacker to upload files of arbitrary types by bypassing client-side-only validation controls. The CVSS 4.0 vector confirms network-accessible exploitation with low complexity, requiring only a valid low-privileged account and a web proxy to intercept and modify upload requests. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Insecure Direct Object Reference in MyComplianceOffice MCO version 25.3.3.1 allows authenticated users to retrieve trading document PDFs belonging to other customers by manipulating a user-supplied document identifier at the fetchPdfStatement API endpoint. The application performs no ownership or authorization check beyond confirming the user is logged in, enabling horizontal privilege escalation across customer accounts. No public exploit code or active exploitation has been identified at time of analysis, but predictable document ID patterns make automated enumeration feasible, raising real-world risk in financial compliance environments where trading statements contain sensitive regulatory and transactional data.