Subscription cancellation authorization bypass in the Fluent Forms WordPress plugin (all versions before 6.2.1) permits any authenticated low-privilege user to cancel subscriptions belonging to other site members by submitting a crafted request referencing a victim's subscription identifier. The plugin fails to verify that the requesting user owns the referenced subscription before processing the cancellation, a classic Insecure Direct Object Reference (IDOR) pattern. A public proof-of-concept is available via WPScan; no confirmed active exploitation campaign (CISA KEV) has been identified at time of analysis, and the CVSS base score of 3.1 reflects the limited, integrity-only impact.
Heap-based buffer overflow in Open Asset Import Library (Assimp) versions up to 5.4.3 allows a local attacker with low privileges to corrupt heap memory by supplying a crafted 3D model file with manipulated width or height values to the SceneCombiner::Copy function in code/Common/SceneCombiner.cpp. A public proof-of-concept exploit has been disclosed via GitHub issue #6079, elevating real-world risk despite the local-only attack vector. No confirmed patched release has been independently verified at time of analysis, and exploitation conditions require only low-privilege local access with no user interaction beyond loading the malicious file.
UltraVNC Repeater through 1.8.2.2 harbors a latent off-by-one stack buffer boundary condition in its HTTP Basic authentication Base64 decoder, where a strict greater-than comparison at `repeater/webgui/webutils.c:817` fails to block an input whose length exactly equals the 1024-byte output buffer. Under current code, the outer HTTP request parser incidentally caps Authorization header length before the defect can produce an out-of-bounds write, making this vulnerability practically unexploitable in its present form - but the flaw is real and would become a one-byte stack write if upstream buffering constraints change. No public exploit code exists and the vulnerability is not listed in CISA KEV; this is a latent memory-safety defect requiring patch application as hygiene rather than urgent incident response.
Wagtail CMS versions prior to 7.0.8, 7.3.3, and 7.4.2 expose a resource exhaustion vector where authenticated admin users can submit purposefully crafted image filter specification strings that trigger disproportionately expensive rendition processing on the server, resulting in service degradation for all site users. The vulnerability is constrained to admin-level authenticated users and cannot be triggered by ordinary unauthenticated site visitors, materially limiting real-world attack surface. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the low-priority tier for most deployments.
Zip slip (relative path traversal) in ClearML's StorageManager._extract_to_cache() allows a network-positioned attacker to write arbitrary files to the host filesystem, with confirmed RCE potential via cron job injection, SSH authorized_keys overwrite, or web shell deployment. Affected are all versions up to and including 1.16.5; the official CVSS score of 2.4 with I:L severely understates the real-world impact given the documented RCE paths. No KEV listing and no EPSS data were provided, but the presence of a public bounty report and a confirmed fix commit indicates the issue is verified. The fix is available in version 2.1.6.
Resource exhaustion in Wasmtime's native WASIp1 implementation allows low-privileged WebAssembly guests to exhaust host-level file descriptors and OS resources by repeatedly invoking fd_renumber in a loop. The affected versions span four distinct release branches - all pre-24.0.10, 25.x-35.x, 37.x-44.x, and 45.0.0-45.0.1 - but only runtimes that both expose fd_renumber and grant guests the ability to open files are vulnerable. No public exploit code exists and the issue is not listed in CISA KEV; however, the attack is mechanically straightforward once the conditions are met, making patching the primary defense.
Insufficient permission enforcement in MediaWiki's user query API endpoints allows low-privileged authenticated users to access sensitive user information - such as group memberships or account details - that permission controls should restrict. The vulnerability spans four source files: ApiQueryAllUsers.php, ApiQueryUsers.php, PermissionManager.php, and UserGroupManager.php, indicating that the flaw lies in how permission checks are applied (or bypassed) when the API serializes user data. No public exploit code exists and the CVSS 4.0 score of 2.1 reflects the constrained real-world exploitability. No confirmed active exploitation (CISA KEV) has been reported.
Unvalidated bearer realm URL handling in oras-go v2 ≤ 2.6.0 enables two distinct attack primitives against users who run oras operations against a malicious, compromised, or man-in-the-middle'd registry: server-side request forgery (SSRF) to internal network endpoints including cloud instance metadata services, and TLS downgrade that exposes user credentials in plaintext. The OCI distribution spec legitimately allows cross-host realm references for split-auth deployments (e.g., Docker Hub's auth.docker.io pattern), but oras-go failed to block private IP literals, loopback addresses, and scheme downgrades from https to http - patterns that are never legitimate under any valid registry trust model. No active exploitation has been confirmed (not in CISA KEV), and a patch is available in v2.6.1.
{table}/{digest}`) allows any authenticated user to read, write, or delete blobs across all blob tables, entirely circumventing the GRANT-based access control that the SQL path correctly enforces. Verified against CrateDB 6.2.7 and present since the blob HTTP handler was introduced, `io.crate.protocols.http.HttpBlobHandler` authenticates the connecting user but never invokes `AccessControl`, making blob operations permissible to any valid credential holder regardless of table-level privileges. A complete end-to-end Docker PoC is included in the report demonstrating both unauthorized read (HTTP 200) and unauthorized delete (HTTP 204) while the SQL path correctly returns a permission error for the same user; no KEV listing and no EPSS data are available at time of analysis.
Open redirect in Concourse's web login flow allows a remote unauthenticated attacker to craft a URL that silently redirects an authenticated user to an arbitrary external site upon completing the login process. Concourse versions prior to 8.2.3 are affected via the `/sky/login` endpoint's `redirect_uri` parameter. While no credentials are leaked server-side, the post-login redirect to an attacker-controlled site creates a high-fidelity phishing vector targeting CI/CD operators and developers - users who typically hold sensitive pipeline secrets and source-code access. No public exploit identified at time of analysis, though the advisory provides a fully working proof-of-concept URL.