Insecure Direct Object Reference in LatePoint Calendar Booking Plugin for WordPress (all versions ≤ 5.6.2) enables unauthenticated attackers to create approved bookings against services explicitly restricted to administrators and agents. The bypass operates through two publicly accessible booking step endpoints that accept a user-controlled service identifier without validating the requester's authorization to book that service. No public exploit code or CISA KEV listing has been identified, but the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms trivially exploitable, zero-barrier network access against default plugin configurations that utilize service-level access restrictions.
Unauthorized wp_postmeta enumeration in JetFormBuilder (WordPress plugin, all versions through 3.6.3) allows unauthenticated remote attackers to extract arbitrary post meta values - including WooCommerce billing PII, payment tokens, and third-party plugin credentials - by exploiting a missing authorization check in the plugin's REST API generator endpoint. The flaw exists in the get_from_db generator function, which returns database values without verifying whether the requesting user is permitted to access them. No public exploit has been identified at time of analysis, but the attack is trivially executable against any site where a published JetFormBuilder form with a get_from_db field exists, as all required parameters (form ID, field name, generator ID) are discoverable by browsing the site's public forms.
Insecure Direct Object Reference in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.14) exposes non-public, draft, trashed, and personal calendar events to unauthenticated remote attackers via the 'vcal' iCalendar export endpoint. By enumerating integer occurrence IDs in the 'vcal' parameter, an attacker can retrieve full iCalendar exports containing event titles, descriptions, dates, locations, organizer and host details, permalinks, and related calendar metadata that site owners explicitly withheld from public view. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and zero authentication requirement make opportunistic enumeration trivially feasible.
Remote username enumeration in GoFiber fiber v3's default BasicAuth middleware exploits a timing side-channel caused by Go's short-circuit `&&` evaluation, producing a ~1,000,000:1 response-time ratio between valid and invalid usernames when bcrypt hashing is in use. Any GoFiber v3 application relying on the default `Authorizer` with hashed credentials is affected; an unauthenticated remote attacker can enumerate valid usernames by measuring HTTP response latency, then focus credential brute-force exclusively on confirmed accounts. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.
Unauthenticated appointment cancellation and rescheduling in the Wappointment WordPress plugin (all versions ≤ 2.7.6) is possible because the sole authorization token - the `edit_key` - is a predictable, unsalted MD5 hash of three fully derivable inputs: a sequential integer `client_id`, a publicly observable appointment timestamp `start_at`, and an enumerable integer `staff_id`. The unauthenticated REST endpoints for `tryCancel()` perform no ownership or identity verification beyond matching this reconstructible key, meaning any network attacker who books one appointment can calibrate the sequential ID space and compute valid keys for other users' appointments. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the attack requires only standard HTTP tooling and basic scripting against any site with cancellation or rescheduling features enabled.
Stored XSS in TR7 Cyber Defense Inc.'s WAF-ASP web application firewall permits authenticated low-privilege attackers to inject persistent malicious scripts that execute in the browsers of other users - including administrators - who later view the affected page. Versions from v1.0.324.900 up to but not including v1.4.0.117 are confirmed affected. No public exploit code or CISA KEV listing exists at time of analysis; exploitation nonetheless requires only low-privilege credentials and a single victim page-view.
Unauthenticated sensitive information exposure in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions through 6.0.11) permits any remote attacker to retrieve the full builder metadata and rendered HTML of any kirki_symbol post - including unpublished drafts - by issuing a crafted AJAX request with a sequential WordPress post ID. The root cause is a missing authorization check (CWE-862) in the get_single_symbol AJAX handler registered in includes/Ajax.php, confirmed by Wordfence. No active exploitation is confirmed in CISA KEV, and no EPSS data was provided, but the trivially automatable nature of post ID enumeration against an unauthenticated network endpoint elevates practical risk above the raw CVSS 5.3 score suggests.
Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.11) enables unauthenticated remote attackers to trigger arbitrary HTML-injected emails to any registered user via the site's own mail infrastructure. Because the email is dispatched through the site's authenticated SMTP path, it inherits the domain's SPF and DKIM reputation, substantially increasing phishing credibility. Critically, attackers can embed a genuine, site-generated WordPress password-reset URL for the target account inside an attacker-controlled HTML body, creating a highly convincing credential-harvesting lure. No public exploit or CISA KEV listing is confirmed at time of analysis.
IP header spoofing in GoFiber's BalancerForward proxy middleware allows any remote unauthenticated attacker to inject a forged X-Real-IP header that upstream servers treat as authoritative. The middleware calls Header.Add() rather than Header.Set() when stamping the real client IP, causing the attacker-supplied value to remain as the first header instance - the one read by nginx, Express, Apache, and most HTTP servers for rate limiting, IP-based ACLs, and audit logging. No public exploit has been identified at time of analysis, but exploitation requires only the ability to set an arbitrary HTTP header, making this trivially accessible to any network attacker targeting deployments using the BalancerForward helper.
Infinite loop denial-of-service in Erlang OTP's ssh_sftpd module allows an authenticated SFTP user to permanently freeze individual SFTP channel processes by sending SSH_MSG_CHANNEL_EXTENDED_DATA frames. The affected function handle_data/4 tail-calls itself indefinitely when it receives extended-data channel messages (type != 0) with an empty pending buffer, because the SFTP protocol never expects such messages and the catch-all clause has no exit condition for them. No public exploit code or active exploitation has been identified at time of analysis; the vulnerability was disclosed and patched by the Erlang Ecosystem Foundation.
Unauthenticated curriculum exposure in the Academy LMS WordPress plugin (versions ≤ 3.8.1) allows any internet user to retrieve detailed topic and lesson structures from courses explicitly protected by private, draft, scheduled, or password-protected post statuses. The root cause is the plugin's '/topics' REST API endpoint registering with '__return_true' as its permission callback, entirely bypassing WordPress's built-in post visibility and enrollment enforcement. No exploit code has been publicly identified and the vulnerability is not listed in CISA KEV, but the zero-complexity network vector makes automated course ID enumeration trivially scriptable with standard HTTP tools.
Improper cryptographic signature verification in the CubeSpace CW0057 Reaction Wheel firmware (versions prior to 5.0.20) permits an attacker with physical access to flash arbitrary, unsigned firmware onto the device without any authentication. This affects a safety-critical spacecraft attitude control component used in CubeSat and small satellite missions, where unauthorized firmware replacement could cause mission-critical failures including attitude loss or uncontrolled spacecraft behavior. A proof-of-concept exploit exists (indicated by E:P in the CVSS 4.0 supplemental vector); no active exploitation has been confirmed by CISA KEV at time of analysis.
Unbounded memory exhaustion in zebrad's mempool download pipeline allows unauthenticated remote peers to crash Zcash full nodes by sustaining P2P transaction traffic. The root cause is that timed-out verification tasks never remove their entries from the `cancel_handles` map because `tokio::time::error::Elapsed` carries no payload, making the transaction ID unrecoverable at the timeout arm of `Downloads::poll_next()`. All nodes running zebrad up to v4.4.1 with default configuration are affected, and a working end-to-end reproduction exists on a live regtest network. No patch has been released at time of analysis; the only recovery action is a node restart.
Repeated sync-stalling via a crafted P2P block response in Zebra (zebrad) v4.4.1 and earlier allows any unauthenticated peer to indefinitely delay a syncing node's chain catch-up by forcing 67-second global sync restart cycles. The root cause is that the AboveLookaheadHeightLimit error variant in the sync download pipeline does not carry the advertiser's peer address, so the offending peer is never scored or disconnected, and the restart cancels all in-flight downloads from honest peers on every cycle. No public exploit has been identified at time of analysis, but the vendor advisory confirms the attack requires no authentication, mining capability, or valid chain data - only a standard post-handshake P2P connection.
Mempool admission in zebrad up to v4.4.1 can be completely blocked by a single unauthenticated P2P peer using minimal bandwidth (~1 KB/s), exploiting absent per-peer slot accounting in the transaction download/verification pipeline. By advertising fake transaction IDs via inv messages, an attacker holding one TCP connection can monopolize all 25 MAX_INBOUND_CONCURRENCY slots, causing every subsequent inbound transaction from honest peers - and local RPC sendrawtransaction calls - to fail with MempoolError::FullQueue indefinitely. No public exploit has been identified at time of analysis; the issue is fixed in zebrad 4.5.0.
Cross-tenant authorization bypass in PraisonAI before 0.1.7 allows authenticated users to inject issues into projects belonging to other workspaces by supplying an unvalidated project_id in issue create and update request bodies. The server trusts the client-supplied project_id without verifying it belongs to the workspace identified in the URL, a classic IDOR pattern classified under CWE-639. An attacker can corrupt project statistics aggregation across tenant boundaries, undermining data integrity in multi-tenant deployments. No public exploit code has been identified at time of analysis, and this is not listed in the CISA KEV catalog.
Missing authorization checks in the Sendcloud Shipping WordPress plugin (versions through 1.0.29) allow unauthenticated remote attackers to perform unauthorized integrity-impacting actions without credentials. Rooted in CWE-862, the plugin fails to enforce capability checks on one or more endpoints or AJAX handlers, enabling access control bypass as tagged by Patchstack. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; EPSS data was not provided, but the unauthenticated network vector (PR:N) lowers the bar for opportunistic probing.
Unauthenticated sensitive data exposure in the Kit (formerly ConvertKit) for WooCommerce WordPress plugin versions 2.1.5 and below allows remote unauthenticated attackers to access sensitive information without any credentials or user interaction. The vulnerability is classified under CWE-497, indicating the plugin inadvertently surfaces system or application-level sensitive data to an unauthorized control sphere - likely including API keys, subscriber data, or configuration secrets tied to the Kit email marketing integration. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Broken access control in ez Form Calculator Premium WordPress plugin (versions up to and including 2.14.1.2) permits unauthenticated remote attackers to perform restricted plugin actions, resulting in unauthorized integrity modifications. Disclosed by Patchstack and classified under CWE-862 (Missing Authorization), the flaw requires no credentials, no user interaction, and no special configuration, lowering the exploitation barrier significantly. No public exploit code and no CISA KEV listing have been identified at the time of analysis, suggesting limited observed exploitation despite the low attack complexity.
Unauthenticated broken access control in Woostify Sites Library WordPress plugin versions up to and including 1.6.2 permits remote, unauthenticated attackers to bypass authorization checks and perform restricted actions against affected WordPress installations. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and no user interaction, making automated scanning and exploitation straightforward. No active exploitation has been identified at time of analysis, and no public exploit code is known.
Reflected XSS in Netdata before 2.3.1 allows unauthenticated network attackers to inject and execute arbitrary JavaScript in a victim's browser within the Netdata origin by crafting a malicious URL targeting the `/api/v2/ilove.svg` or `/api/v3/ilove.svg` endpoints. The `love` query parameter is embedded verbatim into an SVG response served as `image/svg+xml`, a MIME type browsers treat as an active scripting context. These endpoints are explicitly registered with `HTTP_ACL_NOCHECK` and bearer-token protection is off by default, making this a zero-prerequisite server-side exposure requiring only victim interaction - no public exploit or CISA KEV listing exists at time of analysis, but the attack is trivially reproducible from the description alone.
DPoP (Demonstrating Proof-of-Possession) proof verification in OpenIDC's liboauth2 C library incorrectly accepts malformed proofs that embed private Elliptic Curve (EC) key material in the JWK header, directly violating RFC 9449 §4.3 step 7. The `oauth2_token_verify()` function returns success instead of rejecting such proofs, subverting DPoP's core token-binding security guarantee and enabling information disclosure of private key material. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and a patch is available in liboauth2 2.3.0.
Server-Side Request Forgery in liboauth2 prior to version 2.3.0 allows an unauthenticated attacker to force any application using the AWS ALB JWT verification path to issue GET requests to arbitrary internal network paths. The vulnerability exists because the `oauth2_jose_jwks_aws_alb_resolve()` function reads the unverified `kid` JWT header field and appends it directly to the configured `alb_base_url` - without URL encoding or path sanitization - before any cryptographic signature check occurs. No public exploit code has been identified at time of analysis, but the low attack complexity and zero privilege requirement make this a meaningful risk for AWS-integrated deployments where liboauth2 handles ALB token verification.
SQL injection in the Houzez Property Feed WordPress plugin (versions up to and including 2.5.46) permits authenticated administrators to exfiltrate arbitrary data from the underlying WordPress database by manipulating the `orderby` GET parameter on admin log pages. The root cause is a `$wpdb->prepare()` misuse pattern: user-supplied `$_GET['orderby']` and `$_GET['order']` values are filtered only with `sanitize_text_field()` - which does not neutralize SQL metacharacters - then concatenated directly into the SQL format string before `prepare()` is invoked, meaning prepare() only parameterizes the trailing LIMIT/OFFSET clause and cannot retroactively secure the already-tainted ORDER BY clause. No public exploit has been identified at time of analysis, and the high privilege requirement (WordPress Administrator) significantly constrains the realistic attacker pool.
Craft CMS versions 4.x prior to 4.17.14 and 5.x prior to 5.9.21 contain a missing authorization check (CWE-862) in the asset folder move operation that allows an authenticated user to delete a destination folder they lack delete permission on by exploiting the force=true overwrite path in AssetsController::actionMoveFolder(). The CVSS 4.0 score of 4.9 with PR:L and VI:H reflects a real but internally-scoped integrity impact: an attacker with move-but-not-delete rights can destroy asset content outside their permission boundary. No public exploit code exists and no active exploitation has been identified; the E:U supplemental metric in the provided vector corroborates this assessment.
Stored XSS in WatchGuard Fireware OS's SIP Proxy module enables a high-privileged attacker to plant persistent malicious JavaScript that executes in the browsers of other privileged users who access affected management interface pages. Covering Fireware OS versions 12.0 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2, this CVE is explicitly disclosed as an additional, previously unmitigated attack path for CVE-2025-6947 - meaning organizations that applied the prior patch may incorrectly believe their exposure is closed. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Stored XSS in WatchGuard Fireware OS's spamBlocker module enables a high-privileged attacker to persist malicious JavaScript that executes in the browsers of other authenticated users viewing the affected management interface. This vulnerability is explicitly identified as an additional, unmitigated attack path bypassing the remediation applied for CVE-2025-1071, indicating the original fix was incomplete. The CVSS 4.0 vector scores this at 4.8 (Medium), with no confirmed active exploitation and no public exploit identified at time of analysis.
Stored cross-site scripting in WatchGuard Fireware OS's Autotask Technology Integration module allows a high-privileged attacker to inject persistent malicious scripts that execute in the browsers of other users who view the affected management interface pages. Affecting Fireware OS versions 12.4 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2, this flaw is explicitly described as an additional unmitigated attack path alongside the related CVE-2025-13938, suggesting prior remediation efforts were incomplete. No public exploit code or confirmed active exploitation has been identified at time of analysis.
Stored cross-site scripting in WatchGuard Fireware OS via the ConnectWise Technology Integration module allows a highly privileged attacker to inject persistent malicious scripts into the web management interface, which then execute in the browsers of other authenticated users who view the affected pages. This vulnerability is explicitly described as an additional, previously unmitigated attack path for CVE-2025-13937, indicating that the prior remediation was incomplete and a bypass exists. No public exploit code or CISA KEV listing has been identified at time of analysis, but the relationship to an earlier CVE suggests at least some organizational knowledge of the attack surface.
Stored XSS in WatchGuard Fireware OS's Tigerpaw Technology Integration module allows a high-privileged attacker to persist malicious scripts within the management interface, which then execute in the browsers of other authenticated users who visit the affected pages. Critically, this CVE is identified as an additional unmitigated attack path for CVE-2025-13936, indicating an incomplete remediation of a prior related XSS flaw in the same integration module. Affected versions span the 12.4, 12.5, and 2025.x/2026.x release trains; no public exploit or CISA KEV listing has been identified at time of analysis.
Broken authentication in VillaTheme's ALD - Dropshipping and Fulfillment for AliExpress and WooCommerce (all versions up to and including 2.2.0) permits remote unauthenticated attackers to bypass authentication controls under high-complexity conditions, yielding limited read and write access to protected plugin functionality. Assigned CVSS 3.1 score of 4.8 with AV:N/AC:H/PR:N, the high attack complexity signals that exploitation requires specific preconditions rather than a trivial request. No public exploit code or active exploitation has been identified at time of analysis, and CISA KEV listing is absent.
DOM-Based cross-site scripting in TR7 Cyber Defense Inc.'s WAF-ASP product allows an authenticated low-privilege attacker to inject malicious JavaScript that executes in the browser of any user who interacts with a crafted page within the WAF's web interface. Affected versions span v1.0.42.239 through versions prior to v1.4.0.117. No public exploit or active exploitation has been identified at time of analysis; the irony is notable in that this is a security control product with an XSS vulnerability in its own management interface.
Stored Cross-Site Scripting in the Product Video Gallery for WooCommerce WordPress plugin (versions ≤ 1.5.1.8) allows authenticated shop managers to persist malicious JavaScript via the custom_thumbnail parameter, which then executes in the browsers of any visitor accessing an affected product page. The CVSS scope-change flag (S:C) confirms the injected payload crosses security boundaries from the attacker's session into victims' browser contexts. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog, but the PR:H requirement is the primary limiting factor for real-world risk - any compromise of a shop manager account would make this trivially exploitable.
Authorization bypass in the JoomSport WordPress plugin (all versions through 5.7.8) permits any subscriber-level authenticated user to create arbitrary season groups or tamper with group names, participant records, and round-type options - sports league data that site administrators should exclusively control. The flaw, identified by Wordfence and rooted in CWE-862 (Missing Authorization), is exploitable by any registered WordPress user who can load a page rendering a JoomSport shortcode to harvest a required nonce. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; the CVSS 4.3 Medium score accurately reflects a bounded, integrity-only impact with no path to code execution or privilege escalation.
Authorization bypass in the Email Subscribers & Newsletters WordPress plugin (all versions through 5.9.27) allows contributor-level authenticated users to hijack the site's email infrastructure - overwriting sender identity, creating mailing lists, injecting arbitrary contacts, and dispatching mass email to arbitrary external recipients. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity, network-accessible exploitation requiring only a contributor account, which is commonly available on multi-author WordPress sites. No public exploit code has been identified at time of analysis, but the abuse potential - mass phishing campaigns sent through a trusted domain's authenticated mail relay - materially exceeds what the 4.3 CVSS score implies.
Private content disclosure in the Envo's Templates & Widgets for Elementor and WooCommerce WordPress plugin (versions up to and including 1.4.26) allows authenticated attackers with Author-level access to expose private or draft Elementor-rendered pages and templates to anonymous visitors. The flaw is rooted in the Tabs and Off Canvas widgets passing a user-supplied post ID directly to Elementor's get_builder_content_for_display() without any post-status or capability check, meaning the rendered output of restricted content is served publicly once an Author configures the widget. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, making this a lower-urgency but real information-disclosure risk for WordPress sites with multiple or untrusted Author-level users.
Secret credential leakage in StormShield Network Security's CLI tool exposes the proxy CA passphrase or TPM password to other users sharing an SSH session on the firewall appliance. Affected versions span three distinct branches - 4.3.0-4.3.41, 4.8.0-4.8.15, and 5.0.0-5.0.5 - and exploitation is gated behind SSH multiuser mode being explicitly enabled. No active exploitation has been confirmed by CISA KEV and no public proof-of-concept has been identified at time of analysis, though the leaked secrets carry high downstream value for privilege escalation or certificate authority abuse.
Broken access control in Flatsome WordPress theme versions 3.20.5 and earlier allows authenticated subscriber-level users to access restricted resources or perform actions beyond their intended authorization. The flaw stems from missing authorization checks (CWE-862) on one or more endpoints or actions within the theme, enabling low-privilege WordPress users to retrieve information they should not be permitted to view. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is limited to authenticated users, reducing opportunistic risk.
Cross-Site Request Forgery in the Werkstatt WordPress theme (FuelThemes) version 4.7.2 and earlier allows remote unauthenticated attackers to perform unauthorized state-changing actions on behalf of authenticated WordPress users. The flaw stems from missing or inadequate CSRF token validation on one or more theme action endpoints, meaning a crafted web page or link can silently trigger privileged operations when visited by a logged-in user. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Broken access control in the Werkstatt WordPress theme (Fuelthemes) versions 4.7.2 and below allows subscriber-level authenticated users to access functionality or data restricted to higher-privileged roles. The root cause is missing authorization checks (CWE-862), permitting low-privilege WordPress accounts to bypass intended access restrictions and read protected information. No public exploit code is identified and the vulnerability is not listed in CISA KEV, but the low-complexity network vector makes it trivially exploitable by any subscriber-level user on affected sites.
Broken access control in Martfury WooCommerce Marketplace WordPress Theme (versions <= 3.2.8) permits authenticated subscriber-level users to invoke functionality restricted to higher-privilege roles, achieving unauthorized integrity modifications. The flaw is rooted in CWE-862 (Missing Authorization), where theme-controlled endpoints or action handlers fail to verify that the requesting user holds sufficient capabilities beyond basic authentication. No public exploit or CISA KEV listing was present in the available data at time of analysis.
Stored XSS in SFTPGo's WebClient allows an attacker who can place files in a share or home directory to serve an HTML payload as live text/html within SFTPGo's own web origin by exploiting the inline query parameter on file download endpoints, which suppressed the Content-Disposition: attachment header. Affected versions prior to v2.7.3 expose both the browsable-share and authenticated-user file download paths. No public exploit is identified at time of analysis; exploitation requires file placement access plus social engineering to deliver a crafted URL the WebClient never generates natively.
Broken access control in the Adminify WordPress plugin before 4.2.10 allows authenticated Contributor-level users to enumerate sensitive site data through an administration search feature that omits per-user read-capability checks. Affected data includes other authors' unpublished post titles, pending comment content, installed plugin inventory, and registered user account names - all information WordPress's native capability model would otherwise restrict. No public exploit has been identified at time of analysis, and a vendor-released patch is available at version 4.2.10.
Broken access control in Fluent Forms WordPress plugin before 6.2.5 allows a restricted Manager role to permanently delete form submission entries belonging to forms outside their authorized scope. The flaw stems from missing authorization checks on the deletion endpoint, which fails to verify that the target submission belongs to a form the Manager is permitted to administer. This affects only installations where an administrator has explicitly created a restricted Manager account tied to specific forms - no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.
Path-traversal enumeration in Erlang OTP's ssh_sftpd module allows authenticated SFTP users to determine whether arbitrary filesystem paths exist outside the configured SFTP root directory. The SSH_FXP_REALPATH handler uniquely passes Canonicalize=false to relate_file_name/3, causing dotdot traversal sequences to skip the is_within_root/2 boundary check before entering resolve_symlinks/2, which then issues read_link() syscalls on arbitrary host paths. Affected versions span OTP 17.0 through the fixed releases 29.0.3, 28.5.0.3, and 27.3.4.14; no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() bt_accept_dequeue() unlinks a not-yet-accepted child from the parent accept queue and release_sock()s it before returning, so the returned sk has no caller reference and is unlocked. l2cap_sock_cleanup_listen() walks these children on listening-socket close. A concurrent HCI disconnect drives hci_rx_work -> l2cap_conn_del() which runs l2cap_chan_del() + l2cap_sock_kill() and frees the child sk and its l2cap_chan; cleanup_listen() then uses both: BUG: KASAN: slab-use-after-free in l2cap_sock_kill l2cap_sock_kill / l2cap_sock_cleanup_listen / __x64_sys_close Freed by: l2cap_conn_del -> l2cap_sock_close_cb -> l2cap_sock_kill This is distinct from the two fixes already in this area: commit e83f5e24da741 ("Bluetooth: serialize accept_q access") serialises the accept_q list/poll and takes temporary refs inside bt_accept_dequeue(), and CVE-2025-39860 serialises the userspace close()/accept() race by calling cleanup_listen() under lock_sock() in l2cap_sock_release(). Neither covers l2cap_conn_del() running from hci_rx_work, so this UAF still reproduces on current bluetooth/master. Take the reference at the source: bt_accept_dequeue() does sock_hold() while sk is still locked, before release_sock(); callers sock_put(). cleanup_listen() pins the chan with l2cap_chan_hold_unless_zero() under a brief child sk lock (serialising vs l2cap_sock_teardown_cb()), drops it before l2cap_chan_lock(), and skips a duplicate l2cap_sock_kill() on SOCK_DEAD. conn->lock is not taken here: cleanup_listen() runs under the parent sk lock and that would invert conn->lock -> chan->lock -> sk_lock (lockdep). KASAN/SMP: an unprivileged listen/close vs HCI-disconnect race produced 12 use-after-free reports per run before this change; 0, and no lockdep report, over 1600+ raced iterations after it on bluetooth/master.
Unauthenticated arbitrary file read/write in Recce OSS server (DataRecce, PyPI package 'recce') affects DuckDB-backed deployments exposed to untrusted networks, where the query run API executes attacker-supplied SQL without authentication. By abusing DuckDB filesystem primitives an attacker can read and write files accessible to the server process, enabling local file disclosure, tampering with dbt/Recce artifacts, and injection of stored XSS into browser-served static files. No public exploit identified at time of analysis; the issue is fixed in Recce v1.50.0.
Kiwi TCMS exposes its /init-db/ database setup endpoint without authentication even after initial setup is complete, allowing any unauthenticated remote actor to invoke the Django migration runner against an already-initialized database. Despite the Authentication Bypass classification (CWE-862), real-world impact is severely limited because the underlying manage.py migrate command is idempotent - once migrations are applied, repeated invocations produce a confirmed no-op with no data loss, no state change, and no information disclosure. No public exploit code exists and no CVSS score was assigned, consistent with the vendor's own characterization that the severity is low.
Source-code disclosure in the Algernon web/application server (Go, xyproto/algernon, tested at v1.17.8) lets an unauthenticated remote client retrieve the raw source of any public-path server-side script on Windows hosts by appending an NTFS-equivalent suffix (::$DATA, a trailing dot, or a trailing space) to the URL. Because filepath.Ext() does an exact suffix match, these forms are not recognized as .lua/.tl/.po2/.amber/.frm and fall through to the raw-file branch, while NTFS canonicalizes the name back to the real script, exposing embedded database credentials and the SetCookieSecret value used to forge session cookies. Publicly available exploit code exists (full PoC in the GitHub advisory); no public exploit identified as actively exploited and this is not in CISA KEV.
Local privilege escalation in Linuxfabrik monitoring-plugins arises from the shipped Debian.sudoers file, which grants the nagios user passwordless sudo to apt-get without constraining arguments (CWE-88 argument injection). Any attacker who already controls the nagios account can run 'sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh' to spawn a root shell. Publicly available exploit code exists (documented in the GitHub advisory PoC), but there is no public evidence of active exploitation and no CVSS score was assigned.