Broken access control in Gitea's Composer package registry (versions up to and including 1.26.1) lets remote attackers read private or internal Composer package source links they should not be authorized to see, leaking internal repository/source metadata. The flaw is a missing-authorization (CWE-862) issue reported by the Gitea project itself and fixed in v1.26.2; no public exploit identified at time of analysis, and it is not listed in CISA KEV. With a CVSS 3.0 base score of 8.2 driven by high confidentiality impact, the practical effect is unauthorized disclosure of otherwise-private package sourcing information.
Cloud takeover of Gardyn smart indoor garden devices is possible because a privileged Azure IoT Hub 'iothubowner' shared-access key is embedded in the product, letting a malicious actor query the IoT Hub Registry Manager to enumerate connection details for every Gardyn Home Kit and Studio device and then push arbitrary commands to a targeted unit. Because the key is service-level rather than per-device, one extracted credential compromises the entire fleet, and the attacker may pivot from a controlled device onto the victim's home or corporate LAN. This flaw was reported through CISA ICS-CERT (ICSA-26-183-03) and carries a CVSS 4.0 base score of 9.5, but no public exploit identified at time of analysis.
Stack-based buffer overflow in RT-Thread RTOS (versions up to and including 5.0.2) affects the CAN_Receive function within the Synwit SWM341 board support package's CAN handler, allowing a local low-privileged attacker to corrupt the stack and potentially achieve code execution or crash the device. The flaw carries a CVSS 4.0 base score of 7.1, and publicly available exploit code exists. The vendor was contacted but did not respond, and there is no public evidence of active exploitation.
Stack-based buffer overflow in RT-Thread RTOS (versions up to and including 5.0.2) affects the recvmsg function within the ls1c CAN handler (bsp/loongson/ls1cdev/libraries/ls1c_can.h) for the Loongson LS1C board support package. A local attacker with low privileges can manipulate the recvmsg call path to overflow a stack buffer, corrupting memory to achieve code execution or crash the device. Publicly available exploit code exists (VulDB), but there is no public exploit identified as actively used in the wild; this is not on CISA KEV, and no vendor patch has been identified as the vendor did not respond to disclosure.
Security-feature bypass in Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 lets a remote, unauthenticated attacker circumvent a browser security control over the network via improper authorization (CWE-285). Microsoft rates it CVSS 10.0 with a changed scope, meaning a successful bypass can affect resources beyond the browser's original security boundary. There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation as 'none', so this is a high-severity but not currently-exploited issue with a vendor patch already available.
Reverse-proxy authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2) allows any source IP to impersonate arbitrary users because the image ships with REVERSE_PROXY_TRUSTED_PROXIES=* by default. When an operator enables reverse-proxy header authentication (e.g. X-WEBAUTH-USER), the wildcard trust list means Gitea accepts those identity headers from any client rather than only from a trusted front-end proxy, granting full account takeover including administrator access. No public exploit has been identified at time of analysis, and the issue is patched in Gitea 1.26.3.
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter across Red Hat Enterprise Linux 6 through 10, where an integer overflow triggered by specially crafted print data can corrupt memory. This is an incomplete-fix follow-up to CVE-2026-8631, meaning the original patch did not fully close the flaw, and no public exploit has been identified at time of analysis. The Red Hat CVSS of 9.8 reflects a network-reachable, unauthenticated attack path, though realistic exploitation depends on how the CUPS print pipeline is exposed.
Arbitrary code execution in keras-team/keras 3.14.0 lets remote attackers run OS-level commands by supplying a malicious serialized `Lambda` layer that is deserialized without an active `SafeModeScope`. The root cause is `_raise_for_lambda_deserialization()` treating a `None` `safe_mode` (the default when `from_config()` runs outside a `SafeModeScope`) as if it were an explicit `False`, so the safe-mode guard is skipped and attacker-controlled `marshal` bytecode executes. SSVC rates technical impact as total with a proof-of-concept available; EPSS is modest at 0.40% (32nd percentile), and the flaw is not in CISA KEV.
SQL injection in Raera's Destekz support/help-desk application (all versions through 02062026) allows remote attackers to inject arbitrary SQL via unsanitized input, per the CVSS:3.1/AV:N/AC:L/PR:N/UI:N vector indicating unauthenticated network exploitation. TR-CERT rates this critical (9.8) with full confidentiality, integrity, and availability impact, meaning an attacker can read, modify, or destroy backend database contents. No public exploit identified at time of analysis, but the vendor has confirmed the product is no longer supported, so no fix will be issued.
Branch-protection bypass in Gitea's self-hosted Git server (all versions before 1.26.0) allows a user with push access to circumvent pre-receive hook enforcement by supplying oversized hook input that trips a bufio.Scanner error the code fails to handle safely. Because Gitea does not fail closed on the scanner error, the protection check is silently skipped and the push is accepted. No public exploit identified at time of analysis; EPSS is low (0.17%, 7th percentile) and this is not in CISA KEV, but a vendor patch (v1.26.0) is available.
Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests.
Authorization bypass in Gitea Open Source Git Server (versions up to and including 1.26.1) allows a user whose account was deliberately disabled by an administrator to silently regain access simply by signing in through a linked OAuth provider. The OAuth sign-in callback fails to honor the administrator's 'disabled' flag, effectively reversing an intended access-revocation action. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis, but the flaw undermines a core account-lifecycle control on a widely self-hosted platform.
Server-side request forgery in Gitea versions up to and including 1.26.2 lets authenticated users abuse incomplete allow-list filtering in the webhook and repository-migration features to coerce the server into making requests to internal or otherwise restricted network destinations. Because the existing SSRF protection is incomplete rather than absent, attackers can craft addresses that bypass the allow-list checks to reach services that should be unreachable from outside. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; a vendor patch is available in Gitea 1.26.3.
Cross-repository information disclosure and cross-task tampering in Gitea's self-hosted Git server (fixed in v1.26.2) arises from an HMAC signature ambiguity in the Actions Artifacts V4 signed-URL scheme, letting an authenticated low-privilege user reuse a validly signed URL outside its intended repository or task context. An attacker with access to a single Actions task can read private artifacts belonging to other repositories and write upload-state for tasks they do not own, crossing the repository trust boundary (CVSS 9.6, scope-changed). There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Memory corruption in RT-Thread's Linux-compatible process (lwp) syscall layer allows a local low-privileged user to crash the RTOS kernel by supplying a crafted `ai_addr` argument to the `sys_getaddrinfo` handler in `components/lwp/lwp_syscall.c`. All RT-Thread versions through 5.0.2 are affected, with impact limited to availability (VA:H) - no confidentiality or integrity loss is indicated. A public proof-of-concept exists (GitHub issue #11428), though exploitation is not confirmed in CISA KEV; the upstream fix remains an unmerged pull request, leaving all deployed versions currently unpatched.
Arbitrary file deletion in the Printcart Web to Print Product Designer for WooCommerce WordPress plugin (versions up to and including 2.5.2) lets unauthenticated attackers delete any file on the server, potentially escalating to remote code execution. The store_design_data() function builds a filesystem path from the attacker-controlled 'nbd_item_key' POST value and the nonce guarding the AJAX action can be freely retrieved by anonymous users, so exploitation needs no login. No public exploit has been identified at time of analysis, but the network-reachable, no-privilege profile makes this a high-priority patch.
Out-of-bounds heap read in the Net::IP::LPM Perl module (all versions through 1.10) is triggered when an application passes an oversized CIDR prefix length (e.g. add("1.2.3.4/255") or a /255 IPv6 prefix) to the trie builder, which walks the packed address buffer by the attacker-supplied bit count without validating it against the 32-bit/128-bit address width. The read runs at most ~32 bytes past a 4- or 16-byte buffer and its contents are never returned through the module's API, so real-world impact is limited to a possible process abort under AddressSanitizer, valgrind, or a hardened allocator. No public exploit identified at time of analysis; EPSS is low (0.23%, 13th percentile) and SSVC lists exploitation status as none.
Gitea versions before 1.25.5 mishandle path resolution during template repository generation, allowing template processing to read or write through symlinked or otherwise non-regular paths.
Gitea versions before 1.25.5 lack validation constraints for repository creation fields, including length-limited template fields and trust model or object format values.
Gitea versions before 1.25.5 do not consistently enforce OAuth2 authorization code expiry and single-use behavior during token exchange.
Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.
Path traversal (CWE-22) in the Apache Lucene.Net.Replicator library lets remote attackers read files outside the intended index directory by supplying crafted pathnames to the replication service, disclosing arbitrary server-side files. All releases from 4.8.0-beta00005 through 4.8.0-beta00017 are affected, and Apache fixed it in 4.8.0-beta00018. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the CVSS 4.0 base score of 8.9 (High) reflects unauthenticated network access and high confidentiality impact including a subsequent-system scope change.
Path traversal in the Apache Lucene.Net.Replicator library (versions 4.8.0-beta00005 through 4.8.0-beta00017) allows a remote, unauthenticated attacker to read files outside the intended index-replication directory by supplying crafted pathnames during index synchronization. The flaw is a CWE-22 restricted-directory bypass confined to file disclosure; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the vendor-supplied CVSS 4.0 base score of 8.9 reflects high confidentiality impact across a scope boundary. Exploitation is gated by high attack complexity and specific attack requirements, making practical abuse less trivial than the raw score suggests.
Authorization bypass in Gitea's Gitea Actions fork pull-request approval gate lets a low-privileged contributor permanently defeat the maintainer approval step that normally guards workflow execution on fork PRs, so that after the initial gate is subverted the attacker's workflow code runs against the repository's CI runners and secrets. CVSS is 8.9 (high) with a scope change and high integrity/availability impact; no public exploit has been identified at time of analysis, but a vendor patch (v1.26.4) is available. The flaw is classed as CWE-285 (Improper Authorization) and was self-reported by the Gitea project.
Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free memory corruption flaw (CWE-416) that lets an unauthenticated attacker run arbitrary code when a victim visits a malicious web page. All Edge Chromium versions prior to the vendor-patched build are affected, and the CVSS 3.1 base score is 8.8 (High). There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation requires user interaction such as browsing to attacker-controlled content.
Remote code execution in Microsoft Edge (Chromium-based) allows an unauthenticated attacker to run arbitrary code by luring a victim to a malicious web page that triggers an integer overflow (CWE-190). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R) indicates network-based exploitation requiring user interaction, with high confidentiality, integrity, and availability impact. Microsoft has released a fix; no public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV.
Remote code execution in Microsoft Edge (Chromium-based) stems from a heap-based buffer overflow (CWE-122) that a network attacker can trigger when a victim renders crafted web content. The CVSS 3.1 base score is 8.8 with a network vector requiring user interaction (UI:R), and Microsoft has released an official fix (RL:O). No public exploit identified at time of analysis — the temporal metric E:U marks exploit code as unproven — and it is not listed in CISA KEV.
Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 allows an unauthenticated remote attacker to run arbitrary code when a victim is lured into loading attacker-controlled web content. The flaw stems from improper input validation (CWE-20) and carries a high-severity CVSS of 8.8, though it requires user interaction and has no public exploit identified at time of analysis. EPSS risk is low (0.42%, 34th percentile) and CISA SSVC currently rates exploitation status as none.
Privilege escalation in Gitea 1.25.5 lets a user holding a per-branch maintainer-edit grant reuse that write permission against other refs and obtain full repository write access. The flaw stems from a branch-specific permission result being cached and incorrectly reused across multiple refs within a single pre-receive hook session. It is an authenticated authorization-bypass (CWE-863) fixed in Gitea 1.26.3; no public exploit has been identified and EPSS exploitation probability is low (0.20%).
Local privilege escalation via argument injection in TUBITAK BILGEM's pardus-software (the software-center application for the Turkish Pardus Linux distribution) affects all versions up to and including 1.0.4. A low-privileged local user can smuggle attacker-controlled argument delimiters into a command the application invokes with elevated privileges, yielding full compromise of the host (confidentiality, integrity, and availability all high) with no user interaction. No public exploit has been identified at time of analysis, and the issue is not on CISA KEV; it is fixed in version 1.0.5.
Local privilege escalation via argument injection in TUBITAK BILGEM's pardus-software (the Pardus Linux application/software center) affects versions up to and including 1.0.4 and is fixed in 1.0.5. A low-privileged local user can abuse a missing authorization check (CWE-862) to inject attacker-controlled arguments into a privileged backend operation, and because the CVSS scope is Changed with High confidentiality, integrity, and availability impact, this realistically yields code execution or full compromise of the underlying system. No public exploit has been identified at time of analysis and it is not listed in CISA KEV, but the 8.8 CVSS and scope change make it a serious local escalation issue.
Cross-site WebSocket hijacking in Eclipse Theia's browser backend (versions 1.8.1 and later) lets a foreign-origin web page reach the unauthenticated /services shell-terminal RPC namespace and execute arbitrary OS commands on the victim's host. The flaw stems from fail-open Origin validation in @theia/core combined with a client-controllable fix-origin header, so simply luring a developer running Theia to a malicious site yields remote code execution. There is no public exploit identified at time of analysis, and CVSS is rated 8.8 (High) driven by the user-interaction-only barrier.
Server-side request forgery in Eclipse Theia (version 1.26.0 and later) lets a low-privileged user connected to the /services messaging endpoint coerce the backend into fetching an attacker-supplied URL and returning the full response body, exposing localhost admin interfaces and cloud instance metadata that sit behind the browser network boundary. The flaw is exploitable by any client with access to the Theia service connection, making multi-tenant and publicly-reachable deployments the primary concern. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation to SYSTEM in ASUS Business Manager lets a low-privileged local user run arbitrary code by tampering with an inter-process communication (IPC) message that the software's privileged service trusts. Because the SYSTEM-level component controls a file name or path based on attacker-influenced IPC input (CWE-73), a standard user can coerce it into loading or executing attacker-chosen content. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV; ASUS is the reporter and has issued a security advisory.
** UNSUPPORTED WHEN ASSIGNED ** Improper Validation of Specified Quantity in Input in the ASUS AI Suite 3 driver allows a local user to access unintended memory regions via crafted IOCTL requests,. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. No vendor patch available.
Remote code execution in Microsoft Edge (Chromium-based) before 150.0.4078.48 allows an unauthenticated attacker to run arbitrary code when a victim is lured to a malicious web page, via a type-confusion flaw (CWE-843) in the browser engine. The CVSS:3.1 score is 8.3 with a scope change (S:C), indicating a likely sandbox/renderer boundary escape, though exploitation carries high attack complexity and requires user interaction. There is no public exploit identified at time of analysis and CISA SSVC records exploitation status as none, with EPSS at 0.53% (41st percentile).
Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw that an unauthenticated, network-based attacker can trigger to run arbitrary code in the browser process. Exploitation requires the victim to interact — typically by visiting a malicious or compromised web page — and the CVSS 3.1 score of 8.3 reflects high attack complexity plus a scope change consistent with a renderer sandbox escape. There is no public exploit identified at time of analysis and no CISA KEV listing, though the underlying Chromium engine origin (tags reference Google) means a shared upstream root cause across Chromium browsers is likely.
Remote code execution in Microsoft Edge (Chromium-based) via a type-confusion flaw (CWE-843) lets an unauthorized attacker run arbitrary code when a victim is lured to malicious web content. The CVSS 3.1 base score is 8.3 with a scope change, reflecting a likely renderer-to-sandbox impact, but exploitation requires user interaction and has high attack complexity. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available via Microsoft's MSRC update guide.
Remote code execution in Microsoft Edge (Chromium-based) allows an unauthorized attacker to run arbitrary code when a victim views attacker-controlled web content, stemming from a use-after-free memory-corruption flaw (CWE-416). The scope-changed CVSS vector (S:C) indicates the bug can breach the browser's sandbox boundary. Microsoft has released a fix; there is no public exploit identified at time of analysis (CVSS E:U) and it is not listed in CISA KEV.
Remote code execution in Microsoft Edge (Chromium-based) allows an unauthorized attacker to break out of the browser's security boundary and run arbitrary code when a victim is lured to malicious web content. Rooted in an improper authorization flaw (CWE-285) with a scope-changing CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C), exploitation requires user interaction and high attack complexity. No public exploit identified at time of analysis, and it is not listed in CISA KEV, so exploitation is currently theoretical rather than observed.
Security-feature bypass in Microsoft Edge (Chromium-based) stems from a type-confusion (CWE-843) flaw that a remote, unauthenticated attacker can trigger over the network to defeat a browser security boundary. Microsoft has published a fix via its Update Guide (CVE-2026-58295), and the issue carries a CVSS 8.3 with a scope change reflecting the crossed trust boundary. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Authentication bypass in Gitea's Git LFS (Large File Storage) SSH handling allows a low-privileged authenticated user to read files from private repositories they should not access by supplying a malformed SSH sub-verb, per the Gitea security advisory GHSA-7wvc-rvp7-w99x. Because the flaw crosses a security boundary (CVSS scope change) it exposes confidential repository contents without any integrity or availability impact. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV, but a vendor patch is available in Gitea 1.26.4.
Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 lets an unauthorized attacker run arbitrary code when a victim is lured to interact with attacker-controlled content, stemming from external control of a file name or path (CWE-73). The flaw is network-reachable but non-trivial to exploit, requiring user interaction and high attack complexity, and there is no public exploit identified at time of analysis. Microsoft has released a patched build, and EPSS estimates a low 0.53% exploitation probability with SSVC reporting no observed exploitation.
Arbitrary file read in the AR for WooCommerce WordPress plugin (all versions through 8.40) lets unauthenticated attackers traverse directories via the 'file' parameter of AJAX-driven secure-download handlers, exposing wp-config.php, credentials, and other sensitive server files. The vulnerability is notable because three independent access controls - nonce validation, AES-256-CBC payload encryption, and a Referer check - each fail on default free installations, collapsing what looks like a defended endpoint into an open file-disclosure primitive. No public exploit identified at time of analysis, but the flaw is trivially reachable and was reported by Wordfence.
Arbitrary file disclosure in the AR for WordPress plugin (versions up to and including 8.40) lets unauthenticated remote attackers read any file the web server can access via a path-traversal payload in the 'file' parameter of its secure-download handler. Exploitation is gated by a nonce and encryption-key check, but both can be satisfied remotely on default free or unlicensed installations, exposing wp-config.php and other secrets. No public exploit identified at time of analysis and the flaw is not in CISA KEV, though the vendor (Wordfence) documents the full unauthenticated bypass path.
Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free memory corruption flaw (CWE-416) that an unauthorized network attacker can trigger to run arbitrary code in the browser process. Exploitation requires the victim to interact with attacker-controlled content (UI:R) and involves high attack complexity (AC:H), so a user must be lured to a malicious or compromised page. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; Microsoft has released a fix.
Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free memory-corruption bug (CWE-416) that an unauthorized attacker can trigger over the network to run arbitrary code in the browser's context. Exploitation requires the victim to interact with attacker-controlled web content and the CVSS vector flags high attack complexity, so successful attacks are not trivial. There is no public exploit identified at time of analysis and no CISA KEV listing, but a vendor patch is available from Microsoft.
Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated attacker run arbitrary code when a victim is lured into loading attacker-controlled web content that triggers a use-after-free memory corruption. The flaw carries a CVSS 3.1 base of 7.5 and requires user interaction, and the CVSS temporal metrics (E:U, RL:O, RC:C) indicate the issue is confirmed and officially patched with no public exploit identified at time of analysis. Because Edge shares Chromium's rendering engine, the underlying defect is likely rooted in an upstream Chromium/Blink component (the intel tags also reference Google).
Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw that an unauthenticated attacker can trigger over the network when a victim loads attacker-controlled web content. Microsoft has released an official fix and rates the issue 7.5 (High), tempered by high attack complexity and required user interaction; the CVSS temporal data marks exploit maturity as Unproven (E:U), so there is no public exploit identified at time of analysis and no CISA KEV listing. The vendor tags ('Google', 'Use After Free', 'Denial Of Service') indicate this most likely tracks an upstream Chromium engine defect inherited by Edge.
Remote code execution in Microsoft Edge (Chromium-based) stems from a type-confusion flaw (CWE-843) that an unauthenticated attacker can trigger when a victim visits a malicious web page. Microsoft has released an official fix, and while exploit maturity is currently unproven (no public exploit identified at time of analysis), the high confidentiality, integrity, and availability impact combined with network reach makes it a meaningful browser patch. The CVSS 3.1 base score is 7.5 with high attack complexity and required user interaction, tempering real-world exploitability.