Stored Cross-Site Scripting in the weDocs WordPress plugin (versions through 2.3.0) allows authenticated contributors to persist malicious JavaScript in documentation pages by injecting arbitrary values into the 'sectionTitleTag' and 'articleTitleTag' Gutenberg block attributes, which are rendered without sanitization or output escaping in Sidebar block render.php. Any WordPress user who subsequently visits an injected documentation page will execute the attacker's script in their browser context, enabling session hijacking, credential harvesting, or defacement. No public exploit code or CISA KEV listing has been identified, but the low privilege bar (contributor) makes this accessible to a broad class of authenticated WordPress users.
Stored Cross-Site Scripting in the weDocs WordPress plugin (all versions through 2.3.0) allows authenticated contributors to inject persistent malicious scripts via the unsanitized 'connectorWidth' block attribute in the Sidebar block renderer (render.php lines 138 and 161). Any site visitor loading an affected documentation page triggers the payload in their browser, enabling session hijacking, credential harvesting, or malicious redirects. No active exploitation is confirmed in CISA KEV and no public exploit has been identified at time of analysis, though the attack technique is low-complexity for anyone with block editor knowledge.
Stored Cross-Site Scripting in the Zakra WordPress theme (versions up to and including 4.2.0) allows authenticated Contributors to inject arbitrary JavaScript into site pages via the REST API. The vulnerability stems from a sanitization bypass: while the classic editor code path correctly applies sanitize_hex_color() to three menu-color post meta fields, the REST API registration omits any sanitize_callback, permitting unfiltered values to be written. Those values are later concatenated unsanitized into inline CSS and rendered on every page load, triggering stored XSS against any site visitor. No active exploitation (CISA KEV) is confirmed; a vendor-released patch is available in version 4.2.1.
Information disclosure in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based attackers to expose sensitive browser data through a use-after-resource condition (CWE-672). Exploitation requires user interaction and high attack complexity, but the changed scope (S:C) indicates the flaw breaches browser isolation boundaries, yielding high confidentiality impact. No public exploit or active exploitation has been identified at time of analysis; vendor patch is available from Microsoft MSRC.
Cross-site scripting in Microsoft Edge (Chromium-based) before version 150.0.4078.48 lets a remote attacker trick a victim into rendering attacker-controlled script that spoofs UI or content over the network. Because the CVSS scope is changed (S:C) and user interaction is required (UI:R), a lured user visiting or interacting with a malicious page can be deceived into trusting forged content, undermining browser security-context integrity. Reported by Microsoft with a vendor patch available; EPSS is low (0.28%, 20th percentile) and no public exploit identified at time of analysis.
Cross-site scripting in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based spoofing attacks against users who interact with attacker-controlled content. The flaw stems from improper input neutralization during web page generation (CWE-79), allowing injected scripts to execute within the browser's context and manipulate rendered content. No public exploit code or active exploitation has been identified at time of analysis, and Microsoft has released a patch addressing the issue.
Double-free heap corruption in Open Asset Import Library (Assimp) through version 6.0.4 allows remote low-privileged attackers to corrupt process memory by supplying a maliciously crafted PLY 3D model file to the ExportToBlob function in the PLY Model Handler. A publicly available proof-of-concept exploit was disclosed alongside the report. The CVSS 4.0 score of 5.3 (Medium) reflects limited confidentiality, integrity, and availability impact on the vulnerable system, though CWE-415 double-free conditions in C++ libraries carry latent potential for escalated impact depending on memory layout and heap state at runtime.
Reflected XSS in Destekz (all versions through 02062026) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in victim browsers by delivering crafted URLs containing unsanitized input. The CVSS scope change (S:C) confirms that successful exploitation can affect resources beyond the vulnerable application itself, such as the victim's browser session context. Critically, the vendor Raera has confirmed the product is end-of-life and unsupported, meaning no patch will ever be released and all deployed instances are permanently vulnerable. No public exploit code or CISA KEV listing has been identified at time of analysis.
Improper export of Android application components in the ASUS Router App enables any co-installed third-party application on the same Android device to send a crafted Intent that forces the ASUS Router App to navigate to an attacker-specified URL. The flaw, classified as CWE-926, allows an attacker-controlled application to abuse the exposed component as an open redirect, potentially rendering phishing content or harvesting router management credentials within the app's trusted interface context. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
UI misrepresentation in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based spoofing attacks against users who interact with attacker-controlled web content. The browser fails to accurately present critical security information - such as origin indicators, security status, or authentication prompts - allowing an unauthenticated remote attacker to deceive victims into believing they are interacting with a trusted source. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and a vendor patch is available.
Heap-based buffer overflow in Assimp's CSM file handler (versions 6.0.0-6.0.5) allows a local low-privileged attacker to corrupt heap memory by supplying a crafted Character Studio Motion (CSM) file to any application that uses the library for asset import. The flaw exists in `Assimp::CSMImporter::InternReadFile` within `code/AssetLib/CSM/CSMLoader.cpp` and affects all Assimp 6.0.x releases confirmed by EUVD-2026-41601. No public exploit identified at time of analysis as a KEV entry, but a publicly available exploit code (poc.zip) exists, and the upstream patch commit is available though not yet confirmed in a tagged release.
Sensitive information disclosure in Dell PowerProtect Data Domain exposes credentials or configuration data to local low-privileged attackers via insufficiently protected log files. Affected are multiple release trains spanning versions 7.7.1.0 through 8.7, with specific LTS branches also impacted. No public exploit code or active exploitation has been identified at time of analysis, but the high confidentiality impact (C:H) warrants prompt patching on any appliance accessible to untrusted local users or shared administrative accounts.
Absolute path traversal in Microsoft Edge for Android (Chromium-based) prior to version 150.0.4078.48 enables local, unauthenticated information disclosure by allowing crafted paths to escape the application's intended directory scope. The CVSS vector (AV:L/C:H/I:N/A:N) confirms the impact is limited to confidentiality loss on the local device, with no integrity or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Relative path traversal in Microsoft Edge for Android (Chromium-based) before version 150.0.4078.48 permits a local, unprivileged attacker to read sensitive files outside the application's intended directory scope, achieving high confidentiality impact with minor integrity exposure. The flaw (CWE-23) stems from insufficient sanitization of relative path sequences in Edge's Android file-handling logic. No public exploit code or active exploitation has been identified at time of analysis, though a vendor patch is available and should be prioritized given the high confidentiality impact rating.
Format string exploitation in Dell PowerProtect Data Domain enables remote high-privileged attackers to disclose memory contents and crash the service across multiple concurrent release trains. Affected versions span the mainline (7.7.1.0-8.7), LTS2026 (8.6.1.0-8.6.1.10), LTS2025 (8.3.1.0-8.3.1.30), and LTS2024 (7.13.1.0-7.13.1.70) branches, creating broad organizational exposure for enterprises running any supported Data Domain release. No public exploit or confirmed active exploitation has been identified at time of analysis; the mandatory high-privilege prerequisite substantially constrains the realistic attacker pool.
Server-Side Request Forgery in WP Import Export Lite (all versions ≤ 3.9.30) allows authenticated administrators to bypass WordPress's native SSRF protections and reach internal network resources, including cloud instance metadata endpoints. The bypass exploits a design flaw: when WordPress's wp_safe_remote_get() correctly blocks a private-range URL and returns a WP_Error, the plugin's Download::download_file() method interprets that error as a cue to retry the original attacker-supplied URL via GuzzleHttp with no filtering and TLS verification disabled. No public exploit is identified at time of analysis and no CISA KEV listing exists, but the cloud credential theft scenario on hosted WordPress environments elevates practical impact beyond the 5.5 base score.
Server-side request forgery in Microsoft Edge (Chromium-based) versions before 150.0.4078.48 enables unauthenticated remote attackers to perform network spoofing by inducing the browser to issue forged requests on behalf of a victim. The attack requires user interaction - a victim must visit or interact with attacker-controlled content - after which the browser can be coerced into making unauthorized requests that manipulate resource integrity or availability. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; a vendor-released patch is available.
Arbitrary shortcode execution in the CURCY Multi Currency for WooCommerce WordPress plugin (versions up to and including 2.2.14) allows unauthenticated attackers to invoke any registered WordPress shortcode by sending a crafted request to a vulnerable action handler in frontend/cache.php. The root cause is a failure to validate the shortcode value before passing it to do_shortcode(), meaning any shortcode registered on the site - including those that expose user data, perform database queries, or render sensitive page content - can be triggered without authentication. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, though the low attack complexity and zero-authentication requirement elevate practical risk above what the moderate CVSS score suggests.
Keycloak's ClientResource admin API component, when Fine-Grained Admin Permissions v2 (FGAP v2) is enabled, permits a delegated administrator to attach or detach hidden client scopes that fall outside their authorized management boundary. By injecting unauthorized scopes into client configurations, an attacker can manipulate the contents of OAuth2/OIDC security tokens issued to end-users, causing downstream applications to grant privilege levels beyond what the original access policy intended. No public exploit is identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the token-injection impact class carries meaningful risk in federated identity deployments.
Unauthenticated booking data tampering in MotoPress Appointment Booking for WordPress (all versions ≤ 2.4.4) allows remote attackers to overwrite the customer name, email, phone number, and customer_id of any victim booking that has not yet been confirmed. The REST endpoint POST /motopress/appointment/v1/bookings is registered with permission_callback set to '__return_true', bypassing all WordPress capability checks, and the createBooking handler blindly trusts an attacker-supplied payment_details.booking_id to load and persist an existing booking without any ownership verification (CWE-639). No public exploit code or CISA KEV listing is confirmed at time of analysis, but the attack is trivially executable by any unauthenticated network attacker given the also-public booking enumeration endpoint.
Authorization bypass in the LatePoint Calendar Booking Plugin for WordPress (all versions through 5.6.1) permits unauthenticated attackers to overwrite customer PII - first name, last name, phone number, and notes - on any existing customer record, including those associated with administrator accounts, by submitting the public booking form with a known or guessed target email address. The attack is gated by a specific non-default plugin configuration (guest bookings enabled), meaningfully narrowing the realistic exposure surface. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
webpack-dev-server 5.2.5 and earlier crash the entire Node.js host process when an unauthenticated remote peer sends either an HTTP request with a malformed Host header or a WebSocket upgrade to the /ws endpoint with a malformed Origin header. The malformed value bypasses graceful error handling in the host-validation path, triggering an uncaught exception that terminates the dev server process entirely. Impact is confined to availability - no confidentiality loss and no code execution occur despite a misleading 'RCE' tag in the source intelligence, which appears to be a mislabeling inconsistent with the vendor description and CVSS vector (C:N/I:N). No public exploit or CISA KEV listing exists at time of analysis.
Information disclosure in DeepMyst Mysti's Per-Project Auto-Memory Handler allows low-privileged remote attackers to expose resources by supplying a manipulated workspacePath argument to the initProjectMemory function in src/managers/MemoryManager.ts. EUVD-2026-41610 confirms versions 0.1 through 0.4.0 are affected. No active exploitation (CISA KEV) or public exploit code has been identified at time of analysis; the CVSS 4.0 score of 5.3 reflects a limited, confidentiality-only impact with no integrity or availability consequences.
Heap-based buffer overflow in PHP's OpenSSL extension affects all maintained PHP branches (8.2.x, 8.3.x, 8.4.x, 8.5.x) when the AES key-wrap-with-padding (AES-WRAP-PAD) algorithm per RFC 5649 is invoked. The output buffer is allocated based only on plaintext length, omitting the mandatory RFC 5649 padding expansion, causing OpenSSL to write beyond the allocated heap region, corrupt heap metadata, and abort the process. No public exploit has been identified at time of analysis; vendor-released patches are available for all affected branches.
Authorization bypass in the Ninja Forms - File Uploads WordPress plugin (all versions through 3.3.29) allows unauthenticated remote attackers to read all plugin debug log entries stored in the wp_nf3_log database table or permanently delete every row from that table. The flaw originates from the plugin's failure to verify whether a requesting user holds any authorization before processing debug log actions, as confirmed by Wordfence with a direct reference to the vulnerable DebugLog.php route. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths.
Physical-access authentication bypass in Dell Client Platform BIOS (CWE-305) affects a sweeping range of Dell consumer, gaming, and enterprise platforms - including Inspiron, Alienware, Latitude, OptiPlex, and Precision lines. An unauthenticated attacker with physical access and the ability to meet high-complexity attack conditions can bypass the primary BIOS authentication mechanism, resulting in information disclosure and, per the CVSS integrity metric (I:H), potential high-integrity impact. Notably, the declared impact in the description is limited to 'Information Disclosure' while the supplied CVSS vector assigns I:H, a discrepancy that warrants clarification from Dell's advisory DSA-2026-195. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog.
Gitea versions before 1.25.5 look up tracked-time entries by time ID without scoping the lookup to the issue in the request URL, allowing deletion attempts to target entries from another issue.
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.
Symlink-following vulnerability in Dell PowerProtect Data Domain allows a high-privileged remote attacker to traverse outside intended file paths and read arbitrary files, resulting in information disclosure. Multiple version branches are affected, including the current mainstream 8.7 release, LTS2026 builds through 8.6.1.10, LTS2025 builds through 8.3.1.30, and LTS2024 builds through 7.13.1.70. Dell published advisory DSA-2026-278 addressing this issue; no public exploit code or active exploitation has been identified at time of analysis.
SQL injection in the Cookie Banner for GDPR/CCPA - WPLP Cookie Consent WordPress plugin (all versions up to and including 4.3.5) enables authenticated administrators to append arbitrary SQL clauses to existing queries via the unescaped 's' search parameter in the admin data-request table interface. The vulnerable code spans at least four distinct query paths in class-wpl-data-req-table.php (lines 322, 377, 492, and 513), each failing to sanitize or properly prepare user-supplied input before use in database queries. No public exploit or CISA KEV listing has been identified at time of analysis; the high privilege requirement (WordPress administrator) substantially constrains real-world attack surface.
Cross-site request forgery in webpack-dev-server 5.2.5 and earlier allows any website visited by a developer to silently invoke two unauthenticated state-changing endpoints - `/webpack-dev-server/open-editor` and `/webpack-dev-server/invalidate` - via simple browser-initiated GET requests that carry no CSRF protection. An attacker controlling a web page visited during an active dev session can open arbitrary local files in the developer's editor (including files outside the project root) and trigger repeated forced recompilations that degrade workstation performance. No public exploit has been identified at time of analysis, and exploitation is confined to developer workstations rather than production infrastructure.
Dell PowerProtect Data Domain exposes sensitive file content to high-privileged local attackers through a symlink-following flaw (CWE-59), where the application fails to validate link targets before file access. Affected versions span multiple release trains including the current 8.x mainline and LTS branches. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Link-following exploitation in Dell PowerProtect Data Domain enables a high-privileged local attacker to read files outside their intended access scope by manipulating symbolic or hard links before file access operations resolve. Affected across multiple release trains - mainline 7.7.1.0 through 8.6, LTS2026 8.6.1.10 and below, LTS2025 8.3.1.30 and below, and LTS2024 7.13.1.70 and below. No public exploit code or active exploitation confirmed at time of analysis; risk is bounded by the requirement for pre-existing high-privilege local access.
Path traversal in Dell PowerProtect Data Domain allows a locally authenticated high-privileged attacker to read files outside restricted directories, resulting in information disclosure. Affected deployments span multiple release trains - standard releases 7.7.1.0 through 8.6, LTS2026 8.6.1.0-8.6.1.10, LTS2025 8.3.1.0-8.3.1.30, and LTS2024 7.13.1.0-7.13.1.70. No public exploit identified at time of analysis; the low CVSS score of 2.3 correctly reflects the high privilege and local access prerequisites that substantially constrain real-world exploitation scope.
Incorrect permission assignment on a critical resource in Dell PowerProtect Data Domain exposes sensitive data to high-privileged local attackers across a broad range of supported release trains. The flaw (CWE-732) means a resource - likely a file, directory, or configuration object - carries overly permissive access controls, allowing a local attacker operating with elevated privileges to read data they are not authorized to access. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the breadth of affected versions (seven release trains spanning 2024-2026 LTS and mainline builds) increases aggregate exposure across enterprise backup environments.
Insufficient UI warning of dangerous operations in Microsoft Edge (Chromium-based) before version 150.0.4078.48 enables network-based spoofing attacks against users who interact with adversary-controlled content. Per the CVSS vector (PR:N, UI:R), an unauthenticated remote attacker can exploit this flaw without any privileges, but requires the victim to interact with the browser during the attack. No public exploit identified at time of analysis; the Medium CVSS score of 4.3 and confidentiality-only impact (C:L) reflect a bounded but real risk primarily useful for phishing, credential harvesting, or identity spoofing scenarios.
Gitea's repository RSS and Atom feed endpoints fail to enforce API token scope checks, exposing private repository commit metadata to any holder of a valid but under-privileged API token. Versions up to and including 1.26.2 are affected; the flaw is classified as CWE-863 (Incorrect Authorization) with a CVSS score of 4.3. No public exploit code or CISA KEV listing exists at time of analysis; vendor-released patches are available in v1.26.3 and v1.26.4.
{id}/emails endpoint then honors that nonce without an ownership check. Attackers exploiting this can overwrite victim quiz result pages and redirect quiz notification emails to attacker-controlled addresses - a vector for targeted phishing against quiz respondents. No public exploit or CISA KEV listing has been identified at time of analysis, but the Wordfence disclosure includes direct source-code references that substantially lower the barrier to exploitation.
Insecure Direct Object Reference in the Ad Inserter WordPress plugin (versions up to and including 2.8.16) allows authenticated Contributor-level users to read the full content of arbitrary posts they do not own or have permission to view, including Private, Draft, Pending, Trashed, and password-protected posts. The flaw exists in the shortcode processing function replace_ai_tags(), which fetches post content by a user-supplied numeric ID without any authorization check, post-type restriction, or status filtering. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
Local File Inclusion in the RTMKit (rometheme-for-elementor) plugin for WordPress versions up to and including 2.0.7 allows authenticated attackers with Contributor-level access to include and execute arbitrary PHP code on the server. The render_templates AJAX endpoint passes the unsanitized 'template' parameter directly into a PHP require/include statement, restricted only to files ending in _templates.php. Wordfence reported this vulnerability; no public exploit code or CISA KEV listing is present at time of analysis.
Missing authorization on the BetterDocs-to-weDocs migration AJAX endpoint in the weDocs WordPress plugin (versions up to and including 2.3.0) allows any authenticated subscriber-level user to trigger a full data migration, manipulate documentation content, alter site options, and forcibly deactivate installed BetterDocs and BetterDocs Pro plugins. The vulnerable `do_migration()` function registered under the `wedocs_migrate_betterdocs_to_wedocs` AJAX action performs neither a nonce check via `check_ajax_referer()` nor a privilege check via `current_user_can()`, exposing sensitive administrative operations to the lowest authenticated user tier. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Keycloak's Fine-Grained Admin Permissions v2 (FGAP v2) fails to enforce group-level authorization when a restricted administrator queries role-to-group assignments, exposing group names and custom attributes beyond the admin's intended scope. Restricted admins holding only role-view permission can enumerate all groups assigned to that role, bypassing the group-level access controls that FGAP v2 is designed to enforce. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog; however, the EPSS risk is compounded in deployments where group attributes carry sensitive operational metadata.
Unauthorized child group disclosure in Red Hat Build of Keycloak's Fine-Grained Admin Permissions v2 (FGAP v2) exposes group names, paths, and custom attributes to delegated administrators who lack direct authorization over those child groups. When FGAP v2 is enabled and a delegated admin queries child groups through a parent group endpoint, the system omits the required per-permission filter, returning records that should be outside the caller's scope. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, placing it in the category of a low-severity information disclosure risk that is nonetheless significant in multi-tenant IAM environments where group attribute confidentiality matters.
Improper access control in the RBAC implementation of Dell PowerProtect Data Domain allows a low-privileged authenticated remote attacker to tamper with information beyond their authorized role scope. Affected releases span the main 7.7.1.0-8.6 line and three LTS tracks covering LTS2024, LTS2025, and LTS2026. No public exploit code has been identified and exploitation has not been confirmed by CISA KEV, placing this as a medium-priority issue requiring patch scheduling rather than emergency response.
Race condition in Microsoft Edge (Chromium-based) permits a locally authenticated, low-privileged attacker to disclose information beyond the intended security boundary, with the CVSS scope change (S:C) indicating impact can extend outside the directly vulnerable component - potentially across process or sandbox boundaries within the browser. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, placing it in a lower operational priority tier despite the scope change. Microsoft has released a patch via the MSRC advisory.
Two off-by-one errors in FreeIPA's ipa-otpd daemon expose RHEL 6 through 10 deployments configured with an external OAuth2/OIDC Identity Provider to out-of-bounds memory access during the device authorization flow. An attacker who controls or can man-in-the-middle the configured IdP endpoint can serve an oversized authorization response, triggering CWE-787 writes or reads one byte past a fixed-size buffer boundary. The most probable outcome is denial of service of the ipa-otpd daemon; no public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog.
Incorrect authorization in Dell PowerProtect Data Domain permits a high-privileged local attacker to execute commands outside their authorized scope across a broad span of affected versions covering the main release line and all three active LTS branches. The root cause (CWE-863) indicates the appliance's Data Domain OS fails to enforce authorization boundaries correctly for certain operations accessible to already-elevated users, enabling privilege escalation within an authenticated administrative session. No public exploit code or active exploitation is confirmed at time of analysis; the CVSS 4.2 Medium score accurately reflects the significant access prerequisites - local presence plus high-level credentials - required to trigger the flaw.
XML External Entity injection in Apache Lucene.Net's PatternParser component (Lucene.Net.Analysis.Common library) allows attackers who can supply XML input to the parser to read arbitrary files from the host filesystem or trigger server-side request forgery. Affected deployments span versions 4.8.0-beta00005 through 4.8.0-beta00017. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the well-understood XXE attack class combined with the availability of a fix version makes patching straightforward and strongly advisable.
Information exposure in Dell PowerProtect Data Domain across multiple release tracks allows a low-privileged local attacker to read sensitive residual data via an uninitialized memory resource (CWE-908). The flaw spans the mainline 7.7.1.0-8.7 branch and three LTS tracks (LTS2024, LTS2025, LTS2026), confirmed by Dell via advisory DSA-2026-278. No public exploit code exists and no active exploitation has been identified; the CVSS 3.3 score and local-only attack vector place this firmly in the low-severity tier.