Out-of-bounds read in ONNX versions up to 1.21.x exposes limited memory contents to low-privileged remote attackers via the convPoolShapeInference_opset19 shape inference function. The CVSS 4.0 score of 2.1 reflects minimal real-world impact - confidentiality-only, low severity - yet a public proof-of-concept is available via GitHub issue #8036. No active exploitation has been confirmed by CISA KEV, and an upstream patch exists at commit a7bf3a0f1d18bb62575236ef6e4944980c40e045 via PR #8051.
Protection mechanism failure in NousResearch hermes-agent (≤ 0.15.2) allows remote authenticated attackers to bypass shell execution controls via the shell.exec function in tui_gateway/server.py, resulting in low-level confidentiality, integrity, and availability impact. The vulnerability is classified under CWE-693 and carries a CVSS 4.0 score of 5.3 (Medium), with a publicly available proof-of-concept exploit hosted on GitHub. No patch has been issued - the vendor did not respond to the researcher's disclosure - meaning all deployments of hermes-agent up to and including version 0.15.2 remain exposed.
SQL injection in itsourcecode Hospital Management System 1.0 exposes patient records to partial disclosure and modification via the `editid` parameter in `/patient.php`. The CVSS 4.0 vector (PR:L) confirms exploitation requires a low-privilege authenticated session, limiting the immediate attack surface to users who can log in. A public proof-of-concept exploit exists (E:P), elevating practical risk above the base score of 5.3, though no CISA KEV listing confirms active exploitation at time of analysis.
SQL injection in itsourcecode Hospital Management System 1.0 allows low-privileged authenticated remote attackers to manipulate database queries via the `editid` parameter in `/medicine.php`. The attack achieves partial confidentiality, integrity, and availability impact against the underlying database. A public proof-of-concept exploit has been published (tracked via GitHub issue), lowering the barrier for exploitation; however, no active exploitation has been confirmed by CISA KEV at time of analysis.
Cross-site scripting (XSS) in code-projects Assessment Management 1.0 allows a remote attacker with administrative credentials to inject malicious scripts via the User parameter in admin/view-users.php, executing arbitrary JavaScript in the browser context of users who view the affected admin page. The CVSS 4.0 vector (PR:H, UI:P) confirms exploitation is gated behind high-privilege authentication and requires a victim to load the tampered page. A public proof-of-concept exploit exists on GitHub, though no active exploitation or CISA KEV listing has been identified at time of analysis.
Denial-of-service in the grass Sass compiler (up to v0.13.4) allows a local attacker with low privileges to trigger exponential resource consumption via a crafted stylesheet using the CSS @extend directive. The affected functions are grass_compiler::selector::extend and grass_compiler::evaluate::visitor, where the @extend algorithm's inherently exponential complexity can be exploited with a maliciously constructed input to hang or crash the compiler process. A public exploit has been disclosed; however, the project maintainer explicitly contests the severity, noting that DoS conditions are an accepted and expected limitation of Sass compilers by design.
SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the database to remote query manipulation via the `user_id` parameter in `/admin/girlsproductdeletequery.php`. The CVSS 4.0 vector rates this as network-exploitable with no authentication required (PR:N), though the `/admin/` path location raises questions about whether authentication is enforced in practice - a discrepancy worth verifying in deployment. A publicly available exploit exists per VulDB, though the vulnerability is not listed in CISA KEV and the overall CVSS 4.0 score of 5.5 reflects limited impact across confidentiality, integrity, and availability.
Path traversal in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows authenticated remote attackers to manipulate filesystem paths via the unsanitized `folder` argument in the Vendor Image Manager's `do_upload_others_images` function. The flaw in `application/modules/vendor/controllers/AddProduct.php` permits directory traversal sequences to redirect file-write operations outside the intended upload directory, resulting in limited integrity and availability impact. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.
Session data exposure in FederatedAI FATE's OSX Broker gRPC component allows an authenticated federated party to manipulate session routing arguments and access data belonging to a different federated session. Affected versions extend through FATE 2.2.0, specifically in the QueuePushReqStreamObserver.initEggroll method within the Java-based OSX Broker. No public exploit confirmed active exploitation (not in CISA KEV), though exploit code has been publicly disclosed via a GitHub issue, and the CVSS 4.0 score of 2.3 reflects the high attack complexity and limited confidentiality impact.
The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Weak session hash generation in ForceInjection AI-fundermentals 2.0 and 3.0 exposes conversation history belonging to other users in shared deployments. The `get_conversation_history` function in the Memory Recall Handler generates `sessionowner` tokens using a cryptographically weak hash algorithm (CWE-328), allowing a low-privileged authenticated attacker to predict or brute-force another user's session identifier and retrieve their prior conversation records. A publicly available exploit exists per GitHub issue #17 and the CVSS 4.0 E:P modifier, though the high attack complexity (AC:H) and low overall score of 2.3 indicate exploitation is difficult and impact is limited to partial confidentiality loss - no integrity or availability impact is present.
Cross-tenant consent leakage in WSO2 Identity Server and WSO2 API Manager multi-tenant deployments lets a SaaS application in one tenant inherit OAuth/OpenID consent that a user granted to a same-named application in a different tenant, breaking tenant isolation of authorization scopes. Because matching is done by application name rather than a tenant-scoped identifier, an application in attacker-controlled tenant B can read and modify a victim's data in tenant A without that user's explicit authorization. No active exploitation is reported (not in CISA KEV, EPSS 0.15%/4th percentile) and no public exploit is identified, but a vendor patch is available.
Stored cross-site scripting in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows remote unauthenticated attackers to inject malicious scripts via the title or description arguments of the hidden REST API endpoint /index.php/api/product/set, executing arbitrary JavaScript in the browsers of users who subsequently view the affected product data. A public exploit has been disclosed (CVSS 4.0 E:P), though the low CVSS 4.0 score of 2.1 and the user-interaction requirement constrain practical impact. No active exploitation is confirmed by CISA KEV, and a patch commit is available in the project repository.
Denial of service in NousResearch hermes-agent (versions up to 2026.4.30) is triggered by manipulating the `todos` argument passed to the `AIAgent.run_conversation` function via the HTTP API in `run_agent.py`. An authenticated remote attacker can send a crafted request to crash or resource-exhaust the agent process, disrupting availability for legitimate users. No public exploit identified at time of analysis is incorrect here - a public exploit exists (E:P in CVSS 4.0 vector; GitHub Gist referenced), and the vendor has not responded to disclosure, leaving no patch available.
SQL injection in CodeAstro Ecommerce Website 1.0 exposes authenticated customers to database manipulation via the c_name parameter on the account-editing endpoint. The vulnerability was publicly disclosed with a proof-of-concept exploit referenced on GitHub, meaning exploitation tooling is accessible. Impact is assessed as limited scope - low confidentiality, integrity, and availability - but network reachability and the public PoC raise opportunistic risk for unpatched deployments.
Uncontrolled memory allocation in HdrHistogram up to version 2.2.2 allows a local attacker with low-privilege access to crash a dependent Java application by supplying a crafted `lengthOfCompressedContents` value to the `decodeFromCompressedByteBuffer` function, exhausting JVM heap space and causing a denial-of-service. A public proof-of-concept exists (E:P per CVSS 4.0), though the vulnerability is not listed in CISA KEV, indicating no confirmed widespread active exploitation. The CVSS 4.0 score of 1.9 reflects the strictly local attack vector and limited impact scope - only availability at the vulnerable system level is affected.
Local denial-of-service in the grass Rust-based Sass compiler (versions up to and including 0.13.4) is triggerable by a local, low-privileged user who supplies crafted UTF-8 input to the `grass_compiler::raw_to_parse_error` function. Publicly available exploit code exists (CVSS 4.0 E:P), though no CISA KEV listing has been issued. The project maintainer has explicitly stated in Issue #117 that DoS in Sass compilers is considered acceptable behavior due to the inherently exponential nature of the @extend algorithm and other compile-time constructs, significantly reducing the urgency of a vendor-released fix.
In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation path In __ip6_append_data(), when the paged-allocation branch is taken (MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are computed as alloclen = fragheaderlen + transhdrlen; pagedlen = datalen - transhdrlen; datalen already includes fraggap (datalen = length + fraggap). When fraggap is non-zero, this is not the first skb and transhdrlen is zero. The fraggap bytes carried over from the previous skb are copied just past the fragment headers in the new skb's linear area. The linear area is therefore undersized by fraggap bytes while pagedlen is overstated by the same amount, and the copy writes past skb->end into the trailing skb_shared_info. An unprivileged user can trigger this via a UDPv6 socket using MSG_MORE together with MSG_SPLICE_PAGES. The bad accounting was introduced by commit 773ba4fe9104 ("ipv6: avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix __ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative copy value caused -EINVAL to be returned. That later commit allowed MSG_SPLICE_PAGES to proceed in this case, making the corruption triggerable. The non-paged branch sets alloclen to fraglen, which already accounts for fraggap because datalen does. Bring the paged branch in line by adding fraggap to alloclen and subtracting it from pagedlen. After this adjustment, copy no longer collapses to -fraggap on the paged path, so remove the stale comment describing that old arithmetic. Since a negative copy is no longer expected for a valid MSG_SPLICE_PAGES case, remove the MSG_SPLICE_PAGES exception from the negative copy check.
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix shadow paging use-after-free due to unexpected role Commit 0cb2af2ea66ad ("KVM: x86: Fix shadow paging use-after-free due to unexpected GFN") fixed a shadow paging mismatch between stored and computed GFNs; the bug could be triggered by changing a PDE mapping from outside the guest, and then deleting a memslot. The rmap_remove() call would miss entries created after the PDE change because the GFN of the leaf SPTE does not match the GFN of the struct kvm_mmu_page. A similar hole however remains if the modified PDE points to a non-leaf page. In this case the gfn can be made to match, but the role does not match: the original large 2MB page creates a kvm_mmu_page with direct=1, while the new 4KB needs a kvm_mmu_page with direct=0. However, kvm_mmu_get_child_sp() does not compare the role, and therefore reuses the page. The next step is installing a leaf (4KB) SPTE on the new path which records an rmap entry under the gfn resolved by the walk. But when that child is zapped its parent kvm_mmu_page has direct=1 and kvm_mmu_page_get_gfn() computes the gfn for the 4KB page as sp->gfn + index instead of using sp->shadowed_translation[] (or sp->gfns[] in older kernels). It therefore fails to remove the recorded entry. When the memslot is dropped the shadow page is freed but the rmap entry survives, as in the scenario that was already fixed. Code that later walks that gfn (dirty logging, MMU notifier invalidation, and so on) dereferences an sptep that lies in the freed page, causing the use-after-free.
In the Linux kernel, the following vulnerability has been resolved: af_unix: Set gc_in_progress to true in unix_gc(). Igor Ushakov reported that unix_gc() could run with gc_in_progress being false if the work is scheduled while running: Thread 1 Thread 2 Thread 3 -------- -------- -------- unix_schedule_gc() unix_schedule_gc() `- if (!gc_in_progress) `- if (!gc_in_progress) |- gc_in_progress = true | `- queue_work() | unix_gc() <----------------/ | | |- gc_in_progress = true ... `- queue_work() | | `- gc_in_progress = false | | unix_gc() <---------------------------------------------' | ... /* gc_in_progress == false */ | `- gc_in_progress = false unix_peek_fpl() relies on gc_in_progress not to confuse GC by MSG_PEEK. Let's set gc_in_progress to true in unix_gc().
In the Linux kernel, the following vulnerability has been resolved: KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use As per the GHCB spec, when using GHCB v2+ require the software scratch area to reside in the GHCB's shared buffer. Note, things like Page State Change (PSC) requests _rely_ on this behavior, as the guest can't provide a length when making the request, i.e. the size of the guest payload is bounded by the size of the shared buffer. Failure to force usage of the GHCB, and a slew of other flaws, lets a malicious SNP guest corrupt host kernel heap memory, and leak host heap layout information. setup_vmgexit_scratch() allocates a buffer via kvzalloc(exit_info_2), where exit_info_2 is guest-controlled. With exit_info_2=24, this yields a 24-byte allocation in kmalloc-cg-32 (32-byte slab objects). The buffer holds an 8-byte psc_hdr followed by 8-byte psc_entry structs, so only entries[0] and entries[1] are in-bounds. snp_begin_psc() validates end_entry against VMGEXIT_PSC_MAX_COUNT (253) but NOT against the actual buffer size: idx_end = hdr->end_entry; if (idx_end >= VMGEXIT_PSC_MAX_COUNT) { // checks 253, not buffer snp_complete_psc(svm, ...); return 1; } for (idx = idx_start; idx <= idx_end; idx++) { entry_start = entries[idx]; // OOB when idx >= 2 The guest sets end_entry=10+, causing the host to iterate entries[2+] which are OOB into adjacent slab objects. For each OOB entry: - The host reads 8 bytes (OOB READ / info leak oracle) - If the data passes PSC validation, __snp_complete_one_psc() writes cur_page = 1 or 512 into the entry (OOB WRITE, sev.c:3806) - If validation fails, the error response reveals whether adjacent memory is zero vs non-zero (information disclosure to guest) The guest controls allocation size (exit_info_2), entry range (cur_entry/end_entry), and can fire unlimited VMGEXITs to repeatedly hit different slab positions. By exploiting the variety of bugs, a malicious SEV-SNP guest can: - OOB read adjacent kmalloc-cg-32 objects (heap layout disclosure) - OOB write cur_page bits into adjacent objects (heap corruption) - Trigger use-after-free conditions across VMGEXITs E.g. with KASAN enabled, a single insmod of the PoC guest module produces 73 KASAN reports: BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x126/0x890 Read of size 8 at addr ffff888219ffb5e0 by task qemu-system-x86/2199 BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x468/0x890 Write of size 8 at addr ffff888351566648 by task qemu-system-x86/2199 The buggy address belongs to the object at ffff888XXXXXXXXX which belongs to the cache kmalloc-cg-32 of size 32 The buggy address is located N bytes to the right of allocated 32-byte region [ffff888XXXXXXXXX, ffff888XXXXXXXXX) Breakdown: 62 slab-out-of-bounds (reads + writes past allocation) 7 slab-use-after-free 4 use-after-free All credit to Stan for the wonderful description and reproducer! [sean: write changelog]