Denial of service in the mruby/c lightweight Ruby VM (all releases through 3.4.1) arises from a NULL pointer dereference in op_super()/OP_SUPER within src/vm.c, where a runtime guard for a top-level 'super' call is missing. When the interpreter executes a script that invokes 'super' outside of any method context, the VM dereferences a NULL pointer and crashes. There is no public exploit identified at time of analysis, and the low EPSS score (0.15%, 5th percentile) reflects limited exploitation interest; impact is confined to availability (CWE-476).
Confused-deputy operation redirection in the Apache Camel camel-cxf SOAP component (versions 4.0.0 before 4.14.8, 4.15.0 before 4.18.3, and 4.19.0 before 4.21.0) lets an attacker steer which backend SOAP operation gets invoked. Because the operationName / operationNamespace selection headers lacked the Camel/camel prefix, HttpHeaderFilterStrategy failed to strip them at the HTTP boundary, so in any route bridging an HTTP consumer (e.g. platform-http) into a cxf: producer, an HTTP client could inject these headers and force CxfProducer to call a different WSDL operation than intended - for example swapping a read for a destructive write. No public exploit is identified at time of analysis, EPSS is low (0.15%), and it is not in CISA KEV.
Uncontrolled memory consumption in the Perl module Imager::File::JPEG (before 1.003, and bundled in Imager before 1.032) lets remote attackers exhaust process memory by submitting a JPEG containing many repeated APP13 (Photoshop/IPTC) markers. The i_readjpeg_wiol handler leaks the heap payload of every APP13 marker except the last on each read, so long-lived services that decode attacker-supplied images accumulate leaks until the process is killed, causing denial of service. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the fix (Imager::File::JPEG 1.003 / Imager 1.032) is available and the trigger is trivial to craft.
Account takeover in Coder's OIDC login (versions before v2.34.2, v2.33.8, v2.32.7, and ESR v2.29.17) lets an attacker who controls a matching email address at the configured identity provider log in as a victim and seize their workspaces, templates and resources. Two chained flaws are responsible: email-based user matching silently linked accounts by email without verifying an existing IdP-subject link, and the email_verified claim was only honored when explicitly boolean false, so absent or malformed claims were treated as verified. CVSS is 7.4 (High) with no public exploit identified at time of analysis; the issue was privately reported by Anthropic's Security Team.
Account takeover in Coder's OIDC login flow allows an unauthenticated remote attacker to hijack an existing user account by registering the victim's email at a compatible identity provider. A Go `bool` type assertion on the `email_verified` claim failed open when an IdP returned the claim as a non-boolean (e.g. the string "false") or omitted it entirely, and an unconditional email-based account fallback then matched the attacker's session to the victim's account. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was privately disclosed by Anthropic's Security Team and fixed across all supported release lines.
Man-in-the-middle interception affects the Coder AI Bridge Proxy (aibridgeproxyd), introduced in Coder v2.30.0, where the goproxy default transport set InsecureSkipVerify:true and only used a secure transport when an upstream proxy was configured. In the default no-upstream-proxy configuration, outbound HTTPS to the Coder access URL accepted any TLS certificate, letting an on-path attacker decrypt traffic and steal Coder session tokens, BYOK provider API keys, and full prompt/completion bodies. CVSS 7.4 (High); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, so risk hinges on an attacker already holding a network-adjacent position.
Improper input validation in Apache Camel (versions through 4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.0) allows remote attackers to trigger information disclosure and limited integrity/availability effects against exposed Camel integration endpoints. The CVSS 3.1 base score is 7.3 (High) with a fully remote, unauthenticated vector, and the Apache-issued advisory tags the flaw as Information Disclosure. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-privilege vector warrants prompt patching.
Improper input validation in Apache Camel - the open-source Java integration framework - affects versions through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.0, and per the Apache-published advisory carries partial (Low) impact to confidentiality, integrity, and availability. Tagged as an Information Disclosure issue, it is remotely reachable per the CVSS network vector and appears to let a remote attacker submit malformed input that the framework fails to properly validate, potentially exposing limited data or perturbing message processing. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Improper input validation in Apache Camel versions 4.8.0 through 4.18.2 and 4.19.0 through 4.20.0 allows remote unauthenticated attackers to send crafted input that the framework fails to validate, yielding limited information disclosure and partial integrity/availability impact per the CVSS vector. The flaw is reported directly by the Apache Software Foundation and is fixed in 4.18.3 and 4.21.0; there is no public exploit identified at time of analysis and it is not on the CISA KEV list. The moderate 7.3 (High) score reflects easy network reachability but limited per-impact severity (C:L/I:L/A:L).
Untrusted JMS deserialization in Apache Camel's JMS-family components (camel-jms, camel-sjms, camel-sjms2, camel-amqp, camel-activemq, camel-activemq6) lets an attacker who can publish an ObjectMessage to a consumed queue or topic inject arbitrary Exchange state - body, IN/OUT headers, properties, variables, exchange id and exception - into a Camel route. It affects 3.0.0 through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.x when mapJmsMessage (the default) is enabled and Camel acts as a JMS consumer. This is a bypass of the earlier CVE-2026-40860 hardening, requires no gadget chain (only java.lang/java.util types), carries CVSS 7.3, and has no public exploit identified at time of analysis (EPSS 0.18%).
{user}/password, because the endpoint only checked ActionUpdatePersonal and never required the current password when an admin reset another user. A user-admin can therefore hijack an owner account and gain full deployment control, including self-assigning the owner role. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the practical blast radius is bounded by the need to already hold the privileged user-admin role.
Local privilege escalation and memory corruption in Qualcomm Snapdragon chipset drivers allows a malicious application to trigger a use-after-free by issuing multiple IOCTL calls that reference the same buffer file descriptor. The flaw affects a broad range of Snapdragon mobile, compute, connectivity (FastConnect/WCN/WCD/WSA) and XR platforms, and successful exploitation can corrupt kernel memory to gain high impact on confidentiality, integrity and availability. There is no public exploit identified at time of analysis, EPSS risk is very low (0.09%), and CISA SSVC rates exploitation as none.
Brute-force protection bypass in the 9router dashboard (npm package 9router) lets remote attackers defeat the login lockout by rotating the attacker-controlled X-Forwarded-For header on each request, giving every attempt a fresh rate-limit bucket. Because the CVSS vector is PR:N/UI:N, unauthenticated remote attackers can target any instance directly exposed or sitting behind a proxy that does not overwrite forwarding headers, enabling unlimited password guessing and, against default or weak credentials, full administrative takeover. A working exploit is published in the GitHub Security Advisory (GHSA-7cfm-pqrj-xgq7); the issue is not listed in CISA KEV and no EPSS score was provided.
Cross-site scripting in Roundcube Webmail allows remote attackers to inject arbitrary script into a victim's authenticated mail session, with the CVSS scope-change flag indicating the payload can affect resources beyond the vulnerable component (e.g. the surrounding webmail DOM/session). The flaw was fixed in releases 1.6.17 and 1.7.2 announced on 2026-07-05 and was reported through Ubuntu's security tracker; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is rated CVSS 7.2 driven largely by the scope change, though confidentiality and integrity impact are each only Low and availability is unaffected.
Protocol injection in NATS Server MQTT support allows an authenticated MQTT client to smuggle control characters (tab, newline, carriage return, form feed) inside publish and Will topics, which corrupt the NATS wire protocol when the topic is converted to a NATS subject and forwarded across leaf node connections. Fixed in nats-server v2.12.9 and v2.14.1, the flaw (GHSA-qrcv-3558-gj4f, CWE-74) is tagged Information Disclosure and lets a low-privileged publisher influence how messages are framed and routed to other connections. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Denial of service in vLLM 0.12.0 through 0.23.x lets any authorized API caller crash the entire inference server by submitting a pure prompt-embeddings payload to the /v1/completions endpoint when a model using M-RoPE (multimodal rotary position embedding) is loaded. The malformed request trips a reachable assertion in the EngineCore process, which terminates the whole server rather than rejecting the single request. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw is fixed in vLLM 0.24.0.
Arbitrary file write via path traversal in pnpm prior to 10.34.4 and 11.7.0 lets a crafted lockfile place or overwrite files outside the intended hoisted node_modules directory when a victim installs dependencies. A malicious pnpm-lock.yaml can supply an alias containing traversal sequences (e.g. ../) to escape the module directory, or use reserved aliases like .bin or .pnpm to clobber pnpm-owned layout, enabling integrity compromise of the install tree. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is remotely deliverable through shared repositories or packages and requires only that a user run an install.
Arbitrary file deletion in pnpm before 10.34.4 and 11.7.0 allows a malicious project to delete any file reachable by the user when they run 'pnpm patch-remove'. A crafted patch entry escapes the configured patches directory via path traversal (CWE-22), so cloning or installing an attacker-controlled repository and running the patch-remove command destroys files outside the project. No public exploit identified at time of analysis and it is not on CISA KEV; exploitation requires the victim to run the specific command against poisoned configuration.
Sensitive key material can be exposed in Qualcomm Snapdragon platforms because AES-GCM key wrapping is performed with a hardcoded/static initialization vector instead of a unique per-call nonce. A local, low-privileged attacker who can collect multiple wrapped outputs can exploit the resulting IV/nonce reuse to recover confidentiality and forge integrity of wrapped keys. There is no public exploit identified at time of analysis, and the issue is disclosed via Qualcomm's July 2026 security bulletin.
Server-side request forgery in flyto-core (Python pip package) lets an authenticated workflow author bypass the built-in SSRF guard by encoding internal targets as IPv6 transition-form literals (IPv4-mapped `::ffff:127.0.0.1`, 6to4 `2002::/16`, or NAT64 `64:ff9b::/96`), causing the `http.get` atomic module and ~10 sibling fetch modules to perform outbound reads against loopback, RFC 1918, and cloud instance-metadata endpoints and return the response body. The reporter provides a full working end-to-end reproduction against a clean install of default-branch HEAD, so publicly available exploit code exists, though there is no evidence of active exploitation and no CISA KEV listing. CVSS 3.1 base is 7.1 (High); no EPSS score was supplied.
Heap out-of-bounds read in the Perl Imager module (versions before 1.032) lets a crafted SGI image over-read past a decode buffer and crash the process. The flaw lives in the bundled Imager::File::SGI reader's read_rgb_16_rle routine, where a 16-bit RLE literal run is length-checked in pixels but consumed as two bytes per pixel, defeating the bounds guard. No public exploit is identified at time of analysis and it is not listed in CISA KEV; a vendor patch shipped in 1.032.
Argument injection and directory traversal in Apache Camel's camel-docling component (4.15.0 before 4.18.3) let attackers who can influence the CamelDoclingCustomArguments or path-bearing exchange headers inject unintended docling CLI flags and traversal-laden path values into the externally executed docling tool. Because the original DoclingProducer validation relied on a flag denylist and only rejected literal '../' sequences, crafted arguments could reach the subprocess and resolve files outside the intended directory, yielding high confidentiality and integrity impact but no OS command injection (ProcessBuilder uses the list form, so no shell interprets the values). There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; EPSS is low (0.79%, 52nd percentile).
Information disclosure in SUSE Rancher AI Agent 1.0 before 1.0.2 writes API keys and raw LLM response text (which may contain sensitive data) into logfiles when the DEBUG loglevel is enabled, letting a local attacker with access to those logs harvest credentials and confidential model output. Rated CVSS 4.0 base 7.0, the flaw requires local access and high privileges plus a non-default debug configuration. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation via memory corruption in Qualcomm Snapdragon platforms occurs when asynchronous input parameters are validated and then re-read after modification, a time-of-check/time-of-use race that yields total compromise of confidentiality, integrity, and availability. Affecting a broad range of Snapdragon connectivity, WCD codec, WSA, and compute SoCs, a local low-privileged attacker who can win the race can corrupt memory and gain elevated code execution. No public exploit has been identified at time of analysis and EPSS is negligible (0.09%), but the CVSS 7.0 and 'total' SSVC technical impact make it a meaningful firmware/driver patch target.
Header injection in Traefik's ForwardAuth middleware allows unauthenticated remote attackers to manipulate the X-Forwarded-Port value sent to authentication backends, enabling bypass of port-based authorization checks. Affected are all Traefik v2.x prior to v2.11.51, v3.6.x from 3.0.0 prior to v3.6.22, and v3.7.x from 3.7.0 prior to v3.7.6. The flaw persists even when the trustForwardHeader: false safeguard is active, because the port derivation logic reads the original incoming request rather than the sanitized forwarded context. No public exploit code has been identified at time of analysis, and vendor-released patches are available.
Improper access control in Formbricks 5.0.0 allows remote unauthenticated attackers to bypass authorization checks in the link survey handler, enabling unauthorized manipulation of survey data with limited integrity and availability impact. The flaw resides in the Survey Handler component (apps/web/modules/survey/link/actions.ts) and is tagged as an authentication bypass, confirmed by the CVSS 4.0 PR:N metric indicating no credentials are required. No active exploitation has been confirmed and no public exploit code has been identified; a patch is available as release candidate 5.1.0-rc.1.
Traffic hijacking in Cilium's CiliumLocalRedirectPolicy (CLRP) mechanism allows a cluster user with RBAC permission to create CLRPs to specify arbitrary ClusterIPs via the addressMatcher field, redirecting service traffic across namespace boundaries and circumventing the namespace-scoping guarantees that serviceMatcher is designed to enforce. Affected versions span Cilium v1.17 (all prior to v1.17.16), v1.18.2-v1.18.9, and v1.19.0-v1.19.3. A compounding secondary behavior causes complete service translation failure when a maliciously crafted CLRP is deleted, enabling a denial-of-service condition against any targeted Service. No public exploit has been identified at time of analysis, and exploitation is constrained to users holding elevated cluster RBAC privileges; this is not confirmed actively exploited (CISA KEV).
Unauthenticated mass assignment in FOSSBilling's client self-registration endpoint (all versions prior to 0.8.0) allows any visitor to inject an arbitrary client group identifier during signup, bypassing group-based access controls on promotional codes. Attackers who successfully place themselves into a privileged group can redeem group-restricted discount codes and receive unauthorized price reductions. No public exploit or active exploitation has been identified; the CVSS 4.0 score of 6.9 reflects a limited, integrity-only impact with no confidentiality or availability consequence, and the erroneous 'RCE' source tag should be disregarded as inconsistent with the description and impact metrics.
Unrestricted file upload in Esri ArcGIS Server (all versions through 12.0) lets a remote, unauthenticated attacker push arbitrary files to an exposed administrative/upload endpoint, per CVSS PR:N. Esri self-reported the flaw (CWE-434) and rates it critical (CVSS 9.8), and successful upload of an executable payload can lead to full server compromise. There is no public exploit identified at time of analysis, and EPSS is low (0.22%, 13th percentile), indicating it is not yet a mass-exploitation target.
Race condition in FOSSBilling's cart checkout flow allows authenticated clients to exploit promo codes beyond their configured usage limits by submitting concurrent checkout requests. Affected versions prior to 0.8.0 fail to atomically check and increment promo code usage counts (CWE-367), enabling a single limited-use or one-time-use code to be redeemed unlimited times. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the attack is straightforward to automate for any authenticated user with knowledge of a valid promo code.
SQL injection in FOSSBilling's Massmailer module exposes the application database to read access by authenticated administrators who can supply crafted filter values during mass email message updates. Affected versions span 0.6.0 through 0.7.2, with the fix shipped in version 0.8.0. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the high confidentiality impact (VC:H per CVSS 4.0) means a malicious or compromised administrator account could extract sensitive billing and client data from the underlying database.
Authentication bypass via sessionId spoofing in Apache IoTDB (1.3.3 through versions before 2.0.8) lets a remote, unauthenticated attacker forge the sessionId parameter on certain Thrift RPC query handlers and retrieve valid query results without ever calling openSession. This exposes stored time-series data to arbitrary readers. No public exploit identified at time of analysis, and EPSS is low (0.20%, 10th percentile) despite the 9.1 CVSS, so exploitation is not confirmed in the wild.
Unauthenticated Camel control-header injection in Apache Camel's camel-cometd component (4.0.0 before 4.14.8, 4.15.0 before 4.18.3, and 4.19.0 before 4.21.0) lets any client that completes a Bayeux/CometD handshake inject internal headers such as CamelHttpUri, CamelFileName or CamelJmsDestinationName into the Camel Exchange, hijacking the behaviour of downstream producers. Because a CometdComponent installs no Bayeux SecurityPolicy by default, no authentication is required (PR:N), and the injected headers survive internal direct/seda/vm hops. Reported by Apache with a fix in 4.21.0; there is no public exploit identified at time of analysis and EPSS is low at 0.19% (9th percentile).
Java object deserialization in the Apache Camel camel-pqc component allows code execution in the key-management application when an attacker who can write to the backing AWS Secrets Manager secret stores a malicious serialized payload. The flaw affects Apache Camel 4.18.0-4.18.2 and 4.19.0-4.20.x, where AwsSecretsManagerKeyLifecycleManager.deserializeMetadata() calls a raw ObjectInputStream.readObject() with no class filter, so gadget side effects fire before the KeyMetadata cast. Rated CVSS 9.8 by Apache, but exploitation genuinely requires IAM write access to the specific secret; there is no public exploit identified at time of analysis and EPSS is low at 0.19% (8th percentile).
Authentication token-lifetime bypass in the Apache Camel Keycloak component (camel-keycloak) affects versions 4.18.0-4.18.2 and 4.19.0-4.20.x, allowing expired or not-yet-valid Keycloak access tokens to be accepted as valid. The KeycloakSecurityHelper builds its TokenVerifier via withChecks() with only subject and issuer checks, so Keycloak's IS_ACTIVE exp/nbf validation is never installed, and any route relying on this helper will trust tokens outside their intended lifetime. NVD scores it CVSS 9.8, though EPSS is low (0.15%, 5th percentile) and there is no public exploit identified at time of analysis.
Cross-origin request forgery via CORS same-owner bypass in Coder's subdomain workspace app proxy allows an authenticated attacker to exfiltrate data from a victim's workspace apps. The flaw exists across Coder release lines 2.29 through 2.34, and was disclosed by Anthropic's Security Team. No public exploit exists and no CISA KEV listing is present, but the vulnerability is directly exploitable against any deployment with wildcard subdomain routing enabled, making prompt patching critical for affected configurations.
Cross-boundary information disclosure in Coder's workspace app proxy allows an attacker who controls a shared workspace app to read a victim user's private app responses by forging the X-Forwarded-Host header. The proxy trusts this client-supplied header for routing decisions while simultaneously authorizing the request with the victim's own session cookie - which the browser attaches to any subdomain because cookies are scoped to the wildcard parent domain - enabling the attacker to steer responses from private apps back through their own JavaScript. Exploitation requires subdomain app routing (wildcard hostname) to be enabled and the victim to visit the attacker's shared app; no public exploit code or CISA KEV listing has been identified at time of analysis.
Uncontrolled memory allocation in Coder's provisioner daemon allows an authenticated user to crash the entire coderd deployment with a single ~50-byte network message. The vulnerability exists in the NewDataBuilder function within provisionersdk/proto/dataupload.go, which blindly allocates a byte slice using a client-supplied FileSize field from a DataUpload DRPC message, with no upper-bound validation. By declaring a massive FileSize value such as 1 TiB, an attacker with provisioner daemon credentials can trigger a Go runtime out-of-memory abort, terminating coderd and denying service to all users of the deployment. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis.
Denial of service in Coder's coderd server allows any authenticated user with file-upload access to exhaust server memory by uploading a crafted zip bomb via POST /api/v2/files, crashing the service before RBAC checks execute. Affected versions span all supported release lines prior to v2.34.2, v2.33.8, v2.32.7, and v2.29.17 (ESR). No public exploit has been identified at time of analysis; the impact is strictly an availability loss - the advisory explicitly confirms no data disclosure or code execution is possible, contradicting the 'RCE' tag present in the intelligence feed.
Memory exhaustion in Coder's AI Bridge feature allows an authenticated member-level user to crash the entire control plane by sending arbitrarily large HTTP request bodies to provider endpoints such as `/api/v2/aibridge/anthropic/v1/messages`. Because AI Bridge runs in-process with `coderd`, a single crafted request can grow heap memory until the OS terminates the process, taking down the API server, workspace coordinator, and DERP relay simultaneously. No public exploit has been identified at time of analysis, but the vendor credits Anthropic's Security Team (ANT-2026-22443) with independent discovery, indicating external security research attention. Patched versions are available for the affected v2.33 and v2.34 release lines.
Denial of service in NATS Server (nats-io/nats-server) affects the HTTP monitoring endpoints /connz and /subsz, where attacker-controlled offset and limit pagination parameters trigger a signed integer overflow (Offset+Limit wrapping from math.MaxInt64 to math.MinInt64), producing invalid slice bounds and a server panic. Any client able to reach the monitoring interface can crash the broker, disrupting all connected messaging clients. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; the upstream fix clamps offsets using min/max bounds.
CVE-2026-58251 has been reported by Ubuntu with no description, CVSS score, CWE classification, or technical details available at time of analysis. The affected component, attack vector, and impact are entirely unknown. No exploitation status, patch availability, or severity rating can be determined from the provided intelligence.
CVE-2026-58252 is attributed to Ubuntu per vendor reporting, but no description, CVSS score, CWE classification, or technical details are available in the provided intelligence data. The vulnerability cannot be characterized beyond its association with the Ubuntu platform. Security teams should consult Ubuntu Security Notices (USN) directly for authoritative details as this record is effectively unpopulated.
Unauthenticated access to Coolify's POST /api/feedback endpoint allows any remote attacker to forward arbitrary content directly to the operator's configured Discord webhook, enabling spam flooding, content injection, and webhook rate-limit abuse. All self-hosted Coolify instances prior to 4.0.0-beta.474 are affected, with CVSS AV:N/AC:L/PR:N/UI:N confirming zero-barrier network exploitation. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the trivial exploit conditions (plain unauthenticated HTTP POST) make automated abuse straightforward.
Memory exhaustion in vLLM 0.22.0-0.23.0 allows authenticated API callers to crash or destabilize the inference server by uploading arbitrarily large audio files. The `/v1/audio/transcriptions` and `/v1/audio/translations` endpoints invoke `request.file.read()` to fully buffer multipart uploads into process memory before the `VLLM_MAX_AUDIO_CLIP_FILESIZE_MB` size guard is evaluated, meaning the size limit is checked only after the damage is done. No public exploit is identified at time of analysis; vendor-confirmed fix is available in version 0.24.0.
Missing authorization in Coolify's Settings/Updates Livewire component allows any authenticated non-admin user to access the Updates settings page and modify auto-update behavior or trigger update checks. Affected versions span all releases prior to 4.0.0-beta.471 of the self-hosted server management platform. No public exploit code or CISA KEV listing exists at time of analysis, but the network-accessible nature and low authentication bar (any valid account) make this a meaningful integrity risk in multi-tenant or shared Coolify deployments.
Incorrect authorization in Coolify's API layer allows any holder of a read-scoped API token to invoke mutating validation endpoints - including cloud token validation and server validation - that should require write-level privileges. All Coolify deployments prior to version 4.0.0-beta.466 are affected. No public exploit or active exploitation has been identified at time of analysis, but the low attack complexity and network accessibility via API make this straightforward to abuse for any user who has been issued even a minimal API token.
Memory exhaustion via uncontrolled recursion in Mojo::JSON's pure-Perl decoder allows network-accessible callers to cause denial of service in Mojolicious applications. All versions before 9.47 are affected when the pure-Perl decode path is active - specifically when Cpanel::JSON::XS is absent or MOJO_NO_JSON_XS=1 is set. No public exploit has been identified and EPSS sits at 0.19% (8th percentile), but the attack is conceptually trivial given the published patch diff and OSS-Security advisory.
Remote image auto-fetch in the OpenAI Codex desktop app for macOS (versions prior to 26.527.31326) enables silent exfiltration of session secrets via indirect prompt injection. An attacker who can place malicious instructions into content processed by Codex - such as a tool result, API response, or file read during a session - can manipulate the model into generating a Markdown image tag whose URL encodes sensitive data; the app then automatically fetches that URL, transmitting API keys, source code, or tool-returned data to an attacker-controlled server with no additional user action. No active exploitation is confirmed (not listed in CISA KEV), no public proof-of-concept is identified, and EPSS sits at 0.16% (6th percentile), indicating low current exploitation probability despite the high-value target profile of affected users.
Stored Cross-Site Scripting in the Reviews Widgets for Google, Yelp & TripAdvisor WordPress plugin (versions up to and including 2.7.3) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages by abusing the 'page_id' attribute of the [fbrev] shortcode. The injected payload executes in the browsers of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or further exploitation within the victim's browser context. No public exploit code has been identified at time of analysis, and no KEV listing is present, but the contributor-level access bar is low in multi-author WordPress deployments.