Divide-by-zero in GPAC's TeXML file handler crashes the process when a crafted file carries a zero or invalid txml_timescale value, triggering an unhandled arithmetic exception in txtin_probe_duration. The affected version is the development snapshot 26.03-DEV-rev342-g80071f700-master; exploitation is constrained to local users able to supply malicious input files, with impact limited to a process-level denial of service. No active exploitation or public proof-of-concept has been identified; an upstream fix commit is available on GitHub but no patched stable release has been independently confirmed.
CVE-2026-54432 is a vulnerability reported by Ubuntu with no description, CVSS score, CWE classification, or technical detail available in the provided intelligence data. The affected product is inferred as Ubuntu Linux based solely on the vendor reporter tag. No impact, attack vector, or exploitability information can be determined from the current data set.
Build-time SSRF in Hugo static site generator (v0.162.0-v0.163.0) allows bypass of the `security.http.urls` IP-block policy by supplying loopback or cloud-metadata addresses in alternate IPv4 encodings - integer, hex, or octal - that the deny rule does not recognize but the cgo system resolver silently normalizes and resolves. Templates invoking `resources.GetRemote` with attacker-influenced or data-derived URLs can reach internal services and cloud-metadata endpoints (e.g., AWS IMDSv1) at build time, a particularly acute risk in CI pipelines and hosted build services where instance credentials are accessible. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the fix is available in v0.163.1.
Command injection in Pillow's WindowsViewer component (all versions prior to 12.3.0) allows arbitrary cmd.exe command execution when a user opens an image with a crafted filename containing shell metacharacters. The root cause is in WindowsViewer.get_command(), which embeds an unsanitized file path directly into an f-string and passes the result to subprocess.Popen with shell=True on Windows. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
mrubyc through release3.4.1 was found to contain an out-of-bounds read in builtin missing-method lookup inside mrbc_find_method().
Insufficient data exists to characterize this vulnerability. CVE-2026-58214 was reported by Ubuntu (vendor source) but carries no description, CVSS score, vector, or CWE at time of analysis. The affected component, attack vector, and impact are all unknown. Security teams should monitor the Ubuntu Security Notices (USN) feed and the NVD entry for this CVE for forthcoming details.
Insufficient data exists to characterize CVE-2026-58209 beyond its association with an Ubuntu vendor report. The CVE description is absent, no CVSS score or vector has been assigned, no CWE root cause is identified, and no additional intelligence sources were provided. Security teams should treat this as an unresolved reservation requiring active follow-up with Ubuntu Security Notices (USN) or the NVD pending full disclosure.
{realm}/asset/predicted/{assetId}/{attributeName}) incorrectly authorizes write operations by checking READ_ASSETS permission instead of WRITE_ASSETS, enabling any authenticated user with read:assets privileges to persist arbitrary predicted datapoint values to the database. This privilege escalation exposes IoT asset prediction data to tampering by low-privileged or compromised accounts. A working proof-of-concept is embedded in the public GitHub Security Advisory GHSA-xj53-j257-hxvg; no active exploitation has been identified in CISA KEV.
Integer overflow in OP-TEE OS's AES-GCM implementation silently corrupts authentication tag computation when a single operation processes more than 512 megabytes of payload or Additional Authenticated Data (AAD), affecting all deployments running versions 3.0.0 through 4.10.x on Arm TrustZone platforms. The overflow causes the GHASH length counters to wrap, meaning the GCM authentication tag is derived from incorrect bit-length values - defeating AES-GCM's core integrity guarantee without any runtime error or exception. No public exploit has been identified at time of analysis, but the practical impact for systems using OP-TEE for high-value integrity assurance (DRM, secure key storage, attestation) is significant when large payloads traverse the TEE boundary.
OS command injection in Coolify's settings module allows a highly privileged attacker in a development environment to execute arbitrary shell commands on the host server by injecting metacharacters into the dev_helper_version field, which is passed unsanitized into a Docker build command. All Coolify releases prior to 4.0.0-beta.474 are affected. No public exploit code exists and no CISA KEV listing has been issued; the provided CVSS score of 3.8 (Low) accurately reflects the highly constrained exploitation prerequisites, though the underlying command injection class warrants upgrade regardless.
Heap exhaustion in OP-TEE OS (versions 3.3.0 through 4.10.x) allows a low-privileged normal-world local caller to progressively degrade and ultimately deny service to all trusted applications running in the secure world. The root cause is a missing bitmask application in `cleanup_shm_refs()` that causes `mobj_reg_shm` reference objects to accumulate indefinitely on internal lists without being released. No public exploit code has been identified at time of analysis, and EPSS data was not supplied; however, the flaw is structurally straightforward to trigger through normal TEE invocation with non-contiguous shared memory parameters, making it feasible for any process with TEE access to exhaust the secure heap over time.
Header injection in Apache Camel Mail Component enables attackers to override SMTP JavaMail session properties by supplying crafted headers in the mail.smtp./ mail.smtps. namespace through any untrusted inbound protocol - including HTTP query parameters, JMS, or Kafka - that feeds into a Camel route terminating at an SMTP producer. On releases before 4.19.0, the most severe impact is full SMTP host redirection: the producer reconnects to an attacker-controlled server and authenticates with the endpoint's configured credentials, resulting in credential theft. On 4.19.0 through pre-4.21.0, host redirection is blocked, but attackers can still weaken transport security (disabling STARTTLS, manipulating SSL trust, or injecting a SOCKS proxy) and intercept outgoing mail content. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Command injection in Coolify's MongoDB backup handler (versions 4.0.0-beta.451 through 4.0.0-beta.470) allows a highly privileged attacker who controls backup configuration to inject OS-level shell commands via unsanitized metacharacters in MongoDB collection names. The attack requires an already-administrative account capable of modifying backup inputs, substantially limiting the realistic threat surface. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the vendor released a fix in v4.0.0-beta.471.
Stack exhaustion via unbounded recursion in the OP-TEE PKCS#11 Trusted Application allows a local low-privileged user to crash the TA, causing a denial of service within the TrustZone secure world. Affected versions span 3.10.0 through 4.10.x of optee_os running on Arm Cortex-A platforms with TrustZone enabled. No active exploitation has been identified; this is a DoS-only issue with no confidentiality or integrity impact, and a patched release (4.11.0) is available.
RSA PKCS#1 v1.5 decryption in OP-TEE's Hisilicon HPRE hardware accelerator driver exposes a Bleichenbacher-style padding oracle, allowing a local attacker to recover RSA plaintext by adaptively querying the oracle. Affected are optee_os versions 4.5.0 through 4.10.x built with Hisilicon HPRE support (CFG_HISILICON_ACC_V3=y) on Arm TrustZone-based platforms. No public exploit code or CISA KEV listing exists; exploitation is constrained by local access requirements and the high query volume characteristic of Bleichenbacher-class attacks.
RSA-OAEP decryption in OP-TEE OS versions 4.5.0 through 4.10.x exposes a Manger-style padding oracle via the Hisilicon HPRE hardware crypto driver, enabling a local attacker to recover RSA-OAEP plaintext through approximately 1000-2000 adaptive chosen ciphertext queries. The root cause is a non-constant-time `memcmp()` used for label hash verification combined with distinguishable error paths - classic CWE-208 timing side-channel conditions. Impact is heavily constrained by a non-default build requirement: only Hisilicon D06 (plat-d06) hardware built with `CFG_HISILICON_ACC_V3=y` is exposed, and no public exploit or active exploitation has been identified at time of analysis.
RSA-OAEP decryption in OP-TEE OS versions 3.9.0 through 4.10.x exposes a Manger-style padding oracle via the NXP CAAM hardware crypto driver, enabling local low-privileged attackers to recover RSA-OAEP plaintext through approximately 1,000-2,000 adaptive chosen-ciphertext queries. The flaw arises from non-constant-time memcmp() usage during label hash verification combined with multiple distinguishable error paths that leak oracle-exploitable timing and response information. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is constrained to NXP CAAM-equipped platforms with the RSA driver enabled.
FOSSBilling's PayPalEmail payment adapter prior to version 0.8.0 fails to validate IPN-supplied payment amounts against invoice totals, enabling authenticated clients to underpay invoices while having them marked as fully paid. The PayPal IPN field `mc_gross` is credited directly to the client balance without cross-checking the corresponding invoice amount, and a pre-existing $0.05 floating-point epsilon in the credit-payment logic expands the exploitable gap to $0.04 per invoice. No public exploit code exists and the vulnerability is not in CISA KEV; however, the attack is trivially executable by any registered client on a system with the PayPalEmail adapter enabled.
FOSSBilling prior to version 0.8.0 exposes sensitive administrative data to low-privileged staff accounts through an asymmetric access control flaw: write-side admin API endpoints correctly enforce fine-grained permissions, but their corresponding read endpoints lack any authorization guards entirely. Any authenticated staff user can call these read endpoints over the network and retrieve data beyond their intended access scope. No public exploit code has been identified and the vulnerability is not in CISA KEV; risk is primarily an insider-threat scenario within organizations with staff-level access to the billing platform.
Path traversal in NousResearch hermes-agent 2026.5.29.2 allows low-privilege authenticated remote attackers to read files outside the intended directory by supplying crafted path traversal sequences in the `Name` argument of the `skill_view` function within `tools/skills_tool.py`. Impact is confined to limited confidentiality exposure - no integrity or availability effect - consistent with the CVSS 4.0 score of 2.1 (Low). A public exploit has been disclosed (CVSS E:P), though no active exploitation has been confirmed via CISA KEV.
{from}/sendMail path segment, rewriting both path and query string of the outbound request. No public exploit has been identified at time of analysis; a vendor-released patch is available in version 1.26.3.
Stored cross-site scripting in Kiwi TCMS versions prior to 16.1 allows authenticated users to inject arbitrary JavaScript into the `TestCase.extra_link` and `TestPlan.extra_link` fields, which are rendered verbatim to all subsequent viewers. Official Docker-based deployments are substantially protected by a `Content-Security-Policy` header that blocks inline script execution, but customized deployments that alter default middleware or security settings remain fully exploitable. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.
Unauthenticated SSRF in Dragonfly's scheduler v1 gRPC service allows any remote client to force the scheduler to issue HTTP GET requests to arbitrary internal addresses, including loopback (127.0.0.1), cloud metadata endpoints (169.254.0.0/16), and RFC1918 ranges. The scheduler's `DownloadTinyFile()` function constructs HTTP requests from attacker-controlled `PeerHost.Ip` and `PeerHost.DownPort` gRPC fields with no destination address validation, and stores up to 128 bytes of each fetched response in `Task.DirectPiece`, which is subsequently served to other peers. The input tag of 'RCE' in the source intelligence is incorrect - this is a read-SSRF with a limited exfiltration path, not remote code execution. A fully confirmed proof-of-concept exists against v2.4.4-rc.2; no patched release version has been identified at time of analysis.
Arbitrary file write as root via symlink attack in Linuxfabrik Monitoring Plugins affects any deployment using the provided sudoers configuration. The monitoring plugins create SQLite databases at predictable, static paths under /tmp; an attacker who has already gained access to the nagios service account can pre-place symlinks at those paths, and when a monitoring script is subsequently invoked via sudo, it follows the symlink and writes a SQLite database to any attacker-chosen path on the filesystem. A proof-of-concept is included in the GitHub Security Advisory GHSA-r35r-fpx2-jgr4, and no CISA KEV listing or CVSS score has been assigned at time of analysis.
c-ares, the widely-embedded asynchronous DNS resolver library, received a security fix in version 1.34.7 addressing CVE-2026-33630, disclosed via the oss-security mailing list. The vulnerability was reported by Haruto Kimura of Stella and is also tracked under GHSA-pjmc-gx33-gc76 and GHSA-jv8r-gqr9-68wj. The nature of the flaw, its exploitability, and precise impact are not determinable from the available input data - no description, CVSS vector, or CWE was provided.
CVE-2026-58212 is reported by Ubuntu with no publicly available description, CVSS score, CWE classification, or technical detail at time of analysis. The sole intelligence signal is attribution to the Ubuntu vendor source, leaving the affected component, vulnerability class, and impact entirely uncharacterized. No meaningful risk assessment is possible without additional data from Ubuntu's security tracker or an upstream advisory.
NULL pointer dereference in the error handler of gstavdemux.c within gstreamer1-libav can crash the GStreamer pipeline process when it encounters a malformed or crafted media stream during AV demuxing. The flaw resides specifically in error recovery logic - the code path meant to handle failures itself dereferences a NULL pointer, producing a denial-of-service condition in any application relying on this plugin for media playback or processing. No public exploit code or active exploitation has been identified at time of analysis; this appears to be a stability/reliability bug reported through Ubuntu's vendor channel.