Reflected XSS in Dashy's workspace view allows a remote attacker to execute arbitrary JavaScript in the victim's browser within the Dashy origin by tricking an authenticated user into visiting a crafted URL containing a javascript: scheme in the url query parameter. All Dashy releases prior to 4.3.7 are affected. Successful exploitation enables reading same-origin browser data, DOM manipulation, and issuing authenticated requests on behalf of the victim. No public exploit identified at time of analysis.
GStreamer's webrtcbin component accepts remote SDP offers and answers that are missing the required a=fingerprint attribute due to an inverted boolean logic check in _check_sdp_crypto(), undermining the DTLS certificate fingerprint binding that protects WebRTC media streams from interception. An attacker already positioned as a man-in-the-middle on the WebRTC signaling channel can strip the a=fingerprint attribute from SDP messages, which the vulnerable code then incorrectly accepts, allowing the attacker to substitute their own DTLS certificate and intercept or tamper with encrypted media. No public exploit code exists and no CISA KEV listing has been issued; however, the flaw is architecturally significant because it silently voids a key WebRTC security guarantee rather than causing an obvious crash.
Command injection in Coolify's DatabaseBackupJob allows authenticated users holding database management permissions to execute arbitrary OS commands on managed servers by embedding shell metacharacters in database credentials or MongoDB collection exclusion names. All Coolify releases prior to 4.0.0-beta.471 are affected. No public exploit code has been identified at time of analysis and the vulnerability is absent from CISA KEV; however, the practical impact substantially exceeds the official CVSS 3.3 Low rating because successful exploitation grants attacker-controlled shell execution on production infrastructure managed by the platform.
OS command injection in Coolify's database service configuration API allows authenticated administrators to execute arbitrary shell commands within Docker container contexts by embedding shell metacharacters into database credential fields. All Coolify versions prior to 4.0.0-beta.474 are affected, covering deployments managing Redis, KeyDB, Dragonfly, ClickHouse, PostgreSQL, and MySQL services. No public exploit code has been identified at time of analysis, and the CVSS PR:H requirement confines the attack surface to already-privileged admin accounts, positioning this as a post-compromise escalation risk rather than an initial access vector.
Coolify's database backup restore file upload endpoint accepts uploads without enforcing any file type or size constraints, enabling an authenticated user to degrade service availability by uploading oversized or unexpected files. All releases prior to 4.0.0-beta.474 are affected per CPE cpe:2.3:a:coollabsio:coolify. No public exploit code exists and the vulnerability is not listed in CISA KEV; with a CVSS score of 3.1 and availability-only impact, this represents a low-priority issue for most operators, especially given the authenticated access requirement.
Sanctum API tokens in Coolify never expire prior to v4.0.0-beta.474, meaning any token that is leaked or stolen remains permanently valid until an administrator manually revokes it. This affects the self-hosted server, application, and database management platform across all versions below 4.0.0-beta.474. An attacker who obtains a valid API token via secondary means retains indefinite read access to the Coolify API without natural time-bounded expiry as a safeguard. No public exploit has been identified at time of analysis, and the low CVSS score of 3.1 reflects the constrained real-world impact.
Uncaught Exception in the Gallagher Controller 6000 and Controller 7000 diagnostic web interface allows an authenticated and authorized operator to force a controller restart by sending specific crafted requests, causing a temporary denial of service. Affected versions span Gallagher Command Centre 9.20 through 9.50 (pre-patch) and all versions of 9.10 and earlier. No public exploit code exists and no active exploitation has been identified; the high privilege requirement substantially limits real-world attack surface to insider or compromised-operator scenarios.
Gallagher Command Centre's T20 Readers component crashes and restarts when an authenticated, high-privilege operator sends specific crafted requests, causing a temporary denial of service. Exploitation requires existing operator-level credentials and authorization - this cannot be triggered by unauthenticated or low-privilege users. The vulnerability carries a CVSS 2.7 (Low) score with no public exploit code and no CISA KEV listing, indicating minimal real-world threat beyond insider misuse or compromised operator accounts.
Cross-organization authorization bypass in Grafana OSS and Enterprise allows an authenticated Org Admin to delete public dashboards owned by a different organization by supplying the target dashboard's identifiers to the deletion endpoint. The missing tenant-isolation check on the delete operation means any Org Admin - regardless of their organizational scope - can reach and destroy dashboards across organizational boundaries. No public exploit has been identified at time of analysis, and the low CVSS score of 3.1 reflects the constrained impact and prerequisite of an existing Org Admin credential.
Cache poisoning in Django's UpdateCacheMiddleware and cache_page() decorator exposes private user data to unauthenticated remote attackers by incorrectly serving cached responses across different cookie contexts. Versions 6.0 before 6.0.7 and 5.2 before 5.2.16 are confirmed affected; older unsupported branches (5.0.x, 4.1.x, 3.2.x) were not evaluated but may share the flaw. No public exploit or CISA KEV listing exists at time of analysis, and the low CVSS 4.0 score of 2.3 reflects meaningful preconditions, though the data-disclosure consequence for applications serving personalized, cookie-gated content through a shared cache is concrete.
Cross-origin request forgery against Anki's local HTTP server allows a malicious website to trigger unauthorized side-effecting requests to the application while it is running on the victim's machine. All Anki versions prior to 25.09.3 are affected (CPE: cpe:2.3:a:ankitects:anki:*:*:*:*:*:*:*:*). The practical severity varies significantly by browser: implementations with Private Network Access (PNA) protections block such requests by default, limiting real-world impact to older or less-restrictive browser configurations. No public exploit identified at time of analysis, though security researcher Tavis Ormandy (Google Project Zero) publicly discussed the issue on X, indicating independent researcher awareness.