Denial of service in Socket.IO (Engine.IO server) from 4.1.0 before 6.6.7 lets a remote unauthenticated attacker exhaust server-side connections and sockets by sending invalid binary POST requests. When the Engine.IO v4 polling transport receives a malformed binary payload with Content-Type: application/octet-stream, it fails to close the HTTP response, leaking the underlying socket until connection and file-descriptor limits are reached. No public exploit identified at time of analysis; the flaw is fixed in engine.io 6.6.7.
Denial of service in js-yaml (a widely-used JavaScript YAML parser) 3.0.0-3.14.x and 4.0.0-4.2.x allows remote attackers to consume quadratic CPU time by submitting a linearly-sized YAML document built from a chain of mappings that use merge keys, where each mapping merges the previous one. Exploitation requires no authentication or user interaction (CVSS 7.5, availability-only impact), and any application that parses attacker-controlled YAML with a vulnerable version is affected. No public exploit identified at time of analysis; fixes are available in 3.15.0 and 4.3.0.
Denial of service in Mistune (the lepture Python Markdown parser) before 3.3.0 lets remote unauthenticated attackers exhaust CPU by submitting a Markdown document packed with many repeated or distinct reference-link definitions, which triggers quadratic-time processing in the block parser and its ref_links dictionary handling. Any service that renders attacker-supplied Markdown through Mistune (wikis, comment systems, docs pipelines, notebook converters) can be stalled with a single crafted input. No public exploit is identified at time of analysis and it is not in CISA KEV, but the low-complexity, no-auth vector makes weaponization trivial.
Denial of service in Mistune, a Python Markdown parser, affects all versions prior to 3.3.0 when the strikethrough, mark, or insert plugins are enabled. Remote attackers can submit crafted Markdown containing runs of closed tilde (~), equals (=), or caret (^) marker pairs that trigger quadratic-time scanning in the formatting plugin, exhausting CPU and rendering the parsing service unresponsive. No public exploit identified at time of analysis, and the flaw is not in CISA KEV; impact is limited to availability with no data exposure.
Denial of service in linkify-it before 5.0.2 allows remote attackers to exhaust CPU by submitting crafted text containing many mailto: occurrences, each triggering the src_email_name email-name validator in lib/re.mjs to rescan the remaining input, yielding O(n^2) complexity. Any application that runs untrusted user text through linkify-it's .test() or .match() is affected; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the low complexity of the trigger makes availability disruption straightforward.
Denial of service in Mistune, a widely used pure-Python Markdown parser, affects all versions prior to 3.3.0 where the default inline parser exhibits quadratic (O(n²)) behavior on long runs of well-formed double- or triple-asterisk emphasis pairs. Because the parser rescans forward for matching close markers from every candidate opening run, a small crafted Markdown payload forces disproportionate CPU consumption, exhausting resources on any service that renders untrusted Markdown. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and unauthenticated network vector make availability impact realistic against default configurations.
Denial of service in Engine.IO 6.5.0 through 6.6.6 (the transport layer beneath Socket.IO) lets remote unauthenticated attackers crash the server by supplying a crafted session ID like '__proto__' during a WebTransport upgrade. Because the session ID is looked up against the internal clients object without guarding inherited properties, the resolved value is a prototype function rather than a client, triggering a TypeError that terminates request handling. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trigger is trivial to reproduce on any server that has WebTransport enabled.
Denial of service in Dell PowerProtect Data Domain (DDOS versions 7.7.1.0 through 8.7, plus LTS2026 8.6.1.0-8.6.1.10, LTS2025 8.3.1.0-8.3.1.30, and LTS2024 7.13.1.0-7.13.1.70) allows a remote, unauthenticated attacker to crash or hang the appliance by triggering an integer overflow (CWE-190). Per the CVSS vector (PR:N/UI:N), no authentication or user interaction is required, and the impact is confined to availability (C:N/I:N/A:H) - no data disclosure or code execution. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; EPSS was not provided.
Denial-of-service via infinite loop in protobuf.js (the pure-JavaScript Protocol Buffers implementation for Node.js/browsers) affects versions 8.0.0 through <8.6.6 and 7.5.0 through <7.6.5. When the parser reads an option declaration in a .proto schema it advances through tokens looking for '=' without checking for end-of-input, so a truncated schema (e.g. 'option foo') hangs parse(), Root.load, or Root.loadSync forever, pinning a CPU core and stalling the event loop. No public exploit is identified at time of analysis and it is not in CISA KEV; EPSS is low (0.33%, 25th percentile), matching the SSVC rating of exploitation 'none' but automatable.
Denial of service in Tanium Server allows remote unauthenticated attackers to exhaust availability of the platform, per vendor advisory TAN-2026-016. The flaw is network-reachable with low complexity and no privileges or user interaction (CVSS 7.5, availability-only impact), and the CWE-789 classification indicates an uncontrolled/excessive memory allocation can be triggered remotely. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Denial of service in node-tar prior to 7.5.18 allows unauthenticated network-reachable attackers to crash Node.js processes by submitting crafted tar archives containing all-digit PAX header path or linkpath values. The library incorrectly coerces these string values to JavaScript numbers in src/pax.ts, causing downstream path handling (normalizeWindowsPath(entry.path).split('/')) to throw an uncaught TypeError when it attempts to call a string method on a numeric value. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Denial of service in the js-yaml Node.js YAML parser (versions 5.0.0 up to but not including 5.2.0) lets a remote attacker consume quadratic CPU time by submitting a small, linearly-sized YAML document that chains merge keys (<<) so each mapping merges the previous one. Because confidentiality and integrity impact are nil and only availability is affected (CVSS 7.5, AV:N/A:H), a single crafted document can stall or hang the parsing thread. SSVC rates this poc / automatable=yes / partial impact; there is no public weaponized exploit and it is not on CISA KEV, with a low EPSS of 0.29%.
Denial of service in the js-yaml JavaScript YAML parser (versions 5.0.0 up to but not including 5.2.1) allows remote attackers to exhaust CPU by submitting a crafted YAML document containing an ordered-map (!!omap) node with many entries. Because the !!omap handler performs a linear duplicate-key scan on every insertion, parsing scales as O(n^2), so a modestly sized payload can consume disproportionate CPU when yaml.load() is called. Exploitation is gated behind the non-default YAML11_SCHEMA; SSVC lists proof-of-concept exploit status, there is no CISA KEV entry, and EPSS is low at 0.29%.
Denial of service in Progress MOVEit Transfer (Custom Reports modules) allows remote attackers to exhaust server memory through a missing-release-of-memory (memory leak) flaw, degrading availability of the managed file transfer service. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, and is addressed in the Progress Critical Security Bulletin of June 2026. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
SQL injection in the Eventer WordPress event manager plugin (all versions through 4.4.2) lets unauthenticated attackers inject arbitrary SQL through the 'code' parameter, extracting database contents such as user credentials and session data. The flaw stems from unescaped user input concatenated into an existing query, exploitable remotely without authentication (PR:N). No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 7.5 reflects confidentiality-only impact via time-based blind extraction.
Privilege escalation in the Pixelgrade Backstage - Customizer Demo Access plugin for WordPress (all versions through 1.4.2) lets unauthenticated attackers modify arbitrary site options. The plugin grants the overly broad `manage_options` capability to its `backstage_customizer_user` demo role, so an attacker reaching the demo flow can change settings such as `default_role` and escalate to a privileged account. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Authentication bypass by spoofing in Progress MOVEit Transfer's HTTPS module allows remote unauthenticated attackers to impersonate or partially bypass identity verification, compromising integrity (CVSS 7.5, I:H) without exposing or destroying data (C:N/A:N). The flaw affects MOVEit Transfer builds before 2025.0.7 and the 2025.1.x line before 2025.1.3; a vendor patch is available. There is no public exploit identified at time of analysis and CISA SSVC records exploitation status as none, but MOVEit Transfer's history as a mass-exploitation target warrants prompt patching.
Path traversal in Progress MOVEit Transfer's Admin Settings module (versions before 2025.0.7 and 2025.1.0 before 2025.1.3) lets remote attackers supply relative '../' sequences to read files outside the intended directory, exposing sensitive configuration or system data. The CVSS 3.1 vector scores it 7.5 with confidentiality-only impact (C:H/I:N/A:N) and no listed authentication (PR:N), though the 'Admin Settings' location warrants scrutiny of that claim. No public exploit identified at time of analysis; EPSS is low (0.20%, 10th percentile) and CISA SSVC records no known exploitation.
Remote denial of service in OpENer 2.3.0 (commit 76b95cf), an open-source EtherNet/IP (CIP) communication stack, lets unauthenticated network attackers exhaust device resources through the network processing loop, rendering the affected industrial device unavailable. The flaw carries CVSS 7.5 (availability-only impact) and publicly available exploit code exists (referenced GitHub gist and issue #562), though it is not listed in CISA KEV and EPSS is low at 0.20% (10th percentile), indicating no observed widespread exploitation. Because OpENer typically runs on embedded ICS/IIoT endpoints, loss of availability can translate directly to loss of process visibility or control.
Heap corruption in Google Chrome's Payments component (versions prior to 150.0.7871.115) lets a remote attacker who lures a user into performing specific UI gestures potentially achieve code execution via a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium and CVSS 7.5, with a vendor patch already shipped in the July 2026 Stable channel update; no public exploit has been identified at time of analysis. Exploitation is gated by high attack complexity and required user interaction, making it credible but not trivially weaponizable.
Heap corruption in Google Chrome's Views UI framework (versions prior to 150.0.7871.115) lets a remote attacker who lures a user into performing specific UI gestures on a crafted HTML page potentially execute code or crash the browser via a use-after-free. Google rates the Chromium severity High; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though Chrome UAF bugs are historically attractive exploitation targets.
Sensitive user-record disclosure in Adalo's no-code app builder (App Builder versions 1 and 2) lets remote actors enumerate the internal 'dbId' identifier to retrieve complete user records and correlate individuals' behavior across multiple applications hosted on the platform. The flaw stems from predictable/enumerable record identifiers combined with absent access controls and no data minimization. There is no public exploit identified at time of analysis, and EPSS rates near-term exploitation probability very low (0.15%, 5th percentile) despite the high confidentiality-only CVSS of 7.5.
Denial of service in Wireshark's UMTS FP protocol dissector affects the 4.6.0-4.6.6 and 4.4.0-4.4.16 release branches, where a malformed UMTS Frame Protocol packet triggers a heap-based buffer overflow (CWE-122) that crashes the application. A remote attacker who can get the crafted frame parsed - via live capture on a monitored segment or a shared capture file - can reliably terminate the analyzer, with no confidentiality or integrity impact. Publicly available exploit code exists (SSVC=poc) but it is not on CISA KEV, and EPSS is low at 0.14% (4th percentile), indicating minimal observed exploitation pressure.
Security-control bypass in OpenSSH sshd before 10.4 causes the DisableForwarding=yes hardening directive to be silently ignored when PermitTunnel=yes is also set, so tun-device forwarding remains available despite an administrator's explicit policy to disable all forwarding. Affected operators are those who rely on DisableForwarding as a defense-in-depth restriction; the flaw lets an authenticated user establish layer-2/3 tunnels the configuration was meant to forbid. There is no public exploit identified at time of analysis, EPSS is low (0.13%, 3rd percentile), and it is not on CISA KEV.
Denial of service in Wireshark 4.6.0-4.6.6 and 4.4.0-4.4.16 lets a remote attacker crash or hang the application by feeding it crafted packets that trigger infinite loops in multiple protocol dissectors. No public exploit is identified at time of analysis, and the flaw is limited to availability - no code execution or data exposure. Real-world urgency is modest: EPSS sits at 0.12% and CISA SSVC rates exploitation as 'none' with only partial technical impact.
Sensitive information disclosure in Adalo App Builder (versions 1 through 2) lets remote unauthenticated attackers harvest personal data at scale by sending a single request to a minimal leaderboard component, returning user records that include emails, UUIDs, and custom fields. The flaw stems from wildcard CORS behavior combined with long-lived twenty-day JWTs and no token revocation, meaning any Adalo application can be scraped without app-specific secrets. No public exploit is identified at time of analysis, and the EPSS score is low (0.10%), but the network-reachable, no-authentication nature makes mass automated collection straightforward.
Payment amount manipulation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.4.0) lets unauthenticated attackers finalize bookings while paying an arbitrary amount. The Stripe Connect payment processor trusts a client-supplied PaymentIntent ID, so an attacker can replay a previously succeeded PaymentIntent token to satisfy the payment check. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.
Unauthenticated blind SQL injection in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.8) lets remote attackers inject SQL through the 'mc_auth' parameter, enabling extraction of sensitive database contents such as user credentials and secret keys. The flaw stems from unescaped user input concatenated into an unprepared query, and being reachable without authentication makes it broadly exploitable on any site running a vulnerable version. No public exploit identified at time of analysis, but the technique (time-based blind extraction) is well understood and readily automatable.
SQL injection in the Tainacan WordPress plugin (versions ≤ 1.0.3) lets unauthenticated attackers exfiltrate database contents through the 'geoquery' parameter, which is concatenated into a SQL query without proper escaping or prepared-statement binding. Because the injection is time-based blind, attackers infer data character-by-character from response delays rather than direct output. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the network-reachable, no-authentication vector makes it a realistic target for automated scanning once details spread.
An OS command injection vulnerability exists in the start_lltd() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The machine_name configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges.
An OS command injection vulnerability exists in the sub_34984() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The lan_ipv6_prefixlen configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges.
Root-level OS command injection in Cisco RV130/RV130W (firmware 1.0.3.55) and RV110W (firmware 1.2.2.5/1.2.2.8) small-business routers lets an authenticated remote attacker run arbitrary commands via the unsanitized model_name parameter in the httpd binary's save_syslog_to_file() function. Because injected commands run as root, successful exploitation yields full device takeover. Publicly available exploit code exists (SSVC exploitation status: poc) but the flaw is not listed in CISA KEV.
Root-level OS command injection in Cisco RV130, RV130W, and RV110W small-business routers lets an authenticated remote administrator inject arbitrary shell commands through the wan_hostname parameter, which is passed unsanitized into the start_bonjour() routine of the 'rc' binary. Because the 'rc' process runs as root, successful exploitation yields full command execution and complete device takeover. Publicly available exploit details exist in an IoT vulnerability write-up; there is no evidence of active exploitation (not in CISA KEV) and no EPSS score was provided.
Memory corruption in the User-ID Terminal Server Agent (TSA) of Palo Alto Networks PAN-OS lets an unauthenticated network attacker crash the service (DoS) or potentially execute arbitrary code by sending crafted traffic to the TSA listener. Multiple out-of-bounds write bugs are involved; the vendor's CVSS 4.0 vector flags the exploit as unproven (E:U), and no public exploit has been identified at time of analysis. Panorama is explicitly not affected, and exposure hinges on whether the optional TSA component is deployed and reachable.
Server-side NoSQL injection in Progress MOVEit Transfer (Custom Reports modules) lets an authenticated high-privilege user inject crafted query elements to read, alter, or disrupt backend data. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, with full confidentiality, integrity, and availability impact per the CVSS vector. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Cross-organization authorization bypass in Capgo before 12.128.2 lets a scoped API key (limited_to_orgs) inherit its owner's full user permissions, so an admin holding a write key restricted to one organization can execute destructive operations against a different organization. Because route-level authorization (rbac_check_permission_direct) checks the owner's user privileges before enforcing the key's org scope, a key intended to be confined to Org A can call DELETE /organization or DELETE /organization/members on Org B. No public exploit has been identified at time of analysis; the flaw is documented in a GitHub Security Advisory (GHSA-ccm4-hf72-p28m) and a VulnCheck advisory.
Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.8) lets unauthenticated remote attackers persist arbitrary JavaScript via the 'email' parameter, which then executes in the browser of any user - including hotel staff and admins - who later views the affected page. Because the injection point is reachable without authentication and the payload is stored server-side, it enables session hijacking, admin action forgery, and content defacement against booking-management back offices. This issue is not in CISA KEV and no public exploit has been identified at time of analysis.
Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.8) lets unauthenticated attackers persist arbitrary JavaScript via the 'special_requests' booking field, which then executes when a hotel operator or user views the injected order in the admin back-end. Reported by Wordfence with a CVSS 7.2 (scope-changed) rating; no public exploit identified at time of analysis and it is not listed in CISA KEV. The fix landed in version 1.8.9, whose patched source is referenced in the advisory.
Authentication bypass in Portainer Community Edition (2.39.0-2.39.3 and 2.40.0 through 2.42.x) lets an unauthenticated network attacker seize full administrative control of a freshly deployed, uninitialized instance. During the five-minute post-deployment setup window the /api/restore and /api/users/admin/init endpoints stay reachable without credentials, so an attacker who wins the race can create the first admin account or restore a crafted backup and take over the platform along with every Docker, Swarm, Kubernetes and ACI environment it manages. No public exploit identified at time of analysis and it is not on CISA KEV, but the fix is available in 2.39.4 and 2.43.0.
Denial of service in Wazuh wazuh-modulesd (all releases before 5.0.0-beta3) lets an enrolled agent crash the manager's inventory synchronization module by sending a verifier-valid FlatBuffer DataValue message that omits the optional id field, triggering a null pointer dereference (CWE-476). Exploitation requires only a valid enrolled agent (PR:L) over the network with no user interaction; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is availability-only - no data confidentiality or integrity loss - but it can repeatedly take down central inventory sync, blinding a security monitoring deployment.
Authorization bypass in OpenCTI prior to version 7.260326.0 lets any authenticated user holding the KNOWLEDGE_KNUPDATE permission override Confidence Level validation and Object Marking restrictions simply by adding the 'synchronized-upsert: true' HTTP header. Exploitation allows downgrading confidence levels, stripping security markings such as TLP:RED, and tampering with STIX objects (Indicators, Threat Actors, Malware, Reports) and their relationships. There is no public exploit identified at time of analysis, and the issue is not on CISA KEV; the fix is delivered in release 7.260326.0.
Broken access control in AFFiNE (toeverything/AFFiNE monorepo) lets any authenticated workspace member read the edit history of documents they should not access by querying the GraphQL 'histories' field with an arbitrary document GUID. Because the resolver never checks Doc.Read permission, an attacker can enumerate private page timelines and harvest contributor user names, emails, and edit timestamps. No public exploit has been identified at time of analysis, but exploitation is trivial for any low-privileged member.
Broken access control in Gumroad's PurchasesController (versions before 2026.07.06.2) lets any authenticated seller revoke or restore buyer access to products they do not own by sending PUT requests to the revoke_access and undo_revoke_access actions, which fail to validate seller ownership. Because the actions operate on arbitrary purchase records via direct object reference, a low-privileged seller can tamper with the is_access_revoked flag on other sellers' sales. No public exploit was identified at time of analysis and the flaw is not listed in CISA KEV, but the fix is confirmed in release v2026.07.06.2.
Authorization bypass in Capgo before 12.128.2 lets read-only organization members insert rows into the public.manifest table via a flawed INSERT row-level-security policy, poisoning the OTA update manifests that Capacitor apps fetch. Because these forged entries carry attacker-chosen s3_path values and are served to client devices through the unauthenticated /updates endpoint, a low-privileged insider can steer devices toward malicious update assets. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored cross-site scripting in Dell PowerProtect Data Domain (DD OS 7.7.1.0 through 8.7, plus the LTS2026 8.6.1.x, LTS2025 8.3.1.x, and LTS2024 7.13.1.x branches) lets a remote attacker persist malicious script in the appliance management interface that executes in other users' browser sessions. Because the flaw is reachable without authentication and the injected payload runs in the victim's authenticated context, an attacker can achieve information disclosure, session/token theft, and client-side request forgery against operators of the backup appliance. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Dell has published advisory DSA-2026-278.
Arbitrary file write in Composer (the PHP dependency manager) before 2.2.29 and 2.10.2 allows a malicious package served from an untrusted, third-party repository to write attacker-controlled files outside the vendor directory and outside the project root during an install or update. The flaw stems from an invalid package name that is not validated before dependency-resolution results are written to disk (CWE-22 path traversal), and no public exploit has been identified at time of analysis. Exploitation requires the victim to have configured a non-default, untrusted repository (not Packagist.org or Private Packagist) and to run composer install/update, so it is not a default-configuration remote attack.
Denial of service in OpenSSH sshd before 10.4 lets remote unauthenticated attackers exhaust server resources by driving excessive authentication attempts, because the MaxAuthTries cap was not correctly enforced for the GSSAPIAuthentication path. Only deployments that have enabled GSSAPI-based authentication are exposed, and there is no public exploit identified at time of analysis. EPSS is low (0.34%, 26th percentile) and CISA SSVC records no observed exploitation, so this is a real but non-urgent availability issue rather than a code-execution threat.
Cross-origin information disclosure in the Apache Helix REST service (helix-rest) through 2.0.0 lets a remote attacker who lures an authenticated operator to a malicious web page read responses from and send requests to administrative REST endpoints. The CORSFilter unconditionally returns Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true and reflects arbitrary preflight method/header values, defeating the browser same-origin policy. There is no public exploit identified at time of analysis and EPSS risk is low (0.17%, 7th percentile), and it is not on the CISA KEV list.