Denial of service in Cesanta Mongoose before 7.22 lets a remote, unauthenticated attacker crash any TLS service (HTTPS, MQTTS, or WSS) built on the MG_TLS_BUILTIN stack by sending a single crafted TLS ClientHello whose session_id_len byte is used as an unvalidated buffer index, triggering an out-of-bounds read. The flaw sits in the built-in TLS server handshake function mg_tls_server_recv_hello() and requires no authentication or user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trigger is trivial and the issue was disclosed by VulnCheck.
Denial of service in Zeek network security monitor (versions before 8.0.9) lets unauthenticated remote attackers crash the sensor by driving unbounded memory growth in the FTP protocol analyzer. By opening an FTP control session, negotiating AUTH GSSAPI, and sending an oversized ADAT control line, an attacker forces the NVT_Analyzer to repeatedly double its base64-decode buffer until the process is terminated. VulnCheck reported the issue; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-facing, unauthenticated, low-complexity nature makes it a high-availability risk for exposed monitoring infrastructure.
Privilege escalation in the Qt Axivion Dashboard allows an authenticated low-privileged user to mint API tokens for other, higher-privileged accounts via the undocumented POST /api/users/~/{user}/tokens endpoint, which failed to enforce an authorization check on the target user. An attacker who knows a more-privileged user's login name and can log in through the Dashboard's OAuth/OIDC flow can forge and finalize a token for that account, potentially seizing Dashboard Administrator rights and — chained with a separate weakness — achieving code execution on the host. CVSS 4.0 is rated 8.7 (High); there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Disk-exhaustion denial of service in Nozomi Networks Guardian and Central Management Console (CMC) lets a remote, unauthenticated attacker fill available storage by sending requests with oversized input that the audit-logging subsystem records without any size limit. Because the affected devices are OT/ICS network-monitoring appliances, exhausting disk can render the sensor or its management console inoperable and blind defenders. No public exploit is identified at time of analysis; EPSS and KEV data were not provided, but the network/unauthenticated CVSS 4.0 profile (VA:H) makes this a low-effort attack.
Cross-site request forgery in Cotonti Siena (versions 0.9.26 and earlier) lets remote attackers alter administrator configuration by luring an authenticated admin into loading an attacker-controlled page that auto-submits a forged POST to the admin.php config update handler, which never calls the CMS's own CSRF validation routine. The highest-value abuse sets the PFS module option pfsfilecheck to 0, disabling the file-extension whitelist so any account with PFS (Personal File Storage) access can upload and execute arbitrary PHP, turning a CSRF into server-side code execution. There is no public exploit identified at time of analysis and it is not on CISA KEV, though a referenced public gist may contain proof-of-concept details; EPSS was not provided.
Heap-based buffer overflow in FreeRDP (the widely used open-source RDP client library) allows a malicious or compromised RDP server to corrupt client memory and potentially achieve remote code execution in the connecting client's context. The flaw lives in the primary drawing-order parser (update_read_delta_points in libfreerdp/core/orders.c), where an inverted integer-overflow guard let an attacker-controlled point count produce an undersized heap allocation followed by an out-of-bounds write. No public exploit identified at time of analysis; the issue is fixed in FreeRDP 3.28.0 (GHSA-v5wf-j8j4-77h7).
Stored cross-site scripting in SiYuan before 3.7.1 escalates to OS command execution inside the Electron desktop renderer because the bundled Lute Markdown/HTML engine sanitizes content but fails to block dangerous javascript schemes in form action and SVG xlink:href attributes. An attacker who plants crafted content that a victim later opens via document export-preview or a Bazaar package README render can run arbitrary code on the victim's machine. There is no public exploit identified at time of analysis, and it is not on CISA KEV; the CVSS 4.0 base score is 8.6.
Cross-site scripting escalating to remote code execution in SiYuan (open-source personal knowledge management) before 3.7.1 lets an attacker embed a crafted asset link whose path contains a double quote, breaking out of an image src attribute in Asset.render to inject an event handler. Because SiYuan runs in an Electron renderer with OS-level capabilities, the injected JavaScript can execute arbitrary operating-system commands on the victim's machine once the malicious asset is opened. No public exploit identified at time of analysis, and it is not listed in CISA KEV; user interaction is required to trigger the flaw.
Session context hijacking in the arikusi DeepSeek MCP Server (versions 1.4.2 through 1.6.x) lets remote attackers read and continue another user's DeepSeek V4 conversations. The process-global SessionStore trusts any caller-supplied session_id without tying it to an authenticated principal or transport session, so an attacker can enumerate live sessions via the deepseek_sessions tool and then replay a victim's session_id through deepseek_chat. No public exploit identified at time of analysis and it is not on CISA KEV, but the mechanics are trivial and fully described in the vendor advisory (GHSA-fh3r-g96v-f578); version 1.7.0 fixes it.
Authenticated remote code execution in LibreBooking (open-source scheduling/reservation platform) versions prior to 5.1.0 allows an administrator to write arbitrary files outside the intended template directory by abusing the email template editor's save action, which trusts the submitted template name as part of the destination file path. Because the resulting file can be dropped into a web-executable location, the write primitive escalates to server-side code execution. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV, but a CISA CSAF advisory and upstream fix commit exist.
Root-level device takeover affects the Allwinner H616-based TV98 Android TV Box, which ships to production with the Android Debug Bridge (ADB) daemon enabled and reachable over the network (TCP/5555). A network attacker can send an ADB authorization request, and if the victim accepts the RSA key confirmation prompt on the device, the attacker obtains a root shell. Classified under CWE-489 (leftover debug functionality), there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the attack is trivial once a user approves the pairing.
Privilege escalation in Siemens CPCI85 Central Processing/Communication and SICORE Base System (all versions before V26.20 / V26.20.0) lets an already-authenticated attacker abuse insufficient validation of authentication credentials when modifying administrative accounts through the web API. By exploiting this weak credential re-verification (CWE-620), an attacker with existing access can bypass security controls and obtain unauthorized elevated privileges over the device. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Authenticated SQL injection in SOPlanning lets a user holding the parameters_all privilege inject SQL through the audit retention configuration form, which is stored and then executed whenever the audit functionality is loaded by that attacker or any other user. Affected installations prior to version 1.56.01 face compromise of the underlying database, including data theft and modification. No public exploit identified at time of analysis; the flaw was reported by CERT-PL and is not listed in CISA KEV.
Arbitrary file write and information disclosure in the Cloud Foundry BOSH CLI tool (versions prior to v7.10.4) stems from insufficient sanitization of the path key inside blobs.yml, letting a crafted release blob spec escape the intended blobstore directory. When an operator syncs or downloads blobs from a malicious or tampered release, the CLI can write files to attacker-controlled locations on the host and expose sensitive files. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor-assigned CVSS 4.0 base score is 8.5 (High).
Arbitrary shell command execution in gpsd's gpsprof profiling tool (through release-3.27.5) allows an attacker who controls a GPS device's subtype value to run commands as the user rendering the plot. The subtype string - taken from a DEVICES JSON log entry or an NMEA PGRMT sentence - is embedded into a generated gnuplot program's `set title` statement with only double quotes escaped, so backtick payloads execute when the victim renders the plot via the gpsprof/gnuplot workflow. This was reported by VulnCheck; a vendor fix is available (fixed at commit 4c06658), and there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in BOSH-Ecosystem bosh-windows-stemcell-builder (versions prior to v2019.98) lets a low-privilege authenticated Windows user overwrite the BOSH agent executables at C:\bosh\service_wrapper.exe or C:\bosh\bosh-agent.exe, which then run as NT AUTHORITY\SYSTEM on the next service restart or reboot, yielding full host control. The weakness stems from overly permissive filesystem ACLs applied by BOSH.Utils.psm1 when the stemcell is built. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Arbitrary OS command execution in Vim prior to 9.2.0736 arises from the bundled PHP omni-completion script (runtime/autoload/phpcomplete.vim), which interpolates an attacker-controlled class or trait name from the edited buffer into a search() pattern executed via win_execute() without escaping. When a victim opens a crafted PHP file and invokes omni-completion, a name containing a single quote breaks out of the search string and the trailing text is honored as Ex commands, letting an attacker run shell commands through :! . There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is fixed and the mechanism is well documented in the vendor advisory.
Arbitrary Ex command execution in Vim before 9.2.0735 arises from its C omni-completion script (runtime/autoload/ccomplete.vim), which interpolates the unescaped typeref: or typename: field of a tags entry into a :vimgrep pattern passed to :execute. Because :vimgrep treats the bar character as a command separator, a crafted tag field can terminate the search pattern and append an attacker-controlled command that runs with the privileges of the editing user when a victim opens a malicious .c file and triggers C omni-completion. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 4.0 base score of 8.4 reflects high confidentiality, integrity, and availability impact.
Malicious firmware installation is possible on Siemens CPCI85 Central Processing/Communication firmware (versions before V26.20) and the SICORE Base System (before V26.20.0) because the firmware update mechanism fails to properly validate signatures. An attacker with high privileges and local access can push crafted, tampered firmware to achieve persistent code execution and full device compromise. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Man-in-the-middle exposure in Nozomi Networks Remote Collector arises because configuring an upstream Guardian or CMC through the n2os-tui interface generates a configuration that disables TLS certificate verification, with no option to re-enable it. Any attacker positioned on the network path between the Remote Collector and its Guardian/CMC can intercept the channel to steal the sync token, impersonate the server, inject spoofed asset or vulnerability data, or disrupt telemetry flow. There is no public exploit identified at time of analysis, and the issue is not on CISA KEV; the vendor (Nozomi) self-reported it.
Second-order SQL injection in YesWiki v4.6.5 lets any authenticated low-privilege user execute arbitrary SQL against the wiki database through the DELETE /api/pages/{tag} endpoint. An attacker plants a page whose tag contains a SQL-breakout payload (the INSERT escapes it but stores the literal quote), makes the page non-orphaned via an {{include}} link, then triggers deletePage(), where the stored tag is concatenated unescaped into a DELETE FROM _links WHERE to_tag='$tag' query. A detailed proof-of-concept with confirmed time-based blind extraction exists; the flaw enables reading password hashes, ACLs, and private page bodies, acting as a low-priv-to-admin escalation primitive. No public evidence of active exploitation was identified at time of analysis.
Server-side request forgery in YesWiki's Bazar ActivityPub module (through v4.6.5) lets an unauthenticated remote attacker coerce the server into fetching arbitrary attacker-chosen URLs. The public inbox route parses the HTTP Signature header and issues a server-side GET to the attacker-supplied keyId URL before any signature or URL validation, enabling internal port scanning, service enumeration, and cloud IAM metadata theft (169.254.169.254). Publicly available exploit code exists (a detailed PoC with a working request), and verbose 500 exception/stack-trace responses act as a data oracle; there is no CISA KEV listing.
Denial-of-service in Juniper Junos OS Evolved on PTX Series routers lets an unauthenticated network attacker crash the advanced forwarding toolkit process (evo-aftmand) on the Packet Forwarding Engine by driving continuous routing updates that produce unified-list (unilist) ECMP routes. The resulting internal state corruption generates an evo-aftmand-bx core and halts forwarding, requiring a manual FPC restart or system reboot to recover. No public exploit identified at time of analysis; the vendor (Juniper SIRT) notes successful exploitation depends on a sequence of events outside the attacker's direct control, so this is a high-CVSS availability issue rather than a trivially reproducible one.
Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Junos OS on MX (with SPC3) and SRX-series firewalls lets an unauthenticated, network-based attacker crash and restart the PFE, dropping all traffic-forwarding services until automatic recovery. Exploitation is indirect: the attacker must lure or wait for the affected device to initiate an outbound TCP connection to an attacker-controlled system, which then replies with a crafted packet that trips an unhandled exceptional condition (CWE-754). Juniper-reported with CVSS 4.0 8.2; no public exploit identified at time of analysis and it is not in CISA KEV.
Denial-of-service in Juniper Networks Junos OS on SRX Series devices lets an unauthenticated, network-based attacker exhaust the packet forwarding engine (PFE) by exploiting a race condition in stateful flow teardown. When the race is hit, a flow's timeout is mis-set to a very high value (>10,000s instead of 3s), so sessions are never reaped, invalidated sessions accumulate without bound, and the device eventually stops forwarding or hits a flowd core and reboots. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; exploitation is probabilistic because the triggering conditions are outside the attacker's control.
Signature-verification bypass in YesWiki (v4.6.5 and earlier, ActivityPub-federated Bazar forms) lets an unauthenticated remote attacker forge a valid ActivityPub actor and have Create/Update/Delete activities processed as if properly signed. The flaw stems from HttpSignatureService::verifySignature() using a loose boolean check (!openssl_verify(...)) that treats openssl_verify()'s -1 internal-error return as success. A detailed proof-of-concept exists (publicly available exploit code exists) demonstrating full CRUD on Bazar entries; the issue is not in CISA KEV and no EPSS score was provided.
Directory data disclosure in PEAKUP Technology's PassGate (all versions through build 30042026) allows remote unauthenticated attackers to manipulate LDAP queries by injecting special characters into user-controlled input. Reported by TR-CERT (Turkey's national CERT), the flaw carries a CVSS 8.2 driven by high confidentiality impact with no authentication or user interaction required. No public exploit code or CISA KEV listing exists at time of analysis, indicating no confirmed active exploitation.
Arbitrary file disclosure in docuForm GmbH Client v11.11c allows a remote, low-privileged attacker to read sensitive server files through the dfm-menu_report.php component by supplying attacker-controlled path input. The NVD description asserts arbitrary code execution and the vendor gist tags it 'RCE'/'Authentication Bypass', but the concrete described capability is reading configuration files, source code, and system files, with code execution unsubstantiated in the available data. No public exploit is confirmed via a flag, though a third-party gist reference (ZeroBreach-GmbH) is published and likely carries proof-of-concept detail; EPSS is low at 0.35% (27th percentile) and the CVE is not on CISA KEV.
Remote code execution in Discourse (via the discourse-ai plugin's PDF-to-text feature) allows an attacker who can upload a crafted PDF to run arbitrary commands on the server, but only in non-default configurations where an LLM vision model is configured. The flaw is a CWE-78 OS command injection reached when uploaded PDFs are rasterized through ImageMagick, which in turn invokes an external delegate (Ghostscript) on attacker-controlled input. It is not in CISA KEV and has no public exploit identified at time of analysis; EPSS is low at 0.33% (25th percentile), and vendor patches exist across all supported release lines.
Broken object-level authorization in docuForm GmbH Client v11.11c lets an authenticated remote user manipulate the user settings component to read and modify other users' account data, with the reporter additionally claiming this can escalate to arbitrary code execution. The flaw stems from user-controlled object references (CWE-639) that the application fails to authorize against the requesting session. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; EPSS is low at 0.27% (18th percentile).
Authenticated remote code execution in docuForm GmbH Client v11.11c lets low-privileged users abuse the report.php file-upload component to run arbitrary code on the server. The flaw combines an authorization-bypass weakness (CWE-639) with unrestricted file upload, so an attacker with any valid account can escalate to full server compromise. No public exploit identified at time of analysis, though a third-party gist referenced in NVD may contain technical write-up material; EPSS is low (0.24%, 15th percentile) and the CVE is not in CISA KEV.
Improper access control in the Proximus b-box v8c.725A ISP gateway lets an already-authenticated low-privilege user override authorization checks and freely add, alter, or delete port forwarding (NAT) rules. Publicly available exploit code exists (GitHub PoC by Cedrico03), though it is not listed in CISA KEV and carries a low EPSS score (0.22%, 12th percentile), indicating no evidence of widespread active exploitation. The flaw effectively grants any logged-in account router-administrator control over inbound traffic routing.
Identity spoofing in Open WebUI before 0.10.0 lets an authenticated low-privileged user impersonate another account by injecting query parameters into the terminal WebSocket URL. Because backend/open_webui/routers/terminals.py built the ws_terminal upstream URL from an unencoded session_id and appended user_id as a query parameter - while the HTTP proxy path trusted an integrity-unbound X-User-Id header - an attacker can make the terminal backend resolve a different user identity, gaining that victim's terminal session context. No public exploit has been identified at time of analysis, but the fix is confirmed in v0.10.0 and the flaw is scored CVSS 8.0.
OS command injection in the wnx/laravel-backup-restore Composer package (fixed in v1.9.4) allows an attacker who can get a malicious backup archive restored to run arbitrary shell commands as the Laravel application user. The restore workflow interpolates an unescaped ZIP entry filename from the db-dumps directory directly into shell command strings (mysql, psql, sqlite3, gunzip) executed via Symfony Process::fromShellCommandline(), so shell metacharacters in the filename are interpreted by /bin/sh. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the flaw is trivially exploitable once a crafted archive reaches the restore path.
Least-privilege violation across multiple TOTOLINK SOHO router models (A3000RU, A3100R, A950RG, AC1200T10, CP450, CS185R_T10, EX200 through firmware 20260906) stems from the /etc/boa/boa.conf configuration of the Boa web-server interface, allowing a low-privileged remote actor to gain access or information beyond their intended authorization boundary. The flaw carries CVSS 4.0 base score 7.7 with high attack complexity, and VulDB rates real-world exploitation as difficult. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authenticated path traversal in SiYuan personal knowledge management system (versions prior to 3.7.1) lets a low-privileged user read arbitrary workspace files by abusing the /snippets/*filepath handler. Because serveSnippets in kernel/server/serve.go single-decodes the request path and joins it to the snippets directory without containment or sensitive-file checks, a request like /snippets/%2e%2e/%2e%2e/conf/conf.json returns workspace secrets and the document database. No public exploit identified at time of analysis, though the fixing commit publicly reveals the vulnerable code path.
Argument injection in bosh-cli versions before v7.10.4 lets a compromised or malicious BOSH Director inject arbitrary OpenSSH command-line options into the ssh process that the CLI spawns locally, achieving code execution on the operator's own workstation. It triggers during non-interactive SSH paths such as bosh ssh -c, bosh logs -f, and similar flows where the CLI builds an ssh command from Director-supplied data. No public exploit is identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 base score is 7.7 (High).
Time-based blind SQL injection in Pimcore Studio Backend Bundle (before 2025.4.6 and 2026.1.6) lets an authenticated low-privilege user read arbitrary database contents, including the administrator password hash, via the DateFilter column key parameter. The POST /pimcore-studio/api/website-settings endpoint and other listing endpoints interpolate the columnFilters key field directly into SQL with manual backtick wrapping, so a backtick breaks out of quoting to append SLEEP()/IF() subqueries. No public exploit identified at time of analysis; not listed in CISA KEV and no EPSS score supplied.
Predictable SSH credential generation in Cloud Foundry's bosh-windows-stemcell-builder (versions prior to v2019.98) lets attackers brute-force the SSH login on TCP/22 because the GenerateRandomPassword function relies on a cryptographically weak random number generator, drastically shrinking the effective password keyspace. Any Windows stemcell built with an affected release ships with a guessable administrative password, so an attacker who can reach port 22 of a deployed VM can recover interactive access and full control. No public exploit code has been identified at time of analysis and the issue is not listed in CISA KEV.
Path traversal in Open WebUI's terminal proxy (versions 0.9.6 through 0.9.x, fixed in 0.10.0) lets an authenticated attacker reach files and resources outside the intended proxy scope. The _sanitize_proxy_path routine in backend/open_webui/routers/terminals.py decoded incoming proxy paths exactly eight times, so a nine-times percent-encoded ../ sequence survived normalization and was decoded a final time by the upstream terminal server, defeating the traversal check. No public exploit or CISA KEV listing exists at time of analysis, but the scope-changing CVSS 3.1 score of 7.7 (S:C/C:H) signals meaningful confidentiality impact on the backend terminal component.
Authentication bypass in n8n's external identity resolution lets an attacker impersonate other users when the instance trusts more than one token-exchange issuer. Affecting n8n before 2.27.4 and version 2.28.0, the flaw stems from resolving federated identities using only the JWT sub claim while ignoring the iss claim, so a valid token from one trusted issuer whose sub matches a victim registered under a different issuer grants full access to that victim's account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the authentication-level impact (VC:H/VI:H) makes it a meaningful account-takeover risk for multi-issuer SSO deployments.
Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker crash the RTSP service by sending a crafted second SETUP request after a valid RTSP handshake, knocking the camera offline for every client on the network. The flaw is a stack-based buffer overflow (CWE-121) in the RTSP second-stage URL routing parser; publicly available exploit code exists via a GitHub write-up, though no active exploitation is confirmed and the CVSS availability-only impact means it is a crash, not code execution, at time of analysis.
Remote denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.991) allows an unauthenticated attacker on the network to crash the device by sending a specially crafted RTSP TEARDOWN request that overflows a stack buffer. Publicly available exploit code exists via a third-party GitHub write-up, though the flaw affects only availability (no data disclosure or code execution is claimed). No active exploitation has been reported in CISA KEV, and EPSS data was not provided.
Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) allows an unauthenticated remote attacker to crash the RTSP service by sending a crafted PLAY request that overflows a fixed-size stack buffer. The flaw is remotely reachable with no authentication or user interaction, but per the description and CVSS the impact is limited to availability loss (device crash/reboot), with no confirmed code execution. A public technical report with reproduction details exists on GitHub; the issue is not listed in CISA KEV and no EPSS score was provided.
Broken object-level authorization in PAVO Pay (all builds through 09072026) lets remote attackers access other users' resources by substituting user-controlled identifiers (CWE-639, IDOR-class), exposing sensitive financial data with no integrity or availability impact. Reported by Turkey's national CSIRT (TR-CERT) and tracked in the ENISA EUVD, the flaw scores CVSS 7.5 driven entirely by high confidentiality impact over an unauthenticated network path. No public exploit is identified at time of analysis, but the vendor did not respond to coordinated disclosure and no fix has been released, leaving all deployments exposed.
Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker exhaust TCP connection resources by sending RTSP requests (DESCRIBE, SETUP, PLAY) that advertise a Content-Length header but omit the message body, wedging the RTSP parser into a permanent body-awaiting state and leaking the connection. Repeated requests permanently disable the camera's streaming service. SSVC records a public proof-of-concept and rates the attack automatable; publicly available exploit code exists (POC), though it is not listed in CISA KEV, so there is no confirmation of active exploitation.
Denial of service in the RTSP service of Tenda CP3 V3.0 IP cameras (firmware V31.1.9.91) allows an unauthenticated remote attacker on the local network to crash the streaming service with a single crafted SETUP request. Because the second-stage URL routing parser does not validate the URL field length, a request whose URL is exactly four repetitions of a valid RTSP URL overflows a stack buffer and terminates the RTSP process, cutting off all clients. Publicly available exploit code exists (researcher write-up on GitHub); this is not listed in CISA KEV and no active exploitation is confirmed.
SQL injection in SiYuan's block-search endpoint (POST /api/search/fullTextSearchBlock) before version 3.7.1 lets an unauthenticated publish-mode visitor read documents they should not see. The endpoint concatenates attacker-controlled `paths` values directly into SQL predicates used by its non-SQL search modes, enabling a UNION SELECT that projects rows from hidden documents by spoofing an allowed visible box and path. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; CVSS is 7.5 reflecting confidentiality-only impact.
Unauthorized information disclosure in Hoppscotch prior to 2026.6.0 exposes mock servers linked to private collections to the public internet without authentication. The mock server creation logic in mock-server.service.ts silently drops the caller-supplied isPublic flag, while the Prisma schema defaults isPublic to true, so servers intended to be private are created as public. An unauthenticated remote attacker who reaches the mock endpoint can retrieve sensitive API data (schemas, example payloads, headers) the owner assumed was private; no public exploit was identified at time of analysis and the flaw is not in CISA KEV.
Denial-of-service in the RTSP service of the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets remote unauthenticated attackers abruptly reset the streaming TCP connection by sending an RTSP request with an oversized field value. Rather than replying with an RFC 2326-compliant error, the service tears the connection down with a RST packet, indicating unsafe input handling in the RTSP parser that can disrupt video streaming. A public research report documenting the flaw exists on GitHub, but there is no CISA KEV listing and no confirmed active exploitation.