Cross-Site Request Forgery in the GoodMeet WordPress plugin (versions up to and including 1.1.8) enables unauthenticated remote attackers to wipe a site's stored Google Meet API credentials and OAuth tokens by deceiving a logged-in administrator into triggering a crafted request. The vulnerable reset_credential() function handling the wp_ajax_goodmeet_reset_google_meet_credential AJAX action checks the manage_options capability but omits mandatory WordPress nonce validation, allowing any cross-origin request to be processed as legitimate. The practical outcome is complete disabling of the site's Google Meet integration with no data disclosure; no public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in the Drupal Ray Enterprise Translation contrib module lets a remote attacker forge state-changing requests that are executed with the privileges of an authenticated victim (typically a site administrator), potentially altering translation configuration and integrations. It affects module versions below 4.0.4, below 4.1.4, and below 11.0.4, and carries a vendor CVSS of 8.8. No public exploit has been identified at time of analysis and the EPSS score is very low (0.12%, 2nd percentile), indicating no observed exploitation activity.
Cookie deletion via unauthorized class-based invocation in tarteaucitron.js allows an attacker with HTML injection capability to silently delete browser cookies by placing arbitrary elements bearing the purgeBtn CSS class in a page that loads the library. The tarteaucitron.cookie.purge() function responds to any matching DOM element without verifying whether it was created by the library itself or whether the specified cookie belongs to a tarteaucitron-managed service, enabling targeted cookie removal against visitors who interact with the crafted element. No public exploit identified at time of analysis beyond the researcher-published PoC; this vulnerability is not listed in CISA KEV and EPSS data is unavailable.
Cross-board authorization bypass in Wekan prior to version 9.64 allows a low-privileged authenticated user to inject checklist data into private boards where they hold no membership. The flaw resides in Meteor's collection allow rules for Checklists and ChecklistItems, which validate write access against the source card's context but ignore the destination cardId or boardId embedded in the update modifier - enabling an attacker with write access to any one board to redirect checklist mutations into boards they are not permitted to access. No active exploitation has been identified and no public exploit code exists; a vendor-confirmed fix is available in version 9.64.
Object injection in the Drupal ECA (Event - Condition - Action) contributed module exposes sites running affected versions to limited confidentiality and integrity compromise by authenticated low-privileged users. The vulnerability stems from improperly controlled modification of dynamically-determined object attributes (CWE-915, a mass-assignment class of flaw), allowing a crafted request to inject object properties and influence internal application logic within ECA's event-driven workflow engine. No confirmed active exploitation exists, and EPSS at 0.20% (10th percentile) reflects low observed threat pressure across the landscape, though a vendor patch has been issued per the Drupal security advisory.
Missing authorization controls in the Drupal AI Agents contrib module expose protected resources to forceful browsing by authenticated low-privilege users. Affected installations span three version branches - 0.0.0 through 1.1.3, 1.2.0 through 1.2.4, and 1.3.0 - across the Drupal ecosystem. No public exploit has been identified and CISA has not added this to KEV; EPSS at 0.14% (4th percentile) and SSVC's 'none' exploitation status confirm minimal real-world threat at time of analysis.
Insufficient JWT expiration enforcement in ZITADEL's external JWT Identity Provider integration allows tokens lacking the `exp` claim to be treated as indefinitely valid, bypassing intended session lifetime controls. Versions 3.0.0-rc.1 through 3.4.11 and 4.0.0-rc.1 through 4.15.1 are affected, with the flaw residing in `internal/idp/providers/jwt/session.go`. An attacker who can obtain or craft a JWT from a configured trusted external issuer that omits the `exp` claim can maintain persistent authenticated access without re-authentication. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Insufficient session expiration in ZITADEL's external JWT Identity Provider allows arbitrarily old tokens from trusted issuers to pass authentication when the token omits the iat (issued-at) claim. ZITADEL versions prior to 3.4.12 (v3 branch) and 4.15.2 (v4 branch) are affected. An attacker holding a previously issued JWT from a trusted external IdP - specifically one lacking the iat claim - can reuse that token indefinitely, bypassing intended session expiry controls and maintaining unauthorized access. No public exploit identified at time of analysis.
{workspace}/scripts/list_search` handler validates the token's domain and action (`scripts:read`) at the route level but omits per-row filtering against the token's resource/path segment (e.g., `scripts:read:f/allowed/*`), causing the underlying SQL query to return all non-archived workspace scripts regardless of path restrictions. Affects all Windmill deployments up to version 1.714.1; no public exploit or CISA KEV listing at time of analysis, but full reproduction steps are published in the GitHub security advisory.
Server-side request forgery in Kimai 2.56.0 allows authenticated users with write access to Markdown-rendered invoice fields to force the application server to issue outbound HTTP requests to attacker-controlled or internal network destinations. The vulnerability surfaces during invoice PDF preview and generation, where user-controlled Markdown is processed through an md2html filter and handed to mPDF, which fetches embedded image URLs server-side even with safe mode enabled. A proof-of-concept was developed and responsibly disclosed to the vendor - it is not publicly available - and no active exploitation has been confirmed; however, the attack path is mechanically simple for any user with access to customer invoice text fields such as Customer.invoiceText.