Stack-based buffer overflow in gawk's readdir extension (extension/readdir.c, ftype() routine) affects all gawk releases through version 5.4.0, enabling a local attacker to crash the process and theoretically achieve code execution. The RCE angle is explicitly unconfirmed by the reporter (CERT-PL), making denial-of-service the primary demonstrated impact at this time. No public exploit identified at time of analysis; an upstream source-level patch commit is available on GNU Savannah.
Integer overflow in gawk's do_sub() routine (builtin.c) enables heap metadata corruption on 32-bit builds, crashing the process. Affecting all gawk versions through 5.4.0 compiled for 32-bit architectures, this flaw was reported by CERT-PL and is limited exclusively to the availability domain - the CVSS 4.0 vector confirms no confidentiality or integrity impact. No public exploit code or active exploitation has been identified at time of analysis, and a patch commit is available upstream.
Use-after-free memory corruption in gawk's do_getline_redir() routine within io.c allows a local attacker to crash the gawk process, causing a denial of service. All gawk versions 5.4.0 and below are affected, as confirmed by CERT-PL and an upstream patch commit. No active exploitation has been identified (not in CISA KEV), and the impact is confined to availability - no confidentiality or integrity effects have been demonstrated.
Stored XSS in Tallos Chat (RD Station Conversas) allows unauthenticated attackers to inject persistent malicious JavaScript via the 'name' parameter during chat session initialization. The payload executes not only in the initiating visitor's browser but also in the browser of any support agent who joins the conversation, expanding the attack surface to privileged operator sessions within the platform. No public exploit code or active exploitation has been confirmed at time of analysis, and no EPSS data was provided.
Cross-tenant IDOR in Decidim's verification admin flow exposes government-issued identity documents belonging to participants of one organization to administrators of a different tenant on the same instance. An authenticated admin of any tenant can enumerate sequential pending_authorization_id integers in the admin URL to view, approve, or reject ID document and postal-letter verification requests that belong to entirely separate organizations. The vulnerability was confirmed through a formal security audit and detailed reproduction steps are published in the GitHub advisory; no CISA KEV listing or independent exploit code exists at time of analysis.
Server-Side Request Forgery in the Themeisle Auto Featured Image (Auto Post Thumbnail) WordPress plugin through version 5.0.4 enables authenticated low-privilege users to coerce the server into issuing arbitrary outbound HTTP requests to attacker-controlled destinations, including internal network resources. The CVSS scope change (S:C) confirms the vulnerability can reach resources outside the WordPress application boundary - such as cloud metadata endpoints, internal APIs, or services on the hosting network. No public exploit identified at time of analysis, and SSVC assessment confirms no observed exploitation with non-automatable attack conditions.
Missing authorization in WooCommerce Bulk Edit Products - WP Sheet Editor (versions up to and including 1.8.21) permits authenticated high-privilege users to exploit incorrectly configured access control security levels, resulting in unauthorized bulk modification of WooCommerce product data. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to enforce proper capability checks before executing privileged bulk-edit operations via the network. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis, though the integrity-only impact and high-privilege requirement constrain the realistic attack surface.
Incoming webhook impersonation in Mattermost allows a requester holding webhook management permissions to post content attributed to arbitrary users in teams or channels those users do not belong to. Affected deployments span three active release branches: 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit code exists and the vulnerability is not listed in CISA KEV; the CVSS score of 4.9 correctly reflects that exploitation is constrained by the High privilege requirement, limiting realistic risk to insider threats or compromised privileged accounts.
Stored XSS in Decidim's HTML content blocks allows any administrator with landing-page editing rights to persist arbitrary JavaScript that executes in every visitor's browser. The vulnerability affects the decidim-core RubyGem across three release branches (below 0.30.9, 0.31.5, and 0.32.0) and was confirmed through a professional security audit by Radically Open Security. No public exploit code or CISA KEV listing exists; vendor-released patches are available and the fix has been merged upstream.
CSV formula injection in the PrestaShop module 'The Firmware' version 8.2.1 enables an authenticated attacker to inject malicious spreadsheet expressions via the unsanitized 'Alias' parameter in the address update function. When a victim subsequently exports account data using the 'Get my data in CSV' feature and opens the file in a spreadsheet application, the injected formula executes in that application's context, potentially exfiltrating the victim's personal data or executing commands on their workstation. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 score of 4.5 reflects the high-privilege and user-interaction prerequisites that constrain exploitability.
Post ownership verification is absent in Mattermost's shared channel inbound sync handler, allowing an authenticated remote cluster to forge sync messages that modify or delete posts authored by local users or other federated remotes. Affected versions span the 10.11.x, 11.6.x, and 11.7.x release trains up to and including 10.11.19, 11.6.4, and 11.7.2 respectively. No public exploit has been identified and CISA KEV confirmation is absent, but the integrity impact is direct and the attack complexity is low once federation trust is established.
Sensitive information exposure in the Smart Slider 3 WordPress plugin (all versions up to and including 3.5.1.37) allows authenticated Contributor-level users to extract titles and full content excerpts of private, draft, pending, trashed, and auto-draft posts belonging to any user on the site - including Administrators and Editors - via the unsecured 'keyword' Ajax parameter. The attack barrier is further lowered because the required nonce is automatically emitted on /wp-admin/post-new.php, a page accessible to any Contributor by default through the edit_posts capability, making nonce acquisition trivial. No public exploit code and no confirmed active exploitation (CISA KEV) have been identified at time of analysis.
Insecure Direct Object Reference (IDOR) in Mattermost's Playbooks feature permits any authenticated team member to overwrite another user's playbook metric configuration by supplying a foreign metric ID in a crafted import or update request. Affected branches are 11.7.x through 11.7.1, 11.6.x through 11.6.4, and 10.11.x through 10.11.19, where the server authorizes metric writes based on team membership alone rather than verifying that the referenced metric ID belongs to the playbook being saved. No public exploit code has been identified and this vulnerability does not appear in CISA KEV at time of analysis.
Missing authorization in Mattermost's /share-channel slash command autocomplete handler allows any authenticated user to enumerate remote cluster connection metadata, regardless of whether they hold the manage_shared_channels permission. Affects three active release lines (11.7.x, 11.6.x, 10.11.x) and is classified under CWE-862 (Missing Authorization). No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; exploitation is constrained to authenticated users, limiting realistic blast radius to insider threat or compromised-account scenarios.
Broken access control in ThemeMove's EduMall WordPress theme (versions through 4.5.1) permits authenticated low-privileged users to invoke restricted functionality without proper authorization checks. An attacker with any valid WordPress account can bypass the intended access control tiers and trigger actions that degrade site availability. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 4.3 reflects a contained, low-severity impact limited to availability.
Broken object-level authorization in Kimai's Timesheet API (versions <= 2.56.0) allows any authenticated user with the default ROLE_USER permission to reassign their own timesheet entries to arbitrary project IDs in the database - including projects belonging to teams or customers they have no membership in. The root cause is an unconditional OR branch in the Symfony EntityType query_builder that matches any submitted project ID before team-ACL predicates are evaluated; the TimesheetVoter further compounds this by checking only timesheet ownership, never the destination project's access controls. A proof-of-concept was disclosed with the advisory (later redacted); no active exploitation has been confirmed via CISA KEV.
{id}` correctly enforces teamlead validation through `TimesheetVoter`, but the collection endpoint `GET /api/timesheets?user=<id>` omits this check entirely, creating an inconsistent authorization model (CWE-863) that allows horizontal privilege escalation within the application. A private proof-of-concept was confirmed during responsible disclosure but has not been made public; the vendor-released fix is Kimai 2.57.0.
CSRF vulnerabilities in Kimai 2.56.0 through 2.57.0 allow an unauthenticated attacker to manipulate the authorization topology of the time-tracking application by tricking a privileged logged-in user into visiting a malicious page. The three affected GET endpoints - for projects, customers, and activities - perform persistent writes: creating or reusing a Team, assigning the victim as teamlead, and binding the target object to that team. No public exploit is currently available at time of analysis, though a PoC was submitted to the vendor and subsequently removed; the fix (moving routes to POST endpoints) shipped in version 2.58.0.