Path traversal (CWE-22) in Fortinet FortiOS, FortiProxy, and FortiPAM enables a highly-privileged, physically-present attacker to execute unauthorized code or commands by escaping restricted directory boundaries. The vendor-supplied CVSS vector (AV:P/PR:H) constrains exploitation to scenarios requiring both physical device access and high-level credentials, making opportunistic or remote mass exploitation implausible. A proof-of-concept exists per the CVSS temporal indicator (E:P), and Fortinet has released an official fix per PSIRT advisory FG-IR-26-151; this vulnerability is not currently listed in the CISA KEV catalog.
NULL pointer dereference in Zephyr RTOS's syscall verifier allows an unprivileged user-mode thread to crash the kernel across the userspace security boundary. The z_vrfy_k_thread_name_copy() verification handler in kernel/thread.c incorrectly guards against the caller-supplied thread pointer being NULL rather than the ko pointer returned by k_object_find(), so any non-NULL but unregistered address bypasses the check and triggers a supervisor-mode NULL dereference that halts or reboots the system. Affecting Zephyr v2.0.0 through v4.4.0 when built with CONFIG_USERSPACE and CONFIG_THREAD_NAME enabled, no public exploit code and no CISA KEV listing have been identified at time of analysis, but the one-syscall reproducibility makes this straightforward to trigger in qualifying builds.
SQL injection in SAP S/4HANA Project Management (PPM-PRO) allows a high-privileged authenticated attacker to execute crafted database queries, exposing backend database contents. The vulnerability is reachable over the network but requires both high attack complexity and high privilege level, significantly constraining the realistic attacker pool. No public exploit or active exploitation has been identified at time of analysis, and the CVSS base score of 5.5 reflects these mitigating factors despite the potential for database exposure.
Stored XSS in osTicket's Agent and Admin panel allows any authenticated user with ticket-submission privileges to inject persistent JavaScript that executes in privileged staff browser sessions. Affected versions span two release branches: 1.10 through 1.17.7 and 1.18.0 through 1.18.3. No public exploit identified at time of analysis per KEV, but publicly available exploit code exists on GitHub (WesWrench/CVE-2026-36214), and the CVSS scope-change rating (S:C) reflects that successful exploitation compromises Agent or Admin sessions rather than the attacker's own context.
Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Adobe Experience Manager is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
Adobe Experience Manager is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
A security flaw was found in certain NETGEAR RAX models that could allow a logged-in user to send specially crafted requests to the router and run unauthorized commands. This could enable the user to make unauthorized changes to the router and affect its security and operation.
### Summary The `nebula-mgmt` Web UI host-creation path ignores both the server-wide `enrollment_token_ttl` security setting and per-network `network_config.enrollment_token_ttl` overrides. API host creation and token-regeneration paths use the configured TTL resolver, but `POST /ui/hosts` hardcodes `now.Add(24 * time.Hour)` for newly minted agent enrollment tokens. In deployments that intentionally reduce enrollment-token lifetime, any authenticated operator who can create a host through the Web UI can still mint a bearer enrollment token valid for about 24 hours. ### Details Enrollment tokens are bearer credentials for the public `POST /api/v1/enroll` endpoint: possession of a valid token allows enrolling the pending host and receiving a signed Nebula certificate/config for that host. The server configuration documents a security knob for their default lifetime and per-network overrides: - `internal/config/server.go:82` defines `EnrollmentTokenTTL` as the default lifetime for freshly minted enrollment tokens. - `internal/config/server.go:83` documents per-network overrides in `network_config` under `enrollment_token_ttl`. The API server implements and consistently uses this resolver: - `internal/api/server.go:77` defines `tokenTTLFor`, with precedence of per-network `enrollment_token_ttl`, then server default, then 24h fallback. - `internal/api/server.go:82` reads `network_config.enrollment_token_ttl`. - `internal/api/server.go:89` falls back to the configured server default. - `internal/api/hosts.go:190` through `internal/api/hosts.go:196` use `now.Add(s.tokenTTLFor(r.Context(), host.NetworkID))` for API host creation. The Web UI sibling path does not call the resolver and instead always sets a 24-hour expiry: - `internal/web/handlers.go:874` mints the raw token for `POST /ui/hosts`. - `internal/web/handlers.go:879` sets `ExpiresAt: now.Add(24 * time.Hour)`. This creates inconsistent behavior between API and Web UI host creation and bypasses an operator-configured token lifetime policy. The issue is reachable by an authenticated Web UI operator who can create hosts. Admins can create hosts in any network; non-admin operators can create hosts in networks whose CA they own. Affected version evidence: the configurable enrollment-token TTL feature was introduced by commit `6c344a6` (`feat(api): configurable enrollment-token TTL + regenerate endpoint (#75) (#79)`), and `git tag --contains 6c344a6 --sort=version:refname` returns `v0.3.0` through `v0.3.8`. Pattern checks across all release tags showed the TTL config/API resolver and the Web UI 24-hour hardcode are present in every `v0.3.x` release from `v0.3.0` to `v0.3.8`, and are not meaningfully applicable to `v0.1.x`/`v0.2.0` because the TTL policy knob was not present there. The current checkout at commit `d92dd9a60de291e2bc1caf73b4e9a99567b31ec0` (`git describe`: `v0.3.8-1-gd92dd9a`) remains affected. ### PoC Safe local PoC run from a clean checkout at commit `d92dd9a60de291e2bc1caf73b4e9a99567b31ec0` on 2026-06-12. The PoC is a temporary Go test that uses only in-memory SQLite and `httptest`; it does not start a real server and does not contact external services. 1. Create a temporary test file `internal/web/security_audit_poc_test.go` in package `web`. 2. In the test, create an in-memory Web UI with `newTestWeb(t)`, create a network `audit-poc-net` with CIDR `10.77.0.0/24`, and set `network_config.enrollment_token_ttl` to `30m`. 3. Log in as the seeded test admin through the normal Web UI helper and obtain a CSRF token from `GET /ui/hosts/new`. 4. Submit `POST /ui/hosts` with `network_id=audit-poc-net`, `name=audit-poc-host`, `nebula_ips=10.77.0.10`, `role=host`, and `kind=agent`. 5. Parse the one-shot enrollment token from the returned host-detail page and read the token row with `GetEnrollmentToken`. 6. Compare the observed expiry to the configured 30-minute network override. Command run: ```bash go test ./internal/web -run 'TestSecurityAuditPOC' -count=1 -v ``` Observed vulnerable output from this environment: ```text === RUN TestSecurityAuditPOC_UIHostCreateIgnoresNetworkEnrollmentTokenTTL POC_UI_TTL_BYPASS observed_token_ttl=24h0m0s configured_network_ttl=30m expires_at=2026-06-13T14:51:45Z --- PASS: TestSecurityAuditPOC_UIHostCreateIgnoresNetworkEnrollmentTokenTTL (0.05s) ``` The meaningful control is the API sibling: `internal/api/hosts.go:190` through `internal/api/hosts.go:196` uses `s.tokenTTLFor(...)`, and existing tests in `internal/api/hosts_token_ttl_test.go` verify API-created/regenerated enrollment tokens honor server-default and per-network TTLs. Variant review also found API regenerate-token, API re-enroll, and signed-poll rekey token minting use the resolver rather than a hardcoded 24h value. After recording the output, the temporary test file was removed and `git status --short` returned clean. The PoC was re-run after drafting this report and produced the output shown above. ### Impact An authenticated Web UI operator can bypass a configured enrollment-token lifetime policy and obtain a token valid for approximately 24 hours even when the deployment or network is configured for a much shorter lifetime such as 30 minutes. Because enrollment tokens are bearer credentials for the public enrollment endpoint, longer-than-intended validity increases the window in which a copied, logged, shared, or otherwise exposed token can be used to enroll the pending host and obtain its Nebula certificate/config. This weakens confidentiality and integrity for deployments relying on short token lifetimes to reduce enrollment-token exposure. Suggested remediation: refactor the Web UI host-creation path to use the same TTL resolution as the API path, or move the resolver into a shared package/service used by both API and Web UI. Add a regression test under `internal/web` that sets `network_config.enrollment_token_ttl = "30m"`, creates an agent host through `POST /ui/hosts`, and asserts the persisted enrollment token expires within the configured 30-minute window rather than 24 hours.
Adobe Commerce is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Path traversal in Rockwell Automation's Studio 5000 Logix Designer allows an attacker who can deliver a crafted ACD project file to write arbitrary files to attacker-controlled locations on an engineer's workstation. The software fails to sanitize or validate embedded filenames during the ACD project-open procedure, enabling path traversal sequences to escape the intended extraction directory and potentially achieve code execution. No public exploit code or CISA KEV listing has been identified at time of analysis, but the ICS context makes targeted file-delivery attacks via spear-phishing or shared project repositories a realistic threat vector.
Firefox versions prior to 152.0.6 are exposed to a network-exploitable flaw requiring user interaction that yields limited confidentiality and integrity impact within the browser context. Publicly available exploit code exists, confirmed by Mozilla's own advisory language, though the vendor reports no known attacks in the wild at time of disclosure. The fix is confirmed in Firefox 152.0.6, referenced in Mozilla security advisory MFSA2026-67.
Unauthorized account self-registration in the FoodBook Lite WordPress plugin through version 1.5.6 allows unauthenticated remote attackers to create 'customer'-role accounts and obtain valid WordPress authentication cookies, even when the site administrator has explicitly disabled user registration. The flaw exists because the plugin's registration() function is registered on the publicly accessible wp_ajax_nopriv_registration_action AJAX hook and calls wp_insert_user() without performing nonce verification, capability checks, or consulting the users_can_register site option. No public exploit has been identified at time of analysis and no KEV listing exists; Wordfence reported the issue with a confirmed fix in version 1.5.7.
Insufficient validation of untrusted input in Media in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Eclipse Jetty fails to enforce RFC 9110/9112's requirement that the HTTP request authority (host and port) match the value in the Host header across all supported protocol versions - HTTP/1, HTTP/2, and HTTP/3. Unauthenticated network attackers can exploit this input validation gap to manipulate Host-header-derived URI constructions (particularly redirect targets on login pages), influence virtual host selection, corrupt reverse proxy routing decisions, and produce misleading access logs. No public exploit has been identified at time of analysis and the vulnerability is not in CISA KEV, but the attack surface is meaningful in any Jetty deployment that performs host-based routing or generates redirects from the Host header.
Eclipse Jetty mishandles HTTP URI path parameters containing semicolons combined with traversal sequences, delivering an unresolved path (e.g., `/public/../admin/secret.txt`) to downstream web applications instead of the canonicalized form (e.g., `/admin/secret.txt`). Web applications that delegate path-based authorization decisions to Jetty-provided paths are susceptible to confusion attacks where an attacker crafts a URI like `/public;/../admin/secret.txt` to receive a path that bypasses application-layer access controls. Jetty itself is shielded by its alias checker and will not serve restricted files directly; the integrity risk materializes only in applications that consume the unresolved path for routing or authorization logic. No public exploit code or CISA KEV listing is present at time of analysis.
Server-Side Request Forgery in Sonatype Nexus Repository 3 exposes internal network infrastructure to authenticated users holding the nexus:ssl-truststore:read permission, who can weaponize the SSL Certificate Retrieval endpoint to force the server to initiate outbound TCP connections to arbitrary hosts - including cloud metadata services, internal APIs, and otherwise firewalled systems. All versions from 3.0.0 up to (but not including) 3.94.0 are affected, and a vendor-released patch is available. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
### Summary When OIDC is enabled, `GET /ui/oidc/login` is reachable without authentication and is registered outside the Web UI rate-limited auth routes. Every request creates a fresh random OIDC state value and stores it in an in-memory map for `10m`. Expired states are swept lazily, but there is no rate limit or maximum live-state cap on the allocation path. An unauthenticated remote client can therefore grow `OIDC.states` for the full state TTL, bounded by request throughput rather than by configured auth rate limits. ### Details The OIDC login route is registered directly by `WithOIDC`: - `internal/web/web.go:153` registers `w.router.Get("/ui/oidc/login", o.HandleLogin)`. - `internal/web/web.go:154` rate-limits only `GET /ui/oidc/callback` with `w.rateLimitMiddleware("auth")`. The normal `/ui/*` route group applies rate limiting to login/register form submissions, but this direct registration happens outside that group: - `internal/web/web.go:287` through `internal/web/web.go:292` show the rate-limited local login, TOTP, and register POST routes. The OIDC login handler allocates persistent server-side state before redirecting to the configured identity provider: - `internal/web/oidc.go:105` defines `HandleLogin`. - `internal/web/oidc.go:106` creates a random state token. - `internal/web/oidc.go:112` calls `o.rememberState(state)`. - `internal/web/oidc.go:122` redirects to `o.oauth.AuthCodeURL(state)`. The state storage has a TTL but no maximum size: - `internal/web/oidc.go:24` through `internal/web/oidc.go:26` define `oidcStateTTL = 10 * time.Minute`. - `internal/web/oidc.go:353` through `internal/web/oidc.go:358` sweep expired states and then add the new state to `o.states`. - `internal/web/oidc.go:360` through `internal/web/oidc.go:373` delete only expired states. Because the route is unauthenticated and not rate-limited, a remote client can repeatedly request `/ui/oidc/login` and force live state entries to accumulate for ten minutes. OIDC must be enabled for exposure. No IdP callback, valid credentials, or user interaction is required to trigger the allocation. Affected version evidence: OIDC login support was introduced by commit `3f46685` (`feat(auth): add OIDC operator login (Keycloak/Authentik/Okta/...) (#24)`), and `git tag --contains 3f46685 --sort=version:refname` returns `v0.2.0` and every later release through `v0.3.8`. Pattern checks across all release tags showed the OIDC login route and state allocation are present in `v0.2.0` and in every `v0.3.x` release from `v0.3.0` to `v0.3.8`, and absent from `v0.1.x`. The current checkout at commit `d92dd9a60de291e2bc1caf73b4e9a99567b31ec0` (`git describe`: `v0.3.8-1-gd92dd9a`) remains affected. ### PoC Safe local PoC run from a clean checkout at commit `d92dd9a60de291e2bc1caf73b4e9a99567b31ec0` on 2026-06-12. The PoC is a temporary Go test that uses `httptest` and an in-memory OIDC object; it does not start a real server, does not contact an IdP, and uses 1000 requests only to demonstrate linear state growth. 1. Create a temporary test file `internal/web/security_audit_poc_test.go` in package `web`. 2. Create a test Web UI with `newTestWeb(t)`. 3. Install a deliberately tiny auth rate limiter: group `auth` with rate `0.001` and burst `2`. 4. Attach an `OIDC` instance with an empty `states` map and an `oauth2.Config` whose authorization endpoint is `https://idp.example.test/auth`. 5. Send 1000 unauthenticated `GET /ui/oidc/login` requests from the same `RemoteAddr` through `w.ServeHTTP`. 6. Assert no request returns `429 Too Many Requests`, then inspect `o.stateCount()`. Command run: ```bash go test ./internal/web -run 'TestSecurityAuditPOC' -count=1 -v ``` Observed vulnerable output from this environment: ```text === RUN TestSecurityAuditPOC_OIDCLoginAllocatesUnrateLimitedState POC_OIDC_STATE_GROWTH attempts=1000 live_states=1000 ttl=10m0s rate_limit_group=auth_burst_2 --- PASS: TestSecurityAuditPOC_OIDCLoginAllocatesUnrateLimitedState (0.10s) ``` The meaningful control is that local login/register/TOTP POST routes and the OIDC callback are rate-limited: `internal/web/web.go:287` through `internal/web/web.go:292` and `internal/web/web.go:154`. The PoC specifically shows the OIDC login allocation route does not share that protection. After recording the output, the temporary test file was removed and `git status --short` returned clean. The PoC was re-run after drafting this report and produced the output shown above. ### Impact In deployments with OIDC enabled, an unauthenticated remote client can cause application-layer memory growth by repeatedly requesting `/ui/oidc/login`. Each request stores a new state entry for ten minutes, and the growth is not bounded by the configured auth rate limiter or by a maximum map size. The demonstrated impact is availability degradation risk through retained in-memory state growth. The PoC used 1000 local requests to avoid disruptive load while proving the source-to-sink behavior (`1000` requests resulted in `1000` live states). Suggested remediation: apply the existing `auth` rate limiter to `GET /ui/oidc/login`, add a maximum number of live OIDC states per client and/or globally, and fail closed when the cap is reached. Add a regression test that attaches a low-burst auth limiter, sends repeated `GET /ui/oidc/login` requests from the same client, and expects `429` or bounded live-state count after the configured burst.
Exposure of sensitive information to an unauthorized actor in Windows Media allows an unauthorized attacker to disclose information over a network.
Use after free in Windows Virtual Filtering Platform (VFP) allows an authorized attacker to deny service over a network.
Path traversal in openSIS Classic 9.3 exposes arbitrary server files through the legacy messaging sent-mail attachment download endpoint, exploitable by any authenticated low-privilege user. The vulnerability allows crafted sequences such as directory traversal patterns to escape the intended attachment directory and retrieve sensitive server-side files. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis; however, the low authentication bar and network accessibility make this a realistic internal threat.
Privilege escalation in Checkmk's mk_sap_hana agent plugin allows a local unprivileged user to execute arbitrary commands as root by planting a process whose name mimics a SAP HANA instance. The plugin, when running as root under the RUNAS=agent configuration and lacking explicit database configuration, blindly reads the OS process list to derive SAP HANA instance identifiers and injects them unsanitized into a shell command executed with root privileges - a textbook CWE-78 OS command injection. No public exploit code or CISA KEV listing exists at time of analysis, but the attack prerequisites are achievable on any misconfigured Checkmk deployment that monitors SAP environments.
Server-Side Request Forgery in Sonatype Nexus Repository 3 allows any holder of the Capability Administration permission to redirect the server's outbound HTTP requests to arbitrary internal network addresses by supplying a crafted URL in the Webhook Global capability configuration, enabling probing of internal infrastructure. The vulnerability is patched in version 3.94.0 per Sonatype's release notes. No public exploit code exists and the vulnerability is not in CISA KEV, but risk escalates materially on instances where the anonymous role has been granted the Capability Administration permission, as this exposes the SSRF to unauthenticated actors without any configuration changes beyond that role assignment.
A privilege escalation vulnerability exists in the HTTP authentication component in Archer VX1800v v1. Improper handling of user-controlled input may allow newline characters to be injected into internally constructed configuration data. An authenticated user with sufficient privileges may be able to modify account settings and gain elevated administrative privileges.
Stored cross-site scripting in Hi.Events through v1.10.0-beta allows authenticated event organizers to inject arbitrary JavaScript into public event pages by embedding the raw </script> sequence in an event title, which the application's JSON.stringify() serialization fails to encode safely when placed in inline script contexts. The payload executes in the browser of every visitor to the affected event page - including unauthenticated attendees and authenticated administrators - enabling session hijacking and privilege escalation from a low-privileged creator account. No public exploit has been identified at time of analysis; a vendor-released patch is available in v1.11.0-beta.
Improper access control in Windows System allows an unauthorized attacker to bypass a security feature locally.
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone archive extract can write extracted files outside the user-selected destination prefix when extracting a crafted archive containing parent path components such as ../, allowing creation or overwrite of sibling objects in the same bucket or path scope. This issue is fixed in version 1.74.4.
SSRF protections in Sonatype Nexus Repository 3 are bypassed when proxy repository upstream servers return HTTP redirects, allowing those redirects to target internal network addresses or cloud metadata endpoints such as AWS IMDSv1. Any user with read access to an affected proxy repository - including anonymous users if anonymous access is enabled - can receive responses from internal infrastructure, potentially leaking cloud IAM credentials or other sensitive internal data. No public exploit or CISA KEV listing has been identified at time of analysis, but the condition relies on attacker-controlled or compromised upstream servers, making this a credible supply-chain-adjacent threat in enterprises relying on external upstream repositories.
A security flaw in the router's certificate validation process was discovered in the NETGEAR XR1000 Gaming Router and certain Nighthawk models that could allow an unauthorized person to remotely access and take control of the device.
Out-of-bounds read in libsoup 3.6.6 exposes WebSocket clients to memory disclosure and crashes when connecting to malicious servers. The incomplete fix for CVE-2026-0716 (commit 6ff7ef0) placed the integer overflow guard exclusively inside the masked-frame branch, leaving the unmasked server-to-client frame path entirely unprotected - allowing a crafted payload length near UINT64_MAX to bypass the guard entirely. No public exploit code or active exploitation (CISA KEV) has been identified, but the CVSS AC:H rating reflects the non-trivial preconditions: a specific client configuration and attacker-controlled server are both required.
Stored cross-site scripting in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin lets a high-privileged authenticated attacker persist malicious JavaScript in form fields that executes in a victim's browser when the affected page is viewed. Because CVSS scope is changed and the payload runs in the victim's authenticated context, an attacker can escalate to takeover of a higher-privileged admin session or account. No public exploit identified at time of analysis; remediated in Adobe security bulletin APSB26-73.
Improper neutralization of input during web page generation ('cross-site scripting') in Active Directory Federation Services (AD FS) allows an authorized attacker to perform spoofing over a network.
Link-following vulnerability in mosaxiv clawlet up to version 0.2.10 allows local low-privileged attackers to read, write, or modify files outside intended directories by supplying symlinks to the read_file, write_file, and edit_file functions in tools/fs_ops.go. All three file-operation primitives are affected, meaning the attack surface covers both read (information disclosure) and write/edit (integrity impact) paths. No patch is planned - the upstream GitHub issue was explicitly closed as 'not planned', leaving all deployments on affected versions permanently unpatched.
Integer overflow or wraparound in Windows Devices Human Interface allows an authorized attacker to disclose information locally.
Post-authentication command execution in NETGEAR Nighthawk RAX-series routers (RAX43, RAX45, RAX50, RAX54S, RAX54Sv2) permits an attacker already holding administrative credentials and adjacent network access to run unauthorized OS-level commands or code on the device. Rooted in CWE-20 (Improper Input Validation), the flaw bypasses authorization controls within the authenticated management session, yielding high integrity impact on the vulnerable system. No public exploit identified at time of analysis, though the CVSS 4.0 supplemental metric E:P indicates proof-of-concept code exists; a vendor-released patch is available from NETGEAR.
Exposure of private personal information to an unauthorized actor in Microsoft Defender allows an authorized attacker to disclose information locally.
Reflected XSS in SAP NetWeaver Application Server ABAP's Business Server Pages (BSP) framework allows remote unauthenticated attackers to inject arbitrary JavaScript into HTTP responses when a victim user interacts with a crafted URL. Successful exploitation enables session token theft and execution of authenticated actions on behalf of the victim within the SAP web context. No public exploit code or CISA KEV listing is identified at time of analysis; CVSS AC:H indicates non-trivial conditions must align for successful delivery, moderating real-world risk despite the enterprise sensitivity of SAP environments.
Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.
Denial of service in Windows Hyper-V allows an authorized, adjacent-network attacker to crash or disrupt the hypervisor by triggering a buffer over-read (CWE-126). Affected platforms span Windows 10, Windows 11, and Windows Server 2012 through 2025, covering a broad slice of Microsoft's enterprise footprint. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but a vendor-issued patch is available via Microsoft MSRC.
FortiOS across the 7.2, 7.4, and 7.6 release trains leaks portions of device runtime memory to authenticated remote attackers via a buffer over-read in redirect response handling. Exploitation requires valid credentials but no elevated privileges, and proof-of-concept code exists (CVSS temporal E:P). An official vendor fix is confirmed available (RL:O), though unpatched instances of FortiOS 7.2.x, 7.4.0-7.4.8, and 7.6.0-7.6.2 remain at risk of sensitive memory disclosure - a consequential exposure given that FortiOS processes session tokens, credentials, and cryptographic material at runtime.
A security flaw was discovered in the NETGEAR WAX333 Access Point that could allow someone already logged in and connected to the local network to make unauthorized changes to the device's settings
Buffer over-read in Fortinet FortiOS and FortiProxy exposes sensitive memory contents to authenticated network attackers across multiple product lines including FortiPAM and FortiSwitchManager. The flaw, rooted in CWE-126 (buffer over-read), allows low-privileged remote users to read beyond allocated buffer boundaries, resulting in partial information disclosure with no integrity or availability impact. No active exploitation confirmed in CISA KEV, but the CVSS temporal vector includes E:P indicating proof-of-concept exploit code exists, and an official fix is available per RL:O.
Roundcube Webmail's TNEF (winmail.dat) decoder enters an infinite loop when processing a specially crafted TNEF attachment, causing denial of service for users on affected installations. Versions before 1.6.17 and 1.7.x before 1.7.2 are confirmed affected per the vendor advisory issued 2026-07-05. No public exploit code and no active exploitation (CISA KEV) have been identified; the CVSS vector confirms user interaction is required, limiting automatable mass exploitation.
Denial of service in Roundcube Webmail's TNEF decoder allows remote senders to crash the webmail parser by embedding a crafted compressed-RTF size field inside a winmail.dat attachment. Affected versions are all Roundcube Webmail releases before 1.6.17 and 1.7.x before 1.7.2. Release notes confirm the defect manifests as an infinite loop in the TNEF parser, meaning repeated delivery of malicious emails could degrade server availability for affected users. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.