2026-07-15
Stored server-side template injection in Grav's bundled Flex Objects plugin (getgrav/grav-plugin-flex-objects) before 1.4.0 lets a low-privileged content author inject Twig code through the dynamic collection/object title frontmatter, which is passed unsanitized to template_from_string() and executed. Because the title path bypasses Grav's Security::cleanDangerousTwig() filter, an attacker can reach internal Grav services such as the scheduler and escalate arbitrary Twig evaluation to full remote command execution. Reported by VulnCheck with a CVSS 4.0 base score of 8.7 (High); no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation in phpMyFAQ before 4.1.5 lets a delegated administrator holding USER_ADD/EDIT/DELETE rights mint a full SuperAdmin account through the POST /admin/api/user/add endpoint, resulting in complete instance takeover. The flaw stems from a missing SuperAdmin authorization guard, allowing a lower-privileged operator to submit isSuperAdmin: true with attacker-chosen credentials and then log in as that account. Reported by VulnCheck; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Unauthenticated organization enumeration in Capgo before 12.128.2 lets attackers abuse the Supabase PostgREST SECURITY DEFINER RPC public.rescind_invitation, which returns distinguishable NO_ORG versus NO_RIGHTS errors when invoked with only a publishable (anon) API key. This oracle lets remote unauthenticated attackers confirm which organization IDs exist, building a target list for follow-on phishing and social engineering. Reported by VulnCheck; no public exploit code and no CISA KEV listing at time of analysis.
Broken function-level authorization in Prospero Flow CRM before 5.5.3 lets any authenticated low-privileged user (e.g. the standard 'User'/'Usuario' role) read every bank account record belonging to their company via GET /api/bank-account. The API route is guarded only by auth:api with no permission gate — unlike the web equivalent, which enforces can('read bank') — so any valid bearer token returns sensitive banking data (IBAN, SWIFT/BIC, account identifiers). A vendor patch exists (5.5.3) and the fixing commit is public; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV.
Stored cross-site scripting in the 4Analytics privacy analytics extension for Joomla (by weeblr.com) lets unauthenticated attackers inject persistent JavaScript that executes when a victim views the AI analysis feature. Because injection requires no authentication (PR:N) but execution requires a victim to open the affected view (UI:A), an attacker can seed malicious script that later runs in a privileged operator's browser session. There is no public exploit identified at time of analysis and the extension is not listed in CISA KEV.
Server-side request forgery and credential theft in Grafana MCP Server lets an unauthenticated remote attacker steal the server's environment-configured Grafana service-account token by sending a crafted X-Grafana-URL request header, and pivot to reach arbitrary internal services including cloud metadata endpoints. The token grants the attacker the MCP server's full Grafana privileges, and the SSRF primitive exposes internal infrastructure behind the network perimeter. No public exploit identified at time of analysis, but the CVSS 8.6 (scope-changed) rating and unauthenticated network vector make this a high-priority fix.
Use of a hard-coded, device-shared cryptographic private key in TP-Link Kasa EC71 v4 and EC70 v4 camera firmware lets an adjacent-network attacker impersonate the device's web management service and break its transport encryption. Because the same private key is baked into every unit's read-only filesystem, anyone who extracts it from one firmware image can passively decrypt or actively man-in-the-middle traffic to any other device on the local network without authentication. TP-Link (the reporting vendor) has released fixed firmware; there is no public exploit identified at time of analysis and the CVE is not in CISA KEV.
Cross-context cache disclosure in Directus before 12.0.0 lets share-token holders and anonymous clients receive permission-filtered responses that were cached for a differently-scoped principal, because the cache key omits authorization context. When response caching is enabled, the key derived in api/src/utils/get-cache-key.ts covers only version, path, query, and accountability.user; since share tokens and anonymous requests both collapse to user null, requests to the same URL and query share a cache bucket and skip permission re-evaluation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is a straightforward, config-dependent information-disclosure issue fixed in 12.0.0.
Arbitrary code execution in PraisonAI (praisonaiagents) before 1.6.78 lets an attacker who can drop a Python file into a plugin directory run their own code. The plugin manager auto-discovers and executes any .py file found in project-level or user-home .praisonai/plugins/ directories at initialization, with no code signing, integrity checks, or sandboxing. VulnCheck reported it under CWE-94; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Path-traversal remote code execution in PraisonAI (mervinpraison/praisonai) before 1.6.78 lets an authenticated agent user abuse SkillTools.run_skill_script(), which executes skill scripts without validating that the supplied path stays inside the intended working directory. Because absolute file paths are accepted, a low-privileged attacker can point the skill runner at any executable script on the host and run it. No public exploit code has been identified and it is not in CISA KEV, but the flaw was reported by VulnCheck and a GitHub Security Advisory (GHSA-c44f-37qr-gw3f) confirms the fix.
Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-privileged local user to gain Administrator rights when the software is installed to a non-default directory, due to an insecure installer permission configuration. Absolute (formerly NetMotion) assigns this a CVSS 4.0 base score of 8.5 (High), reflecting full local compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Arbitrary file write in DataEase (open-source BI/data-visualization platform) before 2.10.23 lets an authenticated user (PR:L) abuse the /de2api/templateManage/save template-save endpoint to write attacker-controlled Base64 content to arbitrary filesystem paths. Because StaticResourceServer#saveFilesToServe extracted the filename using only a forward-slash split, crafted staticResource names containing traversal sequences or backslashes escaped the intended static-resource directory. No public exploit or CISA KEV listing is identified at time of analysis, though the fixing commit and advisory are public.
Local privilege escalation to MySQL root in the NixOS services.mysql module (Nixpkgs, before the 25.11 and 26.05 channel fixes) lets any unprivileged local account - including web, CGI, or other service processes on the same host - authenticate as the database root@localhost user with no password when the module is deployed with the mysql or percona-server package. Because the module initialized root@localhost without socket or password authentication, the DBMS trusted any local connection as root, granting full read/write control over all databases. No public exploit code has been identified at time of analysis and it is not in CISA KEV, but exploitation is trivial for any local process meeting the precondition.
Code injection in PraisonAI before 4.6.78 lets attackers who control deployment configuration achieve arbitrary Python execution because the API-server deployment generator fails to safely encode the deploy.api.host and agents_file values before emitting them into generated Python source (CWE-94). Injected expressions run when the generated API server starts or handles requests, yielding full code execution in the server process. No public exploit is identified at time of analysis; the flaw was reported by VulnCheck and a vendor patch is available.
Stored cross-site scripting in Open WebUI before 0.9.5 lets an attacker plant a malicious SVG as a victim's OAuth profile image and execute script in the application's origin. During OAuth login, the `picture` claim URL is fetched and its MIME type is guessed from the file extension rather than the response Content-Type, so a `.svg` URL is stored as a `data:image/svg+xml;base64,...` URI that bypasses the profile-image allowlist; when an authenticated user opens the profile image endpoint the SVG is served inline with no default CSP, running JavaScript that reads `localStorage.token` for account takeover. Reported by VulnCheck with a detailed GHSA source-code advisory; no public exploit identified at time of analysis and it is not in CISA KEV.
Arbitrary file operations in ASUS Aura Wallpaper Service allow a low-privileged local user to send crafted commands that carry an attacker-controlled file path, bypassing the service's intended path restrictions and abusing its higher-privileged context. Because the service exposes a communication channel that fails to properly restrict callers or validate file names (CWE-923), a local user can read, write, or manipulate files outside the intended scope, with high impact to confidentiality, integrity, and availability; on certain ASUS models exploitation can also render a single feature unavailable. No public exploit is identified at time of analysis, and it is not listed in CISA KEV, but the CVSS 4.0 base score of 8.5 (High) reflects meaningful impact despite the local vector and high attack complexity.
Arbitrary code execution in the HYPER SBI 2 installer (SBI Securities' online trading application) allows a local attacker to run code with the invoking user's privileges by planting a crafted DLL in the installer's directory. The flaw stems from insecure DLL search-path loading (CWE-427) and requires the victim to launch the installer from an attacker-influenced folder. No public exploit has been identified at time of analysis; the issue was reported by JPCERT/CC and published via JVN.
OS command injection in AWS jsii-diff before 1.131.0 lets a context-dependent attacker execute arbitrary shell commands when a victim runs the tool against an attacker-controlled 'npm:' source specifier. The npm package-loading component fails to sanitize the package specifier before passing it to a shell, so a crafted specifier is interpreted as a command. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; a vendor-released patch (v1.131.0) is available.
Local credential theft in the garminconnect Python library (versions <= 0.3.4) stems from writing its OAuth token store to disk without an explicit file mode, so under the default umask 022 the file garmin_tokens.json - containing the DI refresh token - is created world-readable (0o644). Any unprivileged co-tenant on a shared Linux or macOS host can read the token and exchange it at Garmin's OAuth endpoint for fresh access tokens, gaining persistent access to the victim's Garmin Connect account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix in 0.3.5 is confirmed and the issue is trivially reproducible under default configuration.
Server-side request forgery in PraisonAI's web_crawl tool (versions before 1.6.78) allows an authenticated attacker to reach internal HTTP services and exfiltrate their response bodies. The flaw stems from a time-of-check/time-of-use gap: hostnames are validated once but re-resolved at connection time without IP pinning, so DNS rebinding defeats the SSRF allowlist. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the technique is well-documented and the vendor has released a fix in 1.6.78.
Arbitrary physical memory read/write in the ASUS System Control Interface (v3 and legacy) and ASUS Business Manager driver allows a local administrator to issue crafted IOCTL requests that bypass OS-enforced memory protections, per an ASUS-published advisory. The flaw (CWE-822, Untrusted Pointer Dereference) turns the signed ASUS driver into a read/write primitive over physical memory, enabling privilege escalation from admin to kernel and potential defense evasion. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS was not provided.
Arbitrary directory deletion in DataEase, an open-source data visualization and analysis platform, allows an authenticated user (PR:L) to abuse the export-center bulk delete API by injecting path traversal sequences (../) into task identifiers, which are passed unsanitized to ExportCenterManage.delete and used to recursively delete server directories. All releases prior to 2.10.23 are affected, and the fix in 2.10.23 constrains deletion to identifiers that exist as legitimate export tasks in the database. There is no public exploit identified at time of analysis and the issue is not on the CISA KEV list, but a full commit-level patch is publicly available which lowers the barrier to reverse-engineering an exploit.
Stack-based buffer overflow in TDengine (open-source IoT time-series database) versions 3.4.1.6 and earlier allows an authenticated user to trigger a one-byte out-of-bounds write by submitting SQL containing crafted escape sequences (\%, \_, or \x), leading to denial of service and potentially remote code execution. The flaw sits in the SQL parser's trimString() routine, which validates only a single byte of remaining space in the tmpTokenBuf stack buffer before writing escape-processed data. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is fixed in version 3.4.1.14.
Out-of-bounds write in the Zephyr RTOS ADIN2111/ADIN1110 single-pair Ethernet driver (eth_adin2111.c) lets an attacker on the same 10BASE-T1S/T1L segment corrupt kernel memory by sending an oversized frame in OPEN Alliance SPI mode. Because per-chunk length and chunk count (up to 255) come straight off the wire with no bounds check on the reassembly cursor, the RX offload thread writes attacker-controlled bytes-up to ~14.8 KB-past the fixed 1524-byte static buffer, enabling denial of service and potentially remote code execution. There is no public exploit identified at time of analysis; the flaw was introduced in commit 0ca8b0756b1 and shipped in v3.7.0 through v4.4.0.
Cross-Site Request Forgery combined with SPL injection in Splunk Enterprise (below 10.4.1, 10.2.5, 10.0.8, 9.4.13) and Splunk Cloud Platform lets an attacker trick a logged-in user holding the list_deployment_server capability into unknowingly executing attacker-controlled Search Processing Language searches as the privileged splunk-system-user, exposing stored credentials and indexed data. The flaw stems from Deployment Server endpoints in Splunk Web accepting unvalidated GET requests without CSRF token checks and failing to neutralize caller input before it reaches an SPL search. No public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Session hijacking via a broken SSO/OAuth authorization flow affects Vaultwarden (the Rust-based Bitwarden-compatible server) prior to 1.36.0, where the /connect/authorize endpoint fails to bind the OAuth state parameter to the initiating browser session, accepts attacker-controlled PKCE parameters, and leaves SsoAuth records intact after a failed token exchange. By tricking a victim into completing IdP authentication (UI:R), an unauthenticated attacker can redeem the resulting tokens for a fully authenticated session and take over the victim's vault. Rated CVSS 8.3 (CWE-352) with no public exploit identified at time of analysis and no CISA KEV listing.
Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-middle attacker who can control upstream responses corrupt worker-process memory or crash the worker, but only in the non-default configuration combining Server-Side Includes, proxy_pass, and proxy_buffering off. The impact is confined to the data plane with no control-plane exposure, yielding limited memory modification and worker restarts (denial of service) rather than full code execution. No public exploit identified at time of analysis, though a vendor patch is available and the flaw carries a CVSS 4.0 score of 8.3.
Unauthorized configuration write in Dashy self-hosted dashboard (versions prior to 4.0.8) lets unauthenticated users or non-admin authenticated users overwrite the central config.yaml via the config-saving endpoint when the deployment uses OIDC authentication, bypassing configured permission controls. Successful abuse enables tampering with dashboard configuration and potential service disruption. No public exploit identified at time of analysis; not listed in CISA KEV.
mTLS authentication bypass in the Red Hat Ansible Automation Platform (AAP) Gateway Envoy proxy allows unauthenticated remote attackers to inject spoofed events into protected Event-Driven Ansible (EDA) event streams. The non-mTLS route to EDA event streams fails to strip the client-supplied Subject HTTP header even though the source defines requestHeadersToRemove for it, so an attacker can forge a Subject value matching a legitimate client certificate's Distinguished Name and impersonate an authenticated client. No public exploit identified at time of analysis; the issue is tracked by Red Hat (CWE-290, CVSS 8.2) but is not on CISA KEV and no EPSS score was provided.
Local information disclosure and denial of service in the ASUS System Control Interface driver (v3 and earlier) and ASUS Business Manager lets a user already holding local administrator rights issue crafted IOCTL requests to read leftover sensitive data from kernel/driver buffers and, in severe cases, exhaust unthrottled resources to crash the host. The flaw stems from missing resource limits (CWE-770) combined with reuse of memory that still contains prior sensitive contents. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; ASUS self-reported and issued an advisory.
SQL injection in Apache Fineract's Office Search API (GET /api/v1/offices) in all versions up to and including 1.14.0 lets an authenticated user who holds the office-view permission inject arbitrary SQL through the orderBy request parameter. Because it bypasses the ColumnValidator hardening added for CVE-2024-32838, an attacker can run time-based blind SQL injection to exfiltrate database contents and, by launching concurrent injections that hold connections open, exhaust the database connection pool to cause denial of service. No public exploit identified at time of analysis; the flaw is documented via an oss-security advisory and an upstream fix pull request (apache/fineract #6048).
Blind boolean-based SQL injection in Apache Fineract's Client Search API (GET /api/v1/clients) through version 1.14.0 lets an authenticated user who holds the view-clients permission concatenate unvalidated orderBy (and sortOrder) parameters directly into the backing SQL query. Attackers can extract arbitrary database contents one bit at a time and, on MySQL/MariaDB back ends, read arbitrary files accessible to the DB process via LOAD_FILE(). There is no public exploit identified at time of analysis, though the vendor's fix PR (#6020) ships an integration test containing a working injection payload; not listed in CISA KEV.
Memory-corruption vulnerabilities in Cisco RoomOS Software (the operating system on Cisco/Webex collaboration room endpoints) allow remote, unauthenticated attackers to trigger buffer-boundary violations that can compromise device confidentiality, integrity, and availability (CVSS 8.1). The flaws were internally discovered by Cisco's RoomOS engineering team during a proactive security review and are grouped under the CWE-119 buffer-error pillar; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV. High attack complexity (AC:H) reduces the practical ease of exploitation despite the network-facing, no-privilege vector.
Home-directory hijacking in File Browser before 2.63.17 lets an unauthenticated attacker gain full read/write access to another user's files by registering a username that normalizes to a victim's scope. Because cleanUsername() is a many-to-one transform, distinct usernames such as team/one, team one, and team-one collapse to the same home directory, and the signup path never checked whether the derived scope was already owned. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the fix commit and a regression test are public, making the root cause well understood.
Unauthorized access in Dell ThinOS 10 (versions prior to 2605_10.2100) stems from an obsolete UI feature (CWE-448) that a low-privileged local attacker can abuse to bypass authentication controls. With valid low-level local access to the thin-client, an attacker can leverage the leftover interface path to reach functionality or data they should not have, yielding high confidentiality, integrity, and availability impact per the CVSS 7.8 (High) rating. No public exploit identified at time of analysis; the flaw was reported by Dell and disclosed in advisory DSA-2026-300.
Command injection in Tabby (formerly Terminus) terminal emulator before 1.0.234 lets an attacker achieve code execution by tricking a victim into dragging and dropping a crafted file whose path contains shell command-substitution metacharacters ($(...) or backticks). Because the drop handler in tabby-electron/src/pathDrop.ts inserted the raw path into the active shell without neutralizing these characters, the payload runs when the victim presses Enter. This is an incomplete-fix follow-up to CVE-2026-45038, which only addressed control characters; no public exploit is identified at time of analysis and it is not listed in CISA KEV.
Local information disclosure in Huawei HarmonyOS and EMUI stems from a flawed permission-control check in the file system, letting a local actor read data that should be access-restricted. Exploitation requires local access plus user interaction (CVSS UI:R), and Huawei's own scoring rates it high impact; no public exploit was identified at time of analysis and it is not listed in CISA KEV. Note the vendor CVSS also asserts integrity and availability impact, which the one-line description (confidentiality only) does not substantiate.
Privilege escalation in CRI-O (the OCI container runtime used by Red Hat OpenShift Container Platform 4 and many Kubernetes clusters) lets an attacker who can set container environment variables inject a newline into the HOME variable and append arbitrary lines to /etc/passwd, enabling creation of a rootful or otherwise privileged account inside the container. It is a bypass of the incomplete fix for CVE-2022-4318, whose HOME sanitization was insufficient. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Denial of service in Red Hat OpenShift GitOps (Argo CD operator) lets a tenant who controls a namespace-scoped Argo CD instance delete a ClusterRole belonging to a cluster-scoped Argo CD instance by crafting a name collision. Because the ClusterRole reconciler skips ownership validation (CWE-862), a low-privileged tenant can disrupt a higher-privileged, cluster-wide GitOps instance across the trust boundary. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the cross-tenant scope change makes it a meaningful multi-tenancy integrity concern.
{id}. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), but it is not in CISA KEV and no active exploitation is identified.
Business-logic authentication bypass in Postiz self-hosted AI social media scheduler (gitroomhq/postiz-app) before 2.21.8 lets a low-privileged authenticated user grant any organization a lifetime PRO subscription without paying. The Nowpayments IPN (Instant Payment Notification) callback handler never validated the provider's shared-secret signature and trusted the subscription/organization identifier straight from the request body, so an attacker could forge a payment-confirmation callback. No public exploit identified at time of analysis and the issue is not in CISA KEV; it was privately reported and fixed by removing the crypto-payment code path entirely.
Server-side request forgery in Penpot before 2.15.0 lets an authenticated file editor coerce the backend into fetching attacker-chosen URLs via the remote image import feature, reaching internal-only endpoints that are normally unreachable from the outside. The :create-file-media-object-from-url RPC method passes a user-controlled URL to the shared HTTP client with no destination filtering (CVSS 7.7, scope-changed). No public exploit has been identified at time of analysis, but the fix in 2.15.0 is confirmed by the vendor advisory GHSA-35g2-w7f6-8v9h.
Authentication bypass (account takeover) in Vaultwarden before 1.36.0 allows an attacker who controls a federated identity provider identity to log in as an arbitrary local user by asserting that user's email address. The flaw exists because the SSO login flow validated the IdP 'email_verified' claim only during new-user creation, but skipped it when SSO_SIGNUPS_MATCH_EMAIL=true linked an incoming IdP identity to a pre-existing local account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is confirmed in release 1.36.0.
Cross-tenant data disclosure in FastGPT 4.14.17 through 4.15.0-beta5 lets a low-privileged tenant user read another tenant's dataset content via the POST /api/core/chat/record/getCollectionQuote endpoint. The endpoint validates the caller's chat and collection context but fails to bind the initialId center-node lookup to that authorized context, so an attacker supplying a foreign dataset data id as initialId (while using their own valid appId, chatId, chatItemDataId, and collectionId) receives the victim tenant's dataset quote or full-text content. This is an authenticated (PR:L) authorization flaw with no public exploit identified at time of analysis and no CISA KEV listing; EPSS data was not provided.
Server-side request forgery leading to code execution in Cursor's browser-enabled Cloud Agent lets attacker-controlled web content reach an unauthenticated local agent endpoint from inside the sandbox, compromising the session. Affecting Cursor Cloud Agent sessions prior to the 03/31/2026 fix, an attacker who gets a browsing agent to load malicious content can run code in the sandbox and read repository contents, environment variables, credentials, and GitHub App access tokens scoped to that session. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw is a missing-authentication (CWE-306) authentication-bypass class issue with high confidentiality, integrity, and availability impact to the affected session.
Server-side request forgery in Directus before 12.0.0 lets an authenticated user with file-upload rights abuse the /files/import endpoint to make the server fetch internal-only services and return their responses as downloadable files. The flaw stems from an incomplete SSRF denylist in api/src/request/is-denied-ip.ts, which treated 0.0.0.0 as a keyword but never blocked the literal address, so on Linux and macOS a request to 0.0.0.0 resolves to localhost and bypasses the protection. No public exploit identified at time of analysis and it is not in CISA KEV; EPSS was not provided.
Cross-origin WebSocket hijacking in the Model Context Protocol Python SDK (mcp on PyPI) before 1.28.1 lets a remote web page connect to any application exposing the deprecated mcp.server.websocket.websocket_server transport, because that transport accepted handshakes without Host or Origin validation and offered no SDK-level control to restrict connecting origins. A malicious site loaded in a victim's browser can therefore open an MCP session against a locally reachable server and drive its tools. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the tags flag it as information disclosure.
Missing authorization in the MCP Python SDK (the `mcp` PyPI package) versions 1.23.0 through 1.27.1 lets any authenticated client of a multi-client server enumerate, read the results of, consume messages from, or cancel tasks belonging to other clients. The default handlers wired up by `server.experimental.enable_tasks()` for tasks/list, tasks/get, tasks/result, and tasks/cancel key solely on the task identifier and never bind a task to the session that created it. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the upstream fix, deprecation warnings, and detailed advisory confirm the flaw; it is resolved in version 1.27.2.
Arbitrary file read in Metabase (versions from 1.57.0 up to the fixed releases) allows an attacker who already holds database-configuration privileges to exfiltrate files from the Metabase server's host filesystem by injecting unsafe JDBC parameters into a MySQL or MariaDB connection. The malicious driver options coerce the JDBC client to read local host files and surface their contents through query results or connection-validation error messages. No public exploit identified at time of analysis; the flaw affects self-hosted and embedded deployments of this open-source BI platform.
Privilege escalation via OAuth scope enforcement bypass affects Cloudreve self-hosted file management versions 4.12.0 through 4.16.0, where access tokens are issued without the client_id claim. Because the JWT verifier keys scope loading on client_id, a holder of a legitimately-issued low-scope OAuth access token can invoke APIs requiring higher scopes - file, share, workflow, user setting, WebDAV account, and potentially admin - as the enforcement layer degrades to non-scoped session authentication. No public exploit identified at time of analysis, but the root cause is confirmed by the vendor's fix commit and advisory GHSA-vgj4-345g-jcf8, with the issue resolved in 4.16.1.