Privilege escalation in CRI-O (the OCI container runtime used by Red Hat OpenShift Container Platform 4 and many Kubernetes clusters) lets an attacker who can set container environment variables inject a newline into the HOME variable and append arbitrary lines to /etc/passwd, enabling creation of a rootful or otherwise privileged account inside the container. It is a bypass of the incomplete fix for CVE-2022-4318, whose HOME sanitization was insufficient. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Denial of service in Red Hat OpenShift GitOps (Argo CD operator) lets a tenant who controls a namespace-scoped Argo CD instance delete a ClusterRole belonging to a cluster-scoped Argo CD instance by crafting a name collision. Because the ClusterRole reconciler skips ownership validation (CWE-862), a low-privileged tenant can disrupt a higher-privileged, cluster-wide GitOps instance across the trust boundary. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the cross-tenant scope change makes it a meaningful multi-tenancy integrity concern.
Sandbox escape with SYSTEM-level code execution in Sandboxie-Plus before 1.17.6 allows a process confined inside a sandbox to run arbitrary code in an unsandboxed host process. The privileged GuiServer service trusts attacker-supplied thread and function-pointer values from a GUI window-hook registration request and dispatches them via QueueUserAPC while running as SYSTEM, defeating the core isolation guarantee of the product. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the mechanism is a full sandbox-to-host escape.
Arbitrary file read and server-side request forgery in TensorZero Gateway (pip package tensorzero, versions < 2026.6.0) let callers of the /internal/object_storage endpoint override the gateway's [object_storage] configuration via a caller-supplied storage_path JSON parameter. Using the filesystem storage type an attacker reads arbitrary files (including credential files) from the gateway host, while the s3_compatible type coerces the gateway into outbound requests to attacker-chosen internal or cloud-metadata endpoints. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; exploitability hinges on whether the deployment has authentication enabled.
{id}. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), but it is not in CISA KEV and no active exploitation is identified.
Business-logic authentication bypass in Postiz self-hosted AI social media scheduler (gitroomhq/postiz-app) before 2.21.8 lets a low-privileged authenticated user grant any organization a lifetime PRO subscription without paying. The Nowpayments IPN (Instant Payment Notification) callback handler never validated the provider's shared-secret signature and trusted the subscription/organization identifier straight from the request body, so an attacker could forge a payment-confirmation callback. No public exploit identified at time of analysis and the issue is not in CISA KEV; it was privately reported and fixed by removing the crypto-payment code path entirely.
Server-side request forgery in Penpot before 2.15.0 lets an authenticated file editor coerce the backend into fetching attacker-chosen URLs via the remote image import feature, reaching internal-only endpoints that are normally unreachable from the outside. The :create-file-media-object-from-url RPC method passes a user-controlled URL to the shared HTTP client with no destination filtering (CVSS 7.7, scope-changed). No public exploit has been identified at time of analysis, but the fix in 2.15.0 is confirmed by the vendor advisory GHSA-35g2-w7f6-8v9h.
Authentication bypass (account takeover) in Vaultwarden before 1.36.0 allows an attacker who controls a federated identity provider identity to log in as an arbitrary local user by asserting that user's email address. The flaw exists because the SSO login flow validated the IdP 'email_verified' claim only during new-user creation, but skipped it when SSO_SIGNUPS_MATCH_EMAIL=true linked an incoming IdP identity to a pre-existing local account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is confirmed in release 1.36.0.
Cross-tenant data disclosure in FastGPT 4.14.17 through 4.15.0-beta5 lets a low-privileged tenant user read another tenant's dataset content via the POST /api/core/chat/record/getCollectionQuote endpoint. The endpoint validates the caller's chat and collection context but fails to bind the initialId center-node lookup to that authorized context, so an attacker supplying a foreign dataset data id as initialId (while using their own valid appId, chatId, chatItemDataId, and collectionId) receives the victim tenant's dataset quote or full-text content. This is an authenticated (PR:L) authorization flaw with no public exploit identified at time of analysis and no CISA KEV listing; EPSS data was not provided.
Server-side request forgery leading to code execution in Cursor's browser-enabled Cloud Agent lets attacker-controlled web content reach an unauthenticated local agent endpoint from inside the sandbox, compromising the session. Affecting Cursor Cloud Agent sessions prior to the 03/31/2026 fix, an attacker who gets a browsing agent to load malicious content can run code in the sandbox and read repository contents, environment variables, credentials, and GitHub App access tokens scoped to that session. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw is a missing-authentication (CWE-306) authentication-bypass class issue with high confidentiality, integrity, and availability impact to the affected session.
Server-side request forgery in Directus before 12.0.0 lets an authenticated user with file-upload rights abuse the /files/import endpoint to make the server fetch internal-only services and return their responses as downloadable files. The flaw stems from an incomplete SSRF denylist in api/src/request/is-denied-ip.ts, which treated 0.0.0.0 as a keyword but never blocked the literal address, so on Linux and macOS a request to 0.0.0.0 resolves to localhost and bypasses the protection. No public exploit identified at time of analysis and it is not in CISA KEV; EPSS was not provided.
Missing authorization in the MCP Python SDK (the `mcp` PyPI package) versions 1.23.0 through 1.27.1 lets any authenticated client of a multi-client server enumerate, read the results of, consume messages from, or cancel tasks belonging to other clients. The default handlers wired up by `server.experimental.enable_tasks()` for tasks/list, tasks/get, tasks/result, and tasks/cancel key solely on the task identifier and never bind a task to the session that created it. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the upstream fix, deprecation warnings, and detailed advisory confirm the flaw; it is resolved in version 1.27.2.
Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-only Meteor methods that lack the admin authorization checks applied to their non-OIDC counterparts. By calling setCreateOrgFromOidc, setOrgAllFieldsFromOidc, setCreateTeamFromOidc, setTeamAllFieldsFromOidc, boardRoutineOnLogin, or groupRoutineOnLogin over DDP, a low-privileged user can create or modify organizations and teams, and - when PROPAGATE_OIDC_DATA is enabled - groupRoutineOnLogin can grant that user global admin. No public exploit identified at time of analysis; the vendor fix (v9.32) is confirmed and the flaw carries a CVSS 4.0 base score of 7.6.
Cross-origin WebSocket hijacking in the Model Context Protocol Python SDK (mcp on PyPI) before 1.28.1 lets a remote web page connect to any application exposing the deprecated mcp.server.websocket.websocket_server transport, because that transport accepted handshakes without Host or Origin validation and offered no SDK-level control to restrict connecting origins. A malicious site loaded in a victim's browser can therefore open an MCP session against a locally reachable server and drive its tools. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the tags flag it as information disclosure.
Arbitrary file read in Metabase (versions from 1.57.0 up to the fixed releases) allows an attacker who already holds database-configuration privileges to exfiltrate files from the Metabase server's host filesystem by injecting unsafe JDBC parameters into a MySQL or MariaDB connection. The malicious driver options coerce the JDBC client to read local host files and surface their contents through query results or connection-validation error messages. No public exploit identified at time of analysis; the flaw affects self-hosted and embedded deployments of this open-source BI platform.
Privilege escalation via OAuth scope enforcement bypass affects Cloudreve self-hosted file management versions 4.12.0 through 4.16.0, where access tokens are issued without the client_id claim. Because the JWT verifier keys scope loading on client_id, a holder of a legitimately-issued low-scope OAuth access token can invoke APIs requiring higher scopes - file, share, workflow, user setting, WebDAV account, and potentially admin - as the enforcement layer degrades to non-scoped session authentication. No public exploit identified at time of analysis, but the root cause is confirmed by the vendor's fix commit and advisory GHSA-vgj4-345g-jcf8, with the issue resolved in 4.16.1.
Denial of service in BusyBox 1.38.0 lets attackers crash the bundled ash shell by supplying crafted input that triggers a heap-based buffer overflow (CWE-122) in the ifsbreakup() field-splitting routine of shell/ash.c. Only availability is impacted - there is no public exploit identified at time of analysis, and the EPSS score is low (0.16%, 6th percentile), indicating little observed exploitation interest so far. The NVD-assigned CVSS of 7.5 rests on a network attack vector that is not clearly supported by the description, which points to input being fed to a local shell.
Denial of service in BusyBox's AWK interpreter (editors/awk.c, commit 371fe9) lets an attacker crash the awk process by feeding it a crafted AWK script that overflows the stack inside the recursive evaluate() function. The impact is limited to availability (process crash) with no data exposure or code execution claimed; no public exploit identified at time of analysis and EPSS is very low (0.16%, 6th percentile). BusyBox is extremely widespread in embedded Linux, IoT firmware, and container base images, but exploitation requires the attacker to supply the script that awk executes, which materially narrows real-world reach.
Denial of service in BusyBox 1.38.0 stems from a heap-based buffer overflow in the evalcommand() routine of the ash shell interpreter (shell/ash.c), where crafted input corrupts heap memory and crashes the process. No public exploit identified at time of analysis, and the EPSS probability is low (0.16%, 6th percentile), indicating no observed exploitation activity. Impact is limited to availability - no confidentiality or integrity loss is claimed per the CVSS vector.
Denial of service in BusyBox 1.38.0 arises from a use-after-free in the awk_sub() routine of the AWK applet (editors/awk.c), allowing an attacker who can supply a crafted AWK script to crash the busybox awk process. The flaw is a memory-corruption bug (CWE-416) with availability-only impact and no confidentiality or integrity consequences. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and its EPSS score is low (0.14%, 4th percentile).
Pre-authentication memory-exhaustion denial of service in Pomerium's identity-aware proxy (versions >= 0.32.6, < 0.32.8) lets remote unauthenticated attackers crash or degrade the proxy by delivering a zstd decompression bomb to the pre-auth `/.pomerium/callback` endpoint. Only deployments using the stateless/hosted authenticate flow (Pomerium Zero / authenticate.pomerium.app) are affected; self-hosted stateful deployments verify an HMAC signature first and are immune. A working proof-of-concept is included in the vendor advisory, though there is no public exploit identified as weaponized in the wild and no CISA KEV listing.
Remote unauthenticated Denial of Service in Datadog's dd-trace-rb Ruby tracing library (versions before 2.32.0) allows attackers to exhaust CPU and memory by sending HTTP requests with oversized or high-cardinality W3C `baggage` headers. Because the DD_TRACE_BAGGAGE_MAX_ITEMS (64) and DD_TRACE_BAGGAGE_MAX_BYTES (8192) limits were enforced only on injection and not extraction, the tracer allocates a hash-map entry per comma-separated pair on every request. Baggage propagation is enabled by default, so any internet-facing instrumented Ruby service is exposed; no public exploit was identified at time of analysis, and this CVE is not listed in CISA KEV.
Remote denial of service in Datadog's dd-trace-go APM library lets unauthenticated attackers exhaust CPU and memory on any instrumented HTTP service by sending an oversized W3C 'baggage' header. The DD_TRACE_BAGGAGE_MAX_ITEMS (64) and DD_TRACE_BAGGAGE_MAX_BYTES (8192) safety limits were enforced only on baggage injection, not extraction, so a single crafted request with a huge number of comma-separated key-value pairs forces one hash-map allocation per pair on every request. Because baggage propagation is enabled by default, any internet-facing Go service using an affected tracer is exposed; there is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote unauthenticated Denial of Service in the Datadog.Trace .NET tracing library (versions before 3.43.0) arises because W3C baggage HTTP headers are parsed on the extract path without enforcing the DD_TRACE_BAGGAGE_MAX_ITEMS (default 64) or DD_TRACE_BAGGAGE_MAX_BYTES (default 8192) limits that are only applied during injection. An attacker can send a single request with a baggage header containing an arbitrarily large number of comma-separated key-value pairs, forcing the tracer to allocate a hash-map entry per pair and exhausting CPU and memory. Because the baggage propagation style is enabled by default, any internet-facing service instrumented with an affected tracer is exposed; there is no public exploit identified at time of analysis and the CVSS is 7.5 (A:H only).
Remote unauthenticated Denial of Service in the Datadog dd-trace-js Node.js tracing library (versions < 5.100.0) allows attackers to exhaust CPU and memory by sending an HTTP request with an oversized W3C 'baggage' header. Because the DD_TRACE_BAGGAGE_MAX_ITEMS (64) and DD_TRACE_BAGGAGE_MAX_BYTES (8192) caps were enforced only on injection and not on the extraction path, the tracer allocates a hash-map entry per comma-separated pair on every request. With baggage propagation enabled by default, any internet-facing instrumented service is exposed. CVSS 3.1 base score is 7.5 (A:H); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote denial of service in Datadog's dd-trace-py Python tracing library (versions before 4.8.2) lets unauthenticated attackers exhaust CPU and memory by sending oversized W3C 'baggage' HTTP headers. The DD_TRACE_BAGGAGE_MAX_ITEMS (64) and DD_TRACE_BAGGAGE_MAX_BYTES (8192) safeguards were enforced only on baggage injection, never on extraction, so a single crafted request with a huge number of comma-separated pairs forces the tracer to allocate a hash-map entry per pair on every request. Because the baggage propagation style is enabled by default, any reachable service instrumented with an affected tracer is exposed; no public exploit identified at time of analysis.
Remote denial of service in Datadog's dd-trace-java (dd-java-agent) tracing library affects any HTTP service instrumented with a version below 1.62.0 that has W3C baggage propagation enabled, which is the default. Because the DD_TRACE_BAGGAGE_MAX_ITEMS (64) and DD_TRACE_BAGGAGE_MAX_BYTES (8192) caps were enforced only on baggage injection and not on extraction, a remote unauthenticated attacker can send a single crafted 'baggage' header with a huge number of key-value pairs or one oversized value to exhaust CPU and memory. There is no public exploit identified at time of analysis and it is not on CISA KEV, but exploitation is trivially reliable (CVSS 7.5, AV:N/AC:L/PR:N).
Denial of service in TDengine time-series database versions prior to 3.4.1.15 allows unauthenticated remote attackers to crash the server by sending a malformed compressed RPC packet. The transDecompressMsg() function trusts a compression-length field without verifying the packet is large enough to contain the 8-byte STransCompMsg header, leading to an out-of-bounds read, uncontrolled/underflowed allocation, and process crash. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; a vendor fix exists in 3.4.1.15.
Arbitrary file disclosure in the Gravity Forms WordPress plugin (all versions through 2.10.4) lets unauthenticated attackers read sensitive files from the web server by abusing the 'gform_uploaded_files' parameter against the process_send_resume_link endpoint. Reported by Wordfence, the flaw carries CVSS 7.5 and is exfiltrated by directing the traversal-retrieved file to an attacker-controlled email as a form notification attachment. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Denial of service in Cisco RoomOS software allows remote unauthenticated attackers to exhaust availability of affected collaboration endpoints and room-based video devices through improper handling of exceptional conditions (CWE-703). The issue was internally discovered by Cisco's RoomOS engineering team as part of a hardening release bundling multiple flaws under this identifier, carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), and has no public exploit identified at time of analysis. Note that the CVSS vector reflects availability-only impact even though a source tag labels it 'Information Disclosure,' a discrepancy defenders should verify against the Cisco advisory.
Remote denial of service in Cisco RoomOS software allows unauthenticated attackers to exhaust or corrupt a resource over the network, disrupting availability of Cisco collaboration room endpoints. Disclosed as part of a Cisco-internal security hardening review under the CWE-664 resource-lifetime pillar, the flaw carries a 7.5 CVSS score with an availability-only impact (C:N/I:N/A:H). No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Denial of service in Cisco RoomOS software allows remote, unauthenticated attackers to disrupt device availability through improperly validated input, resulting in a high availability impact (CVSS 7.5). The flaw was internally discovered during a Cisco engineering security review and shipped in a software hardening release bundling multiple CWE-20 input-validation issues. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Sensitive information disclosure affects Cisco RoomOS software running on Cisco collaboration room endpoints, where missing encryption (CWE-311) exposes data to an attacker positioned on the adjacent network. An adjacent, unauthenticated attacker who can intercept or manipulate traffic could access confidential information and potentially tamper with it, though successful exploitation carries high attack complexity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue was internally discovered by Cisco's RoomOS engineering team during a proactive hardening review.
Symlink-following file overwrite in Microsoft AVML (Acquire Volatile Memory for Linux) before 0.17.0 lets a local attacker who can pre-plant a symlink at AVML's output path cause the tool to truncate and overwrite the symlink's target when it opens the file with O_TRUNC. Because the destructive open happens before input validation completes ('truncation-before-validation'), the target file is clobbered even for otherwise-invalid runs. No public exploit is confirmed, though a researcher gist accompanies the disclosure; the flaw is fixed in v0.17.0 by adding the O_NOFOLLOW open flag.
Server-side arbitrary code execution in TDengine time-series database (versions prior to 3.4.1.15) allows a database user holding the 'create udf' privilege to upload a malicious shared library, register it as a user-defined function (e.g. named 'eval'), and execute attacker-controlled native C code on the server by invoking that function through ordinary SQL queries. This is a privileged-user code injection issue (CWE-94) with high confidentiality, integrity, and availability impact; no public exploit identified at time of analysis and it is not listed in CISA KEV. The flaw is fixed in version 3.4.1.15.
Arbitrary file write in Splunk Enterprise (versions below 10.4.1, 10.2.5, 10.0.8, 9.4.13, 9.3.14) and Splunk Cloud Platform lets a privileged user with the edit_local_apps and install_apps capabilities abuse the app-installation workflow to write files outside the target app directory into $SPLUNK_HOME/etc/ and its subdirectories. The flaw is a path traversal (CWE-22) that can be leveraged to overwrite Splunk configuration and system files, yielding high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Authenticated arbitrary file write in the Grav CMS Form plugin (versions before 9.1.8) allows attackers to plant PHP webshells in the web root by abusing the process.save.filename parameter. The filename is checked for path traversal before Twig rendering but never re-validated afterward, so traversal sequences reconstructed during template evaluation bypass the guard. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the flaw was disclosed by VulnCheck via a coordinated GitHub security advisory.
Credential theft in ASUS GameSDK allows a remote attacker to capture a local user's NTLM hash by luring them to a crafted web page that abuses a permissive cross-domain policy to send a UNC-path request to GameSDK's local service endpoint. The flaw affects systems running the ASUS GameSDK local service (bundled with ASUS gaming utilities) and requires the victim to visit an attacker-controlled page (UI required); no authentication is needed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the leaked NTLM material can be relayed or cracked to reach other services.
Arbitrary file read and denial of service in Wekan (open-source Meteor kanban board) before version 9.31 allows an authenticated board member to read any file the server process can access by supplying attacker-controlled versions.original.path and versions.original.storage values to the /attachments/insert DDP method. Because the server-side insert permission rule only validates board write access and the filesystem store never confirms the path stays within the storage root, a low-privileged user can exfiltrate sensitive host files or hang the process by pointing at special files like /dev/zero. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but a fixing commit and release (v9.31) are public.
Cross-user state leakage in Lookyloo's PlaywrightCapture Python library allows one capture operation to inherit sensitive data from another when multiple Capture objects run within the same Python process. Because capture-specific settings (HTTP headers, cookies, browser storage, HTTP credentials, proxy, user-agent, geolocation) were stored as mutable class-level rather than instance-level variables, a concurrent or subsequent capture in a multi-user deployment can disclose or reuse another user's authentication cookies, credentials, and captured request data. Exploitation requires low privileges (PR:L, a legitimate user of a shared deployment); a vendor patch exists (commit 1e354b9) and no public exploit identified at time of analysis.
Denial of service in F5 NGINX Ingress Controller allows an authenticated remote attacker holding write access to Ingress or TransportServer resources to crash the control plane by submitting a malformed resource. Because the offending resource persists in the cluster, the controller re-reads it and re-crashes, producing a durable crash loop rather than a one-time outage. There is no public exploit identified at time of analysis, and impact is confined to the control plane with no data plane or confidentiality/integrity exposure.
Cross-session message injection in the MCP Python SDK (the 'mcp' package on PyPI) prior to 1.27.2 allows an authenticated client holding a valid bearer token to hijack another principal's session on the SSE and stateful Streamable HTTP transports. Because SseServerTransport and StreamableHTTPSessionManager route inbound requests using only the session_id query parameter or Mcp-Session-Id header - never checking that the caller is the same authenticated principal who created the session - any bearer-token-authenticated client who learns a victim's session ID can inject arbitrary JSON-RPC messages into that session. There is no public exploit identified at time of analysis and no CISA KEV listing; the flaw is fixed in version 1.27.2.
Broken access control in Wekan's open-source kanban server (all releases prior to 9.32) lets any authenticated user copy a private board they have no membership in. The vulnerable copyBoard Meteor DDP method in server/publications/boards.js accepts a caller-supplied board ID without verifying this.userId, membership, or admin rights, so an attacker can exfiltrate the board's cards, checklists, custom fields, labels, and rules into a board they own. No public exploit identified at time of analysis; the flaw is authenticated-only (PR:L) with an EPSS/KEV signal absent from the input.
Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel participant to permanently crash or wedge the server by abusing the tunnel protocol. The CVSS 4.0 vector (7.1, PR:L, VA:H) confirms an availability-only impact requiring some level of tunnel authentication, with no confidentiality or integrity effect despite a mislabeled 'Information Disclosure' tag. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Out-of-bounds heap write in Tencent's ncnn neural-network inference framework allows a crafted .param model file to corrupt heap memory when parsed by Net::load_param(). Because ParamDict::load_param() and load_param_bin() validated the parsed parameter id only against the upper bound (id >= NCNN_MAX_PARAM_COUNT), a negative id indexes before the params[] array, giving an attacker a write primitive below the allocated buffer. No public exploit is identified at time of analysis and the issue is not in CISA KEV; an upstream source-code fix is available.
Remote authenticated code execution in DataEase before 2.10.23 lets a low-privileged user abuse the Excel/datasource upload workflow to run arbitrary Java. By uploading a crafted payload.zip via /datasource/upload and defining an H2 datasource that references the archive through the zip: protocol, an attacker forces CalciteProvider.jdbcFetchResultField to execute a query that triggers precompiled Java aliases embedded in test.mv.db. The vendor CVSS 4.0 vector scores this 7.1 (confidentiality-only), but the underlying primitive is full arbitrary code execution; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Arbitrary SQL read access in DataEase before 2.10.23 lets authenticated users abuse the SQL preview feature (/de2api/datasetData/previewSql) to run attacker-supplied queries against any configured datasource. Because DatasetDataManage.previewSql passes the decoded PreviewSqlDTO.sql straight into datasourceRequest.query and CalciteProvider.fetchResultField executes it via prepareStatement().executeQuery(), an attacker can read any table the datasource account can access and receive the rows in the preview response. No public exploit identified at time of analysis, but the fix commit and advisory are public, making the flaw easy to reverse-engineer.
Server-side request forgery in Koel (self-hosted PHP music-streaming server, all releases up to and including 9.7.0) lets any authenticated low-privilege user coerce the server into requesting arbitrary internal or cloud-metadata endpoints. The flaw is an incomplete fix for CVE-2026-47260: the initial isSafeUrl() check was added to several podcast/radio fetchers, but per-redirect-hop re-validation was wired into only one path (EpisodePlayable), leaving every sibling fetcher bypassable via an attacker-controlled host that returns an HTTP 302 to an internal address, and all paths bypassable via DNS rebinding. A researcher mechanism PoC confirms exploitation; not listed in CISA KEV and no evidence of active exploitation.
{providerId} to drive organization provisioning, effectively escalating toward organization takeover. No public exploit identified at time of analysis; the flaw is fixed in 1.6.11 which adds the missing role check.
Path traversal via improper authorization in Cloudreve's WebDAV handler lets a scoped WebDAV account escape its configured root folder, reading and listing files anywhere the server process can reach, and - with a writable credential - creating, overwriting, moving, or deleting them. All versions prior to 4.16.1 are affected. No public exploit is identified at time of analysis and it is not listed in CISA KEV, though the flaw is straightforward to trigger once a low-privileged WebDAV credential is held.