Unauthenticated information disclosure in GPUStack through version 2.2.1 lets remote attackers reach the worker port's unprotected /serveLogs and /debug endpoints to stream live inference logs - including user prompts and model completions - and to alter worker runtime configuration such as log levels and memory profiling output. Because the flaw is missing authentication (CWE-306) on network-exposed endpoints, exploitation requires no credentials and no user interaction; publicly available exploit code exists, though the issue is not listed in CISA KEV. VulnCheck reported it and the vendor fixed it in commit 4e20551.
UNION-based SQL injection in the Quotes Llama WordPress plugin (all versions before 3.1.6) lets unauthenticated remote attackers inject arbitrary SQL through an unsanitized request parameter and read any data from the WordPress database, including user password hashes. Publicly available exploit code exists and a vendor patch has been released; the flaw carries a high EPSS-relevant profile because it is remotely reachable with no authentication or user interaction. This is no public exploit identified as actively exploited (not in CISA KEV), but working PoC availability makes opportunistic mass-scanning likely.
Remote code execution in Cherry Studio 1.2.2 through 1.9.12 lets attackers who control search-provider content run arbitrary Node.js code because the SearchService loads that content into an Electron BrowserWindow with nodeIntegration enabled and contextIsolation disabled. An attacker controlling a search engine provider, search result page, or provider settings page can execute JavaScript with full Node.js privileges under the OS account running the app. Publicly available exploit code exists (VulnCheck/Mundi-Xu gist) and a vendor patch (commit 1518530) is available; the flaw is not currently listed in CISA KEV.
Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious checkpoint file to execute arbitrary code. The flaw lives in the _load_state routine, which imports and calls the module path named in a checkpoint's _instantiator hyperparameter, letting a crafted .ckpt bypass torch's weights_only=True safeguard when LightningModule.load_from_checkpoint is invoked. Reported by VulnCheck, it is fixed in commit d710d68 (PR #21832) via an instantiator allowlist, and publicly available exploit code exists though it is not listed in CISA KEV.
Authentication bypass in the Shibboleth WordPress plugin before 2.5.4 lets remote unauthenticated attackers forge identity headers and log in when the HTTP header identity mode is enabled without an anti-spoofing key. Because the plugin fails open rather than closed, any request carrying identity headers is trusted as an authenticated session, and with automatic account creation plus the default administrator role mapping an attacker can provision and sign in as a brand-new administrator. Rated CVSS 8.1 (CWE-287); publicly available exploit code exists (WPScan), but it is not listed in CISA KEV.
Album ownership takeover in immich before 3.0.3 allows a user with shared-album editor access to escalate to full owner by abusing the PUT /albums/:id/user/:userId endpoint (CWE-863, Incorrect Authorization). Because the endpoint fails to enforce owner-only restrictions on role changes, an editor can demote the legitimate owner and promote themselves across two sequential requests, gaining deletion and member-eviction control over the album and its assets. Publicly available exploit code exists and a vendor patch (v3.0.3) has shipped, though it is not currently listed in CISA KEV.
Broken object-level authorization in Kanboard through 1.2.52 lets any authenticated user who belongs to at least one project move, corrupt, or hide tasks in any other project on the same instance, including private projects they have no role on. The BoardAjaxController save() drag-and-drop endpoint checks the caller's role against the attacker-supplied project_id but never confirms the supplied task_id belongs to that project, and because task IDs are sequential integers shared instance-wide they are trivially enumerable. Publicly available exploit code exists and a vendor patch (commit 564cc30) is available, but this is not listed in CISA KEV and there is no public exploit identified as actively exploited in the wild.
Improper authorization in SpecterOps BloodHound through 9.4.0 lets any authenticated user tamper with the global custom-node graph schema by calling POST, PUT, and DELETE operations on the /api/v2/custom-nodes endpoints, which enforced only that a caller was logged in rather than that they held write permissions. Because custom node kinds are a shared, tenant-wide schema construct, a single low-privileged account can create, alter, or delete node types that affect every user and tenant on the instance. Publicly available exploit code exists and a vendor patch (commit 8f79035) is available; there is no CISA KEV listing, so exploitation is not confirmed as active.
SQL injection in Apache Fineract's Report Execution API (the runreports endpoint) in all versions up to and including 1.14.0 lets an authenticated user holding report-run permission inject arbitrary SQL through crafted report parameter values, because those values are concatenated into the generated query without sufficient validation. This yields unauthorized read access to data well beyond what the report was scoped to expose, and by extension other database contents. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; the upstream fix landed in PR #5980, which introduces a configurable InputValidator/validation-profile framework.
Missing authentication in @andrea9293/mcp-documentation-server v1.13.0 exposes its document-management Web UI/API on all network interfaces (0.0.0.0:3080) instead of localhost, letting any adjacent-network client read, add, search, and delete documents in the MCP knowledge base without credentials. Rated CVSS 8.8 (CWE-306), the flaw is exploitable by unauthenticated attackers reachable over the same LAN, VM network, Docker bridge, or VPN. A detailed proof-of-concept exists in the reporter's advisory, though there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV; the vendor fixed it in v1.13.1.
GitHub Actions expression injection in MaaAssistantArknights' dev-v2 CI (release-preparation.yml) lets an external attacker execute arbitrary shell commands on the ubuntu-latest runner by opening a non-draft fork pull request whose title begins with 'Release v'. The attacker-controlled pull_request.title was inlined directly into a run: block during opened, reopened, and ready_for_review events, so a crafted title breaks out of the sed command in the generate-changelog job. No public exploit has been identified at time of analysis and it is not in CISA KEV, but the class is trivially weaponizable and the fix commit (cafc3946) is public. EPSS was not provided.
Authenticated remote code execution in 9Router before 0.5.2 lets a logged-in attacker run arbitrary OS commands on the host by chaining a Host-header spoof (to reach routes that are supposed to be localhost-only) with unsanitized MCP plugin arguments that flow into child_process.spawn() via the /api/mcp//sse endpoint. Rated CVSS 8.8 (CWE-78, OS command injection), it is fixed in 0.5.2; no public exploit or CISA KEV listing exists at time of analysis, though a vendor advisory and fix commit are published.
Authenticated remote code execution in LangBot (pip package 'langbot', versions <= 4.10.5) allows any logged-in user to run arbitrary OS commands on the host by registering a malicious 'STDIO' MCP server through the Extensions > MCP configuration UI. Because LangBot passes the user-supplied command straight to the MCP SDK's StdioServerParameters, which spawns it as a subprocess, an attacker who signs up or uses stolen credentials gains full host takeover. A step-by-step and video proof-of-concept is public (publicly available exploit code exists), though there is no confirmed active exploitation.
Privilege escalation via improper access control in Cisco RoomOS software allows an authenticated attacker with low-level privileges to gain full control over affected collaboration endpoints, with high impact to confidentiality, integrity, and availability. The issue was discovered internally by Cisco's RoomOS engineering team during a proactive security review and is one of several access-control weaknesses grouped under CVE-2026-20150 and resolved in a single hardening release. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Server-side template injection in Frappe ERPNext (versions before 15.111.0 and 16.22.0) lets an authenticated user holding only a standard operational role inject a malicious template payload into a configuration field, causing the server to render it and disclose data the user is not authorized to see. Because the flaw is rooted in an authorization failure (CWE-863), it effectively bypasses ERPNext's role/permission boundaries. No public exploit identified at time of analysis, and it is not listed in CISA KEV; a fixed release is available from the vendor.
Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_http_slice_module is compiled in and configured alongside unnamed regex captures, or when a background cache update occurs, letting remote attackers trigger uninitialized memory access (CWE-908) in the data plane. The CVSS:4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with no user interaction, scored 8.8. There is no public exploit identified at time of analysis and no CISA KEV listing; F5 has released a patch and the issue does not affect the control plane.
Authentication bypass in FastGPT 4.15.0-beta4 lets unauthenticated remote attackers forge JWTs and access internal plugin reverse-call endpoints, because /api/invoke/* trusts tokens signed with INVOKE_TOKEN_SECRET whose default value is the literal string 'token' and which official deployment templates never set. By self-signing an HS256 JWT, an attacker can call /api/invoke/userInfo to read cross-tenant user PII via arbitrary tmbId values, or /api/invoke/fileUpload to write attacker-controlled content into chat files. No public exploit identified at time of analysis and not listed in CISA KEV, but the trivial exploitation and hardcoded-secret root cause make this high priority for self-hosted deployments.
Arbitrary file write in Cornac's dataset-download utility (all versions before 2.6.0) lets an attacker who controls a downloaded TAR archive place files anywhere the Python process can write, because the _extract_archive() helper in cornac/utils/download.py calls archive.extractall() without validating member paths. Since Cornac's built-in dataset loaders automatically fetch and unpack archives, a poisoned or MITM'd dataset archive containing ../ traversal, absolute paths, or symlink/hardlink entries can overwrite sensitive files and potentially achieve code execution. VulnCheck reported the issue; no public exploit identified at time of analysis and it is not in CISA KEV.
Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.received' events when the framework runs in AgentMail webhook mode. Because incoming payloads are trusted without validating the Svix signature (CWE-287), an attacker can POST crafted JSON to the webhook endpoint and cause configured agents to process attacker-chosen sender addresses and message bodies. A vendor patch exists (4.6.78); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invocation endpoints when the deployment runs with PRAISONAI_CALL_AUTH=disabled. Because the localhost-only safeguard derives the bind host from the client-supplied HTTP Host header, an attacker on the network can send a spoofed 'Host: 127.0.0.1' header to defeat the restriction and both enumerate and invoke registered agents. Vendor patch is available (reported by VulnCheck); no public exploit identified at time of analysis and it is not listed in CISA KEV.
Unauthenticated stored cross-site scripting in the 4Analytics analytics extension for Joomla (by weeblr.com) lets a remote attacker inject persistent JavaScript through a specially crafted request, with no login required. Because the payload is stored and later rendered in a privileged context, it can escalate to full website takeover under some conditions. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
SQL injection in MetaGuru's HCM (Human Capital Management) platform lets authenticated remote attackers inject malicious SQL through specific request parameters, yielding full read/write control over the backing database and its confidentiality, integrity, and availability. The flaw was reported by TWCERT (Taiwan CERT) and carries a CVSS 4.0 base score of 8.7; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because valid low-privilege credentials are required (PR:L), risk concentrates in environments where accounts are broadly provisioned or credentials can be phished/reused.
SQL injection in EDocman, the Joomla download/document manager extension by Joomdonation, allows remote unauthenticated attackers to inject arbitrary SQL through the extension's request handling (CWE-89). The CVSS 4.0 score of 8.7 reflects high confidentiality impact with no required privileges or user interaction, meaning database contents can be extracted directly over the network. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV; EPSS data was not provided.
SQL injection in the DPCalendar extension for Joomla lets remote unauthenticated attackers inject arbitrary SQL through a vulnerable parameter, per the CVSS:4.0 vector (PR:N/UI:N). With confidentiality-only impact rated High and no integrity or availability effect, the flaw primarily enables theft of Joomla database contents such as user records, session data, and configuration secrets. No public exploit identified at time of analysis, and no EPSS or CISA KEV signal was provided.
Stored/reflected XSS in the ViewComponent Rails gem (versions >= 4.0.0, < 4.12.0) arises because HTML-unsafe strings returned from a component's around_render hook bypass the automatic escaping applied to normal #call output, letting attacker-controlled data reach the browser as raw HTML. The flaw is amplified in collection rendering, where Collection#render_in joins per-item output and blindly marks it html_safe, laundering unsafe content into a trusted SafeBuffer. Publicly available exploit code exists (a detailed PoC in the GitHub advisory), but there is no public exploit identified as actively used in the wild; a vendor patch is available in v4.12.0.
Authentication bypass in 9Router (AI router & token saver) prior to 0.5.4 lets any authenticated user disable application-wide login by abusing a mass-assignment flaw in the PATCH /api/settings endpoint. Because the endpoint persists the entire request body without a field whitelist, a low-privileged user can flip security-critical settings such as requireLogin, thereby exposing sensitive routes like /api/keys and /api/providers to unauthenticated access. No public exploit identified at time of analysis; the issue is fixed in version 0.5.4.
Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep, low-level command of the tunnel protocol to corrupt server-side memory management and keep the server down. The flaw carries a CVSS 4.0 base score of 8.7 driven entirely by an availability (VA:H) impact, with no confidentiality or integrity consequence. No public exploit identified at time of analysis and it is not listed in CISA KEV, so real-world exploitation appears unproven.
{deptId}. The root cause is SqlparserUtils.transFilter() returning raw, unsanitized user input for operators other than 'in'/'between', which is then string-spliced into the dashboard query via SubstitutedSql.replace(). No public exploit identified at time of analysis and it is not in CISA KEV, but the vendor GHSA advisory, fixing commit, and 2.10.23 release confirm the flaw is real and patched.
Stored SQL injection in DataEase (open source data visualization/BI tool) versions prior to 2.10.23 allows an authenticated user who can define SQL-type datasets to persist malicious SQL through variable defaultValue entries, which later execute against the backend database whenever any user with dataset read permission opens the dataset. The flaw (CWE-89) enables reading and modifying arbitrary database data, and CVSS 4.0 rates it 8.7 (High). No public exploit has been identified at time of analysis, but the upstream fix commit is public, so exploitation prerequisites are well documented.
SQL injection in DataEase before 2.10.23 lets an authenticated low-privilege user compromise the backend datasource by abusing the datasource connection-status check, where io.dataease.datasource.provider.CalciteProvider#checkStatus concatenates the user-controlled configuration.getSchema() value into getTablesSql and runs it via executeQuery. Because the schema/owner string is embedded directly into metadata queries for DB2, SQL Server, PostgreSQL, Oracle and other datasources, an attacker who can create or edit a datasource can inject arbitrary SQL and read or alter data on the connected database. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the root cause is confirmed by the vendor commit that replaces string concatenation with parameterized PreparedStatements.
Denial of service in the ws WebSocket library for Node.js (versions before 8.21.1) allows remote unauthenticated attackers to exhaust server heap memory by opening fragmented messages that are never completed. Because the fragment guard in lib/receiver.js only fires when the fragment count reaches maxFragments, an attacker can stream continuation frames (starting with a text frame carrying FIN=0) indefinitely, and each fragment is retained as a separate Buffer with per-object overhead until the process runs out of memory. No public exploit has been identified at time of analysis, and the flaw was disclosed by VulnCheck with a vendor patch already available.
Configuration injection in F5 NGINX Ingress Controller lets an authenticated Kubernetes user with rights to create or modify Ingress CRDs or annotations smuggle arbitrary NGINX directives into the generated configuration. Because multiple user-controllable fields are written to the config without sanitization, an attacker can inject directives that create or delete files and disable services on the control plane. No public exploit identified at time of analysis; this is a control-plane-only issue with no data plane exposure, but the CVSS 4.0 score of 8.7 (High) reflects strong confidentiality and integrity impact.
Memory-exhaustion denial of service in F5 BIG-IP affects any virtual server configured with an HTTP/2 profile, where a remote unauthenticated attacker sends undisclosed crafted requests that drive Traffic Management Microkernel (TMM) memory consumption upward until TMM restarts. This is a data-plane-only issue with no control-plane exposure, and it also impacts the BIG-IP Next family (Kubernetes, SPK, CNF). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the vendor rates it CVSS 4.0 8.7 (High).
Security-policy bypass in PraisonAI before 4.6.78 renders the default Subprocess Sandbox backend inert, so administrator-defined blocked_commands, blocked_paths, blocked_imports, allow_subprocess, and allow_file_write restrictions are silently ignored. Any actor able to feed instructions into a PraisonAI agent can execute arbitrary subprocess commands, read sensitive files, and perform destructive file operations even though an explicit deny policy is configured. Reported by VulnCheck with a CVSS 4.0 base score of 8.7; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored server-side template injection in Grav's bundled Flex Objects plugin (getgrav/grav-plugin-flex-objects) before 1.4.0 lets a low-privileged content author inject Twig code through the dynamic collection/object title frontmatter, which is passed unsanitized to template_from_string() and executed. Because the title path bypasses Grav's Security::cleanDangerousTwig() filter, an attacker can reach internal Grav services such as the scheduler and escalate arbitrary Twig evaluation to full remote command execution. Reported by VulnCheck with a CVSS 4.0 base score of 8.7 (High); no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation in phpMyFAQ before 4.1.5 lets a delegated administrator holding USER_ADD/EDIT/DELETE rights mint a full SuperAdmin account through the POST /admin/api/user/add endpoint, resulting in complete instance takeover. The flaw stems from a missing SuperAdmin authorization guard, allowing a lower-privileged operator to submit isSuperAdmin: true with attacker-chosen credentials and then log in as that account. Reported by VulnCheck; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Unauthenticated organization enumeration in Capgo before 12.128.2 lets attackers abuse the Supabase PostgREST SECURITY DEFINER RPC public.rescind_invitation, which returns distinguishable NO_ORG versus NO_RIGHTS errors when invoked with only a publishable (anon) API key. This oracle lets remote unauthenticated attackers confirm which organization IDs exist, building a target list for follow-on phishing and social engineering. Reported by VulnCheck; no public exploit code and no CISA KEV listing at time of analysis.
Broken function-level authorization in Prospero Flow CRM before 5.5.3 lets any authenticated low-privileged user (e.g. the standard 'User'/'Usuario' role) read every bank account record belonging to their company via GET /api/bank-account. The API route is guarded only by auth:api with no permission gate — unlike the web equivalent, which enforces can('read bank') — so any valid bearer token returns sensitive banking data (IBAN, SWIFT/BIC, account identifiers). A vendor patch exists (5.5.3) and the fixing commit is public; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV.
Stored cross-site scripting in the 4Analytics privacy analytics extension for Joomla (by weeblr.com) lets unauthenticated attackers inject persistent JavaScript that executes when a victim views the AI analysis feature. Because injection requires no authentication (PR:N) but execution requires a victim to open the affected view (UI:A), an attacker can seed malicious script that later runs in a privileged operator's browser session. There is no public exploit identified at time of analysis and the extension is not listed in CISA KEV.
Server-side request forgery and credential theft in Grafana MCP Server lets an unauthenticated remote attacker steal the server's environment-configured Grafana service-account token by sending a crafted X-Grafana-URL request header, and pivot to reach arbitrary internal services including cloud metadata endpoints. The token grants the attacker the MCP server's full Grafana privileges, and the SSRF primitive exposes internal infrastructure behind the network perimeter. No public exploit identified at time of analysis, but the CVSS 8.6 (scope-changed) rating and unauthenticated network vector make this a high-priority fix.
Use of a hard-coded, device-shared cryptographic private key in TP-Link Kasa EC71 v4 and EC70 v4 camera firmware lets an adjacent-network attacker impersonate the device's web management service and break its transport encryption. Because the same private key is baked into every unit's read-only filesystem, anyone who extracts it from one firmware image can passively decrypt or actively man-in-the-middle traffic to any other device on the local network without authentication. TP-Link (the reporting vendor) has released fixed firmware; there is no public exploit identified at time of analysis and the CVE is not in CISA KEV.
Cross-context cache disclosure in Directus before 12.0.0 lets share-token holders and anonymous clients receive permission-filtered responses that were cached for a differently-scoped principal, because the cache key omits authorization context. When response caching is enabled, the key derived in api/src/utils/get-cache-key.ts covers only version, path, query, and accountability.user; since share tokens and anonymous requests both collapse to user null, requests to the same URL and query share a cache bucket and skip permission re-evaluation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is a straightforward, config-dependent information-disclosure issue fixed in 12.0.0.
Arbitrary code execution in PraisonAI (praisonaiagents) before 1.6.78 lets an attacker who can drop a Python file into a plugin directory run their own code. The plugin manager auto-discovers and executes any .py file found in project-level or user-home .praisonai/plugins/ directories at initialization, with no code signing, integrity checks, or sandboxing. VulnCheck reported it under CWE-94; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Path-traversal remote code execution in PraisonAI (mervinpraison/praisonai) before 1.6.78 lets an authenticated agent user abuse SkillTools.run_skill_script(), which executes skill scripts without validating that the supplied path stays inside the intended working directory. Because absolute file paths are accepted, a low-privileged attacker can point the skill runner at any executable script on the host and run it. No public exploit code has been identified and it is not in CISA KEV, but the flaw was reported by VulnCheck and a GitHub Security Advisory (GHSA-c44f-37qr-gw3f) confirms the fix.
Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user with write access to their own board relocate cards, lists, or swimlanes into a private board they do not belong to. The DDP update allow rules only authorize against the document's stored (source) boardId and never validate the attacker-supplied destination boardId in the update modifier, so /cards/update, /lists/update, and /swimlanes/update can be abused to inject content across a trust boundary. No public exploit identified at time of analysis, but the fixing commit and advisory publicly document the exact bypass, lowering the barrier to reproduction.
Local privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-privileged local user to gain Administrator rights when the software is installed to a non-default directory, due to an insecure installer permission configuration. Absolute (formerly NetMotion) assigns this a CVSS 4.0 base score of 8.5 (High), reflecting full local compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Arbitrary file write in DataEase (open-source BI/data-visualization platform) before 2.10.23 lets an authenticated user (PR:L) abuse the /de2api/templateManage/save template-save endpoint to write attacker-controlled Base64 content to arbitrary filesystem paths. Because StaticResourceServer#saveFilesToServe extracted the filename using only a forward-slash split, crafted staticResource names containing traversal sequences or backslashes escaped the intended static-resource directory. No public exploit or CISA KEV listing is identified at time of analysis, though the fixing commit and advisory are public.
Local privilege escalation to MySQL root in the NixOS services.mysql module (Nixpkgs, before the 25.11 and 26.05 channel fixes) lets any unprivileged local account - including web, CGI, or other service processes on the same host - authenticate as the database root@localhost user with no password when the module is deployed with the mysql or percona-server package. Because the module initialized root@localhost without socket or password authentication, the DBMS trusted any local connection as root, granting full read/write control over all databases. No public exploit code has been identified at time of analysis and it is not in CISA KEV, but exploitation is trivial for any local process meeting the precondition.
Code injection in PraisonAI before 4.6.78 lets attackers who control deployment configuration achieve arbitrary Python execution because the API-server deployment generator fails to safely encode the deploy.api.host and agents_file values before emitting them into generated Python source (CWE-94). Injected expressions run when the generated API server starts or handles requests, yielding full code execution in the server process. No public exploit is identified at time of analysis; the flaw was reported by VulnCheck and a vendor patch is available.
Stored cross-site scripting in Open WebUI before 0.9.5 lets an attacker plant a malicious SVG as a victim's OAuth profile image and execute script in the application's origin. During OAuth login, the `picture` claim URL is fetched and its MIME type is guessed from the file extension rather than the response Content-Type, so a `.svg` URL is stored as a `data:image/svg+xml;base64,...` URI that bypasses the profile-image allowlist; when an authenticated user opens the profile image endpoint the SVG is served inline with no default CSP, running JavaScript that reads `localStorage.token` for account takeover. Reported by VulnCheck with a detailed GHSA source-code advisory; no public exploit identified at time of analysis and it is not in CISA KEV.