Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before version 2.4.17 allows any authenticated Contributor-level (or higher) user to duplicate arbitrary posts they do not own by exploiting a missing per-object authorization check in the plugin's AJAX post-duplication action. The attacker gains a published copy of the target post under their own ownership and can extract private post metadata, including secrets stored by other Kali Forms instances on the same site. A publicly available proof-of-concept exists per WPScan; the vulnerability is not currently listed in the CISA KEV catalog, though the low privilege bar and default-enabled feature make it an actionable risk on any multi-user WordPress installation running the affected plugin.
SQL injection in H3C SecPath F1000-C8300 (firmware up to 20260522) allows unauthenticated remote attackers to manipulate database queries via the `subject` parameter in the `/webui/?g=log_fw_nbc_mail_jsondata` web management endpoint. The vendor has confirmed the vulnerability and acknowledged a planned fix, but no patch is released as of the disclosure date. A publicly available exploit exists (hosted on Feishu), lowering the bar for exploitation significantly despite the moderate CVSS 4.0 score of 5.5.
Unauthenticated file upload to the WordPress Media Library is possible in Kali Forms - Contact Form & Drag-and-Drop Builder versions before 2.4.17, because the plugin's upload handler accepts file submissions without verifying that a corresponding form with a file-upload field actually exists on the site. Any unauthenticated remote attacker can directly invoke the upload endpoint and deposit files into the Media Library. Impact is bounded by WordPress's core MIME type allowlist, which prevents upload of executable files and thereby rules out code execution; a publicly available proof-of-concept is confirmed by WPScan, and no CISA KEV listing is present at time of analysis.
Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol knowledge and tunnel control to trigger a non-persistent denial-of-service against the server component. Both client and server software are identified as affected per the vendor's own disclosure. No public exploit code and no CISA KEV listing are confirmed at time of analysis, and the non-persistent DoS nature implies the server likely auto-recovers, constraining operational impact.
Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attacker who has intimate knowledge of and total control over the tunnel protocol. The attack exploits a memory management flaw in the server component, causing service disruption that does not persist after the attack ends, meaning the server recovers without administrator intervention. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the network-accessible attack surface warrants patching given Absolute Secure Access is a perimeter access product. Notably, the vendor-supplied tag includes 'Information Disclosure,' which conflicts with the DoS-only description and may indicate additional undisclosed impact.
Server-side request forgery in the strands-agents-tools elasticsearch_memory tool enables prompt-injection attacks that exfiltrate the operator's Elasticsearch API key to attacker-controlled infrastructure. Applications using strands-agents-tools prior to 0.7.0 that rely on the ELASTICSEARCH_API_KEY environment-variable fallback - rather than explicitly passing api_key - are exposed to credential theft when an attacker can influence LLM input. No public exploit code or CISA KEV listing has been identified at time of analysis, but the prompt-injection-to-SSRF primitive is well understood in the AI agent security community and the credential-theft impact warrants prompt remediation.
Vaultwarden's SSO discovery endpoint exposed real organization SSO metadata - including organizationIdentifier values - to unauthenticated requests for arbitrary email addresses, enabling organization enumeration and authentication workflow abuse. All Vaultwarden deployments prior to 1.36.0 with SSO enabled are affected; an attacker with network access could query the `/organizations/domain/sso/verified` endpoint with any email address to harvest real org names and identifiers, then leverage those identifiers to obtain a valid pre-validation JWT through the `prevalidate()` flow without legitimate credentials. No public exploit code is identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Insufficient session invalidation in the Grav API plugin (getgrav/grav-plugin-api) before 2.0.4 renders stolen JWT access tokens permanently valid for up to one hour post-compromise. Because tokens are issued without a jti (JWT ID) claim, the server retains no mechanism to selectively revoke them - meaning logout events, password resets, new token issuance, and even account disablement are all ineffective at terminating an active attacker's session. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; however, the CVSS 4.0 vector (AV:N/AC:L/PR:N) reflects that any attacker already in possession of a token can trivially exploit this revocation gap over the network.
PraisonAI's MCP HTTP-stream transport silently skips authentication when no API key is configured at startup, allowing unauthenticated clients to initialize sessions, enumerate tools via tools/list, and invoke arbitrary tools via tools/call. Affected versions are all releases before 4.6.78. Compounding this, the dispatcher passes tool-call arguments directly to handlers without validating them against the advertised inputSchema, meaning a client can supply malformed or out-of-schema arguments to any registered tool. No public exploit code or CISA KEV listing has been identified at the time of analysis.
PraisonAI's tool approval caching mechanism in versions before 1.6.78 allows an attacker who influences an AI agent's behavior within a session to bypass human-in-the-loop oversight by reusing a single user-granted approval across tool calls with entirely different, unreviewed arguments. The flaw (CWE-863: Incorrect Authorization) directly undermines the security boundary that tool approval is designed to enforce, enabling arbitrary file write operations after approval of a benign operation. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA's KEV catalog; however, the CVSS 4.0 score of 6.9 with high integrity impact reflects meaningful risk for any deployment relying on tool approval as a control.
Cross-tenant record injection in Roskus Prospero Flow CRM before 5.14.0 allows any authenticated user to silently insert customer, lead, and product records into a competing company's tenant by manipulating the company_id field in an uploaded Excel spreadsheet. The three affected import handlers (CustomerImport, LeadImport, ProductImport) map company_id directly from the user-controlled file without verifying it matches the authenticated session's own company, collapsing the multi-tenant data isolation boundary. No public exploit has been identified at time of analysis; vendor-released patch v5.14.0 is available and confirmed.
Stale render context retention in ViewComponent::Base allows lower-privileged users to receive privileged UI from a prior admin render when component instances are reused across requests, tenants, or threads. Affected versions 4.0.0 through 4.11.x of the rubygems/view_component package fail to reset request-scoped instance variables between render_in calls, enabling cross-user authorization bypass, stale Host header injection into generated URLs, slot child context leakage, and cross-thread context corruption. A detailed publicly available proof-of-concept confirms all four impact vectors; no KEV listing is present, but the exploitability in realistic shared-registry patterns is directly demonstrated.
PostgreSQL password hash disclosure in NocoBase 2.0.59 and earlier allows an authenticated administrator to extract pg_shadow credential hashes and database metadata by submitting raw SQL queries that reference system catalog tables omitted from the checkSQL() keyword blacklist. The SQL Collection plugin's blocklist-based validation failed to restrict pg_shadow, pg_roles, pg_stat_activity, and information_schema, and the commit diff confirms the bypass also worked via subquery wrapping (e.g., SELECT * FROM (SELECT usename, passwd FROM pg_shadow) AS passwords). No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV; a vendor-released patch is available in v2.1.0-alpha.46.
Zip-slip path traversal in File Browser 2.63.6–2.63.16 allows a low-privileged user with upload permission to plant a POSIX backslash-named file that the archive builder incorrectly normalizes into a directory traversal sequence, enabling arbitrary file write on any victim who downloads and extracts the generated archive. The root cause is the server-side conversion of `\` to `/` in archive entry names, which manufactures paths like `../../evil.sh` from the legal POSIX filename `..\..\evil.sh`. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the attack chain is straightforward for any user with upload access.
Elevation of privileges in Dell PowerScale OneFS versions 9.5.0.0-9.10.1.7 and 9.11.0.0-9.13.0.2 allows a high-privileged local attacker to escalate beyond their authorized access level due to improper privilege management (CWE-269). While the CVSS 3.1 base score of 6.7 reflects the local access and high-privilege prerequisites that constrain exploitability, the full C:H/I:H/A:H impact triad signals complete system compromise upon successful exploitation - a serious outcome for enterprise NAS infrastructure that frequently stores sensitive organizational data. No public exploit code or CISA KEV listing has been identified at time of analysis.
Command injection in NocoBase's @nocobase/plugin-backups prior to v2.1.19 allows an authenticated backup-management user to execute arbitrary OS commands as the NocoBase server process by restoring a crafted backup archive. The database.schema field from a backup's _metadata.json is interpolated directly into a shell command string passed to Node.js child_process.exec(), a classic CWE-78 pattern that bypasses any sanitization at the shell level. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis, but the commit diff confirms the mechanism is straightforward and the fix is available in v2.1.19.
Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions prior to 14.55 are affected. An attacker who already holds local administrator privileges on a managed endpoint can trigger the overflow to crash the Secure Access client, effectively disabling it on that machine. No public exploit code has been identified, and this vulnerability is not listed in the CISA KEV catalog.
Permission control bypass in the Settings module of Huawei HarmonyOS and EMUI exposes sensitive service data to unauthorized local actors. A locally-installed application without elevated privileges can exploit the flaw (CWE-200) during user interaction with the Settings UI to read confidential configuration or service data - with a CVSS-rated High confidentiality impact (C:H). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Permission bypass in the HarmonyOS card module allows a local, unprivileged user - with required user interaction - to circumvent access controls, resulting in high availability impact alongside limited confidentiality and integrity exposure. The vulnerability affects Huawei HarmonyOS across all tracked versions per CPE data and is documented in Huawei's July 2026 security bulletin. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping real-world risk constrained to local attack scenarios.
Unauthorized full-board read access in Wekan prior to v9.35 allows any authenticated user to exfiltrate the entire contents of any private board - cards, comments, attachments, member lists, and activity logs - by calling the `cloneBoard` Meteor method with an arbitrary board ID. The root cause is that `models/import.js` invokes the board exporter directly without calling `canExport()` or verifying source-board membership, the same guard correctly applied by the REST export route. No public exploit code has been identified at time of analysis, but the attack requires only a valid account and knowledge of a target board's ID, making it trivially reproducible by any developer familiar with the Meteor DDP protocol.
Incorrect authorization in Wekan's REST API (all versions prior to 9.32) permits any read-only board member to invoke write-level operations - creating, modifying, or deleting custom fields and dropdown items - on boards they should only be able to view. Six route handlers in server/models/customFields.js apply the read-level checkBoardAccess guard to mutating HTTP methods (POST, PUT, DELETE), instead of the write-level checkBoardWriteAccess. No public exploit or CISA KEV listing has been identified at time of analysis, but the logic flaw is straightforward to exploit by any authenticated board member with API access.
Server-Side Request Forgery in Cloudreve's remote download workflow (versions prior to 4.16.1) enables authenticated users holding the remote download permission to direct the application server to fetch arbitrary internal URLs via POST /api/v4/workflow/download. Because the downloader accepted user-supplied URLs without validating loopback, localhost, IPv6 localhost, or redirect-to-loopback targets, a low-privileged user could exfiltrate responses from internal services - including cloud instance metadata endpoints, internal APIs, or services bound to 127.0.0.1 - by reading the downloaded content from their own Cloudreve file storage. No public exploit has been identified at time of analysis; vendor-released patch 4.16.1 is available.
Uncontrolled memory allocation in Huawei's vibration service crashes affected HarmonyOS and EMUI devices, resulting in a denial-of-service condition impacting device availability. The flaw is remotely triggerable with no privileges required but demands user interaction, consistent with delivery via crafted content such as a malicious application, webpage, or message that exercises the vibration API. No public exploit code or active exploitation has been identified at time of analysis, though Huawei has issued a July 2026 security bulletin addressing the issue.
Server-side request forgery (SSRF) in 9Router's Kiro API-key validation endpoint allows authenticated attackers to redirect outbound validation requests to an attacker-controlled host, exfiltrating the submitted Kiro API key via the Authorization header. Affected are all 9Router deployments prior to version 0.5.6 where the Kiro OAuth provider is configured. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the attack is low-complexity once authenticated. Vendor-released patch is available in v0.5.6.
Drive-by local filesystem exfiltration in FiftyOne versions below 1.17.0 allows any malicious website to silently read arbitrary files from a victim's machine. The FiftyOne App server unconditionally returns Access-Control-Allow-Origin: * on all responses, and the unauthenticated /media endpoint serves local filesystem files by path - together these let JavaScript on any visited webpage fetch files such as SSH keys, cloud credentials, or .env files from localhost:5151 and relay them to an attacker-controlled server. No public exploit (KEV or confirmed POC) is identified at time of analysis, but the attack requires no special tooling and is trivially reproducible in Safari and Firefox, which lack Private Network Access protections.
Stored cross-site scripting in DataEase's template static resource pipeline allows authenticated users to persist malicious JavaScript inside SVG files served at the application's same origin, executing in victims' browsers upon resource access. Versions prior to 2.10.23 are affected; the root cause is that StaticResourceServer.saveFilesToServe and saveSingleFileToServe decoded attacker-supplied Base64 content and wrote it directly to disk without validating extension, MIME type, decoded bytes, or SVG scriptability. No public exploit code or CISA KEV listing exists at time of analysis, but the stored, same-origin nature of the XSS and the low bar for triggering it (any authenticated user) make this a meaningful risk in shared or multi-tenant DataEase deployments.
Fullscreen mode in Zen Browser desktop prior to 1.19.13b exposes users to credential-theft phishing by failing to display a persistent, visible security notification when a webpage enters fullscreen. An attacker-controlled page can completely occlude the real browser chrome - including the address bar and origin indicators - then render a convincing imitation of a trusted site's login interface. When combined with long-domain URL eliding, this allows precise origin spoofing; no public exploit has been identified at time of analysis, and the CVSS 4.0 score of 6.3 reflects high subsequent-system integrity and confidentiality impacts despite the attack requiring user interaction.
Heap buffer over-read in NGINX Plus's MQTT filter module (ngx_stream_mqtt_filter_module) allows unauthenticated remote attackers to crash the NGINX worker process, causing a brief, recoverable service disruption. The vulnerability is data-plane only - no control plane exposure exists - and exploitation depends partly on runtime conditions outside the attacker's control, reflected by the CVSS 4.0 AT:P metric. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; F5 has released a patch documented in advisory K000162101.
SSRF guard bypass in FastGPT prior to 4.15.0-beta5 enables authenticated workflow users to reach cloud metadata endpoints, loopback interfaces, and internal network services that the guard would otherwise block on direct request. The HTTP request workflow node submits the initial URL to the SSRF guard for validation, but then hands the request to axios, which follows HTTP redirects by default without re-triggering the guard - allowing an attacker-controlled redirect server to pivot the request to any internal target. No public exploit code has been identified at time of analysis, but the technique is well-understood, low-complexity once authenticated, and particularly severe in cloud-hosted deployments where IMDSv1 metadata endpoints expose IAM credentials.
Memory leak in ImageMagick's ICON decoder exposes services that process user-supplied images to a potential denial of service. Both the 7.x and 6.x release branches are affected - specifically versions before 7.1.2-26 and 6.9.13-51 respectively. An unauthenticated remote attacker (per CVSS PR:N) who can supply a crafted ICON file to an ImageMagick-processing endpoint can repeatedly trigger allocation failures that are never cleaned up, gradually exhausting process memory. No public exploit or active exploitation has been identified at time of analysis.
Memory leak in ImageMagick's YUV decoder (versions before 7.1.2-26 and 6.9.x before 6.9.13-51) enables remote denial of service by repeatedly submitting malformed YUV images that trigger a failed blob open, leaking heap memory on each decode attempt. No confidentiality or integrity impact applies; exposure is limited to availability of image-processing services that accept untrusted input. No public exploit code or active exploitation has been identified at time of analysis.
Use-after-free in ImageMagick's FreeType integration path allows remote denial of service against image processing pipelines using vulnerable 6.x or 7.x releases. When FreeType initialization fails during an image processing operation, the affected code path neglects to exit cleanly and continues referencing already-freed memory, causing process corruption or crash. No public exploit identified at time of analysis; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects meaningful preconditions required to trigger the failure path.
Unauthorized external secret disclosure in n8n before 2.28.1 allows authenticated project editors to read plaintext secret values from external secret managers by embedding references in workflow node expressions. The flaw bypasses the intended access control model: users with project editor roles - who are not granted explicit secrets access permissions - can nonetheless resolve and exfiltrate secrets via expression syntax. No public exploit or active exploitation has been identified, but the CVSS 4.0 vector assigns SC:H (high confidentiality impact on subsequent systems), reflecting that secrets stored in downstream vaults or secret managers are fully exposed to insufficiently privileged users.
Credential inference via timing side-channel is possible in Hono before 4.11.10 when the built-in `basicAuth` or `bearerAuth` middlewares are in use, due to JavaScript's short-circuit `===` string equality operator being used inside the `timingSafeEqual` function for hash comparison. Because `===` terminates on the first differing character, response times vary slightly based on how many leading characters of a credential match the stored hash, enabling an attacker to recover credentials one character at a time through statistical timing analysis. No public exploit has been identified and the vendor GHSA advisory explicitly characterizes this as a hardening improvement with low practical exploitability outside highly controlled, low-jitter network environments.
Authentication bypass in the n8n Chat Trigger node allows unauthenticated network access to protected webhook endpoints when the node is explicitly configured with n8n User Auth - a non-default operator setting. Affected releases span all 1.x builds before 1.123.22, the entire 2.0.0-2.9.2 range, and 2.10.0. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the CVSS 4.0 score of 6.3 with AT:P correctly reflects that real-world exposure is bounded by the non-default configuration prerequisite.
Input validation bypass in n8n's Guardrail node (versions before 2.10.0) allows end users interacting with affected workflows to circumvent AI safety guardrail instructions through crafted inputs, undermining workflow integrity. Any n8n deployment running a workflow that incorporates the Guardrail node is exposed; instances not using that node are entirely unaffected regardless of version. No public exploit code has been identified and this CVE does not appear in CISA KEV; a vendor-confirmed patch is available in n8n 2.10.0.
Server-side request forgery in Wekan's webhook integration feature allows board administrators to register malicious webhook URLs that the Wekan server later fetches without private-network validation, enabling unauthorized access to internal services and cloud metadata endpoints. All Wekan deployments prior to version 9.32 are affected; the root cause is that the existing validateAttachmentUrl() guard present in models/lib/attachmentUrlValidation.js was never wired into the webhook creation and update API paths. No public exploit has been identified and this is not listed in CISA KEV, but cloud-hosted Wekan instances face meaningful credential theft risk via cloud metadata service access.
Privilege escalation to NT AUTHORITY\SYSTEM is achievable on Windows systems hosting the Pegatron Tdelo64.sys kernel-mode driver, which exposes the \\.\TdeIo device interface without enforcing caller privilege checks or validating user-supplied kernel memory addresses in its IOCTL dispatcher. Any local user can open the device interface and send crafted IOCTL requests to perform arbitrary kernel memory read and write operations, enabling full system compromise including credential theft and security product bypass. No public exploit code or CISA KEV listing has been identified at time of analysis; the vulnerability was reported to CERT/CC (VU#529388), and the provided CVSS score of 6.2 materially understates the real-world impact given the described kernel write capability.
Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks that can result in administrator credential theft. An attacker who controls a malicious website can embed the login page in a hidden iframe, luring an unwitting administrator to unknowingly submit their credentials into the framed interface. No public exploit has been identified at time of analysis, and the CVSS 4.0 vector indicates active user interaction is required, limiting opportunistic exploitation.
Protection mechanism failure in Dell ThinOS 10 (versions prior to 2605_10.2100) allows an unauthenticated attacker with physical device access to bypass encryption controls and gain unauthorized read and write access to data stored on the thin client. The flaw, classified as CWE-693, indicates the encryption or authentication protection subsystem can be circumvented without any credentials, consistent with the Authentication Bypass tag and CVSS PR:N rating. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the physical access constraint limits but does not eliminate risk in environments with unattended or theft-prone thin clients.
Stored cross-site scripting in Stirling-PDF's /get-info-on-pdf endpoint allows attacker-controlled JavaScript to execute in any user's browser when they view metadata of a crafted PDF file. All versions prior to 2.0.0 are affected; the CVSS scope change (S:C) indicates injected scripts operate within the application's browser origin, enabling session hijacking or unauthorized actions. No public exploit code has been identified at time of analysis and this vulnerability has not been listed in CISA KEV.
Open redirect in Redash versions 5.0.2 through 26.3.0 allows unauthenticated attackers to craft a login URL that silently forwards authenticated users to an attacker-controlled external site. The flaw in get_next_path() stripped scheme and netloc from the next parameter but failed to reject or normalize URLs with three or more leading slashes - a pattern browsers interpret as an absolute external reference (e.g., /login?next=////evil.com). No public exploit or CISA KEV listing has been identified at time of analysis, though the bypass technique is trivially reproducible from the advisory's own example.
Unvalidated chown in Samba's pam_winbind module allows a local user with narrow sudo delegation to transfer ownership of the root filesystem directory to a system account, causing system-wide denial of service on Red Hat Enterprise Linux 6 through 10. When mkhomedir is enabled and a system account has its home directory set to '/', any PAM-triggered authentication event run as that account via sudo invokes the chown without path sanitization. The resulting ownership change breaks SSH, sudo, and package-manager functionality, though the 0555 permissions on RHEL prevent write access escalation, confining the impact to high-severity availability loss. No public exploit or CISA KEV listing is identified at time of analysis.
Permission bypass in n8n's external secrets handling allows authenticated low-privilege users to exfiltrate secrets they are not authorized to access by exploiting a mismatch between the platform's static validation layer and its runtime expression engine. Affected are all n8n instances running versions before 1.123.61 (1.x branch), 2.27.4, or 2.28.1 (2.x branch) that have both an external secrets provider and Advanced Permissions configured. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the confidentiality impact is high for affected deployments given that secrets such as API keys and credentials may be fully exposed.
Cross-namespace traffic mirroring in Cilium's Gateway API implementation allows authenticated Kubernetes users holding HTTPRoute create or update permissions to duplicate HTTP traffic to arbitrary Services in any namespace, bypassing the ReferenceGrant authorization mechanism intended to enforce cross-namespace access control. Affected branches are Cilium 1.17.x before 1.17.17, 1.18.x before 1.18.11, and 1.19.x before 1.19.5. No public exploit or active exploitation has been identified at time of analysis; the attack surface is significantly narrowed by Gateway API being disabled by default and exploitation requiring elevated Kubernetes RBAC permissions.
Stored XSS via unsanitized `javascript:` URI injection in the Dashy RSS Feed widget (src/components/Widgets/RssFeed.vue) affects all releases from 1.9.4 through 3.1.x, allowing an attacker who controls an RSS feed source configured in the dashboard to deliver a malicious anchor href that executes arbitrary JavaScript in the Dashy origin when a user clicks it. The attack requires both feed-source control and user interaction, and is confined to the Dashy application origin - meaning session tokens, cookies, or dashboard credentials are the primary targets. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in version 3.2.0.
Authorization bypass in FastGPT's workflow engine allows any authenticated platform user to invoke another user's private HTTP toolsets by crafting a workflow node ID in the form http-<victim_toolset_app_id>/<tool_name>. Affected versions span 4.14.17 through pre-4.15.0-beta5; the normal toolset access routes enforce ownership, but the workflow save path and the /api/v2/chat/completions runtime endpoint omit the same check, enabling cross-tenant tool execution. No public exploit code or CISA KEV listing exists at time of analysis; the AC:H vector reflects that exploitation requires prior knowledge of a victim's toolset app ID.
SQL injection in the web management interface of multiple ASUS router models enables a remotely authenticated, high-privilege user to exfiltrate confidential information by sending crafted requests that bypass the router's existing input validation. The vulnerability is limited to read-only data disclosure (no integrity or availability impact) and requires prior administrative authentication, significantly constraining real-world exploitability. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 score of 5.9 reflects the high complexity and authentication prerequisites.
Challenge bypass in Anubis Web AI Firewall (versions 1.22.0 through pre-1.26.0-pre1) allows unauthenticated remote HTTP clients to circumvent bot-challenge enforcement by supplying a crafted X-Original-URI header. PathChecker.Check() in lib/policy/checker.go unconditionally trusted this client-controlled header over the actual request path, enabling any client to match default ALLOW rules (e.g., ^/\.well-known/.*$) and reach upstream resources without completing the Anubis challenge. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, but the bypass is trivially reproducible with a single HTTP header manipulation.
{domain}/icon.png endpoint, bypassing the server's address blocklist. The icon-fetching HTTP client in src/http_client.rs applied should_block_address() and post_resolve() checks only against standard dotted-decimal notation, leaving alternative encodings - such as 0x7f000001 or 2130706433 for 127.0.0.1 - fully unblocked. No public exploit has been identified at time of analysis, and the issue is fixed in version 1.36.0.