2026-07-16
Server-side request forgery in HuggingFace text-generation-inference through version 3.3.7 enables unauthenticated remote attackers to coerce the server into issuing arbitrary outbound HTTP GET requests via a crafted image_url value submitted to the OpenAI-compatible multimodal chat completions endpoint. The fetch_image function in router/src/validation.rs applies no destination validation, and the reqwest client's default redirect-following behavior allows attackers to chain redirects to bypass any scheme-level controls, reaching cloud instance-metadata services (e.g., AWS IMDSv1 at 169.254.169.254) to steal IAM credentials or enumerate internal port services. Publicly available exploit code exists (VulnCheck/geo-chen); no KEV listing at time of analysis, but the combination of unauthenticated access, cloud credential theft potential, and working POC makes this a genuine priority for any cloud-hosted TGI deployment.
The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files (bounded to an image and video allowlist) to the Media Library and create attachment posts, leading to media library pollution and disk space exhaustion.
SQL injection in WP Job Portal WordPress plugin before 2.5.5 enables authenticated subscriber-level users to exfiltrate data from the underlying WordPress database. Because subscriber accounts are explicitly self-registerable (no admin approval required), the practical authentication barrier is near-zero for any external attacker. A publicly available exploit exists per WPScan, though EPSS at 0.18% (7th percentile) indicates limited observed exploitation to date and no CISA KEV listing at time of analysis.
Stored cross-site scripting via prompt injection in the BetterDocs WordPress plugin (versions 4.0.0 through 4.5.5) allows unauthenticated attackers to permanently implant malicious JavaScript into documentation pages by manipulating the plugin's AI-generated summary feature. Because the AI output is stored unsanitized and the generation endpoint requires no authentication, an attacker can craft adversarial prompts that cause the AI to produce and persist executable script payloads - payloads that then fire in the browser of every subsequent visitor, including WordPress administrators. A publicly available exploit exists via WPScan; no active exploitation confirmed in CISA KEV at time of analysis.
Stored cross-site scripting in the Header Footer Builder for Elementor WordPress plugin before 1.2.1 permits any Contributor-level user to inject persistent JavaScript into every page of the affected site by importing a crafted template through the plugin's dashboard action, which incorrectly requires only edit_posts capability rather than administrator access. Once the malicious Elementor HTML widget is imported with site-wide display scope, the payload executes in the browser of every visitor and administrator who loads the site - enabling session hijacking, credential theft, or admin account takeover. A publicly available exploit exists per WPScan (EUVD-2026-44878); no CISA KEV listing at time of analysis.
Unauthorized access to private chatbot conversations in the AI Engine WordPress plugin before 3.5.5 allows any authenticated subscriber-level user to both read and overwrite other users' chat records when the discussions feature is enabled. The plugin fails to verify that a client-supplied conversation identifier belongs to the requesting user (CWE-639 IDOR), enabling session data theft and record hijacking. Public exploit code is available via WPScan, though EPSS stands at only 0.13% (3rd percentile), suggesting no widespread automated exploitation; active exploitation is not confirmed in the CISA KEV at time of analysis.
Path traversal in FunnelKit WordPress plugin before 3.15.0.6 enables authenticated administrators to delete arbitrary .json files outside the plugin's intended directory during template-import operations. The root cause is CWE-73 (External Control of File Name or Path): the deletion handler accepts user-supplied paths without canonicalization or boundary enforcement. Leveraging CVSS scope change (S:C), a malicious admin can target configuration files belonging to other installed plugins, causing cascading denial-of-service across the WordPress installation. A publicly available exploit exists; the vulnerability is not in the CISA KEV catalog at time of analysis.
Cross-Site Request Forgery in the Appointment Booking Plugin for WordPress (versions before 5.6.3) allows an unauthenticated attacker to perform privileged administrative actions - including overwriting the booking-form configuration and disconnecting the connected payment gateway - by tricking a logged-in administrator into clicking a malicious link or visiting an attacker-controlled page. The root cause is absent CSRF nonce validation across multiple state-changing actions handled by the plugin's central request dispatcher. A publicly available proof-of-concept exists per the WPScan advisory, though EPSS sits at 0.10% (1st percentile), indicating negligible observed exploitation activity and no CISA KEV listing at time of analysis.
Broken access control in Perfect Support Ticketing & Document Management System through version 1.7 permits authenticated Agent-level users to manipulate the Support Agent assignment field on tickets beyond their authorized scope, including adding or removing Superadmin accounts. The vulnerability stems from missing server-side authorization checks (CWE-862), allowing role-based access controls to be circumvented entirely by any Agent assigned to a ticket. A publicly available exploit exists per VulnCheck and a GitHub PoC disclosure; no CISA KEV listing is present at time of analysis.
Stored cross-site scripting in Perfect Support Ticketing & Document Management System through version 1.7 allows authenticated Agent-level users to inject persistent malicious scripts into ticket Notes fields. Any user who subsequently views the compromised ticket notes - including Superadmin users - executes the attacker's payload in their browser context, enabling session token theft and unauthorized actions performed on the victim's behalf. No public exploit identified at time of analysis for KEV listing, though a publicly available proof-of-concept exists per VulnCheck and the researcher's GitHub repository.
Out-of-bounds read in AutomationDirect Productivity Suite enables a local low-privileged attacker to corrupt kernel memory by submitting a crafted IOCTL request, resulting in high availability impact (system or application disruption) and limited kernel memory disclosure. The vulnerability affects all documented versions per the CPE wildcard and was reported by ICS-CERT, placing it squarely in the operational technology threat landscape where availability is mission-critical. No public exploit code and no CISA KEV listing exist at time of analysis, placing current exploitation risk as low but warranting prompt patching in industrial environments.
Out-of-bounds read in AutomationDirect Productivity Suite exposes kernel memory and enables denial-of-service on engineering workstations via a crafted IOCTL request sent by a local low-privileged attacker. Affecting all versions per CPE wildcard, the CWE-125 flaw causes the vulnerable kernel-mode driver to read memory outside intended buffer bounds, leaking sensitive kernel contents or triggering a kernel panic (BSOD). Reported by ICS-CERT under advisory ICSA-26-197-04, no public exploit code or active exploitation has been identified at time of analysis.
Cross-tenant IDOR in Roskus Prospero Flow CRM before 5.5.3 allows any authenticated user to read, modify, and delete order and order-item records belonging to other companies (tenants) by supplying sequential integer IDs to five REST API endpoints. The root cause is missing company_id scoping in Eloquent ORM queries across all Order and OrderItem controllers, making every tenant's order data globally accessible to any platform user. No public exploit code or CISA KEV entry exists at time of analysis, but exploitation requires only a valid account and standard HTTP iteration - no special tools or expertise needed.
Divide-by-zero in AutomationDirect Productivity Suite enables a local, low-privileged attacker to crash the application, resulting in a denial-of-service condition on engineering workstations used to program AutomationDirect PLCs. All versions are affected per CPE wildcard data, and the vulnerability was disclosed via CISA ICS advisory ICSA-26-197-04, indicating ICS-CERT involvement and an OT/industrial context. No public exploit or CISA KEV listing has been identified at time of analysis, and exploitation impact is limited strictly to availability - no data exfiltration or tampering is possible.
Server-side request forgery in BigBlueButton's presentation URL handling allows privileged users to probe internal network resources before version 3.0.23. The presentation URL validation failed to block site-local (RFC 1918) and link-local (169.254.x.x) address ranges, and critically, the redirect-following logic did not pin resolved IP addresses, enabling DNS rebinding attacks that bypass initial validation. No public exploit has been identified at time of analysis, and the EPSS signal is absent from provided data, but the scope-change in the CVSS vector confirms the attack crosses from the BBB application tier into the broader internal network.
Out-of-bounds write in Lenovo BIOS firmware across dozens of consumer and gaming laptop models enables a local attacker with high OS-level privileges to execute arbitrary code in System Management Mode (SMM) - a CPU execution context operating below the operating system and hypervisor with access to all system memory. Successful exploitation allows persistent firmware-level implants that survive OS reinstallation and defeat Secure Boot and standard endpoint detection tools. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, SMM code execution represents one of the highest-impact firmware attack primitives available to an advanced threat actor.
Out-of-bounds write in Lenovo BIOS firmware across dozens of consumer and gaming laptop models enables a local privileged attacker to corrupt power management settings within System Management Mode, a CPU execution context operating below the OS kernel at Ring -2. Successful exploitation could allow persistent firmware-level tampering that survives OS reinstalls and reboots. No public exploit has been identified at time of analysis, and exploitation requires pre-existing high OS-level privileges, substantially limiting real-world risk to post-compromise scenarios.
Lenovo Smart Connect for Windows exposes an improper access control flaw that permits a local authenticated user to read files belonging to other users on the same machine. Discovered through Lenovo's own internal security assessment and documented under advisory LEN-218281, the flaw carries a CVSS 4.0 score of 6.8 with a local, low-privilege attack vector and high confidentiality impact. No public exploit code and no CISA KEV listing exist at time of analysis, limiting immediate risk to multi-user Windows environments where Lenovo Smart Connect is installed.
Open redirect in Axivion Dashboard's OAuth/OIDC login flow allows an attacker to silently redirect an authenticated user to an arbitrary external URL after successful sign-in. All Axivion versions are affected per the wildcard CPE (cpe:2.3:a:qt:axivion:*). A threat actor can exploit this for phishing - credential harvesting or second-factor theft - by embedding a crafted login URL that terminates on a convincing look-alike site rather than the legitimate dashboard. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Lenovo BIOS firmware across dozens of consumer and gaming laptop models - Legion, IdeaPad, Yoga, ThinkBook, LOQ, and V-series - contains a missing authentication flaw in the WMI-to-SMI interface that permits a local privileged attacker to arbitrarily trigger System Management Interrupt handlers, enabling execution at the SMM firmware level below the operating system security boundary. No public exploit code has been identified at time of analysis, and CISA KEV listing is not confirmed. The practical threat is post-compromise firmware persistence: an attacker already holding OS-level administrative privileges could use this flaw to manipulate firmware behavior in ways invisible to endpoint security tools, bypassing Secure Boot or implanting persistent code in System Management Mode.
SMM memory address disclosure in Lenovo laptop BIOS firmware exposes the location of protected System Management Mode (SMRAM) regions to a local privileged attacker. Dozens of Lenovo consumer, gaming, and business laptop product lines are affected across IdeaPad, Legion, Yoga, ThinkBook, LOQ, and V-series models. While the direct impact is confidentiality-only, SMRAM address disclosure is a classic prerequisite step in firmware-level attack chains that seek to bypass address-space protections and ultimately plant persistent SMM rootkits. No public exploit has been identified at time of analysis, and exploitation is not confirmed in CISA KEV.
Use-after-free in ESET's Linux security product kernel components enables a local high-privileged attacker to trigger a kernel panic, causing a complete system crash and denial of service. Both ESET Endpoint Antivirus for Linux and ESET Server Security for Linux are affected across unspecified versions, per ESET's own customer advisory. No public exploit code has been identified and CISA has not added this to the Known Exploited Vulnerabilities catalog; however, server-deployed AV with kernel-level hooks makes the DoS impact operationally significant in production environments.
SQL injection in MultiVendorX (WooCommerce Multivendor Marketplace) plugin versions up to and including 5.0.9 allows any authenticated WordPress user to extract sensitive data from the database via the unparameterized 'order_by' argument in the transactions REST endpoint. Critically, the default plugin configuration automatically approves store owner registrations, meaning any subscriber-level WordPress account holder can self-elevate to store_owner role via the public Stores REST endpoint, then immediately exploit the injection - effectively lowering the real-world privilege bar to any authenticated user. No public exploit code or CISA KEV listing has been identified at time of analysis, but the default-on privilege escalation path substantially raises exploitability beyond the PR:L CVSS score suggests.
Second-order SQL injection in Quiz Master Next (QSM) for WordPress through version 11.2.0 allows authenticated attackers holding Author-level access to plant SQL payloads in quiz page data that execute whenever any user - including administrators - views the affected quiz's Questions tab. The root cause is a two-stage failure: the qsm_ajax_save_pages() AJAX handler sanitizes user-supplied 'pages' values only with sanitize_text_field() (which strips HTML/PHP tags but does not escape SQL-special characters), then qsm_options_questions_tab_content() at line 143 reconstructs those stored values into an IN() clause via implode() with no $wpdb->prepare() call and no integer casting. No public exploit code has been identified at time of analysis; however, the split-phase attack pattern - where payload planting and execution are decoupled - commonly evades first-order WAF detection and standard code scanning, elevating practical risk beyond the 6.5 CVSS score alone.
Uncontrolled memory allocation in Envoy Gateway's OCI image fetcher allows a low-privileged tenant to crash-loop the shared controller cluster-wide. Versions before 1.7.4 and in the 1.8.x pre-release range before 1.8.1 are affected. By submitting an EnvoyExtensionPolicy referencing a malicious OCI registry serving a tar layer with a PAX/GNU-encoded multi-terabyte header size, an attacker triggers an unrecoverable Go runtime OOM in the controller - a single-request, non-volumetric, persistent denial of service that persists across restarts until the CRD is manually deleted. No public exploit identified at time of analysis.
Deterministic nil-pointer dereference in Envoy Gateway's gatewayapi runner allows a low-privileged tenant to permanently stall controller-wide xDS and Infrastructure IR publishing by submitting a single malformed CRD. Any tenant with namespace-scoped RBAC permission to create SecurityPolicy and TCPRoute resources can trigger a panic on every reconcile cycle by omitting the spec.authorization field, requiring administrator intervention to restore control-plane operations. No exploitation confirmed in the wild (not in CISA KEV); patches are available in versions 1.7.4 and 1.8.1.
Unbounded gzip decompression in Envoy Gateway's Wasm HTTP fetch path allows a low-privileged tenant to exhaust memory in the shared controller process via a crafted gzip-bomb URL, causing persistent cross-tenant control-plane outages. Any tenant with RBAC permission to create EnvoyExtensionPolicy resources can trigger approximately 10 GiB of heap allocation from a 10 MiB compressed payload, OOM-killing the controller; because the controller restarts and immediately re-reconciles the malicious custom resource, the crash-loop is self-sustaining and affects all co-tenants until the offending policy is deleted or the controller is patched. No public exploit code has been identified at time of analysis; vendor-released patches are available in versions 1.7.4 and 1.8.1.
Plaintext credential exposure in Frogman's audit logging pipeline allows any authenticated low-privilege user holding PERM_READ access to recover passwords and extension secrets set by administrative operations. Frogman versions prior to 1.6.2 encode full tool response payloads - including the plaintext password returned by fm_reset_password and the plaintext secret returned by fm_add_extension - directly into the oc_audit_log.detail column via auditOutcome in Frogman.class.php. Because fm_audit_search was gated only at PERM_READ rather than PERM_ADMIN, any read-tier caller could query historical audit entries and extract those credentials. No public exploit code or active exploitation has been identified at time of analysis; the CVSS score of 6.5 reflects the authenticated-but-low-privilege access requirement and high confidentiality impact.
Session-squatting and memory exhaustion in Microsoft UFO's WebSocket server allow any authenticated client to permanently deny legitimate task owners access to their sessions or flood the shared session store with phantom entries. The COMMAND_RESULTS handler in ufo/server/ws/handler.py invoked get_or_create_session with a caller-supplied session_id but omitted the owner_client_id binding, and the message type carried no role gate - meaning any authenticated peer could pre-register arbitrary session IDs before their intended owners. This issue is not in CISA KEV and no public exploit has been identified, though the fix commit's regression tests provide a near-complete exploitation blueprint.
{id} - complicates both detection and opportunistic exploitation, as the attacker cannot independently fire the injected SQL. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not provided.
SQL Injection in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) permits authenticated attackers holding a custom-level role or above to append arbitrary SQL to existing queries via the unsanitized 's' search parameter, enabling full database read access. The vulnerability originates in the better-attendees-and-tickets addon (index.php lines 50, 485, and 502) and is confirmed by Wordfence with source code evidence. No active exploitation is confirmed (no CISA KEV listing) and no public exploit has been identified at time of analysis, keeping real-world urgency moderate despite the High confidentiality impact.
Unauthorized mailbox deletion in Cyrus IMAP through 3.12.2 allows any authenticated non-admin user to invoke the admin-only LOCALDELETE command, bypassing ACL enforcement entirely. Any user with a valid account on an affected server can permanently delete arbitrary mailboxes - including those they have no read, write, or administrative permissions over - simply by issuing the improperly guarded command. No public exploit has been identified at time of analysis, but the attack requires only authentication and knowledge of the command, making it low-complexity for any insider or account-compromised attacker.
Stored Cross-Site Scripting in the wpForo Forum WordPress plugin (all versions through 3.1.1) allows authenticated attackers with subscriber-level access to permanently inject malicious JavaScript via the 'location' profile field. The root failure is WordPress's native sanitize_text_field() function, which strips tags but leaves double quotes unencoded, enabling attribute breakout from an href context into injected event-handler attributes. With a CVSS scope change (S:C), successful exploitation can impact sessions of any user - including administrators - who views a poisoned profile page, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis.
Stored XSS in GiveWP's Sequoia donation template allows authenticated attackers with give worker-level access to inject persistent JavaScript payloads via the 'twitter_message' template setting, affecting all WordPress installations running plugin versions through 4.16.3. The injected payload is not sanitized before being embedded inside a JavaScript template literal in the Sequoia confirmation view's social-sharing component, and executes in the donor's browser specifically when they click the 'Share on Twitter' button after completing a donation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the Wordfence disclosure includes direct source code references confirming the unsanitized evaluation path.
Stored Cross-Site Scripting in the Easy Accordion - AI-Powered FAQ & Accordion Blocks, Product FAQ plugin (all versions ≤ 3.1.6) enables authenticated attackers holding contributor-level WordPress roles to inject persistent JavaScript payloads via the unsanitized 'align' block attribute. The injected script executes in the browser of any user - including administrators - who views the affected page, making session hijacking and privilege escalation realistic follow-on impacts. No public exploit code or CISA KEV listing has been identified at time of analysis, but Wordfence source code references pinpoint the exact vulnerable lines, substantially lowering the barrier to exploitation.
Stored cross-site scripting in the WP Delicious (formerly Delicious Recipes) WordPress plugin versions up to and including 1.10.2 allows authenticated Contributor-level users to inject arbitrary JavaScript via unsanitized `javascript:` URIs embedded in recipe step link attributes. The `wrap_direction_text()` function interpolates attacker-controlled `href` values directly into anchor tags using `sprintf()` without invoking WordPress's `esc_url()`, enabling payload execution in the browser of any privileged user who clicks the poisoned link while previewing or viewing the affected recipe post. No CISA KEV listing or public exploit code has been identified at time of analysis, though Wordfence's source-level disclosure provides sufficient detail for independent reproduction.
Cross-namespace authorization bypass in Envoy Gateway allows an authenticated user with HTTPRoute creation rights to route traffic to backend resources in foreign namespaces without the required Gateway API ReferenceGrant consent from the target namespace owner. Affected versions span all releases before 1.7.4 and the 1.8.x line before 1.8.1. The flaw is specific to extension-managed custom backendRefs: standard Gateway API backendRefs are not affected, but when extensions introduce custom backend resource types, the ReferenceGrant enforcement gate is skipped entirely, violating the multi-tenant isolation guarantee the Gateway API cross-namespace model is designed to provide. No public exploit or CISA KEV listing exists at time of analysis.
Stored Cross-Site Scripting in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) allows authenticated contributors to inject persistent malicious scripts via the price_wrapper shortcode attribute, due to missing sanitization and output escaping in class.shortcodes.php. A compromised or malicious contributor account can plant the payload in any page or post, where it executes against visiting victims - but only those who carry the referenced ticket ID in their cart cookie, materially narrowing the realistic victim pool. No active exploitation has been confirmed in CISA KEV, and no EPSS data was provided in the intelligence feed.
Uncontrolled heap amplification in Buffa's protobuf decoder allows an unauthenticated remote attacker to crash any network-facing Rust service that decodes untrusted protobuf input under the default code-generation settings, with no exploit code required beyond a well-formed serialized message. The amplification mechanism - roughly 22× for nested StartGroup unknown fields - means a 64 MiB payload can force approximately 1.4 GiB of heap allocation, exhausting process memory and terminating the service. No active exploitation is confirmed (not in CISA KEV), and no public proof-of-concept has been identified at time of analysis, but the attack is trivially constructible from the public advisory.
Response-queue poisoning in the elixir-mint Mint HTTP/1.1 client library (versions 0.1.0 through before 1.9.3) allows a malicious or attacker-influenced HTTP/1 origin server to desynchronize a strict RFC-compliant intermediary from the Mint client on shared keep-alive pooled connections. The root cause is `Mint.HTTP1.decode_body/5` using Elixir's `Integer.parse/2` for chunked transfer-encoding chunk-size parsing, which accepts RFC-forbidden leading `+` or `-` sign prefixes, causing both parties to disagree on where one HTTP response ends and the next begins. No public exploit has been identified at time of analysis, but a vendor-released patch is available in Mint 1.9.3.
Unauthenticated API access in HCL DFXServer exposes application endpoints to any network-reachable user without identity verification. The missing access control allows interactions with protected functionality - including read and write operations - from a browser or client that holds no valid session or credentials. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the CVSS 6.3 medium score and PR:N vector confirm that authentication is not required to reach the affected endpoints.
HCL DFXServer permits client connections over plaintext HTTP, exposing all transmitted data to interception by any attacker with a man-in-the-middle position on the network path. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) confirms remote exploitation without authentication, contingent on a user initiating an HTTP session. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the risk is structurally inherent to any deployment where HTTP remains permitted alongside or instead of HTTPS.
Reflected Cross-Site Scripting in the Product Feed Manager For WooCommerce WordPress plugin (all versions through 7.6.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unescaped 's' search parameter, which executes in a victim's browser upon interaction with a crafted link. The vulnerability is rooted in insufficient sanitization and output escaping within the plugin's admin-facing PHP classes, as confirmed by Wordfence with direct source code references to class-rex-product-feed-actions.php and class-rex-product-feed.php. No public exploit code has been identified at time of analysis, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog.
Cross-site scripting in Microsoft Windows Admin Center enables network-based spoofing attacks against users who interact with attacker-controlled content. The CVSS vector (AV:N/PR:N/UI:R/S:C) confirms that an unauthenticated remote attacker can deliver a crafted payload that executes in the victim's browser context once user interaction occurs, enabling session hijacking or administrative action spoofing within the management interface. No public exploit code or CISA KEV listing has been identified at time of analysis; a vendor patch is available via the Microsoft Security Response Center.
Privilege escalation in BunkerWeb's UI and API allows a low-privileged authenticated user to inject attacker-controlled Datalog facts into signed Biscuit authorization tokens by manipulating the HTTP Host header, which was interpolated directly into the token builder string without parameterization. Affected are BunkerWeb open-source versions prior to 1.6.12 and BunkerWeb PRO prior to 0.57. No public exploit identified at time of analysis, but the public commit diff fully documents the injection mechanism, making reproduction straightforward for any authenticated low-privileged account holder.
Path traversal in Activepieces Enterprise Edition git-sync prior to 0.82.0 allows an authenticated project administrator to overwrite arbitrary files on the host filesystem, with potential impact ranging from data tampering and denial of service to remote code execution. Two distinct weaknesses compound each other: Git's symbolic-link handling was not disabled during repository cloning, and user-supplied identifiers - repository slug and the externalId fields for flows, tables, and connections - were concatenated into filesystem paths without sanitization of directory-traversal sequences. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, but the patch commit makes exploitation paths derivable by any skilled attacker reviewing the open-source diff.
Use-after-free in Buffa's OwnedView<V> type allows safe Rust calling code to hold field references that outlive the backing buffer, enabling read of freed heap memory and information disclosure. Affected are all Buffa releases prior to 0.7.0 (CPE: cpe:2.3:a:anthropics:buffa:*:*:*:*:*:*:*:*). The flaw is a soundness violation - no unsafe code in the caller is required - making it particularly insidious in a memory-safe language context. No public exploit identified at time of analysis and no CISA KEV listing; the CVSS 4.0 score of 5.9 reflects the high-complexity exploitation conditions acknowledged by the vendor.
TLS protocol downgrade exposure in HCL DFXAnalytics allows network-positioned attackers to intercept and decrypt sensitive communications by exploiting continued support for deprecated TLS 1.0 and TLS 1.1 protocols. All versions of DFXAnalytics are affected per the wildcard CPE string, with high confidentiality impact and no integrity or availability degradation. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS AC:H rating reflects the prerequisite man-in-the-middle network position rather than any inherent technical barrier to exploitation once that position is achieved.
Kernel heap corruption in the illumos data-link pseudo-driver (dld) allows an unprivileged local user - including one confined to a non-global zone that owns a datalink - to panic the system or potentially escalate privileges. The flaw in drv_ioc_prop_common() exploits a classic double-copyin TOCTOU race on the DLDIOC_GETMACPROP and DLDIOC_SETMACPROP ioctls: the kernel sizes its heap allocation from pr_valsize on the first copyin but re-reads the entire ioctl struct from the same user address a second time, allowing a concurrent thread to enlarge pr_valsize between the two reads and overflow the under-sized buffer. No public exploit code has been identified and the CVE is not listed in CISA KEV, but the upstream fix is confirmed by an illumos-gate commit.
Unintended sensitive data exposure in AWS Bedrock AgentCore Python SDK versions 1.4.8 and 1.5.0 allows any low-privileged IAM principal with CloudWatch Logs read access to retrieve verbatim user prompts and complete AI agent responses from the aws/spans log group. The SDK's OpenTelemetry instrumentation populates span attributes with raw conversational content on every invocation without filtering or masking, and these spans are automatically exported to CloudWatch, bypassing any application-layer data controls. No public exploit has been identified at time of analysis, but the exposure is systemic and requires no special tooling beyond standard AWS console or CLI access with logs read permissions; vendor-released patch version 1.5.1 is available.