2026-07-16
The RTMKit WordPress plugin before 2.0.9 does not perform a proper capability check on one of its -builder AJAX actions, allowing users with at least the Author role to create and activate a site-wide template that overrides the header, footer or other global areas displayed to all visitors, which is normally restricted to administrators.
The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other users' private, draft, pending, scheduled and trashed posts.
Unauthorized mailbox access in Cyrus IMAP through 3.12.2 allows any authenticated user to read email from mailboxes they have no ACL permissions on by exploiting the GENURLAUTH command's failure to enforce access controls before issuing URLAUTH tokens. The authorization boundary between mailboxes is effectively eliminated for any user who can name a target mailbox, undermining the server's entire multi-user isolation model. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the impact is materially more significant in multi-tenant or shared-server environments than the CVSS score of 3.5 suggests.
Cyrus IMAP through version 3.12.2 fails to invalidate URLAUTH-minted URLs when the authorizer's access is subsequently revoked, allowing continued unauthorized access to delegated mailbox content. The flaw (CWE-672: Operation on Resource after Expiration or Release) affects the URLAUTH extension defined in RFC 4467, which is designed to let users grant third-party access to mailbox data without sharing credentials. No public exploit code exists and this vulnerability is not listed in CISA KEV; real-world risk is highest in environments with active IMAP delegation workflows where access revocation is security-critical, such as departing employee scenarios.
Missing HSTS header in HCL DFXAnalytics exposes authenticated sessions to protocol downgrade and man-in-the-middle attacks by network-positioned adversaries. All versions per the CPE wildcard are affected, and the application fails to include the Strict-Transport-Security response header, leaving browsers without enforcement of HTTPS-only communication. No active exploitation has been identified (not in CISA KEV) and no public exploit code is known, consistent with the low CVSS score of 3.1.
Heap over-read in Cyrus IMAP through version 3.12.2 enables authenticated IMAP users to leak server heap memory by submitting a crafted email containing an RFC 822 MIME comment whose final character is a backslash. During message parsing, the server reads past the end of the message buffer into adjacent heap memory and returns the exposed content to the requesting user, resulting in partial, non-deterministic heap disclosure. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; a fix is referenced in the Cyrus IMAP 3.12.3 release notes.
Cyrus IMAP through version 3.12.2 contains an authorization flaw in its XAPPLEPUSHSERVICE (XAPS) command that lets authenticated IMAP users enumerate arbitrary mailboxes belonging to other accounts and redirect Apple Push Notification Service alerts about those mailboxes to their own device. The flaw (CWE-863, Incorrect Authorization) does not expose message content - only whether a target mailbox exists and when its modification sequence (modseq) changes - but it enables cross-account probing and unauthorized push subscription in multi-tenant IMAP deployments. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; the low CVSS score of 3.1 is consistent with the limited confidentiality impact and mandatory authentication requirement.
Cross-Site Request Forgery exposure in HCL DFXAnalytics arises because session cookies generated during authentication are issued without the SameSite attribute, allowing browsers to attach them to cross-origin requests. An attacker who can lure an authenticated victim to a malicious page may issue forged state-changing requests that the server honors under the victim's identity, provided the application also lacks Anti-CSRF token validation - a condition the CVE description explicitly names as the decisive amplifying factor. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; real-world risk is further constrained by modern browser defaults (Chrome 80+ and Firefox apply SameSite=Lax by default), high attack complexity, and the required user interaction.
HCL DFXAnalytics fails to set the 'secure' attribute on session cookies generated during authentication, enabling a network-positioned attacker to capture session tokens transmitted in cleartext over unencrypted HTTP channels. Authenticated sessions are at risk when traffic traverses a path the attacker can observe, such as shared networks or HTTP downgrade scenarios. No public exploit code has been identified at time of analysis, and CISA has not listed this in the Known Exploited Vulnerabilities catalog.
Internal IP address exposure in HCL DFXAnalytics allows remote attackers who have obtained high-privilege authenticated access to harvest internal network topology details from generated server responses. The application embeds private IP addresses directly in its output, violating the CWE-200 information boundary and enabling attackers to map internal infrastructure for follow-on targeted attacks. No public exploit code exists and no active exploitation has been confirmed; the CVSS score of 2.6 reflects the significant access prerequisites that substantially limit real-world risk.
Login replay vulnerability in HCL DFXAnalytics enables a remote attacker in a man-in-the-middle network position to capture and retransmit valid authentication messages, gaining unauthorized access as a legitimate user. The application lacks message-freshness enforcement - no timestamps or nonce mechanisms are applied to bound the validity window of authentication data, a design gap classified under CWE-294. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; the combination of high attack complexity and mandatory user interaction substantially limits realistic exploitation scope.