2026-07-17
Sensitive information disclosure in FOSSASIA Open Event Server through 1.19.1 lets unauthenticated remote attackers export the full member roster of any group - email addresses, names, join dates, and roles - because the group followers CSV export endpoint carries no authentication decorator. Publicly available exploit code exists; the flaw is trivially automatable by enumerating sequential group IDs, triggering an export, and polling the unauthenticated task-status endpoint for the download URL. No public exploit has been added to CISA KEV, but the CVSS 4.0 base score of 8.7 (High) and confirmed PoC make it a credible mass-scraping risk.
Arbitrary code execution in Cursor for Windows 3.2.16 lets remote attackers run code on a developer's machine by planting a malicious git.exe in a repository's root directory. Because Cursor resolves and executes the workspace-resident git.exe at IDE startup and on a recurring timer, simply cloning and opening a crafted repository triggers execution under the current user's privileges with no explicit user action beyond opening the project. Publicly available exploit code exists and the flaw was reported by VulnCheck; there is no CISA KEV listing or active-exploitation confirmation in the data.
Privilege escalation in the User Registration & Membership WordPress plugin before 5.2.3 lets unauthenticated visitors self-assign an arbitrary published membership tier during public registration, gaining that tier's user role - including administrator where such a tier exists. The plugin never validates that the tier submitted in the registration form is one the form actually offers, so an attacker simply tampers with the submitted tier value. Publicly available exploit code exists (reported by WPScan), though active exploitation has not been confirmed.
Session token theft in SigNoz through 0.133.0 lets unauthenticated attackers hijack any user account on instances configured with Google OAuth, SAML, or OIDC single sign-on. Because the unauthenticated sessions-context endpoint accepts an attacker-controlled 'ref' parameter that is embedded unvalidated into the SSO state/redirect, an attacker crafts a login URL that returns the victim's access and refresh tokens to an attacker-controlled host once the victim completes SSO. Reported by VulnCheck (CWE-601, open redirect), publicly available exploit code exists, though it is not listed in CISA KEV and EPSS was not provided.
The PhonePe Payment Solutions WordPress plugin before 3.1.0 does not properly verify the authenticity of incoming payment callbacks: the secret used to validate the callback signature is empty on sites configured through the current setup flow, so the expected signature reduces to an unkeyed hash of the request body that anyone can compute. This allows unauthenticated attackers to forge a payment-success notification and mark unpaid WooCommerce orders as paid without any payment being made.
Broken access control in Maybe Finance (self-hosted personal finance app) through 0.6.0 lets any authenticated low-privilege member-role user read and rewrite instance-wide hosting settings because Settings::HostingsController applies the ensure_admin before_action only to clear_cache, leaving show and update exposed. A member can exfiltrate the operator's Synth API key rendered in plaintext in a form field, replace it with an attacker-controlled value, enable open public registration, and disable email-confirmation enforcement to disrupt the instance. Publicly available exploit code exists (reported by VulnCheck); this is not listed in CISA KEV, so there is no public exploit identified beyond the released POC.
Cross-organization data disclosure in TheHive through 4.1.24 allows any authenticated user to download attachments belonging to other organizations by supplying a known content-hash identifier. The flaw is a broken object-level authorization (BOLA/IDOR) in the attachment download endpoints, where AttachmentSrv.visible acts as a pass-through datastore traversal without enforcing organization scoping. Publicly available exploit code exists (published by VulnCheck / geo-chen), though there is no public exploit identified as actively exploited in the wild (not in CISA KEV).
Improper authorization in Dendrite (the Go-based Matrix homeserver) through version 0.13.8 lets any authenticated local user delete another user's third-party identifier (3PID) bindings via the POST /account/3pid/delete endpoint, because the Forget3PID handler removes the supplied address/medium without verifying ownership. By stripping a victim's email or MSISDN binding and rebinding it through an identity server, an attacker can hijack the victim's account-recovery/password-reset flow. Publicly available exploit code exists; there is no CISA KEV listing, so this is not confirmed as actively exploited.
Remote code execution is possible in the ProfilePress WordPress plugin (Paid Membership, Ecommerce, User Registration) in all versions through 4.16.18, where the DigitalProducts UploadHandler unconditionally registers an upload_mimes filter that whitelists executable extensions (.exe, .apk, .msi) across every WordPress upload context site-wide. Authenticated attackers with author-level access or above (per CVSS PR:L) can leverage this expanded MIME allowlist to upload executable files, leading to code execution. There is no public exploit identified at time of analysis, and this CVE is not listed in CISA KEV.
Arbitrary file write in IBM Langflow OSS 1.0.0 through 1.10.0 lets an authenticated user create a malicious flow that points to an attacker-controlled URL returning a crafted Content-Disposition header, causing the Langflow process to write attacker-supplied content to any filesystem path it can access. Because writes can land on startup scripts, keys, or configuration files, this path-traversal (CWE-22) flaw is a realistic route to full server compromise. IBM has released a fix; no public exploit identified at time of analysis and the CVE is not in CISA KEV.
Remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 allows an authenticated remote attacker to run arbitrary code because validation is not fully enforced on Model Context Protocol (MCP) server configuration files, permitting injection of attacker-controlled commands or server definitions. IBM has published a fix advisory (node/7278932). With CVSS 8.8 (PR:L), a low-privileged user of the Langflow instance can escalate to full code execution on the host; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to override arbitrary component parameters at runtime through the API, bypassing the parameter filtering logic in the apply_tweaks() function (CWE-94 code injection). Because a low-privileged authenticated account is sufficient and the impact is full compromise of confidentiality, integrity, and availability (CVSS 8.8), this maps to server-side code execution on the Langflow host. There is no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
OS command injection in Agentic-Flow (npm package ruvnet/agentic-flow) before 2.0.14 lets attacker-controlled MCP tool parameters - agent, task, name, language, and agentdb - break out of double-quoted shell arguments and run arbitrary OS commands as the MCP server user. The AI-orchestration platform's MCP server tools interpolated these values straight into strings passed to execSync(), so any untrusted content (web pages, files, third-party tool output) that the agent processes can reach the sink, and the HTTP/SSE transports expose the same sinks over the network without authentication. A working proof of concept is published in the vendor's GHSA advisory; there is no evidence of active in-the-wild exploitation (not in CISA KEV).
Sensitive configuration file disclosure in Grav CMS before 2.0.4 lets unauthenticated remote attackers bypass the bundled .htaccess protections by requesting blocked file types with uppercase or mixed-case extensions (e.g., .YAML, .PHP). The shipped rules omit the Apache [NC] flag, so extension matching is case-sensitive and fails to block case variants on case-insensitive filesystems (Windows/NTFS, macOS/HFS+, Docker volume mounts), exposing files that may hold API keys and credentials. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Authorization bypass in OpenClaw versions 2026.1.20 through 2026.5.26 allows low-trust, authenticated callers to invoke the device.pair.approve feature and perform device-pairing approvals that should require stronger role-management authorization. Because the feature can be reached through configured input paths, an attacker holding only limited privileges can escalate their effective authority over device pairing, with high impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the flaw was reported by VulnCheck and carries a CVSS 4.0 base score of 8.7.
Privilege escalation in the getgrav grav-plugin-api before 1.0.6 allows a low-privileged manager holding the api.users.write permission to become a super-admin. The createApiKey, generate2fa, and disable2fa endpoints never re-check super-admin status, so an attacker can mint API keys bound to super-admin accounts or strip 2FA from super-admin users and take over the entire Grav instance. No public exploit identified at time of analysis, but the vendor GHSA advisory and VulnCheck confirm the flaw.
Stored cross-site scripting in the ChronoForms extension for Joomla lets unauthenticated attackers persist malicious JavaScript that executes in the browser of anyone who later views the affected page. The flaw carries a CVSS 4.0 base score of 8.7 and requires no authentication (PR:N), though a victim must load the poisoned content (UI:P). There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Authorization bypass in the Grav API plugin (getgrav/grav-plugin-api) before 1.0.6 lets any valid API key perform actions far beyond its intended scope. Although keys can be provisioned with a restricted scopes array (e.g. read-only), the ApiKeyAuthenticator class never reads or enforces those scopes and instead returns the owning user's full account object, so a limited key can execute any write, delete, or administrative operation the owner is entitled to. Reported by VulnCheck with no public exploit identified at time of analysis, but the flaw is trivially exploitable by any key holder against default configurations.
Reflected cross-site scripting in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets an unauthenticated remote attacker execute arbitrary JavaScript in a victim's browser by luring them to a crafted link. The flaw stems from the application reflecting an unsanitized 'portal' parameter into JavaScript emitted by the invalid_browser and invalid_browser_login handlers. No public exploit is identified at time of analysis, though the reporting researcher (SRA) has published a technical writeup, and no evidence of active exploitation exists.
Arbitrary file write in GitHub Enterprise Server (all releases before 3.22) lets an attacker who already has code execution inside the Dependabot updater container escape the intended dependency-file directory via path traversal and symlink manipulation, planting attacker-controlled files anywhere in a repository - including GitHub Actions workflows under .github/workflows/. Because path validation checked the declared rather than the effective (symlink-resolved) path, an injected workflow can run with the repository's Actions secrets when the repo uses pull_request_target or auto-merge. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; CVSS 4.0 base score is 8.6 (High).
Cross-tenant data disclosure in Google Cloud Firebase Studio (versions prior to the 2026-04-15 fix) let an authenticated user retrieve other tenants' deployed source code and sensitive data by issuing unauthorized GCS signed-URL requests. The flaw stems from a missing authorization check (CWE-862) on the object-signing path rather than a code-execution bug, so impact is confidentiality-centric. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Server-side request forgery in Grav CMS before 2.0.4 allows authenticated users holding the api.webhooks.write permission to register webhooks with dangerous cURL protocol handlers (file://, dict://, gopher://) that fire when webhook events trigger. By abusing these unrestricted protocols an attacker can read local files, enumerate process and service information, and pivot to internal-only network services from the trust position of the Grav server. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; risk is driven by the CWE-918 primitive rather than confirmed in-the-wild activity.
Arbitrary code execution in ForgeCode (tailcallhq/forgecode), an AI pair-programming CLI, occurs because the tool auto-loads and honors a repository's project-local .mcp.json at startup without asking the user. A malicious repository can define mcpServers entries with arbitrary command/args (e.g. bash -c), so simply running the forge CLI inside a cloned untrusted repo spawns attacker-chosen commands as the invoking developer. Reported by VulnCheck with a vendor patch available; no public exploit tool is identified at time of analysis, though the CVE description itself embeds a working payload example.
Unauthenticated Server-Side Request Forgery in the meta-ads-mcp Python package (versions <= 1.0.114) lets remote attackers coerce the server into fetching arbitrary attacker-chosen URLs via the upload_ad_image MCP tool's image_url parameter. The flaw is reachable when the server runs with the officially supported --transport streamable-http mode, because the pre-fetch authorization check only requires a non-empty Bearer token while real Meta credential validation happens after the outbound fetch. Publicly available exploit code exists (a working Docker PoC); this is not in CISA KEV and no EPSS score was provided, so real-world exploitation is unconfirmed, but the vulnerability enables reaching localhost services, RFC 1918 hosts, and cloud metadata endpoints such as 169.254.169.254.
Economic resource exhaustion in the ZenHive mpp Elixir library (versions 0.2.0 through 0.5.x) lets an unauthenticated remote client inflate a sponsoring fee-payer's gas cost per payment by roughly 7.4x, draining the sponsor wallet over sustained abuse. When deployed with fee_payer: true, MPP.Tempo.Transaction.cosign_fee_payer/3 re-signs client-supplied base fields of the 0x76 AASigned envelope verbatim - including an oversized EIP-2930 access list - without validating length or contents, so intrinsic gas is charged for fabricated entries that touch nothing on-chain. No public exploit identified at time of analysis, but the attack is fully detailed in the vendor advisory and fixed in 0.6.0.
Fee-payer wallet draining in ZenHive mpp (Elixir) 0.2.0-0.5.x lets an unauthenticated remote client empty the sponsor's wallet in a single request when the server runs with fee_payer: true. Because MPP.Tempo.Transaction.cosign_fee_payer/3 co-signs the client-supplied gas ceilings (max_fee_per_gas / max_priority_fee_per_gas) of the 0x76 AASigned envelope without bounds checking, an attacker sets arbitrarily large per-gas rates that are billed against the server's wallet, after which it can no longer sponsor legitimate payments. No public exploit identified at time of analysis; the issue was reported by the Erlang Ecosystem Foundation (EEF) and patched in 0.6.0.
Sensitive token exposure in the Grav CMS API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 allows attackers to hijack valid admin sessions after JWT access tokens leak from URLs. Because JwtAuthenticator::extractBearerToken accepts tokens via the ?token= query string on every API route, those tokens are written verbatim into web server access logs, Referer headers, browser history, and upstream proxy/CDN logs, and any captured token grants full admin API access. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 4.0 score of 8.2 reflects the high value of the leaked admin credentials.
Google OAuth2 login can be fully impersonated in the Perl module Dancer::Plugin::Auth::Google (all versions through 0.07) because its default user agent is initialised with SSL_verify_mode set to SSL_VERIFY_NONE, disabling TLS certificate validation on calls to googleapis.com. A network man-in-the-middle can intercept the OAuth2 token exchange and userinfo fetch and return a forged access_token and profile, authenticating as any Google user to the Dancer application. No public exploit is identified at time of analysis and it is not listed in CISA KEV, but an upstream fix (PR #5) is available.
Wallet-draining denial of service in ZenHive mpp (Elixir library) versions 0.2.0 through 0.5.x affects deployments configured as a Tempo fee payer (fee_payer: true), where the MPP.Methods.Tempo method co-signs and broadcasts a client-supplied EVM transaction without verifying the client's gas_limit is high enough to complete execution. An unauthenticated remote client can submit a signed transferWithMemo transaction with gas_limit set just below the required amount, causing an on-chain out-of-gas revert that still charges the sponsor's fee-payer wallet while the attacker pays nothing. There is no public exploit identified at time of analysis and this is not on CISA KEV, but repeated low-cost requests can exhaust the sponsor wallet and stop the server from funding gas for legitimate payment requests.
NoSQL injection in AhnLab EPP (Endpoint Protection Platform) Management v1.0.14.32-6249 allows an authenticated attacker to manipulate backend NoSQL queries through the eventlog/agentEvent/list endpoint, as the CVSS:3.1 vector (PR:L) indicates a low-privilege authenticated session is required. Successful exploitation yields high confidentiality and integrity impact (C:H/I:H), enabling extraction or tampering of security event-log data across the managed endpoint fleet. A public GitHub repository named for this CVE suggests exploit/PoC material may exist; it is not listed in CISA KEV and no EPSS score was provided.
Privilege escalation via incomplete privilege drop in the Python 'sh' subprocess library (versions < 2.2.4): when a root/privileged process launches a command with the _uid option, the child changes UID and primary GID but fails to clear the parent's supplementary groups via setgroups(). Any subprocess expected to run unprivileged can therefore retain sensitive parent groups (root, docker, disk, shadow, sudo), reading or writing resources those groups grant. No public exploit identified at time of analysis and it is not in CISA KEV; the fix is confirmed in release 2.2.4.
Code injection leading to remote code execution affects IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 when an attacker can influence the JDBC connection URL passed to the driver. An attacker who controls the JDBC URL (typically via an application that builds connection strings from user input) can inject malicious properties or references that cause arbitrary code to execute in the context of the connecting application/driver host. IBM has released a fix; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authorization bypass in OpenClaw before 2026.5.18 lets a low-trust, authenticated caller escape the exec allowlist by abusing weak glob matching, executing or persisting actions beyond their intended authorization. Reported by VulnCheck and tracked as a path-traversal-class flaw (CWE-22), it carries a CVSS 4.0 score of 7.7 with high confidentiality, integrity, and availability impact but requires the affected exec feature to be enabled. No public exploit identified at time of analysis; there is a GitHub security advisory and a corresponding VulnCheck advisory.
Authorization bypass in OpenClaw before 2026.6.5 lets a low-privileged, authenticated caller reach admin-scoped tools and perform privileged actions they should not be authorized for. The flaw stems from insufficient policy checks on configured input paths (CWE-862, Missing Authorization), so a lower-trust principal can escalate the scope of operations available to it. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue was reported by VulnCheck with a CVSS 4.0 base score of 7.7.
Privilege escalation in OpenClaw's isolated cron job feature (versions 2026.6.1 through 2026.6.8) lets a lower-trust authenticated caller reclaim execution tools that authorization policy had explicitly denied, enabling actions and persistence beyond their intended trust level. The flaw is an incorrect-authorization (CWE-863) issue rooted in misconfigured input path handling within the cron subsystem, and carries a CVSS 4.0 score of 7.7. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation and unauthorized action execution in OpenClaw before 2026.6.6 arises from incomplete environment-variable filtering in its host exec path, which fails to strip rustup startup variables before spawning processes. A low-privilege caller (PR:L) with access to lower-trust invocation paths or configured input paths can influence the child process environment to run or persist actions above their intended authorization level, yielding high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authorization bypass in OpenClaw before 2026.6.5 lets a low-trust, authenticated caller execute node exec actions beyond their approved permissions by exploiting mismatched gateway and node environment configurations. The flaw (CWE-863, Incorrect Authorization) enables privilege escalation within the approval workflow and can be used to persist or run unauthorized actions. Reported by VulnCheck with a CVSS 4.0 base of 7.7; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authorization bypass in OpenClaw before 2026.5.18 lets low-privileged, authenticated callers escalate their actions through the device-pair approval feature, executing or persisting operations beyond their intended trust level. The flaw stems from improper authorization checks (CWE-863) on device-pairing input paths, and per the CVSS 4.0 vector it fully compromises confidentiality, integrity, and availability of the affected system. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Privilege escalation via authorization bypass in OpenClaw's QQBot exec approvals feature affects builds from 2026.5.14-beta.1 up to (but not including) 2026.5.27, letting a lower-trust or non-allowlisted sender execute or persist actions beyond their intended authorization. The CVSS 4.0 vector requires low existing privileges (PR:L) and a present attack requirement (AT:P), meaning the exec approvals feature must be enabled and reachable for exploitation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a fixed release (2026.5.27) and a vendor security advisory are available.
Server-side request forgery in IBM Langflow OSS (versions 1.0.0 through 1.10.0, and Langflow 1.9.0) allows an authenticated low-privileged user to coerce the server into making attacker-controlled outbound requests, reaching internal services and exfiltrating their responses. The flaw stems from an insecure default configuration combined with incomplete enforcement of the built-in SSRF protection, meaning the safeguard can be bypassed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though a vendor patch is available.
Authorization bypass in OpenClaw's ClickClack agent-mode dispatch (versions 2026.5.10-beta.1 through 2026.6.4) allows a lower-trust caller to invoke actions that should be blocked by the toolsAllow policy, because that policy check can be skipped during dispatch. With CVSS PR:L, an already low-privileged authenticated caller (or an attacker-controlled input path) can escalate the scope of actions when the agent-mode feature is enabled and reachable. No public exploit identified at time of analysis; the issue was reported by VulnCheck and fixed in 2026.6.5.
Sensitive information exposure in the LearnPress LMS plugin for WordPress (versions up to and including 4.4.1) lets unauthenticated attackers pull correct-answer markers, complete option lists, explanations, and full question content for any quiz on the site through the check_answer logic in its frontend REST API. This exposes graded assessment material for paid courses the attacker never enrolled in or paid for, defeating the plugin's course-access model. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the network-facing, no-authentication nature makes it trivially reproducible against affected sites.
Remote denial of service in the h2o HTTP server (all versions prior to commit 9265bdd) allows unauthenticated attackers to exhaust server memory by combining HPACK header-decompression amplification with Slowloris-style HTTP/2 stream stalling. By opening many streams that stall mid-request, an attacker forces the server to retain large volumes of amplified decoded header state, degrading or crashing the service. There is no public exploit identified at time of analysis, and the CVSS 7.5 (A:H only) reflects an availability-only impact with no confidentiality or integrity effect.
Sensitive file disclosure in the Wazuh Manager (versions 4.0.0-4.10.3 and 4.11.0-4.14.4) allows a malicious enrolling agent to exfiltrate manager secrets by abusing the group parameter during enrollment. The authd enrollment daemon fails to filter path traversal ("..") sequences in the agent-selected group name, so remoted later builds shared-configuration paths that reach /var/ossec/etc and stream files such as client.keys, ossec.conf, and internal certificates to the attacker-controlled agent. There is no public exploit identified at time of analysis, but the network-reachable, unauthenticated CVSS 7.5 profile makes this a meaningful confidentiality risk for exposed manager enrollment services.
Denial of service in Wazuh's analysis engine (wazuh-analysisd) lets an unauthenticated remote attacker permanently halt SIEM alert processing on Wazuh manager versions 1.0.0 through 4.14.4. Because the official wazuh/wazuh-docker deployment ships with password-less agent enrollment enabled by default, an attacker can register as an agent and send a crafted rootcheck event that overflows a fixed 30-byte heap buffer, crashing the daemon while the dashboard and API keep showing stale data - silently blinding the SIEM. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Arbitrary file read in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets an authenticated attacker retrieve sensitive files - including the JWT signing key - via path traversal (CWE-22), then forge valid authentication tokens to impersonate any user, including administrators. This turns a read-only file disclosure into a full authentication-bypass and account-takeover primitive. No public exploit has been identified at time of analysis, and the issue is not in CISA KEV; a vendor patch is available per IBM's advisory.
Uncontrolled memory consumption in IBM PowerVM NovaLink lets a remote, unauthenticated attacker send a specially-crafted request that drives the server to exhaust memory resources, degrading or halting availability of the virtualization management layer. The CVSS 3.1 base score is 7.5 (High) with an availability-only impact and no confidentiality or integrity effect. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and a vendor patch is available.
Authentication bypass in Vimesoft Enterprise Video Platform (versions 3.11.0.0 up to but not including 3.25.0) allows remote unauthenticated attackers to reach a critical function that lacks any authentication check, exposing confidential data. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C:H) indicates trivial network exploitation with high confidentiality impact but no integrity or availability effect. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was reported by Turkey's national CERT (TR-CERT / USOM).
Session hijacking in SEPPmail Secure Email Gateway and SEPPmail Cloud before 15.0.4.2 lets an attacker who can observe traffic replay a victim's GINA web portal session because the session token is exposed both in the URL and in an HTTP header. Because the token travels in the request URL, it can leak into proxy logs, browser history, and Referer headers, enabling account takeover of the secure-message portal. There is no public exploit identified at time of analysis and the CVSS 4.0 exploit-maturity metric is 'Unproven' (E:U); the vendor CVSS 4.0 base score is 7.5.
Sensitive information disclosure in iKAS Technology Inc.'s E-Commerce platform (all versions through build 03062026) allows remote unauthenticated attackers to retrieve embedded sensitive data returned in server responses. Classified under CWE-201, the flaw causes confidential data to be inserted into data sent to clients, exposing it without authentication or user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported by Turkey's national CSIRT (TR-CERT/USOM).