2026-07-17
Full SYSTEM-level code execution in Broadcom's Symantec IT Management Suite (ITMS) 8.7.3 is reachable by any non-administrator interactive user via a DCOM and Windows Task Scheduler logic chain, requiring no network access and no memory corruption. The attack is confined to the local host, meaning a standard user account with an interactive session on the ITMS server is sufficient to achieve unrestricted SYSTEM privileges. No public exploit has been identified at time of analysis, though Broadcom's advisory carries the highest urgency rating (U:Red) and the CVSS 4.0 supplemental metric AU:Y indicates the exploitation steps can be automated once understood.
Local privilege escalation via a misconfigured WMI provider in Broadcom's Symantec IT Management Suite (Altiris) exposes SYSTEM-readable files to any local standard user. The AltirisAgent_Stream WMI class fails to re-impersonate the calling user when servicing queries, reverting to the LocalSystem context instead - allowing unprivileged local users to bypass filesystem ACLs and read files that are restricted to SYSTEM or Administrator accounts, including configuration files, service logs, and stored secrets. No public exploit has been identified at time of analysis, though the technique is mechanically straightforward for any authenticated local user; the Broadcom advisory (SA 37995) is the authoritative disclosure source.
Directory traversal via the unsanitized 'family' parameter in the Kirki plugin for WordPress (all versions up to and including 6.0.13) enables authenticated users holding editor-level access or above to delete arbitrary directories on the server filesystem, risking data loss and site unavailability. Reported by Wordfence, the flaw originates in insufficient path validation within FontService.php and GlobalDataController.php, which process the 'family' parameter without canonicalization or boundary enforcement. No public exploit code exists and no CISA KEV listing is present at time of analysis, but the potential for irreversible filesystem destruction makes this a meaningful risk on any WordPress site granting editor access to untrusted accounts.
Network policy bypass via Server-Side Request Forgery (SSRF) in OpenClaw's sandbox exec-server allows lower-trust callers to route HTTP requests to internal network destinations that OpenClaw policy is explicitly configured to block. All OpenClaw installations before version 2026.6.6 are affected. The CVSS 4.0 vector scores subsequent-system confidentiality impact as High (SC:H), reflecting that successfully bypassed network policies expose internal infrastructure - not the OpenClaw host itself - to unauthorized access. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.
Server-side request forgery in OpenClaw's browser snapshot routes allows lower-privileged authenticated users to bypass the platform's network policy controls and reach internal destinations that should be blocked. Affected versions span 2026.4.14 through 2026.5.25; the fix shipped in 2026.5.26 per the vendor's GitHub security advisory. No public exploit code has been identified and this CVE is not listed in CISA KEV, though the CVSS 4.0 subsequent-system confidentiality rating of High reflects the real potential for lateral access to sensitive internal services.
Unauthorized role removal in Keycloak's admin REST API allows a delegated administrator to strip privileged child roles from composite roles they are not authorized to manage, corrupting the role hierarchy and revoking access for users and administrators who depend on those composite roles. Affected products span Red Hat Build of Keycloak, Red Hat Single Sign-On 7, Red Hat Data Grid 8, and Red Hat JBoss EAP Expansion Pack. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog; however, in multi-tenant enterprise deployments where delegated administration is common, the integrity impact to IAM role structures is operationally significant.
Broken access control in Keycloak's organization management component allows a delegated administrator holding only organization management permissions to exploit the invitation API to provision new user accounts and inject unauthorized members into organizations. The attacker generates an invitation for a fabricated email address, then retrieves the secret registration link directly via the API - bypassing the email delivery step entirely - and uses it to self-register accounts without possessing user management permissions. No public exploit has been identified at time of analysis; exploitation is gated by the PR:H requirement (delegated administrator credentials), limiting realistic threat actors to insider or compromised-admin scenarios.
Forced browsing vulnerability in HCL DevOps Loop allows authenticated low-privileged users to access restricted administrative endpoints by directly navigating to protected URLs without proper authorization enforcement. The application fails to validate that the requesting user holds sufficient privileges before serving administrative responses, enabling unauthorized access to admin functionality over the network. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Directory traversal in the Ninja Forms - Excel Export WordPress plugin (versions ≤ 3.3.6) allows authenticated attackers with subscriber-level access to write .xls/.xlsx files to arbitrary server-side locations via the unsanitized 'spreadsheet_export_tmp_name' parameter. The vulnerability is a staging primitive: direct code execution is not possible through the traversal alone, but file placement in web-accessible or sensitive directories can enable follow-on attacks such as information disclosure or overwriting existing files. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
Authorization bypass in the WP ERP WordPress plugin (versions through 1.17.6) allows authenticated attackers with subscriber-level access to create arbitrary company locations in the ERP database. The flaw stems from a missing authorization check in the plugin's Admin AJAX handler, as identified by Wordfence and corroborated by source code references at includes/Admin/Ajax.php. No public exploit code or CISA KEV listing exists at time of analysis, but the low privilege bar (any registered WordPress user) on a network-accessible endpoint makes opportunistic abuse straightforward on sites with open user registration.
Rate limit bypass in Wazuh's /events endpoint allows authenticated network users to inject events into analysisd beyond the administrator-configured global rate limit. A logic error in CheckRateLimitsMiddleware.dispatch() causes the endpoint-specific counter (hardcoded at 30 requests/min) to unconditionally overwrite the result of the global rate limit check, meaning the global max_request_per_minute threshold is silently ignored for this endpoint. Versions 4.6.0 through 4.14.4 are affected; no public exploit code has been identified and the issue is not listed in CISA KEV.
Subscriber-level WordPress users can exfiltrate complete PII datasets from all Ninja Forms submissions site-wide in Ninja Forms - Excel Export versions up to and including 3.3.6 by supplying arbitrary values to the `spreadsheet_export_form_id` parameter, which lacks authorization validation at the export endpoint. The missing access control enables horizontal privilege escalation across all form IDs on the installation, delivering names, email addresses, phone numbers, physical addresses, and any other collected PII as downloadable XLSX files to low-privileged users who should have no cross-form access. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the low attack complexity (AC:L, no user interaction required beyond subscriber-level credentials) makes this a meaningful data privacy risk on WordPress sites with open user registration.
OAuth refresh token theft in HubSpot All-In-One Marketing - Forms, Popups, Live Chat (WordPress plugin 'leadin') exposes connected HubSpot tenants to unauthorized access. Authenticated WordPress users at contributor level or above can extract a plaintext HubSpot OAuth refresh token directly from the client-side window.leadinConfig JavaScript object, which is populated server-side via wp_localize_script() after the plugin decrypts the at-rest AES-256-CTR-encrypted token - rendering the encryption entirely ineffective against this attack path. A stolen token can be replayed against the HubSpot OAuth API to access or modify CRM contacts, marketing campaigns, and other tenant data in the connected HubSpot account. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.
Sensitive credential exposure in the keycloak-services authentication configuration endpoint allows view-only administrators to retrieve unmasked third-party service secrets, such as reCAPTCHA secret keys, through the administrative API. Affected deployments include Red Hat Build of Keycloak, Red Hat Single Sign-On 7, Red Hat Data Grid 8, and the JBoss EAP Expansion Pack. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog; however, the confidential nature of the exposed values - functional API credentials for third-party services - elevates the practical impact beyond what the CVSS score of 4.3 might initially suggest.
Brute-force lockout bypass in Keycloak's Client-Initiated Backchannel Authentication (CIBA) flow allows an attacker holding valid OAuth client credentials to redeem previously approved authentication requests and obtain access and refresh tokens for a user account that has since been locked. This is an incomplete fix for CVE-2026-9798: the brute-force protection check was applied to the CIBA initiation handler but was never added to the token redemption handler, creating a gap that persists after the earlier patch. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Keycloak's default-groups REST endpoint and realm representation expose hidden group names and identifiers to delegated administrators who hold realm-viewing permissions but lack explicit group-viewing authorization. Affected products span Red Hat Build of Keycloak, Red Hat Single Sign-On 7, Red Hat Data Grid 8, and Red Hat JBoss EAP Expansion Pack. No public exploit code exists and CISA KEV listing is absent at time of analysis; the CVSS 4.3 Medium rating accurately reflects constrained impact limited to metadata disclosure.
CORS misconfiguration in HCL DevOps Loop enables authenticated network-adjacent attackers to perform unauthorized cross-origin requests against the application. The improper CORS policy potentially allows untrusted domains to read application responses, exposing session-bound resources to attacker-controlled origins. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the tag 'Authentication Bypass' suggests resource exposure can undermine access control assumptions.
Credential redaction bypass in OpenClaw before version 2026.6.1 allows lower-privileged local users to extract sensitive credentials through the trajectory export feature by exploiting misconfigured input paths or improperly accessible export functionality. The product's redaction controls fail to enforce trust boundaries, causing credentials that should remain opaque to lower-trust callers to surface in export output. No public exploit has been identified at time of analysis; exploitation requires local access, low privileges, and user interaction, which constrains realistic risk despite the high confidentiality impact when conditions are met.