Insecure default initialization in MessagePack for C#'s ASP.NET Core MVC formatter exposes .NET web applications to hash-collision denial-of-service attacks. The parameterless `MessagePackInputFormatter()` constructor silently applies `MessagePackSecurity.TrustedData` to HTTP request bodies - data that by definition crosses an untrusted boundary - bypassing the hash-seed randomization that `MessagePackSecurity.UntrustedData` provides. Vendor-released patches are available in versions 2.5.301 and 3.1.7; no public exploit code or CISA KEV listing identified at time of analysis.
Information disclosure in GitHub Copilot Chat for Visual Studio Code (versions 1.0.0 up to but not including 1.123.2) lets a remote, unauthenticated attacker read sensitive data over a network because an insecure default configuration exposes a resource that should be protected. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability effect. There is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.53% (40th percentile).
Outbound SSRF-class data exfiltration in Splunk AI Toolkit versions below 5.7.4 allows any low-privileged authenticated Splunk user - without admin or power roles - to redirect the AI agent's HTTP request mechanism to an attacker-controlled server. The root cause is an insecure default domain allowlist shipped with the toolkit that places no restrictions on which external domains the AI agent may contact. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low privilege barrier makes it broadly relevant in enterprise Splunk deployments with many standard users.
In PostWipeData of recovery_ui.cpp, there is a possible data persistence issue after a factory reset due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Information disclosure in Canon EOS Network Setting Tool version 1.5.0 and earlier stems from an insecure default FTP configuration that transmits credentials and image data in cleartext over the network. Remote attackers positioned on the network path can intercept the unencrypted FTP traffic to capture authentication material and uploaded photographs. No public exploit identified at time of analysis, but the vulnerability is published with a Canon PSIRT advisory and CVSS 4.0 base score of 7.1.
Insecure default initialization in Spring Web Services' Wss4jSecurityInterceptor disables WSS4J BSP (WS-I Basic Security Profile) enforcement on inbound RequestData, allowing remote attackers to submit SOAP messages that violate BSP-mandated WS-Security rules. Affected versions span 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1, with no public exploit identified at time of analysis. The CVSS 8.2 score reflects high integrity impact because protocol-level cryptographic checks expected by downstream consumers are silently weakened.
Full administrative compromise of the XCharge C6 EV charger is achievable by a physically connected device that abuses a remote management service exposed on the vehicle-charger signaling channel and protected only by a default administrative credential. Affecting XCharge C6 firmware versions released before May 22, 2026, the issue was disclosed via CISA ICS-CERT advisory ICSA-26-148-08 with a CVSS 4.0 score of 8.6 and no public exploit identified at time of analysis.
Authentication bypass in phpMyFAQ versions prior to 4.1.3 lets remote unauthenticated attackers create and modify FAQ entries, categories, and questions through the REST API v4.0 by submitting an empty x-pmf-token header that matches the default empty api.apiClientToken value. The flaw stems from strict string comparison logic that cannot distinguish an unconfigured token from an attacker-supplied empty one, exposing every default installation. No public exploit identified at time of analysis, but the GHSA advisory includes a detailed proof-of-concept walkthrough.
NVIDIA Display Driver for Linux exposes a denial-of-service condition in the Multi-Instance GPU (MIG) partition management subsystem, rooted in insecure default initialization of memory subsystem routing resources (CWE-1188). A local authenticated user - with low privileges on a Linux system running MIG-enabled Tesla, GeForce, RTX/Quadro/NVS, or Virtual GPU Manager driver branches - can trigger a hang or data corruption during partition reconfiguration, potentially disrupting all GPU workloads sharing the affected physical GPU. No public exploit code exists and this vulnerability is not in CISA KEV; EPSS sits at 0.01% (2nd percentile), indicating no observed mass exploitation at time of analysis.
Authentication bypass in Grafana OSS Auth Proxy allows remote attackers to circumvent IPv6 allow-list restrictions because the feature applies a /32 default mask to IPv6 addresses instead of the appropriate /128, dramatically widening the trusted address space and potentially admitting unauthorized clients into authenticated sessions. The flaw is confined to the Auth Proxy authentication path - Okta, SAML, and LDAP integrations are unaffected - and no public exploit has been identified at time of analysis, with EPSS at 0.03% and SSVC marking exploitation as 'none.'