Monthly
Open redirect / OAuth redirect_uri validation bypass in the Aqara Cloud OAuth authorization endpoint (open-cn.aqara.com/oauth/authorize) allows remote attackers to coerce the IdP into redirecting authorization responses to attacker-controlled hosts due to lax domain-matching logic. With user interaction the flaw can be abused to steal OAuth authorization codes or tokens issued to legitimate Aqara client applications, enabling account takeover of Aqara smart-home accounts. No public exploit identified at time of analysis, though a referenced GitHub repository (xn0tsa/theres-no-place-like-home) and the runZero advisory describe the issue publicly.
Improper input validation in the Perl module Net::CIDR::Set through version 0.20 allows attackers to bypass network access controls by submitting network masks containing Unicode digits (e.g., Arabic-Indic numerals like U+0661) or leading zeros that are silently ignored or misinterpreted. The CVSS 7.3 score reflects low-impact compromise across confidentiality, integrity, and availability via the network, with no public exploit identified at time of analysis. Applications using this module for ACL or firewall-like decisions may grant access to wider IP ranges than intended.
Net::CIDR::Set versions through 0.20 for Perl incorrectly accepts Unicode digits in IP addresses and CIDR netmasks, enabling network access controls to silently permit broader address ranges than intended. Applications relying on this library to enforce IP-based allowlists or blocklists may inadvertently grant or deny access to incorrect network ranges when Unicode look-alike digits (e.g., Arabic-Indic U+0661 instead of ASCII '1') are supplied as input. With no public exploit identified at time of analysis and SSVC exploitation status of none, this is a medium-severity library flaw requiring patch deployment rather than emergency response, but the automatable nature of the attack vector warrants prompt remediation in access-control-sensitive deployments.
Symfony's polyfill-intl-idn library (versions 1.17.1–1.38.0) silently accepts malformed Punycode ACE labels — specifically `xn--` prefixed labels whose decoded payload is empty or contains only ASCII characters — which native PHP ext-intl correctly rejects. This divergence allows attackers to craft domain names such as `poc.xn--kc1zs4-.com` that the polyfill normalizes to `poc.kc1zs4.com`, causing hostname blacklist bypasses and inconsistent URL parsing in applications that rely on the polyfill for canonicalization or security-sensitive hostname comparisons. The flaw directly enables server-side request forgery (SSRF) in affected deployments, mirrors the pattern established by CVE-2024-12224, and no public exploit has been identified at time of analysis beyond the proof-of-concept inputs included in the vendor advisory.
Privilege escalation in Go's golang.org/x/net/idna package (all versions before 0.55.0) stems from ToASCII and ToUnicode accepting Punycode labels that decode to an ASCII-only label, so ToUnicode("xn--example-.com") returns "example.com" instead of an error. Applications that perform authorization checks on an ASCII hostname and then convert it to Unicode can be tricked into permitting a name that the direct check would have rejected. This is a library-level flaw (CVSS 9.6, scope-changed) reported by the Go team; there is no public exploit identified at time of analysis and EPSS is very low (0.04%, 14th percentile).
Net::CIDR::Lite before version 0.24 accepts CIDR mask values with extraneous leading zeros (such as '/00' or '/01'), causing them to parse identically to their unpadded equivalents ('/0' or '/1'). This permits attackers to bypass IP-based access control lists by supplying alternate representations of the same network prefix, potentially granting unauthorized access to restricted resources. The vulnerability affects all Perl installations using vulnerable versions of this library and is rated with CVSS 6.5 (moderate integrity and availability impact). No active exploitation has been confirmed by CISA, but the flaw is automatable and exploitable remotely without authentication.
Net::CIDR::Lite Perl module versions before 0.24 fail to properly validate IP address and CIDR mask inputs, allowing attackers to bypass IP-based access control lists by supplying malformed addresses that are re-encoded differently by the parser. Inputs with trailing newlines or non-ASCII digit characters pass validation but resolve to unintended IP addresses, causing find() and bin_find() functions to incorrectly match or miss addresses. This affects network security controls that rely on CIDR matching for authorization decisions.
Cache key collision in Mercure hub TopicSelectorStore enables authorization bypass through crafted topic names. Attackers can poison the match result cache by exploiting underscore-based key concatenation, causing private updates to be delivered to unauthorized subscribers or blocking legitimate deliveries. Affects Go package github.com/dunglas/mercure prior to version 0.22.0. Exploitation requires ability to subscribe to the hub or publish updates with specially crafted topic/selector combinations. No public exploit identified at time of analysis.
Policy parser vulnerability in xdg-dbus-proxy prior to 0.1.7 allows authenticated local users to bypass eavesdrop restrictions and intercept D-Bus messages by exploiting improper whitespace handling in policy rule parsing. The proxy fails to normalize eavesdrop policy directives, permitting attackers to craft malformed policies (e.g., eavesdrop ='true' with spacing variations) that evade the eavesdrop=true access control checks. No public exploit code has been identified at time of analysis.
Zscaler Client Connector on Windows contains an incorrect startup configuration that permits limited traffic to bypass inspection under rare circumstances, resulting in potential information disclosure and integrity compromise. The vulnerability affects all versions of the product and requires user interaction to exploit, with a CVSS score of 5.4 reflecting the combination of network-based attack vector, low complexity, and low impact on confidentiality and integrity. No evidence of active exploitation or public exploit code has been identified.
Open redirect / OAuth redirect_uri validation bypass in the Aqara Cloud OAuth authorization endpoint (open-cn.aqara.com/oauth/authorize) allows remote attackers to coerce the IdP into redirecting authorization responses to attacker-controlled hosts due to lax domain-matching logic. With user interaction the flaw can be abused to steal OAuth authorization codes or tokens issued to legitimate Aqara client applications, enabling account takeover of Aqara smart-home accounts. No public exploit identified at time of analysis, though a referenced GitHub repository (xn0tsa/theres-no-place-like-home) and the runZero advisory describe the issue publicly.
Improper input validation in the Perl module Net::CIDR::Set through version 0.20 allows attackers to bypass network access controls by submitting network masks containing Unicode digits (e.g., Arabic-Indic numerals like U+0661) or leading zeros that are silently ignored or misinterpreted. The CVSS 7.3 score reflects low-impact compromise across confidentiality, integrity, and availability via the network, with no public exploit identified at time of analysis. Applications using this module for ACL or firewall-like decisions may grant access to wider IP ranges than intended.
Net::CIDR::Set versions through 0.20 for Perl incorrectly accepts Unicode digits in IP addresses and CIDR netmasks, enabling network access controls to silently permit broader address ranges than intended. Applications relying on this library to enforce IP-based allowlists or blocklists may inadvertently grant or deny access to incorrect network ranges when Unicode look-alike digits (e.g., Arabic-Indic U+0661 instead of ASCII '1') are supplied as input. With no public exploit identified at time of analysis and SSVC exploitation status of none, this is a medium-severity library flaw requiring patch deployment rather than emergency response, but the automatable nature of the attack vector warrants prompt remediation in access-control-sensitive deployments.
Symfony's polyfill-intl-idn library (versions 1.17.1–1.38.0) silently accepts malformed Punycode ACE labels — specifically `xn--` prefixed labels whose decoded payload is empty or contains only ASCII characters — which native PHP ext-intl correctly rejects. This divergence allows attackers to craft domain names such as `poc.xn--kc1zs4-.com` that the polyfill normalizes to `poc.kc1zs4.com`, causing hostname blacklist bypasses and inconsistent URL parsing in applications that rely on the polyfill for canonicalization or security-sensitive hostname comparisons. The flaw directly enables server-side request forgery (SSRF) in affected deployments, mirrors the pattern established by CVE-2024-12224, and no public exploit has been identified at time of analysis beyond the proof-of-concept inputs included in the vendor advisory.
Privilege escalation in Go's golang.org/x/net/idna package (all versions before 0.55.0) stems from ToASCII and ToUnicode accepting Punycode labels that decode to an ASCII-only label, so ToUnicode("xn--example-.com") returns "example.com" instead of an error. Applications that perform authorization checks on an ASCII hostname and then convert it to Unicode can be tricked into permitting a name that the direct check would have rejected. This is a library-level flaw (CVSS 9.6, scope-changed) reported by the Go team; there is no public exploit identified at time of analysis and EPSS is very low (0.04%, 14th percentile).
Net::CIDR::Lite before version 0.24 accepts CIDR mask values with extraneous leading zeros (such as '/00' or '/01'), causing them to parse identically to their unpadded equivalents ('/0' or '/1'). This permits attackers to bypass IP-based access control lists by supplying alternate representations of the same network prefix, potentially granting unauthorized access to restricted resources. The vulnerability affects all Perl installations using vulnerable versions of this library and is rated with CVSS 6.5 (moderate integrity and availability impact). No active exploitation has been confirmed by CISA, but the flaw is automatable and exploitable remotely without authentication.
Net::CIDR::Lite Perl module versions before 0.24 fail to properly validate IP address and CIDR mask inputs, allowing attackers to bypass IP-based access control lists by supplying malformed addresses that are re-encoded differently by the parser. Inputs with trailing newlines or non-ASCII digit characters pass validation but resolve to unintended IP addresses, causing find() and bin_find() functions to incorrectly match or miss addresses. This affects network security controls that rely on CIDR matching for authorization decisions.
Cache key collision in Mercure hub TopicSelectorStore enables authorization bypass through crafted topic names. Attackers can poison the match result cache by exploiting underscore-based key concatenation, causing private updates to be delivered to unauthorized subscribers or blocking legitimate deliveries. Affects Go package github.com/dunglas/mercure prior to version 0.22.0. Exploitation requires ability to subscribe to the hub or publish updates with specially crafted topic/selector combinations. No public exploit identified at time of analysis.
Policy parser vulnerability in xdg-dbus-proxy prior to 0.1.7 allows authenticated local users to bypass eavesdrop restrictions and intercept D-Bus messages by exploiting improper whitespace handling in policy rule parsing. The proxy fails to normalize eavesdrop policy directives, permitting attackers to craft malformed policies (e.g., eavesdrop ='true' with spacing variations) that evade the eavesdrop=true access control checks. No public exploit code has been identified at time of analysis.
Zscaler Client Connector on Windows contains an incorrect startup configuration that permits limited traffic to bypass inspection under rare circumstances, resulting in potential information disclosure and integrity compromise. The vulnerability affects all versions of the product and requires user interaction to exploit, with a CVSS score of 5.4 reflecting the combination of network-based attack vector, low complexity, and low impact on confidentiality and integrity. No evidence of active exploitation or public exploit code has been identified.