Monthly
Permission misconfiguration in IObit Malware Fighter's DLL Handler component (versions up to 13.2.0) allows a local low-privileged attacker to exploit insecure resource permissions, resulting in low-severity confidentiality, integrity, and availability impacts. The vulnerability stems from CWE-275 (Improper Permission Assignment for a Resource), and a public proof-of-concept exploit is available via GitHub and a researcher blog post. The vendor was notified prior to disclosure but did not respond, meaning no official patch or mitigation guidance has been issued.
Permission control failure in the audio framework of Huawei HarmonyOS and EMUI allows a local attacker with no special privileges, but requiring user interaction, to access confidential audio service data with high confidentiality impact alongside minor integrity and availability effects. The vulnerability stems from improper permission enforcement (CWE-275) within the audio subsystem. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the local-attack-vector with user interaction requirement limits mass exploitation.
Permission control vulnerability in the HarmonyOS clone module allows a local attacker to read confidential service data, with low confidentiality and availability impact. The flaw stems from improper permission enforcement (CWE-275) during clone operations and requires user interaction to trigger. No public exploit code exists and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis.
A permission control vulnerability in the projection module of Huawei HarmonyOS and EMUI allows local attackers with physical access to bypass authorization checks and disclose sensitive information. The flaw affects confidentiality through improper permission enforcement in a physical-access attack vector requiring user interaction. No active exploitation has been confirmed, and patch availability has not been independently verified from the provided reference.
HarmonyOS and EMUI theme setting modules fail to enforce proper permission controls, allowing local attackers with user interaction to read sensitive system information across security boundaries. The vulnerability requires physical or local access and user interaction but can compromise confidentiality of protected data; CVSS 6.9 reflects moderate-to-high real-world risk due to local attack surface and CVSS vector showing high confidentiality impact (C:H) despite lower integrity and availability consequences.
Unexpected injection event vulnerability in the multimodalinput module. Rated medium severity (CVSS 5.7), this vulnerability is low attack complexity. No vendor patch available.
Permission control vulnerability in the distributed clipboard module. Rated medium severity (CVSS 5.7), this vulnerability is low attack complexity. No vendor patch available.
CVE-2025-53168 is a security vulnerability (CVSS 5.7) that allows the peer device. Remediation should follow standard vulnerability management procedures.
A vulnerability, which was classified as critical, has been found in Dreamer CMS up to 4.1.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability, which was classified as critical, was found in Thecosy IceCMS 2.0.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Permission misconfiguration in IObit Malware Fighter's DLL Handler component (versions up to 13.2.0) allows a local low-privileged attacker to exploit insecure resource permissions, resulting in low-severity confidentiality, integrity, and availability impacts. The vulnerability stems from CWE-275 (Improper Permission Assignment for a Resource), and a public proof-of-concept exploit is available via GitHub and a researcher blog post. The vendor was notified prior to disclosure but did not respond, meaning no official patch or mitigation guidance has been issued.
Permission control failure in the audio framework of Huawei HarmonyOS and EMUI allows a local attacker with no special privileges, but requiring user interaction, to access confidential audio service data with high confidentiality impact alongside minor integrity and availability effects. The vulnerability stems from improper permission enforcement (CWE-275) within the audio subsystem. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the local-attack-vector with user interaction requirement limits mass exploitation.
Permission control vulnerability in the HarmonyOS clone module allows a local attacker to read confidential service data, with low confidentiality and availability impact. The flaw stems from improper permission enforcement (CWE-275) during clone operations and requires user interaction to trigger. No public exploit code exists and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis.
A permission control vulnerability in the projection module of Huawei HarmonyOS and EMUI allows local attackers with physical access to bypass authorization checks and disclose sensitive information. The flaw affects confidentiality through improper permission enforcement in a physical-access attack vector requiring user interaction. No active exploitation has been confirmed, and patch availability has not been independently verified from the provided reference.
HarmonyOS and EMUI theme setting modules fail to enforce proper permission controls, allowing local attackers with user interaction to read sensitive system information across security boundaries. The vulnerability requires physical or local access and user interaction but can compromise confidentiality of protected data; CVSS 6.9 reflects moderate-to-high real-world risk due to local attack surface and CVSS vector showing high confidentiality impact (C:H) despite lower integrity and availability consequences.
Unexpected injection event vulnerability in the multimodalinput module. Rated medium severity (CVSS 5.7), this vulnerability is low attack complexity. No vendor patch available.
Permission control vulnerability in the distributed clipboard module. Rated medium severity (CVSS 5.7), this vulnerability is low attack complexity. No vendor patch available.
CVE-2025-53168 is a security vulnerability (CVSS 5.7) that allows the peer device. Remediation should follow standard vulnerability management procedures.
A vulnerability, which was classified as critical, has been found in Dreamer CMS up to 4.1.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability, which was classified as critical, was found in Thecosy IceCMS 2.0.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.