Monthly
ViewComponent preview routes allow authenticated attackers to invoke inherited helper methods including render_with_template, enabling rendering of internal Rails templates and exposure of secrets, configuration, and debug data not otherwise routable. The vulnerability requires authenticated access (CVSS PR:L) and affects versions 3.0.0 through 4.8.x; it is confirmed by proof-of-concept code in the vendor repository and requires preview routes to be externally exposed.
Anonymous authorization bypass in Mendix Studio Pro (all versions up to 11.8.0 Beta) causes the Anonymous user role to silently follow standard user-inheritance rules, so an unauthenticated visitor can read every record in an entity even when no access rights are configured for that role. Demonstrated in DIVD's VerySecureApp (≤1.1.0), the flaw exposes entire datasets to anonymous callers whenever anonymous access is enabled to publish an entity publicly. There is no public exploit identified at time of analysis, EPSS is very low (0.04%), and it is not on CISA KEV, but SSVC rates technical impact as total and automatable.
Local privilege escalation in DeepCool DeepCreative software version 1.2.7 and earlier allows unauthenticated attackers to execute arbitrary code with elevated privileges through malicious file processing. The vulnerability stems from insecure permission configuration (CWE-277) requiring user interaction to open a crafted file. Public exploit research exists on GitHub (uncle-hash repository), though CISA has not confirmed active exploitation. CVSS 7.8 indicates high severity, but EPSS data unavailable; SSVC framework rates technical impact as total with no confirmed exploitation and non-automatable attack path.
macOS systems running versions prior to Tahoe 26.3 contain an improper permissions restriction that allows local applications to read sensitive user data without authorization. A threat actor with local access could exploit this vulnerability to exfiltrate protected information. A patch is currently unavailable for affected systems.
Graphics Software versions up to 25.30.1702.0 contains a vulnerability that allows attackers to an escalation of privilege (CVSS 6.7).
Arubaos contains a vulnerability that allows attackers to an authenticated malicious actor to create or modify arbitrary files and execute (CVSS 7.2).
SpiceDB is an open source database system for creating and managing security-critical application permissions. Rated low severity (CVSS 2.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Open OnDemand is an open-source HPC portal. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Insecure inherited permissions for some Intel(R) Rapid Storage Technology Application before version 20.0.1021 within Ring 3: User Applications may allow an escalation of privilege. Rated medium severity (CVSS 5.4). No vendor patch available.
An insecure permission vulnerability exists in the Agasta Easytouch+ version 9.3.97 The device allows unauthorized mobile applications to connect via Bluetooth Low Energy (BLE) without authentication. Once an unauthorized connection is established, legitimate applications are unable to connect, causing a denial of service. The attack requires proximity to the device, making it exploitable from an adjacent network location.
ViewComponent preview routes allow authenticated attackers to invoke inherited helper methods including render_with_template, enabling rendering of internal Rails templates and exposure of secrets, configuration, and debug data not otherwise routable. The vulnerability requires authenticated access (CVSS PR:L) and affects versions 3.0.0 through 4.8.x; it is confirmed by proof-of-concept code in the vendor repository and requires preview routes to be externally exposed.
Anonymous authorization bypass in Mendix Studio Pro (all versions up to 11.8.0 Beta) causes the Anonymous user role to silently follow standard user-inheritance rules, so an unauthenticated visitor can read every record in an entity even when no access rights are configured for that role. Demonstrated in DIVD's VerySecureApp (≤1.1.0), the flaw exposes entire datasets to anonymous callers whenever anonymous access is enabled to publish an entity publicly. There is no public exploit identified at time of analysis, EPSS is very low (0.04%), and it is not on CISA KEV, but SSVC rates technical impact as total and automatable.
Local privilege escalation in DeepCool DeepCreative software version 1.2.7 and earlier allows unauthenticated attackers to execute arbitrary code with elevated privileges through malicious file processing. The vulnerability stems from insecure permission configuration (CWE-277) requiring user interaction to open a crafted file. Public exploit research exists on GitHub (uncle-hash repository), though CISA has not confirmed active exploitation. CVSS 7.8 indicates high severity, but EPSS data unavailable; SSVC framework rates technical impact as total with no confirmed exploitation and non-automatable attack path.
macOS systems running versions prior to Tahoe 26.3 contain an improper permissions restriction that allows local applications to read sensitive user data without authorization. A threat actor with local access could exploit this vulnerability to exfiltrate protected information. A patch is currently unavailable for affected systems.
Graphics Software versions up to 25.30.1702.0 contains a vulnerability that allows attackers to an escalation of privilege (CVSS 6.7).
Arubaos contains a vulnerability that allows attackers to an authenticated malicious actor to create or modify arbitrary files and execute (CVSS 7.2).
SpiceDB is an open source database system for creating and managing security-critical application permissions. Rated low severity (CVSS 2.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Open OnDemand is an open-source HPC portal. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Insecure inherited permissions for some Intel(R) Rapid Storage Technology Application before version 20.0.1021 within Ring 3: User Applications may allow an escalation of privilege. Rated medium severity (CVSS 5.4). No vendor patch available.
An insecure permission vulnerability exists in the Agasta Easytouch+ version 9.3.97 The device allows unauthorized mobile applications to connect via Bluetooth Low Energy (BLE) without authentication. Once an unauthorized connection is established, legitimate applications are unable to connect, causing a denial of service. The attack requires proximity to the device, making it exploitable from an adjacent network location.