Monthly
ViewComponent preview routes allow authenticated attackers to invoke inherited helper methods including render_with_template, enabling rendering of internal Rails templates and exposure of secrets, configuration, and debug data not otherwise routable. The vulnerability requires authenticated access (CVSS PR:L) and affects versions 3.0.0 through 4.8.x; it is confirmed by proof-of-concept code in the vendor repository and requires preview routes to be externally exposed.
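A quick triage script for the ViewComponent entry, added here as an example and not code from the advisory or the ViewComponent project: it reads the locked gem version out of a Gemfile.lock and checks it against the affected range stated above (3.0.0 through 4.8.x, which the script assumes means anything below 4.9.0), then looks for an explicit `config.view_component.show_previews = false` in a production environment file, since the advisory only applies when preview routes are exposed. The Gemfile.lock layout (gem entries at four-space indent under `specs:`) and the sample inputs are constructed assumptions; absence of the `show_previews` line is treated conservatively as "previews may be exposed".

```ruby
require "rubygems" # Gem::Version and Gem::Requirement

# Affected range as stated in the advisory: 3.0.0 through 4.8.x.
# Assumption: the first unaffected release is 4.9.0.
AFFECTED = Gem::Requirement.new(">= 3.0.0", "< 4.9.0")

# Pull a gem's locked version out of Gemfile.lock text. Under "specs:" each gem
# is listed as "    name (x.y.z)" at four-space indent; its dependencies sit at
# six-space indent and carry constraints, not versions, so they are skipped.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)/)
    return m[1] if m
  end
  nil
end

def affected_version?(version)
  return false if version.nil?
  AFFECTED.satisfied_by?(Gem::Version.new(version))
end

# Previews are what make the route reachable. This is a textual check for the
# documented config option being explicitly switched off (assumed option name).
def previews_disabled?(env_config_text)
  env_config_text.each_line.any? do |l|
    l.strip.match?(/\Aconfig\.view_component\.show_previews\s*=\s*false\b/)
  end
end

# Combine both signals: exposed only if the version is affected AND previews
# were not explicitly disabled for this environment.
def triage(lockfile_text, env_config_text)
  v = locked_version(lockfile_text, "view_component")
  affected = affected_version?(v)
  disabled = previews_disabled?(env_config_text)
  { version: v, affected: affected, previews_disabled: disabled,
    exposed: affected && !disabled }
end

# Constructed sample inputs (not taken from any real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionview (7.1.3)
      view_component (4.8.0)
        activesupport (>= 5.2.0)
        concurrent-ruby (~> 1.0)
LOCK

SAMPLE_PROD = <<~RB
  Rails.application.configure do
    config.eager_load = true
  end
RB

if __FILE__ == $0
  p triage(SAMPLE_LOCK, SAMPLE_PROD)
end
```

Run it against `Gemfile.lock` and `config/environments/production.rb` of each deployed app; a result with `exposed: true` means the app is in the affected range and nothing in that environment file turns previews off, so the preview controller should be assumed reachable until confirmed otherwise.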
Authorization bypass in Mendix Studio Pro through 11.8.0 Beta exposes all stored records to anonymous users due to undocumented role inheritance behavior. Applications built with affected Mendix versions silently grant anonymous users access to entity data even when no explicit permissions are configured, allowing unauthenticated remote attackers to read and modify confidential records. DIVD discovered this architectural flaw through VerySecureApp, indicating potentially widespread impact across the Mendix application ecosystem. Exploit maturity is rated Attacked (CVSS E:A), though the issue is not yet listed in CISA KEV.
Local privilege escalation in DeepCool DeepCreative software version 1.2.7 and earlier allows unauthenticated attackers to execute arbitrary code with elevated privileges through malicious file processing. The vulnerability stems from insecure permission configuration (CWE-277) and requires user interaction to open a crafted file. Public exploit research exists on GitHub (uncle-hash repository), though CISA has not confirmed active exploitation. CVSS 7.8 indicates high severity, but EPSS data is unavailable; the SSVC framework rates technical impact as total, with no confirmed exploitation and a non-automatable attack path.
macOS systems running versions prior to Tahoe 26.3 contain an improper permissions restriction that allows local applications to read sensitive user data without authorization. A threat actor with local access could exploit this vulnerability to exfiltrate protected information. A patch is currently unavailable for affected systems.
Graphics Software versions up to 25.30.1702.0 contain a vulnerability that may allow an escalation of privilege (CVSS 6.7).
ArubaOS contains a vulnerability that allows an authenticated malicious actor to create or modify arbitrary files and execute them (CVSS 7.2).
SpiceDB is an open source database system for creating and managing security-critical application permissions. Rated low severity (CVSS 2.9); this vulnerability is remotely exploitable, with no authentication required and low attack complexity.
Open OnDemand is an open-source HPC portal. Rated medium severity (CVSS 6.9); this vulnerability is remotely exploitable, with no authentication required and low attack complexity. No vendor patch available.
Insecure inherited permissions in some Intel(R) Rapid Storage Technology Application software before version 20.0.1021 (Ring 3: user applications) may allow an escalation of privilege. Rated medium severity (CVSS 5.4). No vendor patch available.
An insecure permission vulnerability exists in the Agasta Easytouch+ version 9.3.97. The device allows unauthorized mobile applications to connect via Bluetooth Low Energy (BLE) without authentication. Once an unauthorized connection is established, legitimate applications are unable to connect, causing a denial of service. The attack requires proximity to the device, making it exploitable from an adjacent network location.