Policy enforcement bypass in Red Hat Build of Keycloak's Client Policies framework allows unauthenticated remote attackers to obtain OAuth2 tokens via the Resource Owner Password Credentials (ROPC) grant even when an explicit `reject-ropc-grant` executor is configured to block it. The bypass is triggered specifically when certain condition providers - client-type, client-roles, client-attributes, or client-scopes - are used within the same policy, causing silent executor skipping rather than a fail-closed enforcement error. Successful exploitation results in unauthorized token issuance and potential information disclosure. No public exploit code and no CISA KEV listing have been identified at time of analysis.
WORM protection bypass in Samba's vfs_worm VFS module allows authenticated share users to defeat data retention controls by renaming a newly created file over an existing WORM-protected file. Affected users are those operating Samba deployments that have explicitly enabled the vfs_worm module for write-once, read-many data protection - such as compliance, archival, or audit log shares. An attacker with low-privilege write access can silently overwrite files that should be immutable post-grace-period, with high integrity impact (CVSS I:H). No public exploit or CISA KEV listing is identified at time of analysis.
A CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once copied, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix. No workaround is available. Wagtail thanks independent security researcher Sanjok Karki @thesanjok for reporting this issue. If there are any questions or comments about this advisory:

* Visit Wagtail's [support channels](https://docs.wagtail.org/en/stable/support.html)
* Send an email to [security@wagtail.org](mailto:security@wagtail.org) (view the [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).
The Documents and Images [API](https://docs.wagtail.org/en/stable/advanced_topics/api/index.html) incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix. Site owners using Wagtail's API can avoid the vulnerability by adding [authentication](https://docs.wagtail.org/en/stable/advanced_topics/api/v2/configuration.html#authentication) to the Documents and Images APIs. Wagtail thanks independent security researcher Sanjok Karki @thesanjok for reporting this issue. If there are any questions or comments about this advisory:

* Visit Wagtail's [support channels](https://docs.wagtail.org/en/stable/support.html)
* Send an email to [security@wagtail.org](mailto:security@wagtail.org) (view the [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).
A CMS user with limited access to form pages could delete submissions belonging to form pages they don't have access to: the deletion request is submitted against a page they do have access to, but crafted to name submissions from a page they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix. No workaround is available. Wagtail thanks Vishal Shukla @shukla304 for reporting this issue. If there are any questions or comments about this advisory:

* Visit Wagtail's [support channels](https://docs.wagtail.org/en/stable/support.html)
* Send an email to [security@wagtail.org](mailto:security@wagtail.org) (view the [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).
A CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix. No workaround is available. Wagtail thanks Seoyoung Kang @seoyoung-kang, of AhnLab and an independent security researcher, for reporting this issue. If there are any questions or comments about this advisory:

* Visit Wagtail's [support channels](https://docs.wagtail.org/en/stable/support.html)
* Send an email to [security@wagtail.org](mailto:security@wagtail.org) (view the [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).
A CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary keys of two revisions. This could potentially result in disclosure of sensitive information. Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix. No workaround is available. Many thanks to Seoyoung Kang @seoyoung-kang, of AhnLab and an independent security researcher, for reporting this issue. If there are any questions or comments about this advisory:

* Visit Wagtail's [support channels](https://docs.wagtail.org/en/stable/support.html)
* Send an email to [security@wagtail.org](mailto:security@wagtail.org) (view the [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).
Cryptobox's external sharing feature leaks information via sharing link URLs that enables offline brute-force attacks against access codes. Remote unauthenticated attackers who know a sharing link can retrieve sufficient data from the server to enumerate the associated access code offline, compromising the confidentiality of shared content. No public exploit code has been identified, but the low attack complexity and network accessibility make this a practical vulnerability.
Local privilege escalation in MediaTek chipsets (MT6765, MT8893, MT8791T, and 19 others) due to missing permission checks in geniezone allows attackers with System privilege to escalate their access without user interaction. CVSS 6.7 reflects high confidentiality, integrity, and availability impact, but EPSS score of 0.02% (4th percentile) and SSVC 'none' exploitation status indicate this vulnerability has not been observed in active, widespread exploitation despite the low barrier to exploitation from privileged context.
Local privilege escalation in Imagination Technologies Graphics DDK allows low-privileged users to modify read-only GPU memory and files through improper system call handling. Affects DDK versions 1.17 through 25.3 RTM across multiple release branches. Attack requires local access and low-level privileges but no user interaction (CVSS: 7.3). EPSS data not available; no active exploitation confirmed (SSVC: none); no public POC identified at time of analysis. Vulnerability stems from insufficient validation of GPU memory reservation protections, enabling authenticated local users to bypass kernel-enforced memory access controls.