Monthly
Wasmtime's WASI filesystem implementation allows a sandboxed WebAssembly guest to overwrite host files that were intentionally exposed as read-only preopens. The wasmtime-wasi component checks directory-level permissions during hard-link creation (path_link) and rename (path_rename) operations but fails to verify that the source and destination preopens carry matching FilePerms flags - meaning FilePerms::READ enforcement is bypassed at the operation level. Affected versions span multiple major release trains (prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1); no public exploit code or CISA KEV listing is present at time of analysis, but the scope change from guest sandbox to host filesystem makes this a meaningful sandbox-escape class defect.
CPython's tarfile.extract() silently bypasses the 'filter' parameter when processing hardlinks within tar archives, writing files with attacker-controlled uid/gid values despite the caller specifying filter='data' for security. Systems that extract content from untrusted tar archives while relying on this filter mechanism for ownership hardening are left with unexpected file ownership on extracted hardlinks. No active exploitation has been confirmed (not in CISA KEV) and no public proof-of-concept is available at time of analysis; the CVSS 4.0 score of 2.0 reflects the narrow, low-impact nature of the flaw.
Privilege persistence in SUSE Rancher allows project users to retain Pod Security Admission (PSA) permissions even after an administrator revokes those permissions from a RoleTemplate, due to a missing cleanup step in the legacy Project Role Template Binding (PRTB) reconciler. Affected versions are Rancher 2.13.0 through 2.13.7 and 2.14.0 through 2.14.3. An attacker with a pre-existing role assignment can continue to bypass PSA policies enforced at the project level, defeating administrative intent and potentially deploying workloads that violate the cluster's security posture. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV.
Unauthenticated information disclosure in the wpForo Forum WordPress plugin versions prior to 3.0.2 allows remote attackers to bypass access controls and read forum content that should be restricted. The flaw stems from improper permission preservation (CWE-281), letting unauthenticated users access data intended only for authorized members. No public exploit identified at time of analysis, but a vendor patch is available via Patchstack advisory.
Improper preservation of permissions vulnerability in Archiving Push functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.
Local privilege escalation in NVIDIA Display Driver for Linux (GeForce, RTX/Quadro/NVS, Tesla, and vGPU guest drivers) allows an authenticated local user to abuse improper permission handling in a kernel mode layer handler, enabling code execution, privilege elevation, and data tampering. CVSS 7.8 reflects high impact across confidentiality, integrity, and availability, but the attack vector is local and authenticated. No public exploit identified at time of analysis and EPSS is 0.01%, but SSVC marks technical impact as total.
Unauthorized note disclosure in Joplin server versions 3.5.2 and prior allows authenticated former share recipients to retrieve notes after sharing has been revoked, via two compounding logic errors in the ChangeModel delta API. The first flaw attaches full item content to delta responses without re-verifying current share status; the second incorrectly compresses create → delete event sequences into a NOOP rather than a delete, causing the API to synthesize a create event with full note content for deleted items when those events span separate delta pages. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but confidentiality impact is rated High given that full note content is returned to unauthorized recipients.
OpenHarmony v6.0 and prior versions expose sensitive information to local low-privileged attackers due to improper preservation of permissions (CWE-281). A locally authenticated attacker with standard user privileges can exploit this flaw to leak confidential data - achieving high confidentiality impact - without requiring elevated rights or user interaction. No public exploit code or active exploitation has been identified at time of analysis, but the low complexity and no-interaction-required nature of the attack make it straightforward to exploit once access is obtained.
Role-based access control bypass in WSO2 API Manager 3.x allows authenticated users with the 'Internal/Everyone' role to invoke Gateway and Internal Service APIs without proper permission enforcement, enabling unauthorized operations on sensitive REST API endpoints. The vulnerability affects multiple WSO2 products including API Control Plane, Universal Gateway, and Traffic Manager. CVSS 6.3 (network-accessible, low complexity, requires valid user credentials) indicates moderate severity with clear lateral privilege escalation potential in multi-tenant environments.
{id}` with `permissions[admin]=1`. The API controller only strips the `superuser` key from the permissions array, allowing `admin` and all other permission keys to be set by any user who can update users. Patched in https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569, fix was released in v8.4.1 None.
Wasmtime's WASI filesystem implementation allows a sandboxed WebAssembly guest to overwrite host files that were intentionally exposed as read-only preopens. The wasmtime-wasi component checks directory-level permissions during hard-link creation (path_link) and rename (path_rename) operations but fails to verify that the source and destination preopens carry matching FilePerms flags - meaning FilePerms::READ enforcement is bypassed at the operation level. Affected versions span multiple major release trains (prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1); no public exploit code or CISA KEV listing is present at time of analysis, but the scope change from guest sandbox to host filesystem makes this a meaningful sandbox-escape class defect.
CPython's tarfile.extract() silently bypasses the 'filter' parameter when processing hardlinks within tar archives, writing files with attacker-controlled uid/gid values despite the caller specifying filter='data' for security. Systems that extract content from untrusted tar archives while relying on this filter mechanism for ownership hardening are left with unexpected file ownership on extracted hardlinks. No active exploitation has been confirmed (not in CISA KEV) and no public proof-of-concept is available at time of analysis; the CVSS 4.0 score of 2.0 reflects the narrow, low-impact nature of the flaw.
Privilege persistence in SUSE Rancher allows project users to retain Pod Security Admission (PSA) permissions even after an administrator revokes those permissions from a RoleTemplate, due to a missing cleanup step in the legacy Project Role Template Binding (PRTB) reconciler. Affected versions are Rancher 2.13.0 through 2.13.7 and 2.14.0 through 2.14.3. An attacker with a pre-existing role assignment can continue to bypass PSA policies enforced at the project level, defeating administrative intent and potentially deploying workloads that violate the cluster's security posture. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV.
Unauthenticated information disclosure in the wpForo Forum WordPress plugin versions prior to 3.0.2 allows remote attackers to bypass access controls and read forum content that should be restricted. The flaw stems from improper permission preservation (CWE-281), letting unauthenticated users access data intended only for authorized members. No public exploit identified at time of analysis, but a vendor patch is available via Patchstack advisory.
Improper preservation of permissions vulnerability in Archiving Push functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.
Local privilege escalation in NVIDIA Display Driver for Linux (GeForce, RTX/Quadro/NVS, Tesla, and vGPU guest drivers) allows an authenticated local user to abuse improper permission handling in a kernel mode layer handler, enabling code execution, privilege elevation, and data tampering. CVSS 7.8 reflects high impact across confidentiality, integrity, and availability, but the attack vector is local and authenticated. No public exploit identified at time of analysis and EPSS is 0.01%, but SSVC marks technical impact as total.
Unauthorized note disclosure in Joplin server versions 3.5.2 and prior allows authenticated former share recipients to retrieve notes after sharing has been revoked, via two compounding logic errors in the ChangeModel delta API. The first flaw attaches full item content to delta responses without re-verifying current share status; the second incorrectly compresses create → delete event sequences into a NOOP rather than a delete, causing the API to synthesize a create event with full note content for deleted items when those events span separate delta pages. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but confidentiality impact is rated High given that full note content is returned to unauthorized recipients.
OpenHarmony v6.0 and prior versions expose sensitive information to local low-privileged attackers due to improper preservation of permissions (CWE-281). A locally authenticated attacker with standard user privileges can exploit this flaw to leak confidential data - achieving high confidentiality impact - without requiring elevated rights or user interaction. No public exploit code or active exploitation has been identified at time of analysis, but the low complexity and no-interaction-required nature of the attack make it straightforward to exploit once access is obtained.
Role-based access control bypass in WSO2 API Manager 3.x allows authenticated users with the 'Internal/Everyone' role to invoke Gateway and Internal Service APIs without proper permission enforcement, enabling unauthorized operations on sensitive REST API endpoints. The vulnerability affects multiple WSO2 products including API Control Plane, Universal Gateway, and Traffic Manager. CVSS 6.3 (network-accessible, low complexity, requires valid user credentials) indicates moderate severity with clear lateral privilege escalation potential in multi-tenant environments.
{id}` with `permissions[admin]=1`. The API controller only strips the `superuser` key from the permissions array, allowing `admin` and all other permission keys to be set by any user who can update users. Patched in https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569, fix was released in v8.4.1 None.