Monthly
Privileged remote modification of critical program parameters in MB connect line mbCONNECT24 and mymbCONNECT24 allows authenticated high-privilege attackers to reach a hidden configuration method that should be inaccessible to any user, resulting in total compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue was coordinated through CERT@VDE under advisory VDE-2026-068.
Forced browsing exposure in IBM Datacap and IBM Datacap Navigator 9.1.7 through 9.1.9 allows a highly privileged local user to access application resources and functionality not surfaced in the UI by constructing direct URL requests, bypassing the intended UI-driven access control model. The impact is limited to partial confidentiality disclosure (C:L) with no integrity or availability consequence, and no exploitation has been confirmed - no public exploit code exists and this CVE is absent from the CISA KEV catalog. IBM has released a patch addressing all affected versions.
Unauthenticated file disclosure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) exposes unprotected HTTP endpoints that allow any remote, unauthenticated attacker to directly download files from paths including /Resources/CompanyId_[ID]/Audio/ and /SafeData/. The affected software manages physical vault rooms and safe deposit locker systems, making the /SafeData/ endpoint particularly sensitive as it likely contains locker allocation records, customer data, or audit materials. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the network-accessible, zero-authentication nature of the flaw (AV:N/AC:L/PR:N/UI:N per CVSS 4.0) makes opportunistic abuse trivially achievable without specialized tooling.
Broken access control in the admin-ui-ext component of Red Hat Build of Keycloak permits an authenticated delegated administrator to exploit missing granular permission checks on bulk role-removal endpoints, stripping highly privileged roles from arbitrary users or groups within the Keycloak realm. Affected deployments are those using Keycloak's delegated administration model with the admin-ui-ext extension active; exploitation is bounded by the PR:H CVSS requirement, meaning an attacker must already hold delegated admin credentials. No public exploit has been identified and the vulnerability is not listed in CISA KEV, placing real-world risk in the moderate range with highest relevance to environments with partially trusted delegated administrators.
Unauthorized disclosure of restricted calendar event details in Concrete CMS 9.5.0 and below stems from a missing authorization check in the Calendar Block's action_get_events handler, which never invokes canView on the target calendar before returning event data. Unauthenticated remote attackers who can reach the endpoint can retrieve event information that site administrators have explicitly restricted, provided a Calendar Block with access-controlled events is deployed. No public exploit code exists and the vulnerability is absent from the CISA KEV catalog; however, the network-accessible, zero-authentication nature of the endpoint lowers the bar for casual enumeration of restricted scheduling data.
Keycloak's Account REST API remains partially accessible even when explicitly disabled via the `--features-disabled=account,account-api` flag, allowing authenticated users to read and modify account data through five unprotected endpoints under `/account/v1alpha1/` that lack the required `checkAccountApiEnabled()` access control gate present in four sibling endpoints within the same service class.
Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Spring Security fails to properly write HTTP response headers in servlet applications across multiple versions (5.7.0-5.7.21, 5.8.0-5.8.23, 6.3.0-6.3.14, 6.4.0-6.4.14, 6.5.0-6.5.8, 7.0.0-7.0.3), allowing attackers to bypass security controls that rely on these headers such as HSTS, X-Frame-Options, or CSP policies. This header omission could enable various attacks including clickjacking, man-in-the-middle attacks, or other exploits depending on which protections are intended. No patch is currently available for this critical vulnerability.
A privilege escalation vulnerability in Tinycontrol network management devices (tcPDU and LAN Controllers) allows low-privileged users to retrieve administrator passwords by directly accessing resources that are hidden from the graphical interface. The vulnerability affects multiple product lines including tcPDU, LK3.5, LK3.9, and LK4 controllers across various hardware versions, with a high CVSS score of 8.6 indicating significant risk. No evidence of active exploitation exists (not in KEV), no public POC is available, and the EPSS score is not provided, but patches are available for all affected versions.
Denial of service in Go's net/url package allows remote unauthenticated attackers to crash applications via malformed URLs with invalid host/authority components. The url.Parse function fails to properly validate authority sections, enabling resource exhaustion attacks against any Go application parsing untrusted URLs. EPSS score of 0.07% (22nd percentile) suggests low probability of widespread exploitation despite the network attack vector. Vendor patch available with multiple Red Hat security advisories issued.
Privileged remote modification of critical program parameters in MB connect line mbCONNECT24 and mymbCONNECT24 allows authenticated high-privilege attackers to reach a hidden configuration method that should be inaccessible to any user, resulting in total compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue was coordinated through CERT@VDE under advisory VDE-2026-068.
Forced browsing exposure in IBM Datacap and IBM Datacap Navigator 9.1.7 through 9.1.9 allows a highly privileged local user to access application resources and functionality not surfaced in the UI by constructing direct URL requests, bypassing the intended UI-driven access control model. The impact is limited to partial confidentiality disclosure (C:L) with no integrity or availability consequence, and no exploitation has been confirmed - no public exploit code exists and this CVE is absent from the CISA KEV catalog. IBM has released a patch addressing all affected versions.
Unauthenticated file disclosure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) exposes unprotected HTTP endpoints that allow any remote, unauthenticated attacker to directly download files from paths including /Resources/CompanyId_[ID]/Audio/ and /SafeData/. The affected software manages physical vault rooms and safe deposit locker systems, making the /SafeData/ endpoint particularly sensitive as it likely contains locker allocation records, customer data, or audit materials. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the network-accessible, zero-authentication nature of the flaw (AV:N/AC:L/PR:N/UI:N per CVSS 4.0) makes opportunistic abuse trivially achievable without specialized tooling.
Broken access control in the admin-ui-ext component of Red Hat Build of Keycloak permits an authenticated delegated administrator to exploit missing granular permission checks on bulk role-removal endpoints, stripping highly privileged roles from arbitrary users or groups within the Keycloak realm. Affected deployments are those using Keycloak's delegated administration model with the admin-ui-ext extension active; exploitation is bounded by the PR:H CVSS requirement, meaning an attacker must already hold delegated admin credentials. No public exploit has been identified and the vulnerability is not listed in CISA KEV, placing real-world risk in the moderate range with highest relevance to environments with partially trusted delegated administrators.
Unauthorized disclosure of restricted calendar event details in Concrete CMS 9.5.0 and below stems from a missing authorization check in the Calendar Block's action_get_events handler, which never invokes canView on the target calendar before returning event data. Unauthenticated remote attackers who can reach the endpoint can retrieve event information that site administrators have explicitly restricted, provided a Calendar Block with access-controlled events is deployed. No public exploit code exists and the vulnerability is absent from the CISA KEV catalog; however, the network-accessible, zero-authentication nature of the endpoint lowers the bar for casual enumeration of restricted scheduling data.
Keycloak's Account REST API remains partially accessible even when explicitly disabled via the `--features-disabled=account,account-api` flag, allowing authenticated users to read and modify account data through five unprotected endpoints under `/account/v1alpha1/` that lack the required `checkAccountApiEnabled()` access control gate present in four sibling endpoints within the same service class.
Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Spring Security fails to properly write HTTP response headers in servlet applications across multiple versions (5.7.0-5.7.21, 5.8.0-5.8.23, 6.3.0-6.3.14, 6.4.0-6.4.14, 6.5.0-6.5.8, 7.0.0-7.0.3), allowing attackers to bypass security controls that rely on these headers such as HSTS, X-Frame-Options, or CSP policies. This header omission could enable various attacks including clickjacking, man-in-the-middle attacks, or other exploits depending on which protections are intended. No patch is currently available for this critical vulnerability.
A privilege escalation vulnerability in Tinycontrol network management devices (tcPDU and LAN Controllers) allows low-privileged users to retrieve administrator passwords by directly accessing resources that are hidden from the graphical interface. The vulnerability affects multiple product lines including tcPDU, LK3.5, LK3.9, and LK4 controllers across various hardware versions, with a high CVSS score of 8.6 indicating significant risk. No evidence of active exploitation exists (not in KEV), no public POC is available, and the EPSS score is not provided, but patches are available for all affected versions.
Denial of service in Go's net/url package allows remote unauthenticated attackers to crash applications via malformed URLs with invalid host/authority components. The url.Parse function fails to properly validate authority sections, enabling resource exhaustion attacks against any Go application parsing untrusted URLs. EPSS score of 0.07% (22nd percentile) suggests low probability of widespread exploitation despite the network attack vector. Vendor patch available with multiple Red Hat security advisories issued.