Untrusted search path in Espressif's shared-github-dangerjs GitHub Action prior to 1.0.1 allows a fork pull request, when processed by a pull_request_target workflow, to substitute attacker-controlled binaries and Node.js modules for the action's own code. Exploitation yields code execution inside the action container with access to repository secrets and write-scoped GITHUB_TOKEN, with no public exploit identified at time of analysis.
PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate the process environment to substitute malicious binaries for those called by pamusb-check, pamusb-conf, and pamusb-keyring-unlock-gnome, resulting in high confidentiality and integrity impact. The root cause is CWE-427 (Uncontrolled Search Path Element): all three tools resolved external binaries - including id, whoami, pidof, gnome-keyring-daemon, and pamusb-check itself - through the attacker-controllable PATH variable rather than hardcoded absolute paths. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis.
Local privilege escalation in Phoenix Contact PLCnext controllers (AXC F 1152/1252/2152/3152, AXC F 2000 EA, RFC 4072R/4072S, EPC 1522, BPC 9102S, VL3 UPC 2440 EDGE) and the virtual PLCnext Control 500/1000/2000/3000 product lines before firmware 2026.0.3 allows a low-privileged local user to plant or modify configuration and application files in user-writable filesystem locations that a privileged service later consumes, gaining elevated privileges. The flaw (CWE-427) is rated CVSS 4.0 8.7 (High) but carries a very low EPSS of 0.03% (9th percentile). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Uncontrolled search path in Qt Network's OpenSSL TLS backend on Unix allows a high-privileged local attacker to inject a rogue CA certificate by placing a crafted certificate file in the application's working directory, causing Qt-based applications to treat it as a trusted system authority. Affected across multiple long-term support branches: Qt 5.x through 5.15.19, Qt 6.0-6.5.x through 6.5.9, Qt 6.6-6.8.x through 6.8.3, and Qt 6.9.x through 6.9.1 on Unix platforms. No public exploit identified at time of analysis, and CVSS 4.0 rates this at 1.8, reflecting substantial preconditions that severely limit real-world impact.
Local privilege escalation in Mullvad VPN for macOS versions 2026.1 and earlier allows a user in the admin group to gain root code execution during installation or upgrade. The installer's preinstall script executes binaries from /Applications/Mullvad VPN.app without verifying the bundle's integrity, enabling an admin-group attacker to pre-stage a malicious app bundle that runs as root. No public exploit identified at time of analysis, and the flaw is only triggerable when an installer is run, not on already-installed systems.
Local arbitrary code execution in jarrodwatts/claude-hud through version 0.0.12 on Windows allows authenticated local users to run arbitrary executables by setting the COMSPEC environment variable before the tool's version check, where execFile() launches whatever binary COMSPEC points to with cmd.exe-style arguments. The flaw is tracked as CWE-427 (Uncontrolled Search Path Element) and was reported by VulnCheck; no public exploit identified at time of analysis, but the upstream commit 234d9aa makes the fix mechanics straightforward to reverse-engineer.
{id}/archive` or `docker cp -`. The daemon resolves the decompression binary (e.g., `unpigz`, `xz`) from the container's filesystem rather than the host's, so a trojanized binary baked into the image runs with daemon privileges. No public exploit identified at time of analysis, and the issue is not in the CISA KEV catalog.
Arbitrary code execution in AMD optional tools occurs through DLL injection during unsafe OpenSSL initialization, allowing local authenticated attackers with low-privilege user access and user interaction to execute malicious code with high impact to confidentiality, integrity, and availability. The vulnerability stems from insecure library loading (CWE-427) where the affected AMD utilities fail to validate DLL search paths during OpenSSL library initialization. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the low attack complexity (AC:L) indicates straightforward exploitation once local access is obtained.
DLL hijacking in Bytello Share (Windows Edition) installer prior to version 5.13.0.4246 allows local attackers to execute arbitrary code with the privileges of the installing user. The installer insecurely loads DLLs from its current directory, enabling attackers who can place a malicious DLL in the same location to achieve code execution when a user runs the installer. EPSS probability is very low (0.01%, 3rd percentile) with no active exploitation identified, suggesting this requires significant local access prerequisites that limit real-world risk despite the high CVSS score.
Uncontrolled search path for some AI Playground software before version 3.0.0 alpha within Ring 3: User Applications may allow an escalation of privilege. An unprivileged software adversary with authenticated user access, combined with a high-complexity attack, may enable escalation of privilege. This may occur via local access when attack requirements are present, without special internal knowledge, and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.