Monthly
Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment such as Flatpak load an attacker-controlled library and execute arbitrary code on the host user's session. The flaw (CWE-427) is present in PipeWire as shipped in Red Hat Enterprise Linux 7, 8, 9 and 10 and carries a scope-changing CVSS 3.1 score of 8.8. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Arbitrary code execution in the HYPER SBI 2 installer (SBI Securities' online trading application) allows a local attacker to run code with the invoking user's privileges by planting a crafted DLL in the installer's directory. The flaw stems from insecure DLL search-path loading (CWE-427) and requires the victim to launch the installer from an attacker-influenced folder. No public exploit has been identified at time of analysis; the issue was reported by JPCERT/CC and published via JVN.
Local arbitrary code execution in Adobe Creative Cloud Desktop lets a low-privileged user run code in the context of the current user by exploiting an uncontrolled search path (CWE-427) — the class of flaw where an application loads a library or executable from an attacker-influenced directory. Adobe (CVE-2026-48272) rates it CVSS 7.8, but the vector is local with high attack complexity and requires existing low-level privileges, and exploitation depends on conditions beyond the attacker's control. No public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a defense-in-depth patch rather than an emergency.
Arbitrary code execution in SAProuter on Microsoft Windows lets a local attacker plant a malicious DLL in an untrusted search-path location that SAProuter loads at runtime, hijacking the DLL loading process to run attacker code with the privileges of the SAProuter service. The flaw was reported by SAP and carries a CVSS 8.4 with full High impact on confidentiality, integrity, and availability; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because SAProuter typically runs as a persistent network gateway service, successful exploitation can compromise a strategically positioned host in an SAP landscape.
Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases arises from an Uncontrolled Search Path Element weakness that lets attacker-controlled files or libraries be loaded when a victim opens a malicious file, running code in the context of the current user. The bug carries a scope change (S:C), meaning execution can affect resources beyond the initially vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so real-world risk currently hinges on social-engineering a local user into opening a crafted file.
Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and earlier arises from an uncontrolled search path element (library-hijacking-style) flaw that runs attacker code in the context of the current user when a victim opens a malicious file. The CVSS 3.1 base score is 8.2 with a changed scope, and exploitation is gated by user interaction and low-privilege local access. No public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Local privilege/impact abuse in Tencent PC Manager 18.1.30242.301 stems from an uncontrolled search path (CWE-427) in the QMUDisk kernel driver library qmudisk64.sys, letting a low-privileged local user coerce loading of an attacker-controlled library to achieve high confidentiality, integrity, and availability impact. Publicly available exploit code exists (the 'qmukiller' proof-of-concept on GitHub), but exploitation is rated high-complexity/difficult and requires local access with existing low-level privileges. No public exploit has been tied to active in-the-wild attacks, and the vendor did not respond to the disclosure, so no fix is currently available.
Local privilege escalation in Foxit PDF Editor and Foxit PDF Reader (Windows) lets a low-privileged user place executable files that a high-privilege process later runs directly, yielding code execution as NT AUTHORITY\SYSTEM. The flaw stems from an untrusted search path (CWE-427) where the application loads and executes attacker-writable binaries without validating their origin. There is no public exploit identified at time of analysis, EPSS is low (0.11%, 2nd percentile), and SSVC reports no observed exploitation, so this is a locally-exploitable escalation rather than a remotely wormable threat.
Local privilege escalation to arbitrary code execution affects Fuji Electric's Pupsman UPS management software in all versions prior to 3.9.0, where the installer insecurely loads a DLL from its own directory. A local attacker who can drop a malicious DLL into the folder containing the installer can have it executed with SYSTEM privilege the next time the installer is run. No public exploit identified at time of analysis and the flaw is not in CISA KEV; exploitation requires local file placement plus a victim executing the installer (UI:A).
Local code execution in Notepad3 (versions through 6.25.822.1) arises from an insecure LoadLibrary(L"MSFTEDIT.DLL") call in the About-dialog path within src/Notepad3.c. Because the DLL is loaded by bare name, an attacker who can drop a malicious MSFTEDIT.DLL into the application directory or an earlier search-order location runs arbitrary code as the current user once that user opens the About dialog. No public exploit identified at time of analysis, and EPSS is low at 0.18% (8th percentile), consistent with a local, user-interaction-dependent flaw rather than a mass-exploitation target.
Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment such as Flatpak load an attacker-controlled library and execute arbitrary code on the host user's session. The flaw (CWE-427) is present in PipeWire as shipped in Red Hat Enterprise Linux 7, 8, 9 and 10 and carries a scope-changing CVSS 3.1 score of 8.8. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Arbitrary code execution in the HYPER SBI 2 installer (SBI Securities' online trading application) allows a local attacker to run code with the invoking user's privileges by planting a crafted DLL in the installer's directory. The flaw stems from insecure DLL search-path loading (CWE-427) and requires the victim to launch the installer from an attacker-influenced folder. No public exploit has been identified at time of analysis; the issue was reported by JPCERT/CC and published via JVN.
Local arbitrary code execution in Adobe Creative Cloud Desktop lets a low-privileged user run code in the context of the current user by exploiting an uncontrolled search path (CWE-427) — the class of flaw where an application loads a library or executable from an attacker-influenced directory. Adobe (CVE-2026-48272) rates it CVSS 7.8, but the vector is local with high attack complexity and requires existing low-level privileges, and exploitation depends on conditions beyond the attacker's control. No public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a defense-in-depth patch rather than an emergency.
Arbitrary code execution in SAProuter on Microsoft Windows lets a local attacker plant a malicious DLL in an untrusted search-path location that SAProuter loads at runtime, hijacking the DLL loading process to run attacker code with the privileges of the SAProuter service. The flaw was reported by SAP and carries a CVSS 8.4 with full High impact on confidentiality, integrity, and availability; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because SAProuter typically runs as a persistent network gateway service, successful exploitation can compromise a strategically positioned host in an SAP landscape.
Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases arises from an Uncontrolled Search Path Element weakness that lets attacker-controlled files or libraries be loaded when a victim opens a malicious file, running code in the context of the current user. The bug carries a scope change (S:C), meaning execution can affect resources beyond the initially vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so real-world risk currently hinges on social-engineering a local user into opening a crafted file.
Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and earlier arises from an uncontrolled search path element (library-hijacking-style) flaw that runs attacker code in the context of the current user when a victim opens a malicious file. The CVSS 3.1 base score is 8.2 with a changed scope, and exploitation is gated by user interaction and low-privilege local access. No public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Local privilege/impact abuse in Tencent PC Manager 18.1.30242.301 stems from an uncontrolled search path (CWE-427) in the QMUDisk kernel driver library qmudisk64.sys, letting a low-privileged local user coerce loading of an attacker-controlled library to achieve high confidentiality, integrity, and availability impact. Publicly available exploit code exists (the 'qmukiller' proof-of-concept on GitHub), but exploitation is rated high-complexity/difficult and requires local access with existing low-level privileges. No public exploit has been tied to active in-the-wild attacks, and the vendor did not respond to the disclosure, so no fix is currently available.
Local privilege escalation in Foxit PDF Editor and Foxit PDF Reader (Windows) lets a low-privileged user place executable files that a high-privilege process later runs directly, yielding code execution as NT AUTHORITY\SYSTEM. The flaw stems from an untrusted search path (CWE-427) where the application loads and executes attacker-writable binaries without validating their origin. There is no public exploit identified at time of analysis, EPSS is low (0.11%, 2nd percentile), and SSVC reports no observed exploitation, so this is a locally-exploitable escalation rather than a remotely wormable threat.
Local privilege escalation to arbitrary code execution affects Fuji Electric's Pupsman UPS management software in all versions prior to 3.9.0, where the installer insecurely loads a DLL from its own directory. A local attacker who can drop a malicious DLL into the folder containing the installer can have it executed with SYSTEM privilege the next time the installer is run. No public exploit identified at time of analysis and the flaw is not in CISA KEV; exploitation requires local file placement plus a victim executing the installer (UI:A).
Local code execution in Notepad3 (versions through 6.25.822.1) arises from an insecure LoadLibrary(L"MSFTEDIT.DLL") call in the About-dialog path within src/Notepad3.c. Because the DLL is loaded by bare name, an attacker who can drop a malicious MSFTEDIT.DLL into the application directory or an earlier search-order location runs arbitrary code as the current user once that user opens the About dialog. No public exploit identified at time of analysis, and EPSS is low at 0.18% (8th percentile), consistent with a local, user-interaction-dependent flaw rather than a mass-exploitation target.