Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a high-privileged administrator holding Implementations entitlements to run untrusted code outside the sandbox. By placing payload logic in a Groovy class static initializer, the attacker reaches a non-sandboxed execution path, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 6th percentile), consistent with a privilege-gated, not mass-scanned, issue.
Spring gRPC 1.0.0 through 1.0.2 inherits authenticated user identity on gRPC worker threads after access denial, allowing a subsequent unauthenticated request on the same thread to gain escalated permissions. The vulnerability requires an authenticated attacker with prior knowledge of thread reuse patterns and affects only configurations where both authenticated and unauthenticated requests share gRPC worker threads. A patch is available in version 1.0.3.
Traefik versions prior to 2.11.43, 3.6.14, and 3.7.0-rc.2 fail to enforce cross-namespace isolation for middleware references nested inside Chain middlewares, allowing actors with permission to create CRDs in their own namespace to bypass the allowCrossNamespace=false restriction and apply middleware from arbitrary namespaces. This authorization bypass affects Kubernetes clusters relying on namespace isolation controls and can enable unauthorized reuse of security-sensitive middleware policies across namespace boundaries.
Pretix 2025 and 2026 versions contain an API endpoint authorization bypass that returns all check-in events for an organizer rather than a specific event, exposing ticket scan records (including scan timestamps, results, and ticket IDs) across unauthorized events to authenticated API consumers with high-level organizer privileges. The vulnerability affects pretix 2025.10.0 through 2026.3.0, allowing privileged users to access sensitive event data they should not be permitted to view, though individual attendee identity linkage requires additional context not provided by the API response alone.
Cross-world user deletion in venueless allows authenticated API users with 'manage users' permission in one world to delete user accounts in completely separate worlds. Venueless versions prior to commit 02b9cbe5 are affected. The CVSS 7.3 rating reflects network-based attack requiring low-complexity exploitation by authenticated users with low privileges. No public exploit identified at time of analysis, though the vulnerability permits unauthorized data destruction across tenant boundaries in multi-tenant deployments.
Electron's nodeIntegrationInWorker webPreference fails to properly isolate Node.js integration in worker contexts across certain process-sharing configurations, allowing workers in frames explicitly configured with nodeIntegrationInWorker: false to unexpectedly gain Node.js capabilities. Only applications that explicitly enable nodeIntegrationInWorker are affected. The vulnerability carries a CVSS score of 6.8 and permits information disclosure and code execution in affected contexts, with no public exploit identified at time of analysis.
Keycloak's SingleUseObjectProvider lacks proper type and namespace isolation, allowing unauthenticated remote attackers with user interaction to delete arbitrary single-use entries and replay consumed action tokens such as password reset links, leading to account compromise. The vulnerability requires user interaction (UI:R) and high attack complexity (AC:H), resulting in a CVSS score of 5.3. No public exploit code or active exploitation has been confirmed at time of analysis.
Authorization code forgery in Red Hat Keycloak enables unauthenticated attackers to escalate privileges to admin-level access tokens. The SingleUseObjectProvider's lack of type and namespace isolation permits attackers to forge valid authorization codes remotely, though exploitation requires high complexity (AC:H). No public exploit identified at time of analysis, with CVSS 7.4 indicating high confidentiality and integrity impact but no availability disruption.
Red Hat OpenShift AI llama-stack-operator permits unauthorized cross-namespace access to Llama Stack service endpoints due to missing NetworkPolicy enforcement, enabling authenticated users in one namespace to view or modify sensitive data in another user's Llama Stack instances. CVSS 8.1 (High) reflects high confidentiality and integrity impact with low-privilege authenticated network access. No public exploit identified at time of analysis, though the authentication bypass weakness (CWE-653) is architecturally straightforward to leverage once cluster access is obtained.
ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability could enable an unauthenticated user, in certain circumstances, to execute code within the ServiceNow Sandbox.