Monthly
BGP session flapping denial-of-service in Cisco NX-OS on Nexus 3000 and 9000 Series Switches exposes data-center routing infrastructure to disruption from unauthenticated remote attackers. The flaw resides in the enforce-first-as BGP feature, where incorrect parsing of a transitive BGP attribute causes an affected switch to drop its BGP peer session and enter a flap loop upon receiving a crafted BGP UPDATE message. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, though the Changed scope in the CVSS vector reflects that the instability can propagate beyond the directly attacked peer, amplifying network-wide impact.
The EqualsUri function in uriparser before version 1.0.2 incorrectly classifies structurally distinct URIs as equivalent due to flawed absolutePath comparison logic when a host is present. An attacker can craft two different URIs that the library treats as identical, potentially bypassing URI-based access control checks or authentication mechanisms that rely on URI comparison. The vulnerability affects all versions before 1.0.2 and requires local access with high attack complexity; the impact is limited to integrity (logic bypass) with no confidentiality or availability impact.
UUID library versions before 14.0.0 make unexpected writes to external output buffers when generating UUID versions 3, 5, or 6, potentially corrupting adjacent memory. UUID version 4, the most commonly deployed variant, is unaffected. The vulnerability requires local access and non-default buffer configuration to exploit, resulting in integrity compromise rather than code execution or availability impact.
The cut utility in uutils coreutils fails to suppress non-delimited lines when the -s (only-delimited) option is used with a newline character as the delimiter, causing unfiltered data to be passed to downstream processes. Affected versions prior to 0.8.0 exhibit this logic error, which has low real-world impact due to its local-only attack vector and partial technical scope, though it violates the strict data-filtering contract that scripts may depend upon.
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, the OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values: every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider. The OIDC token cache for the FHIR client connections used an inverted time comparison (isBefore instead of isAfter), causing the cache to never invalidate: every incoming request returned the same OIDC token even if expired. This vulnerability is fixed in 2.1.0.
KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there is an error in the mechanism (KUniqueService) for ensuring that only one instance is running.
Information disclosure in lm-sys FastChat up to version 0.2.36 allows remote unauthenticated attackers to manipulate the add_text function in the Arena Side-by-Side View Handler, resulting in incorrect control flow that exposes sensitive data. The vulnerability has publicly available exploit code and affects the web-based arena comparison interface. A partial fix was applied in commit 34eca62 to gradio_block_arena_named.py, but three additional affected files remain unpatched.
Logic error in Luanti 5 (formerly Minetest) game engine before 5.15.2 allows malicious mods to gain unauthorized access to security-restricted APIs by intercepting mod environment setup. When any mod is designated as trusted (via secure.trusted_mods or secure.http_mods), a specially crafted mod can exploit the environment initialization sequence to receive the insecure environment or HTTP API access intended only for trusted mods. CVSS 8.1 reflects local attack vector with high complexity but no authentication required and scope change with high confidentiality/integrity/availability impact. GitHub security advisory and two fix commits confirm patch availability. No CISA KEV listing or public exploit code identified at time of analysis.
Connection slot exhaustion in Deadwood (MaraDNS 3.5.0036) allows remote unauthenticated attackers to cause denial of service by triggering lookups for zones with unresolvable authoritative nameserver addresses. This resource exhaustion vulnerability (CWE-670) has CVSS 7.5 severity and EPSS data indicates low exploitation probability. No public exploit identified at time of analysis, though the attack mechanism appears straightforward given the network-accessible attack vector with low complexity.
Varnish Cache 9.0.0 crashes (denial of service) when a remote client exploits timing between timeout_linger and timeout_idle to trigger HTTP/1 request pipelining that causes a workspace overflow in the refactored HTTP/2 architecture. The vulnerability stems from incomplete code path handling during workspace rollback in the recent non-blocking port, allowing prefetched data to exceed workspace_client boundaries and panic the daemon. Vendor-released patch: version 9.0.1. No public exploit code identified at time of analysis, but the attack requires only network access and careful timing, making real-world exploitation feasible for sophisticated attackers.