Monthly
Order data corruption and permanent deletion in Sylius affects authenticated customers across versions prior to 2.0.18, 2.1.15, and 2.2.6 due to a stale-state race condition in the cart LiveComponent. When an order transitions to STATE_COMPLETED while a customer's cart page remains open in a browser tab, subsequent cart actions - clearing, removing items, or adjusting quantities - are applied to the completed order rather than a fresh cart, irreversibly deleting or mutating finalized order records. No public exploit code has been identified at time of analysis, but the attack is trivially reproducible by any authenticated customer without specialized tooling, as the attacker can deliberately engineer the race condition by completing checkout in one tab while exploiting the stale cart in another.
Information disclosure in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based attackers to expose sensitive browser data through a use-after-resource condition (CWE-672). Exploitation requires user interaction and high attack complexity, but the changed scope (S:C) indicates the flaw breaches browser isolation boundaries, yielding high confidentiality impact. No public exploit or active exploitation has been identified at time of analysis; vendor patch is available from Microsoft MSRC.
Logic flaw in Capgo before 12.128.12 lets authenticated attackers continue serving soft-deleted application bundles to end-user devices because the /updates endpoint omits an app_versions.deleted filter when joining channels. Affected operators of the Capgo live-update service (a CodePush-style OTA platform for Capacitor mobile apps) can have purged bundles re-selected and pushed downstream, undermining rollback and removal workflows. No public exploit identified at time of analysis and the issue is not present in CISA KEV.
Information disclosure in Arista EOS on platforms with hardware IPsec support can occur when physical interface flaps or specific agent restarts cause IPsec tunnels to re-establish while reusing existing Security Associations, leading to sequence number mismatches between endpoints. The CVSS 4.0 base score of 8.2 reflects high confidentiality impact reachable over the network, though attack requirements (AT:P) indicate specific preconditions must be met. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Expired access tokens in Kibana remain exploitable due to a logic error in expiration timestamp validation (CWE-672), allowing an unauthenticated actor who possesses an expired token to retrieve content it was originally scoped to access. The flaw affects all tracked Kibana versions per the NVD CPE wildcard, and Elastic has issued a security advisory (ESA-2026-33) with patch versions. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis. The CVSS 5.3 Medium score reflects constrained confidentiality impact with no integrity or availability consequence.
Authenticated users in Mattermost 11.5.x through 11.5.1 and 10.11.x through 10.11.13 can modify post attachments, properties, and pin status beyond the configured edit time window. The vulnerability bypasses the PostEditTimeLimit control via patch and update API endpoints, allowing indefinite modification of non-message post metadata after the intended edit window expires. CVSS 3.1 (Low) reflects network vector with high complexity and low-privilege requirements, while no public exploit or CISA KEV listing exists at time of analysis.
OpenClaw before 2026.4.23 fails to invalidate cached webhook route secrets after rotation, allowing attackers with previously valid secrets to continue authenticating webhook requests and invoking task flows until gateway restart. The vulnerability affects SecretRef-backed webhook authentication where the resolved secret is cached at startup rather than re-resolved per request, weakening credential rotation effectiveness. Vendor-released patch available in version 2026.4.23.
Apache::Session versions through 1.94 for Perl re-creates deleted sessions. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Bearer token revocation bypass in OpenClaw gateway allows attackers to authenticate using rotated-out tokens until process restart. OpenClaw gateway HTTP and WebSocket handlers captured bearer authentication configuration at startup, failing to re-resolve credentials after SecretRef rotation. Attackers possessing a previously valid token can maintain unauthorized gateway access to /v1/* endpoints, /tools/invoke, plugin routes, and canvas upgrade paths even after operators rotate secrets, believing the old token is revoked. Fixed in version 2026.4.15. CVSS 9.2 reflects network-accessible attack with high complexity; no public exploit identified at time of analysis.
Mattermost 10.11.x through 10.11.10 fails to clear cached permalink preview data when a user's channel access is revoked, allowing authenticated users to view private channel content through previously cached previews until the cache expires or they re-login. An authenticated attacker who previously had access to a private channel can exploit this to maintain visibility into sensitive channel communications after access removal. A patch is not currently available for this medium-severity vulnerability.
Order data corruption and permanent deletion in Sylius affects authenticated customers across versions prior to 2.0.18, 2.1.15, and 2.2.6 due to a stale-state race condition in the cart LiveComponent. When an order transitions to STATE_COMPLETED while a customer's cart page remains open in a browser tab, subsequent cart actions - clearing, removing items, or adjusting quantities - are applied to the completed order rather than a fresh cart, irreversibly deleting or mutating finalized order records. No public exploit code has been identified at time of analysis, but the attack is trivially reproducible by any authenticated customer without specialized tooling, as the attacker can deliberately engineer the race condition by completing checkout in one tab while exploiting the stale cart in another.
Information disclosure in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based attackers to expose sensitive browser data through a use-after-resource condition (CWE-672). Exploitation requires user interaction and high attack complexity, but the changed scope (S:C) indicates the flaw breaches browser isolation boundaries, yielding high confidentiality impact. No public exploit or active exploitation has been identified at time of analysis; vendor patch is available from Microsoft MSRC.
Logic flaw in Capgo before 12.128.12 lets authenticated attackers continue serving soft-deleted application bundles to end-user devices because the /updates endpoint omits an app_versions.deleted filter when joining channels. Affected operators of the Capgo live-update service (a CodePush-style OTA platform for Capacitor mobile apps) can have purged bundles re-selected and pushed downstream, undermining rollback and removal workflows. No public exploit identified at time of analysis and the issue is not present in CISA KEV.
Information disclosure in Arista EOS on platforms with hardware IPsec support can occur when physical interface flaps or specific agent restarts cause IPsec tunnels to re-establish while reusing existing Security Associations, leading to sequence number mismatches between endpoints. The CVSS 4.0 base score of 8.2 reflects high confidentiality impact reachable over the network, though attack requirements (AT:P) indicate specific preconditions must be met. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Expired access tokens in Kibana remain exploitable due to a logic error in expiration timestamp validation (CWE-672), allowing an unauthenticated actor who possesses an expired token to retrieve content it was originally scoped to access. The flaw affects all tracked Kibana versions per the NVD CPE wildcard, and Elastic has issued a security advisory (ESA-2026-33) with patch versions. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis. The CVSS 5.3 Medium score reflects constrained confidentiality impact with no integrity or availability consequence.
Authenticated users in Mattermost 11.5.x through 11.5.1 and 10.11.x through 10.11.13 can modify post attachments, properties, and pin status beyond the configured edit time window. The vulnerability bypasses the PostEditTimeLimit control via patch and update API endpoints, allowing indefinite modification of non-message post metadata after the intended edit window expires. CVSS 3.1 (Low) reflects network vector with high complexity and low-privilege requirements, while no public exploit or CISA KEV listing exists at time of analysis.
OpenClaw before 2026.4.23 fails to invalidate cached webhook route secrets after rotation, allowing attackers with previously valid secrets to continue authenticating webhook requests and invoking task flows until gateway restart. The vulnerability affects SecretRef-backed webhook authentication where the resolved secret is cached at startup rather than re-resolved per request, weakening credential rotation effectiveness. Vendor-released patch available in version 2026.4.23.
Apache::Session versions through 1.94 for Perl re-creates deleted sessions. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Bearer token revocation bypass in OpenClaw gateway allows attackers to authenticate using rotated-out tokens until process restart. OpenClaw gateway HTTP and WebSocket handlers captured bearer authentication configuration at startup, failing to re-resolve credentials after SecretRef rotation. Attackers possessing a previously valid token can maintain unauthorized gateway access to /v1/* endpoints, /tools/invoke, plugin routes, and canvas upgrade paths even after operators rotate secrets, believing the old token is revoked. Fixed in version 2026.4.15. CVSS 9.2 reflects network-accessible attack with high complexity; no public exploit identified at time of analysis.
Mattermost 10.11.x through 10.11.10 fails to clear cached permalink preview data when a user's channel access is revoked, allowing authenticated users to view private channel content through previously cached previews until the cache expires or they re-login. An authenticated attacker who previously had access to a private channel can exploit this to maintain visibility into sensitive channel communications after access removal. A patch is not currently available for this medium-severity vulnerability.