Monthly
Information disclosure in GNU Savane's file-serving layer (frontend/php/file.php) allows network-accessible, unauthenticated remote attackers to bypass file authorization controls by supplying untrusted user-controlled data that the application incorrectly treats as authoritative in its access decision logic. Affected installations span Savane 3.14 through 3.17, confirmed by EUVD-2026-38135 and acknowledged via an FSF public statement. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the AC:H CVSS rating suggests non-trivial exploitation rather than a trivially automated mass-scan scenario.
PIN screen authentication bypass in the 2025 Indian Motorcycle Scout Bobber + Tech Infotainment / Digital Round display allows a physically proximate attacker to reach the fully unlocked user interface without entering a PIN. The system's boot-sequence logic (CWE-696) uses the mere presence of Wireless Control Module (WCM) CAN bus traffic as a proxy for immobilizer-fitment, and silently drops the PIN gate when no WCM messages appear - a condition an attacker can manufacture by suppressing the WCM via a CAN bus-off technique during the boot window. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV.
PIN entry bypass in the Indian Motorcycle Scout Bobber + Tech 2025 infotainment system allows an attacker with physical proximity to the vehicle to access the fully unlocked infotainment interface without entering the correct PIN. The root cause (CWE-696, Incorrect Behavior Order) is that the system treats the presence of Wireless Control Module (WCM) CAN bus traffic during its startup boot window as a proxy for immobilizer detection, and skips PIN enforcement entirely when no WCM messages are observed - a condition an attacker can manufacture by silencing the WCM. Reported by ASRG with no public exploit code and no CISA KEV listing; specific timing and protocol details have been withheld pending vendor remediation.
Infinite loop denial-of-service in OpenStack Ironic's image handling allows low-privileged authenticated attackers to exhaust conductor resources by supplying file:///dev/zero as an image URL, triggering unbounded checksum calculations that never terminate. All Ironic versions from 0 through 35.x prior to commit a3f6d73 are affected. No public exploit independently confirmed but SSVC data indicates proof-of-concept exists; EPSS sits at 0.01% (2nd percentile), consistent with low widespread exploitation likelihood despite the poc signal.
Remote code execution in GitHub Copilot CLI versions prior to 1.0.43 allows attackers to execute arbitrary commands via malicious bare git repositories embedded in project directories. When the CLI agent performs routine git operations, git's automatic bare repository discovery triggers execution of commands specified in config keys like core.fsmonitor. Attackers can deliver the malicious repository through pull requests, compromised dependencies, or pre-existing cloned repositories. No public exploit identified at time of analysis, though the attack technique leverages well-documented git behavior. The vendor-released patch (version 1.0.43) sets safe.bareRepository=explicit to block automatic bare repository discovery.
Tor before version 0.4.9.7 mishandles memory accounting in the conflux out-of-order queue during queue clearing operations, leading to a denial-of-service condition through resource exhaustion. Unauthenticated remote attackers can exploit this via network-level packet manipulation to trigger improper queue state management, causing availability degradation on affected Tor relays and clients. The vulnerability has a low severity CVSS score (3.7) due to attack complexity and availability-only impact, with no confirmed active exploitation at time of analysis.
OpenStack Horizon 25.6 and 25.7 before 25.7.3 allows unauthenticated remote attackers to exhaust session storage backend resources through repeated requests that trigger write operations prior to authentication, causing denial of service. This is a regression of CVE-2014-8124 and is assigned CVSS 5.3 (network-based, low complexity, no authentication required).
Integer overflow in Little CMS (lcms2) version 2.18 and earlier allows local attackers to trigger a buffer overflow via CubeSize calculation in cmslut.c, where the overflow check occurs after rather than before multiplication. This can result in memory corruption leading to information disclosure or denial of service with low complexity requirements. No active exploitation in CISA KEV confirmed at time of analysis, but proof-of-concept technical details are publicly available.
OpenClaw before version 2026.3.22 suffers from an authorization bypass in its interactive callback dispatch mechanism that permits unauthenticated remote attackers to execute action handlers without sender allowlist validation. The vulnerability exploits a race condition or timing gap where callbacks are processed before security checks complete, enabling unauthorized state modification and availability impact. No public exploit code or active exploitation has been confirmed at time of analysis, but the low attack complexity and lack of authentication requirements make this a practical threat to exposed OpenClaw deployments.
Local denial of service in systemd 258 through 259 allows unprivileged users to trigger an assertion failure by interacting with service units configured with Delegate=yes and no explicit User setting, causing the systemd daemon to crash. The vulnerability requires local access and specific unit configuration but poses moderate risk to system availability with a CVSS score of 4.7 and no active exploitation currently identified.
Information disclosure in GNU Savane's file-serving layer (frontend/php/file.php) allows network-accessible, unauthenticated remote attackers to bypass file authorization controls by supplying untrusted user-controlled data that the application incorrectly treats as authoritative in its access decision logic. Affected installations span Savane 3.14 through 3.17, confirmed by EUVD-2026-38135 and acknowledged via an FSF public statement. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the AC:H CVSS rating suggests non-trivial exploitation rather than a trivially automated mass-scan scenario.
PIN screen authentication bypass in the 2025 Indian Motorcycle Scout Bobber + Tech Infotainment / Digital Round display allows a physically proximate attacker to reach the fully unlocked user interface without entering a PIN. The system's boot-sequence logic (CWE-696) uses the mere presence of Wireless Control Module (WCM) CAN bus traffic as a proxy for immobilizer-fitment, and silently drops the PIN gate when no WCM messages appear - a condition an attacker can manufacture by suppressing the WCM via a CAN bus-off technique during the boot window. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV.
PIN entry bypass in the Indian Motorcycle Scout Bobber + Tech 2025 infotainment system allows an attacker with physical proximity to the vehicle to access the fully unlocked infotainment interface without entering the correct PIN. The root cause (CWE-696, Incorrect Behavior Order) is that the system treats the presence of Wireless Control Module (WCM) CAN bus traffic during its startup boot window as a proxy for immobilizer detection, and skips PIN enforcement entirely when no WCM messages are observed - a condition an attacker can manufacture by silencing the WCM. Reported by ASRG with no public exploit code and no CISA KEV listing; specific timing and protocol details have been withheld pending vendor remediation.
Infinite loop denial-of-service in OpenStack Ironic's image handling allows low-privileged authenticated attackers to exhaust conductor resources by supplying file:///dev/zero as an image URL, triggering unbounded checksum calculations that never terminate. All Ironic versions from 0 through 35.x prior to commit a3f6d73 are affected. No public exploit independently confirmed but SSVC data indicates proof-of-concept exists; EPSS sits at 0.01% (2nd percentile), consistent with low widespread exploitation likelihood despite the poc signal.
Remote code execution in GitHub Copilot CLI versions prior to 1.0.43 allows attackers to execute arbitrary commands via malicious bare git repositories embedded in project directories. When the CLI agent performs routine git operations, git's automatic bare repository discovery triggers execution of commands specified in config keys like core.fsmonitor. Attackers can deliver the malicious repository through pull requests, compromised dependencies, or pre-existing cloned repositories. No public exploit identified at time of analysis, though the attack technique leverages well-documented git behavior. The vendor-released patch (version 1.0.43) sets safe.bareRepository=explicit to block automatic bare repository discovery.
Tor before version 0.4.9.7 mishandles memory accounting in the conflux out-of-order queue during queue clearing operations, leading to a denial-of-service condition through resource exhaustion. Unauthenticated remote attackers can exploit this via network-level packet manipulation to trigger improper queue state management, causing availability degradation on affected Tor relays and clients. The vulnerability has a low severity CVSS score (3.7) due to attack complexity and availability-only impact, with no confirmed active exploitation at time of analysis.
OpenStack Horizon 25.6 and 25.7 before 25.7.3 allows unauthenticated remote attackers to exhaust session storage backend resources through repeated requests that trigger write operations prior to authentication, causing denial of service. This is a regression of CVE-2014-8124 and is assigned CVSS 5.3 (network-based, low complexity, no authentication required).
Integer overflow in Little CMS (lcms2) version 2.18 and earlier allows local attackers to trigger a buffer overflow via CubeSize calculation in cmslut.c, where the overflow check occurs after rather than before multiplication. This can result in memory corruption leading to information disclosure or denial of service with low complexity requirements. No active exploitation in CISA KEV confirmed at time of analysis, but proof-of-concept technical details are publicly available.
OpenClaw before version 2026.3.22 suffers from an authorization bypass in its interactive callback dispatch mechanism that permits unauthenticated remote attackers to execute action handlers without sender allowlist validation. The vulnerability exploits a race condition or timing gap where callbacks are processed before security checks complete, enabling unauthorized state modification and availability impact. No public exploit code or active exploitation has been confirmed at time of analysis, but the low attack complexity and lack of authentication requirements make this a practical threat to exposed OpenClaw deployments.
Local denial of service in systemd 258 through 259 allows unprivileged users to trigger an assertion failure by interacting with service units configured with Delegate=yes and no explicit User setting, causing the systemd daemon to crash. The vulnerability requires local access and specific unit configuration but poses moderate risk to system availability with a CVSS score of 4.7 and no active exploitation currently identified.