Monthly
Denial of service in Samsung Escargot JavaScript engine at commit 590345cc6258317c5da850d846ce6baaf2afc2d3 stems from multiple improper exceptional-condition handling paths exposed during JavaScript execution: a null pointer dereference when resolving error values in nested eval/throw/finally scenarios, an integer underflow in TypedArray.copyWithin() triggered by resizable ArrayBuffer coercion, and an unguarded assertion failure when array objects transition unexpectedly from fast to slow mode. Attack vector is local and requires user interaction (UI:R), with impact confined entirely to availability - crashing the host process. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Control-flow disruption in XiangShan open-source RISC-V processor allows local authenticated attackers to trigger denial of service through malformed CSR operations that fail to properly invoke trap handlers. Affected commits from November 2024 contain improper exception handling in the NewCSR subsystem that can leave the processor core in a hung state when targeting non-existent CSR addresses. GitHub issue #3959 and pull request #3966 document the flaw and proposed fix. EPSS score of 0.02% (5th percentile) indicates very low predicted exploitation probability. No public exploit code identified and not listed in CISA KEV, suggesting primarily theoretical risk limited to specialized RISC-V development environments.
Denial-of-service vulnerability in Fleet device management software prior to version 4.81.0 allows authenticated hosts to crash the entire Fleet server process by sending a malformed log type value to the gRPC Launcher endpoint, disrupting all connected devices, MDM enrollments, and API consumers. The vulnerability requires prior authentication but affects availability across the entire infrastructure. Vendor-released patch: version 4.81.0.
2N Access Commander application version 3.4.2 and prior returns HTTP 500 Internal Server Error responses when receiving malformed or manipulated requests, indicating improper handling of invalid input and potential security or availability impacts. [CVSS 6.5 MEDIUM]
Malcontent versions before 1.21.0 fail to preserve nested archives that cannot be extracted, potentially allowing malicious content to evade detection during supply-chain compromise analysis. An attacker could exploit this by embedding malicious payloads in problematic nested archives that the tool would discard without scanning. The vulnerability has a patch available in version 1.21.0 and later.
iPhone Mirroring in iOS and iPadOS allows an attacker with physical device access to bypass UI protections and capture screenshots containing sensitive information that should remain hidden during the mirroring session. The vulnerability stems from insufficient state management in the user interface, enabling unauthorized viewing of private data on the iPhone while it is being mirrored to a Mac. No patch is currently available for this medium-severity issue.
HP OfficeJet Pro printers running affected firmware versions are susceptible to denial of service attacks through malformed Internet Printing Protocol (IPP) requests that prevent proper TCP connection establishment. An unauthenticated remote attacker can trigger this condition to disrupt printer availability, though no patch is currently available to mitigate the vulnerability.
chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.php) when a user is not authenticated but fails to call exit() afterward. [CVSS 7.5 HIGH]
EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ exceptions are not properly handled for and by the `TbdController` loop, leading to its caller and itself to silently terminates. [CVSS 6.5 MEDIUM]
The RSA crate versions prior to 0.9.10 crash when constructing private keys with invalid prime components (such as 1), allowing an attacker to trigger a denial of service by providing malformed key material. This affects applications using the vulnerable RSA library for cryptographic operations. A patch is available in version 0.9.10 and later.
Denial of service in Samsung Escargot JavaScript engine at commit 590345cc6258317c5da850d846ce6baaf2afc2d3 stems from multiple improper exceptional-condition handling paths exposed during JavaScript execution: a null pointer dereference when resolving error values in nested eval/throw/finally scenarios, an integer underflow in TypedArray.copyWithin() triggered by resizable ArrayBuffer coercion, and an unguarded assertion failure when array objects transition unexpectedly from fast to slow mode. Attack vector is local and requires user interaction (UI:R), with impact confined entirely to availability - crashing the host process. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Control-flow disruption in XiangShan open-source RISC-V processor allows local authenticated attackers to trigger denial of service through malformed CSR operations that fail to properly invoke trap handlers. Affected commits from November 2024 contain improper exception handling in the NewCSR subsystem that can leave the processor core in a hung state when targeting non-existent CSR addresses. GitHub issue #3959 and pull request #3966 document the flaw and proposed fix. EPSS score of 0.02% (5th percentile) indicates very low predicted exploitation probability. No public exploit code identified and not listed in CISA KEV, suggesting primarily theoretical risk limited to specialized RISC-V development environments.
Denial-of-service vulnerability in Fleet device management software prior to version 4.81.0 allows authenticated hosts to crash the entire Fleet server process by sending a malformed log type value to the gRPC Launcher endpoint, disrupting all connected devices, MDM enrollments, and API consumers. The vulnerability requires prior authentication but affects availability across the entire infrastructure. Vendor-released patch: version 4.81.0.
2N Access Commander application version 3.4.2 and prior returns HTTP 500 Internal Server Error responses when receiving malformed or manipulated requests, indicating improper handling of invalid input and potential security or availability impacts. [CVSS 6.5 MEDIUM]
Malcontent versions before 1.21.0 fail to preserve nested archives that cannot be extracted, potentially allowing malicious content to evade detection during supply-chain compromise analysis. An attacker could exploit this by embedding malicious payloads in problematic nested archives that the tool would discard without scanning. The vulnerability has a patch available in version 1.21.0 and later.
iPhone Mirroring in iOS and iPadOS allows an attacker with physical device access to bypass UI protections and capture screenshots containing sensitive information that should remain hidden during the mirroring session. The vulnerability stems from insufficient state management in the user interface, enabling unauthorized viewing of private data on the iPhone while it is being mirrored to a Mac. No patch is currently available for this medium-severity issue.
HP OfficeJet Pro printers running affected firmware versions are susceptible to denial of service attacks through malformed Internet Printing Protocol (IPP) requests that prevent proper TCP connection establishment. An unauthenticated remote attacker can trigger this condition to disrupt printer availability, though no patch is currently available to mitigate the vulnerability.
chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.php) when a user is not authenticated but fails to call exit() afterward. [CVSS 7.5 HIGH]
EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ exceptions are not properly handled for and by the `TbdController` loop, leading to its caller and itself to silently terminates. [CVSS 6.5 MEDIUM]
The RSA crate versions prior to 0.9.10 crash when constructing private keys with invalid prime components (such as 1), allowing an attacker to trigger a denial of service by providing malformed key material. This affects applications using the vulnerable RSA library for cryptographic operations. A patch is available in version 0.9.10 and later.