Authentication bypass in Synology DiskStation Manager (DSM) SSO lets remote, unauthenticated attackers who already know a valid account's distinguished name (DN) impersonate that identity and gain access to the NAS, with high confidentiality, integrity, and availability impact (CVSS 8.1). The flaw stems from an improper check of an exceptional condition (CWE-754) in the single sign-on flow. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.05%, 17th percentile), consistent with the high attack complexity Synology assigned.
Panic-triggered denial of service in Nimiq's core-rs-albatross (versions prior to 1.4.0) allows a network-level attacker to crash the node's RPC task by injecting a signed PeerContact with an empty addresses list into the libp2p peer discovery layer. The crash is deferred: the malicious contact is accepted and stored silently, but any subsequent call to get_address_book - from an RPC client or web client - triggers an unconditional Rust panic via .expect() on an empty iterator. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the low attack complexity and network-accessible vector make casual exploitation plausible against any exposed node operator workflow.
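As an added illustration that is not Nimiq's own code, the deferred-panic pattern described above sits beside the hardened alternative: reject a contact with no addresses at ingestion, and never `.expect()` on data a remote peer controls. `PeerContact` and `AddressBook` are simplified stand-ins for the real types.

```rust
// Added example (not core-rs-albatross code). PeerContact/AddressBook are
// assumed, simplified types; the real structs and RPC plumbing differ.
use std::collections::HashMap;

#[derive(Clone, Debug, PartialEq)]
pub struct PeerContact {
    pub peer_id: String,
    pub addresses: Vec<String>, // supplied by the remote peer; may be empty
}

#[derive(Default)]
pub struct AddressBook {
    contacts: HashMap<String, PeerContact>,
}

#[derive(Debug, PartialEq)]
pub enum InsertError { NoAddresses }

impl AddressBook {
    /// Vulnerable pattern: the contact is accepted and stored without checks,
    /// so the failure only surfaces later, on an unrelated RPC call.
    pub fn insert_unchecked(&mut self, c: PeerContact) {
        self.contacts.insert(c.peer_id.clone(), c);
    }

    /// Hardened pattern: enforce "at least one address" at ingestion so no
    /// stored entry can violate the invariant that readers rely on.
    pub fn insert_validated(&mut self, c: PeerContact) -> Result<(), InsertError> {
        if c.addresses.is_empty() {
            return Err(InsertError::NoAddresses);
        }
        self.contacts.insert(c.peer_id.clone(), c);
        Ok(())
    }

    /// Vulnerable pattern: `.expect()` on an iterator that may be empty.
    /// One empty contact panics the whole task that calls this.
    pub fn primary_addresses_panicking(&self) -> Vec<(String, String)> {
        self.contacts.values().map(|c| {
            let first = c.addresses.iter().next().expect("contact has an address");
            (c.peer_id.clone(), first.clone())
        }).collect()
    }

    /// Hardened pattern: an empty list is data, not an invariant; such
    /// entries are skipped instead of crashing the caller.
    pub fn primary_addresses(&self) -> Vec<(String, String)> {
        self.contacts.values().filter_map(|c| {
            c.addresses.first().map(|a| (c.peer_id.clone(), a.clone()))
        }).collect()
    }
}
```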
Forceful browsing in the Drupal Node View Permissions module exposes restricted node content to unauthenticated network attackers under high-complexity conditions. Affected are all installations running versions 0.0.0-1.7.0 (branch 1.x) and 2.0.0-2.0.1 (branch 2.x) of the module. The vulnerability is classified as information disclosure only - no integrity or availability impact - and carries a CVSS 3.7 (Low) score; no public exploit code exists and no confirmed active exploitation has been reported (not in CISA KEV), with EPSS placing exploitation probability at 0.01%.
Denial-of-service in Samsung's Escargot JavaScript engine (commit 590345cc) stems from multiple unhandled exceptional conditions - including a null error-value dereference during nested eval/throw/finally sequences, integer underflow in TypedArray.copyWithin after runtime buffer resize, an unhandled out-of-memory condition in the garbage collector, and an invalid fast-mode array assertion during spread operations. Exploitation requires local access and user interaction (AV:L/UI:R per CVSS), crashing or aborting the Escargot runtime process. No public exploit code or CISA KEV listing exists at time of analysis; an upstream fix is available as GitHub PR #1565 but no tagged release version has been confirmed.
Mattermost Desktop App can be crashed remotely by malicious server administrators or plugin developers exploiting insufficient isolation of server-rendered content. Authenticated attackers with low-privilege server access who can control rendered content (via a compromised server, a malicious plugin, or modified server responses) can invoke window.close() to terminate the desktop client, causing a client-side denial of service. EPSS data is not available; no public exploit code has been identified at time of analysis. The CVSS 3.5 (Low severity) score reflects the limited impact scope: disruption of individual user sessions rather than system-wide compromise.
Client-side denial-of-service in Mattermost allows remote attackers to crash user browsers via maliciously crafted SVG files embedded in OpenGraph metadata or Markdown images. The vulnerability affects Mattermost Server versions 11.5.0-11.5.1, 10.11.0-10.11.13, and 11.4.0-11.4.3, where the server fails to validate proxied image response bodies. Attackers exploit this by serving SVG files with misleading Content-Type headers (e.g., image/png) that bypass validation, causing resource exhaustion when rendered in victim browsers. CVSS rates this 4.3 (Medium) with network attack vector requiring user interaction, while EPSS data is not available. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis.
ELECOM wireless LAN access point models WAB-BE187-M, WAB-BE72-M, WAB-BE36-M, and WAB-BE36-S fail to validate the language parameter in administrative pages, allowing remote attackers to break the admin interface for logged-in users via malicious web pages. The vulnerability requires user interaction (viewing a malicious page while authenticated to the access point) and results in denial of service of the administrative interface rather than data exposure or unauthorized access. No public exploit code has been identified at time of analysis.
An improper conditions check in some firmware for some Intel(R) NPU Drivers (Ring 1: Device Drivers) may allow a denial of service. An unprivileged software adversary with an authenticated user, using a low-complexity attack, may trigger the denial of service via local access; no attack requirements are present, no special internal knowledge is needed, and no user interaction is required. The vulnerability may impact the vulnerable system's confidentiality (none), integrity (low) and availability (high), with no subsequent impact on other systems' confidentiality, integrity or availability.
Remote code execution in Firefox ESR allows unauthenticated network attackers to achieve complete system compromise via malformed audio/video content. Mozilla has released patches in Firefox ESR 140.10.2 and Firefox ESR 115.35.2. Despite a critical CVSS 9.8 score and SSVC rating of 'total' technical impact with automatable exploitation, EPSS assigns only 0.01% exploitation probability (1st percentile), and no public exploit or active exploitation has been identified. The severity stems from the unauthenticated network attack vector against a boundary condition flaw in media playback - a user-facing feature in a widely-deployed browser component.
Authorization bypass in Clerk JavaScript SDKs allows authenticated users to proceed past combined authorization checks they should fail. When developers use has() or auth.protect() with multiple authorization dimensions (e.g., role + reverification, permission + billing feature, or billing plan + permission), the predicate incorrectly returns true for users who satisfy only a subset of the required conditions. Sessions and authentication remain secure, but gated actions may execute for under-privileged users. Patches have been released across all affected SDK packages (Core 2 and Core 3) with no API changes. No public exploit code has been identified at time of analysis, but the vulnerability is straightforward to trigger in the production code patterns explicitly outlined in the vendor advisory.