Monthly
IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 exposes authenticated users to unauthorized action execution due to improper enforcement of behavioral workflow sequences (CWE-841). Low-privileged authenticated users can circumvent intended access controls by exploiting gaps in workflow state validation, enabling integrity-impacting operations they should not be permitted to perform. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, though the network-accessible attack vector and low complexity lower the bar for exploitation by any credentialed user.
Payment status replay in pretix-mollie allows unauthenticated attackers to obtain multiple valid event tickets by reusing a single legitimate Mollie payment confirmation. The plugin fails to bind payment status responses to their originating transaction, so a successful payment callback for order A can be submitted against order B. No active exploitation or public proof-of-concept has been identified at time of analysis; a vendor patch was released on 2026-06-25 in version 2026.5.2.
Payment response replay vulnerability in the pretix-oppwa integration allows a remote attacker to reuse a legitimate Oppwa payment confirmation from one transaction to authorize separate, unpaid orders - effectively obtaining multiple valid event tickets with a single payment. All known versions of the pretix-oppwa plugin (cpe:2.3:a:pretix:pretix-oppwa:*) are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the business logic bypass enables direct financial fraud for event organizers. A vendor patch was released in conjunction with Pretix version 2026-5.2.
Payment response replay in the pretix-computop integration allows an unauthenticated network attacker to obtain multiple valid event tickets by paying only once. The Pretix Computop plugin fails to bind successful payment status responses to their originating transaction, so a response captured from a completed payment can be submitted against any other pending order. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified, though the vendor disclosed the issue alongside a fix on 2026-06-25.
Incomplete macro-block state synchronization in Nimiq core-rs-albatross LightBlockchain allows a network-accessible attacker to permanently stall a light client's chain progression by triggering a rebranch to a fork whose tip is a macro (checkpoint or election) block. Affected are all deployments of the Rust Albatross light client prior to v1.4.0. When exploitation targets an election block specifically, the stale current_validators pointer causes every subsequent push() call to fail verify_validators(), rendering the light client unable to advance its chain. No public exploit identified at time of analysis, though the exact fix is visible in merged PR #3706 and the triggering conditions are fully described in the advisory.
Denial-of-service in the Erlang HTTP client library Ninenines gun (versions 2.0.0 through 2.3.x) lets a malicious or compromised HTTP/1.1 server force any gun client into raw protocol mode by returning an unsolicited 101 Switching Protocols response, after which the server can flood the client owner process with unbounded gun_data messages and exhaust BEAM VM memory. No public exploit identified at time of analysis, but the fix is trivial and the issue is reachable from any plain HTTP/1.1 request to an attacker-controlled host. CVSS 4.0 8.7 reflects the unauthenticated, network-reachable, high-availability-only impact.
Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.
TLS 1.3 client authentication bypass in Botan cryptography library versions prior to 3.11.1 allows unauthenticated remote attackers to skip certificate validation by sending ApplicationData records before the Finished handshake message. Exploiting this vulnerability requires no authentication (PR:N), low attack complexity (AC:L), and no user interaction (UI:N), resulting in complete integrity compromise (VI:H) for TLS 1.3 servers relying on mutual authentication. CVSS 8.7 severity reflects the network-accessible attack surface and direct violation of cryptographic protocol invariants (CWE-841: Improper Enforcement of Behavioral Workflow). No public exploit identified at time of analysis, though the protocol-level flaw in a widely-used cryptographic library presents significant risk to certificate-based access control mechanisms.
SourceCodester Pharmacy Product Management System 1.0 fails to enforce inventory constraints in the add-sales.php module, allowing attackers to create sales transactions for quantities that exceed available stock levels. This business logic flaw enables overselling scenarios where the system processes orders without validating stock availability, potentially leading to negative inventory records and operational disruption. Publicly available exploit code exists demonstrating the vulnerability, though no CVSS scoring or active exploitation via CISA KEV has been confirmed.
IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 exposes authenticated users to unauthorized action execution due to improper enforcement of behavioral workflow sequences (CWE-841). Low-privileged authenticated users can circumvent intended access controls by exploiting gaps in workflow state validation, enabling integrity-impacting operations they should not be permitted to perform. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, though the network-accessible attack vector and low complexity lower the bar for exploitation by any credentialed user.
Payment status replay in pretix-mollie allows unauthenticated attackers to obtain multiple valid event tickets by reusing a single legitimate Mollie payment confirmation. The plugin fails to bind payment status responses to their originating transaction, so a successful payment callback for order A can be submitted against order B. No active exploitation or public proof-of-concept has been identified at time of analysis; a vendor patch was released on 2026-06-25 in version 2026.5.2.
Payment response replay vulnerability in the pretix-oppwa integration allows a remote attacker to reuse a legitimate Oppwa payment confirmation from one transaction to authorize separate, unpaid orders - effectively obtaining multiple valid event tickets with a single payment. All known versions of the pretix-oppwa plugin (cpe:2.3:a:pretix:pretix-oppwa:*) are affected. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the business logic bypass enables direct financial fraud for event organizers. A vendor patch was released in conjunction with Pretix version 2026-5.2.
Payment response replay in the pretix-computop integration allows an unauthenticated network attacker to obtain multiple valid event tickets by paying only once. The Pretix Computop plugin fails to bind successful payment status responses to their originating transaction, so a response captured from a completed payment can be submitted against any other pending order. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified, though the vendor disclosed the issue alongside a fix on 2026-06-25.
Incomplete macro-block state synchronization in Nimiq core-rs-albatross LightBlockchain allows a network-accessible attacker to permanently stall a light client's chain progression by triggering a rebranch to a fork whose tip is a macro (checkpoint or election) block. Affected are all deployments of the Rust Albatross light client prior to v1.4.0. When exploitation targets an election block specifically, the stale current_validators pointer causes every subsequent push() call to fail verify_validators(), rendering the light client unable to advance its chain. No public exploit identified at time of analysis, though the exact fix is visible in merged PR #3706 and the triggering conditions are fully described in the advisory.
Denial-of-service in the Erlang HTTP client library Ninenines gun (versions 2.0.0 through 2.3.x) lets a malicious or compromised HTTP/1.1 server force any gun client into raw protocol mode by returning an unsolicited 101 Switching Protocols response, after which the server can flood the client owner process with unbounded gun_data messages and exhaust BEAM VM memory. No public exploit identified at time of analysis, but the fix is trivial and the issue is reachable from any plain HTTP/1.1 request to an attacker-controlled host. CVSS 4.0 8.7 reflects the unauthenticated, network-reachable, high-availability-only impact.
Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22.
TLS 1.3 client authentication bypass in Botan cryptography library versions prior to 3.11.1 allows unauthenticated remote attackers to skip certificate validation by sending ApplicationData records before the Finished handshake message. Exploiting this vulnerability requires no authentication (PR:N), low attack complexity (AC:L), and no user interaction (UI:N), resulting in complete integrity compromise (VI:H) for TLS 1.3 servers relying on mutual authentication. CVSS 8.7 severity reflects the network-accessible attack surface and direct violation of cryptographic protocol invariants (CWE-841: Improper Enforcement of Behavioral Workflow). No public exploit identified at time of analysis, though the protocol-level flaw in a widely-used cryptographic library presents significant risk to certificate-based access control mechanisms.
SourceCodester Pharmacy Product Management System 1.0 fails to enforce inventory constraints in the add-sales.php module, allowing attackers to create sales transactions for quantities that exceed available stock levels. This business logic flaw enables overselling scenarios where the system processes orders without validating stock availability, potentially leading to negative inventory records and operational disruption. Publicly available exploit code exists demonstrating the vulnerability, though no CVSS scoring or active exploitation via CISA KEV has been confirmed.