Monthly
Network access control bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows a remote attacker holding compromised administrator credentials to circumvent IP-based network restrictions by injecting an arbitrary X-Forwarded-For HTTP header. Both systems fail to validate or sanitize this header before using it to determine whether a request originates from an allowed network range, meaning a threat actor positioned anywhere on the internet can masquerade as a trusted network source. No public exploit code or CISA KEV listing has been identified at the time of analysis, and the high-privilege prerequisite (compromised admin credentials) significantly constrains opportunistic exploitation.
Silent configuration hijack in Traccar Client GPS tracking app (versions 9.7.19 and below) allows remote attackers to redirect victim telemetry to attacker-controlled servers via a single crafted org.traccar.client://config deep link. The app accepts deep-link parameters (server URL, device ID, accuracy, distance, interval) and writes them to persistent configuration with no user confirmation, enabling continuous covert location tracking. No public exploit identified at time of analysis, but the upstream commit confirms a confirmation dialog was added in 9.7.20 as the fix.
Traffic amplification in Netty's QUIC codec (io.netty:netty-codec-classes-quic versions 4.2.0.Final through 4.2.14.Final) allows remote unauthenticated attackers to weaponize Netty-based QUIC servers as DDoS reflectors. The default NoQuicTokenHandler's validateToken() unconditionally returns 0, which the server misinterprets as a successfully Retry-validated client address, bypassing RFC 9000's 3× anti-amplification limit and causing the server to reflect full-size handshake flights (including certificates) toward a spoofed victim IP. No public exploit identified at time of analysis, but the fix is published in Netty 4.2.15.Final.
Unauthenticated arbitrary email sending via sendEmail.json.php allows remote attackers to send phishing emails from the site's legitimate sender address to arbitrary recipients by omitting the contactForm parameter, bypassing authentication and CSRF protections. The endpoint is explicitly allow-listed as a public write action and requires only a solved captcha, enabling an attacker to impersonate the site operator and send messages with forged From/Reply-To headers that pass SPF/DKIM/DMARC validation for the site's domain, ideal for targeted credential harvesting and brand impersonation attacks.
Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 through v2.26.15.72 and Android v2.25.8.0 through v2.26.7.10 allows authenticated attackers to trigger processing of media content from arbitrary URLs on a victim's device, potentially invoking OS-controlled custom URL scheme handlers to disclose limited information. No active exploitation has been observed in the wild, and CISA SSVC indicates no known exploitation path despite the network attack vector.
TCP packet injection vulnerability in Anviz CrossChex Standard allows adjacent network attackers to manipulate or disrupt client/server communications without authentication. The application fails to verify the source of TCP packets, enabling attackers on the same network segment to inject malicious traffic and alter application behavior or cause denial of service. CISA ICS-CERT reported this affecting physical access control and time attendance systems. EPSS data not available; no confirmed active exploitation or public exploit code identified at time of analysis.
Remote code execution in OpenClaw Android application (versions before 2026.3.22) allows unauthenticated attackers to execute arbitrary code through an unvalidated WebView JavascriptInterface. Attackers craft malicious web pages that invoke the exposed canvas bridge, executing instructions within the application's Android context when users interact with untrusted content. The vulnerability requires user interaction but no authentication, enabling high-severity compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Authentication flow hijacking in Gematik Authenticator (versions <4.16.0) enables remote attackers to impersonate victim users through malicious deep links. This affects a critical healthcare identity provider used across Germany's digital health infrastructure. The vulnerability requires user interaction (clicking a crafted link) but requires no attacker authentication (CVSS AV:N/PR:N/UI:R), enabling complete account takeover with high confidentiality and integrity impact. EPSS data not available; no public exploit identified at time of analysis, though the attack vector's social engineering component makes weaponization straightforward once technical details become public.
Easy Chat Server 3.1 contains a denial of service vulnerability that allows remote attackers to crash the application by sending oversized data in the message parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. [CVSS 3.7 LOW]
Network access control bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows a remote attacker holding compromised administrator credentials to circumvent IP-based network restrictions by injecting an arbitrary X-Forwarded-For HTTP header. Both systems fail to validate or sanitize this header before using it to determine whether a request originates from an allowed network range, meaning a threat actor positioned anywhere on the internet can masquerade as a trusted network source. No public exploit code or CISA KEV listing has been identified at the time of analysis, and the high-privilege prerequisite (compromised admin credentials) significantly constrains opportunistic exploitation.
Silent configuration hijack in Traccar Client GPS tracking app (versions 9.7.19 and below) allows remote attackers to redirect victim telemetry to attacker-controlled servers via a single crafted org.traccar.client://config deep link. The app accepts deep-link parameters (server URL, device ID, accuracy, distance, interval) and writes them to persistent configuration with no user confirmation, enabling continuous covert location tracking. No public exploit identified at time of analysis, but the upstream commit confirms a confirmation dialog was added in 9.7.20 as the fix.
Traffic amplification in Netty's QUIC codec (io.netty:netty-codec-classes-quic versions 4.2.0.Final through 4.2.14.Final) allows remote unauthenticated attackers to weaponize Netty-based QUIC servers as DDoS reflectors. The default NoQuicTokenHandler's validateToken() unconditionally returns 0, which the server misinterprets as a successfully Retry-validated client address, bypassing RFC 9000's 3× anti-amplification limit and causing the server to reflect full-size handshake flights (including certificates) toward a spoofed victim IP. No public exploit identified at time of analysis, but the fix is published in Netty 4.2.15.Final.
Unauthenticated arbitrary email sending via sendEmail.json.php allows remote attackers to send phishing emails from the site's legitimate sender address to arbitrary recipients by omitting the contactForm parameter, bypassing authentication and CSRF protections. The endpoint is explicitly allow-listed as a public write action and requires only a solved captcha, enabling an attacker to impersonate the site operator and send messages with forged From/Reply-To headers that pass SPF/DKIM/DMARC validation for the site's domain, ideal for targeted credential harvesting and brand impersonation attacks.
Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 through v2.26.15.72 and Android v2.25.8.0 through v2.26.7.10 allows authenticated attackers to trigger processing of media content from arbitrary URLs on a victim's device, potentially invoking OS-controlled custom URL scheme handlers to disclose limited information. No active exploitation has been observed in the wild, and CISA SSVC indicates no known exploitation path despite the network attack vector.
TCP packet injection vulnerability in Anviz CrossChex Standard allows adjacent network attackers to manipulate or disrupt client/server communications without authentication. The application fails to verify the source of TCP packets, enabling attackers on the same network segment to inject malicious traffic and alter application behavior or cause denial of service. CISA ICS-CERT reported this affecting physical access control and time attendance systems. EPSS data not available; no confirmed active exploitation or public exploit code identified at time of analysis.
Remote code execution in OpenClaw Android application (versions before 2026.3.22) allows unauthenticated attackers to execute arbitrary code through an unvalidated WebView JavascriptInterface. Attackers craft malicious web pages that invoke the exposed canvas bridge, executing instructions within the application's Android context when users interact with untrusted content. The vulnerability requires user interaction but no authentication, enabling high-severity compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Authentication flow hijacking in Gematik Authenticator (versions <4.16.0) enables remote attackers to impersonate victim users through malicious deep links. This affects a critical healthcare identity provider used across Germany's digital health infrastructure. The vulnerability requires user interaction (clicking a crafted link) but requires no attacker authentication (CVSS AV:N/PR:N/UI:R), enabling complete account takeover with high confidentiality and integrity impact. EPSS data not available; no public exploit identified at time of analysis, though the attack vector's social engineering component makes weaponization straightforward once technical details become public.
Easy Chat Server 3.1 contains a denial of service vulnerability that allows remote attackers to crash the application by sending oversized data in the message parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. [CVSS 3.7 LOW]