Core
Monthly
Cross-user attribute structure leakage in API Platform Core's JSON:API and HAL serializers exposes the schema layout of security-gated properties to lower-privileged users through improper cache reuse. Versions from 2.6.0 up to 4.1.29, 4.2.26, and 4.3.12 are affected across the core, hal, and json-api packages. The component structure computed for a higher-privileged user's request can be served from cache to a subsequent lower-privileged user's request, bypassing the per-request evaluation of #[ApiProperty(security: ...)] predicates. No public exploit identified at time of analysis; vendor-released patches are available.
Type confusion in API Platform Core's AbstractItemNormalizer allows authenticated API consumers to corrupt relational data by supplying IRIs pointing to resources of the wrong type during write operations (POST/PUT/PATCH). The root cause is that getResourceFromIri() omits the $operation context when calling IriConverter::getResourceFromIri(), silently bypassing the is_a type guard at IriConverter.php:86. All 4.1.x, 4.2.x, and 4.3.x releases prior to the patched versions are affected; no public exploit or CISA KEV listing has been identified at time of analysis.
Sensitive token disclosure affects the Home Assistant iOS companion app prior to 2025.5.0, where the app ignores the configured SSID allowlist meant to gate internal-network access. Because the app falls back to the internal URL whenever no other URL is available, it can transmit the user's authentication token to the internal endpoint while the device is connected to an untrusted or insecure Wi-Fi network, enabling interception. No public exploit has been identified at time of analysis, and the issue is not in CISA KEV; vendor advisory GHSA-cm5v-547m-qh5h confirms the fix in 2025.5.0.
Location spoofing in the Home Assistant Android companion app prior to 2026.5.3 allows any co-installed application - even one with zero runtime permissions - to forge the device's reported GPS position by broadcasting a crafted Google Play Services LocationResult to an unprotected exported BroadcastReceiver. The forged coordinates are forwarded to the user's Home Assistant server as the device's real location, defeating Android's developer-mode Mock Location gate and enabling abuse of zone-based automations such as unlocking doors, disarming alarms, or opening garages. No public exploit identified at time of analysis, and the issue is patched in 2026.5.3 by unexporting LocationSensorManager and introducing a thin RequestAccurateLocationReceiver proxy that drops attacker-supplied extras.
Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service vulnerability that allows network-adjacent attackers to trigger high CPU load by sending specially crafted,. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
An access control vulnerability exists in Kiteworks Core versions 9.2.0 and 9.2.1 that allows authenticated users to access unauthorized content within the private data network. With a CVSS score of 8.8 (High), an attacker with low-level authenticated access can potentially access, modify, or delete sensitive data they should not have permissions to view. No public proof-of-concept or active exploitation (KEV listing) has been reported at this time.
Excessive Data Query Operations in a Large Data Table in GitHub repository pimcore/demo prior to 10.3.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via the component DesktopEditor/fontengine/fontconverter/FontFileBase.h. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component DesktopEditor/common/File.cpp. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An issue was discovered in Form Tools through 3.0.20. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in Form Tools through 3.0.20. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in Form Tools through 3.0.20. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would normally be hidden to everyone except admins. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
An arbitrary file reading vulnerability in MobileIron Core versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to read. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross-user attribute structure leakage in API Platform Core's JSON:API and HAL serializers exposes the schema layout of security-gated properties to lower-privileged users through improper cache reuse. Versions from 2.6.0 up to 4.1.29, 4.2.26, and 4.3.12 are affected across the core, hal, and json-api packages. The component structure computed for a higher-privileged user's request can be served from cache to a subsequent lower-privileged user's request, bypassing the per-request evaluation of #[ApiProperty(security: ...)] predicates. No public exploit identified at time of analysis; vendor-released patches are available.
Type confusion in API Platform Core's AbstractItemNormalizer allows authenticated API consumers to corrupt relational data by supplying IRIs pointing to resources of the wrong type during write operations (POST/PUT/PATCH). The root cause is that getResourceFromIri() omits the $operation context when calling IriConverter::getResourceFromIri(), silently bypassing the is_a type guard at IriConverter.php:86. All 4.1.x, 4.2.x, and 4.3.x releases prior to the patched versions are affected; no public exploit or CISA KEV listing has been identified at time of analysis.
Sensitive token disclosure affects the Home Assistant iOS companion app prior to 2025.5.0, where the app ignores the configured SSID allowlist meant to gate internal-network access. Because the app falls back to the internal URL whenever no other URL is available, it can transmit the user's authentication token to the internal endpoint while the device is connected to an untrusted or insecure Wi-Fi network, enabling interception. No public exploit has been identified at time of analysis, and the issue is not in CISA KEV; vendor advisory GHSA-cm5v-547m-qh5h confirms the fix in 2025.5.0.
Location spoofing in the Home Assistant Android companion app prior to 2026.5.3 allows any co-installed application - even one with zero runtime permissions - to forge the device's reported GPS position by broadcasting a crafted Google Play Services LocationResult to an unprotected exported BroadcastReceiver. The forged coordinates are forwarded to the user's Home Assistant server as the device's real location, defeating Android's developer-mode Mock Location gate and enabling abuse of zone-based automations such as unlocking doors, disarming alarms, or opening garages. No public exploit identified at time of analysis, and the issue is patched in 2026.5.3 by unexporting LocationSensorManager and introducing a thin RequestAccurateLocationReceiver proxy that drops attacker-supplied extras.
Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service vulnerability that allows network-adjacent attackers to trigger high CPU load by sending specially crafted,. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
An access control vulnerability exists in Kiteworks Core versions 9.2.0 and 9.2.1 that allows authenticated users to access unauthorized content within the private data network. With a CVSS score of 8.8 (High), an attacker with low-level authenticated access can potentially access, modify, or delete sensitive data they should not have permissions to view. No public proof-of-concept or active exploitation (KEV listing) has been reported at this time.
Excessive Data Query Operations in a Large Data Table in GitHub repository pimcore/demo prior to 10.3.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via the component DesktopEditor/fontengine/fontconverter/FontFileBase.h. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component DesktopEditor/common/File.cpp. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An issue was discovered in Form Tools through 3.0.20. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in Form Tools through 3.0.20. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in Form Tools through 3.0.20. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would normally be hidden to everyone except admins. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
An arbitrary file reading vulnerability in MobileIron Core versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to read. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.