Monthly
Cross-site request forgery in Zammad OAuth callback endpoints for Microsoft, Google, and Facebook authentication allows authenticated attackers to hijack user sessions by crafting malicious requests that bypass CSRF state validation, potentially granting unauthorized access to user accounts and helpdesk data. The vulnerability affects Zammad versions prior to 7.0.1 and 6.5.4, and while no public exploit code has been identified, the attack requires user interaction and moderate attacker effort to execute successfully.
Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators to inject malicious JavaScript via the Google Maps iframe setting (cMap field) using the srcdoc attribute, which bypasses existing sanitization filters. The injected payload executes in the browser context of unauthenticated frontend visitors, enabling session hijacking, credential theft, or malware distribution. This vulnerability requires admin-level access to the settings panel but affects all unauthenticated site visitors who view pages with the malicious iframe.
DOM-based cross-site scripting in MK Google Directions WordPress plugin versions up to 3.1.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper sanitization of user-supplied input during web page generation, enabling attackers to steal session cookies, perform actions on behalf of authenticated users, or deface plugin interface elements. With an EPSS score of 0.03% (8th percentile), real-world exploitation probability is minimal despite the medium CVSS score of 6.5.
Remote code execution in DSGVO Google Web Fonts GDPR WordPress plugin (all versions ≤1.1) allows unauthenticated attackers to upload PHP webshells via arbitrary file upload. The DSGVOGWPdownloadGoogleFonts() function, exposed through wp_ajax_nopriv_ hooks, accepts user-supplied URLs without file type validation and writes content to publicly accessible directories. Exploitation requires the target site to use specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely). CVSS 9.8 Critical reflects network-accessible, unauthenticated attack vector with full system compromise potential. No public exploit identified at time of analysis, though the vulnerability class (CWE-434 unrestricted file upload) is well-understood and commonly weaponized.
Arbitrary file write in Pega Browser Extension allows remote attackers to compromise system integrity when Robot Runtime users visit malicious websites while running automations in Chrome or Edge. Affects Pega Robotic Automation versions 22.1 and R25. Attack requires user interaction (navigating to attacker-controlled site) but no authentication. No public exploit identified at time of analysis, though attack complexity is low once user visits malicious site.
GPS spoofing vulnerability in JXL 9 Inch Car Android Double Din Player (Android 12.0) allows unauthenticated remote attackers to inject falsified GPS signals that the infotainment system accepts as legitimate, forcing incorrect or static location reporting. Exploitation requires no user interaction and achieves high integrity and availability impact through manipulation of navigation data. No public exploit identified at time of analysis. CVSS 9.1 reflects network-accessible attack vector with low complexity.
BatchCheck API calls in OpenFGA 1.8.0 through 1.13.1 can bypass authorization policies when multiple permission checks target the same object, relation, and user combination, allowing authenticated attackers with limited privileges to gain unauthorized access to protected resources. The vulnerability stems from improper handling of duplicate check parameters in batch operations and is fixed in version 1.14.0.
Meesho Online Shopping App versions up to 27.3 on Android implement risky cryptographic algorithms in the /api/endpoint component (com.meesho.supply), enabling remote attackers to disclose sensitive information without authentication. The vulnerability has CVSS 6.3 severity with public exploit code availability, though exploitation requires high attack complexity. This impacts the confidentiality of user data processed through affected API endpoints.
OAuth authorization flow interception in Directus enables attackers to steal victims' identity provider access tokens through cross-origin window manipulation. This authentication bypass vulnerability (CVSS 8.7) affects the Directus npm package due to missing Cross-Origin-Opener-Policy headers on SSO login pages, allowing malicious sites to redirect OAuth flows to attacker-controlled clients. No public exploit identified at time of analysis, though EPSS data unavailable. Attack complexity rated HIGH due to requirement for victim interaction with attacker-controlled origin during authentication flow.
Arbitrary Android intent execution in mobile-mcp npm package (versions <0.0.50) allows remote attackers to trigger USSD codes, phone calls, SMS drafting, and content provider access through unvalidated URL schemes passed to adb shell commands. Attack vector exploits AI agent prompt injection: malicious documents can instruct connected AI systems to execute dangerous intents on paired Android devices. CVSS 8.3 (Network/Low complexity/No privileges/User interaction required). Publicly available exploit code exists. Vendor-released patch available (version 0.0.50+).
Server-Side Request Forgery in curl_cffi Python library allows unauthenticated remote attackers to access internal network resources and cloud metadata endpoints via attacker-controlled redirect chains. The library passes user-supplied URLs directly to libcurl without validating destination IP ranges and follows redirects automatically (CURLOPT_FOLLOWLOCATION enabled), enabling access to services like AWS/GCP metadata APIs (169.254.169.254). TLS fingerprint impersonation features (e.g., 'impersonate=chrome') can disguise these requests as legitimate browser traffic, potentially bypassing network controls. EPSS data not available; no active exploitation confirmed (not in CISA KEV); functional proof-of-concept publicly disclosed in GitHub advisory.
Hard-coded cryptographic key exposure in Investory Toy Planet Trouble App up to version 1.5.5 on Android allows local attackers with limited privileges to access the Firebase API key embedded in the assets/google-services-desktop.json file, potentially enabling unauthorized authentication and data access. The vulnerability has a CVSS score of 1.9 with low confidentiality impact, requires local access and low privileges, and publicly available exploit code exists.
Server-side request forgery in mixelpixx Google-Research-MCP allows authenticated remote attackers to craft malicious URLs passed to the extractContent function, enabling them to make arbitrary HTTP requests from the affected server. The vulnerability affects the Model Context Protocol Handler component, has a publicly available exploit, and receives a CVSS 5.3 score with moderate exploitation likelihood. The vendor has not responded to disclosure attempts, and the project uses rolling releases, making patch tracking difficult.
Interrupt storm in Linux kernel dpaa2-switch driver occurs when a bounds check rejects an out-of-bounds if_id in the IRQ handler but fails to clear the interrupt status, causing repeated spurious interrupts. This denial-of-service condition affects the NXP DPAA2 Ethernet switch driver on systems running vulnerable Linux kernel versions. An attacker with the ability to trigger malformed frames or hardware state transitions could exhaust CPU resources through interrupt flooding.
Wahoo Fitness SYSTM App on Android up to version 7.2.1 exposes a hard-coded cryptographic key (SEGMENT_WRITE_KEY) in the BuildConfig.java component, allowing local authenticated attackers to manipulate app arguments and potentially inject malicious data or alter user profiles. The vulnerability carries a CVSS score of 1.9 with low confidentiality impact, requires local access and authenticated privileges, and has publicly available exploit code; however, the vendor has not responded to early disclosure notifications.
Noelse Individuals & Pro App for Android versions up to 2.1.7 uses a hard-coded cryptographic key (SEGMENT_WRITE_KEY) in the BuildConfig.java component, allowing local authenticated attackers to perform information disclosure and potential data injection attacks. The vulnerability requires local access and authenticated user privileges on the device, with publicly available exploit code demonstrating the attack. Despite early vendor notification, no patch or response has been provided.
PropertyGuru AgentNet Singapore App versions up to 23.7.10 on Android expose hard-coded cryptographic keys (SEGMENT_ANDROID_WRITE_KEY and SEGMENT_TOS_WRITE_KEY) in the BuildConfig component, allowing local authenticated attackers to conduct information disclosure and data injection attacks. The vulnerability carries a CVSS score of 1.9 with low confidentiality impact, requires local access and authenticated privileges, and publicly available exploit code exists; however, the vendor has not responded to early disclosure efforts.
Align Technology My Invisalign App 3.12.4 on Android exposes a hard-coded cryptographic key in the BuildConfig.java component that can be extracted via manipulation of the CDAACCESS_TOKEN argument, allowing local attackers with limited user privileges to obtain sensitive credentials. The vulnerability carries a low CVSS score (1.9) due to local-only attack vector and minimal confidentiality impact, but publicly available exploit code exists and the vendor has not responded to disclosure attempts.
Dialogue App versions 4.3.0 through 4.3.2 on Android use a hard-coded cryptographic key in the SEGMENT_WRITE_KEY parameter within res/raw/config.json, allowing local authenticated attackers to perform unauthorized data injection and user profile manipulation on the device. The vulnerability has a CVSS score of 1.9 (minimal severity) but publicly available exploit code exists; however, the low CVSS score reflects the local-only attack vector and limited impact scope. The vendor has not responded to early disclosure notifications.
GRID Organiser App versions 1.0.0 through 1.0.5 on Android expose a hard-coded cryptographic key used for the SegmentWriteKey parameter in the res/raw/app.json component file, enabling local attackers with user-level privileges to manipulate argument values and potentially perform data injection and user profile manipulation. The vulnerability has a CVSS v4.0 score of 1.9 with low confidentiality impact, requires local access and low privileges, and publicly available exploit code exists, though active exploitation has not been confirmed by CISA.
Hard-coded cryptographic key in Rico's Só Vantagem Pra Investir Android app (version 4.58.32.12421 and earlier) allows local authenticated attackers to manipulate the SEGMENT_WRITE_KEY argument in br/com/rico/mobile/di/SegmentSettingsModule.java, enabling unauthorized data injection and user profile manipulation with low confidentiality impact. The vulnerability requires local access and authenticated privileges; publicly available exploit code exists, but the vendor has not responded to disclosure.
UCC CampusConnect App for Android versions up to 14.3.5 expose hard-coded cryptographic keys in the BuildConfig.java file, allowing local attackers with limited privileges to access sensitive cryptographic material and potentially decrypt or forge authentication tokens. The vulnerability has a low CVSS score of 1.9 due to local-only attack vector and limited confidentiality impact, but publicly available exploit code exists, making it actionable for any user with app access on a shared device.
Local privilege escalation via command injection in TECNO Pova7 Pro 5G AssistFeedbackService allows unprivileged Android applications to execute arbitrary code with system privileges. The vulnerability affects all TECNO Pova7 Pro 5G firmware versions and requires local app installation but no user interaction or special permissions beyond app execution capability. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored XSS via HTML entity-encoded javascript: URLs in SVG files in phpMyFAQ enables privilege escalation from editor to admin. The regex-based sanitizer in SvgSanitizer.php fails to detect entity-encoded payloads like javascript: (javascript:), allowing any user with edit_faq permission to upload malicious SVGs that execute arbitrary JavaScript in admin browsers. Publicly available proof-of-concept demonstrates both basic XSS and complete admin account creation, with confirmed working exploitation in Chrome 146 and Edge.
Nhost auth service exposes OAuth refresh tokens in redirect URL query parameters, allowing access to browser history, server logs, and proxy logs on owned infrastructure. While refresh tokens are single-use and leak vectors are primarily confined to developer-controlled systems, the vulnerability violates RFC 6749 token transport requirements and enables session hijacking if logs are accessed before the token is legitimately consumed. All OAuth providers (GitHub, Google, Apple) are affected equally through the same vulnerable callback handler.
Account takeover via OAuth email auto-linking affects Reviactyl game server management panel versions 26.2.0-beta.1 through 26.2.0-beta.4, allowing unauthenticated remote attackers to gain full access to victim accounts by registering social OAuth accounts (Google, GitHub, Discord) with matching email addresses. The CVSS 9.1 (Critical) score reflects network-based exploitation requiring no authentication, low complexity, and high confidentiality/integrity impact. No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward and publicly documented in GitHub advisory GHSA-8mcf-rp68-xhfg. Vendor-released patch: version 26.2.0-beta.5.
Remote code execution in OpenSTAManager v2.10.1 and earlier allows authenticated attackers to achieve unauthenticated RCE via chained exploitation of arbitrary SQL injection (GHSA-2fr7-cc4f-wh98) and insecure PHP deserialization in the oauth2.php endpoint. The unauthenticated oauth2.php file calls unserialize() on attacker-controlled database content without class restrictions, enabling gadget chain exploitation (Laravel/RCE22) to execute arbitrary system commands as www-data. Attack requires in
Stored cross-site scripting (XSS) in Notesnook mobile versions prior to 3.3.17 allows remote attackers to execute arbitrary JavaScript in the share editor WebView by injecting malicious HTML through unescaped clip metadata (title, subject, or link-preview data). When a victim opens the Notesnook share flow and selects Web clip, the attacker's payload executes with access to local context and user data. No public exploit code or active exploitation has been confirmed, though the vulnerability requires user interaction to trigger.
Out-of-bounds read in WebCodecs component of Google Chrome prior to version 146.0.7680.178 allows remote attackers to read arbitrary memory contents via specially crafted HTML pages. The vulnerability affects all Chrome versions below the patched release and requires only HTML delivery (no authentication); exploitation could disclose sensitive data from the browser process memory, though the Chromium project assessed this as Medium severity.
Information disclosure in Google Chrome's WebGL implementation prior to version 146.0.7680.178 allows remote attackers to extract potentially sensitive data from process memory by serving a crafted HTML page. The vulnerability affects all Chrome versions before the patched release and requires only user interaction (visiting a malicious webpage) to trigger memory disclosure via WebGL rendering.
Use-after-free in Chrome's compositing engine allows remote attackers who have compromised the renderer process to escape the sandbox via crafted HTML pages in Google Chrome prior to version 146.0.7680.178. This high-severity vulnerability requires prior renderer compromise but enables privilege escalation from the sandboxed renderer to system-level access, making it a critical sandbox bypass vector. Vendor-released patch addresses the issue in Chrome 146.0.7680.178 and later.
Use-after-free in Google Chrome's Navigation component prior to version 146.0.7680.178 enables sandbox escape for attackers who have already compromised the renderer process, allowing them to potentially execute arbitrary code with elevated privileges via a malicious HTML page. Chromium rates this as high severity; patch availability confirmed from vendor.
Use-after-free in Chrome's WebView on Android prior to version 146.0.7680.178 allows a remote attacker with a compromised renderer process to escape the sandbox via crafted HTML, potentially leading to arbitrary code execution outside the browser's security boundary. This vulnerability requires prior renderer compromise but eliminates a critical containment layer, classified as High severity by Chromium.
Remote code execution in Google Chrome prior to version 146.0.7680.178 allows attackers to execute arbitrary code within the Chrome sandbox via a specially crafted PDF file. The vulnerability exists in Chrome's PDF handling component and is caused by a use-after-free memory corruption flaw. Patch availability has been confirmed via vendor release, and the Chromium security team has classified this as High severity.
Remote code execution in Google Chrome's CSS engine prior to version 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code within the Chrome sandbox via a crafted HTML page. The vulnerability stems from a use-after-free memory error in CSS processing, classified as high severity by the Chromium security team. Vendor-released patch available in Chrome 146.0.7680.178 and later.
Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in the Dawn graphics library allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects all Chrome versions below the patched release and carries high severity per Chromium's assessment.
Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in WebGL allows unauthenticated remote attackers to execute arbitrary code within the browser sandbox by delivering a crafted HTML page. The vulnerability is marked as High severity by Chromium security and a vendor-released patch is available.
Remote code execution in Google Chrome prior to 146.0.7680.178 via use-after-free vulnerability in Dawn graphics subsystem allows an attacker who has already compromised the renderer process to execute arbitrary code through a crafted HTML page. This vulnerability requires prior renderer compromise but presents significant risk in multi-process exploitation chains; vendor has released patched version 146.0.7680.178 to address the issue.
Information disclosure in ANGLE (graphics abstraction layer) within Google Chrome prior to version 146.0.7680.178 enables remote attackers to leak cross-origin data through crafted HTML pages. The vulnerability affects all Chrome versions before the patched release and requires only network access and user interaction (visiting a malicious page), posing a moderate real-world risk to users who may inadvertently access attacker-controlled content.
Remote code execution via heap buffer overflow in Google Chrome's GPU component affects all versions prior to 146.0.7680.178, allowing attackers to execute arbitrary code by crafting malicious HTML pages. The vulnerability requires only a remote attacker with no special privileges or user authentication; users need only visit a compromised or attacker-controlled website. No CVSS score was assigned by NVD, though Chromium classified it as High severity. Patch availability confirmed from vendor.
Out-of-bounds read in WebCodecs functionality in Google Chrome prior to version 146.0.7680.178 allows remote attackers to read arbitrary memory contents via a crafted HTML page. The vulnerability affects all Chrome versions before the patched release and requires only user interaction (visiting a malicious webpage) to trigger. No public exploit code or active exploitation has been confirmed at time of analysis.
Remote code execution in Google Chrome prior to version 146.0.7680.178 via a use-after-free vulnerability in the Dawn graphics component allows attackers who have already compromised the renderer process to execute arbitrary code through a crafted HTML page. The vulnerability requires prior renderer compromise but results in full code execution with high severity per Chromium's security classification.
Remote code execution in Google Chrome prior to 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code within the Chrome sandbox via a crafted HTML page exploiting a use-after-free vulnerability in the WebCodecs component. The vulnerability affects all versions before the patched release and has been addressed by Google with a vendor-released patch; no public exploit code or active exploitation has been confirmed at the time of analysis.
Remote code execution in Google Chrome prior to version 146.0.7680.178 exploits object corruption in the V8 JavaScript engine, allowing attackers to execute arbitrary code within the Chrome sandbox via a specially crafted HTML page. The vulnerability affects all Chrome versions below the patched release and carries a High Chromium security severity rating.
Remote code execution in Google Chrome on Android via use-after-free vulnerability in Web MIDI allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects Chrome versions prior to 146.0.7680.178 and carries high severity per Chromium's security classification. A vendor-released patch is available.
Integer overflow in ANGLE (Google's OpenGL abstraction layer) in Chrome on Windows before version 146.0.7680.178 enables out-of-bounds memory writes if the renderer process is compromised, allowing an attacker to execute arbitrary code with renderer privileges. The vulnerability requires prior renderer process compromise, limiting the immediate attack surface but representing a critical post-compromise escalation vector. Chromium severity is rated High; patch availability confirms vendor remediation.
Information disclosure in Google Chrome's WebUSB implementation prior to version 146.0.7680.178 allows remote attackers to extract sensitive data from process memory by delivering a crafted HTML page, exploiting insufficient policy enforcement in the WebUSB API. The vulnerability affects all Chrome versions before 146.0.7680.178 across all platforms. No public exploit code or active exploitation has been confirmed at the time of this analysis.
Remote code execution in ANGLE (Almost Native Graphics Layer Engine) within Google Chrome on macOS prior to version 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code by crafting a malicious HTML page that triggers a heap buffer overflow. This vulnerability affects all Chrome versions below the patched release and poses an immediate risk to macOS users who visit compromised or malicious websites.
Integer overflow in Google Chrome's Codecs component prior to version 146.0.7680.178 enables remote code execution and arbitrary memory read/write operations when a user visits a malicious HTML page. The vulnerability affects all versions before the patch release and requires no user interaction beyond visiting a crafted webpage. Chromium security team classified this as High severity; no public exploit code or active exploitation has been confirmed at the time of analysis.
Authorization policy bypass in OpenClaw messaging extensions allows unauthenticated remote attackers to circumvent sender allowlist restrictions and interact with bots without authorization. The vulnerability affects OpenClaw versions prior to 2026.3.28, specifically impacting Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy during resolution. With CVSS 9.8 (critical severity, network-accessible, no authentication required) and EPSS data unavailable, this represents a significant access control failure. No public exploit identified at time of analysis, though the attack complexity is low and requires no user interaction.
Arbitrary file read in Gotenberg versions prior to 8.29.0 allows unauthenticated remote attackers to bypass URL deny-list protections and access sensitive container files via case-variant URI schemes. The default deny-list regex `^file:(?!//\/tmp/).*` only matches lowercase 'file:', but Chromium normalizes mixed-case schemes (FILE://, File://, fILE://) to lowercase after the deny-list check, enabling access to /etc/passwd, environment variables, and configuration files. This bypasses the incomplete fix for CVE-2024-21527. Vendor-released patch available in version 8.29.0. POC confirmed in GitHub advisory. EPSS exploitation probability is low (0.02%) despite public POC, suggesting limited real-world targeting to date.
Deadlock in Linux kernel rust_binder driver occurs when BC_DEAD_BINDER_DONE is invoked on a non-looper thread while the proc lock is held, preventing push_work_if_looper() from safely acquiring the proc lock for work queue delivery. The vulnerability affects the Rust implementation of Android's Binder IPC mechanism and can cause kernel deadlock, potentially resulting in denial of service to affected processes or the entire system depending on thread scheduling.
Stored cross-site scripting (XSS) in Quads Ads Manager for Google AdSense plugin for WordPress up to version 2.0.98.1 allows authenticated attackers with Contributor-level or higher permissions to inject malicious scripts into ad metadata fields that execute in the browsers of all site visitors, potentially enabling session hijacking, credential theft, or malware distribution. CVSS 5.4 reflects the requirement for authenticated access and user interaction (page visit), but the stored nature and broad audience impact elevate real-world risk. No public exploit code or active exploitation has been identified at time of analysis.
Remote code execution via stored XSS in Notesnook Web Clipper affects all platforms prior to version 3.3.11 (Web/Desktop) and 3.3.17 (Android/iOS). Attackers can inject malicious HTML attributes into clipped web content that execute JavaScript in the application's security context when victims open the clip. On Electron desktop builds, unsafe Node.js integration (nodeIntegration: true, contextIsolation: false) escalates this XSS to full RCE with system-level access. CVSS 9.6 (Critical) reflects network-based attack requiring no authentication but user interaction. No public exploit identified at time of analysis, though attack methodology is detailed in vendor advisory.
Microsoft Edge (Chromium-based) contains a defense-in-depth vulnerability affecting all versions that allows remote attackers to disclose sensitive information and modify data through a network-based attack requiring user interaction. The vulnerability carries a CVSS score of 4.2 (low severity) with high attack complexity, indicating limited real-world exploitability despite dual confidentiality and integrity impacts. A vendor-released patch is available from Microsoft.
Cross-site scripting in Home Assistant's mobile phone remaining charge time sensor allows authenticated attackers to inject malicious scripts via crafted sensor names imported from Android Auto. Affecting Home Assistant versions 2025.02 through 2026.00, this vulnerability requires low attack complexity and privileged access but relies on user interaction to execute stored XSS payloads. A vendor-released patch is available in version 2026.01, with EPSS data unavailable and no confirmed active exploitation at time of analysis.
PyLoad download manager (version 0.5.0 and potentially earlier, distributed via pip as pyload-ng) allows authenticated users to perform Server-Side Request Forgery attacks by submitting arbitrary URLs through the /api/addPackage endpoint without validation. Attackers with valid credentials can exfiltrate cloud provider metadata from AWS EC2, DigitalOcean, Google Cloud, and Azure instances, exposing IAM credentials, SSH keys, API tokens, and internal network topology. A proof-of-concept demonstration is documented with live instance credentials, and upstream fix available (PR/commit); released patched version not independently confirmed based on GitHub commit reference b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8.
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator, which can desynchronize parsing when Undertow sits behind specific intermediaries such as older Apache Traffic Server or Google Cloud Classic Application Load Balancer. The flaw affects numerous Red Hat distributions of Undertow (JBoss EAP 7/8, Data Grid 8, Fuse 7, Camel for Spring Boot 4, RHEL 8/9/10) and carries a CVSS 9.1, though EPSS is only 0.04% and there is no public exploit identified at time of analysis.
Drupal Google Analytics GA4 module versions before 1.1.14 contain a cross-site scripting (XSS) vulnerability through improper input neutralization during web page generation, allowing attackers to inject and execute arbitrary JavaScript in user browsers. Remote attackers can craft malicious requests that persist within analytics data or configuration, affecting all users of sites running vulnerable versions. The vulnerability is documented in Drupal's security advisory SA-CONTRIB-2026-024 and has been assigned EUVD-2026-16383; no public exploit code or active exploitation has been confirmed at the time of this analysis.
A buffer management vulnerability exists in the Linux kernel's Google Virtual Ethernet (GVE) driver within the gve_tx_clean_pending_packets() function when operating in DQ-QPL (Descriptor Queue with Queue Pair Lists) mode. The function incorrectly interprets buffer IDs as DMA addresses and attempts to unmap memory using the wrong cleanup path, causing out-of-bounds array access and potential memory corruption. This affects Linux kernel versions across multiple stable branches and can be triggered during network device reset operations, potentially leading to kernel crashes or memory safety violations.
A memory management vulnerability in the Linux kernel's netfilter nf_tables subsystem can be triggered through fault injection during set flush operations, causing a kernel warning splat when memory allocation fails under GFP_KERNEL conditions. This vulnerability affects Linux kernel versions across distributions and is exploitable by local attackers with network namespace capabilities, potentially leading to kernel warnings and denial of service through memory exhaustion attacks. While no CVSS score or active exploitation in the wild has been reported, the vulnerability was discovered through syzbot fuzzing with fault injection, indicating it requires specific conditions to trigger but represents a real kernel stability issue that has been patched.
A command injection vulnerability (CVSS 6.7). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
A SQL injection vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
Memory corruption through out-of-bounds writes in Android-ImageMagick7 prior to version 7.1.2-11 enables local attackers to achieve arbitrary code execution with user interaction. The vulnerability affects Google's implementation of ImageMagick and carries a CVSS score of 7.8, indicating high severity with complete confidentiality, integrity, and availability impact. A patch is available for affected users.
A critical input validation vulnerability (CWE-20) exists in MolotovCherry Android-ImageMagick7 before version 7.1.2-11 that allows unauthenticated remote attackers to achieve complete system compromise with high impact to confidentiality, integrity, and availability. The vulnerability was reported by GovTech CSG and has a CVSS score of 9.8, indicating network-accessible exploitation with no privileges or user interaction required. A patch is available from the vendor via GitHub pull request #193.
This is a Stored or Reflected Cross-Site Scripting (XSS) vulnerability (CWE-79) in Android-ImageMagick7 versions before 7.1.2-11 that allows attackers to inject malicious scripts through crafted image inputs or related user-controlled data. Attackers with network access and no authentication required can exploit this vulnerability to execute arbitrary JavaScript in the context of affected applications, leading to session hijacking, credential theft, or malware distribution. The vulnerability has a CVSS score of 6.1 (Medium) with cross-site scope, and a patch is available from the vendor, though no confirmed active exploitation in KEV or public proof-of-concept code has been widely documented.
This vulnerability is a memory leak (CWE-401) in Android-ImageMagick7, a port of ImageMagick for Android, that allows remote attackers to cause denial of service by exhausting memory resources. The issue affects all versions of MolotovCherry Android-ImageMagick7 prior to version 7.1.2-11. With a CVSS score of 7.5 and a network-based attack vector requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), attackers can remotely trigger high-impact availability disruption, though there is no current evidence of active exploitation or public proof-of-concept.
Memory leaks in MolotovCherry Android-ImageMagick7 versions prior to 7.1.2-11 allow remote attackers to cause denial of service by exhausting available memory without authentication. The vulnerability stems from improper memory management that fails to release resources after use, potentially crashing applications or rendering devices unresponsive.
Android-ImageMagick7 versions prior to 7.1.2-11 are vulnerable to integer overflow that allows local attackers with user interaction to cause a denial of service condition. The vulnerability requires local access and user interaction to trigger, making it a lower-risk but still exploitable flaw in image processing operations. A patch is available for affected installations.
Memory corruption through out-of-bounds write in Android-ImageMagick7 before version 7.1.2-10 enables remote code execution when a user processes a malicious image file. An attacker can exploit this vulnerability over the network without authentication to achieve complete system compromise including data theft, modification, and denial of service. A patch is available for affected Android devices running vulnerable versions of the ImageMagick library.
A NULL pointer dereference vulnerability exists in MolotovCherry Android-ImageMagick7 before version 7.1.2-10 that allows local attackers with user interaction to trigger a denial of service condition by crashing the application. The vulnerability affects the Android-ImageMagick7 library (CWE-476) and requires local access and user interaction to exploit, resulting in high availability impact but no confidentiality or integrity compromise. A patch is available from the vendor via GitHub pull request #183.
Remote code execution in Google Chrome's Federated Credential Management (FedCM) prior to version 146.0.7680.165 enables unauthenticated attackers to execute arbitrary code within the browser sandbox through a malicious HTML page. This use-after-free vulnerability in memory management affects Chrome on all supported platforms and requires only user interaction to trigger. A patch is available in Chrome 146.0.7680.165 and later.
Out-of-bounds memory write in Google Chrome's font handling prior to version 146.0.7680.165 enables remote code execution when users visit malicious HTML pages. An unauthenticated attacker can exploit an integer overflow vulnerability to achieve complete system compromise with high integrity and confidentiality impact. Patches are available for Chrome and affected Debian systems.
Sandboxed code execution in Google Chrome's WebGPU implementation (prior to 146.0.7680.165) stems from a use-after-free memory vulnerability that can be triggered via malicious HTML pages. An unauthenticated remote attacker can exploit this to execute arbitrary code within the Chrome sandbox without user interaction beyond viewing a crafted webpage. A patch is available for affected users.
This vulnerability is an out-of-bounds memory read flaw in the WebAudio API implementation within Google Chrome prior to version 146.0.7680.165. A remote attacker can craft a malicious HTML page to trigger the vulnerability and read sensitive memory contents, leading to information disclosure. Although no CVSS score or EPSS data is provided, the Chromium security severity is rated as High, and the vulnerability affects all users of vulnerable Chrome versions until patching.
Sandbox escape in Google Chrome prior to version 146.0.7680.165 via a use-after-free vulnerability in the Dawn graphics component enables remote attackers to execute arbitrary code when users visit malicious HTML pages. The vulnerability affects multiple platforms including Debian systems and requires only user interaction to trigger, bypassing Chrome's sandbox isolation. A patch is available to remediate this high-severity memory corruption flaw.
Google Chrome's WebGL implementation contains a heap buffer overflow that enables remote attackers to read arbitrary memory by serving a specially crafted HTML page to users prior to version 146.0.7680.165. This network-based vulnerability requires only user interaction and affects Chrome on all platforms, granting attackers access to sensitive data in the browser's memory. A patch is available and should be applied immediately given the high severity and potential for exploitation.
Out of bounds memory read in Google Chrome's CSS parser prior to version 146.0.7680.165 allows remote attackers to access sensitive memory contents through a malicious HTML page. The vulnerability requires user interaction and affects Chrome on multiple platforms including Debian systems, enabling attackers to potentially leak confidential data with high impact on confidentiality and integrity.
Unauthenticated remote attackers can exploit a heap buffer overflow in Google Chrome's WebAudio component (versions prior to 146.0.7680.165) by hosting malicious HTML pages that trigger out-of-bounds memory writes. This vulnerability enables arbitrary code execution with full system compromise potential. A patch is available from Google and Debian.
An Insecure Direct Object Reference (IDOR) vulnerability exists in New API versions prior to 0.11.4-alpha.2, a large language model gateway and AI asset management system. Authenticated users can bypass authorization checks on the video proxy endpoint (GET /v1/videos/:task_id/content) to access video content belonging to other users and cause the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The vulnerability stems from a single unguarded function call that queries tasks by task_id alone without validating user ownership, contrasting sharply with all other task-lookup functions in the codebase that properly enforce ownership checks.
An arbitrary file-write vulnerability exists in Pega Browser Extension (PBE) affecting Pega Robot Studio developers using versions 22.1 or R25 who automate Google Chrome and Microsoft Edge browsers. A threat actor can craft a malicious website that, when visited by a developer during interrogation mode in Robot Studio, executes arbitrary file-write operations on the developer's system. This vulnerability does not affect end-user Robot Runtime deployments, limiting its blast radius to development environments.
King Addons for Elementor contains an information disclosure vulnerability that exposes sensitive API keys and secrets in HTML source code through the render_full_form function. Unauthenticated attackers can extract Mailchimp, Facebook, and Google API credentials from affected WordPress sites running the plugin up to version 51.1.49 that have the Premium license installed. This vulnerability has a CVSS score of 5.3 with a network attack vector requiring no authentication, making it easily discoverable and exploitable at scale.
The ReviewX - WooCommerce Product Reviews plugin for WordPress contains a Sensitive Information Exposure vulnerability in the syncedData function that allows unauthenticated attackers to extract sensitive user data including names, emails, phone numbers, and addresses from affected sites. All versions up to and including 2.2.12 are vulnerable, affecting any WordPress installation running this popular review plugin. The vulnerability has a CVSS score of 5.3 (Medium) with low attack complexity and no authentication required, making it relatively straightforward to exploit.
The ReviewX plugin for WordPress contains a critical arbitrary method call vulnerability in all versions up to and including 2.2.12. Unauthenticated attackers can exploit insufficient input validation in the bulkTenReviews function to call arbitrary PHP class methods, potentially achieving remote code execution or information disclosure. With a CVSS score of 7.3 and network-based exploitation requiring no privileges or user interaction, this presents a significant risk to WordPress sites using this WooCommerce product review plugin.
The ReviewX WordPress plugin for WooCommerce contains an unauthenticated sensitive information exposure vulnerability in the allReminderSettings function that allows attackers to obtain authentication tokens and bypass admin restrictions. Affected versions up to 2.2.12 expose critical customer data including order details, names, emails, addresses, phone numbers, and user information. With a CVSS score of 5.3 and network-based attack vector requiring no authentication or user interaction, this vulnerability poses a moderate but immediate risk to any WordPress installation using the plugin.
The ReviewX plugin for WordPress contains an improper authorization vulnerability in the userAccessibility() function that allows unauthenticated attackers to bypass authentication checks and access protected REST API endpoints. Affected versions through 2.2.10 permit unauthorized extraction and modification of user data and plugin configuration, posing a direct threat to WooCommerce installations relying on this review management solution. With a CVSS score of 6.5 and network-based attack vector requiring no user interaction or privileges, this vulnerability presents a moderate-to-significant risk for any WordPress site using the affected plugin.
A time-based SQL injection vulnerability exists in the WP Maps - Store Locator plugin for WordPress through version 4.9.1, allowing unauthenticated attackers to extract sensitive database information via the insufficiently sanitized 'orderby' parameter. With a CVSS score of 7.5 (High), this vulnerability requires no privileges or user interaction and can be exploited remotely over the network. No KEV listing or EPSS data is provided, but the vulnerability has been publicly disclosed by Wordfence with technical details and code references available.
EquityPandit 1.0 contains an insecure logging vulnerability that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Xhanch - My Advanced Settings WordPress plugin (versions up to 1.1.2) contains a Cross-Site Request Forgery vulnerability in its settings update handler due to missing nonce validation, allowing unauthenticated attackers to modify plugin settings if they can trick an administrator into clicking a malicious link. The vulnerability is particularly dangerous because unescaped output of the `favicon_url` and `ga_acc_id` settings enables a CSRF-to-Stored XSS chain, where injected payloads persist and affect all site visitors. While no active exploitation in the wild has been confirmed in public records and the CVSS score of 4.3 is relatively low, the attack requires only user interaction and results in stored cross-site scripting on the front-end.
The Add Google Social Profiles to Knowledge Graph Box WordPress plugin (all versions up to 1.0) contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation on its settings update functionality. An unauthenticated attacker can forge malicious requests to modify the plugin's Knowledge Graph settings if they can trick a site administrator into clicking a malicious link. While the CVSS score of 4.3 is moderate, the attack requires user interaction and has no confidentiality impact, making it a lower-severity real-world threat despite being easily exploitable.
Cross-site request forgery in Zammad OAuth callback endpoints for Microsoft, Google, and Facebook authentication allows authenticated attackers to hijack user sessions by crafting malicious requests that bypass CSRF state validation, potentially granting unauthorized access to user accounts and helpdesk data. The vulnerability affects Zammad versions prior to 7.0.1 and 6.5.4, and while no public exploit code has been identified, the attack requires user interaction and moderate attacker effort to execute successfully.
Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators to inject malicious JavaScript via the Google Maps iframe setting (cMap field) using the srcdoc attribute, which bypasses existing sanitization filters. The injected payload executes in the browser context of unauthenticated frontend visitors, enabling session hijacking, credential theft, or malware distribution. This vulnerability requires admin-level access to the settings panel but affects all unauthenticated site visitors who view pages with the malicious iframe.
DOM-based cross-site scripting in MK Google Directions WordPress plugin versions up to 3.1.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper sanitization of user-supplied input during web page generation, enabling attackers to steal session cookies, perform actions on behalf of authenticated users, or deface plugin interface elements. With an EPSS score of 0.03% (8th percentile), real-world exploitation probability is minimal despite the medium CVSS score of 6.5.
Remote code execution in DSGVO Google Web Fonts GDPR WordPress plugin (all versions ≤1.1) allows unauthenticated attackers to upload PHP webshells via arbitrary file upload. The DSGVOGWPdownloadGoogleFonts() function, exposed through wp_ajax_nopriv_ hooks, accepts user-supplied URLs without file type validation and writes content to publicly accessible directories. Exploitation requires the target site to use specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely). CVSS 9.8 Critical reflects network-accessible, unauthenticated attack vector with full system compromise potential. No public exploit identified at time of analysis, though the vulnerability class (CWE-434 unrestricted file upload) is well-understood and commonly weaponized.
Arbitrary file write in Pega Browser Extension allows remote attackers to compromise system integrity when Robot Runtime users visit malicious websites while running automations in Chrome or Edge. Affects Pega Robotic Automation versions 22.1 and R25. Attack requires user interaction (navigating to attacker-controlled site) but no authentication. No public exploit identified at time of analysis, though attack complexity is low once user visits malicious site.
GPS spoofing vulnerability in JXL 9 Inch Car Android Double Din Player (Android 12.0) allows unauthenticated remote attackers to inject falsified GPS signals that the infotainment system accepts as legitimate, forcing incorrect or static location reporting. Exploitation requires no user interaction and achieves high integrity and availability impact through manipulation of navigation data. No public exploit identified at time of analysis. CVSS 9.1 reflects network-accessible attack vector with low complexity.
BatchCheck API calls in OpenFGA 1.8.0 through 1.13.1 can bypass authorization policies when multiple permission checks target the same object, relation, and user combination, allowing authenticated attackers with limited privileges to gain unauthorized access to protected resources. The vulnerability stems from improper handling of duplicate check parameters in batch operations and is fixed in version 1.14.0.
Meesho Online Shopping App versions up to 27.3 on Android implement risky cryptographic algorithms in the /api/endpoint component (com.meesho.supply), enabling remote attackers to disclose sensitive information without authentication. The vulnerability has CVSS 6.3 severity with public exploit code availability, though exploitation requires high attack complexity. This impacts the confidentiality of user data processed through affected API endpoints.
OAuth authorization flow interception in Directus enables attackers to steal victims' identity provider access tokens through cross-origin window manipulation. This authentication bypass vulnerability (CVSS 8.7) affects the Directus npm package due to missing Cross-Origin-Opener-Policy headers on SSO login pages, allowing malicious sites to redirect OAuth flows to attacker-controlled clients. No public exploit identified at time of analysis, though EPSS data unavailable. Attack complexity rated HIGH due to requirement for victim interaction with attacker-controlled origin during authentication flow.
Arbitrary Android intent execution in mobile-mcp npm package (versions <0.0.50) allows remote attackers to trigger USSD codes, phone calls, SMS drafting, and content provider access through unvalidated URL schemes passed to adb shell commands. Attack vector exploits AI agent prompt injection: malicious documents can instruct connected AI systems to execute dangerous intents on paired Android devices. CVSS 8.3 (Network/Low complexity/No privileges/User interaction required). Publicly available exploit code exists. Vendor-released patch available (version 0.0.50+).
Server-Side Request Forgery in curl_cffi Python library allows unauthenticated remote attackers to access internal network resources and cloud metadata endpoints via attacker-controlled redirect chains. The library passes user-supplied URLs directly to libcurl without validating destination IP ranges and follows redirects automatically (CURLOPT_FOLLOWLOCATION enabled), enabling access to services like AWS/GCP metadata APIs (169.254.169.254). TLS fingerprint impersonation features (e.g., 'impersonate=chrome') can disguise these requests as legitimate browser traffic, potentially bypassing network controls. EPSS data not available; no active exploitation confirmed (not in CISA KEV); functional proof-of-concept publicly disclosed in GitHub advisory.
Hard-coded cryptographic key exposure in Investory Toy Planet Trouble App up to version 1.5.5 on Android allows local attackers with limited privileges to access the Firebase API key embedded in the assets/google-services-desktop.json file, potentially enabling unauthorized authentication and data access. The vulnerability has a CVSS score of 1.9 with low confidentiality impact, requires local access and low privileges, and publicly available exploit code exists.
Server-side request forgery in mixelpixx Google-Research-MCP allows authenticated remote attackers to craft malicious URLs passed to the extractContent function, enabling them to make arbitrary HTTP requests from the affected server. The vulnerability affects the Model Context Protocol Handler component, has a publicly available exploit, and receives a CVSS 5.3 score with moderate exploitation likelihood. The vendor has not responded to disclosure attempts, and the project uses rolling releases, making patch tracking difficult.
Interrupt storm in Linux kernel dpaa2-switch driver occurs when a bounds check rejects an out-of-bounds if_id in the IRQ handler but fails to clear the interrupt status, causing repeated spurious interrupts. This denial-of-service condition affects the NXP DPAA2 Ethernet switch driver on systems running vulnerable Linux kernel versions. An attacker with the ability to trigger malformed frames or hardware state transitions could exhaust CPU resources through interrupt flooding.
Wahoo Fitness SYSTM App on Android up to version 7.2.1 exposes a hard-coded cryptographic key (SEGMENT_WRITE_KEY) in the BuildConfig.java component, allowing local authenticated attackers to manipulate app arguments and potentially inject malicious data or alter user profiles. The vulnerability carries a CVSS score of 1.9 with low confidentiality impact, requires local access and authenticated privileges, and has publicly available exploit code; however, the vendor has not responded to early disclosure notifications.
Noelse Individuals & Pro App for Android versions up to 2.1.7 uses a hard-coded cryptographic key (SEGMENT_WRITE_KEY) in the BuildConfig.java component, allowing local authenticated attackers to perform information disclosure and potential data injection attacks. The vulnerability requires local access and authenticated user privileges on the device, with publicly available exploit code demonstrating the attack. Despite early vendor notification, no patch or response has been provided.
PropertyGuru AgentNet Singapore App versions up to 23.7.10 on Android expose hard-coded cryptographic keys (SEGMENT_ANDROID_WRITE_KEY and SEGMENT_TOS_WRITE_KEY) in the BuildConfig component, allowing local authenticated attackers to conduct information disclosure and data injection attacks. The vulnerability carries a CVSS score of 1.9 with low confidentiality impact, requires local access and authenticated privileges, and publicly available exploit code exists; however, the vendor has not responded to early disclosure efforts.
Align Technology My Invisalign App 3.12.4 on Android exposes a hard-coded cryptographic key in the BuildConfig.java component that can be extracted via manipulation of the CDAACCESS_TOKEN argument, allowing local attackers with limited user privileges to obtain sensitive credentials. The vulnerability carries a low CVSS score (1.9) due to local-only attack vector and minimal confidentiality impact, but publicly available exploit code exists and the vendor has not responded to disclosure attempts.
Dialogue App versions 4.3.0 through 4.3.2 on Android use a hard-coded cryptographic key in the SEGMENT_WRITE_KEY parameter within res/raw/config.json, allowing local authenticated attackers to perform unauthorized data injection and user profile manipulation on the device. The vulnerability has a CVSS score of 1.9 (minimal severity) but publicly available exploit code exists; however, the low CVSS score reflects the local-only attack vector and limited impact scope. The vendor has not responded to early disclosure notifications.
GRID Organiser App versions 1.0.0 through 1.0.5 on Android expose a hard-coded cryptographic key used for the SegmentWriteKey parameter in the res/raw/app.json component file, enabling local attackers with user-level privileges to manipulate argument values and potentially perform data injection and user profile manipulation. The vulnerability has a CVSS v4.0 score of 1.9 with low confidentiality impact, requires local access and low privileges, and publicly available exploit code exists, though active exploitation has not been confirmed by CISA.
Hard-coded cryptographic key in Rico's Só Vantagem Pra Investir Android app (version 4.58.32.12421 and earlier) allows local authenticated attackers to manipulate the SEGMENT_WRITE_KEY argument in br/com/rico/mobile/di/SegmentSettingsModule.java, enabling unauthorized data injection and user profile manipulation with low confidentiality impact. The vulnerability requires local access and authenticated privileges; publicly available exploit code exists, but the vendor has not responded to disclosure.
UCC CampusConnect App for Android versions up to 14.3.5 expose hard-coded cryptographic keys in the BuildConfig.java file, allowing local attackers with limited privileges to access sensitive cryptographic material and potentially decrypt or forge authentication tokens. The vulnerability has a low CVSS score of 1.9 due to local-only attack vector and limited confidentiality impact, but publicly available exploit code exists, making it actionable for any user with app access on a shared device.
Local privilege escalation via command injection in TECNO Pova7 Pro 5G AssistFeedbackService allows unprivileged Android applications to execute arbitrary code with system privileges. The vulnerability affects all TECNO Pova7 Pro 5G firmware versions and requires local app installation but no user interaction or special permissions beyond app execution capability. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored XSS via HTML entity-encoded javascript: URLs in SVG files in phpMyFAQ enables privilege escalation from editor to admin. The regex-based sanitizer in SvgSanitizer.php fails to detect entity-encoded payloads like javascript: (javascript:), allowing any user with edit_faq permission to upload malicious SVGs that execute arbitrary JavaScript in admin browsers. Publicly available proof-of-concept demonstrates both basic XSS and complete admin account creation, with confirmed working exploitation in Chrome 146 and Edge.
Nhost auth service exposes OAuth refresh tokens in redirect URL query parameters, allowing access to browser history, server logs, and proxy logs on owned infrastructure. While refresh tokens are single-use and leak vectors are primarily confined to developer-controlled systems, the vulnerability violates RFC 6749 token transport requirements and enables session hijacking if logs are accessed before the token is legitimately consumed. All OAuth providers (GitHub, Google, Apple) are affected equally through the same vulnerable callback handler.
Account takeover via OAuth email auto-linking affects Reviactyl game server management panel versions 26.2.0-beta.1 through 26.2.0-beta.4, allowing unauthenticated remote attackers to gain full access to victim accounts by registering social OAuth accounts (Google, GitHub, Discord) with matching email addresses. The CVSS 9.1 (Critical) score reflects network-based exploitation requiring no authentication, low complexity, and high confidentiality/integrity impact. No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward and publicly documented in GitHub advisory GHSA-8mcf-rp68-xhfg. Vendor-released patch: version 26.2.0-beta.5.
Remote code execution in OpenSTAManager v2.10.1 and earlier allows authenticated attackers to achieve unauthenticated RCE via chained exploitation of arbitrary SQL injection (GHSA-2fr7-cc4f-wh98) and insecure PHP deserialization in the oauth2.php endpoint. The unauthenticated oauth2.php file calls unserialize() on attacker-controlled database content without class restrictions, enabling gadget chain exploitation (Laravel/RCE22) to execute arbitrary system commands as www-data. Attack requires in
Stored cross-site scripting (XSS) in Notesnook mobile versions prior to 3.3.17 allows remote attackers to execute arbitrary JavaScript in the share editor WebView by injecting malicious HTML through unescaped clip metadata (title, subject, or link-preview data). When a victim opens the Notesnook share flow and selects Web clip, the attacker's payload executes with access to local context and user data. No public exploit code or active exploitation has been confirmed, though the vulnerability requires user interaction to trigger.
Out-of-bounds read in WebCodecs component of Google Chrome prior to version 146.0.7680.178 allows remote attackers to read arbitrary memory contents via specially crafted HTML pages. The vulnerability affects all Chrome versions below the patched release and requires only HTML delivery (no authentication); exploitation could disclose sensitive data from the browser process memory, though the Chromium project assessed this as Medium severity.
Information disclosure in Google Chrome's WebGL implementation prior to version 146.0.7680.178 allows remote attackers to extract potentially sensitive data from process memory by serving a crafted HTML page. The vulnerability affects all Chrome versions before the patched release and requires only user interaction (visiting a malicious webpage) to trigger memory disclosure via WebGL rendering.
Use-after-free in Chrome's compositing engine allows remote attackers who have compromised the renderer process to escape the sandbox via crafted HTML pages in Google Chrome prior to version 146.0.7680.178. This high-severity vulnerability requires prior renderer compromise but enables privilege escalation from the sandboxed renderer to system-level access, making it a critical sandbox bypass vector. Vendor-released patch addresses the issue in Chrome 146.0.7680.178 and later.
Use-after-free in Google Chrome's Navigation component prior to version 146.0.7680.178 enables sandbox escape for attackers who have already compromised the renderer process, allowing them to potentially execute arbitrary code with elevated privileges via a malicious HTML page. Chromium rates this as high severity; patch availability confirmed from vendor.
Use-after-free in Chrome's WebView on Android prior to version 146.0.7680.178 allows a remote attacker with a compromised renderer process to escape the sandbox via crafted HTML, potentially leading to arbitrary code execution outside the browser's security boundary. This vulnerability requires prior renderer compromise but eliminates a critical containment layer, classified as High severity by Chromium.
Remote code execution in Google Chrome prior to version 146.0.7680.178 allows attackers to execute arbitrary code within the Chrome sandbox via a specially crafted PDF file. The vulnerability exists in Chrome's PDF handling component and is caused by a use-after-free memory corruption flaw. Patch availability has been confirmed via vendor release, and the Chromium security team has classified this as High severity.
Remote code execution in Google Chrome's CSS engine prior to version 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code within the Chrome sandbox via a crafted HTML page. The vulnerability stems from a use-after-free memory error in CSS processing, classified as high severity by the Chromium security team. Vendor-released patch available in Chrome 146.0.7680.178 and later.
Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in the Dawn graphics library allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects all Chrome versions below the patched release and carries high severity per Chromium's assessment.
Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in WebGL allows unauthenticated remote attackers to execute arbitrary code within the browser sandbox by delivering a crafted HTML page. The vulnerability is marked as High severity by Chromium security and a vendor-released patch is available.
Remote code execution in Google Chrome prior to 146.0.7680.178 via use-after-free vulnerability in Dawn graphics subsystem allows an attacker who has already compromised the renderer process to execute arbitrary code through a crafted HTML page. This vulnerability requires prior renderer compromise but presents significant risk in multi-process exploitation chains; vendor has released patched version 146.0.7680.178 to address the issue.
Information disclosure in ANGLE (graphics abstraction layer) within Google Chrome prior to version 146.0.7680.178 enables remote attackers to leak cross-origin data through crafted HTML pages. The vulnerability affects all Chrome versions before the patched release and requires only network access and user interaction (visiting a malicious page), posing a moderate real-world risk to users who may inadvertently access attacker-controlled content.
Remote code execution via heap buffer overflow in Google Chrome's GPU component affects all versions prior to 146.0.7680.178, allowing attackers to execute arbitrary code by crafting malicious HTML pages. The vulnerability requires only a remote attacker with no special privileges or user authentication; users need only visit a compromised or attacker-controlled website. No CVSS score was assigned by NVD, though Chromium classified it as High severity. Patch availability confirmed from vendor.
Out-of-bounds read in WebCodecs functionality in Google Chrome prior to version 146.0.7680.178 allows remote attackers to read arbitrary memory contents via a crafted HTML page. The vulnerability affects all Chrome versions before the patched release and requires only user interaction (visiting a malicious webpage) to trigger. No public exploit code or active exploitation has been confirmed at time of analysis.
Remote code execution in Google Chrome prior to version 146.0.7680.178 via a use-after-free vulnerability in the Dawn graphics component allows attackers who have already compromised the renderer process to execute arbitrary code through a crafted HTML page. The vulnerability requires prior renderer compromise but results in full code execution with high severity per Chromium's security classification.
Remote code execution in Google Chrome prior to 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code within the Chrome sandbox via a crafted HTML page exploiting a use-after-free vulnerability in the WebCodecs component. The vulnerability affects all versions before the patched release and has been addressed by Google with a vendor-released patch; no public exploit code or active exploitation has been confirmed at the time of analysis.
Remote code execution in Google Chrome prior to version 146.0.7680.178 exploits object corruption in the V8 JavaScript engine, allowing attackers to execute arbitrary code within the Chrome sandbox via a specially crafted HTML page. The vulnerability affects all Chrome versions below the patched release and carries a High Chromium security severity rating.
Remote code execution in Google Chrome on Android via use-after-free vulnerability in Web MIDI allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects Chrome versions prior to 146.0.7680.178 and carries high severity per Chromium's security classification. A vendor-released patch is available.
Integer overflow in ANGLE (Google's OpenGL abstraction layer) in Chrome on Windows before version 146.0.7680.178 enables out-of-bounds memory writes if the renderer process is compromised, allowing an attacker to execute arbitrary code with renderer privileges. The vulnerability requires prior renderer process compromise, limiting the immediate attack surface but representing a critical post-compromise escalation vector. Chromium severity is rated High; patch availability confirms vendor remediation.
Information disclosure in Google Chrome's WebUSB implementation prior to version 146.0.7680.178 allows remote attackers to extract sensitive data from process memory by delivering a crafted HTML page, exploiting insufficient policy enforcement in the WebUSB API. The vulnerability affects all Chrome versions before 146.0.7680.178 across all platforms. No public exploit code or active exploitation has been confirmed at the time of this analysis.
Remote code execution in ANGLE (Almost Native Graphics Layer Engine) within Google Chrome on macOS prior to version 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code by crafting a malicious HTML page that triggers a heap buffer overflow. This vulnerability affects all Chrome versions below the patched release and poses an immediate risk to macOS users who visit compromised or malicious websites.
Integer overflow in Google Chrome's Codecs component prior to version 146.0.7680.178 enables remote code execution and arbitrary memory read/write operations when a user visits a malicious HTML page. The vulnerability affects all versions before the patch release and requires no user interaction beyond visiting a crafted webpage. Chromium security team classified this as High severity; no public exploit code or active exploitation has been confirmed at the time of analysis.
Authorization policy bypass in OpenClaw messaging extensions allows unauthenticated remote attackers to circumvent sender allowlist restrictions and interact with bots without authorization. The vulnerability affects OpenClaw versions prior to 2026.3.28, specifically impacting Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy during resolution. With CVSS 9.8 (critical severity, network-accessible, no authentication required) and EPSS data unavailable, this represents a significant access control failure. No public exploit identified at time of analysis, though the attack complexity is low and requires no user interaction.
Arbitrary file read in Gotenberg versions prior to 8.29.0 allows unauthenticated remote attackers to bypass URL deny-list protections and access sensitive container files via case-variant URI schemes. The default deny-list regex `^file:(?!//\/tmp/).*` only matches lowercase 'file:', but Chromium normalizes mixed-case schemes (FILE://, File://, fILE://) to lowercase after the deny-list check, enabling access to /etc/passwd, environment variables, and configuration files. This bypasses the incomplete fix for CVE-2024-21527. Vendor-released patch available in version 8.29.0. POC confirmed in GitHub advisory. EPSS exploitation probability is low (0.02%) despite public POC, suggesting limited real-world targeting to date.
Deadlock in Linux kernel rust_binder driver occurs when BC_DEAD_BINDER_DONE is invoked on a non-looper thread while the proc lock is held, preventing push_work_if_looper() from safely acquiring the proc lock for work queue delivery. The vulnerability affects the Rust implementation of Android's Binder IPC mechanism and can cause kernel deadlock, potentially resulting in denial of service to affected processes or the entire system depending on thread scheduling.
Stored cross-site scripting (XSS) in Quads Ads Manager for Google AdSense plugin for WordPress up to version 2.0.98.1 allows authenticated attackers with Contributor-level or higher permissions to inject malicious scripts into ad metadata fields that execute in the browsers of all site visitors, potentially enabling session hijacking, credential theft, or malware distribution. CVSS 5.4 reflects the requirement for authenticated access and user interaction (page visit), but the stored nature and broad audience impact elevate real-world risk. No public exploit code or active exploitation has been identified at time of analysis.
Remote code execution via stored XSS in Notesnook Web Clipper affects all platforms prior to version 3.3.11 (Web/Desktop) and 3.3.17 (Android/iOS). Attackers can inject malicious HTML attributes into clipped web content that execute JavaScript in the application's security context when victims open the clip. On Electron desktop builds, unsafe Node.js integration (nodeIntegration: true, contextIsolation: false) escalates this XSS to full RCE with system-level access. CVSS 9.6 (Critical) reflects network-based attack requiring no authentication but user interaction. No public exploit identified at time of analysis, though attack methodology is detailed in vendor advisory.
Microsoft Edge (Chromium-based) contains a defense-in-depth vulnerability affecting all versions that allows remote attackers to disclose sensitive information and modify data through a network-based attack requiring user interaction. The vulnerability carries a CVSS score of 4.2 (low severity) with high attack complexity, indicating limited real-world exploitability despite dual confidentiality and integrity impacts. A vendor-released patch is available from Microsoft.
Cross-site scripting in Home Assistant's mobile phone remaining charge time sensor allows authenticated attackers to inject malicious scripts via crafted sensor names imported from Android Auto. Affecting Home Assistant versions 2025.02 through 2026.00, this vulnerability requires low attack complexity and privileged access but relies on user interaction to execute stored XSS payloads. A vendor-released patch is available in version 2026.01, with EPSS data unavailable and no confirmed active exploitation at time of analysis.
PyLoad download manager (version 0.5.0 and potentially earlier, distributed via pip as pyload-ng) allows authenticated users to perform Server-Side Request Forgery attacks by submitting arbitrary URLs through the /api/addPackage endpoint without validation. Attackers with valid credentials can exfiltrate cloud provider metadata from AWS EC2, DigitalOcean, Google Cloud, and Azure instances, exposing IAM credentials, SSH keys, API tokens, and internal network topology. A proof-of-concept demonstration is documented with live instance credentials, and upstream fix available (PR/commit); released patched version not independently confirmed based on GitHub commit reference b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8.
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator, which can desynchronize parsing when Undertow sits behind specific intermediaries such as older Apache Traffic Server or Google Cloud Classic Application Load Balancer. The flaw affects numerous Red Hat distributions of Undertow (JBoss EAP 7/8, Data Grid 8, Fuse 7, Camel for Spring Boot 4, RHEL 8/9/10) and carries a CVSS 9.1, though EPSS is only 0.04% and there is no public exploit identified at time of analysis.
Drupal Google Analytics GA4 module versions before 1.1.14 contain a cross-site scripting (XSS) vulnerability through improper input neutralization during web page generation, allowing attackers to inject and execute arbitrary JavaScript in user browsers. Remote attackers can craft malicious requests that persist within analytics data or configuration, affecting all users of sites running vulnerable versions. The vulnerability is documented in Drupal's security advisory SA-CONTRIB-2026-024 and has been assigned EUVD-2026-16383; no public exploit code or active exploitation has been confirmed at the time of this analysis.
A buffer management vulnerability exists in the Linux kernel's Google Virtual Ethernet (GVE) driver within the gve_tx_clean_pending_packets() function when operating in DQ-QPL (Descriptor Queue with Queue Pair Lists) mode. The function incorrectly interprets buffer IDs as DMA addresses and attempts to unmap memory using the wrong cleanup path, causing out-of-bounds array access and potential memory corruption. This affects Linux kernel versions across multiple stable branches and can be triggered during network device reset operations, potentially leading to kernel crashes or memory safety violations.
A memory management vulnerability in the Linux kernel's netfilter nf_tables subsystem can be triggered through fault injection during set flush operations, causing a kernel warning splat when memory allocation fails under GFP_KERNEL conditions. This vulnerability affects Linux kernel versions across distributions and is exploitable by local attackers with network namespace capabilities, potentially leading to kernel warnings and denial of service through memory exhaustion attacks. While no CVSS score or active exploitation in the wild has been reported, the vulnerability was discovered through syzbot fuzzing with fault injection, indicating it requires specific conditions to trigger but represents a real kernel stability issue that has been patched.
A command injection vulnerability (CVSS 6.7). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
A SQL injection vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
Memory corruption through out-of-bounds writes in Android-ImageMagick7 prior to version 7.1.2-11 enables local attackers to achieve arbitrary code execution with user interaction. The vulnerability affects Google's implementation of ImageMagick and carries a CVSS score of 7.8, indicating high severity with complete confidentiality, integrity, and availability impact. A patch is available for affected users.
A critical input validation vulnerability (CWE-20) exists in MolotovCherry Android-ImageMagick7 before version 7.1.2-11 that allows unauthenticated remote attackers to achieve complete system compromise with high impact to confidentiality, integrity, and availability. The vulnerability was reported by GovTech CSG and has a CVSS score of 9.8, indicating network-accessible exploitation with no privileges or user interaction required. A patch is available from the vendor via GitHub pull request #193.
This is a Stored or Reflected Cross-Site Scripting (XSS) vulnerability (CWE-79) in Android-ImageMagick7 versions before 7.1.2-11 that allows attackers to inject malicious scripts through crafted image inputs or related user-controlled data. Attackers with network access and no authentication required can exploit this vulnerability to execute arbitrary JavaScript in the context of affected applications, leading to session hijacking, credential theft, or malware distribution. The vulnerability has a CVSS score of 6.1 (Medium) with cross-site scope, and a patch is available from the vendor, though no confirmed active exploitation in KEV or public proof-of-concept code has been widely documented.
This vulnerability is a memory leak (CWE-401) in Android-ImageMagick7, a port of ImageMagick for Android, that allows remote attackers to cause denial of service by exhausting memory resources. The issue affects all versions of MolotovCherry Android-ImageMagick7 prior to version 7.1.2-11. With a CVSS score of 7.5 and a network-based attack vector requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), attackers can remotely trigger high-impact availability disruption, though there is no current evidence of active exploitation or public proof-of-concept.
Memory leaks in MolotovCherry Android-ImageMagick7 versions prior to 7.1.2-11 allow remote attackers to cause denial of service by exhausting available memory without authentication. The vulnerability stems from improper memory management that fails to release resources after use, potentially crashing applications or rendering devices unresponsive.
Android-ImageMagick7 versions prior to 7.1.2-11 are vulnerable to integer overflow that allows local attackers with user interaction to cause a denial of service condition. The vulnerability requires local access and user interaction to trigger, making it a lower-risk but still exploitable flaw in image processing operations. A patch is available for affected installations.
Memory corruption through out-of-bounds write in Android-ImageMagick7 before version 7.1.2-10 enables remote code execution when a user processes a malicious image file. An attacker can exploit this vulnerability over the network without authentication to achieve complete system compromise including data theft, modification, and denial of service. A patch is available for affected Android devices running vulnerable versions of the ImageMagick library.
A NULL pointer dereference vulnerability exists in MolotovCherry Android-ImageMagick7 before version 7.1.2-10 that allows local attackers with user interaction to trigger a denial of service condition by crashing the application. The vulnerability affects the Android-ImageMagick7 library (CWE-476) and requires local access and user interaction to exploit, resulting in high availability impact but no confidentiality or integrity compromise. A patch is available from the vendor via GitHub pull request #183.
Remote code execution in Google Chrome's Federated Credential Management (FedCM) prior to version 146.0.7680.165 enables unauthenticated attackers to execute arbitrary code within the browser sandbox through a malicious HTML page. This use-after-free vulnerability in memory management affects Chrome on all supported platforms and requires only user interaction to trigger. A patch is available in Chrome 146.0.7680.165 and later.
Out-of-bounds memory write in Google Chrome's font handling prior to version 146.0.7680.165 enables remote code execution when users visit malicious HTML pages. An unauthenticated attacker can exploit an integer overflow vulnerability to achieve complete system compromise with high integrity and confidentiality impact. Patches are available for Chrome and affected Debian systems.
Sandboxed code execution in Google Chrome's WebGPU implementation (prior to 146.0.7680.165) stems from a use-after-free memory vulnerability that can be triggered via malicious HTML pages. An unauthenticated remote attacker can exploit this to execute arbitrary code within the Chrome sandbox without user interaction beyond viewing a crafted webpage. A patch is available for affected users.
This vulnerability is an out-of-bounds memory read flaw in the WebAudio API implementation within Google Chrome prior to version 146.0.7680.165. A remote attacker can craft a malicious HTML page to trigger the vulnerability and read sensitive memory contents, leading to information disclosure. Although no CVSS score or EPSS data is provided, the Chromium security severity is rated as High, and the vulnerability affects all users of vulnerable Chrome versions until patching.
Sandbox escape in Google Chrome prior to version 146.0.7680.165 via a use-after-free vulnerability in the Dawn graphics component enables remote attackers to execute arbitrary code when users visit malicious HTML pages. The vulnerability affects multiple platforms including Debian systems and requires only user interaction to trigger, bypassing Chrome's sandbox isolation. A patch is available to remediate this high-severity memory corruption flaw.
Google Chrome's WebGL implementation contains a heap buffer overflow that enables remote attackers to read arbitrary memory by serving a specially crafted HTML page to users prior to version 146.0.7680.165. This network-based vulnerability requires only user interaction and affects Chrome on all platforms, granting attackers access to sensitive data in the browser's memory. A patch is available and should be applied immediately given the high severity and potential for exploitation.
Out of bounds memory read in Google Chrome's CSS parser prior to version 146.0.7680.165 allows remote attackers to access sensitive memory contents through a malicious HTML page. The vulnerability requires user interaction and affects Chrome on multiple platforms including Debian systems, enabling attackers to potentially leak confidential data with high impact on confidentiality and integrity.
Unauthenticated remote attackers can exploit a heap buffer overflow in Google Chrome's WebAudio component (versions prior to 146.0.7680.165) by hosting malicious HTML pages that trigger out-of-bounds memory writes. This vulnerability enables arbitrary code execution with full system compromise potential. A patch is available from Google and Debian.
An Insecure Direct Object Reference (IDOR) vulnerability exists in New API versions prior to 0.11.4-alpha.2, a large language model gateway and AI asset management system. Authenticated users can bypass authorization checks on the video proxy endpoint (GET /v1/videos/:task_id/content) to access video content belonging to other users and cause the server to authenticate to upstream AI providers (Google Gemini, OpenAI) using credentials derived from tasks they do not own. The vulnerability stems from a single unguarded function call that queries tasks by task_id alone without validating user ownership, contrasting sharply with all other task-lookup functions in the codebase that properly enforce ownership checks.
An arbitrary file-write vulnerability exists in Pega Browser Extension (PBE) affecting Pega Robot Studio developers using versions 22.1 or R25 who automate Google Chrome and Microsoft Edge browsers. A threat actor can craft a malicious website that, when visited by a developer during interrogation mode in Robot Studio, executes arbitrary file-write operations on the developer's system. This vulnerability does not affect end-user Robot Runtime deployments, limiting its blast radius to development environments.
King Addons for Elementor contains an information disclosure vulnerability that exposes sensitive API keys and secrets in HTML source code through the render_full_form function. Unauthenticated attackers can extract Mailchimp, Facebook, and Google API credentials from affected WordPress sites running the plugin up to version 51.1.49 that have the Premium license installed. This vulnerability has a CVSS score of 5.3 with a network attack vector requiring no authentication, making it easily discoverable and exploitable at scale.
The ReviewX - WooCommerce Product Reviews plugin for WordPress contains a Sensitive Information Exposure vulnerability in the syncedData function that allows unauthenticated attackers to extract sensitive user data including names, emails, phone numbers, and addresses from affected sites. All versions up to and including 2.2.12 are vulnerable, affecting any WordPress installation running this popular review plugin. The vulnerability has a CVSS score of 5.3 (Medium) with low attack complexity and no authentication required, making it relatively straightforward to exploit.
The ReviewX plugin for WordPress contains a critical arbitrary method call vulnerability in all versions up to and including 2.2.12. Unauthenticated attackers can exploit insufficient input validation in the bulkTenReviews function to call arbitrary PHP class methods, potentially achieving remote code execution or information disclosure. With a CVSS score of 7.3 and network-based exploitation requiring no privileges or user interaction, this presents a significant risk to WordPress sites using this WooCommerce product review plugin.
The ReviewX WordPress plugin for WooCommerce contains an unauthenticated sensitive information exposure vulnerability in the allReminderSettings function that allows attackers to obtain authentication tokens and bypass admin restrictions. Affected versions up to 2.2.12 expose critical customer data including order details, names, emails, addresses, phone numbers, and user information. With a CVSS score of 5.3 and network-based attack vector requiring no authentication or user interaction, this vulnerability poses a moderate but immediate risk to any WordPress installation using the plugin.
The ReviewX plugin for WordPress contains an improper authorization vulnerability in the userAccessibility() function that allows unauthenticated attackers to bypass authentication checks and access protected REST API endpoints. Affected versions through 2.2.10 permit unauthorized extraction and modification of user data and plugin configuration, posing a direct threat to WooCommerce installations relying on this review management solution. With a CVSS score of 6.5 and network-based attack vector requiring no user interaction or privileges, this vulnerability presents a moderate-to-significant risk for any WordPress site using the affected plugin.
A time-based SQL injection vulnerability exists in the WP Maps - Store Locator plugin for WordPress through version 4.9.1, allowing unauthenticated attackers to extract sensitive database information via the insufficiently sanitized 'orderby' parameter. With a CVSS score of 7.5 (High), this vulnerability requires no privileges or user interaction and can be exploited remotely over the network. No KEV listing or EPSS data is provided, but the vulnerability has been publicly disclosed by Wordfence with technical details and code references available.
EquityPandit 1.0 contains an insecure logging vulnerability that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Xhanch - My Advanced Settings WordPress plugin (versions up to 1.1.2) contains a Cross-Site Request Forgery vulnerability in its settings update handler due to missing nonce validation, allowing unauthenticated attackers to modify plugin settings if they can trick an administrator into clicking a malicious link. The vulnerability is particularly dangerous because unescaped output of the `favicon_url` and `ga_acc_id` settings enables a CSRF-to-Stored XSS chain, where injected payloads persist and affect all site visitors. While no active exploitation in the wild has been confirmed in public records and the CVSS score of 4.3 is relatively low, the attack requires only user interaction and results in stored cross-site scripting on the front-end.
The Add Google Social Profiles to Knowledge Graph Box WordPress plugin (all versions up to 1.0) contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation on its settings update functionality. An unauthenticated attacker can forge malicious requests to modify the plugin's Knowledge Graph settings if they can trick a site administrator into clicking a malicious link. While the CVSS score of 4.3 is moderate, the attack requires user interaction and has no confidentiality impact, making it a lower-severity real-world threat despite being easily exploitable.