Information Disclosure

CVE-2026-4587 LOW Monitor

HybridAuth versions up to 3.12.2 contain an improper certificate validation vulnerability in the SSL Handler component (src/HttpClient/Curl.php) where manipulation of curlOptions arguments bypasses SSL/TLS certificate verification. This affects any application using HybridAuth for authentication, allowing attackers to conduct man-in-the-middle attacks against remote authentication flows. While the CVSS score is relatively low (3.7) due to high attack complexity and lack of confidentiality impact, the integrity compromise from certificate validation bypass presents a real threat to authentication security in vulnerable deployments.

Tags: PHP, Information Disclosure | Sources: NVD, VulDB, GitHub | CVSS 3.1: 3.7 | EPSS: 0.0%
CVE-2026-1958 HIGH This Week

Hard-coded credentials embedded in Klinika XP and KlinikaXP Insertino applications allow unauthorized attackers to gain access to internal services, most critically the FTP server hosting application update packages. An attacker exploiting these credentials could upload malicious update files that would be distributed to client machines as legitimate updates, enabling supply-chain compromise and widespread system compromise. The vulnerability affects KlinikaXP versions before 5.39.01.01 and KlinikaXP Insertino versions before 3.1.0.1; no CVSS score, EPSS data, or active KEV status is currently available, but the attack complexity is low and requires no privileges, making this a high-priority issue despite the missing CVSS assessment.

Tags: Hardcoded Credentials, Authentication Bypass, Information Disclosure, RCE, Ftp, +2 | Sources: NVD, VulDB | CVSS 4.0: 8.7 | EPSS: 0.0%
CVE-2026-31851 HIGH This Week

Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 lacks rate limiting and account lockout mechanisms on its authentication interface, enabling attackers to brute-force user credentials without any resistance. This vulnerability affects the Nebula 300+ device family as confirmed through CPE matching. An attacker with network access to the authentication interface can enumerate valid accounts and attempt unlimited password guesses, potentially compromising administrative or user-level access to the device.

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 4.0: 7.7 | EPSS: 0.0%
CVE-2026-31850 MEDIUM This Month

The Nexxt Solutions Nebula 300+ wireless router stores sensitive administrative credentials and WiFi pre-shared keys in plaintext within exported configuration backup files, an information disclosure classified as CWE-256 (Plaintext Storage of a Password). This vulnerability affects firmware versions through 12.01.01.37 and allows an attacker who gains access to a backup file to immediately obtain full administrative and wireless network access without requiring cryptographic attacks. No CVSS score, EPSS data, or active KEV designation is currently available, but the plaintext credential exposure represents a critical risk for any environment relying on configuration backups.

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 4.0: 6.8 | EPSS: 0.0%
CVE-2026-31847 HIGH This Week

A hidden functionality vulnerability exists in the /goform/setSysTools endpoint of Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37, allowing unauthenticated remote attackers to enable a Telnet service that exposes a privileged diagnostic management interface. This significantly expands the attack surface and enables further device compromise through an unencrypted network protocol. No CVSS score, EPSS data, or KEV status is currently available, but the severity is elevated given the remote nature of exploitation and the direct access to privileged diagnostic functions.

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 4.0: 8.5 | EPSS: 0.0%
CVE-2026-4584 LOW POC Monitor

The Shenzhen HCC Technology MPOS M6 PLUS device running firmware version 1V.31-N contains a cleartext transmission vulnerability in its Cardholder Data Handler component that allows attackers on the local network to intercept sensitive information. An attacker with network access can manipulate the affected component to force transmission of cardholder data in cleartext, compromising payment card information. A publicly available proof-of-concept exists on GitHub, and the vulnerability has a CVSS score of 3.1 (low severity) due to high attack complexity requirements, though the exploitation difficulty rating suggests real-world risk depends heavily on network proximity and attacker capabilities.

Tags: Information Disclosure | Sources: NVD, VulDB, GitHub | CVSS 3.1: 3.1 | EPSS: 0.0%
CVE-2026-4633 LOW Monitor

Keycloak contains an information disclosure vulnerability in the identity-first login flow when Organizations are enabled, where differential error messages allow remote attackers to enumerate valid user accounts without authentication. The vulnerability affects Red Hat Build of Keycloak across multiple versions, and while the CVSS score is low (3.7), the attack requires only network access with no user interaction. This user enumeration flaw could facilitate credential stuffing, phishing, or social engineering campaigns by confirming the existence of target accounts.

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 3.7 | EPSS: 0.0%
CVE-2026-3587 CRITICAL CISA Act Now

A hidden function in the CLI prompt of multiple WAGO industrial and lean managed switches allows unauthenticated remote attackers to escape the restricted interface and gain root access to the underlying Linux operating system. This results in complete device compromise with a maximum CVSS score of 10.0. The vulnerability affects over a dozen WAGO switch models used in industrial automation environments, and was disclosed by CERT@VDE.

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 10.0 | EPSS: 0.1%
CVE-2026-23554 HIGH PATCH This Week

This vulnerability in Intel EPT (Extended Page Tables) paging code within Xen allows information disclosure through a use-after-free condition in cached EPT state management. When paging structures are freed before cached EPT state is flushed, stale entries can persist in the EPT cache pointing to memory ranges outside the guest's intended ownership, enabling unauthorized memory access. Xen across multiple versions is affected, with Ubuntu tracking the issue at medium priority across 7 releases and Debian across 7 releases, making this a widespread concern for virtualization infrastructure.

Tags: Information Disclosure, Intel | Sources: NVD, VulDB | CVSS 3.1: 7.8 | EPSS: 0.0%
CVE-2025-13997 MEDIUM This Month

King Addons for Elementor contains an information disclosure vulnerability that exposes sensitive API keys and secrets in HTML source code through the render_full_form function. Unauthenticated attackers can extract Mailchimp, Facebook, and Google API credentials from affected WordPress sites running the plugin up to version 51.1.49 that have the Premium license installed. This vulnerability has a CVSS score of 5.3 with a network attack vector requiring no authentication, making it easily discoverable and exploitable at scale.

Tags: WordPress, Information Disclosure, Google, PHP | Sources: NVD, VulDB | CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2025-10734 MEDIUM This Month

The ReviewX - WooCommerce Product Reviews plugin for WordPress contains a Sensitive Information Exposure vulnerability in the syncedData function that allows unauthenticated attackers to extract sensitive user data including names, emails, phone numbers, and addresses from affected sites. All versions up to and including 2.2.12 are vulnerable, affecting any WordPress installation running this popular review plugin. The vulnerability has a CVSS score of 5.3 (Medium) with low attack complexity and no authentication required, making it relatively straightforward to exploit.

Tags: WordPress, Information Disclosure, Google, PHP | Sources: NVD, VulDB | CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2025-10679 HIGH This Week

The ReviewX plugin for WordPress contains a critical arbitrary method call vulnerability in all versions up to and including 2.2.12. Unauthenticated attackers can exploit insufficient input validation in the bulkTenReviews function to call arbitrary PHP class methods, potentially achieving remote code execution or information disclosure. With a CVSS score of 7.3 and network-based exploitation requiring no privileges or user interaction, this presents a significant risk to WordPress sites using this WooCommerce product review plugin.

Tags: WordPress, PHP, RCE, Information Disclosure, Code Injection, +1 | Sources: NVD, VulDB | CVSS 3.1: 7.3 | EPSS: 0.1%
CVE-2025-10731 MEDIUM This Month

The ReviewX WordPress plugin for WooCommerce contains an unauthenticated sensitive information exposure vulnerability in the allReminderSettings function that allows attackers to obtain authentication tokens and bypass admin restrictions. Affected versions up to 2.2.12 expose critical customer data including order details, names, emails, addresses, phone numbers, and user information. With a CVSS score of 5.3 and network-based attack vector requiring no authentication or user interaction, this vulnerability poses a moderate but immediate risk to any WordPress installation using the plugin.

Tags: WordPress, Information Disclosure, Authentication Bypass, Google, PHP | Sources: NVD, VulDB | CVSS 3.1: 5.3 | EPSS: 0.1%
CVE-2026-4603 MEDIUM POC PATCH This Month

jsrsasign versions before 11.1.1 contain a division by zero vulnerability in RSA public-key operations caused by improper parsing of JWK moduli that decode to zero. An attacker can supply a malicious JWK to force RSA verify and encryption operations to produce deterministic zero outputs while suppressing invalid key errors, leading to cryptographic bypass and information disclosure. A proof-of-concept exists and the vulnerability has moderate real-world risk due to its low attack complexity and local attack vector.

Tags: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 3.1: 5.9 | EPSS: 0.0%
CVE-2026-4601 HIGH PATCH GHSA This Week

A cryptographic vulnerability in the jsrsasign JavaScript library allows attackers to recover DSA private keys through invalid signatures. Versions before 11.1.1 fail to validate and retry when DSA signature parameters r or s become zero during the signing process, enabling mathematical recovery of the private key from the malformed signature. A proof-of-concept exploit is available (https://gist.github.com/Kr0emer/93789fe6efe5519db9692d4ad1dad586), and the CVSS score of 8.7 with Proof-of-concept Exploitation status indicates active research interest.

Tags: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 3.1: 8.7 | EPSS: 0.0%
CVE-2026-4599 CRITICAL PATCH GHSA Act Now

The jsrsasign JavaScript cryptographic library contains a critical vulnerability in its random number generation functions that allows attackers to recover private DSA keys through nonce bias exploitation. Versions 7.0.0 through 11.1.0 are affected. A proof-of-concept is publicly available (referenced in GitHub Gist), demonstrating the attack feasibility, and the vulnerability requires no authentication or user interaction for remote exploitation.

Tags: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 3.1: 9.1 | EPSS: 0.0%
CVE-2026-4602 HIGH PATCH GHSA This Week

The jsrsasign JavaScript library before version 11.1.1 contains a vulnerability that allows attackers to break signature verification by exploiting incorrect handling of negative exponents in modular exponentiation operations. All versions of the jsrsasign package prior to 11.1.1 are affected, enabling remote attackers without authentication to compromise cryptographic signature validation. A proof-of-concept exploit exists, as indicated by the CVSS exploitability metric and by public GitHub references demonstrating the attack technique.

Tags: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 3.1: 7.5 | EPSS: 0.0%
CVE-2026-4600 HIGH PATCH GHSA This Week

A cryptographic signature verification vulnerability exists in the jsrsasign JavaScript library before version 11.1.1 that allows attackers to forge DSA signatures and X.509 certificates. The vulnerability lies in DSA domain-parameter validation in KJUR.crypto.DSA.setPublic, enabling a complete bypass of signature verification by supplying malicious domain parameters (g=1, y=1, r=1). A proof-of-concept exploit is publicly available (CVSS:3.1 E:P rating), demonstrating that exploitation is feasible, though the attack complexity is rated high and the absence of a KEV listing indicates limited widespread exploitation to date.

Tags: Information Disclosure, Jwt Attack | Sources: NVD, GitHub, VulDB | CVSS 3.1: 7.4 | EPSS: 0.0%
CVE-2026-4564 MEDIUM This Month

A code injection vulnerability exists in yangzongzhuan RuoYi versions up to 4.8.2 within the Quartz Job Handler component, specifically in the /monitor/job/ endpoint where the invokeTarget parameter is improperly sanitized. An authenticated attacker with high privileges can remotely inject and execute arbitrary code on the affected system. A proof-of-concept has been publicly disclosed on GitHub (M0onc/RuoYi-Quartz-RCE), and the vendor has not responded to early disclosure notifications, increasing the real-world exploitation risk despite the moderate CVSS score of 4.7.

Tags: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 3.1: 4.7 | EPSS: 0.0%
CVE-2026-30007 MEDIUM This Month

XnSoft NConvert version 7.230 contains a Use-After-Free vulnerability triggered by processing specially crafted TIFF files, which can lead to information disclosure and potential code execution. The vulnerability affects NConvert image conversion software and has been publicly documented with proof-of-concept code available on GitHub. An attacker can exploit this by providing a malicious TIFF file to an NConvert user or service, potentially causing a crash or unauthorized memory access.

Tags: Information Disclosure, Memory Corruption, Use After Free | Sources: NVD, GitHub, VulDB | CVSS 3.1: 6.2 | EPSS: 0.0%
CVE-2026-4547 MEDIUM This Month

A business logic vulnerability exists in mickasmt next-saas-stripe-starter version 1.0.0 within the generateUserStripe function of the Checkout Handler component, where manipulation of the priceId parameter can lead to unauthorized modification of transaction data. An authenticated remote attacker can exploit this vulnerability to alter billing information or trigger unintended payment processing logic, potentially causing financial discrepancies or service abuse. With a CVSS score of 4.3 and low attack complexity, this vulnerability represents a moderate risk requiring prompt attention despite the low impact rating.

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 4.3 | EPSS: 0.0%
CVE-2026-4546 HIGH This Week

A DLL search path vulnerability exists in the TextShaping.dll library component of Flos Freeware Notepad2 version 4.2.25. An authenticated local attacker with low privileges could exploit this uncontrolled search path element (CWE-427) to execute arbitrary code with elevated privileges by placing a malicious DLL in the application's search path, achieving high impact to confidentiality, integrity, and availability. The vendor was contacted but did not respond, and exploitation is rated as difficult with high attack complexity.

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 7.0 | EPSS: 0.0%
CVE-2026-4115 LOW POC PATCH Monitor

PuTTY versions up to 0.83 contain a weak authentication vulnerability in the Ed25519 signature verification function (eddsa_verify in crypto/ecc-ssh.c) that allows remote attackers to potentially forge or manipulate digital signatures due to improper validation of Ed25519 signature components. While a public proof-of-concept exploit exists and the vulnerability affects signature verification, the real-world impact remains unproven, with CVSS 3.7 (low severity) and EPSS probability indicating exploitation is difficult and requires high complexity. The vendor (PuTTY developers) has already released a patch addressing this issue.

Tags: Jwt Attack, Information Disclosure | Sources: NVD, VulDB, GitHub | CVSS 3.1: 3.7 | EPSS: 0.0%
CVE-2026-4545 HIGH This Week

Flos Freeware Notepad2 version 4.2.25 contains an uncontrolled search path vulnerability (DLL hijacking) in the PROPSYS.dll library. A local attacker with low privileges could exploit this to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability, though the attack complexity is high and exploitation is considered difficult. The vendor did not respond to early disclosure attempts.

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 7.0 | EPSS: 0.0%
CVE-2026-4541 LOW POC PATCH Monitor

A cryptographic signature verification flaw exists in tinyssh's Ed25519 signature handler (crypto_sign_ed25519_tinyssh.c) that allows improper validation of signatures, potentially enabling an attacker to forge or bypass signature checks. janmojzis tinyssh versions up to 20250501 are affected; exploitation requires local execution and has high attack complexity. A public exploit has been disclosed, and vendor patches are available in version 20260301.

Tags: Jwt Attack, Information Disclosure | Sources: NVD, VulDB, GitHub | CVSS 3.1: 2.5 | EPSS: 0.0%
CVE-2026-33550 LOW PATCH Monitor

SOGo versions prior to 5.12.5 contain two related one-time password (OTP) implementation weaknesses: the OTP is not regenerated when users disable and re-enable two-factor authentication, and the OTP length is only 12 digits instead of the cryptographically recommended 20 digits. While the CVSS score is low (2.0) due to high attack complexity and privileges required, this vulnerability could allow authenticated administrators or high-privilege users with social engineering capability to bypass or weaken OTP protections. No known active exploitation or public proof-of-concept exists, but the issue has been acknowledged and patched by the vendor.

Tags: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 3.1: 2.0 | EPSS: 0.0%
CVE-2026-33549 MEDIUM PATCH This Month

SPIP versions 4.4.10 through 4.4.12 contain a privilege escalation vulnerability that allows authenticated users with limited permissions to assign administrator privileges to themselves or other accounts through improper handling of the STATUT field during author data structure editing. An attacker with login credentials and user interaction can exploit this to gain full administrative control, leading to complete compromise of the CMS instance. The vulnerability was patched in version 4.4.13.

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 6.7 | EPSS: 0.0%
CVE-2026-4532 MEDIUM POC This Month

The Simple Food Ordering System through version 1.0 allows unauthenticated remote attackers to access sensitive database files through improper access controls in the Database Backup Handler component. Public exploit code exists for this vulnerability, which could enable attackers to retrieve database backups containing sensitive information. Configuration changes are recommended as no patch is currently available.

Tags: Path Traversal, Information Disclosure | Sources: NVD, VulDB, GitHub | CVSS 4.0: 5.5 | EPSS: 0.0%
CVE-2026-4511 MEDIUM POC This Month

A code injection vulnerability exists in vanna-ai vanna up to version 2.0.2, specifically in the exec function of the /src/vanna/legacy file. This authenticated remote code injection allows attackers with login credentials to execute arbitrary code with limited impact on confidentiality, integrity, and availability. A proof-of-concept exploit has been publicly disclosed on GitHub, and the vendor has not responded to early disclosure notifications, making this an active concern for deployed instances.

Tags: Information Disclosure | Sources: NVD, VulDB, GitHub | CVSS 3.1: 6.3 | EPSS: 0.0%
CVE-2026-2351 MEDIUM PATCH This Month

The Task Manager plugin for WordPress contains an arbitrary file read vulnerability in the callback_get_text_from_url() function that allows authenticated attackers with Subscriber-level privileges and above to read sensitive files from the server. This information disclosure vulnerability affects all versions up to and including 3.0.2 of the eoxia Task Manager plugin. The vulnerability has a CVSS score of 6.5 and presents moderate real-world risk due to its low attack complexity and the prevalence of WordPress installations, though exploitation requires valid user credentials.

Tags: WordPress, Information Disclosure | Sources: NVD, GitHub | CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2026-3546 MEDIUM This Month

The e-shot form builder plugin for WordPress contains a sensitive information exposure vulnerability in the eshot_form_builder_get_account_data() AJAX handler that is accessible to any authenticated user without capability checks or nonce verification. An attacker with Subscriber-level access or higher can extract the e-shot API token and subaccount information by calling this AJAX endpoint, potentially compromising the victim's e-shot platform account. The vulnerability affects all versions up to and including 1.0.2, and while this CVE does not appear in the KEV catalog or have public proof-of-concept code readily available, the CVSS score of 5.3 reflects moderate risk due to the low attack complexity and lack of user interaction required.

Tags: WordPress, Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2026-3460 MEDIUM This Month

The REST API TO MiniProgram plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated attackers with Subscriber-level access to modify arbitrary users' WeChat shop metadata by exploiting a permission validation flaw. The vulnerability affects all versions up to and including 5.1.2, where the permission callback validates one parameter (openid) but the actual modification function uses a different attacker-controlled parameter (userid) without cross-validation. Attackers can exploit this via the REST API to alter storeinfo, storeappid, and storename fields for any user account, potentially disrupting store operations or impersonating legitimate shop owners.

Tags: Information Disclosure, WordPress | Sources: NVD, VulDB | CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2026-3641 MEDIUM This Month

The Appmax WordPress plugin versions up to 1.0.3 contain an improper input validation vulnerability in its public REST API webhook endpoint at /webhook-system, which fails to authenticate, verify signatures, or otherwise validate the authenticity of incoming webhook requests. Unauthenticated attackers can exploit this by crafting malicious webhook payloads to modify existing WooCommerce order statuses, create arbitrary new orders and products with attacker-controlled data, and inject arbitrary metadata into orders. With a CVSS score of 5.3 (medium severity), a CVSS vector indicating network accessibility with low attack complexity and no authentication required, and confirmed vulnerability references in the official WordPress plugin repository, this vulnerability poses a significant integrity risk to e-commerce sites using the affected plugin.

Tags: Information Disclosure, WordPress | Sources: NVD, VulDB | CVSS 3.1: 5.3 | EPSS: 0.1%
CVE-2026-32897 LOW POC PATCH Monitor

OpenClaw versions prior to 2026.2.22 suffer from cryptographic secret reuse where the gateway authentication token is inappropriately reused as a fallback hashing secret for owner-ID obfuscation in system prompts sent to third-party model providers. An unauthenticated attacker with visibility into system prompts (such as through model provider logs, prompt injection, or interception) can reverse-engineer the gateway authentication token from hash outputs when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, directly compromising authentication security. The vulnerability has a low CVSS score of 3.7 due to high attack complexity and limited impact scope, but represents a critical cryptographic design flaw that violates separation-of-concerns principles across security domains.

Tags: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 3.1: 3.7 | EPSS: 0.1%
CVE-2026-32054 MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the browser trace and download output path handling that allows local attackers with limited privileges to escape the managed temporary root directory and overwrite arbitrary files on the system. An attacker can create symbolic links to redirect file writes outside the intended sandbox, resulting in information disclosure and potential system compromise through arbitrary file modification. A patch is available from the vendor, and this vulnerability requires local access with low privileges to exploit, making it a medium-severity concern for multi-user systems.

Tags: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2026-24060 CRITICAL CISA Emergency

This vulnerability affects Automated Logic's WebCTRL Premium Server, which transmits BACnet protocol data in cleartext without encryption. An attacker positioned on the network can sniff sensitive service information including File Start Position, File Data, and proprietary PLC update formats using tools like Wireshark, enabling both information disclosure and potential integrity attacks through modification of intercepted traffic. With a CVSS score of 9.1 (Critical) and network-based attack vector requiring no privileges or user interaction, this represents a significant exposure for building automation systems.

Tags: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 3.1: 9.1 | EPSS: 0.0%
CVE-2026-33425 MEDIUM This Month

An information disclosure vulnerability in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows unauthenticated attackers to enumerate private group membership by observing directory result changes when manipulating the exclude_groups parameter. This enables attackers to determine whether specific users are members of private groups without authentication, representing a direct privacy violation. The vulnerability does not appear to be actively exploited in the wild (no KEV status indicated), but patches are available from the vendor.

Tags: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 3.1: 5.3 | EPSS: 0.1%
CVE-2026-31926 MEDIUM CISA This Month

A web-based mapping platform exposes charging station authentication identifiers publicly, allowing unauthenticated network-based attackers to access sensitive credential information without any user interaction required. The vulnerability affects IGL Technologies eparking.fi application and enables attackers to obtain authentication material that could be leveraged for unauthorized access to charging infrastructure. There is no indication of active exploitation in the wild or public proof-of-concept code, but the vulnerability represents a direct exposure of authentication secrets (CWE-522) with moderate real-world impact.

Tags: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2026-33422 LOW Monitor

Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain an information disclosure vulnerability where IP addresses of flagged users are exposed to any user with access to the review queue, including those without proper authorization. This allows unauthorized access to sensitive network information that should be restricted to administrators. The vulnerability has a CVSS score of 3.5 (low severity) with no known public exploits or KEV designation, but represents a clear privacy and data protection issue in moderation workflows.

Tags: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 3.1: 3.5 | EPSS: 0.0%
CVE-2026-33243 HIGH This Week

A signature bypass vulnerability exists in the barebox bootloader's FIT (Flattened Image Tree) image verification mechanism. The hashed-nodes property, which lists which FIT nodes were signed, is not itself part of the cryptographic hash, allowing an attacker with high privileges and local access to modify this property and trick the bootloader into loading malicious images that were never signed. This affects barebox versions 2016.03.0 through 2025.09.2 and 2025.10.0 through 2026.03.0, with patches available in versions 2025.09.3 and 2026.03.1.

Tags: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 3.1: 8.2 | EPSS: 0.0%
CVE-2026-28204 MEDIUM CISA This Month

Authentication identifiers for electric vehicle charging stations are publicly exposed through web-based mapping platforms, allowing unauthenticated network-based access to sensitive authentication data. The vulnerability affects CTEK ChargePortal and enables attackers to obtain charging station credentials without requiring any privileges or user interaction. This information disclosure can lead to unauthorized access to charging infrastructure and potential manipulation of charging sessions.

Tags: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2026-32810 MEDIUM This Month

Halloy, an IRC application written in Rust, fails to properly restrict file permissions on its configuration directory and files on *nix and macOS systems prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, resulting in world-readable access to plaintext credentials. Any local user on an affected system can read sensitive authentication data stored in config.toml or referenced password files, leading to credential compromise. While no CVSS score or EPSS data is currently available, the vulnerability represents a direct information disclosure risk with low exploitation complexity.

Tags: Information Disclosure, Apple, macOS | Sources: NVD, GitHub, VulDB | CVSS 3.1: 5.5 | EPSS: 0.0%
CVE-2026-33508 HIGH PATCH GHSA This Week

Parse Server's LiveQuery component fails to enforce query depth limits on WebSocket subscription requests, allowing attackers to send deeply nested logical operators that trigger excessive recursion and CPU consumption. This affects Parse Server deployments where the LiveQuery WebSocket endpoint is accessible to untrusted clients (pkg:npm/parse-server). A patch is available from the vendor with no known workarounds, and while no EPSS score or KEV listing is present, the availability of proof-of-concept code in the patch references suggests exploitation details are publicly documented.

Tags: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 4.0: 8.2 | EPSS: 0.0%
CVE-2026-33490 LOW PATCH Monitor

The h3 web framework contains a path-matching vulnerability in its mount() method that fails to enforce path segment boundaries when checking if requests fall under a mounted sub-application's prefix. This allows attackers to trigger middleware intended for a path like /admin on unrelated routes such as /admin-public or /administrator, potentially polluting request context with unintended privilege flags and leading to authorization bypass. A proof-of-concept is available demonstrating context pollution across mount boundaries, and the vulnerability affects all h3 v2 applications using mount() with prefix-vulnerable path configurations.

Tags: Information Disclosure | Sources: NVD, GitHub | CVSS 3.1: 3.7 | EPSS: 0.0%
CVE-2026-33419 CRITICAL Act Now

MinIO AIStor's Security Token Service (STS) AssumeRoleWithLDAPIdentity endpoint contains two combined vulnerabilities that enable LDAP credential brute-forcing: distinguishable error messages allowing username enumeration (CWE-204) and missing rate limiting (CWE-307). All MinIO deployments through the final open-source release with LDAP authentication enabled are affected. Unauthenticated network attackers can enumerate valid LDAP usernames, perform unlimited password guessing attacks, and obtain temporary AWS-style STS credentials granting full access to victim users' S3 buckets and objects.

Tags: Microsoft, Docker, Information Disclosure, Apple, Nginx | Sources: NVD, GitHub, VulDB | CVSS 4.0: 9.1 | EPSS: 0.1%
CVE-2026-33485 HIGH This Week

An unauthenticated SQL injection vulnerability exists in the AVideo platform's RTMP on_publish callback, allowing remote attackers to extract the entire database via time-based blind SQL injection. The vulnerability affects the wwbn_avideo composer package and can be exploited without authentication to steal user password hashes, email addresses, and API keys. A detailed proof-of-concept is publicly available in the GitHub Security Advisory, and the vulnerability has a CVSS score of 7.5 (High) with network attack vector and low complexity.

Tags: SQLi, PHP, Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 3.1: 7.5 | EPSS: 0.2%
CVE-2026-33483 HIGH This Week

AVideo platform contains an unauthenticated file upload vulnerability in the aVideoEncoderChunk.json.php endpoint that allows remote attackers to exhaust disk space and cause denial of service. Any unauthenticated attacker can upload arbitrarily large files to the server's /tmp directory with no size limits, rate limiting, or cleanup mechanism, and the CORS wildcard header enables browser-based distributed attacks. A detailed proof-of-concept is publicly available demonstrating parallel upload attacks that can fill disk space and crash server services.

Denial Of Service Information Disclosure PHP
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-33481 MEDIUM PATCH This Month

Syft versions before v1.42.3 fail to properly clean up temporary files when temporary storage becomes exhausted during archive scanning, allowing an attacker to trigger a denial of service by exhausting the system's temporary storage through highly compressed or large artifacts. This affects all users of Syft who scan untrusted or adversarially-crafted archives, as the vulnerability requires no authentication and can be triggered remotely through the normal scanning interface. The vulnerability has been patched in v1.42.3 and no active exploitation has been reported in the wild, though the attack vector is straightforward and does not require special privileges.

Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33429 MEDIUM PATCH This Month

An information disclosure vulnerability in Parse Server's LiveQuery functionality allows attackers to infer the values of protected fields by monitoring whether update events are generated when those fields change, effectively creating a binary oracle that reveals field modifications despite the field values themselves being stripped from event payloads. The vulnerability affects Parse Server npm package across multiple versions, and while no public exploit code or active exploitation has been documented, the attack requires only standard subscription capabilities without elevated privileges. The vendor has released patches that validate the watch parameter against protected fields at subscription time, mirroring existing where clause protections.

Information Disclosure Oracle
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-33421 HIGH PATCH GHSA This Week

Parse Server's LiveQuery WebSocket interface contains an authorization bypass vulnerability that allows any authenticated user to subscribe to real-time object updates regardless of Class-Level Permission pointer field restrictions. Affected products include the parse-server npm package, where authenticated attackers can receive real-time updates for all objects in classes that should be restricted by readUserFields and pointerFields CLP settings, bypassing intended access controls that are correctly enforced in the REST API. No public proof-of-concept or active exploitation (KEV) has been reported at this time.

Information Disclosure Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-33476 HIGH PATCH This Week

An unauthenticated directory traversal vulnerability exists in Siyuan kernel's /appearance/ endpoint, allowing remote attackers to read arbitrary files accessible to the server process without authentication. The vulnerability affects the Go-based Siyuan note-taking application (github.com/siyuan-note/siyuan/kernel) and has been assigned a CVSS score of 7.5 (High). A working proof-of-concept exploit is publicly available demonstrating successful file retrieval via crafted URLs containing path traversal sequences, and a patch has been released by the vendor.

Information Disclosure Authentication Bypass Path Traversal Microsoft Docker +1
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.9%
CVE-2026-4438 MEDIUM PATCH This Month

The GNU C Library (glibc) versions 2.34 through 2.43 contain a vulnerability in the gethostbyaddr and gethostbyaddr_r functions that can return invalid DNS hostnames violating DNS specification requirements when using a configured nsswitch.conf with the DNS backend. This affects any application or system service relying on reverse DNS lookups through glibc, potentially leading to information disclosure or incorrect hostname resolution. While no CVSS score, EPSS probability, or active exploitation status has been publicly assigned, the vulnerability represents a data integrity issue in a foundational system library affecting millions of Linux systems.

Information Disclosure
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4437 HIGH PATCH This Week

A DNS response parsing vulnerability exists in the GNU C Library (glibc) versions 2.34 through 2.43 affecting the gethostbyaddr and gethostbyaddr_r functions. When a malicious or compromised DNS server returns a crafted response that violates the DNS specification, the library may incorrectly treat non-answer sections (such as authority or additional sections) as valid answers, leading to buffer overflow and information disclosure. The vulnerability is classified as a read buffer over-read (CWE-125) and does not currently have a published CVSS score, EPSS metric, or confirmed KEV status, though the underlying mechanism suggests moderate real-world risk in environments with untrusted or attacker-controlled DNS infrastructure.

Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33010 HIGH PATCH This Week

A CORS misconfiguration vulnerability in mcp-memory-service allows any malicious website to perform cross-origin requests to the HTTP API. Versions prior to 10.25.1 of mcp-memory-service from doobidoo are affected, particularly when the HTTP server is enabled with anonymous access, allowing attackers to read, modify, and delete all stored memories without authentication. No KEV listing or public exploitation indicators are currently reported, though the vulnerability's simplicity and the availability of a GitHub security advisory suggest proof-of-concept development would be straightforward.

Cors Misconfiguration Information Disclosure
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-32317 HIGH This Week

An integrity check vulnerability in Cryptomator for Android prior to version 1.12.3 allows attackers to tamper with the vault configuration file, enabling a man-in-the-middle attack against the Hub key loading mechanism. Attackers who can modify the vault.cryptomator file can mix legitimate authentication endpoints with malicious API endpoints to exfiltrate tokens from users unlocking Hub-backed vaults. With a CVSS score of 7.6 and requiring low attack complexity with user interaction, this vulnerability poses a moderate risk to affected users in environments where vault configuration files can be altered.

Information Disclosure Google Hashicorp Android
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-32318 HIGH This Week

A man-in-the-middle vulnerability in Cryptomator for iOS versions prior to 2.8.3 allows attackers who can modify the vault.cryptomator configuration file to intercept authentication tokens by substituting malicious API endpoints while maintaining legitimate authentication endpoints. This affects users unlocking Hub-backed vaults in environments where attackers have write access to vault configuration files. No evidence of active exploitation (not in CISA KEV) has been reported, and patches are available.

Information Disclosure Hashicorp Apple iOS
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-32309 HIGH This Week

Cryptomator's Hub-based unlock flow contains a protocol downgrade vulnerability that allows the application to communicate with Hub endpoints over plaintext HTTP instead of enforcing HTTPS. Cryptomator versions prior to 1.19.1 are affected, exposing OAuth bearer tokens, key-loading traffic, and endpoint-level trust decisions to network interception and tampering by active attackers. This is a verified GitHub security advisory with patches available in version 1.19.1, though no EPSS score or KEV listing indicates limited evidence of active exploitation.

Information Disclosure Hashicorp
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-32303 HIGH This Week

Cryptomator versions prior to 1.19.1 contain an integrity check vulnerability that allows attackers to tamper with the vault.cryptomator configuration file, enabling man-in-the-middle attacks during Hub key loading. Attackers can mix legitimate authentication endpoints with malicious API endpoints to exfiltrate access tokens from users unlocking Hub-backed vaults in environments where vault configuration files can be modified. The CVSS score of 7.6 indicates high severity with network attack vector requiring low privileges and user interaction, though no active exploitation (KEV) or public POC has been reported at this time.

Information Disclosure Hashicorp
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-62844 MEDIUM This Month

A weak authentication vulnerability exists in QNAP QHora/QuRouter devices that allows attackers with local network access to bypass authentication mechanisms and disclose sensitive information. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires network-level access but no special privileges. While no CVSS score or EPSS data is publicly available, the classification as CWE-1390 (Weak Authentication) and the emphasis on local network access indicate this is a network-adjacent threat with moderate real-world risk, particularly in environments where untrusted devices can connect to the local network.

Information Disclosure Qurouter
NVD VulDB
CVSS 4.0
4.0
EPSS
0.0%
CVE-2026-33286 CRITICAL PATCH Act Now

A critical arbitrary method execution vulnerability affects Graphiti's JSONAPI write functionality, allowing attackers to invoke any public method on underlying model instances, classes, or associations through crafted JSONAPI payloads. Applications using Graphiti (a Ruby gem for building JSON:API compliant APIs) that expose write endpoints to untrusted users are affected, particularly versions prior to 1.10.2. The vulnerability scores CVSS 9.1 (Critical) with network-based exploitation requiring no authentication or user interaction, enabling both high integrity and availability impacts.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-4519 HIGH PATCH This Week

The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-line options rather than URLs, potentially leading to unintended command execution or information disclosure. This affects all CPython versions using the vulnerable webbrowser module. An attacker can craft a malicious URL containing leading dashes (e.g., '-P' or '--profile') that, when passed to webbrowser.open(), may trigger browser-specific behavior such as loading alternate profiles or executing browser commands, resulting in information disclosure or other security impacts.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-31381 MEDIUM This Month

Gainsight Assist contains an information disclosure vulnerability where user email addresses (PII) are exposed in base64-encoded format within the OAuth callback URL's state parameter. This affects all versions of Gainsight Assist and allows unauthenticated remote attackers to extract sensitive personal information with no user interaction required. The vulnerability has a CVSS score of 5.3 (moderate) with confirmed disclosure via Rapid7, and patch availability has been documented in vendor advisories.

Information Disclosure
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4434 HIGH This Week

Devolutions Server contains an improper certificate validation vulnerability in its PAM propagation WinRM connections that allows network attackers to conduct man-in-the-middle (MITM) attacks by exploiting disabled TLS certificate verification. This vulnerability affects Devolutions Server versions prior to 2026.1, enabling attackers positioned on the network path to intercept and manipulate WinRM communications without detection. The vulnerability is classified under CWE-295 (Improper Certificate Validation) and carries significant information disclosure and server compromise risks, particularly in environments where PAM propagation relies on WinRM for credential delivery and privileged session management.

Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-32595 LOW PATCH Monitor

Traefik's BasicAuth middleware contains a timing attack vulnerability that enables username enumeration through observable response time differences between valid and invalid usernames. An unauthenticated network attacker can distinguish existing usernames from non-existent ones by measuring response latency: valid usernames trigger ~166ms bcrypt operations while invalid usernames return in ~0.6ms, creating a ~298x timing differential. Affected versions include Traefik 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1; patches are available in versions 2.11.41, 3.6.11, and 3.7.0-ea.2.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-22324 HIGH This Week

A PHP Local File Inclusion vulnerability exists in the ThemeREX Melania WordPress theme, allowing remote attackers to include and execute arbitrary local files on the server. All versions up to and including 2.5.0 are affected. The CVSS score of 8.1 indicates high severity with network-based attack vector, though attack complexity is rated as high; there is no evidence of active exploitation (not in KEV) or public proof-of-concept at this time.

PHP Information Disclosure Lfi
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-33069 HIGH PATCH This Week

PJSIP versions 2.16 and below contain a cascading out-of-bounds heap read vulnerability in the pjsip_multipart_parse() function that allows attackers to read 1-2 bytes of adjacent heap memory when processing SIP messages with multipart bodies or SDP content. The vulnerability affects all applications using PJSIP to process incoming SIP messages, as the flaw does not require authentication or user interaction and can be triggered remotely over the network. While the CVSS score of 6.9 reflects moderate severity with low confidentiality impact, the low attack complexity and remote exploitability make this a practical concern for SIP-based communication systems.

Buffer Overflow Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33056 MEDIUM PATCH This Month

The tar-rs library versions 0.4.44 and below contain a symlink-following vulnerability in the unpack_dir function that allows attackers to modify permissions on arbitrary directories outside the extraction root. An attacker can craft a malicious tarball containing a symlink entry followed by a directory entry with the same name; when unpacked, the library follows the symlink and applies chmod to the target directory rather than validating it resides within the extraction root. This vulnerability has a CVSS score of 5.1 with network accessibility and low attack complexity, making it exploitable by remote attackers without privileges or special user interaction beyond accepting a crafted archive.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-23278 HIGH PATCH This Week

A resource management flaw in the Linux kernel's netfilter nf_tables subsystem fails to properly iterate over all pending catchall elements during transaction processing, leading to incomplete cleanup when a map holding catchall elements is destroyed. This affects Linux kernel versions across multiple stable branches and can result in memory corruption, information disclosure, or denial of service when crafted netfilter rule transactions are processed. The vulnerability is not known to be actively exploited in the wild, but the presence of multiple stable branch patches and specific affected kernel versions indicates kernel maintainers have treated this as a material flaw requiring coordinated remediation.

Linux Information Disclosure Redhat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23275 HIGH PATCH This Week

A race condition exists in the Linux kernel's io_uring subsystem where task work flags can be manipulated on stale ring memory during concurrent ring resize operations when DEFER_TASKRUN or SETUP_TASKRUN modes are enabled. This vulnerability affects Linux kernel versions including 6.13, 6.18.19, 6.19.9, and 7.0-rc4, and could allow an attacker with local code execution capabilities to cause information disclosure or kernel memory corruption. The vulnerability has been patched across multiple stable kernel versions as evidenced by available git commits, though no active KEV status or EPSS score has been published.

Linux Information Disclosure Redhat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23274 HIGH PATCH This Week

This vulnerability exists in the Linux kernel's netfilter xt_IDLETIMER module, where revision 0 rules can cause a kernel panic by attempting to reuse timer objects created by revision 1 with ALARM semantics. An attacker with the ability to insert netfilter rules (requiring CAP_NET_ADMIN or equivalent privileges) can trigger uninitialized timer_list access, leading to debugobjects warnings and kernel panic when panic_on_warn=1 is enabled. No active exploitation in the wild has been reported, but patches are available across multiple stable kernel versions.

Linux Information Disclosure Redhat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23273 HIGH PATCH This Week

A use-after-free race condition exists in the Linux kernel's macvlan driver within the macvlan_common_newlink() error handling path. When a macvlan device creation fails after the network device becomes visible to the RCU (Read-Copy-Update) subsystem, the caller's subsequent free_netdev(dev) can race with ongoing packet forwarding operations, causing kernel memory corruption and potential information disclosure. This vulnerability affects Linux kernel versions 5.10 through 6.19 and later, and while no public exploit exists, the issue is reproducible via crafted netlink commands that trigger concurrent device creation and packet transmission.

Linux Information Disclosure Redhat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23272 HIGH PATCH This Week

A use-after-free vulnerability exists in the Linux kernel's netfilter nf_tables subsystem where a set element can be published and removed without waiting for RCU grace period completion, allowing concurrent RCU readers to access freed memory. This affects all Linux kernel versions across multiple stable branches (4.10 and later) as indicated by the CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. An attacker with local access to manipulate netfilter rules could trigger information disclosure or denial of service by exploiting the race condition during batch insertion of elements into a full netfilter set.

Information Disclosure Linux Redhat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-4478 HIGH This Week

The Yi Technology YI Home Camera 2 version 2.1.1_20171024151200 contains a cryptographic signature verification vulnerability in its HTTP firmware update handler, specifically in the home/web/ipc file component. An attacker can exploit this remotely (network-accessible) to bypass firmware integrity checks and potentially install malicious firmware, though the attack complexity is high and exploitation is considered difficult. A public exploit is available, significantly increasing risk despite the high complexity barrier.

Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-4477 LOW Monitor

Yi Technology YI Home Camera 2 (version 2.1.1_20171024151200) contains a hard-coded cryptographic key vulnerability in its WPA/WPS component that allows attackers to disclose sensitive information through local network access. While the exploit has been publicly disclosed and proof-of-concept code is available, the attack requires high complexity and difficult exploitability, limiting real-world risk to local network environments only. The vendor was notified early but provided no response, leaving users without an official patch.

Information Disclosure
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-33055 HIGH PATCH This Week

The tar-rs Rust library versions 0.4.44 and below contain a logic flaw where PAX (POSIX.1-2001) size headers are conditionally skipped when the base tar header size is nonzero, causing the library to parse tar archives differently than other standard tar implementations like Go's archive/tar. This discrepancy allows an attacker to craft malicious tar archives that appear different when unpacked by tar-rs versus other parsers, potentially leading to information disclosure or file confusion attacks. The vulnerability affects any application using tar-rs to parse untrusted archives and expecting consistent behavior with other tar parsers, with a moderate CVSS score of 5.1 indicating low attack complexity and network accessibility.

Information Disclosure Memory Corruption
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33037 HIGH This Week

WWBN AVideo open source video platform versions 25.0 and below ship with a hardcoded default administrator password ('password') in official Docker deployment files that is automatically used during installation without any forced change mechanism. Attackers can gain immediate administrative access to unpatched instances, enabling user data exposure, content manipulation, and potential remote code execution via file upload and plugin management features. The issue is compounded by weak MD5 password hashing and similarly insecure default database credentials (avideo/avideo).

RCE Information Disclosure Docker
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-4136 MEDIUM This Month

The Membership Plugin - Restrict Content for WordPress contains an unvalidated redirect vulnerability in the 'rcp_redirect' parameter that allows unauthenticated attackers to redirect users to arbitrary external sites via password reset emails. Affected versions include all releases up to and including 3.2.24. This vulnerability has a CVSS score of 4.3 (low-to-moderate severity) and requires user interaction, limiting its immediate exploitation impact but creating a viable phishing vector for credential harvesting or malware distribution.

WordPress Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-32942 HIGH PATCH This Week

PJSIP versions 2.16 and earlier contain a heap use-after-free vulnerability in ICE session handling caused by race conditions between session destruction and callback execution, enabling memory corruption and potential code execution. This flaw affects all systems using vulnerable PJSIP versions for multimedia communication and currently has no available patch. With a CVSS score of 8.1, the vulnerability is remotely exploitable without authentication or user interaction.

Information Disclosure Use After Free Memory Corruption
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-32935 MEDIUM PATCH This Month

phpseclib versions 1.0.26 and below, 2.0.0 through 2.0.51, and 3.0.0 through 3.0.49 are vulnerable to a padding oracle timing attack when using AES in CBC mode, allowing attackers to decrypt sensitive data through cryptanalysis of response timing differences. This information disclosure vulnerability affects any PHP application using the vulnerable phpseclib library for AES-CBC encryption. Although no CVSS score, EPSS data, or confirmed active exploitation (KEV status) are currently available, the presence of a verified fix and security advisory indicates this is a legitimate cryptographic weakness requiring attention.

PHP Oracle Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-31869 MEDIUM This Month

Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contains an information disclosure vulnerability in the ComposerController#mentions endpoint that reveals hidden group membership to any authenticated user capable of messaging the group. An attacker can exploit this by supplying hidden-membership group names and probing arbitrary usernames to infer membership based on whether the user_reasons field returns 'private', effectively bypassing group member-visibility controls designed to protect sensitive group information. This vulnerability is not known to be actively exploited in the wild (KEV status unknown), carries a moderate CVSS score of 5.3 reflecting low confidentiality impact with low attack complexity, and requires prior authentication.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-30891 MEDIUM This Month

Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain an authorization bypass vulnerability in the user actions endpoint that allows authenticated users to access other users' private activity data. An attacker with valid login credentials can enumerate and view private user actions without proper permission checks, resulting in information disclosure. This is a moderate-severity issue with a CVSS score of 5.3 that requires authentication to exploit but has no known active exploitation or public proof-of-concept at this time.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-4462 HIGH PATCH This Week

An out-of-bounds read vulnerability exists in the Blink rendering engine of Google Chrome prior to version 146.0.7680.153, allowing remote attackers to read memory outside intended buffer boundaries via a specially crafted HTML page. This vulnerability (CWE-125) has been classified as High severity by the Chromium security team and enables information disclosure attacks without requiring user interaction beyond visiting a malicious webpage. A vendor patch is available, and the vulnerability affects 9 Debian releases, indicating widespread downstream impact across Linux distributions.

Google Buffer Overflow Information Disclosure Ubuntu Debian +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4461 HIGH PATCH This Week

Heap corruption in Google Chrome's V8 engine prior to version 146.0.7680.153 enables remote code execution when users visit malicious websites, affecting Chrome, Ubuntu, and Debian systems. An unauthenticated attacker can craft a specially designed HTML page to trigger memory corruption and achieve complete system compromise without user interaction beyond visiting the page. A patch is available for immediate deployment.

Google Information Disclosure Ubuntu Debian Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4460 HIGH PATCH This Week

Memory disclosure in Google Chrome's Skia rendering engine prior to version 146.0.7680.153 enables unauthenticated attackers to read out-of-bounds memory contents by tricking users into visiting malicious web pages. Affected users across Chrome, Ubuntu, and Debian distributions face potential information leakage including sensitive data from process memory. A patch is available for immediate deployment.

Google Buffer Overflow Information Disclosure Ubuntu Debian +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4459 HIGH PATCH This Week

Heap corruption in Google Chrome's WebAudio component (versions prior to 146.0.7680.153) can be triggered through out-of-bounds memory access when processing malicious HTML pages, enabling remote attackers to achieve arbitrary code execution without user interaction beyond viewing the page. The vulnerability affects Chrome, Ubuntu, and Debian systems, with patches now available across all platforms.

Google Information Disclosure Buffer Overflow Ubuntu Debian +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4457 HIGH PATCH This Week

Heap memory corruption in Google Chrome's V8 engine (versions prior to 146.0.7680.153) stems from type confusion vulnerabilities that can be triggered through malicious HTML pages without user privileges. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution or crash the browser. The vulnerability affects Chrome, Ubuntu, and Debian systems, with patches now available.

Google Memory Corruption Information Disclosure Ubuntu Debian +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4453 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Dawn component on macOS versions prior to 146.0.7680.153 results from an integer overflow vulnerability that can be triggered through a malicious HTML page. An unauthenticated attacker can exploit this to access sensitive information from other origins without user interaction beyond viewing the crafted page. Patches are available for Chrome, Ubuntu, and Debian.

Google Information Disclosure Ubuntu Debian Chrome
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4451 HIGH PATCH This Week

A renderer process sandbox escape vulnerability exists in Google Chrome prior to version 146.0.7680.153 due to insufficient input validation in the Navigation component. An attacker who has already compromised the renderer process can exploit this via a crafted HTML page to escape the sandbox and gain elevated privileges on the host system. A patch is available from Google, and the vulnerability is tracked in the EUVD database with High severity classification.

Google Information Disclosure Ubuntu Debian Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-32829 HIGH PATCH This Week

Information disclosure in lz4_flex compression library versions 0.11.5 and below and 0.12.0 allows attackers to read sensitive data from uninitialized memory or previous decompression operations through crafted LZ4 input that triggers out-of-bounds reads in the block-based decompression API. The vulnerability affects Ubuntu and Debian systems using vulnerable versions of lz4_flex, particularly when the safe-decode feature is disabled. No patch is currently available, leaving affected systems exposed to potential exposure of cryptographic keys and other sensitive data.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-32828 LOW PATCH Monitor

Kargo versions 1.4.0-1.6.3, 1.7.0-1.7.8, 1.8.0-1.8.11, and 1.9.0-1.9.4 contain a Server-Side Request Forgery vulnerability in http and http-download promotion steps that allows authenticated attackers to access cloud instance metadata endpoints and exfiltrate sensitive credentials like IAM keys. An attacker with permissions to create or modify Stages or Promotion resources can exploit this by crafting malicious manifests with full control over request headers and methods, bypassing cloud provider SSRF protections. Currently, no patch is available for this vulnerability.

SSRF Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-31850
EPSS 0% CVSS 6.8
MEDIUM This Month

The Nexxt Solutions Nebula 300+ wireless router stores sensitive administrative credentials and WiFi pre-shared keys in plaintext within exported configuration backup files, enabling information disclosure through CWE-256 (Plaintext Storage of Password). This vulnerability affects firmware versions through 12.01.01.37 and allows an attacker who gains access to a backup file to immediately obtain full administrative and wireless network access without requiring cryptographic attacks. No CVSS score, EPSS data, or active KEV designation is currently available, but the plaintext credential exposure represents a critical risk for any environment relying on configuration backups.

Information Disclosure
NVD VulDB
CVE-2026-31847
EPSS 0% CVSS 8.5
HIGH This Week

A hidden functionality vulnerability exists in the /goform/setSysTools endpoint of Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37, allowing unauthenticated remote attackers to enable a Telnet service that exposes a privileged diagnostic management interface. This significantly expands the attack surface and enables further device compromise through an unencrypted network protocol. No CVSS score, EPSS data, or KEV status is currently available, but the severity is elevated given the remote nature of exploitation and the direct access to privileged diagnostic functions.

Information Disclosure
NVD VulDB
CVE-2026-4584
EPSS 0% CVSS 3.1
LOW POC Monitor

The Shenzhen HCC Technology MPOS M6 PLUS device running firmware version 1V.31-N contains a cleartext transmission vulnerability in its Cardholder Data Handler component that allows attackers on the local network to intercept sensitive information. An attacker with network access can manipulate the affected component to force transmission of cardholder data in cleartext, compromising payment card information. A publicly available proof-of-concept exists on GitHub, and the vulnerability has a CVSS score of 3.1 (low severity) due to high attack complexity requirements, though the exploitation difficulty rating suggests real-world risk depends heavily on network proximity and attacker capabilities.

Information Disclosure
NVD VulDB GitHub
CVE-2026-4633
EPSS 0% CVSS 3.7
LOW Monitor

Keycloak contains an information disclosure vulnerability in the identity-first login flow when Organizations are enabled, where differential error messages allow remote attackers to enumerate valid user accounts without authentication. The vulnerability affects Red Hat Build of Keycloak across multiple versions, and while the CVSS score is low (3.7), the attack requires only network access with no user interaction. This user enumeration flaw could facilitate credential stuffing, phishing, or social engineering campaigns by confirming the existence of target accounts.

Information Disclosure
NVD VulDB
CVE-2026-3587
EPSS 0% CVSS 10.0
CRITICAL Act Now

A hidden function in the CLI prompt of multiple WAGO industrial and lean managed switches allows unauthenticated remote attackers to escape the restricted interface and gain root access to the underlying Linux operating system. This results in complete device compromise with a maximum CVSS score of 10.0. The vulnerability affects over a dozen WAGO switch models used in industrial automation environments, and was disclosed by CERT@VDE.

Information Disclosure
NVD VulDB
CVE-2026-23554
EPSS 0% CVSS 7.8
HIGH PATCH This Week

This vulnerability in Intel EPT (Extended Page Tables) paging code within Xen allows information disclosure through a use-after-free condition in cached EPT state management. When paging structures are freed before cached EPT state is flushed, stale entries can persist in the EPT cache pointing to memory ranges outside the guest's intended ownership, enabling unauthorized memory access. Xen across multiple versions is affected, with Ubuntu tracking the issue at medium priority across 7 releases and Debian across 7 releases, making this a widespread concern for virtualization infrastructure.

Information Disclosure Intel
NVD VulDB
CVE-2025-13997
EPSS 0% CVSS 5.3
MEDIUM This Month

King Addons for Elementor contains an information disclosure vulnerability that exposes sensitive API keys and secrets in HTML source code through the render_full_form function. Unauthenticated attackers can extract Mailchimp, Facebook, and Google API credentials from affected WordPress sites running the plugin up to version 51.1.49 that have the Premium license installed. This vulnerability has a CVSS score of 5.3 with a network attack vector requiring no authentication, making it easily discoverable and exploitable at scale.

WordPress Information Disclosure Google +1
NVD VulDB
CVE-2025-10734
EPSS 0% CVSS 5.3
MEDIUM This Month

The ReviewX - WooCommerce Product Reviews plugin for WordPress contains a Sensitive Information Exposure vulnerability in the syncedData function that allows unauthenticated attackers to extract sensitive user data including names, emails, phone numbers, and addresses from affected sites. All versions up to and including 2.2.12 are vulnerable, affecting any WordPress installation running this popular review plugin. The vulnerability has a CVSS score of 5.3 (Medium) with low attack complexity and no authentication required, making it relatively straightforward to exploit.

WordPress Information Disclosure Google +1
NVD VulDB
CVE-2025-10679
EPSS 0% CVSS 7.3
HIGH This Week

The ReviewX plugin for WordPress contains a critical arbitrary method call vulnerability in all versions up to and including 2.2.12. Unauthenticated attackers can exploit insufficient input validation in the bulkTenReviews function to call arbitrary PHP class methods, potentially achieving remote code execution or information disclosure. With a CVSS score of 7.3 and network-based exploitation requiring no privileges or user interaction, this presents a significant risk to WordPress sites using this WooCommerce product review plugin.

WordPress PHP RCE +3
NVD VulDB
CVE-2025-10731
EPSS 0% CVSS 5.3
MEDIUM This Month

The ReviewX WordPress plugin for WooCommerce contains an unauthenticated sensitive information exposure vulnerability in the allReminderSettings function that allows attackers to obtain authentication tokens and bypass admin restrictions. Affected versions up to 2.2.12 expose critical customer data including order details, names, emails, addresses, phone numbers, and user information. With a CVSS score of 5.3 and network-based attack vector requiring no authentication or user interaction, this vulnerability poses a moderate but immediate risk to any WordPress installation using the plugin.

WordPress Information Disclosure Authentication Bypass +2
NVD VulDB
CVE-2026-4603
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

jsrsasign versions before 11.1.1 contain a division by zero vulnerability in RSA public-key operations caused by improper parsing of JWK moduli that decode to zero. An attacker can supply a malicious JWK to force RSA verify and encryption operations to produce deterministic zero outputs while suppressing invalid key errors, leading to cryptographic bypass and information disclosure. A proof-of-concept exists and the vulnerability has moderate real-world risk due to its low attack complexity and local attack vector.

Information Disclosure
NVD GitHub VulDB
CVE-2026-4601
EPSS 0% CVSS 8.7
HIGH PATCH This Week

A cryptographic vulnerability in the jsrsasign JavaScript library allows attackers to recover DSA private keys through invalid signatures. Versions before 11.1.1 fail to validate and retry when DSA signature parameters r or s become zero during the signing process, enabling mathematical recovery of the private key from the malformed signature. A proof-of-concept exploit is available (https://gist.github.com/Kr0emer/93789fe6efe5519db9692d4ad1dad586), and the CVSS score of 8.7 with Proof-of-concept Exploitation status indicates active research interest.

Information Disclosure
NVD GitHub VulDB
CVE-2026-4599
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

The jsrsasign JavaScript cryptographic library contains a critical vulnerability in its random number generation functions that allows attackers to recover private DSA keys through nonce bias exploitation. Versions 7.0.0 through 11.1.0 are affected. A proof-of-concept is publicly available (referenced in GitHub Gist), demonstrating the attack feasibility, and the vulnerability requires no authentication or user interaction for remote exploitation.

Information Disclosure
NVD GitHub VulDB
CVE-2026-4602
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The jsrsasign JavaScript library before version 11.1.1 contains a vulnerability that allows attackers to break signature verification by exploiting incorrect handling of negative exponents in modular exponentiation operations. This affects all versions prior to 11.1.1 of the jsrsasign package, enabling remote attackers without authentication to compromise cryptographic signature validation. A proof-of-concept exploit exists as indicated by the CVSS exploitability metric and public GitHub references demonstrating the attack technique.

Information Disclosure
NVD GitHub VulDB
CVE-2026-4600
EPSS 0% CVSS 7.4
HIGH PATCH This Week

A cryptographic signature verification vulnerability exists in the jsrsasign JavaScript library before version 11.1.1 that allows attackers to forge DSA signatures and X.509 certificates. The vulnerability affects DSA domain-parameter validation in KJUR.crypto.DSA.setPublic, enabling complete bypass of signature verification by supplying malicious domain parameters (g=1, y=1, r=1). A proof-of-concept exploit is publicly available (CVSS:3.1 E:P rating) demonstrating active exploitation feasibility, though the attack complexity is rated high and no KEV listing indicates limited widespread exploitation to date.

Information Disclosure Jwt Attack
NVD GitHub VulDB
CVE-2026-4564
EPSS 0% CVSS 4.7
MEDIUM This Month

A code injection vulnerability exists in yangzongzhuan RuoYi versions up to 4.8.2 within the Quartz Job Handler component, specifically in the /monitor/job/ endpoint where the invokeTarget parameter is improperly sanitized. An authenticated attacker with high privileges can remotely inject and execute arbitrary code on the affected system. A proof-of-concept has been publicly disclosed on GitHub (M0onc/RuoYi-Quartz-RCE), and the vendor has not responded to early disclosure notifications, increasing the real-world exploitation risk despite the moderate CVSS score of 4.7.

Information Disclosure
NVD GitHub VulDB
CVE-2026-30007
EPSS 0% CVSS 6.2
MEDIUM This Month

XnSoft NConvert version 7.230 contains a Use-After-Free vulnerability triggered by processing specially crafted TIFF files, which can lead to information disclosure and potential code execution. The vulnerability affects NConvert image conversion software and has been publicly documented with proof-of-concept code available on GitHub. An attacker can exploit this by providing a malicious TIFF file to an NConvert user or service, potentially causing a crash or unauthorized memory access.

Information Disclosure Memory Corruption Use After Free
NVD GitHub VulDB
CVE-2026-4547
EPSS 0% CVSS 4.3
MEDIUM This Month

A business logic vulnerability exists in mickasmt next-saas-stripe-starter version 1.0.0 within the generateUserStripe function of the Checkout Handler component, where manipulation of the priceId parameter can lead to unauthorized modification of transaction data. An authenticated remote attacker can exploit this vulnerability to alter billing information or trigger unintended payment processing logic, potentially causing financial discrepancies or service abuse. With a CVSS score of 4.3 and low attack complexity, this vulnerability represents a moderate risk requiring prompt attention despite the low impact rating.

Information Disclosure
NVD VulDB
CVE-2026-4546
EPSS 0% CVSS 7.0
HIGH This Week

A DLL search path vulnerability exists in the TextShaping.dll library component of Flos Freeware Notepad2 version 4.2.25. An authenticated local attacker with low privileges could exploit this uncontrolled search path element (CWE-427) to execute arbitrary code with elevated privileges by placing a malicious DLL in the application's search path, achieving high impact to confidentiality, integrity, and availability. The vendor was contacted but did not respond, and exploitation is rated as difficult with high attack complexity.

Information Disclosure
NVD VulDB
CVE-2026-4115
EPSS 0% CVSS 3.7
LOW POC PATCH Monitor

PuTTY versions up to 0.83 contain a weak authentication vulnerability in the Ed25519 signature verification function (eddsa_verify in crypto/ecc-ssh.c) that allows remote attackers to potentially forge or manipulate digital signatures due to improper validation of Ed25519 signature components. While a public proof-of-concept exploit exists and the vulnerability affects signature verification, the real-world impact remains unproven, with CVSS 3.7 (low severity) and EPSS probability indicating exploitation is difficult and requires high complexity. The vendor (PuTTY developers) has already released a patch addressing this issue.

Jwt Attack Information Disclosure
NVD VulDB GitHub
CVE-2026-4545
EPSS 0% CVSS 7.0
HIGH This Week

Flos Freeware Notepad2 version 4.2.25 contains an uncontrolled search path vulnerability (DLL hijacking) in the PROPSYS.dll library. A local attacker with low privileges could exploit this to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability, though the attack complexity is high and exploitation is considered difficult. The vendor did not respond to early disclosure attempts.

Information Disclosure
NVD VulDB
CVE-2026-4541
EPSS 0% CVSS 2.5
LOW POC PATCH Monitor

A cryptographic signature verification flaw exists in tinyssh's Ed25519 signature handler (crypto_sign_ed25519_tinyssh.c) that allows improper validation of signatures, potentially enabling an attacker to forge or bypass signature checks. janmojzis tinyssh versions up to 20250501 are affected, with the vulnerability requiring local execution and high attack complexity. A public exploit has been disclosed, and vendor patches are available in version 20260301.

Jwt Attack Information Disclosure
NVD VulDB GitHub
CVE-2026-33550
EPSS 0% CVSS 2.0
LOW PATCH Monitor

SOGo versions prior to 5.12.5 contain two related one-time password (OTP) implementation weaknesses: the OTP is not regenerated when users disable and re-enable two-factor authentication, and the OTP length is only 12 digits instead of the cryptographically recommended 20 digits. While the CVSS score is low (2.0) due to high attack complexity and privileges required, this vulnerability could allow authenticated administrators or high-privilege users with social engineering capability to bypass or weaken OTP protections. No known active exploitation or public proof-of-concept exists, but the issue has been acknowledged and patched by the vendor.

Information Disclosure
NVD GitHub VulDB
CVE-2026-33549
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

SPIP versions 4.4.10 through 4.4.12 contain a privilege escalation vulnerability that allows authenticated users with limited permissions to assign administrator privileges to themselves or other accounts through improper handling of the STATUT field during author data structure editing. An attacker with login credentials and user interaction can exploit this to gain full administrative control, leading to complete compromise of the CMS instance. The vulnerability was patched in version 4.4.13.

Information Disclosure
NVD VulDB
CVE-2026-4532
EPSS 0% CVSS 5.5
MEDIUM POC This Month

The Simple Food Ordering System through version 1.0 allows unauthenticated remote attackers to access sensitive database files through improper access controls in the Database Backup Handler component. Public exploit code exists for this vulnerability, which could enable attackers to retrieve database backups containing sensitive information. Configuration changes are recommended as no patch is currently available.

Path Traversal Information Disclosure
NVD VulDB GitHub
CVE-2026-4511
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A code injection vulnerability exists in vanna-ai vanna up to version 2.0.2, specifically in the exec function of the /src/vanna/legacy file. This authenticated remote code injection allows attackers with login credentials to execute arbitrary code with limited impact on confidentiality, integrity, and availability. A proof-of-concept exploit has been publicly disclosed on GitHub, and the vendor has not responded to early disclosure notifications, making this an active concern for deployed instances.

Information Disclosure
NVD VulDB GitHub
CVE-2026-2351
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

The Task Manager plugin for WordPress contains an arbitrary file read vulnerability in the callback_get_text_from_url() function that allows authenticated attackers with Subscriber-level privileges and above to read sensitive files from the server. This information disclosure vulnerability affects all versions up to and including 3.0.2 of the eoxia Task Manager plugin. The vulnerability has a CVSS score of 6.5 and presents moderate real-world risk due to its low attack complexity and the prevalence of WordPress installations, though exploitation requires valid user credentials.

WordPress Information Disclosure
NVD GitHub
CVE-2026-3546
EPSS 0% CVSS 5.3
MEDIUM This Month

The e-shot form builder plugin for WordPress contains a sensitive information exposure vulnerability in the eshot_form_builder_get_account_data() AJAX handler that is accessible to any authenticated user without capability checks or nonce verification. An attacker with Subscriber-level access or higher can extract the e-shot API token and subaccount information by calling this AJAX endpoint, potentially compromising the victim's e-shot platform account. The vulnerability affects all versions up to and including 1.0.2, and while this CVE does not appear in the KEV catalog or have public proof-of-concept code readily available, the CVSS score of 5.3 reflects moderate risk due to the low attack complexity and lack of user interaction required.

WordPress Information Disclosure
NVD VulDB
CVE-2026-3460
EPSS 0% CVSS 5.3
MEDIUM This Month

The REST API TO MiniProgram plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated attackers with Subscriber-level access to modify arbitrary users' WeChat shop metadata by exploiting a permission validation flaw. The vulnerability affects all versions up to and including 5.1.2, where the permission callback validates one parameter (openid) but the actual modification function uses a different attacker-controlled parameter (userid) without cross-validation. Attackers can exploit this via the REST API to alter storeinfo, storeappid, and storename fields for any user account, potentially disrupting store operations or impersonating legitimate shop owners.

Information Disclosure WordPress
NVD VulDB
CVE-2026-3641
EPSS 0% CVSS 5.3
MEDIUM This Month

The Appmax WordPress plugin versions up to 1.0.3 contain an improper input validation vulnerability in its public REST API webhook endpoint at /webhook-system that fails to authenticate, verify signatures, or validate the authenticity of incoming webhook requests. Unauthenticated attackers can exploit this by crafting malicious webhook payloads to modify existing WooCommerce order statuses, create arbitrary new orders and products with attacker-controlled data, and inject arbitrary metadata into orders. With a CVSS score of 5.3 (medium severity), a CVSS vector indicating network accessibility with low attack complexity and no authentication required, and confirmed vulnerability references in the official WordPress plugin repository, this vulnerability poses a significant integrity risk to e-commerce sites using the affected plugin.

Information Disclosure WordPress
NVD VulDB
CVE-2026-32897
EPSS 0% CVSS 3.7
LOW POC PATCH Monitor

OpenClaw versions prior to 2026.2.22 suffer from cryptographic secret reuse where the gateway authentication token is inappropriately reused as a fallback hashing secret for owner-ID obfuscation in system prompts sent to third-party model providers. An unauthenticated attacker with visibility into system prompts (such as through model provider logs, prompt injection, or interception) can reverse-engineer the gateway authentication token from hash outputs when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, directly compromising authentication security. The vulnerability has a low CVSS score of 3.7 due to high attack complexity and limited impact scope, but represents a critical cryptographic design flaw that violates separation-of-concerns principles across security domains.

Information Disclosure
NVD GitHub VulDB
CVE-2026-32054
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the browser trace and download output path handling that allows local attackers with limited privileges to escape the managed temporary root directory and overwrite arbitrary files on the system. An attacker can create symbolic links to redirect file writes outside the intended sandbox, resulting in information disclosure and potential system compromise through arbitrary file modification. A patch is available from the vendor, and this vulnerability requires local access with low privileges to exploit, making it a medium-severity concern for multi-user systems.

Information Disclosure
NVD GitHub VulDB
CVE-2026-24060
EPSS 0% CVSS 9.1
CRITICAL Emergency

This vulnerability affects Automated Logic's WebCTRL Premium Server, which transmits BACnet protocol data in cleartext without encryption. An attacker positioned on the network can sniff sensitive service information including File Start Position, File Data, and proprietary PLC update formats using tools like Wireshark, enabling both information disclosure and potential integrity attacks through modification of intercepted traffic. With a CVSS score of 9.1 (Critical) and network-based attack vector requiring no privileges or user interaction, this represents a significant exposure for building automation systems.

Information Disclosure
NVD GitHub VulDB
CVE-2026-33425
EPSS 0% CVSS 5.3
MEDIUM This Month

An information disclosure vulnerability in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows unauthenticated attackers to enumerate private group membership by observing directory result changes when manipulating the exclude_groups parameter. This enables attackers to determine whether specific users are members of private groups without authentication, representing a direct privacy violation. The vulnerability does not appear to be actively exploited in the wild (no KEV status indicated), but patches are available from the vendor.

Information Disclosure
NVD GitHub VulDB
CVE-2026-31926
EPSS 0% CVSS 6.5
MEDIUM This Month

A web-based mapping platform exposes charging station authentication identifiers publicly, allowing unauthenticated network-based attackers to access sensitive credential information without any user interaction required. The vulnerability affects IGL Technologies eparking.fi application and enables attackers to obtain authentication material that could be leveraged for unauthorized access to charging infrastructure. There is no indication of active exploitation in the wild or public proof-of-concept code, but the vulnerability represents a direct exposure of authentication secrets (CWE-522) with moderate real-world impact.

Information Disclosure
NVD GitHub VulDB
CVE-2026-33422
EPSS 0% CVSS 3.5
LOW Monitor

Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain an information disclosure vulnerability where IP addresses of flagged users are exposed to any user with access to the review queue, including those without proper authorization. This allows unauthorized access to sensitive network information that should be restricted to administrators. The vulnerability has a CVSS score of 3.5 (low severity) with no known public exploits or KEV designation, but represents a clear privacy and data protection issue in moderation workflows.

Information Disclosure
NVD GitHub VulDB
CVE-2026-33243
EPSS 0% CVSS 8.2
HIGH This Week

A signature bypass vulnerability exists in the barebox bootloader's FIT (Flattened Image Tree) image verification mechanism. The hashed-nodes property, which lists which FIT nodes were signed, is not itself part of the cryptographic hash, allowing an attacker with high privileges and local access to modify this property and trick the bootloader into loading malicious images that were never signed. This affects barebox versions 2016.03.0 through 2025.09.2 and 2025.10.0 through 2026.03.0, with patches available in versions 2025.09.3 and 2026.03.1.

Information Disclosure
NVD GitHub VulDB
CVE-2026-28204
EPSS 0% CVSS 6.5
MEDIUM This Month

Authentication identifiers for electric vehicle charging stations are publicly exposed through web-based mapping platforms, allowing unauthenticated network-based access to sensitive authentication data. The vulnerability affects CTEK ChargePortal and enables attackers to obtain charging station credentials without requiring any privileges or user interaction. This information disclosure can lead to unauthorized access to charging infrastructure and potential manipulation of charging sessions.

Information Disclosure
NVD GitHub VulDB
CVE-2026-32810
EPSS 0% CVSS 5.5
MEDIUM This Month

Halloy, an IRC application written in Rust, fails to properly restrict file permissions on its configuration directory and files on *nix and macOS systems prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, resulting in world-readable access to plaintext credentials. Any local user on an affected system can read sensitive authentication data stored in config.toml or referenced password files, leading to credential compromise. While no CVSS score or EPSS data is currently available, the vulnerability represents a direct information disclosure risk with low exploitation complexity.

Information Disclosure Apple macOS
NVD GitHub VulDB
CVE-2026-33508
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Parse Server's LiveQuery component fails to enforce query depth limits on WebSocket subscription requests, allowing attackers to send deeply nested logical operators that trigger excessive recursion and CPU consumption. This affects Parse Server deployments where the LiveQuery WebSocket endpoint is accessible to untrusted clients (pkg:npm/parse-server). A patch is available from the vendor with no known workarounds, and while no EPSS score or KEV listing is present, the availability of proof-of-concept code in the patch references suggests exploitation details are publicly documented.

Information Disclosure
NVD GitHub VulDB
CVE-2026-33490
EPSS 0% CVSS 3.7
LOW PATCH Monitor

The h3 web framework contains a path-matching vulnerability in its mount() method that fails to enforce path segment boundaries when checking if requests fall under a mounted sub-application's prefix. This allows attackers to trigger middleware intended for a path like /admin on unrelated routes such as /admin-public or /administrator, potentially polluting request context with unintended privilege flags and leading to authorization bypass. A proof-of-concept is available demonstrating context pollution across mount boundaries, and the vulnerability affects all h3 v2 applications using mount() with prefix-vulnerable path configurations.

Information Disclosure
NVD GitHub
CVE-2026-33419
EPSS 0% CVSS 9.1
CRITICAL Act Now

MinIO AIStor's Security Token Service (STS) AssumeRoleWithLDAPIdentity endpoint contains two combined vulnerabilities that enable LDAP credential brute-forcing: distinguishable error messages allowing username enumeration (CWE-204) and missing rate limiting (CWE-307). All MinIO deployments through the final open-source release with LDAP authentication enabled are affected. Unauthenticated network attackers can enumerate valid LDAP usernames, perform unlimited password guessing attacks, and obtain temporary AWS-style STS credentials granting full access to victim users' S3 buckets and objects.

Microsoft Docker Information Disclosure +2
NVD GitHub VulDB
CVE-2026-33485
EPSS 0% CVSS 7.5
HIGH This Week

An unauthenticated SQL injection vulnerability exists in the AVideo platform's RTMP on_publish callback, allowing remote attackers to extract the entire database via time-based blind SQL injection. The vulnerability affects the wwbn_avideo composer package and can be exploited without authentication to steal user password hashes, email addresses, and API keys. A detailed proof-of-concept is publicly available in the GitHub Security Advisory, and the vulnerability has a CVSS score of 7.5 (High) with network attack vector and low complexity.

SQLi PHP Information Disclosure
NVD GitHub VulDB
CVE-2026-33483
EPSS 0% CVSS 7.5
HIGH This Week

AVideo platform contains an unauthenticated file upload vulnerability in the aVideoEncoderChunk.json.php endpoint that allows remote attackers to exhaust disk space and cause denial of service. Any unauthenticated attacker can upload arbitrarily large files to the server's /tmp directory with no size limits, rate limiting, or cleanup mechanism, and the CORS wildcard header enables browser-based distributed attacks. A detailed proof-of-concept is publicly available demonstrating parallel upload attacks that can fill disk space and crash server services.

Denial Of Service Information Disclosure PHP
NVD GitHub VulDB
CVE-2026-33481
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Syft versions before v1.42.3 fail to properly clean up temporary files when temporary storage becomes exhausted during archive scanning, allowing an attacker to trigger a denial of service by exhausting the system's temporary storage through highly compressed or large artifacts. This affects all users of Syft who scan untrusted or adversarially-crafted archives, as the vulnerability requires no authentication and can be triggered remotely through the normal scanning interface. The vulnerability has been patched in v1.42.3 and no active exploitation has been reported in the wild, though the attack vector is straightforward and does not require special privileges.

Information Disclosure
NVD GitHub
CVE-2026-33429
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

An information disclosure vulnerability in Parse Server's LiveQuery functionality allows attackers to infer the values of protected fields by monitoring whether update events are generated when those fields change, effectively creating a binary oracle that reveals field modifications despite the field values themselves being stripped from event payloads. The vulnerability affects Parse Server npm package across multiple versions, and while no public exploit code or active exploitation has been documented, the attack requires only standard subscription capabilities without elevated privileges. The vendor has released patches that validate the watch parameter against protected fields at subscription time, mirroring existing where clause protections.

Information Disclosure Oracle
NVD GitHub VulDB
CVE-2026-33421
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Parse Server's LiveQuery WebSocket interface contains an authorization bypass vulnerability that allows any authenticated user to subscribe to real-time object updates regardless of Class-Level Permission pointer field restrictions. Affected products include the parse-server npm package, where authenticated attackers can receive real-time updates for all objects in classes that should be restricted by readUserFields and pointerFields CLP settings, bypassing intended access controls that are correctly enforced in the REST API. No public proof-of-concept or active exploitation (KEV) has been reported at this time.

Information Disclosure Authentication Bypass
NVD GitHub VulDB
CVE-2026-33476
EPSS 1% CVSS 7.5
HIGH PATCH This Week

An unauthenticated directory traversal vulnerability exists in Siyuan kernel's /appearance/ endpoint, allowing remote attackers to read arbitrary files accessible to the server process without authentication. The vulnerability affects the Go-based Siyuan note-taking application (github.com/siyuan-note/siyuan/kernel) and has been assigned a CVSS score of 7.5 (High). A working proof-of-concept exploit is publicly available demonstrating successful file retrieval via crafted URLs containing path traversal sequences, and a patch has been released by the vendor.

Information Disclosure Authentication Bypass Path Traversal +3
NVD GitHub VulDB
CVE-2026-4438
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

The GNU C Library (glibc) versions 2.34 through 2.43 contain a vulnerability in the gethostbyaddr and gethostbyaddr_r functions that can return hostnames violating DNS specification requirements when nsswitch.conf is configured to use the DNS backend. This affects any application or system service relying on reverse DNS lookups through glibc, potentially leading to information disclosure or incorrect hostname resolution. While no CVSS score, EPSS probability, or active exploitation status has been publicly assigned, the vulnerability represents a data integrity issue in a foundational system library affecting millions of Linux systems.

Information Disclosure
NVD VulDB
CVE-2026-4437
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A DNS response parsing vulnerability exists in the GNU C Library (glibc) versions 2.34 through 2.43 affecting the gethostbyaddr and gethostbyaddr_r functions. When a malicious or compromised DNS server returns a crafted response that violates the DNS specification, the library may incorrectly treat non-answer sections (such as authority or additional sections) as valid answers, leading to buffer overflow and information disclosure. The vulnerability is classified as a read buffer over-read (CWE-125) and does not currently have a published CVSS score, EPSS metric, or confirmed KEV status, though the underlying mechanism suggests moderate real-world risk in environments with untrusted or attacker-controlled DNS infrastructure.

Information Disclosure Buffer Overflow
NVD VulDB
CVE-2026-33010
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A CORS misconfiguration vulnerability in mcp-memory-service allows any malicious website to perform cross-origin requests to the HTTP API. Versions prior to 10.25.1 of mcp-memory-service from doobidoo are affected, particularly when the HTTP server is enabled with anonymous access, allowing attackers to read, modify, and delete all stored memories without authentication. No KEV listing or public exploitation indicators are currently reported, though the vulnerability's simplicity and the availability of a GitHub security advisory suggest proof-of-concept development would be straightforward.

Cors Misconfiguration Information Disclosure
NVD GitHub VulDB
CVE-2026-32317
EPSS 0% CVSS 7.6
HIGH This Week

An integrity check vulnerability in Cryptomator for Android prior to version 1.12.3 allows attackers to tamper with the vault configuration file, enabling a man-in-the-middle attack against the Hub key loading mechanism. Attackers who can modify the vault.cryptomator file can mix legitimate authentication endpoints with malicious API endpoints to exfiltrate tokens from users unlocking Hub-backed vaults. With a CVSS score of 7.6 and requiring low attack complexity with user interaction, this vulnerability poses a moderate risk to affected users in environments where vault configuration files can be altered.

Information Disclosure Google Hashicorp +1
NVD GitHub VulDB
CVE-2026-32318
EPSS 0% CVSS 7.6
HIGH This Week

A man-in-the-middle vulnerability in Cryptomator for iOS versions prior to 2.8.3 allows attackers who can modify the vault.cryptomator configuration file to intercept authentication tokens by substituting malicious API endpoints while maintaining legitimate authentication endpoints. This affects users unlocking Hub-backed vaults in environments where attackers have write access to vault configuration files. No evidence of active exploitation (not in CISA KEV) has been reported, and patches are available.

Information Disclosure Hashicorp Apple +1
NVD GitHub VulDB
CVE-2026-32309
EPSS 0% CVSS 8.7
HIGH This Week

Cryptomator's Hub-based unlock flow contains a protocol downgrade vulnerability that allows the application to communicate with Hub endpoints over plaintext HTTP instead of enforcing HTTPS. Cryptomator versions prior to 1.19.1 are affected, exposing OAuth bearer tokens, key-loading traffic, and endpoint-level trust decisions to network interception and tampering by active attackers. This is a verified GitHub security advisory with patches available in version 1.19.1, though the absence of an EPSS score or KEV listing indicates limited evidence of active exploitation.

Information Disclosure Hashicorp
NVD GitHub VulDB
CVE-2026-32303
EPSS 0% CVSS 7.6
HIGH This Week

Cryptomator versions prior to 1.19.1 contain an integrity check vulnerability that allows attackers to tamper with the vault.cryptomator configuration file, enabling man-in-the-middle attacks during Hub key loading. Attackers can mix legitimate authentication endpoints with malicious API endpoints to exfiltrate access tokens from users unlocking Hub-backed vaults in environments where vault configuration files can be modified. The CVSS score of 7.6 indicates high severity with network attack vector requiring low privileges and user interaction, though no active exploitation (KEV) or public POC has been reported at this time.

Information Disclosure Hashicorp
NVD GitHub VulDB
CVE-2025-62844
EPSS 0% CVSS 4.0
MEDIUM This Month

A weak authentication vulnerability exists in QNAP QHora/QuRouter devices that allows attackers with local network access to bypass authentication mechanisms and disclose sensitive information. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires network-level access but no special privileges. While no CVSS score or EPSS data is publicly available, the classification as CWE-1390 (Weak Authentication) and the emphasis on local network access indicate this is a network-adjacent threat with moderate real-world risk, particularly in environments where untrusted devices can connect to the local network.

Information Disclosure Qurouter
NVD VulDB
CVE-2026-33286
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

A critical arbitrary method execution vulnerability affects Graphiti's JSONAPI write functionality, allowing attackers to invoke any public method on underlying model instances, classes, or associations through crafted JSONAPI payloads. Applications using Graphiti (a Ruby gem for building JSON:API compliant APIs) that expose write endpoints to untrusted users are affected, particularly versions prior to 1.10.2. The vulnerability scores CVSS 9.1 (Critical) with network-based exploitation requiring no authentication or user interaction, enabling both high integrity and availability impacts.

Information Disclosure
NVD GitHub VulDB
CVE-2026-4519
EPSS 0% CVSS 7.0
HIGH PATCH This Week

The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-line options rather than URLs, potentially leading to unintended command execution or information disclosure. This affects all CPython versions using the vulnerable webbrowser module. An attacker can craft a malicious URL containing leading dashes (e.g., '-P' or '--profile') that, when passed to webbrowser.open(), may trigger browser-specific behavior such as loading alternate profiles or executing browser commands, resulting in information disclosure or other security impacts.

Information Disclosure
NVD GitHub VulDB
CVE-2026-31381
EPSS 0% CVSS 5.3
MEDIUM This Month

Gainsight Assist contains an information disclosure vulnerability where user email addresses (PII) are exposed in base64-encoded format within the OAuth callback URL's state parameter. This affects all versions of Gainsight Assist and allows unauthenticated remote attackers to extract sensitive personal information with no user interaction required. The vulnerability has a CVSS score of 5.3 (moderate) with confirmed disclosure via Rapid7, and patch availability has been documented in vendor advisories.

Information Disclosure
NVD VulDB
CVE-2026-4434
EPSS 0% CVSS 8.1
HIGH This Week

Devolutions Server contains an improper certificate validation vulnerability in its PAM propagation WinRM connections that allows network attackers to conduct man-in-the-middle (MITM) attacks by exploiting disabled TLS certificate verification. This vulnerability affects Devolutions Server versions prior to 2026.1, enabling attackers positioned on the network path to intercept and manipulate WinRM communications without detection. The vulnerability is classified under CWE-295 (Improper Certificate Validation) and carries significant information disclosure and server compromise risks, particularly in environments where PAM propagation relies on WinRM for credential delivery and privileged session management.

Information Disclosure
NVD VulDB
CVE-2026-32595
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Traefik's BasicAuth middleware contains a timing attack vulnerability that enables username enumeration through observable response time differences between valid and invalid usernames. An unauthenticated network attacker can distinguish existing usernames from non-existent ones by measuring response latency: valid usernames trigger ~166ms bcrypt operations while invalid usernames return in ~0.6ms, creating a ~298x timing differential. Affected versions include Traefik 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1; patches are available in versions 2.11.41, 3.6.11, and 3.7.0-ea.2.

Information Disclosure
NVD GitHub VulDB
CVE-2026-22324
EPSS 0% CVSS 8.1
HIGH This Week

A PHP Local File Inclusion vulnerability exists in the ThemeREX Melania WordPress theme, allowing remote attackers to include and execute arbitrary local files on the server. All versions up to and including 2.5.0 are affected. The CVSS score of 8.1 indicates high severity with network-based attack vector, though attack complexity is rated as high; there is no evidence of active exploitation (not in KEV) or public proof-of-concept at this time.

PHP Information Disclosure Lfi
NVD VulDB
CVE-2026-33069
EPSS 0% CVSS 7.5
HIGH PATCH This Week

PJSIP versions 2.16 and below contain a cascading out-of-bounds heap read vulnerability in the pjsip_multipart_parse() function that allows attackers to read 1-2 bytes of adjacent heap memory when processing SIP messages with multipart bodies or SDP content. The vulnerability affects all applications using PJSIP to process incoming SIP messages, as the flaw does not require authentication or user interaction and can be triggered remotely over the network. While the CVSS score of 6.9 reflects moderate severity with low confidentiality impact, the low attack complexity and remote exploitability make this a practical concern for SIP-based communication systems.

Buffer Overflow Information Disclosure
NVD GitHub VulDB
CVE-2026-33056
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

The tar-rs library versions 0.4.44 and below contain a symlink-following vulnerability in the unpack_dir function that allows attackers to modify permissions on arbitrary directories outside the extraction root. An attacker can craft a malicious tarball containing a symlink entry followed by a directory entry with the same name; when unpacked, the library follows the symlink and applies chmod to the target directory rather than validating it resides within the extraction root. This vulnerability has a CVSS score of 5.1 with network accessibility and low attack complexity, making it exploitable by remote attackers without privileges or special user interaction beyond accepting a crafted archive.

Information Disclosure
NVD GitHub VulDB
CVE-2026-23278
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A resource management flaw in the Linux kernel's netfilter nf_tables subsystem fails to properly iterate over all pending catchall elements during transaction processing, leading to incomplete cleanup when a map holding catchall elements is destroyed. This affects Linux kernel versions across multiple stable branches and can result in memory corruption, information disclosure, or denial of service when crafted netfilter rule transactions are processed. The vulnerability is not known to be actively exploited in the wild, but the presence of multiple stable branch patches and specific affected kernel versions indicates kernel maintainers have treated this as a material flaw requiring coordinated remediation.

Linux Information Disclosure Redhat +1
NVD VulDB
CVE-2026-23275
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A race condition exists in the Linux kernel's io_uring subsystem where task work flags can be manipulated on stale ring memory during concurrent ring resize operations when DEFER_TASKRUN or SETUP_TASKRUN modes are enabled. This vulnerability affects Linux kernel versions including 6.13, 6.18.19, 6.19.9, and 7.0-rc4, and could allow an attacker with local code execution capabilities to cause information disclosure or kernel memory corruption. The vulnerability has been patched across multiple stable kernel versions as evidenced by available git commits, though no active KEV status or EPSS score has been published.

Linux Information Disclosure Redhat +1
NVD VulDB
CVE-2026-23274
EPSS 0% CVSS 7.8
HIGH PATCH This Week

This vulnerability exists in the Linux kernel's netfilter xt_IDLETIMER module, where revision 0 rules can cause a kernel panic by attempting to reuse timer objects created by revision 1 with ALARM semantics. An attacker with the ability to insert netfilter rules (requiring CAP_NET_ADMIN or equivalent privileges) can trigger uninitialized timer_list access, leading to debugobjects warnings and kernel panic when panic_on_warn=1 is enabled. No active exploitation in the wild has been reported, but patches are available across multiple stable kernel versions.

Linux Information Disclosure Redhat +1
NVD VulDB
CVE-2026-23273
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A use-after-free race condition exists in the Linux kernel's macvlan driver within the macvlan_common_newlink() error handling path. When a macvlan device creation fails after the network device becomes visible to the RCU (Read-Copy-Update) subsystem, the caller's subsequent free_netdev(dev) can race with ongoing packet forwarding operations, causing kernel memory corruption and potential information disclosure. This vulnerability affects Linux kernel versions 5.10 through 6.19 and later, and while no public exploit exists, the issue is reproducible via crafted netlink commands that trigger concurrent device creation and packet transmission.

Linux Information Disclosure Redhat +1
NVD VulDB
CVE-2026-23272
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A use-after-free vulnerability exists in the Linux kernel's netfilter nf_tables subsystem where a set element can be published and removed without waiting for RCU grace period completion, allowing concurrent RCU readers to access freed memory. This affects all Linux kernel versions across multiple stable branches (4.10 and later) as indicated by the CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. An attacker with local access to manipulate netfilter rules could trigger information disclosure or denial of service by exploiting the race condition during batch insertion of elements into a full netfilter set.

Information Disclosure Linux Redhat +1
NVD VulDB
CVE-2026-4478
EPSS 0% CVSS 8.1
HIGH This Week

The Yi Technology YI Home Camera 2 version 2.1.1_20171024151200 contains a cryptographic signature verification vulnerability in its HTTP firmware update handler, specifically in the home/web/ipc file component. An attacker can exploit this remotely (network-accessible) to bypass firmware integrity checks and potentially install malicious firmware, though the attack complexity is high and exploitation is considered difficult. A public exploit is available, significantly increasing risk despite the high complexity barrier.

Information Disclosure
NVD VulDB
CVE-2026-4477
EPSS 0% CVSS 3.1
LOW Monitor

Yi Technology YI Home Camera 2 (version 2.1.1_20171024151200) contains a hard-coded cryptographic key vulnerability in its WPA/WPS component that allows attackers to disclose sensitive information through local network access. While the exploit has been publicly disclosed and proof-of-concept code is available, the attack requires high complexity and difficult exploitability, limiting real-world risk to local network environments only. The vendor was notified early but provided no response, leaving users without an official patch.

Information Disclosure
NVD VulDB
CVE-2026-33055
EPSS 0% CVSS 8.1
HIGH PATCH This Week

The tar-rs Rust library versions 0.4.44 and below contain a logic flaw where PAX (POSIX.1-2001) size headers are conditionally skipped when the base tar header size is nonzero, causing the library to parse tar archives differently than other standard tar implementations like Go's archive/tar. This discrepancy allows an attacker to craft malicious tar archives that appear different when unpacked by tar-rs versus other parsers, potentially leading to information disclosure or file confusion attacks. The vulnerability affects any application using tar-rs to parse untrusted archives and expecting consistent behavior with other tar parsers, with a moderate CVSS score of 5.1 indicating low attack complexity and network accessibility.

Information Disclosure Memory Corruption
NVD GitHub VulDB
CVE-2026-33037
EPSS 0% CVSS 8.1
HIGH This Week

WWBN AVideo open source video platform versions 25.0 and below ship with a hardcoded default administrator password ('password') in official Docker deployment files that is automatically used during installation without any forced change mechanism. Attackers can gain immediate administrative access to unpatched instances, enabling user data exposure, content manipulation, and potential remote code execution via file upload and plugin management features. The issue is compounded by weak MD5 password hashing and similarly insecure default database credentials (avideo/avideo).

RCE Information Disclosure Docker
NVD GitHub VulDB
CVE-2026-4136
EPSS 0% CVSS 4.3
MEDIUM This Month

The Membership Plugin - Restrict Content for WordPress contains an unvalidated redirect vulnerability in the 'rcp_redirect' parameter that allows unauthenticated attackers to redirect users to arbitrary external sites via password reset emails. Affected versions include all releases up to and including 3.2.24. This vulnerability has a CVSS score of 4.3 (low-to-moderate severity) and requires user interaction, limiting its immediate exploitation impact but creating a viable phishing vector for credential harvesting or malware distribution.

WordPress Information Disclosure
NVD VulDB
CVE-2026-32942
EPSS 0% CVSS 8.1
HIGH PATCH This Week

PJSIP versions 2.16 and earlier contain a heap use-after-free vulnerability in ICE session handling caused by race conditions between session destruction and callback execution, enabling memory corruption and potential code execution. This flaw affects all systems using vulnerable PJSIP versions for multimedia communication and currently has no available patch. With a CVSS score of 8.1, the vulnerability is remotely exploitable without authentication or user interaction.

Information Disclosure Use After Free Memory Corruption
NVD GitHub VulDB
CVE-2026-32935
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

phpseclib versions 1.0.26 and below, 2.0.0 through 2.0.51, and 3.0.0 through 3.0.49 are vulnerable to a padding oracle timing attack when using AES in CBC mode, allowing attackers to decrypt sensitive data through cryptanalysis of response timing differences. This information disclosure vulnerability affects any PHP application using the vulnerable phpseclib library for AES-CBC encryption. Although no CVSS score, EPSS data, or confirmed active exploitation (KEV status) are currently available, the presence of a verified fix and security advisory indicates this is a legitimate cryptographic weakness requiring attention.

PHP Oracle Information Disclosure
NVD GitHub VulDB
CVE-2026-31869
EPSS 0% CVSS 4.3
MEDIUM This Month

Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contains an information disclosure vulnerability in the ComposerController#mentions endpoint that reveals hidden group membership to any authenticated user capable of messaging the group. An attacker can exploit this by supplying hidden-membership group names and probing arbitrary usernames to infer membership based on whether the user_reasons field returns 'private', effectively bypassing group member-visibility controls designed to protect sensitive group information. This vulnerability is not known to be actively exploited in the wild (KEV status unknown), carries a moderate CVSS score of 5.3 reflecting low confidentiality impact with low attack complexity, and requires prior authentication.

Information Disclosure
NVD GitHub VulDB
CVE-2026-30891
EPSS 0% CVSS 6.5
MEDIUM This Month

Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain an authorization bypass vulnerability in the user actions endpoint that allows authenticated users to access other users' private activity data. An attacker with valid login credentials can enumerate and view private user actions without proper permission checks, resulting in information disclosure. This is a moderate-severity issue with a CVSS score of 5.3 that requires authentication to exploit but has no known active exploitation or public proof-of-concept at this time.

Information Disclosure
NVD GitHub VulDB
CVE-2026-4462
EPSS 0% CVSS 8.8
HIGH PATCH This Week

An out of bounds read vulnerability exists in the Blink rendering engine of Google Chrome prior to version 146.0.7680.153, allowing remote attackers to read memory outside intended buffer boundaries via a specially crafted HTML page. This vulnerability (CWE-125) has been classified as High severity by the Chromium security team and enables information disclosure attacks without requiring user interaction beyond visiting a malicious webpage. A vendor patch is available, and the vulnerability affects 9 Debian releases, indicating widespread downstream impact across Linux distributions.

Google Buffer Overflow Information Disclosure +3
NVD VulDB
CVE-2026-4461
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Google Chrome's V8 engine prior to version 146.0.7680.153 enables remote code execution when users visit malicious websites, affecting Chrome, Ubuntu, and Debian systems. An unauthenticated attacker can craft a specially designed HTML page to trigger memory corruption and achieve complete system compromise without user interaction beyond visiting the page. A patch is available for immediate deployment.

Google Information Disclosure Ubuntu +2
NVD VulDB
CVE-2026-4460
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Memory disclosure in Google Chrome's Skia rendering engine prior to version 146.0.7680.153 enables unauthenticated attackers to read out-of-bounds memory contents by tricking users into visiting malicious web pages. Affected users across Chrome, Ubuntu, and Debian distributions face potential information leakage including sensitive data from process memory. A patch is available for immediate deployment.

Google Buffer Overflow Information Disclosure +3
NVD VulDB
CVE-2026-4459
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Google Chrome's WebAudio component (versions prior to 146.0.7680.153) can be triggered through out-of-bounds memory access when processing malicious HTML pages, enabling remote attackers to achieve arbitrary code execution without user interaction beyond viewing the page. The vulnerability affects Chrome, Ubuntu, and Debian systems, with patches now available across all platforms.

Google Information Disclosure Buffer Overflow +3
NVD VulDB
CVE-2026-4457
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap memory corruption in Google Chrome's V8 engine (versions prior to 146.0.7680.153) stems from type confusion vulnerabilities that can be triggered through malicious HTML pages without user privileges. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution or crash the browser. The vulnerability affects Chrome, Ubuntu, and Debian systems, with patches now available.

Google Memory Corruption Information Disclosure +3
NVD VulDB
CVE-2026-4453
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Dawn component on macOS versions prior to 146.0.7680.153 results from an integer overflow vulnerability that can be triggered through a malicious HTML page. An unauthenticated attacker can exploit this to access sensitive information from other origins without user interaction beyond viewing the crafted page. Patches are available for Chrome, Ubuntu, and Debian.

Google Information Disclosure Ubuntu +2
NVD VulDB
CVE-2026-4451
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A renderer process sandbox escape vulnerability exists in Google Chrome prior to version 146.0.7680.153 due to insufficient input validation in the Navigation component. An attacker who has already compromised the renderer process can exploit this via a crafted HTML page to escape the sandbox and gain elevated privileges on the host system. A patch is available from Google, and the vulnerability is tracked in the EUVD database with High severity classification.

Google Information Disclosure Ubuntu +2
NVD VulDB
CVE-2026-32829
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Information disclosure in lz4_flex compression library versions 0.11.5 and below and 0.12.0 allows attackers to read sensitive data from uninitialized memory or previous decompression operations through crafted LZ4 input that triggers out-of-bounds reads in the block-based decompression API. The vulnerability affects Ubuntu and Debian systems using vulnerable versions of lz4_flex, particularly when the safe-decode feature is disabled. No patch is currently available, leaving affected systems exposed to potential exposure of cryptographic keys and other sensitive data.

Information Disclosure
NVD GitHub VulDB
CVE-2026-32828
EPSS 0% CVSS 2.0
LOW PATCH Monitor

Kargo versions 1.4.0-1.6.3, 1.7.0-1.7.8, 1.8.0-1.8.11, and 1.9.0-1.9.4 contain a Server-Side Request Forgery vulnerability in http and http-download promotion steps that allows authenticated attackers to access cloud instance metadata endpoints and exfiltrate sensitive credentials like IAM keys. An attacker with permissions to create or modify Stages or Promotion resources can exploit this by crafting malicious manifests with full control over request headers and methods, bypassing cloud provider SSRF protections. Currently, no patch is available for this vulnerability.

SSRF Information Disclosure
NVD GitHub VulDB