Information Disclosure

UiPress Lite versions through 3.5.09 contain a missing authorization vulnerability (CWE-862) that allows authenticated users to exploit incorrectly configured access control security levels, enabling privilege escalation or unauthorized resource access. An attacker with low-level user credentials can bypass authorization checks to access or modify functionality restricted to higher-privilege roles. The vulnerability has a CVSS score of 6.3 with network-based attack vector requiring only low privileges, indicating moderate real-world exploitability.

The Download Manager plugin for WordPress contains a missing capability check in the 'reviewUserStatus' function that allows authenticated subscribers and above to access sensitive user information without proper authorization. Affected versions include all releases up to and including 3.3.49, enabling attackers with minimal privileges to retrieve email addresses, display names, and registration dates for any user on the site. While the CVSS score of 4.3 is moderate and the vulnerability requires authentication, the ease of exploitation and the breadth of exposed personal data present a meaningful information disclosure risk for WordPress installations using this plugin.

A PHP remote/local file inclusion vulnerability exists in the Ovatheme Tripgo WordPress theme due to improper control of filename parameters in include/require statements. Versions prior to 1.5.6 are affected, allowing unauthenticated remote attackers to potentially include arbitrary files and execute malicious code. This vulnerability has a CVSS score of 8.1 (High) with network attack vector but high attack complexity, and has been reported by Patchstack as exploitable for local file inclusion and information disclosure.

IBM QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14 contain an information disclosure vulnerability where sensitive configuration data is stored in plaintext or insufficiently protected files readable by unprivileged local users. An attacker with local filesystem access can read these configuration files to extract sensitive information such as credentials, API keys, or system parameters, potentially enabling lateral movement or further compromise of the SIEM infrastructure. A patch is available from IBM, and this vulnerability should be prioritized for organizations running affected QRadar versions as SIEM systems are high-value targets.

IBM QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14 contain a cross-tenant information disclosure vulnerability that allows an authenticated attacker with access to one tenant account to retrieve hostname data belonging to other tenants. The vulnerability has a CVSS score of 5.0 with low attack complexity and requires only user-level privileges, making it a practical risk in multi-tenant deployments. A patch is available from IBM, and there is no indication of active exploitation in the wild or public proof-of-concept code.

OpenClaw versions prior to 2026.3.1 contain a post-approval executable rebind vulnerability in the system.run approval mechanism that fails to pin executable identity when argv[0] is not a full path. An attacker with local access and low privileges can modify PATH environment variables after an operator approves a command execution to redirect the approval to execute a different binary, achieving arbitrary command execution with the privileges of the OpenClaw process. The vulnerability has a moderate CVSS score of 6.0 reflecting local attack vector and high privilege requirements, but poses significant risk in environments where approval workflows are relied upon for security boundaries.

OpenClaw versions prior to 2026.3.2 contain a symlink traversal vulnerability in the stageSandboxMedia function that fails to validate destination symlinks during media staging operations. This allows local attackers with low privileges to write files outside the intended sandbox workspace by placing malicious symlinks in the media/inbound directory, resulting in arbitrary file overwrite on the host system. A patch is available from the vendor, and the vulnerability was reported by VulnCheck with public references including a GitHub security advisory and commit fix.

OpenClaw 2026.3.1 contains an approval integrity bypass vulnerability in the system.run node-host execution feature where attackers can rewrite command-line arguments (argv) to change the semantics of operator-approved commands. An authenticated local attacker with low privileges can place malicious scripts in the working directory to execute unintended code despite the operator approving different command text, resulting in high-impact confidentiality, integrity, and availability violations. A patch is available from the vendor, and no public exploit code has been widely reported, but the vulnerability represents a critical trust boundary violation in approval workflows.

OpenClaw versions prior to 2026.2.25 suffer from a webhook replay vulnerability where valid signed Nextcloud Talk webhook requests lack durable replay state suppression, allowing attackers to capture and replay previously legitimate signed requests to trigger duplicate inbound message processing. This can result in message duplication, data integrity issues, and potential availability degradation. While the CVSS score of 4.8 is moderate, the attack requires no authentication and can be executed over the network with medium complexity, making it a viable attack vector for threat actors with network visibility to webhook traffic.

OpenClaw versions before 2026.3.2 are vulnerable to a race condition in ZIP extraction that permits local attackers with limited privileges to write arbitrary files outside the intended extraction directory. By manipulating symlinks between path validation and write operations, an attacker can achieve arbitrary file placement on the system. A patch is available to resolve this integrity issue.

SAMtools mpileup command contains a use-after-free vulnerability in reference data management that can leak sensitive program state information or trigger application crashes when processing aligned DNA sequences. The vulnerability affects versions prior to 1.2 and requires no authentication or user interaction to exploit, though a patch is not yet available. An attacker could leverage this to obtain information disclosure or cause denial of service against systems processing bioinformatics data with vulnerable SAMtools versions.

The Nhost storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection, allowing attackers to upload files with spoofed MIME types that bypass bucket-level MIME restrictions. This affects the Go module github.com/nhost/nhost and could cause downstream systems (browsers, CDNs, applications) to mishandle files based on false type metadata. While the CVSS vector indicates low immediate severity due to requiring user interaction and lacking direct confidentiality or availability impact, the metadata corruption poses integrity risks for systems relying on accurate file type information.

UDM incorrectly converts client-side errors to server-side errors and mistranslates PATCH requests to PUT when forwarding to UDR, exposing internal error handling behavior that prevents clients from distinguishing between legitimate client errors and actual server failures. An unauthenticated remote attacker can exploit this by sending PATCH requests with malformed parameters to leak information about the service's internal architecture and error handling mechanisms. A patch is available to address this HTTP method translation and improper error handling issue.

A header leakage vulnerability exists in the internal HTTP client of HAPI FHIR Core library that causes sensitive headers (such as authentication tokens) to be forwarded to third-party hosts when following HTTP redirects. Multiple HAPI FHIR packages including org.hl7.fhir.utilities, org.hl7.fhir.convertors, and various FHIR version implementations (DSTU2, DSTU3, R4, R4B, R5) are affected in versions prior to 6.8.3. With a CVSS score of 9.8 (Critical), this vulnerability allows network-based attackers to capture sensitive credentials without authentication or user interaction, though no EPSS score, KEV listing, or public POC is currently documented.

This is an improper error handling vulnerability in free5GC's UDM (Unified Data Management) component that incorrectly converts valid 400 Bad Request responses from downstream UDR (Unified Data Repository) services into 500 Internal Server Error responses when processing DELETE requests with empty `supi` path parameters. An attacker or misconfigured client can exploit this by sending malformed DELETE requests to the sdm-subscriptions endpoint, causing the UDM to leak internal error handling behavior and making it difficult for legitimate clients to distinguish between client-side errors and actual server failures. This vulnerability affects free5GC v4.0.1 and is classified as an information disclosure issue (CWE-209), though no CVSS score or KEV status has been assigned and no public exploit code is currently known.

Path traversal in Allure report generator for Jenkins allows unauthenticated attackers to read arbitrary files from the host system by crafting malicious test result files with specially crafted attachment paths. The vulnerability stems from insufficient path validation when processing attachments during report generation, enabling sensitive files to be included in generated reports. A patch is not currently available.

Parse Server's LiveQuery component leaks protected fields and OAuth authentication data to unauthorized subscribers when an afterLiveQueryEvent trigger is registered for a class. The vulnerability affects Parse Server installations using LiveQuery with afterEvent triggers, allowing any user with basic subscription permissions to access sensitive personal information and third-party OAuth tokens belonging to other users. Patches are available from the vendor with workarounds documented.

Devolutions Hub Reporting Service versions 2025.3.1.1 and earlier contain improper certificate validation that disables TLS certificate verification, enabling network attackers to intercept and manipulate encrypted communications. An unauthenticated attacker on the network can conduct man-in-the-middle (MITM) attacks to eavesdrop on sensitive data exchanges or inject malicious content. While no CVSS score or EPSS probability is currently available, the vulnerability's classification under CWE-295 (Improper Certificate Validation) indicates a cryptographic bypass with potentially severe information disclosure implications.

HTSlib versions prior to 1.21.1, 1.22.2, and 1.23.1 contain a buffer over-read vulnerability in the CRAM decoder's cram_decode_seq() function that fails to properly validate feature data offsets. An attacker can craft malicious CRAM files to read arbitrary data from memory adjacent to reference sequence buffers, leading to information disclosure of program state or denial of service through memory access violations. No active exploitation has been documented, but patches are available from the vendor.

HTSlib contains an out-of-bounds read vulnerability in the cram_decode_slice() function that fails to validate the reference ID field early enough during CRAM file parsing, allowing two separate out-of-bounds reads before error detection. The vulnerability affects HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1, and can result in information disclosure through leaked memory values or application crashes when processing malicious or corrupted CRAM bioinformatics files. While the function reports an error after the reads occur, the window for exploitation exists and the practical impact depends on memory layout and application context.

HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the cram_decode_seq() function when processing CRAM-formatted bioinformatics files with omitted sequence and quality data. An attacker can craft a malicious CRAM file that triggers an out-of-bounds read followed by an attacker-controlled single-byte write to heap memory, potentially enabling arbitrary code execution, data corruption, or denial of service when a user opens the file. No public exploit proof-of-concept has been identified, but the vulnerability is confirmed and patched by the HTSlib project.

This vulnerability is a use-after-free (UaF) condition in the Linux kernel's traffic control (tc) subsystem, specifically in the act_ct (connection tracking) action module. The vulnerability affects all Linux kernel versions where act_ct can be attached to qdiscs other than clsact/ingress, allowing a packet held by the defragmentation engine to be freed while the defrag engine still references it, potentially leading to information disclosure or denial of service. The issue is resolved by restricting act_ct binding to only clsact/ingress qdiscs and shared blocks, eliminating the dangerous egress path usage patterns.

Dell Integrated Dell Remote Access Controller (iDRAC) versions 9, 14G (prior to 7.00.00.174), 15G, and 16G (prior to 7.10.90.00) contain an exposure of sensitive system information vulnerability caused by uncleared debug information in memory or logs. A remote attacker with high privileges can exploit this to disclose confidential system details without modifying or disrupting service availability. While the CVSS score is moderate at 4.9 due to high privilege requirements, the confidentiality impact is rated high, making this relevant for organizations where insider threats or compromised administrator accounts are a concern.

A specially crafted Socket.IO packet can cause the server to allocate unbounded memory by waiting for and buffering a large number of binary attachments, leading to denial of service through memory exhaustion. The vulnerability affects socket.io-parser versions across multiple major releases (v2.x, v3.x, and v4.x) used by Socket.IO server and client implementations. No EPSS score or KEV listing is available, but patches have been released by the vendor.

This vulnerability in the Linux kernel's DVB core media subsystem causes improper reinitialization of a shared ringbuffer waitqueue when the DVR device is reopened, orphaning existing io_uring poll and epoll waitqueue entries with stale pointers. Affected Linux kernels of all versions prior to the patched commits are vulnerable, potentially leading to information disclosure or kernel instability when multiple readers interact with the DVR device simultaneously. While no CVSS score or EPSS probability has been assigned and no active exploitation in the wild is documented, the vulnerability has been patched in stable kernel releases, indicating developer recognition of its severity.

PySpector versions 0.1.6 and earlier contain a security validation bypass in the plugin system that allows arbitrary code execution. The validate_plugin_code() function fails to detect dangerous API calls when invoked indirectly via getattr(), allowing malicious plugins to execute system commands. A public proof-of-concept exploit exists demonstrating the bypass, and while exploitation requires user interaction (installing and trusting a malicious plugin), successful exploitation grants full system access including filesystem manipulation, credential theft, and persistence mechanisms.

The NextGEN Gallery plugin for WordPress contains a Local File Inclusion vulnerability in the 'template' parameter of gallery shortcodes, affecting all versions up to and including 4.0.3. Authenticated attackers with Author-level privileges or higher can include and execute arbitrary PHP files on the server, potentially leading to remote code execution, data theft, or complete site compromise. This is a confirmed vulnerability reported by Wordfence with a high CVSS score of 8.8, though no active exploitation (KEV) status has been reported at this time.

SiYuan's Bazaar (community package marketplace) fails to sanitize HTML in package README files during rendering, allowing stored XSS that escalates to remote code execution due to unsafe Electron configuration. An attacker can submit a malicious package with embedded JavaScript in the README that executes with full Node.js access when any user views the package details in the Bazaar. This affects SiYuan versions 3.5.9 and earlier across Windows, macOS, and Linux, with a CVSS score of 9.6 and multiple real-world exploitation vectors including data theft, reverse shells, and persistent backdoors.

The Jenkins LoadNinja Plugin version 2.1 and earlier fails to mask LoadNinja API keys displayed on the job configuration form, allowing attackers with access to the Jenkins web interface to observe and capture sensitive credentials. This information disclosure vulnerability affects Jenkins administrators and users with job configuration visibility, enabling credential theft that could lead to unauthorized access to LoadNinja services and associated testing infrastructure. No CVSS score, EPSS data, or active exploitation status (KEV listing) is currently available in public sources.

The Jenkins LoadNinja Plugin versions 2.1 and earlier stores LoadNinja API keys in plaintext within job configuration files (config.xml) on the Jenkins controller, allowing unauthorized disclosure of sensitive credentials. Users with Item/Extended Read permission on Jenkins jobs or direct file system access to the controller can extract these API keys, potentially leading to account compromise and unauthorized access to LoadNinja services. This is a straightforward credential exposure vulnerability with no complexity barriers to exploitation once access is gained.

Jenkins versions 2.554 and earlier (LTS 2.541.2 and earlier) contain a path traversal vulnerability in their handling of tar and tar.gz archive extraction that fails to safely process symbolic links, allowing attackers to write files to arbitrary filesystem locations. Attackers with Item/Configure permission or control over Jenkins agent processes can exploit this to deploy malicious scripts and plugins on the Jenkins controller, achieving code execution with the privileges of the Jenkins process. The vulnerability is particularly concerning because it affects the core Jenkins application and enables privilege escalation through plugin installation mechanisms.

A predictable secret identifier (XID) vulnerability in Juju versions 3.0.0 through 3.6.18 allows a malicious grantee to enumerate and predict previously granted secrets owned by the same administrator, enabling unauthorized access to resources intended for other applications. An attacker with high privileges and control over at least one deployed application can exploit this to obtain credentials or configuration data from past secret grants, resulting in information disclosure and potential privilege escalation. While the CVSS score is moderate at 6.6 and exploitation requires specific configuration and high privileges, the fundamental weakness in secret ownership verification represents a significant trust boundary violation in Juju's secret management architecture.

Juju 3.0.0 through 3.6.18 contains a race condition in secrets management that allows authenticated unit agents to intercept and claim ownership of newly created secrets due to a timing window between secret ID generation and revision creation. An attacker with valid unit agent credentials can exploit this to read the initial content of secrets intended for other units. The vulnerability requires local authentication and manual interaction but results in high-impact confidentiality disclosure with no available patch.

LibreChat 0.8.1-rc2 improperly issues JWT tokens to authenticated users for both the LibreChat API and RAG API without adequate scope separation or validation, enabling token reuse across API boundaries. An authenticated attacker with local access can exploit this misconfiguration to access or manipulate resources in the RAG API using credentials intended only for the main LibreChat API. This authentication bypass affects all deployments of LibreChat 0.8.1-rc2, with a proof-of-concept available via the SBA Research advisory (EUVD-2026-12813), though no active KEV exploitation has been reported at this time.

A race condition in the Linux kernel's perf_mmap() function creates a use-after-free vulnerability when concurrent threads attempt to access a ring buffer during failed memory mapping operations. The vulnerability affects Linux kernel versions across 6.18.17, 6.19.7, and 7.0-rc2, allowing a local attacker with standard user privileges to trigger refcount saturation warnings and potential kernel crashes via denial of service. This issue was discovered by Syzkaller fuzzing and has patches available across multiple stable kernel branches.

This vulnerability is an information disclosure issue in the Linux kernel's TCP implementation where the timestamp offset calculation was insufficiently randomized, allowing off-path attackers to leak TCP source ports via a SYN cookie side-channel attack. All Linux kernel versions from 4.11 onwards are affected, with confirmed vulnerable versions including Linux 6.18.17, 6.19.7, and 7.0-rc3. An attacker can exploit this to infer source port numbers used in TCP connections without being on the network path, which can facilitate further network-level attacks such as connection hijacking or targeted DoS.

A race condition vulnerability exists in the Linux kernel's net/sched act_gate module where the hrtimer callback or dump path can access schedule list parameters while they are being replaced, leading to potential use-after-free or memory corruption. The vulnerability affects Linux kernel versions across multiple release branches including 5.8 and later stable releases up to 6.19.8, with the fix implemented through RCU-protected parameter snapshots. This is a kernel-level race condition that could allow local attackers with network scheduler configuration privileges to cause denial of service or potentially achieve code execution through memory corruption.

A remote code execution vulnerability in A flaw (CVSS 5.8) that allows an attacker. Remediation should follow standard vulnerability management procedures.

Cross-course privilege escalation in Moodle Mod Customcert allows authenticated teachers with certificate management rights in any course to read and modify certificate data across the entire Moodle installation due to missing context validation in the editelement callback and save_element web service. An attacker with mod/customcert:manage permissions in a single course can exploit this to disclose sensitive certificate information from other courses or tamper with their certificate elements. Versions 4.4.9 and 5.0.3 patch the vulnerability, but no patch is currently available for affected versions.

OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in the system.run function that allows authenticated operators to execute arbitrary commands on Windows systems by appending malicious arguments after cmd.exe /c while the approval audit log records only the benign command text. An authenticated attacker with operator privileges can exploit this to achieve local command execution on trusted Windows nodes with mismatched or incomplete audit trails, enabling information disclosure and lateral movement while evading detection.

Keycloak's SAML broker endpoint contains a validation flaw that allows attackers with a valid signed SAML assertion to inject encrypted assertions for arbitrary principals when the overall SAML response is unsigned. This leads to authentication bypass and unauthorized access to protected resources. Red Hat build of Keycloak versions 26.2 and 26.4 are affected, with patches available in versions 26.2-16, 26.2.14-1, 26.4-12, and 26.4.10-1. No evidence of active exploitation (not in CISA KEV) has been reported.

This vulnerability enables arbitrary SQL command execution in Microsoft Dynamics 365 Customer Engagement (on-premises) version 1612 through malicious Report Definition Language (RDL) files uploaded to SQL Server Reporting Services. An attacker with the 'Add Reporting Services Reports' privilege can upload a crafted RDL file containing raw SQL queries; if the file is already loaded and executable by the user, this privilege is not required. Upon report generation, arbitrary SQL commands execute in the underlying database, potentially allowing data exfiltration, linked server access, or operating system command execution depending on SQL Server service account permissions. A proof-of-concept has been documented in public repositories, indicating active research and potential exploitation risk.

MuraCMS through version 10.1.10 contains a Cross-Site Request Forgery (CSRF) vulnerability in the bundle creation functionality (csettings.cfc createBundle method) that allows unauthenticated attackers to force administrators into unknowingly creating and exporting site bundles containing complete sensitive data to publicly accessible web directories. Affected administrators have no knowledge the attack occurred, enabling complete data exfiltration including user accounts, password hashes, form submissions, email lists, plugins, and site content. While no CVSS score or EPSS probability is available and KEV status is unknown, the vulnerability's silent nature combined with its ability to compromise all site data without authentication represents a critical confidentiality and integrity risk.

aaPanel v7.57.0 contains a path validation vulnerability that allows local file inclusion (LFI) attacks, enabling attackers to read sensitive files and disclose confidential information. The vulnerability affects the aaPanel control panel application and requires local or proximal access to exploit. While no CVSS score or EPSS data is currently available, the presence of public references and vulnerability research repositories suggests active researcher interest and potential proof-of-concept availability.

A zip slip vulnerability exists in CTFd v3.8.1-18-gdb5a18c4's Admin import functionality, allowing attackers to write arbitrary files outside intended directories by supplying a crafted import file. This path traversal vulnerability affects the CTFd Capture-The-Flag platform and can lead to information disclosure and potential remote code execution depending on file placement. A proof-of-concept exploit has been published on GitHub (syphonetic/CVE-2026-30345), and patch information is available in the CTFd v3.8.2 release blog post.

The WiFi Extender WDR201A (hardware version 2.1, firmware LFMZX28040922V1.02) contains an unprotected UART interface exposed through accessible PCB pads, allowing information disclosure through direct hardware access. An attacker with physical access to the device can connect to the UART pins to read sensitive data, firmware contents, or configuration information without authentication. No CVSS score, EPSS metric, or KEV status is currently available, but a proof-of-concept and detailed security research have been published, confirming the vulnerability's practical exploitability.

CVE-2026-3856 is a security vulnerability (CVSS 5.3) that allows an attacker. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

IBM Planning Analytics Local versions 2.1.0 through 2.1.17 contain an improper access control vulnerability (CWE-200) that allows authenticated users to access sensitive application data and administrative functionalities beyond their authorization level. An attacker with valid credentials can leverage this flaw to read confidential planning and analytics data, escalate privileges, or access administrative functions without proper authorization. A vendor patch is available, and this represents a moderate-to-high risk for organizations running affected versions in production environments.

IBM Planning Analytics Local versions 2.1.0 through 2.1.17 contain a cache poisoning vulnerability (CWE-524) where attackers can manipulate the caching mechanism to store and serve sensitive, user-specific responses as publicly cacheable resources, resulting in information disclosure to unauthorized users. The vulnerability requires low attack complexity and user interaction but only affects confidentiality with a CVSS score of 5.7. A patch is available from the vendor, and this represents a moderate-priority issue requiring prompt remediation in production environments handling sensitive analytical data.

A remote code execution vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.

AVideo (WWBN_AVideo) contains a critical CORS misconfiguration vulnerability that exposes PHP session IDs to any unauthenticated external website, enabling complete account takeover of any logged-in user including administrators. The vulnerability has a working proof-of-concept exploit and requires only that a victim visit an attacker-controlled webpage while logged into AVideo, making it highly exploitable with an 8.1 CVSS score.

CVE-2026-32766 is a security vulnerability. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

An unauthenticated attacker can leverage an exposed password hashing endpoint in PHP applications to obtain hashed versions of arbitrary passwords, facilitating offline cracking attacks against compromised database credentials. The vulnerable `/objects/encryptPass.json.php` file accepts user-supplied passwords via request parameters and returns their encrypted equivalents without authentication, effectively disclosing the application's hashing algorithm and salt to potential adversaries. This information disclosure has a CVSS score of 5.3 and patches are available.

PowerShell Universal before version 2026.1.4 contains insufficient authorization validation on gRPC endpoints, allowing any authenticated user to bypass role-based access controls and execute privileged operations. An attacker with valid credentials can exploit this to read sensitive data, modify or delete resources, and disrupt service availability. No patch is currently available.

Memory corruption in MongoDB Server's slot-based execution engine can be triggered by authenticated users with write privileges through malicious $lookup aggregation queries that cause hash table spillover to disk. Successful exploitation enables denial of service and potential information disclosure, though a patch is not currently available. The attack requires network access and specific query construction, limiting the practical exploit window.

An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file processing functionality, allowing attackers to read memory beyond allocated buffer boundaries. Affinity version 3.0.1.3808 and potentially earlier versions are affected. By crafting a malicious EMF file, an unauthenticated attacker with local file system access can trigger the vulnerability through user interaction (opening the file), potentially disclosing sensitive information such as API keys, credentials, or other data resident in adjacent memory regions. The vulnerability has a CVSS score of 6.1 indicating medium severity with high confidentiality impact but limited integrity and availability consequences.

An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file handling functionality of Canva Affinity, allowing an attacker to read memory beyond allocated buffer boundaries by crafting a malicious EMF file. This vulnerability affects Canva Affinity version 3.0.1.3808 and potentially earlier versions, and requires user interaction (opening a specially crafted file) but no elevated privileges to exploit. Successful exploitation can disclose sensitive information from process memory, with potential for limited availability impact; no public exploit code or active exploitation in the wild has been confirmed based on available intelligence.

An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality, allowing an attacker to read memory beyond allocated buffer boundaries by supplying a specially crafted EMF file. Affected versions include Affinity 3.0.1.3808 and potentially other releases in the Affinity product line. Successful exploitation could disclose sensitive information from application memory, though the vulnerability does not enable code execution or denial of service; however, the local attack vector and user interaction requirement (opening a malicious file) limit real-world impact compared to network-exploitable vulnerabilities.

An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file parsing functionality of Canva Affinity, affecting version 3.0.1.3808 and potentially earlier releases. An attacker can craft a malicious EMF file that, when opened by a user in Affinity, triggers an out-of-bounds memory read, potentially disclosing sensitive information from adjacent memory regions. The vulnerability requires user interaction (opening a file) but no elevated privileges, with a CVSS score of 6.1 indicating moderate severity; while not currently listed in CISA's Known Exploited Vulnerabilities catalog, the straightforward attack vector and information disclosure impact warrant prompt patching.

An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file handling that allows attackers to read memory beyond allocated buffer boundaries. The vulnerability affects Affinity version 3.0.1.3808 and potentially other versions in the product line. An attacker can craft a malicious EMF file that, when opened by a user, triggers the out-of-bounds read to disclose sensitive information from process memory, with a CVSS score of 6.1 indicating moderate severity with high confidentiality impact and limited availability impact.

An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file processing functionality, affecting Affinity 3.0.1.3808 and potentially other versions. An attacker can craft a malicious EMF file that, when opened by a user in Affinity, triggers an out-of-bounds memory read, allowing disclosure of sensitive information from adjacent memory regions. While the CVSS score of 6.1 indicates moderate severity with high confidentiality impact, actual exploitation requires user interaction (opening a file) and is limited to information disclosure without code execution capability.

An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file parsing functionality of Canva Affinity, allowing attackers to read memory beyond allocated buffer boundaries when processing specially crafted EMF files. The vulnerability affects Canva Affinity version 3.0.1.3808 and potentially other versions in the product line; attackers with local access and user interaction can trigger the flaw to disclose sensitive information from process memory. While the CVSS score of 6.1 indicates medium severity with high confidentiality impact and low availability impact, the attack requires local file system access and user interaction (opening a malicious EMF file), limiting widespread exploitation risk.

An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality, affecting Affinity version 3.0.1.3808 and potentially other versions. An attacker can craft a malicious EMF file that, when opened by a user in Affinity, triggers an out-of-bounds memory read, potentially disclosing sensitive information from process memory. With a CVSS score of 6.1 and a local attack vector requiring user interaction, this vulnerability poses a moderate risk of information disclosure with minimal availability impact.

An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality, affecting Affinity version 3.0.1.3808 and potentially earlier versions. An attacker can craft a malicious EMF file that, when opened by a user in Affinity, triggers an out-of-bounds memory read, potentially disclosing sensitive information from the application's memory space. With a CVSS score of 6.1 and a local attack vector requiring user interaction, this vulnerability poses a moderate risk primarily through information disclosure, though local denial of service is also possible.

An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file handling functionality, affecting Affinity version 3.0.1.3808 and potentially other versions. An attacker can craft a malicious EMF file that, when opened by a user in Affinity, triggers an out-of-bounds memory read, potentially disclosing sensitive information from process memory such as authentication tokens, cryptographic keys, or other confidential data. The vulnerability requires user interaction (opening a file) and local access, making it a moderate-priority issue with a CVSS base score of 6.1, though the high confidentiality impact warrants prompt patching.

An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality that allows attackers to read memory beyond allocated buffer boundaries. Canva Affinity version 3.0.1.3808 and potentially earlier versions are affected. An attacker can craft a malicious EMF file that, when opened by a user, triggers the out-of-bounds read to disclose sensitive information from process memory; the vulnerability requires user interaction (opening the file) but no elevated privileges, making it a practical attack vector for phishing or drive-by downloads.

An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file parsing functionality of Canva Affinity, allowing attackers to read memory beyond allocated buffer boundaries by crafting malicious EMF files. Affinity version 3.0.1.3808 and potentially earlier versions are affected. An attacker with local access can exploit this vulnerability through user interaction (opening a crafted EMF file) to disclose sensitive information from process memory, with potential for denial of service through application crashes.

An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file parsing functionality of Canva Affinity, allowing attackers to read memory beyond allocated buffer boundaries through specially crafted EMF files. Affinity version 3.0.1.3808 and potentially earlier versions are affected, with the vulnerability requiring only local access and user interaction (opening a malicious file) to trigger. Successful exploitation enables disclosure of sensitive information from application memory, with potential limited impact on system availability; no active exploitation or public proof-of-concept has been confirmed at this time based on available intelligence sources.

An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) image processing functionality of Canva Affinity, enabling attackers to read memory beyond allocated buffer boundaries through specially crafted EMF files. The vulnerability affects Canva Affinity version 3.0.1.3808 and potentially other versions, allowing unauthenticated local attackers with no special privileges to trigger the flaw via user interaction (opening a malicious file). Successful exploitation can disclose sensitive information from process memory, with a secondary risk of application instability (low availability impact). No active exploitation in the wild or public proof-of-concept has been confirmed based on available intelligence, but the vulnerability has been formally disclosed by Talos Intelligence and tracked in NIST NVD and ENISA EUVD databases.

An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file handling functionality of Canva Affinity, allowing attackers to read memory beyond allocated buffer boundaries when processing specially crafted EMF files. The vulnerability affects Canva Affinity version 3.0.1.3808 and potentially other versions, requiring local access and user interaction (opening a malicious EMF file). Successful exploitation can lead to disclosure of sensitive information from process memory, with limited impact on system availability. No active exploitation in the wild has been confirmed via KEV status, and the CVSS 6.1 score reflects moderate risk balanced between high confidentiality impact and lower attack complexity.

Canva Affinity's EMF file parser is vulnerable to out-of-bounds read attacks when processing specially crafted files, allowing attackers to extract sensitive information from application memory. This local vulnerability requires user interaction to trigger and has no available patch, affecting users who open malicious EMF documents in Affinity.

Canva Affinity's EMF file parser is vulnerable to an out-of-bounds read (CWE-125) when processing specially crafted EMF files, allowing local attackers to extract sensitive data from application memory. This medium-severity vulnerability affects users who open untrusted EMF files and currently has no available patch. The attack requires user interaction and local access but poses a real information disclosure risk.

The password reset mechanism in Parse Server fails to enforce single-use guarantees on reset tokens, allowing attackers to exploit a race condition during concurrent password reset requests. An attacker who intercepts a password reset token can submit a password change request that races against the legitimate user's own reset attempt, potentially causing the attacker's new password to take effect while the user believes their own password was successfully changed. All Parse Server deployments using the password reset feature are affected, with patched versions available from the vendor (Parse Server versions 8.6.48 and later, and 9.6.0-alpha.28 and later).

Devise's Confirmable module with the reconfirmable option enabled contains a race condition that allows attackers to confirm email addresses they don't control by sending concurrent email change requests. By exploiting the desynchronization between the confirmation token and unconfirmed email fields, an attacker can redirect a victim's email confirmation to their own account. This affects all Devise applications using the default Confirmable configuration with email changes, and is patched in Devise v5.0.3.

JetKVM versions prior to 0.5.4 contain an authentication vulnerability that allows unlimited login attempts without rate limiting, enabling attackers to conduct brute-force attacks against user credentials. This affects KVM (Keyboard, Video, Mouse) over IP devices used for remote server management, potentially granting attackers administrative access to critical infrastructure. The vulnerability has been reported by CISA-CG and analyzed by security researchers at Eclypsium in their research on KVM device security risks.

JetKVM versions prior to 0.5.4 lack cryptographic verification of firmware update authenticity, allowing attackers positioned on the network or controlling the update server to inject malicious firmware that bypasses hash validation. This enables local attackers with user interaction to compromise system integrity through a man-in-the-middle attack or server compromise. A patch is available to address this vulnerability.

The GL-iNet Comet (GL-RM1) KVM connects to a GL-iNet site during boot-up to provision client and CA certificates.

A brute-force authentication vulnerability exists in the GL-iNet Comet (GL-RM1) KVM device's web interface, which fails to implement rate limiting or account lockout mechanisms for login attempts. This allows remote attackers to systematically guess credentials and gain unauthorized access to the KVM management interface, potentially compromising all systems connected to the KVM device. The vulnerability affects GL-iNet Comet KVM versions prior to 1.7.2 and has a CVSS score of 7.5, indicating high severity for confidentiality impact.

GL-iNet Comet (GL-RM1) firmware verification fails to authenticate update packages cryptographically, allowing an attacker positioned on the network or controlling the update server to inject malicious firmware. An attacker exploiting this weakness could modify firmware binaries and their corresponding MD5 hashes to bypass integrity checks and gain code execution on affected devices. No patch is currently available.

MongoDB Server sharded clusters are vulnerable to use-after-free memory corruption when authenticated users with read permissions execute malicious $lookup or $graphLookup aggregation pipeline operations. An attacker can exploit this vulnerability to achieve high-impact outcomes including information disclosure, data manipulation, and denial of service. No patch is currently available for this vulnerability.

An authenticated user with read-only role can extract limited amounts of uninitialized stack memory through specially crafted issuances of the filemd5 command in MongoDB Server. This information disclosure vulnerability affects MongoDB Server versions 8.2 prior to 8.2.6, 8.0 prior to 8.0.20, and 7.0 prior to 7.0.31. An attacker with valid database read credentials can exploit this to leak sensitive data from process memory without requiring elevated privileges or user interaction.

Outline versions before 1.5.0 allow authenticated users to enumerate sensitive metadata from documents they shouldn't access via a logic flaw in the events.list API endpoint, exposing document IDs, activity timestamps, and titles of deleted items. This information disclosure enables attackers to bypass UUID protections and craft follow-up IDOR attacks to access restricted documents. The vulnerability requires authentication but affects all users with access to the Outline instance.

CVE-2026-27977 is a security vulnerability (CVSS 5.4). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

CVE-2026-28563 is a security vulnerability (CVSS 4.3) that allows an authenticated user with only dag dependencies permission. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

CVE-2026-26929 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

CVE-2026-28779 is a security vulnerability (CVSS 7.5) that allows any application co-hosted under the same domain. High severity vulnerability requiring prompt remediation. Vendor patch is available.

A cryptographic vulnerability in the Stanford Javascript Crypto Library (SJCL) allows attackers to recover victims' ECDH private keys through a missing point-on-curve validation flaw. The vulnerability affects all versions of SJCL and enables remote attackers to send specially crafted off-curve public keys and observe ECDH outputs to extract private key material. A proof-of-concept exploit is publicly available, though the vulnerability is not currently listed in CISA KEV and has no EPSS score assigned yet.

Unauthenticated attackers can extract sensitive data from non-public custom post types in Royal Addons for Elementor WordPress plugin versions up to 1.7.1049 through improper access controls in the get_main_query_args() function. This allows exposure of private content including Contact Form 7 submissions and WooCommerce coupons without authentication. The vulnerability affects WordPress installations using this plugin and remains unpatched.

Denial of service in libucl allows remote attackers to crash affected applications by submitting maliciously crafted UCL configuration files containing null bytes in object keys, triggering a segmentation fault in the ucl_object_emit function. The vulnerability requires user interaction but has high impact potential with no available patch, affecting systems that parse untrusted UCL input. An attacker can remotely exploit this with low complexity to disable services relying on libucl for configuration parsing.

A critical unrestricted file upload vulnerability in Admidio's Documents & Files module allows authenticated users with upload permissions to bypass file extension restrictions by submitting an invalid CSRF token, enabling upload of PHP scripts that lead to Remote Code Execution. The vulnerability affects Admidio versions prior to the patch and has a published proof-of-concept demonstrating webshell upload and command execution. With a CVSS score of 8.8 and detailed exploitation steps available, this represents a high-priority risk for organizations using Admidio for document management.