Information Disclosure
Monthly
Sensitive process memory exposure in Google Chrome for iOS prior to 150.0.7871.47 enables a physically present attacker to read potentially sensitive data from the browser's memory without authentication. The root cause is insufficient data validation (CWE-20) within the iOS-specific Chrome implementation. No public exploit code or CISA KEV listing has been identified at time of analysis, and the physical access requirement (CVSS AV:P) significantly constrains real-world attacker opportunity.
Sandbox escape in Google Chrome desktop before 150.0.7871.47 lets a remote attacker who has already compromised the renderer process escalate out of the sandbox via a crafted HTML page that triggers a type-confusion bug (CWE-843) in the Tabs component. Exploitation is gated behind prior renderer compromise and user interaction, and the flaw is rated High by Chromium with a CVSS 8.3 due to scope change and total impact. There is no public exploit identified at time of analysis, EPSS is low (0.23%, 13th percentile), and CISA SSVC lists exploitation as none.
Insufficient validation of untrusted input in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Cross-origin data leakage in Google Chrome's SVG rendering subsystem (versions prior to 150.0.7871.47) allows remote attackers to exfiltrate sensitive information from other origins by directing victims to a crafted HTML page. The root cause is insufficient policy enforcement in SVG handling, classified as CWE-346 (Origin Validation Error), effectively bypassing Same-Origin Policy protections. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.21% (11th percentile), indicating low near-term exploitation likelihood despite a CVSS confidentiality impact rated High.
Side-channel information leakage via Chrome's Scroll implementation exposes cross-origin data to remote attackers who can lure a victim to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected; exploitation requires user interaction (visiting the attacker-controlled page) but no authentication. No public exploit identified at time of analysis and EPSS sits at the 11th percentile, though the confidentiality impact is rated High by NVD given the potential to read data from foreign origins.
Sandbox escape in Google Chrome's Skia graphics engine (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, achieving high-impact code execution across the security boundary (scope change). Rated Critical by Chromium and CVSS 9.6, but no public exploit is identified at time of analysis and EPSS is low (0.22%, 13th percentile). SSVC lists exploitation status as none, indicating no observed active exploitation.
Sandbox escape in Google Chrome's ANGLE graphics component before version 150.0.7871.47 allows an attacker who has already compromised the renderer process to break out of the browser sandbox and execute code in a higher-privilege context via a crafted HTML page. Google rates the Chromium security severity as Critical (CVSS 9.6), though this is a second-stage bug requiring a prior renderer compromise. A vendor patch is available; no public exploit has been identified at time of analysis and EPSS exploitation probability is low (0.22%).
Heap corruption in the iOSWeb component of Google Chrome for iOS before 150.0.7871.47 lets a remote attacker who lures a victim to a crafted HTML page potentially achieve memory corruption with high confidentiality, integrity, and availability impact. Chromium rated the underlying issue Critical severity, though the CVSS base score is 8.8 because exploitation requires user interaction (visiting a page). There is no public exploit identified at time of analysis, it is not on CISA KEV, and the EPSS probability is low at 0.21%.
Sandbox escape via type confusion in Google Chrome's Dawn WebGPU implementation allows an attacker who already controls a compromised renderer process to break out of the browser sandbox using a crafted HTML page, affecting all Chrome desktop builds prior to 150.0.7871.47. Rated Critical by Chromium and CVSS 9.8, though the score assumes no prior privilege; realistically it is the second stage of an exploit chain. A vendor patch is available and no public exploit has been identified at time of analysis (EPSS 0.24%, 15th percentile).
Credential leakage in electron-updater (the auto-update component of electron-builder / builder-util-runtime) before 9.7.0 allows an attacker controlling a redirect target to harvest update-feed credentials. The HTTP redirect handler only stripped a header keyed exactly as lowercase "authorization", so PRIVATE-TOKEN (GitLab personal access tokens) and mixed-case Authorization (GitLab Bearer/OAuth) headers were forwarded to attacker-controlled cross-origin redirect destinations. There is no public exploit identified at time of analysis, but the upstream fix is published in version 9.7.0.
The Python Code node in n8n allows authenticated workflow editors to bypass the AST security validator by crafting Python code that evades an incomplete blocklist (CWE-184), reaching the task executor module namespace. Affected self-hosted n8n deployments running versions before 2.25.7 or 2.26.x before 2.26.2 with the Python Task Runner enabled are exposed to environment variable disclosure when N8N_BLOCK_RUNNER_ENV_ACCESS is not set to restrict access, potentially leaking API keys, database credentials, or other secrets injected at process startup. No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Nonce reuse in ImageMagick's AES-CTR cipher implementation exposes encrypted image plaintext to recovery attacks. The PasskeyEncipherImage method in ImageMagick before 7.1.2-22 reuses nonces when performing AES in Counter mode, violating the fundamental security requirement that a nonce be used exactly once per key. A network-accessible attacker who can collect multiple ciphertexts produced with the same passkey and nonce can XOR the outputs to cancel the shared keystream and partially or fully recover encrypted image content. No active exploitation has been identified (not in CISA KEV), and no public exploit code is known at time of analysis.
Heap buffer out-of-bounds read in ImageMagick before 7.1.2-19 via off-by-one error in morphology validation allows local attackers with user interaction to trigger denial of service. The vulnerability stems from incorrect morphology parameters causing single pixel memory access violations within heap buffers, potentially leading to application crashes or information disclosure through controlled reads of adjacent heap memory.
Server-side validation bypass in Capgo before 12.128.2 allows authenticated organization administrators to write invalid values directly to the public.orgs database table from the browser, circumventing field-level security policy enforcement for parameters such as max_apikey_expiration_days. The root cause is insufficient server-side enforcement in a Supabase-backed architecture where authenticated clients can interact directly with underlying tables without adequate RLS or server-side validation gates. No public exploit has been identified and the vulnerability is not listed in CISA KEV, though the low-complexity attack path makes it trivially executable by any org admin.
Improper error handling in Capgo's /private/accept_invitation endpoint before version 12.128.2 allows unauthenticated network attackers to trigger HTTP 500 Internal Server Error responses by submitting malformed magic_invite_string values, leaking internal processing details in violation of CWE-209. Exploitation requires no privileges or user interaction - only the publicly accessible endpoint and knowledge of its path - making any internet-exposed Capgo instance susceptible to targeted reconnaissance. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the risk is constrained to information disclosure that could support a broader attack chain.
Release-routing integrity failure in Capgo before 12.128.2 lets an authorized app or channel manager covertly steer which update bundle unnamed clients receive. Because the platform permits multiple public channels per app/platform to coexist and silently resolves channel-less /updates requests to a single hidden 'winner' channel, a low-privileged insider can manipulate default update state and serve a chosen bundle to clients that did not specify a channel. There is no public exploit identified at time of analysis, and the issue is not in CISA KEV.
Unauthenticated organization enumeration in Capgo before 12.128.2 exposes tenant existence through differential error responses in the public.invite_user_to_org SECURITY DEFINER RPC function. Any caller holding a publishable API key - a client-side credential intentionally distributed in mobile apps - can probe arbitrary organization IDs and distinguish NO_ORG from NO_RIGHTS responses, confirming or denying tenant existence at scale. No active exploitation is confirmed (not in CISA KEV) and no public POC has been identified, but the attack barrier is exceptionally low given the freely obtainable key material and the network-accessible default posture.
Organization UUID enumeration in Capgo before 12.128.2 allows unauthenticated remote attackers to confirm the existence of valid organization identifiers by exploiting differential error responses from the /private/validate_password_compliance endpoint. The endpoint returns distinct HTTP status codes and error message bodies depending on whether a submitted organization ID is malformed, non-existent, or valid - functioning as an unauthenticated oracle. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, though automated scripted enumeration is trivially feasible given the low attack complexity (CVSS 4.0 base score 6.9, AV:N/AC:L/PR:N).
Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse two SECURITY DEFINER RPC functions, get_user_id and get_org_perm_for_apikey, reachable with only the public/anon API key. Attackers can confirm whether a leaked API key is valid, resolve user UUIDs, and read the permission level tied to a key, turning otherwise-uncertain credential leaks into actionable, scoped targets. CVSS 4.0 is 8.7 (High); there is no public exploit identified at time of analysis and it is not in CISA KEV.
Session fixation in the Capgo cloud console login endpoint (console.capgo.app/login) allows unauthenticated remote attackers to force victims into attacker-controlled sessions by crafting malicious URLs containing attacker-owned tokens. Versions before 12.128.2 silently accept access_token and refresh_token as URL query parameters and authenticate the user without confirmation, bypassing normal login flows. Tokens passed via URL are additionally exposed in browser history, server access logs, and HTTP Referer headers, creating secondary information-disclosure risk. No public exploit code and no CISA KEV listing exist at time of analysis.
Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. When the CORS `origin` option is configured to anything other than wildcard `*`, the middleware incorrectly promotes client-supplied `Vary` header values from the incoming request directly into the HTTP response - a behavior violating the HTTP specification, which reserves `Vary` as a server-managed response header. In environments using shared caches, CDNs, or reverse proxies, an attacker can craft requests with arbitrary `Vary` values to poison cache entries, potentially causing incorrect CORS policies to be enforced for legitimate downstream users. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Denial of service in OFFIS DCMTK's storescp DICOM receiver allows an unauthenticated remote attacker to exhaust process memory by repeatedly sending a single crafted connection request (CWE-401 memory leak), eventually crashing the service so it stops accepting connections until an operator manually restarts it. In the default single-process deployment mode the leak accumulates per connection and brings the listener down quickly. CVSS 4.0 scores this 8.7 (High), driven entirely by availability impact; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Denial of service in OFFIS DCMTK DICOM toolkit allows an unauthenticated remote attacker to exhaust memory by repeatedly sending crafted connection requests, each of which leaks unfreed memory. In single-process deployments the leaked memory accumulates until the service process is killed by the OS and the listening port stops responding until a manual restart. No public exploit identified at time of analysis; CVSS 4.0 base score is 8.7 (availability-only impact), reported through CISA ICS-CERT medical advisory ICSMA-26-181-01.
HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers desynchronize how front-end proxies and the WebSphere back-end parse HTTP request boundaries, enabling request-queue poisoning, security-control bypass, and disclosure of other users' data (tagged Information Disclosure). The CVSS 9.8 vector rates all impacts high, but SSVC records no observed exploitation and EPSS is low (0.34%); no public exploit is identified at time of analysis, and a vendor patch is available. Realistic exploitation depends on WebSphere sitting behind an intermediary that disagrees with it on request framing.
Cleartext data transmission in IBM watsonx.data intelligence versions 5.2.2 through 5.3.1 (including patch-1) exposes sensitive information to network interception by a man-in-the-middle adversary. The platform transmits certain data without encryption, enabling an attacker positioned on the network path to capture confidential content in transit. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified; however, the CVSS High confidentiality impact (C:H) signals that the interceptable data is substantively sensitive, likely including queries, credentials, or intelligence payloads.
OAuth scope concealment in GitHub Enterprise Server allows an attacker to obtain unauthorized control over an organization's GitHub Actions runner management by exploiting a missing scope disclosure on the authorization consent screen. The `manage_runners:org` OAuth scope, which governs CI/CD runner infrastructure, is never shown to the victim during the standard OAuth authorization flow, enabling a maliciously crafted OAuth application to acquire it without informed user consent. No public exploit or CISA KEV listing exists at time of analysis; the CVSS 4.0 score of 4.8 and mandatory user interaction (UI:A) correctly reflect the social-engineering dependency that constrains real-world exploitation.
Sensitive information disclosure in IBM UrbanCode Deploy and IBM DevOps Deploy exposes potentially sensitive data to any local user who can read application log files. Affected are UrbanCode Deploy 7.2 through 7.2.3.23 and 7.3 through 7.3.2.18, as well as DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, but the local no-privilege vector combined with high confidentiality impact makes this a meaningful insider threat and post-compromise escalation vector in enterprise CI/CD environments.
Sensitive configuration and secret disclosure in IBM UrbanCode Deploy (7.3-7.3.2.18) and IBM DevOps Deploy (8.0-8.2.1.0) exposes credentials and configuration data to any authenticated low-privilege user via API responses. The exposed secrets can serve as a direct launchpad for privilege escalation or lateral movement within the CI/CD pipeline and connected deployment targets. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the CVSS-assigned high confidentiality impact reflects real post-authentication risk.
Sensitive information disclosure and unauthorized privileged actions in IBM DevOps Deploy (formerly UrbanCode Deploy/UCD) versions 8.1.0 through 8.1.2.6 and 8.2.0 through 8.2.1.0 stem from an overly permissive Cross-Origin Resource Sharing (CORS) policy that fails to restrict requests to trusted domains. An attacker who lures an authenticated user to a malicious web page can leverage the victim's session across origins to read confidential data and invoke privileged operations. No public exploit identified at time of analysis, and EPSS is low (0.15%, 5th percentile), consistent with CISA SSVC scoring exploitation as 'none'.
Arbitrary file read in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers retrieve files from the server host when the restConnector-2.0 administrative REST feature is enabled. The flaw is classed as HTTP request smuggling (CWE-444), meaning inconsistent request parsing lets an attacker coax the server into exposing file contents it should not serve. No public exploit identified at time of analysis, and CISA SSVC records exploitation status as none; EPSS is low at 0.50% (39th percentile).
Information disclosure and denial of service in IBM Langflow OSS 1.0.0 through 1.9.6 stem from missing authentication on the /api/v1/build_public_tmp/ endpoints, letting an unauthenticated attacker who supplies a valid job identifier read build event data or cancel running jobs. The flaw carries a CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) and CWE-287 classification; there is no public exploit identified at time of analysis, and EPSS is low at 0.25% (17th percentile) with CISA SSVC recording no observed exploitation but flagging it as automatable.
IBM Db2 versions 11.5.0-11.5.9 and 12.1.0-12.1.4 expose sensitive information through internal monitoring and event tables to authenticated low-privilege local users, a consequence of CWE-538 where sensitive data is inserted into storage locations accessible beyond the intended trust boundary. The CVSS vector confirms local-only attack surface (AV:L) with low-privilege authentication (PR:L) and high confidentiality impact, making this most relevant to insider threat scenarios or post-compromise lateral movement in multi-tenant Db2 environments. No public exploit code exists and the vulnerability is not listed in CISA KEV, indicating no confirmed active exploitation at time of analysis.
IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 leak sensitive technical information to the browser via verbose error messages, giving authenticated remote attackers a reconnaissance foothold for follow-on attacks. The flaw is rooted in CWE-209 (overly informative error generation), which can expose stack traces, internal paths, backend technology details, or configuration fragments depending on what error condition is triggered. No public exploit code has been identified and no active exploitation is confirmed; the mandatory authentication barrier (PR:L) and information-only impact limit immediate blast radius, but the data gathered can materially assist more sophisticated attacks against the same system.
Cleartext transmission in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 exposes sensitive data to interception by network-adjacent attackers using man-in-the-middle techniques. The CVSS vector (AV:N/AC:H/PR:N) confirms exploitation requires no authentication but does demand the attacker occupy a privileged on-path network position, moderating the overall risk. No public exploit code and no CISA KEV listing have been identified at time of analysis; vendor-released patch is available.
Session hijacking in IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 allows an authenticated user to impersonate another user because session IDs are not invalidated after they expire (CWE-613). An attacker who obtains or reuses a stale session identifier can act with the victim's identity, producing high confidentiality and integrity impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary constructor invocation (leading to code execution) in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 lets an authenticated remote attacker who can influence an application-built Object Query Language (OQL) query force the engine to resolve attacker-named classes via Class.forName() and instantiate them without any allow-list. Three distinct sinks are affected (SELECT NEW, enum literals, and reflection-based comparators), and a SELECT DISTINCT variant using planted grid values triggers the gadget post-readObject in a way that bypasses JEP-290 serialization filters across grid nodes. There is no public exploit identified at time of analysis and EPSS is low (0.27%), but the CVSS 9.9 scope-changing impact makes this a high-priority patch for exposed grid deployments.
Credential disclosure in IBM Langflow OSS versions 1.0.0 through 1.10.0 stems from a weak, reversible key-derivation mechanism used to protect secrets encrypted at rest, allowing an attacker who can reach the stored credential data to recover the encryption key and decrypt every stored credential. Because Langflow stores API keys, database connection strings, and third-party service tokens used by AI workflow components, recovery of these secrets gives an attacker the keys to all integrated systems. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score supplied, so the threat is currently theoretical but high-impact, and IBM (the reporter) has released a fix.
Information disclosure in IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 allows remote attackers to obtain sensitive information over the network without authentication (CVSS 3.1 vector AV:N/PR:N, base 7.5). The flaw exposes confidential data (C:H) while leaving integrity and availability untouched, and there is no public exploit identified at time of analysis. EPSS is low (0.15%, 5th percentile) and CISA SSVC rates exploitation as none, indicating this is a real but not urgently exploited issue.
Sandbox policy bypass in Twig PHP template engine allows sandboxed template authors to trigger `__toString()` calls on objects explicitly blocked by `SecurityPolicy::$allowedMethods`, through two distinct coercion paths: `Traversable` inputs to the `join` and `replace` filters, and PHP's implicit spaceship-operator coercion inside the `in`/`not in` operator implementation. Beyond unauthorized method invocation, the `in` operator can be chained into a character-by-character equality oracle, enabling reconstruction of the full string value of sensitive objects - such as tokens or credentials passed into the render context - without any direct method invocation being permitted. This is a residual bypass of CVE-2026-47732; no public exploit code has been identified at time of analysis, and the issue is patched in Twig v3.27.0.
Race condition in Zephyr RTOS Bluetooth Classic RFCOMM host stack (v4.4.0 and earlier) permanently wedges session state and exhausts the fixed bt_rfcomm_pool when a peer-transmitted DISC frame for dlci 0 collides with a simultaneous local-initiated teardown. The underlying L2CAP channel is never released and the session slot is never reclaimed, eventually denying RFCOMM service to the targeted peer across repeated occurrences. No public exploit identified at time of analysis; the CVSS 3.1 score of 3.1 (Low) with AV:A/AC:H accurately reflects both the Bluetooth adjacency prerequisite and the high-complexity timing race required.
Non-atomic reference-count manipulation in the Zephyr RTOS net_buf library (lib/net_buf/buf.c) allows a double-free/use-after-free when a single buffer is shared and independently unref'd across concurrent contexts. Because buf->ref and the per-data-block ref_count were incremented/decremented with plain C operators despite the API being documented as self-synchronizing, two holders racing net_buf_unref() under SMP or single-core preemption can each conclude they hold the last reference, causing a double k_heap_free()/k_free() (heap-metadata corruption and UAF on heap-hardening poison) for heap/variable-data pools, or a double return to the pool free list for any pool type. All Zephyr releases through v4.4.0 are affected; no public exploit is identified at time of analysis and EPSS risk is low (0.16%, 6th percentile).
### Impact Shovel and Federation plugins perform URI obfuscation in their worker (link) state. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
Out-of-bounds read in the Zephyr RTOS Bluetooth controller's ISO Adaptation Layer (isoal.c) lets an adjacent attacker leak controller memory to the HCI host and potentially crash the device. A malicious CIS peer or a broadcaster the device is BIS-synced to sends a framed ISO PDU whose start-segment length field is 0-2, causing a uint8_t underflow (len-3 → 253-255) that copies up to ~255 bytes past the received PDU into an HCI ISO packet. Publicly available exploit code exists (SSVC: poc); it is not listed in CISA KEV, and EPSS is low at 0.17%, indicating no evidence of widespread active exploitation.
SQL injection in Dolibarr ERP/CRM through version 23.0.3 lets authenticated REST API users exfiltrate arbitrary database contents - including password hashes and API keys - by abusing the sqlfilters parameter on the setup dictionary and multicurrencies list endpoints. The flawed filter only checked for balanced parentheses and rewrote matched triplets, so an appended UNION SELECT placed outside the expected pattern was concatenated into the WHERE clause unmodified. Publicly available exploit code exists and a vendor fix has been committed; the issue is not listed in CISA KEV.
Denial of service in the Microsoft.OpenApi (OpenAPI.NET) .NET library lets a crafted OpenAPI document with circular schema $ref references crash the host process via stack overflow (CWE-674, uncontrolled recursion). Any .NET application, CLI, developer tool, or service that parses untrusted OpenAPI documents in-process through the public reader APIs is affected across both JSON and YAML reader paths, including Microsoft's own kiota tool. A working reproduction payload is published in the GitHub advisory; the impact is availability-only with no code execution, and there is no public exploit identified beyond that payload and no evidence of active exploitation.
Cross-profile workspace isolation bypass in Hermes WebUI before 0.51.521 allows an authenticated low-privilege user operating under the default profile to read files scoped to other named profiles' workspaces. The /api/session/import handler validates the workspace against the active named profile but omits setting the profile field on the constructed Session object, persisting it with a null profile value. Because the authorization layer treats null profile as equivalent to the default profile, any default-profile user can exploit imported session identifiers to traverse the intended profile boundary and extract file contents - a complete defeat of the application's workspace isolation model. No public exploit is identified at time of analysis, and a vendor-released patch is available at v0.51.521.
Out-of-bounds read in the Zephyr RTOS DNS resolver (subsys/net/lib/dns) lets a malicious, spoofed, or on-path DNS server - or any LAN node when mDNS/LLMNR is enabled - return crafted truncated TXT or SRV records that leak residual receive-pool memory to the application, and in some configurations crash the device. It affects Zephyr v4.3.0 and v4.4.0; the SSVC framework records a proof-of-concept, so publicly available exploit code exists, though EPSS is low (0.20%, 10th percentile) and there is no public evidence of active exploitation. The disclosed data is bounded (~64 bytes for TXT, ~6 for SRV) and read-only, but can expose stale contents of prior DNS packets.
PostgreSQL Anonymizer's anon.hash() function exposes its internal salt to masked database users through an offline brute-force attack, undermining the core pseudonymization guarantee of the extension. Masked roles - the primary consumer of this extension - can call anon.hash() with arbitrary seed inputs and accumulate (seed, hash_output) pairs to deduce the salt offline, after which all pseudonymized values in the database become reversible. No active exploitation or public proof-of-concept has been identified; a vendor-confirmed fix is available in version 3.1.2.
CPython's tarfile.extract() silently bypasses the 'filter' parameter when processing hardlinks within tar archives, writing files with attacker-controlled uid/gid values despite the caller specifying filter='data' for security. Systems that extract content from untrusted tar archives while relying on this filter mechanism for ownership hardening are left with unexpected file ownership on extracted hardlinks. No active exploitation has been confirmed (not in CISA KEV) and no public proof-of-concept is available at time of analysis; the CVSS 4.0 score of 2.0 reflects the narrow, low-impact nature of the flaw.
Coolify's GitLab webhook endpoint leaks its secret token through a timing side-channel, enabling unauthenticated network attackers to reconstruct the token incrementally by measuring HTTP response time differences. All self-hosted Coolify instances prior to 4.0.0-beta.461 with GitLab webhook integrations configured are affected. Once the secret is recovered, an attacker can forge arbitrary GitLab webhook events and potentially trigger unauthorized deployments. No public exploit or active exploitation has been identified at time of analysis; the CVSS-assigned AC:H correctly reflects the practical difficulty of conducting reliable timing measurements over real-world networks.
Heap-use-after-free in openGauss 7.0.0-RC1 and RC2 allows a database user with SQL execution privileges to crash the backend process by crafting a to_timestamp() call with NLS parameters that triggers the seqscan+sort execution path. The nls_fmt_str pointer is stored in session context but allocated within SeqScan's expression memory context, which is freed upon scan completion; subsequent access by timestamp_out() via CheckNlsFormat() dereferences the dangling pointer. The practical impact is denial of service through backend process termination. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Unlimited brute-force attacks against KTM System e-BOK user accounts are enabled by the complete absence of login rate limiting, account lockout, or authentication throttling on the portal's login endpoint. All versions prior to the June 2026 patch are affected, with the risk materially amplified by companion vulnerability CVE-2026-35097, which constrains passwords to a six-digit numeric format - reducing the effective keyspace to 1,000,000 combinations and making full exhaustion feasible with standard tooling in minutes to hours. No public exploit code or CISA KEV listing has been identified at time of analysis, but the combination of these two flaws represents a near-trivially exploitable account takeover path against any e-BOK deployment where both vulnerabilities are present.
KTM System e-BOK enforces a system-wide password policy that restricts all user credentials to exactly six numeric digits, prohibiting alphabetic, special, or extended characters and producing a maximum keyspace of only 1,000,000 possible values (10^6). This CWE-521 (Weak Password Requirements) flaw enables remote unauthenticated brute-force attacks against any customer account, as confirmed by the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N). No public exploit code or CISA KEV listing exists, but the trivial keyspace means no specialized tooling is required - standard credential automation suffices. CERT-PL reported the issue; a vendor patch was published in June 2026.
Session fixation in KTM System e-BOK (an online customer service portal) enables an attacker to preset a session identifier in a victim's browser before authentication, which the application then retains unchanged after successful login. Because the server accepts a client-supplied cookie value and never regenerates it at the authentication boundary, an attacker who controls the initial session token can hijack the victim's fully authenticated session. A patch was published by KTM System in June 2026; no public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Memory overread in Citrix NetScaler ADC and NetScaler Gateway lets remote attackers read out-of-bounds memory when the appliance is configured as a SAML identity provider (IDP), enabling disclosure of sensitive in-memory data such as tokens, session material, or other process memory. The CVSS 4.0 score of 8.8 reflects network-reachable, unauthenticated exploitation (PR:N) with high confidentiality and availability impact; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. The flaw belongs to the same class of NetScaler appliance vulnerabilities (e.g., Citrix Bleed-style memory disclosure) that have historically drawn aggressive exploitation, making prompt patching advisable.
Arbitrary file disclosure in GLib's GDBus client affects the DBUS_COOKIE_SHA1 SASL authentication mechanism, where the client fails to validate the server-supplied cookie_context parameter. A malicious or compromised D-Bus server can send a cookie_context containing path traversal sequences, forcing the client to read attacker-chosen files and leak their contents by confirming guessed values against the returned authentication hash. No public exploit has been identified and it is not in CISA KEV; EPSS is low at 0.30% (22th percentile), consistent with the SSVC assessment of no known exploitation.
Buffer over-read in GLib's giochannel line-reading code (g_io_channel_read_line_backend) affects the GNOME GLib library prior to version 2.88.1, where an application that configures a multi-byte custom line terminator triggers memcmp to read past the end of the internal GString buffer. Depending on memory layout, this leaks up to 7 bytes of adjacent heap memory (minor information disclosure) or crashes the process when the over-read crosses an unmapped page boundary (denial of service). There is no public exploit identified at time of analysis, EPSS is low (0.27%), and CISA SSVC rates exploitation as none.
Buffer over-read in GNOME GLib's g_regex_replace() lets remote attackers leak 1-5 adjacent bytes of process memory and crash applications when regex replacement is performed with the G_REGEX_RAW compile flag combined with case-change replacement escapes. The internal string_append helper applies UTF-8 aware routines to matched substrings even though G_REGEX_RAW treats the buffer as raw bytes, reading past the intended boundary. There is no public exploit identified at time of analysis and EPSS is low (0.26%, 18th percentile), but the flaw is broadly reachable because GLib underpins the GNOME stack and ships across Red Hat Enterprise Linux 6-10.
Out-of-bounds read of two bytes in GLib's g_date_time_get_ymd() (glib/gdatetime.c) lets attackers corrupt date output and trigger logic errors that may cause denial of service when an application processes an invalid GDateTime produced by g_date_time_add_full(). It affects the GNOME GLib core utility library shipped across Red Hat Enterprise Linux 6 through 10, with fixes in GLib 2.88.1 and 2.86.5. There is publicly available exploit code exists per SSVC (proof-of-concept), no confirmed active exploitation, and EPSS is low at 0.27% (19th percentile).
Out-of-bounds read in GNOME GLib's GVariant serialiser allows remote attackers to leak a single byte of adjacent memory and to crash applications that deserialise untrusted GVariant data. The flaw sits in gvs_tuple_is_normal() in glib/gvariant-serialiser.c, where an alignment-padding bounds check uses '>' instead of '>=', reading one byte past the buffer; when that byte falls across a page boundary the process faults, producing a denial of service. No public exploit identified at time of analysis, and EPSS is low (0.26%), but GLib's near-universal presence on Linux systems makes the exposure broad.
Memory overread in Citrix NetScaler ADC and NetScaler Gateway exposes low-confidence partial memory contents to unauthenticated remote attackers when TCP TimeStamp processing is triggered against a misconfigured or specifically configured TCP Profile. The vulnerability is rooted in insufficient input validation (CWE-125) within the TCP TimeStamp handling code path, affecting virtual servers of type Load Balancer, Content Switching, and VPN, as well as configured services. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis, though the network-accessible, zero-privilege attack vector warrants prompt patching given NetScaler's broad enterprise deployment.
Arbitrary file read in Citrix NetScaler ADC and NetScaler Gateway lets unauthenticated attackers on an adjacent network retrieve sensitive files from the appliance when the NSIP, Cluster Management IP, or a SNIP has management access enabled. The flaw (CWE-73, external control of file name or path) carries a CVSS 4.0 base score of 7.1 with high confidentiality impact, and no public exploit identified at time of analysis. Exposure is gated by the management interface being reachable, which limits but does not eliminate risk given NetScaler's history of attacker targeting.
Privilege escalation in Rancher 2.13 (before 2.13.6) and 2.14 (before 2.14.2) lets any authenticated user gain principal access they should not hold, because the GitHub authentication provider incorrectly caches the result of team membership expansion. The flaw (CWE-303, CVSS 8.8) means a low-privileged GitHub-authenticated user can be granted access tied to other principals/teams, effectively bypassing intended authorization. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Redeight CMS 1.0 stores user passwords using unsalted MD5 hashes, enabling any attacker who obtains the credential database to recover plaintext passwords nearly instantaneously via precomputed rainbow tables. All stored credentials are effectively exposed upon database compromise, since MD5 is cryptographically broken and the absence of per-user salts eliminates hash uniqueness across identical passwords. No public exploit code or confirmed active exploitation has been identified at time of analysis, but the cracking technique is trivially automated and requires no specialized skill.
MSE Diffie-Hellman key exchange in Net::BitTorrent (Perl, all versions through 2.0.1) is rendered cryptographically transparent to passive network observers because Perl's non-cryptographic rand() function generates the 160-bit DH private key in KeyExchange.pm, and the same PRNG sequence simultaneously produces cleartext random padding transmitted during the same handshake. A passive eavesdropper who captures the handshake can recover the drand48 PRNG state from the observable padding bytes, reconstruct the private key, derive the RC4 session keys, and fully decrypt the MSE-encrypted stream - completely defeating the passive-observation obfuscation MSE is designed to provide. No public exploit has been identified at time of analysis, but the recovery is deterministic and requires only standard number theory once the handshake is captured.
Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input. bdecode recurses once per nested list or dictionary level with no depth cap, and each recursive call receives the remaining buffer by value while the list and dictionary branches capture the whole remainder, so every live recursion frame keeps its own copy of the shrinking buffer (O(N^2) bytes for an N-deep input). The decoder runs on every untrusted bencode source: .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses. A bencoded input of roughly 150,000 nested lists (about 150 KB on the wire) drives multi-gigabyte peak memory, so one short message from any peer, or one crafted .torrent file or magnet link, terminates the client.
Sensitive data exposure in Advantech Hospital Queuing Management lets unauthenticated remote attackers reach a specific URL and retrieve the application's API documentation, mapping out endpoints and parameters without any credentials. The flaw is rooted in missing authentication (CWE-306) on a resource that should be protected, and TWCERT rates it CVSS 4.0 9.3 (Critical). No public exploit is identified at time of analysis, but the exposed API documentation provides reconnaissance that materially lowers the barrier to follow-on attacks.
Information disclosure in Advantech Hospital Queuing Management allows unauthenticated remote attackers to retrieve internal API documentation by requesting a specific URL, exposing the application's API surface, endpoints, and parameters. The flaw carries a high CVSS 4.0 base score of 8.7 driven entirely by confidentiality impact, but there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The leaked documentation primarily serves as reconnaissance that lowers the barrier to attacking other endpoints of this healthcare queuing platform.
Improper input validation in Apache ActiveMQ lets an attacker who can write or modify LDAP entries matching the broker's configured searchBase and searchFilter instantiate transports that are otherwise denied inside the broker JVM. By doing so the attacker can force the broker to fetch an attacker-controlled URL and spawn a second BrokerService within the same JVM, an integrity-impacting condition affecting Apache ActiveMQ, ActiveMQ Broker, and ActiveMQ All before 5.19.8 and 6.x before 6.2.7. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Denial-of-service in Apache ActiveMQ STOMP connectors lets a remote peer that can reach an exposed STOMP port crash or exhaust the broker by sending a negative content-length value. On the NIO STOMP transport the attacker streams body bytes to grow the per-connection command buffer past configured limits and force an out-of-memory condition, while the blocking STOMP transport instead throws an abnormal transport exception that closes the affected connection. The flaw affects ActiveMQ, ActiveMQ All, and ActiveMQ Stomp before 5.19.8 and the 6.0.0-6.2.6 line; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Cleartext-transmission exposure in Hitachi Energy PROMOD V allows a network man-in-the-middle to intercept or read sensitive data because the application relies on unencrypted HTTP rather than HTTPS when communicating with a third-party Digipede grid-computing server. The flaw (CWE-1428, reliance on an insecure communications channel) carries a CVSS 4.0 base score of 7.0 and is rated high confidentiality impact with limited integrity impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Broken object-level authorization in the Fluent Booking WordPress plugin (all versions before 2.1.2) allows any user holding the Calendar Manager role to export attendee PII - including names, email addresses, phone numbers, physical addresses, and payment information - from calendar groups they do not own. The flaw resides in the plugin's attendee export endpoint, which accepts a caller-supplied group_id without verifying the requesting user's ownership of that group. A publicly available proof-of-concept exploit exists per WPScan reporting; however, this vulnerability is not listed in the CISA KEV catalog, indicating no confirmed broad exploitation. The CVSS score of 4.9 (Medium) reflects the high-privilege prerequisite, though the sensitivity of the exposed data - including payment details - elevates real-world business impact beyond what the numeric score alone suggests.
Stored cross-site scripting in the Kali Forms WordPress plugin (before 2.4.13) allows Contributor-level users to inject arbitrary JavaScript into form field captions, which execute in an administrator's browser session when the admin views the form-entries screen. A compounding missing capability check in the plugin's post-duplication action enables the same low-privilege attacker to publish the malicious form without administrator approval, removing the dependency on an admin independently discovering the unpublished form. A publicly available exploit (via WPScan) exists, and the plugin vendor has released a patch in version 2.4.13. No CISA KEV listing is present, indicating no confirmed mass exploitation at time of analysis.
Time-of-check time-of-use (TOCTOU) race condition in Samsung's open-source Escargot JavaScript engine exposes systems - notably Samsung TV appliances - to local exploitation resulting in limited confidentiality, integrity, and availability impact. The flaw exists at a specific upstream commit (bab3a5797557014ce3c2e28419a6310cfba90d0d) and allows an attacker who can execute code in the same environment to exploit a timing window between a security check and the subsequent use of a resource. No active exploitation has been identified at time of analysis, but a fix commit is available upstream.
Insufficient data exists to characterize CVE-2026-13606. The sole intelligence signal is a vendor report attributed to Ubuntu, indicating this vulnerability affects a package or component within the Ubuntu ecosystem. No description, CVSS score, vector, CWE classification, or additional references are available - a complete technical characterization is not possible from the provided data.
Insufficient data exists to characterize CVE-2026-44605 meaningfully. The only available intelligence signal is a vendor attribution to Ubuntu, with no description, CVSS vector, CWE classification, or reference URLs provided. The CVE ID year (2026) places this beyond the analyst's knowledge cutoff of August 2025, meaning no corroborating open-source intelligence can be applied. No exploitation status, affected version range, or impact class can be stated with any confidence.
Insufficient data exists to characterize CVE-2026-57964 meaningfully. The only confirmed signal is a vendor attribution to Ubuntu (Canonical), with no description, CVSS score, vector, or CWE provided. No exploitation status, affected component, or impact can be determined from the available intelligence. Security teams should monitor the Ubuntu Security Notices (USN) portal and the NVD entry for this CVE as data becomes available.
Arbitrary file read in the Zephyr RTOS HTTP server (subsys/net/lib/http) lets an unauthenticated remote client retrieve any readable file on the mounted filesystem volume by abusing path-traversal sequences against a registered static-filesystem resource. Affecting Zephyr v4.0.0 through v4.4.0 with CONFIG_FILE_SYSTEM enabled and a static-FS resource registered, the flaw stems from the raw request path being concatenated to the web root without canonicalization in both the HTTP/1 and HTTP/2 front-ends. No public exploit identified at time of analysis, but the bug is trivial to trigger (CVSS 7.5, AV:N/AC:L/PR:N/UI:N) and a vendor patch is available.
USB CDC-NCM network driver in Zephyr RTOS through v4.4.0 permanently deadlocks the shared network egress thread when a USB bus suspend coincides with outbound device traffic, requiring a reboot to recover. The defect in `cdc_ncm_send()` ignores the return value of `usbd_ep_enqueue()` and unconditionally blocks on a completion semaphore that only the (never-fired) bulk-IN ISR can signal - halting not just CDC-NCM traffic but all egress on other interfaces sharing the TX thread. No public exploit code or active exploitation has been identified; the trigger is routine USB host power management, making this an availability risk for any embedded Zephyr device using USB virtual Ethernet.
Unbounded heap consumption in Apache ActiveMQ's STOMP NIO codec allows an unauthenticated remote client to crash the broker by streaming non-terminating header bytes that the JVM buffers without limit until memory is exhausted. All three affected Maven artifacts (apache-activemq, activemq-all, activemq-stomp) are impacted in versions before 5.19.8 and in the 6.0.0-6.2.6 range. No public exploit code or active exploitation has been identified at time of analysis, but the unauthenticated, low-complexity network attack surface against a widely-deployed enterprise broker makes this a credible denial-of-service risk for any deployment with an exposed STOMP port.
Authentication bypass in Apache Tomcat (7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.100, 10.1.0-M1-10.1.36, 11.0.0-M1-11.0.4) lets remote attackers authenticate without supplying the correct password when the JNDIRealm is configured to validate credentials via GSSAPI bind. The flaw (CWE-304, Missing Critical Step in Authentication) means the realm accepts a bind as successful even when the password verification step is effectively skipped. There is no public exploit identified at time of analysis, EPSS risk is low (0.21%, 12th percentile), and it is not listed in CISA KEV.
Incomplete security-constraint logging in Apache Tomcat (8.5.0-8.5.100, 9.0.0.M1-9.0.118, 10.1.0-M1-10.1.55, 11.0.0-M1-11.0.22) omits special roles and empty authorization constraints when the effective web.xml is written to the log, giving administrators an inaccurate view of the deployed access-control configuration. There is no public exploit identified at time of analysis, EPSS is low (0.17%, 7th percentile), and CISA SSVC marks exploitation status as none, despite the inflated 9.1 CVSS published by Apache. The practical effect is misleading audit/diagnostic output rather than direct attacker compromise.
Non-constant-time AEAD authentication tag comparison in CryptX before 0.088_001 for Perl exposes a timing oracle in the streaming decrypt_done path, enabling authentication tag forgery across five AEAD cipher modes: GCM, CCM, ChaCha20Poly1305, EAX, and OCB. An attacker who can submit many candidate tags for a fixed nonce and ciphertext while precisely measuring response timing can recover the expected tag byte-by-byte and forge authenticated messages. No public exploit code exists and CISA has not listed this in KEV; EPSS is 0.23% (13th percentile), consistent with SSVC's 'Exploitation: none' rating at time of disclosure.
Improper handling of a Certificate Revocation List (CRL) error condition in Apache Tomcat's FFM-based (Foreign Function & Memory / OpenSSL) connector allows revoked client certificates to be accepted during mutual TLS authentication, defeating revocation checking. The flaw affects Tomcat 9.0.83-9.0.118, 10.1.0-M7-10.1.55, and 11.0.0-M1-11.0.22 when a CRL is configured on the FFM connector, letting an attacker holding a revoked-but-otherwise-valid client certificate reach protected resources. There is no public exploit identified at time of analysis and the issue is not on CISA KEV, though the CVSS base score is 9.1 (CWE-390).
Access-control bypass in Apache Tomcat's RewriteValve (versions 8.5.0-8.5.100, 9.0.0.M1-9.0.118, 10.1.0-M1-10.1.55, and 11.0.0-M1-11.0.22) arises because once the first condition in an OR (`[OR]`) chain matched, subsequent non-OR conditions were never evaluated. Where operators rely on chained rewrite conditions to gate or restrict requests, an attacker can satisfy only the first condition and have later guard conditions silently skipped, leading to information disclosure or unintended request routing. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Apache has released fixes in 11.0.23, 10.1.56, and 9.0.119.
Cross-origin information disclosure in Apple Safari, iOS, iPadOS, and macOS Tahoe (all versions before 26.5.2) allows an attacker who can direct a user to maliciously crafted web content to read sensitive data from other origins, violating the Same-Origin Policy. The flaw stems from inadequate tracking of security origins in the WebKit engine (CWE-346), and is notable because on iOS and iPadOS all browsers are mandated to use WebKit, meaning every browser on those platforms is affected. No public exploit or CISA KEV listing is identified at time of analysis; Apple has released patches across all affected platforms.
Kernel memory corruption in Apple iOS/iPadOS (before 26.5.2) and macOS Tahoe (before 26.5.2) allows a malicious or compromised app to corrupt kernel memory or trigger unexpected system termination via malformed input that bypasses validation. Reported by Apple internally and fixed with improved input validation; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Despite a high CVSS of 9.1, the practical attack surface is bound to code already executing on the device as an app.
Clipboard data disclosure in Apple Safari (and the shared WebKit engine on iOS, iPadOS, and macOS) before version 26.5.2 lets a malicious website silently read or hijack clipboard contents without user interaction or permission, rated CVSS 7.5 (confidentiality-only). Apple has shipped fixes in Safari 26.5.2, iOS/iPadOS 26.5.2, and macOS Tahoe 26.5.2, and the issue was reported internally by Apple. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Local privilege escalation and kernel memory corruption in Apple iOS, iPadOS (before 26.5.2) and macOS Tahoe (before 26.5.2) allows a malicious or compromised app to write kernel memory or force unexpected system termination by supplying improperly validated input to a privileged interface. Apple resolved the flaw through improved input sanitization. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and CISA SSVC records exploitation status as none, though it rates the technical impact as total and considers it automatable.
Cross-origin data exfiltration in Apple Safari, iOS/iPadOS, and macOS Tahoe (all versions prior to 26.5.2) allows a malicious website to read data belonging to a different origin due to insufficient input validation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-delivered without authentication, requiring only that the victim visits an attacker-controlled page. No public exploit code or CISA KEV listing has been identified at time of analysis, and vendor-released patches are available for all affected platforms.
Sensitive process memory exposure in Google Chrome for iOS prior to 150.0.7871.47 enables a physically present attacker to read potentially sensitive data from the browser's memory without authentication. The root cause is insufficient data validation (CWE-20) within the iOS-specific Chrome implementation. No public exploit code or CISA KEV listing has been identified at time of analysis, and the physical access requirement (CVSS AV:P) significantly constrains real-world attacker opportunity.
Sandbox escape in Google Chrome desktop before 150.0.7871.47 lets a remote attacker who has already compromised the renderer process escalate out of the sandbox via a crafted HTML page that triggers a type-confusion bug (CWE-843) in the Tabs component. Exploitation is gated behind prior renderer compromise and user interaction, and the flaw is rated High by Chromium with a CVSS 8.3 due to scope change and total impact. There is no public exploit identified at time of analysis, EPSS is low (0.23%, 13th percentile), and CISA SSVC lists exploitation as none.
Insufficient validation of untrusted input in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Cross-origin data leakage in Google Chrome's SVG rendering subsystem (versions prior to 150.0.7871.47) allows remote attackers to exfiltrate sensitive information from other origins by directing victims to a crafted HTML page. The root cause is insufficient policy enforcement in SVG handling, classified as CWE-346 (Origin Validation Error), effectively bypassing Same-Origin Policy protections. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.21% (11th percentile), indicating low near-term exploitation likelihood despite a CVSS confidentiality impact rated High.
Side-channel information leakage via Chrome's Scroll implementation exposes cross-origin data to remote attackers who can lure a victim to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected; exploitation requires user interaction (visiting the attacker-controlled page) but no authentication. No public exploit identified at time of analysis and EPSS sits at the 11th percentile, though the confidentiality impact is rated High by NVD given the potential to read data from foreign origins.
Sandbox escape in Google Chrome's Skia graphics engine (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, achieving high-impact code execution across the security boundary (scope change). Rated Critical by Chromium and CVSS 9.6, but no public exploit is identified at time of analysis and EPSS is low (0.22%, 13th percentile). SSVC lists exploitation status as none, indicating no observed active exploitation.
Sandbox escape in Google Chrome's ANGLE graphics component before version 150.0.7871.47 allows an attacker who has already compromised the renderer process to break out of the browser sandbox and execute code in a higher-privilege context via a crafted HTML page. Google rates the Chromium security severity as Critical (CVSS 9.6), though this is a second-stage bug requiring a prior renderer compromise. A vendor patch is available; no public exploit has been identified at time of analysis and EPSS exploitation probability is low (0.22%).
Heap corruption in the iOSWeb component of Google Chrome for iOS before 150.0.7871.47 lets a remote attacker who lures a victim to a crafted HTML page potentially achieve memory corruption with high confidentiality, integrity, and availability impact. Chromium rated the underlying issue Critical severity, though the CVSS base score is 8.8 because exploitation requires user interaction (visiting a page). There is no public exploit identified at time of analysis, it is not on CISA KEV, and the EPSS probability is low at 0.21%.
Sandbox escape via type confusion in Google Chrome's Dawn WebGPU implementation allows an attacker who already controls a compromised renderer process to break out of the browser sandbox using a crafted HTML page, affecting all Chrome desktop builds prior to 150.0.7871.47. Rated Critical by Chromium and CVSS 9.8, though the score assumes no prior privilege; realistically it is the second stage of an exploit chain. A vendor patch is available and no public exploit has been identified at time of analysis (EPSS 0.24%, 15th percentile).
Credential leakage in electron-updater (the auto-update component of electron-builder / builder-util-runtime) before 9.7.0 allows an attacker controlling a redirect target to harvest update-feed credentials. The HTTP redirect handler only stripped a header keyed exactly as lowercase "authorization", so PRIVATE-TOKEN (GitLab personal access tokens) and mixed-case Authorization (GitLab Bearer/OAuth) headers were forwarded to attacker-controlled cross-origin redirect destinations. There is no public exploit identified at time of analysis, but the upstream fix is published in version 9.7.0.
The Python Code node in n8n allows authenticated workflow editors to bypass the AST security validator by crafting Python code that evades an incomplete blocklist (CWE-184), reaching the task executor module namespace. Affected self-hosted n8n deployments running versions before 2.25.7 or 2.26.x before 2.26.2 with the Python Task Runner enabled are exposed to environment variable disclosure when N8N_BLOCK_RUNNER_ENV_ACCESS is not set to restrict access, potentially leaking API keys, database credentials, or other secrets injected at process startup. No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Nonce reuse in ImageMagick's AES-CTR cipher implementation exposes encrypted image plaintext to recovery attacks. The PasskeyEncipherImage method in ImageMagick before 7.1.2-22 reuses nonces when performing AES in Counter mode, violating the fundamental security requirement that a nonce be used exactly once per key. A network-accessible attacker who can collect multiple ciphertexts produced with the same passkey and nonce can XOR the outputs to cancel the shared keystream and partially or fully recover encrypted image content. No active exploitation has been identified (not in CISA KEV), and no public exploit code is known at time of analysis.
Heap buffer out-of-bounds read in ImageMagick before 7.1.2-19 via off-by-one error in morphology validation allows local attackers with user interaction to trigger denial of service. The vulnerability stems from incorrect morphology parameters causing single pixel memory access violations within heap buffers, potentially leading to application crashes or information disclosure through controlled reads of adjacent heap memory.
Server-side validation bypass in Capgo before 12.128.2 allows authenticated organization administrators to write invalid values directly to the public.orgs database table from the browser, circumventing field-level security policy enforcement for parameters such as max_apikey_expiration_days. The root cause is insufficient server-side enforcement in a Supabase-backed architecture where authenticated clients can interact directly with underlying tables without adequate RLS or server-side validation gates. No public exploit has been identified and the vulnerability is not listed in CISA KEV, though the low-complexity attack path makes it trivially executable by any org admin.
Improper error handling in Capgo's /private/accept_invitation endpoint before version 12.128.2 allows unauthenticated network attackers to trigger HTTP 500 Internal Server Error responses by submitting malformed magic_invite_string values, leaking internal processing details in violation of CWE-209. Exploitation requires no privileges or user interaction - only the publicly accessible endpoint and knowledge of its path - making any internet-exposed Capgo instance susceptible to targeted reconnaissance. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the risk is constrained to information disclosure that could support a broader attack chain.
Release-routing integrity failure in Capgo before 12.128.2 lets an authorized app or channel manager covertly steer which update bundle unnamed clients receive. Because the platform permits multiple public channels per app/platform to coexist and silently resolves channel-less /updates requests to a single hidden 'winner' channel, a low-privileged insider can manipulate default update state and serve a chosen bundle to clients that did not specify a channel. There is no public exploit identified at time of analysis, and the issue is not in CISA KEV.
Unauthenticated organization enumeration in Capgo before 12.128.2 exposes tenant existence through differential error responses in the public.invite_user_to_org SECURITY DEFINER RPC function. Any caller holding a publishable API key - a client-side credential intentionally distributed in mobile apps - can probe arbitrary organization IDs and distinguish NO_ORG from NO_RIGHTS responses, confirming or denying tenant existence at scale. No active exploitation is confirmed (not in CISA KEV) and no public POC has been identified, but the attack barrier is exceptionally low given the freely obtainable key material and the network-accessible default posture.
Organization UUID enumeration in Capgo before 12.128.2 allows unauthenticated remote attackers to confirm the existence of valid organization identifiers by exploiting differential error responses from the /private/validate_password_compliance endpoint. The endpoint returns distinct HTTP status codes and error message bodies depending on whether a submitted organization ID is malformed, non-existent, or valid - functioning as an unauthenticated oracle. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, though automated scripted enumeration is trivially feasible given the low attack complexity (CVSS 4.0 base score 6.9, AV:N/AC:L/PR:N).
Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse two SECURITY DEFINER RPC functions, get_user_id and get_org_perm_for_apikey, reachable with only the public/anon API key. Attackers can confirm whether a leaked API key is valid, resolve user UUIDs, and read the permission level tied to a key, turning otherwise-uncertain credential leaks into actionable, scoped targets. CVSS 4.0 is 8.7 (High); there is no public exploit identified at time of analysis and it is not in CISA KEV.
Session fixation in the Capgo cloud console login endpoint (console.capgo.app/login) allows unauthenticated remote attackers to force victims into attacker-controlled sessions by crafting malicious URLs containing attacker-owned tokens. Versions before 12.128.2 silently accept access_token and refresh_token as URL query parameters and authenticate the user without confirmation, bypassing normal login flows. Tokens passed via URL are additionally exposed in browser history, server access logs, and HTTP Referer headers, creating secondary information-disclosure risk. No public exploit code and no CISA KEV listing exist at time of analysis.
Header injection in Hono's CORS middleware exposes applications to cache key pollution across versions before 4.10.3. When the CORS `origin` option is configured to anything other than wildcard `*`, the middleware incorrectly promotes client-supplied `Vary` header values from the incoming request directly into the HTTP response - a behavior violating the HTTP specification, which reserves `Vary` as a server-managed response header. In environments using shared caches, CDNs, or reverse proxies, an attacker can craft requests with arbitrary `Vary` values to poison cache entries, potentially causing incorrect CORS policies to be enforced for legitimate downstream users. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Denial of service in OFFIS DCMTK's storescp DICOM receiver allows an unauthenticated remote attacker to exhaust process memory by repeatedly sending a single crafted connection request (CWE-401 memory leak), eventually crashing the service so it stops accepting connections until an operator manually restarts it. In the default single-process deployment mode the leak accumulates per connection and brings the listener down quickly. CVSS 4.0 scores this 8.7 (High), driven entirely by availability impact; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Denial of service in OFFIS DCMTK DICOM toolkit allows an unauthenticated remote attacker to exhaust memory by repeatedly sending crafted connection requests, each of which leaks unfreed memory. In single-process deployments the leaked memory accumulates until the service process is killed by the OS and the listening port stops responding until a manual restart. No public exploit identified at time of analysis; CVSS 4.0 base score is 8.7 (availability-only impact), reported through CISA ICS-CERT medical advisory ICSMA-26-181-01.
HTTP request smuggling in IBM WebSphere Application Server (traditional 8.5 and 9.0) and WebSphere Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers desynchronize how front-end proxies and the WebSphere back-end parse HTTP request boundaries, enabling request-queue poisoning, security-control bypass, and disclosure of other users' data (tagged Information Disclosure). The CVSS 9.8 vector rates all impacts high, but SSVC records no observed exploitation and EPSS is low (0.34%); no public exploit is identified at time of analysis, and a vendor patch is available. Realistic exploitation depends on WebSphere sitting behind an intermediary that disagrees with it on request framing.
Cleartext data transmission in IBM watsonx.data intelligence versions 5.2.2 through 5.3.1 (including patch-1) exposes sensitive information to network interception by a man-in-the-middle adversary. The platform transmits certain data without encryption, enabling an attacker positioned on the network path to capture confidential content in transit. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified; however, the CVSS High confidentiality impact (C:H) signals that the interceptable data is substantively sensitive, likely including queries, credentials, or intelligence payloads.
OAuth scope concealment in GitHub Enterprise Server allows an attacker to obtain unauthorized control over an organization's GitHub Actions runner management by exploiting a missing scope disclosure on the authorization consent screen. The `manage_runners:org` OAuth scope, which governs CI/CD runner infrastructure, is never shown to the victim during the standard OAuth authorization flow, enabling a maliciously crafted OAuth application to acquire it without informed user consent. No public exploit or CISA KEV listing exists at time of analysis; the CVSS 4.0 score of 4.8 and mandatory user interaction (UI:A) correctly reflect the social-engineering dependency that constrains real-world exploitation.
Sensitive information disclosure in IBM UrbanCode Deploy and IBM DevOps Deploy exposes potentially sensitive data to any local user who can read application log files. Affected are UrbanCode Deploy 7.2 through 7.2.3.23 and 7.3 through 7.3.2.18, as well as DevOps Deploy 8.0 through 8.0.1.13, 8.1 through 8.1.2.6, and 8.2 through 8.2.1.0. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, but the local no-privilege vector combined with high confidentiality impact makes this a meaningful insider threat and post-compromise escalation vector in enterprise CI/CD environments.
Sensitive configuration and secret disclosure in IBM UrbanCode Deploy (7.3-7.3.2.18) and IBM DevOps Deploy (8.0-8.2.1.0) exposes credentials and configuration data to any authenticated low-privilege user via API responses. The exposed secrets can serve as a direct launchpad for privilege escalation or lateral movement within the CI/CD pipeline and connected deployment targets. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the CVSS-assigned high confidentiality impact reflects real post-authentication risk.
Sensitive information disclosure and unauthorized privileged actions in IBM DevOps Deploy (formerly UrbanCode Deploy/UCD) versions 8.1.0 through 8.1.2.6 and 8.2.0 through 8.2.1.0 stem from an overly permissive Cross-Origin Resource Sharing (CORS) policy that fails to restrict requests to trusted domains. An attacker who lures an authenticated user to a malicious web page can leverage the victim's session across origins to read confidential data and invoke privileged operations. No public exploit identified at time of analysis, and EPSS is low (0.15%, 5th percentile), consistent with CISA SSVC scoring exploitation as 'none'.
Arbitrary file read in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.6) lets remote attackers retrieve files from the server host when the restConnector-2.0 administrative REST feature is enabled. The flaw is classed as HTTP request smuggling (CWE-444), meaning inconsistent request parsing lets an attacker coax the server into exposing file contents it should not serve. No public exploit identified at time of analysis, and CISA SSVC records exploitation status as none; EPSS is low at 0.50% (39th percentile).
Information disclosure and denial of service in IBM Langflow OSS 1.0.0 through 1.9.6 stem from missing authentication on the /api/v1/build_public_tmp/ endpoints, letting an unauthenticated attacker who supplies a valid job identifier read build event data or cancel running jobs. The flaw carries a CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) and CWE-287 classification; there is no public exploit identified at time of analysis, and EPSS is low at 0.25% (17th percentile) with CISA SSVC recording no observed exploitation but flagging it as automatable.
IBM Db2 versions 11.5.0-11.5.9 and 12.1.0-12.1.4 expose sensitive information through internal monitoring and event tables to authenticated low-privilege local users, a consequence of CWE-538 where sensitive data is inserted into storage locations accessible beyond the intended trust boundary. The CVSS vector confirms local-only attack surface (AV:L) with low-privilege authentication (PR:L) and high confidentiality impact, making this most relevant to insider threat scenarios or post-compromise lateral movement in multi-tenant Db2 environments. No public exploit code exists and the vulnerability is not listed in CISA KEV, indicating no confirmed active exploitation at time of analysis.
IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 leak sensitive technical information to the browser via verbose error messages, giving authenticated remote attackers a reconnaissance foothold for follow-on attacks. The flaw is rooted in CWE-209 (overly informative error generation), which can expose stack traces, internal paths, backend technology details, or configuration fragments depending on what error condition is triggered. No public exploit code has been identified and no active exploitation is confirmed; the mandatory authentication barrier (PR:L) and information-only impact limit immediate blast radius, but the data gathered can materially assist more sophisticated attacks against the same system.
Cleartext transmission in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 exposes sensitive data to interception by network-adjacent attackers using man-in-the-middle techniques. The CVSS vector (AV:N/AC:H/PR:N) confirms exploitation requires no authentication but does demand the attacker occupy a privileged on-path network position, moderating the overall risk. No public exploit code and no CISA KEV listing have been identified at time of analysis; vendor-released patch is available.
Session hijacking in IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 allows an authenticated user to impersonate another user because session IDs are not invalidated after they expire (CWE-613). An attacker who obtains or reuses a stale session identifier can act with the victim's identity, producing high confidentiality and integrity impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary constructor invocation (leading to code execution) in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 lets an authenticated remote attacker who can influence an application-built Object Query Language (OQL) query force the engine to resolve attacker-named classes via Class.forName() and instantiate them without any allow-list. Three distinct sinks are affected (SELECT NEW, enum literals, and reflection-based comparators), and a SELECT DISTINCT variant using planted grid values triggers the gadget post-readObject in a way that bypasses JEP-290 serialization filters across grid nodes. There is no public exploit identified at time of analysis and EPSS is low (0.27%), but the CVSS 9.9 scope-changing impact makes this a high-priority patch for exposed grid deployments.
Credential disclosure in IBM Langflow OSS versions 1.0.0 through 1.10.0 stems from a weak, reversible key-derivation mechanism used to protect secrets encrypted at rest, allowing an attacker who can reach the stored credential data to recover the encryption key and decrypt every stored credential. Because Langflow stores API keys, database connection strings, and third-party service tokens used by AI workflow components, recovery of these secrets gives an attacker the keys to all integrated systems. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score supplied, so the threat is currently theoretical but high-impact, and IBM (the reporter) has released a fix.
Information disclosure in IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 allows remote attackers to obtain sensitive information over the network without authentication (CVSS 3.1 vector AV:N/PR:N, base 7.5). The flaw exposes confidential data (C:H) while leaving integrity and availability untouched, and there is no public exploit identified at time of analysis. EPSS is low (0.15%, 5th percentile) and CISA SSVC rates exploitation as none, indicating this is a real but not urgently exploited issue.
Sandbox policy bypass in Twig PHP template engine allows sandboxed template authors to trigger `__toString()` calls on objects explicitly blocked by `SecurityPolicy::$allowedMethods`, through two distinct coercion paths: `Traversable` inputs to the `join` and `replace` filters, and PHP's implicit spaceship-operator coercion inside the `in`/`not in` operator implementation. Beyond unauthorized method invocation, the `in` operator can be chained into a character-by-character equality oracle, enabling reconstruction of the full string value of sensitive objects - such as tokens or credentials passed into the render context - without any direct method invocation being permitted. This is a residual bypass of CVE-2026-47732; no public exploit code has been identified at time of analysis, and the issue is patched in Twig v3.27.0.
Race condition in Zephyr RTOS Bluetooth Classic RFCOMM host stack (v4.4.0 and earlier) permanently wedges session state and exhausts the fixed bt_rfcomm_pool when a peer-transmitted DISC frame for dlci 0 collides with a simultaneous local-initiated teardown. The underlying L2CAP channel is never released and the session slot is never reclaimed, eventually denying RFCOMM service to the targeted peer across repeated occurrences. No public exploit identified at time of analysis; the CVSS 3.1 score of 3.1 (Low) with AV:A/AC:H accurately reflects both the Bluetooth adjacency prerequisite and the high-complexity timing race required.
Non-atomic reference-count manipulation in the Zephyr RTOS net_buf library (lib/net_buf/buf.c) allows a double-free/use-after-free when a single buffer is shared and independently unref'd across concurrent contexts. Because buf->ref and the per-data-block ref_count were incremented/decremented with plain C operators despite the API being documented as self-synchronizing, two holders racing net_buf_unref() under SMP or single-core preemption can each conclude they hold the last reference, causing a double k_heap_free()/k_free() (heap-metadata corruption and UAF on heap-hardening poison) for heap/variable-data pools, or a double return to the pool free list for any pool type. All Zephyr releases through v4.4.0 are affected; no public exploit is identified at time of analysis and EPSS risk is low (0.16%, 6th percentile).
### Impact Shovel and Federation plugins perform URI obfuscation in their worker (link) state. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
Out-of-bounds read in the Zephyr RTOS Bluetooth controller's ISO Adaptation Layer (isoal.c) lets an adjacent attacker leak controller memory to the HCI host and potentially crash the device. A malicious CIS peer or a broadcaster the device is BIS-synced to sends a framed ISO PDU whose start-segment length field is 0-2, causing a uint8_t underflow (len-3 → 253-255) that copies up to ~255 bytes past the received PDU into an HCI ISO packet. Publicly available exploit code exists (SSVC: poc); it is not listed in CISA KEV, and EPSS is low at 0.17%, indicating no evidence of widespread active exploitation.
SQL injection in Dolibarr ERP/CRM through version 23.0.3 lets authenticated REST API users exfiltrate arbitrary database contents - including password hashes and API keys - by abusing the sqlfilters parameter on the setup dictionary and multicurrencies list endpoints. The flawed filter only checked for balanced parentheses and rewrote matched triplets, so an appended UNION SELECT placed outside the expected pattern was concatenated into the WHERE clause unmodified. Publicly available exploit code exists and a vendor fix has been committed; the issue is not listed in CISA KEV.
Denial of service in the Microsoft.OpenApi (OpenAPI.NET) .NET library lets a crafted OpenAPI document with circular schema $ref references crash the host process via stack overflow (CWE-674, uncontrolled recursion). Any .NET application, CLI, developer tool, or service that parses untrusted OpenAPI documents in-process through the public reader APIs is affected across both JSON and YAML reader paths, including Microsoft's own kiota tool. A working reproduction payload is published in the GitHub advisory; the impact is availability-only with no code execution, and there is no public exploit identified beyond that payload and no evidence of active exploitation.
Cross-profile workspace isolation bypass in Hermes WebUI before 0.51.521 allows an authenticated low-privilege user operating under the default profile to read files scoped to other named profiles' workspaces. The /api/session/import handler validates the workspace against the active named profile but omits setting the profile field on the constructed Session object, persisting it with a null profile value. Because the authorization layer treats null profile as equivalent to the default profile, any default-profile user can exploit imported session identifiers to traverse the intended profile boundary and extract file contents - a complete defeat of the application's workspace isolation model. No public exploit is identified at time of analysis, and a vendor-released patch is available at v0.51.521.
Out-of-bounds read in the Zephyr RTOS DNS resolver (subsys/net/lib/dns) lets a malicious, spoofed, or on-path DNS server - or any LAN node when mDNS/LLMNR is enabled - return crafted truncated TXT or SRV records that leak residual receive-pool memory to the application, and in some configurations crash the device. It affects Zephyr v4.3.0 and v4.4.0; the SSVC framework records a proof-of-concept, so publicly available exploit code exists, though EPSS is low (0.20%, 10th percentile) and there is no public evidence of active exploitation. The disclosed data is bounded (~64 bytes for TXT, ~6 for SRV) and read-only, but can expose stale contents of prior DNS packets.
PostgreSQL Anonymizer's anon.hash() function exposes its internal salt to masked database users through an offline brute-force attack, undermining the core pseudonymization guarantee of the extension. Masked roles - the primary consumer of this extension - can call anon.hash() with arbitrary seed inputs and accumulate (seed, hash_output) pairs to deduce the salt offline, after which all pseudonymized values in the database become reversible. No active exploitation or public proof-of-concept has been identified; a vendor-confirmed fix is available in version 3.1.2.
CPython's tarfile.extract() silently bypasses the 'filter' parameter when processing hardlinks within tar archives, writing files with attacker-controlled uid/gid values despite the caller specifying filter='data' for security. Systems that extract content from untrusted tar archives while relying on this filter mechanism for ownership hardening are left with unexpected file ownership on extracted hardlinks. No active exploitation has been confirmed (not in CISA KEV) and no public proof-of-concept is available at time of analysis; the CVSS 4.0 score of 2.0 reflects the narrow, low-impact nature of the flaw.
Coolify's GitLab webhook endpoint leaks its secret token through a timing side-channel, enabling unauthenticated network attackers to reconstruct the token incrementally by measuring HTTP response time differences. All self-hosted Coolify instances prior to 4.0.0-beta.461 with GitLab webhook integrations configured are affected. Once the secret is recovered, an attacker can forge arbitrary GitLab webhook events and potentially trigger unauthorized deployments. No public exploit or active exploitation has been identified at time of analysis; the CVSS-assigned AC:H correctly reflects the practical difficulty of conducting reliable timing measurements over real-world networks.
Heap-use-after-free in openGauss 7.0.0-RC1 and RC2 allows a database user with SQL execution privileges to crash the backend process by crafting a to_timestamp() call with NLS parameters that triggers the seqscan+sort execution path. The nls_fmt_str pointer is stored in session context but allocated within SeqScan's expression memory context, which is freed upon scan completion; subsequent access by timestamp_out() via CheckNlsFormat() dereferences the dangling pointer. The practical impact is denial of service through backend process termination. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Unlimited brute-force attacks against KTM System e-BOK user accounts are enabled by the complete absence of login rate limiting, account lockout, or authentication throttling on the portal's login endpoint. All versions prior to the June 2026 patch are affected, with the risk materially amplified by companion vulnerability CVE-2026-35097, which constrains passwords to a six-digit numeric format - reducing the effective keyspace to 1,000,000 combinations and making full exhaustion feasible with standard tooling in minutes to hours. No public exploit code or CISA KEV listing has been identified at time of analysis, but the combination of these two flaws represents a near-trivially exploitable account takeover path against any e-BOK deployment where both vulnerabilities are present.
KTM System e-BOK enforces a system-wide password policy that restricts all user credentials to exactly six numeric digits, prohibiting alphabetic, special, or extended characters and producing a maximum keyspace of only 1,000,000 possible values (10^6). This CWE-521 (Weak Password Requirements) flaw enables remote unauthenticated brute-force attacks against any customer account, as confirmed by the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N). No public exploit code or CISA KEV listing exists, but the trivial keyspace means no specialized tooling is required - standard credential automation suffices. CERT-PL reported the issue; a vendor patch was published in June 2026.
Session fixation in KTM System e-BOK (an online customer service portal) enables an attacker to preset a session identifier in a victim's browser before authentication, which the application then retains unchanged after successful login. Because the server accepts a client-supplied cookie value and never regenerates it at the authentication boundary, an attacker who controls the initial session token can hijack the victim's fully authenticated session. A patch was published by KTM System in June 2026; no public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Memory overread in Citrix NetScaler ADC and NetScaler Gateway lets remote attackers read out-of-bounds memory when the appliance is configured as a SAML identity provider (IDP), enabling disclosure of sensitive in-memory data such as tokens, session material, or other process memory. The CVSS 4.0 score of 8.8 reflects network-reachable, unauthenticated exploitation (PR:N) with high confidentiality and availability impact; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. The flaw belongs to the same class of NetScaler appliance vulnerabilities (e.g., Citrix Bleed-style memory disclosure) that have historically drawn aggressive exploitation, making prompt patching advisable.
Arbitrary file disclosure in GLib's GDBus client affects the DBUS_COOKIE_SHA1 SASL authentication mechanism, where the client fails to validate the server-supplied cookie_context parameter. A malicious or compromised D-Bus server can send a cookie_context containing path traversal sequences, forcing the client to read attacker-chosen files and leak their contents by confirming guessed values against the returned authentication hash. No public exploit has been identified and it is not in CISA KEV; EPSS is low at 0.30% (22th percentile), consistent with the SSVC assessment of no known exploitation.
Buffer over-read in GLib's giochannel line-reading code (g_io_channel_read_line_backend) affects the GNOME GLib library prior to version 2.88.1, where an application that configures a multi-byte custom line terminator triggers memcmp to read past the end of the internal GString buffer. Depending on memory layout, this leaks up to 7 bytes of adjacent heap memory (minor information disclosure) or crashes the process when the over-read crosses an unmapped page boundary (denial of service). There is no public exploit identified at time of analysis, EPSS is low (0.27%), and CISA SSVC rates exploitation as none.
Buffer over-read in GNOME GLib's g_regex_replace() lets remote attackers leak 1-5 adjacent bytes of process memory and crash applications when regex replacement is performed with the G_REGEX_RAW compile flag combined with case-change replacement escapes. The internal string_append helper applies UTF-8 aware routines to matched substrings even though G_REGEX_RAW treats the buffer as raw bytes, reading past the intended boundary. There is no public exploit identified at time of analysis and EPSS is low (0.26%, 18th percentile), but the flaw is broadly reachable because GLib underpins the GNOME stack and ships across Red Hat Enterprise Linux 6-10.
Out-of-bounds read of two bytes in GLib's g_date_time_get_ymd() (glib/gdatetime.c) lets attackers corrupt date output and trigger logic errors that may cause denial of service when an application processes an invalid GDateTime produced by g_date_time_add_full(). It affects the GNOME GLib core utility library shipped across Red Hat Enterprise Linux 6 through 10, with fixes in GLib 2.88.1 and 2.86.5. There is publicly available exploit code exists per SSVC (proof-of-concept), no confirmed active exploitation, and EPSS is low at 0.27% (19th percentile).
Out-of-bounds read in GNOME GLib's GVariant serialiser allows remote attackers to leak a single byte of adjacent memory and to crash applications that deserialise untrusted GVariant data. The flaw sits in gvs_tuple_is_normal() in glib/gvariant-serialiser.c, where an alignment-padding bounds check uses '>' instead of '>=', reading one byte past the buffer; when that byte falls across a page boundary the process faults, producing a denial of service. No public exploit identified at time of analysis, and EPSS is low (0.26%), but GLib's near-universal presence on Linux systems makes the exposure broad.
Memory overread in Citrix NetScaler ADC and NetScaler Gateway exposes low-confidence partial memory contents to unauthenticated remote attackers when TCP TimeStamp processing is triggered against a misconfigured or specifically configured TCP Profile. The vulnerability is rooted in insufficient input validation (CWE-125) within the TCP TimeStamp handling code path, affecting virtual servers of type Load Balancer, Content Switching, and VPN, as well as configured services. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis, though the network-accessible, zero-privilege attack vector warrants prompt patching given NetScaler's broad enterprise deployment.
Arbitrary file read in Citrix NetScaler ADC and NetScaler Gateway lets unauthenticated attackers on an adjacent network retrieve sensitive files from the appliance when the NSIP, Cluster Management IP, or a SNIP has management access enabled. The flaw (CWE-73, external control of file name or path) carries a CVSS 4.0 base score of 7.1 with high confidentiality impact, and no public exploit identified at time of analysis. Exposure is gated by the management interface being reachable, which limits but does not eliminate risk given NetScaler's history of attacker targeting.
Privilege escalation in Rancher 2.13 (before 2.13.6) and 2.14 (before 2.14.2) lets any authenticated user gain principal access they should not hold, because the GitHub authentication provider incorrectly caches the result of team membership expansion. The flaw (CWE-303, CVSS 8.8) means a low-privileged GitHub-authenticated user can be granted access tied to other principals/teams, effectively bypassing intended authorization. No public exploit identified at time of analysis and it is not listed in CISA KEV.
Redeight CMS 1.0 stores user passwords using unsalted MD5 hashes, enabling any attacker who obtains the credential database to recover plaintext passwords nearly instantaneously via precomputed rainbow tables. All stored credentials are effectively exposed upon database compromise, since MD5 is cryptographically broken and the absence of per-user salts eliminates hash uniqueness across identical passwords. No public exploit code or confirmed active exploitation has been identified at time of analysis, but the cracking technique is trivially automated and requires no specialized skill.
MSE Diffie-Hellman key exchange in Net::BitTorrent (Perl, all versions through 2.0.1) is rendered cryptographically transparent to passive network observers because Perl's non-cryptographic rand() function generates the 160-bit DH private key in KeyExchange.pm, and the same PRNG sequence simultaneously produces cleartext random padding transmitted during the same handshake. A passive eavesdropper who captures the handshake can recover the drand48 PRNG state from the observable padding bytes, reconstruct the private key, derive the RC4 session keys, and fully decrypt the MSE-encrypted stream - completely defeating the passive-observation obfuscation MSE is designed to provide. No public exploit has been identified at time of analysis, but the recovery is deterministic and requires only standard number theory once the handshake is captured.
Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input. bdecode recurses once per nested list or dictionary level with no depth cap, and each recursive call receives the remaining buffer by value while the list and dictionary branches capture the whole remainder, so every live recursion frame keeps its own copy of the shrinking buffer (O(N^2) bytes for an N-deep input). The decoder runs on every untrusted bencode source: .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses. A bencoded input of roughly 150,000 nested lists (about 150 KB on the wire) drives multi-gigabyte peak memory, so one short message from any peer, or one crafted .torrent file or magnet link, terminates the client.
Sensitive data exposure in Advantech Hospital Queuing Management lets unauthenticated remote attackers reach a specific URL and retrieve the application's API documentation, mapping out endpoints and parameters without any credentials. The flaw is rooted in missing authentication (CWE-306) on a resource that should be protected, and TWCERT rates it CVSS 4.0 9.3 (Critical). No public exploit is identified at time of analysis, but the exposed API documentation provides reconnaissance that materially lowers the barrier to follow-on attacks.
Information disclosure in Advantech Hospital Queuing Management allows unauthenticated remote attackers to retrieve internal API documentation by requesting a specific URL, exposing the application's API surface, endpoints, and parameters. The flaw carries a high CVSS 4.0 base score of 8.7 driven entirely by confidentiality impact, but there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The leaked documentation primarily serves as reconnaissance that lowers the barrier to attacking other endpoints of this healthcare queuing platform.
Improper input validation in Apache ActiveMQ lets an attacker who can write or modify LDAP entries matching the broker's configured searchBase and searchFilter instantiate transports that are otherwise denied inside the broker JVM. By doing so the attacker can force the broker to fetch an attacker-controlled URL and spawn a second BrokerService within the same JVM, an integrity-impacting condition affecting Apache ActiveMQ, ActiveMQ Broker, and ActiveMQ All before 5.19.8 and 6.x before 6.2.7. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Denial-of-service in Apache ActiveMQ STOMP connectors lets a remote peer that can reach an exposed STOMP port crash or exhaust the broker by sending a negative content-length value. On the NIO STOMP transport the attacker streams body bytes to grow the per-connection command buffer past configured limits and force an out-of-memory condition, while the blocking STOMP transport instead throws an abnormal transport exception that closes the affected connection. The flaw affects ActiveMQ, ActiveMQ All, and ActiveMQ Stomp before 5.19.8 and the 6.0.0-6.2.6 line; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Cleartext-transmission exposure in Hitachi Energy PROMOD V allows a network man-in-the-middle to intercept or read sensitive data because the application relies on unencrypted HTTP rather than HTTPS when communicating with a third-party Digipede grid-computing server. The flaw (CWE-1428, reliance on an insecure communications channel) carries a CVSS 4.0 base score of 7.0 and is rated high confidentiality impact with limited integrity impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Broken object-level authorization in the Fluent Booking WordPress plugin (all versions before 2.1.2) allows any user holding the Calendar Manager role to export attendee PII - including names, email addresses, phone numbers, physical addresses, and payment information - from calendar groups they do not own. The flaw resides in the plugin's attendee export endpoint, which accepts a caller-supplied group_id without verifying the requesting user's ownership of that group. A publicly available proof-of-concept exploit exists per WPScan reporting; however, this vulnerability is not listed in the CISA KEV catalog, indicating no confirmed broad exploitation. The CVSS score of 4.9 (Medium) reflects the high-privilege prerequisite, though the sensitivity of the exposed data - including payment details - elevates real-world business impact beyond what the numeric score alone suggests.
Stored cross-site scripting in the Kali Forms WordPress plugin (before 2.4.13) allows Contributor-level users to inject arbitrary JavaScript into form field captions, which execute in an administrator's browser session when the admin views the form-entries screen. A compounding missing capability check in the plugin's post-duplication action enables the same low-privilege attacker to publish the malicious form without administrator approval, removing the dependency on an admin independently discovering the unpublished form. A publicly available exploit (via WPScan) exists, and the plugin vendor has released a patch in version 2.4.13. No CISA KEV listing is present, indicating no confirmed mass exploitation at time of analysis.
Time-of-check time-of-use (TOCTOU) race condition in Samsung's open-source Escargot JavaScript engine exposes systems - notably Samsung TV appliances - to local exploitation resulting in limited confidentiality, integrity, and availability impact. The flaw exists at a specific upstream commit (bab3a5797557014ce3c2e28419a6310cfba90d0d) and allows an attacker who can execute code in the same environment to exploit a timing window between a security check and the subsequent use of a resource. No active exploitation has been identified at time of analysis, but a fix commit is available upstream.
Insufficient data exists to characterize CVE-2026-13606. The sole intelligence signal is a vendor report attributed to Ubuntu, indicating this vulnerability affects a package or component within the Ubuntu ecosystem. No description, CVSS score, vector, CWE classification, or additional references are available - a complete technical characterization is not possible from the provided data.
Insufficient data exists to characterize CVE-2026-44605 meaningfully. The only available intelligence signal is a vendor attribution to Ubuntu, with no description, CVSS vector, CWE classification, or reference URLs provided. The CVE ID year (2026) places this beyond the analyst's knowledge cutoff of August 2025, meaning no corroborating open-source intelligence can be applied. No exploitation status, affected version range, or impact class can be stated with any confidence.
Insufficient data exists to characterize CVE-2026-57964 meaningfully. The only confirmed signal is a vendor attribution to Ubuntu (Canonical), with no description, CVSS score, vector, or CWE provided. No exploitation status, affected component, or impact can be determined from the available intelligence. Security teams should monitor the Ubuntu Security Notices (USN) portal and the NVD entry for this CVE as data becomes available.
Arbitrary file read in the Zephyr RTOS HTTP server (subsys/net/lib/http) lets an unauthenticated remote client retrieve any readable file on the mounted filesystem volume by abusing path-traversal sequences against a registered static-filesystem resource. Affecting Zephyr v4.0.0 through v4.4.0 with CONFIG_FILE_SYSTEM enabled and a static-FS resource registered, the flaw stems from the raw request path being concatenated to the web root without canonicalization in both the HTTP/1 and HTTP/2 front-ends. No public exploit identified at time of analysis, but the bug is trivial to trigger (CVSS 7.5, AV:N/AC:L/PR:N/UI:N) and a vendor patch is available.
USB CDC-NCM network driver in Zephyr RTOS through v4.4.0 permanently deadlocks the shared network egress thread when a USB bus suspend coincides with outbound device traffic, requiring a reboot to recover. The defect in `cdc_ncm_send()` ignores the return value of `usbd_ep_enqueue()` and unconditionally blocks on a completion semaphore that only the (never-fired) bulk-IN ISR can signal - halting not just CDC-NCM traffic but all egress on other interfaces sharing the TX thread. No public exploit code or active exploitation has been identified; the trigger is routine USB host power management, making this an availability risk for any embedded Zephyr device using USB virtual Ethernet.
Unbounded heap consumption in Apache ActiveMQ's STOMP NIO codec allows an unauthenticated remote client to crash the broker by streaming non-terminating header bytes that the JVM buffers without limit until memory is exhausted. All three affected Maven artifacts (apache-activemq, activemq-all, activemq-stomp) are impacted in versions before 5.19.8 and in the 6.0.0-6.2.6 range. No public exploit code or active exploitation has been identified at time of analysis, but the unauthenticated, low-complexity network attack surface against a widely-deployed enterprise broker makes this a credible denial-of-service risk for any deployment with an exposed STOMP port.
Authentication bypass in Apache Tomcat (7.0.0-7.0.109, 8.5.0-8.5.100, 9.0.0.M1-9.0.100, 10.1.0-M1-10.1.36, 11.0.0-M1-11.0.4) lets remote attackers authenticate without supplying the correct password when the JNDIRealm is configured to validate credentials via GSSAPI bind. The flaw (CWE-304, Missing Critical Step in Authentication) means the realm accepts a bind as successful even when the password verification step is effectively skipped. There is no public exploit identified at time of analysis, EPSS risk is low (0.21%, 12th percentile), and it is not listed in CISA KEV.
Incomplete security-constraint logging in Apache Tomcat (8.5.0-8.5.100, 9.0.0.M1-9.0.118, 10.1.0-M1-10.1.55, 11.0.0-M1-11.0.22) omits special roles and empty authorization constraints when the effective web.xml is written to the log, giving administrators an inaccurate view of the deployed access-control configuration. There is no public exploit identified at time of analysis, EPSS is low (0.17%, 7th percentile), and CISA SSVC marks exploitation status as none, despite the inflated 9.1 CVSS published by Apache. The practical effect is misleading audit/diagnostic output rather than direct attacker compromise.
Non-constant-time AEAD authentication tag comparison in CryptX before 0.088_001 for Perl exposes a timing oracle in the streaming decrypt_done path, enabling authentication tag forgery across five AEAD cipher modes: GCM, CCM, ChaCha20Poly1305, EAX, and OCB. An attacker who can submit many candidate tags for a fixed nonce and ciphertext while precisely measuring response timing can recover the expected tag byte-by-byte and forge authenticated messages. No public exploit code exists and CISA has not listed this in KEV; EPSS is 0.23% (13th percentile), consistent with SSVC's 'Exploitation: none' rating at time of disclosure.
Improper handling of a Certificate Revocation List (CRL) error condition in Apache Tomcat's FFM-based (Foreign Function & Memory / OpenSSL) connector allows revoked client certificates to be accepted during mutual TLS authentication, defeating revocation checking. The flaw affects Tomcat 9.0.83-9.0.118, 10.1.0-M7-10.1.55, and 11.0.0-M1-11.0.22 when a CRL is configured on the FFM connector, letting an attacker holding a revoked-but-otherwise-valid client certificate reach protected resources. There is no public exploit identified at time of analysis and the issue is not on CISA KEV, though the CVSS base score is 9.1 (CWE-390).
Access-control bypass in Apache Tomcat's RewriteValve (versions 8.5.0-8.5.100, 9.0.0.M1-9.0.118, 10.1.0-M1-10.1.55, and 11.0.0-M1-11.0.22) arises because once the first condition in an OR (`[OR]`) chain matched, subsequent non-OR conditions were never evaluated. Where operators rely on chained rewrite conditions to gate or restrict requests, an attacker can satisfy only the first condition and have later guard conditions silently skipped, leading to information disclosure or unintended request routing. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Apache has released fixes in 11.0.23, 10.1.56, and 9.0.119.
Cross-origin information disclosure in Apple Safari, iOS, iPadOS, and macOS Tahoe (all versions before 26.5.2) allows an attacker who can direct a user to maliciously crafted web content to read sensitive data from other origins, violating the Same-Origin Policy. The flaw stems from inadequate tracking of security origins in the WebKit engine (CWE-346), and is notable because on iOS and iPadOS all browsers are mandated to use WebKit, meaning every browser on those platforms is affected. No public exploit or CISA KEV listing is identified at time of analysis; Apple has released patches across all affected platforms.
Kernel memory corruption in Apple iOS/iPadOS (before 26.5.2) and macOS Tahoe (before 26.5.2) allows a malicious or compromised app to corrupt kernel memory or trigger unexpected system termination via malformed input that bypasses validation. Reported by Apple internally and fixed with improved input validation; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Despite a high CVSS of 9.1, the practical attack surface is bound to code already executing on the device as an app.
Clipboard data disclosure in Apple Safari (and the shared WebKit engine on iOS, iPadOS, and macOS) before version 26.5.2 lets a malicious website silently read or hijack clipboard contents without user interaction or permission, rated CVSS 7.5 (confidentiality-only). Apple has shipped fixes in Safari 26.5.2, iOS/iPadOS 26.5.2, and macOS Tahoe 26.5.2, and the issue was reported internally by Apple. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Local privilege escalation and kernel memory corruption in Apple iOS, iPadOS (before 26.5.2) and macOS Tahoe (before 26.5.2) allows a malicious or compromised app to write kernel memory or force unexpected system termination by supplying improperly validated input to a privileged interface. Apple resolved the flaw through improved input sanitization. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and CISA SSVC records exploitation status as none, though it rates the technical impact as total and considers it automatable.
Cross-origin data exfiltration in Apple Safari, iOS/iPadOS, and macOS Tahoe (all versions prior to 26.5.2) allows a malicious website to read data belonging to a different origin due to insufficient input validation. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-delivered without authentication, requiring only that the victim visits an attacker-controlled page. No public exploit code or CISA KEV listing has been identified at time of analysis, and vendor-released patches are available for all affected platforms.