Information Disclosure
Monthly
A critical unrestricted file upload vulnerability in Admidio's Documents & Files module allows authenticated users with upload permissions to bypass file extension restrictions by submitting an invalid CSRF token, enabling upload of PHP scripts that lead to Remote Code Execution. The vulnerability affects Admidio versions prior to the patch and has a published proof-of-concept demonstrating webshell upload and command execution. With a CVSS score of 8.8 and detailed exploitation steps available, this represents a high-priority risk for organizations using Admidio for document management.
ZwickRoell Test Data Management versions prior to 3.0.8 contain a local file inclusion (LFI) vulnerability in the /server/node_upgrade_srv.js endpoint.
Mattermost 10.11.x through 10.11.10 fails to clear cached permalink preview data when a user's channel access is revoked, allowing authenticated users to view private channel content through previously cached previews until the cache expires or they re-login. An authenticated attacker who previously had access to a private channel can exploit this to maintain visibility into sensitive channel communications after access removal. A patch is not currently available for this medium-severity vulnerability.
A security vulnerability in Chamilo LMS (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
CVE-2026-29516 is a security vulnerability (CVSS 4.9) that allows authenticated attackers. Remediation should follow standard vulnerability management procedures.
File upload validation bypass in applications using MIME parameter injection allows authenticated attackers to upload malicious files by appending parameters like `;charset=utf-8` to the Content-Type header, bypassing extension filters and default blocklists. This enables stored XSS attacks that can compromise session tokens, credentials, and sensitive browser data accessible to the application's domain. A patch is available that strips MIME parameters during validation and expands the default blocklist.
The DefaultController->actionLoadContainerData() endpoint in the Microsoft plugin permits unauthenticated attackers possessing a valid CSRF token to enumerate accessible storage buckets and extract sensitive data from Azure error messages. This authorization bypass affects users running unpatched versions prior to 2.1.1, exposing cloud storage infrastructure details and potentially sensitive system information through verbose error responses.
Unauthenticated users can view a list of buckets the plugin has access to.
The BucketsController endpoint in this plugin suffers from an information disclosure vulnerability where unauthenticated attackers possessing a valid CSRF token can enumerate the list of accessible buckets. This exposure allows reconnaissance of cloud storage resources available to the plugin without requiring authentication. Update to version 2.2.5 to resolve this issue.
Remote code execution in Craft CMS allows authenticated administrators with control panel access to execute arbitrary code by exploiting an incomplete patch that left the same vulnerable gadget chain pattern in multiple controllers. The vulnerability requires administrative privileges and the allowAdminChanges setting to be enabled, limiting exposure to trusted users with elevated access. Craft CMS versions before 4.17.5 and 5.9.11 are affected and should be patched immediately.
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
A credential disclosure vulnerability exists in Glances monitoring tool when running in Central Browser mode with autodiscovery enabled. The vulnerability allows attackers on the same local network to steal reusable authentication credentials by advertising fake Glances services via Zeroconf, as the application trusts untrusted service names for password lookups instead of using verified IP addresses. A working proof-of-concept is included in the advisory, and the issue has a CVSS score of 8.1 indicating high severity.
The Glances system monitoring tool exposes reusable authentication credentials for downstream servers through an unauthenticated API endpoint when running in Central Browser mode without password protection. This vulnerability allows any network attacker to retrieve pbkdf2-hashed passwords that can be replayed to access protected Glances servers across an entire monitored fleet. A proof-of-concept is included in the advisory demonstrating credential extraction from the /api/4/serverslist endpoint.
A critical CORS misconfiguration in the Glances system monitoring tool's REST API allows any website to steal sensitive system information from users who visit a malicious page while having access to a Glances instance. The vulnerability affects all versions prior to 4.5.2 and enables cross-origin theft of system stats, configuration secrets, database passwords, API keys, and command-line arguments. A proof-of-concept is publicly available, though no active exploitation has been reported yet.
A critical authentication bypass vulnerability exists in Tenda AC8 router firmware version 16.03.50.11 where the IPv6 handler function check_is_ipv6 relies on IP address for authentication, allowing remote attackers to gain unauthorized access. The vulnerability has a publicly available proof-of-concept exploit on GitHub and scores 9.8 CVSS, enabling complete compromise of the affected device with no authentication required. While not currently listed in CISA KEV, the combination of public exploit availability and ease of exploitation makes this a high-priority vulnerability for organizations using affected Tenda routers.
A critical information disclosure vulnerability in Glances system monitoring tool allows unauthenticated remote attackers to access sensitive configuration data including password hashes, SNMP community strings, and authentication keys through unprotected API endpoints. The vulnerability affects Glances versions prior to 4.5.2 when running in web server mode without password protection (the default configuration), and a proof-of-concept demonstrating the attack is publicly available. While not currently in CISA's Known Exploited Vulnerabilities catalog, the issue has a high CVSS score of 7.5 due to the ease of exploitation and severity of exposed secrets.
A critical physical access vulnerability in IncusOS allows attackers to bypass LUKS disk encryption without breaking Secure Boot or modifying the kernel. The vulnerability affects all IncusOS versions through mkosi prior to version 202603142010 and enables attackers with physical access to extract encryption keys by substituting the encrypted root partition with their own malicious partition. This vulnerability has been patched and a proof-of-concept attack methodology has been publicly documented.
Glances web server exposes its REST API without authentication by default when started with the -w flag, allowing unauthenticated remote attackers to access sensitive system information including process details that may contain credentials such as passwords and API keys. The vulnerability affects Python and Docker deployments where Glances is exposed to untrusted networks due to the server binding to 0.0.0.0 with authentication disabled by default. A patch is available to address this configuration vulnerability.
ONNX's hub.load() function can be bypassed to load untrusted models without user confirmation when the silent parameter is enabled, allowing attackers to potentially deliver malicious models to applications that suppress security warnings. The vulnerability stems from improper logic in the repository trust verification mechanism that prioritizes the silent flag over security checks. This affects Python-based systems using ONNX and could lead to unauthorized code execution through model loading.
A remote code execution vulnerability in CityData CityChat (CVSS 2.5). Risk factors: public PoC available.
A remote code execution vulnerability in Albert Sağlık Hizmetleri ve Ticaret Albert Health (CVSS 2.5). Risk factors: public PoC available.
CVE-2026-21386 is a security vulnerability (CVSS 4.3) that allows an authenticated team member. Remediation should follow standard vulnerability management procedures.
HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries.
A security vulnerability in HCL AION (CVSS 1.9). Remediation should follow standard vulnerability management procedures.
HCL AION is affected by a vulnerability where internal filesystem paths may be exposed through application responses or system behaviour.
CVE-2026-27448 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
HCL AION is affected by a vulnerability where certain identifiers may be predictable in nature.
A security vulnerability in A security flaw (CVSS 2.5). Risk factors: public PoC available.
HCL AION contains inadequate auditing and logging mechanisms that fail to properly track certain user actions, reducing the traceability of user activities and potentially compromising monitoring, accountability, and incident investigation capabilities. The vulnerability affects AION 2.0 and is classified as an Information Disclosure issue with a CVSS score of 5.8. An attacker with local access and low privileges could exploit this to perform actions without adequate logging, hindering forensic analysis and compliance audit trails.
A security vulnerability in HCL AION (CVSS 4.7). Remediation should follow standard vulnerability management procedures.
Improper access control in D-Link DIR-823G 1.0.2B05's goahead component allows unauthenticated remote attackers to manipulate multiple configuration functions including firewall, network, and security settings. The vulnerability affects a wide range of device management functions and has been publicly disclosed with no patch currently available. Affected organizations should implement network segmentation and access controls to limit exposure to this remotely exploitable flaw.
A arbitrary file access vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
A vulnerability was found in Lagom WHMCS Template up to 2.3.7.
A security vulnerability in HCL AION (CVSS 4.8). Remediation should follow standard vulnerability management procedures.
HCL AION contains a container base image authentication vulnerability where container images are not properly verified before deployment, potentially allowing attackers to execute untrusted or malicious container images within the AION environment. This affects AION 2.0 and could enable attackers with local access and high privileges to compromise system integrity and availability. No public evidence of active exploitation or POC availability has been identified in the provided intelligence sources.
HCL AION contains a SQL injection or improper query validation vulnerability that allows authenticated local users with low privileges to execute potentially harmful SQL queries against the database. The vulnerability affects certain offering configurations and could lead to limited information disclosure, data modification, or denial of service under specific conditions. With a CVSS score of 4.5 and local attack vector requirement, this represents a moderate-risk vulnerability primarily exploitable by insider threats or compromised local accounts.
Mattermost fails to properly validate User-Agent header tokens in versions 11.3.0 and earlier, 11.2.2 and earlier, and 10.11.10 and earlier, allowing authenticated attackers to trigger request panics through specially crafted User-Agent headers. This denial-of-service vulnerability affects availability but requires prior authentication and results in only low-severity impact. While the CVSS score of 4.3 reflects the low severity, the practical risk depends on whether the application is exposed to untrusted authenticated users and whether automatic exploitation tools are readily available.
Mattermost versions 11.3.x up to and including 11.3.0 contain an information disclosure vulnerability where burn-on-read posts fail to maintain their redacted state when deleted, allowing authenticated channel members to view previously hidden message contents through WebSocket post deletion events. The vulnerability requires low-privilege authenticated access and results in confidentiality loss of sensitive communications that were intentionally designed to be self-destructing. With a CVSS score of 4.3 and network-based attack vector, this represents a meaningful but contained risk primarily affecting organizations relying on Mattermost's burn-on-read feature for secure internal communications.
Raytha CMS lacks brute force protection mechanisms, allowing attackers to conduct unlimited automated login attempts without triggering account lockout, rate limiting, or multi-factor authentication challenges. Versions prior to 1.4.6 are affected, and an attacker can systematically enumerate valid usernames and crack passwords through high-volume credential stuffing attacks. The vulnerability represents a significant authentication bypass risk that could lead to unauthorized administrative access depending on password strength and user enumeration feasibility.
Raytha CMS contains a user enumeration vulnerability in its password reset functionality where differing error messages reveal whether a login exists in the system, enabling attackers to build valid user lists for targeted brute force attacks. This vulnerability affects Raytha CMS versions prior to 1.5.0. The moderate CVSS score of 6.9 reflects the information disclosure risk, though real-world impact depends on how attackers chain this enumeration with other attacks.
A host header injection vulnerability in Raytha CMS allows attackers to hijack password reset tokens by spoofing X-Forwarded-Host or Host headers, leading to account takeover. The vulnerability affects all versions prior to 1.4.6 and requires only that the attacker knows the victim's email address to initiate the attack chain. With a CVSS 7.5 score and requiring user interaction, this represents a significant authentication bypass risk for organizations using the affected CMS versions.
Mattermost fails to properly sanitize client-supplied post metadata in its post update API endpoint, allowing authenticated attackers to spoof permalink embeds and impersonate other users through crafted PUT requests. The vulnerability affects Mattermost versions 11.3.0 and earlier, 11.2.2 and earlier, and 10.11.10 and earlier. While the CVSS score of 4.3 is moderate and requires authentication, the integrity impact allows attackers to deceive users by falsely attributing messages to legitimate users, potentially facilitating social engineering or misinformation campaigns within Mattermost instances.
A sensitive information disclosure vulnerability in Mattermost Plugins versions 2.0.3.0 and earlier fails to properly mask sensitive configuration values in support packets, allowing attackers with high privileges to extract original plugin settings from exported configuration data. The vulnerability requires authenticated access with high privileges (CVSS 7.6) and enables attackers to obtain sensitive configuration data that should be masked, potentially exposing API keys, credentials, or other sensitive plugin configurations. No active exploitation or proof-of-concept has been reported, and the vulnerability requires significant access privileges to exploit.
Insufficient Session Expiration in Truesec's LAPSWebUI before version 2.4 allows local attackers with user-level privileges to obtain local administrator passwords through inadequate session management controls. An attacker with physical or logical access to a workstation can exploit this vulnerability to escalate privileges and disclose sensitive credentials, potentially compromising domain administration. This vulnerability represents a practical privilege escalation risk in environments relying on LAPS (Local Administrator Password Solution) for credential management.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Wakyma veterinary web application at the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento', allowing authenticated users with low privileges to inject malicious scripts that persist in the application and execute in the browsers of other users, potentially enabling unauthorized data access and privilege escalation across the veterinary team. The vulnerability has a CVSS v4.0 base score of 4.8 (low-to-medium severity) but poses meaningful organizational risk due to its stored nature and the ability for low-privileged users to affect higher-privileged team members. No public exploit code or active exploitation in the wild has been reported at this time, though the attack requires only Network access and user interaction, making it feasible for insider threats.
Path traversal in ThingsGateway 12's /api/file/download endpoint allows authenticated users to read arbitrary files through manipulation of the fileName parameter. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
An Insecure Direct Object Reference (IDOR) vulnerability exists in Campus Educativa at the endpoint '/archivos/usuarios/[ID]/[username]/thumb_AAxAA.jpg' that allows unauthenticated attackers to enumerate and download profile photographs of all users by manipulating URL parameters. Successful exploitation enables mass collection of user photos for identity impersonation, social engineering, facial recognition-based identity linking across platforms, and doxxing attacks. With a CVSS score of 6.9 and no authentication required, this vulnerability poses a moderate-to-significant risk to user privacy and security.
An Insecure Direct Object Reference (IDOR) vulnerability in Campus Educativa allows unauthenticated attackers to access sensitive user data including usernames, full names, email addresses, and phone numbers of all enrolled students by manipulating course IDs in the export endpoint. The vulnerability requires no authentication and can be exploited remotely through simple URL manipulation and brute-force attacks on course IDs. With a CVSS score of 8.7 and network-based attack vector, this represents a critical data exposure risk for educational institutions using Campus Educativa.
An authentication bypass vulnerability in Tinycontrol network devices (tcPDU and LAN Controllers LK3.5, LK3.9, LK4) exposes usernames and encoded passwords for both normal and admin users through unauthenticated HTTP requests to the login page. The vulnerability affects devices running older firmware versions when the secondary authentication mechanism is disabled (default setting), allowing any attacker on the local network to harvest credentials without authentication. With an EPSS score of 0.00043 and no KEV listing, this vulnerability shows low real-world exploitation activity despite its high CVSS score of 8.7.
A privilege escalation vulnerability in Tinycontrol network management devices (tcPDU and LAN Controllers) allows low-privileged users to retrieve administrator passwords by directly accessing resources that are hidden from the graphical interface. The vulnerability affects multiple product lines including tcPDU, LK3.5, LK3.9, and LK4 controllers across various hardware versions, with a high CVSS score of 8.6 indicating significant risk. No evidence of active exploitation exists (not in KEV), no public POC is available, and the EPSS score is not provided, but patches are available for all affected versions.
OpenHarmony versions 5.1.0 and prior contain an improper input validation vulnerability (CWE-20) that allows local attackers with low privileges to trigger a denial of service condition. An authenticated local user can craft malicious input that causes the system to become unresponsive or crash, requiring manual intervention to restore availability. While this vulnerability has a moderate CVSS score of 5.0, the local-only attack vector and requirement for user interaction limit widespread exploitation risk.
OpenHarmony v5.0.3 and prior versions contain an improper input validation vulnerability (CWE-20) that allows a local attacker with limited privileges to read sensitive information from the system. The vulnerability carries a CVSS score of 3.3 with low attack complexity and requires local access and low privileges, indicating a confined risk profile suitable only for restricted exploitation scenarios. While the CVSS vector does not indicate active exploitation or widespread POC availability based on the provided data, the information disclosure impact warrants attention in environments where local privilege escalation chains may amplify the risk.
OpenHarmony versions 5.0.3 and earlier contain an information disclosure vulnerability caused by use of uninitialized resources, allowing local attackers to leak sensitive case-sensitive data. The vulnerability affects OpenHarmony deployments across all product lines up to v5.0.3.x (per EUVD-2025-208673). An attacker with local access and standard user privileges can read uninitialized memory regions to obtain confidential information without requiring user interaction, though there is no indication of active exploitation in public KEV databases at this time.
This vulnerability is a memory leak in OpenHarmony v6.0 and prior versions that allows a local, low-privileged attacker to trigger a denial-of-service condition by preventing proper memory release during runtime operations. An authenticated local user without special privileges can exhaust system memory through repeated triggering of the affected code path, causing application or system instability. The low CVSS score of 3.3 reflects the limited scope (local access only, no confidentiality or integrity impact), but the underlying memory management flaw (CWE-401: Missing Release of Memory) is a classic stability threat in systems software.
A critical integer underflow vulnerability in libexif library versions up to 0.6.25 allows attackers to cause buffer overflows when processing malformed EXIF MakerNotes data in image files. This vulnerability can lead to arbitrary code execution or information disclosure when a victim opens a maliciously crafted image file containing specially crafted EXIF metadata. While not currently listed in CISA KEV or showing high EPSS scores, the vulnerability has a published fix and affects a widely-used image metadata processing library.
Mumble before version 1.6.870 contains an out-of-bounds array access vulnerability (CWE-125) that allows remote attackers to crash the client application, resulting in denial of service. The vulnerability requires network access but no authentication or user interaction, affecting all users of vulnerable Mumble client versions. While the CVSS score of 3.7 is relatively low and only impacts availability with no confidentiality or integrity compromise, this vulnerability poses a practical risk to voice communication availability in production deployments.
A local information disclosure vulnerability exists in myAEDES App versions up to 1.18.4 on Android, stemming from improper handling of the AUTH_KEY argument in the EngageBayUtils.java component. An authenticated local attacker with high complexity can manipulate this parameter to disclose sensitive information, though the attack requires local device access and significant technical effort. A public proof-of-concept exploit is now available, and the vendor has not responded to early disclosure attempts.
A key management error exists in the XREAL Nebula App (Android) up to version 3.2.1, specifically in the CloudStoragePlugin.java component where accessKey, secretAccessKey, and securityToken arguments are improperly handled. An attacker with local access and moderate privileges can manipulate these credentials to bypass authentication controls, resulting in unauthorized information disclosure. A proof-of-concept has been publicly disclosed, though the vulnerability requires high complexity to exploit and the vendor has not responded to early notification.
Hard-coded credentials exist in the i-SENS SmartLog Android application (versions up to 2.6.8) within a developer mode function used for Bluetooth pairing configuration between blood glucose meters and the mobile app. An attacker with local access and low privileges can exploit this to obtain credentials, potentially compromising the integrity and confidentiality of health data. A public proof-of-concept is available, though the CVSS 5.3 score and local-only attack vector limit immediate widespread exploitation risk.
Galaxy Store prior to version 4.6.03.8 contains an improper cryptographic signature verification vulnerability that allows a local attacker to install arbitrary applications without proper authorization. An attacker with physical or local access to a device can bypass the signature validation mechanism, enabling installation of malicious or unauthorized apps. While the CVSS score of 5.9 is moderate, the integrity impact is high, making this a meaningful threat to device security and app ecosystem integrity.
A cryptographic downgrade vulnerability in Samsung Smart Switch allows remote attackers to force the application to use weak authentication schemes during device-to-device transfers. The vulnerability affects Smart Switch versions prior to 3.7.69.15 and requires user interaction to exploit, potentially exposing sensitive data during the transfer process between Samsung devices. With a CVSS 4.0 score of 7.1 and no current evidence of active exploitation or public proof-of-concept code, this represents a moderate risk primarily to Samsung device users performing data migrations.
A URL redirection vulnerability in Samsung Account allows remote attackers to potentially steal user access tokens through malicious redirect chains. The vulnerability affects Samsung Account versions prior to 15.5.01.1 and requires user interaction to exploit. While not currently in CISA's Known Exploited Vulnerabilities catalog, the issue has a moderate CVSS score of 7.0 and could lead to account takeover if successfully exploited.
Samsung Assistant versions prior to 9.3.10.7 contain an improper export of Android application components vulnerability that allows a local attacker with low privilege access to read sensitive saved information from the application. The vulnerability has a CVSS score of 4.8 with low complexity and no user interaction required, making it a moderate-risk issue affecting users on vulnerable Samsung devices. While no active exploitation or public proof-of-concept is documented at this time, the local attack vector and information disclosure impact warrant timely patching.
ThemeManager prior to the SMR Mar-2026 Release 1 contains an improper privilege management vulnerability that allows local privileged attackers to inappropriately reuse trial contents, potentially circumventing licensing restrictions or trial period limitations. With a CVSS score of 6.7 and requiring high privileges (PR:H) but no user interaction, this vulnerability poses a moderate integrity risk in environments where multiple privileged users share access to ThemeManager systems. No public proof-of-concept or active exploitation has been reported in the CVE record, and this does not appear on CISA's KEV catalog, suggesting limited real-world weaponization at present.
Google's Secure Folder prior to the March 2026 SMR release improperly exports Android application components, enabling local attackers to execute arbitrary activities with Secure Folder privileges. This high-severity vulnerability affects users with local device access and could allow privilege escalation or unauthorized access to protected data. No patch is currently available.
This vulnerability involves improper cryptographic signature verification in the Font Settings component of Samsung devices prior to the March 2026 Security Update Release 1. A physical attacker can bypass signature validation to install custom fonts, potentially leading to integrity compromise of system font resources. While the CVSS score is moderate at 5.1, the attack requires physical access and user interaction, limiting real-world exploitation frequency.
A broadcast receiver in Android Settings fails to properly verify intents prior to the March 2026 Security Maintenance Release 1, allowing a local attacker with limited privileges to launch arbitrary activities with Settings-level permissions. The vulnerability requires user interaction to trigger and carries a CVSS 4.0 score of 6.8, reflecting high confidentiality and integrity impact. No public exploit or KEV designation is currently documented, but the local attack vector and privilege escalation potential warrant prompt patching.
An out-of-bounds memory access (OOB) in p2r3 Bareiron commit 8e4d40 allows unauthenticated attackers to access sensitive information and cause a Denial of Service (DoS) via supplying a crafted packet.
Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c).
An information disclosure vulnerability in Serviio PRO 1.8 and earlier versions allows unauthenticated remote attackers to retrieve sensitive configuration data through the Configuration REST API due to missing authentication controls. Multiple public exploits are available, with proof-of-concept code published on Exploit-DB and PacketStorm, making this vulnerability easily exploitable by attackers with no special privileges or user interaction required.
CVE-2026-28521 is an out-of-bounds memory read vulnerability in the TuyaIoT component of arduino-TuyaOpen library versions prior to 1.2.1, affecting IoT devices using Tuya's cloud platform. An attacker who compromises or controls the Tuya cloud service can send malformed DP (data point) events to trigger memory disclosure or denial-of-service conditions. While rated CVSS 7.7, the exploitation requires local access according to the vector, creating some contradiction with the cloud-based attack scenario described.
User enumeration vulnerability in ZKTeco ZKBioSecurity 3.0 that allows unauthenticated attackers to discover valid usernames through partial character submissions to the authentication endpoint. A public proof-of-concept exploit is available, making this vulnerability actively exploitable, though it has a notably high CVSS score of 9.8 that appears inflated given the actual impact is limited to information disclosure.
Privilege escalation vulnerability in ZKTeco ZKAccess Professional 3.5.3 (Build 0005) where authenticated users can modify executable files due to insecure permissions, allowing them to replace binaries with malicious code and gain elevated privileges. Multiple public exploits are available (exploit-db, PacketStorm) making this a high-risk vulnerability for organizations using this access control software, despite no current KEV listing or EPSS data.
A buffer overflow vulnerability in A flaw (CVSS 6.1) that allows an attacker. Remediation should follow standard vulnerability management procedures.
Heap-based buffer overflow (out-of-bounds read) in GNU Binutils' BFD linker component that affects RHEL 6, 7, 8, and 10, as well as multiple Debian and Ubuntu releases. An attacker can exploit this vulnerability by distributing a malicious XCOFF object file, which when processed by a user, may disclose sensitive information from process memory or crash the application. While the CVSS score of 6.1 indicates medium severity with user interaction required, the vulnerability impacts widely-deployed enterprise Linux distributions across Red Hat, Debian, and Ubuntu ecosystems.
PX4 Autopilot versions prior to 1.17.0-rc1 contain a heap-use-after-free vulnerability in the MavlinkShell::available() function caused by a race condition between the MAVLink receiver and telemetry sender threads. Remote attackers can trigger this vulnerability by sending crafted SERIAL_CONTROL messages (ID 126) via MAVLink, leading to denial of service of the flight control system. The vulnerability affects drone operators and systems accepting MAVLink telemetry from untrusted ground stations or networks.
Host header injection vulnerability in Pigeon (a message board/blog system) versions prior to 1.0.201 that allows attackers to manipulate email verification URLs, potentially leading to account takeover. The vulnerability has a high CVSS score of 8.2 but requires user interaction (clicking a malicious link), and there is no indication of active exploitation in the wild or inclusion in CISA KEV.
Cleanuparr versions 2.7.0 through 2.8.0 contain a timing-based username enumeration vulnerability in the /api/auth/login endpoint that allows unauthenticated remote attackers to discover valid usernames by analyzing response time differences. The flaw stems from password verification logic that performs expensive cryptographic hashing only after validating username existence, creating a measurable timing side-channel. This vulnerability is fixed in version 2.8.1 and presents a moderate information disclosure risk with a CVSS score of 6.9, though exploitation requires no special privileges or user interaction.
telnet in GNU inetutils through 2.7 allows servers to read arbitrary environment variables from clients via NEW_ENVIRON SEND USERVAR.
A Cross-Site Scripting (XSS) vulnerability in Angular's runtime and compiler allows attackers to bypass built-in sanitization when internationalization (i18n) is enabled on security-sensitive attributes like href, src, and action. The vulnerability affects Angular versions before 19.2.20, 20.3.18, 21.2.4, and 22.0.0-next.3, enabling attackers with low privileges to execute arbitrary JavaScript in users' browsers for session hijacking, data theft, and unauthorized actions. With a CVSS score of 8.6 and no current evidence of active exploitation or public POCs, this represents a serious but not yet weaponized threat to Angular applications using i18n features with user-controlled data.
SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands against connected PostgreSQL, MySQL, and MSSQL databases through the built-in SQL Agent plugin. The vulnerability stems from unsafe string concatenation of table names in the getTableSchemaSql() method across all three database connectors, bypassing proper parameterization. Any user with access to invoke the SQL Agent can exploit this to read, modify, or delete sensitive database contents.
cpp-httplib versions before 0.37.2 silently disable TLS certificate validation when following HTTPS redirects through a proxy, allowing attackers to intercept encrypted connections without detection. This affects any application using cpp-httplib as an HTTP client with proxy and redirect following enabled. No active exploitation (not in KEV) or public POC has been reported, with low EPSS probability indicating minimal current threat activity.
IceWarp collaboration platform contains an unauthenticated directory traversal vulnerability that allows remote attackers to read sensitive files from the server. The flaw exists in HTTP request handling, enabling access to configuration files, user data, and potentially email contents stored on the server.
Prototype pollution in Apollo Federation before multiple versions.
AnythingLLM versions 1.11.1 and earlier contain an authentication bypass vulnerability on default installations where the application's HTTP endpoints and WebSocket connections lack proper authentication and accept requests from any origin. While rated CVSS 7.1, exploitation is limited to attackers on the same local network due to browser Private Network Access (PNA) protections, making this a medium-priority issue for most deployments.
Critical authentication bypass vulnerability in the simplesamlphp/xml-security library (versions before 2.3.1) that affects XML encryption using AES-GCM modes. Attackers can exploit missing authentication tag validation to brute-force decryption keys, decrypt sensitive XML data, and forge arbitrary ciphertexts without knowing encryption keys. No active exploitation detected (not in KEV), but the high CVSS score (8.2) and network-based attack vector make this a priority for organizations using affected SAML/XML security implementations.
OneUptime versions prior to 10.0.24 contain a sensitive information exposure vulnerability where the password reset flow logs complete password reset URLs containing plaintext reset tokens at the INFO log level, which is enabled by default in production environments. Any actor with access to application logs-including log aggregation systems, Docker logs, or Kubernetes pod logs-can extract these tokens and perform account takeover on any user. The vulnerability is fixed in version 10.0.24.
PyJWT versions before 2.12.0 fail to validate the 'crit' (Critical) header parameter in JSON Web Signatures (JWS), accepting tokens with unrecognized critical extensions instead of rejecting them as required by RFC 7515. This allows attackers to potentially bypass security mechanisms by injecting malicious critical extensions that the library ignores, leading to integrity compromise. With an EPSS score of only 0.01% and no KEV listing, this represents a low real-world exploitation risk despite the high CVSS score.
A critical unrestricted file upload vulnerability in Admidio's Documents & Files module allows authenticated users with upload permissions to bypass file extension restrictions by submitting an invalid CSRF token, enabling upload of PHP scripts that lead to Remote Code Execution. The vulnerability affects Admidio versions prior to the patch and has a published proof-of-concept demonstrating webshell upload and command execution. With a CVSS score of 8.8 and detailed exploitation steps available, this represents a high-priority risk for organizations using Admidio for document management.
ZwickRoell Test Data Management versions prior to 3.0.8 contain a local file inclusion (LFI) vulnerability in the /server/node_upgrade_srv.js endpoint.
Mattermost 10.11.x through 10.11.10 fails to clear cached permalink preview data when a user's channel access is revoked, allowing authenticated users to view private channel content through previously cached previews until the cache expires or they re-login. An authenticated attacker who previously had access to a private channel can exploit this to maintain visibility into sensitive channel communications after access removal. A patch is not currently available for this medium-severity vulnerability.
A security vulnerability in Chamilo LMS (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
CVE-2026-29516 is a security vulnerability (CVSS 4.9) that allows authenticated attackers. Remediation should follow standard vulnerability management procedures.
File upload validation bypass in applications using MIME parameter injection allows authenticated attackers to upload malicious files by appending parameters like `;charset=utf-8` to the Content-Type header, bypassing extension filters and default blocklists. This enables stored XSS attacks that can compromise session tokens, credentials, and sensitive browser data accessible to the application's domain. A patch is available that strips MIME parameters during validation and expands the default blocklist.
The DefaultController->actionLoadContainerData() endpoint in the Microsoft plugin permits unauthenticated attackers possessing a valid CSRF token to enumerate accessible storage buckets and extract sensitive data from Azure error messages. This authorization bypass affects users running unpatched versions prior to 2.1.1, exposing cloud storage infrastructure details and potentially sensitive system information through verbose error responses.
Unauthenticated users can view a list of buckets the plugin has access to.
The BucketsController endpoint in this plugin suffers from an information disclosure vulnerability where unauthenticated attackers possessing a valid CSRF token can enumerate the list of accessible buckets. This exposure allows reconnaissance of cloud storage resources available to the plugin without requiring authentication. Update to version 2.2.5 to resolve this issue.
Remote code execution in Craft CMS allows authenticated administrators with control panel access to execute arbitrary code by exploiting an incomplete patch that left the same vulnerable gadget chain pattern in multiple controllers. The vulnerability requires administrative privileges and the allowAdminChanges setting to be enabled, limiting exposure to trusted users with elevated access. Craft CMS versions before 4.17.5 and 5.9.11 are affected and should be patched immediately.
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
A credential disclosure vulnerability exists in Glances monitoring tool when running in Central Browser mode with autodiscovery enabled. The vulnerability allows attackers on the same local network to steal reusable authentication credentials by advertising fake Glances services via Zeroconf, as the application trusts untrusted service names for password lookups instead of using verified IP addresses. A working proof-of-concept is included in the advisory, and the issue has a CVSS score of 8.1 indicating high severity.
The Glances system monitoring tool exposes reusable authentication credentials for downstream servers through an unauthenticated API endpoint when running in Central Browser mode without password protection. This vulnerability allows any network attacker to retrieve pbkdf2-hashed passwords that can be replayed to access protected Glances servers across an entire monitored fleet. A proof-of-concept is included in the advisory demonstrating credential extraction from the /api/4/serverslist endpoint.
A critical CORS misconfiguration in the Glances system monitoring tool's REST API allows any website to steal sensitive system information from users who visit a malicious page while having access to a Glances instance. The vulnerability affects all versions prior to 4.5.2 and enables cross-origin theft of system stats, configuration secrets, database passwords, API keys, and command-line arguments. A proof-of-concept is publicly available, though no active exploitation has been reported yet.
A critical authentication bypass vulnerability exists in Tenda AC8 router firmware version 16.03.50.11 where the IPv6 handler function check_is_ipv6 relies on IP address for authentication, allowing remote attackers to gain unauthorized access. The vulnerability has a publicly available proof-of-concept exploit on GitHub and scores 9.8 CVSS, enabling complete compromise of the affected device with no authentication required. While not currently listed in CISA KEV, the combination of public exploit availability and ease of exploitation makes this a high-priority vulnerability for organizations using affected Tenda routers.
A critical information disclosure vulnerability in Glances system monitoring tool allows unauthenticated remote attackers to access sensitive configuration data including password hashes, SNMP community strings, and authentication keys through unprotected API endpoints. The vulnerability affects Glances versions prior to 4.5.2 when running in web server mode without password protection (the default configuration), and a proof-of-concept demonstrating the attack is publicly available. While not currently in CISA's Known Exploited Vulnerabilities catalog, the issue has a high CVSS score of 7.5 due to the ease of exploitation and severity of exposed secrets.
A critical physical access vulnerability in IncusOS allows attackers to bypass LUKS disk encryption without breaking Secure Boot or modifying the kernel. The vulnerability affects all IncusOS versions through mkosi prior to version 202603142010 and enables attackers with physical access to extract encryption keys by substituting the encrypted root partition with their own malicious partition. This vulnerability has been patched and a proof-of-concept attack methodology has been publicly documented.
Glances web server exposes its REST API without authentication by default when started with the -w flag, allowing unauthenticated remote attackers to access sensitive system information including process details that may contain credentials such as passwords and API keys. The vulnerability affects Python and Docker deployments where Glances is exposed to untrusted networks due to the server binding to 0.0.0.0 with authentication disabled by default. A patch is available to address this configuration vulnerability.
ONNX's hub.load() function can be bypassed to load untrusted models without user confirmation when the silent parameter is enabled, allowing attackers to potentially deliver malicious models to applications that suppress security warnings. The vulnerability stems from improper logic in the repository trust verification mechanism that prioritizes the silent flag over security checks. This affects Python-based systems using ONNX and could lead to unauthorized code execution through model loading.
A remote code execution vulnerability in CityData CityChat (CVSS 2.5). Risk factors: public PoC available.
A remote code execution vulnerability in Albert Sağlık Hizmetleri ve Ticaret Albert Health (CVSS 2.5). Risk factors: public PoC available.
CVE-2026-21386 is a security vulnerability (CVSS 4.3) that allows an authenticated team member. Remediation should follow standard vulnerability management procedures.
HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries.
A security vulnerability in HCL AION (CVSS 1.9). Remediation should follow standard vulnerability management procedures.
HCL AION is affected by a vulnerability where internal filesystem paths may be exposed through application responses or system behaviour.
CVE-2026-27448 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
HCL AION is affected by a vulnerability where certain identifiers may be predictable in nature.
A security vulnerability in A security flaw (CVSS 2.5). Risk factors: public PoC available.
HCL AION contains inadequate auditing and logging mechanisms that fail to properly track certain user actions, reducing the traceability of user activities and potentially compromising monitoring, accountability, and incident investigation capabilities. The vulnerability affects AION 2.0 and is classified as an Information Disclosure issue with a CVSS score of 5.8. An attacker with local access and low privileges could exploit this to perform actions without adequate logging, hindering forensic analysis and compliance audit trails.
A security vulnerability in HCL AION (CVSS 4.7). Remediation should follow standard vulnerability management procedures.
Improper access control in D-Link DIR-823G 1.0.2B05's goahead component allows unauthenticated remote attackers to manipulate multiple configuration functions including firewall, network, and security settings. The vulnerability affects a wide range of device management functions and has been publicly disclosed with no patch currently available. Affected organizations should implement network segmentation and access controls to limit exposure to this remotely exploitable flaw.
A arbitrary file access vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
A vulnerability was found in Lagom WHMCS Template up to 2.3.7.
A security vulnerability in HCL AION (CVSS 4.8). Remediation should follow standard vulnerability management procedures.
HCL AION contains a container base image authentication vulnerability where container images are not properly verified before deployment, potentially allowing attackers to execute untrusted or malicious container images within the AION environment. This affects AION 2.0 and could enable attackers with local access and high privileges to compromise system integrity and availability. No public evidence of active exploitation or POC availability has been identified in the provided intelligence sources.
HCL AION contains a SQL injection or improper query validation vulnerability that allows authenticated local users with low privileges to execute potentially harmful SQL queries against the database. The vulnerability affects certain offering configurations and could lead to limited information disclosure, data modification, or denial of service under specific conditions. With a CVSS score of 4.5 and local attack vector requirement, this represents a moderate-risk vulnerability primarily exploitable by insider threats or compromised local accounts.
Mattermost fails to properly validate User-Agent header tokens in versions 11.3.0 and earlier, 11.2.2 and earlier, and 10.11.10 and earlier, allowing authenticated attackers to trigger request panics through specially crafted User-Agent headers. This denial-of-service vulnerability affects availability but requires prior authentication and results in only low-severity impact. While the CVSS score of 4.3 reflects the low severity, the practical risk depends on whether the application is exposed to untrusted authenticated users and whether automatic exploitation tools are readily available.
Mattermost versions 11.3.x up to and including 11.3.0 contain an information disclosure vulnerability where burn-on-read posts fail to maintain their redacted state when deleted, allowing authenticated channel members to view previously hidden message contents through WebSocket post deletion events. The vulnerability requires low-privilege authenticated access and results in confidentiality loss of sensitive communications that were intentionally designed to be self-destructing. With a CVSS score of 4.3 and network-based attack vector, this represents a meaningful but contained risk primarily affecting organizations relying on Mattermost's burn-on-read feature for secure internal communications.
Raytha CMS lacks brute force protection mechanisms, allowing attackers to conduct unlimited automated login attempts without triggering account lockout, rate limiting, or multi-factor authentication challenges. Versions prior to 1.4.6 are affected, and an attacker can systematically enumerate valid usernames and crack passwords through high-volume credential stuffing attacks. The vulnerability represents a significant authentication bypass risk that could lead to unauthorized administrative access depending on password strength and user enumeration feasibility.
Raytha CMS contains a user enumeration vulnerability in its password reset functionality where differing error messages reveal whether a login exists in the system, enabling attackers to build valid user lists for targeted brute force attacks. This vulnerability affects Raytha CMS versions prior to 1.5.0. The moderate CVSS score of 6.9 reflects the information disclosure risk, though real-world impact depends on how attackers chain this enumeration with other attacks.
A host header injection vulnerability in Raytha CMS allows attackers to hijack password reset tokens by spoofing X-Forwarded-Host or Host headers, leading to account takeover. The vulnerability affects all versions prior to 1.4.6 and requires only that the attacker knows the victim's email address to initiate the attack chain. With a CVSS 7.5 score and requiring user interaction, this represents a significant authentication bypass risk for organizations using the affected CMS versions.
Mattermost fails to properly sanitize client-supplied post metadata in its post update API endpoint, allowing authenticated attackers to spoof permalink embeds and impersonate other users through crafted PUT requests. The vulnerability affects Mattermost versions 11.3.0 and earlier, 11.2.2 and earlier, and 10.11.10 and earlier. While the CVSS score of 4.3 is moderate and requires authentication, the integrity impact allows attackers to deceive users by falsely attributing messages to legitimate users, potentially facilitating social engineering or misinformation campaigns within Mattermost instances.
A sensitive information disclosure vulnerability in Mattermost Plugins versions 2.0.3.0 and earlier fails to properly mask sensitive configuration values in support packets, allowing attackers with high privileges to extract original plugin settings from exported configuration data. The vulnerability requires authenticated access with high privileges (CVSS 7.6) and enables attackers to obtain sensitive configuration data that should be masked, potentially exposing API keys, credentials, or other sensitive plugin configurations. No active exploitation or proof-of-concept has been reported, and the vulnerability requires significant access privileges to exploit.
Insufficient Session Expiration in Truesec's LAPSWebUI before version 2.4 allows local attackers with user-level privileges to obtain local administrator passwords through inadequate session management controls. An attacker with physical or logical access to a workstation can exploit this vulnerability to escalate privileges and disclose sensitive credentials, potentially compromising domain administration. This vulnerability represents a practical privilege escalation risk in environments relying on LAPS (Local Administrator Password Solution) for credential management.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Wakyma veterinary web application at the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento', allowing authenticated users with low privileges to inject malicious scripts that persist in the application and execute in the browsers of other users, potentially enabling unauthorized data access and privilege escalation across the veterinary team. The vulnerability has a CVSS v4.0 base score of 4.8 (low-to-medium severity) but poses meaningful organizational risk due to its stored nature and the ability for low-privileged users to affect higher-privileged team members. No public exploit code or active exploitation in the wild has been reported at this time, though the attack requires only Network access and user interaction, making it feasible for insider threats.
Path traversal in ThingsGateway 12's /api/file/download endpoint allows authenticated users to read arbitrary files through manipulation of the fileName parameter. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
An Insecure Direct Object Reference (IDOR) vulnerability exists in Campus Educativa at the endpoint '/archivos/usuarios/[ID]/[username]/thumb_AAxAA.jpg' that allows unauthenticated attackers to enumerate and download profile photographs of all users by manipulating URL parameters. Successful exploitation enables mass collection of user photos for identity impersonation, social engineering, facial recognition-based identity linking across platforms, and doxxing attacks. With a CVSS score of 6.9 and no authentication required, this vulnerability poses a moderate-to-significant risk to user privacy and security.
An Insecure Direct Object Reference (IDOR) vulnerability in Campus Educativa allows unauthenticated attackers to access sensitive user data including usernames, full names, email addresses, and phone numbers of all enrolled students by manipulating course IDs in the export endpoint. The vulnerability requires no authentication and can be exploited remotely through simple URL manipulation and brute-force attacks on course IDs. With a CVSS score of 8.7 and network-based attack vector, this represents a critical data exposure risk for educational institutions using Campus Educativa.
An authentication bypass vulnerability in Tinycontrol network devices (tcPDU and LAN Controllers LK3.5, LK3.9, LK4) exposes usernames and encoded passwords for both normal and admin users through unauthenticated HTTP requests to the login page. The vulnerability affects devices running older firmware versions when the secondary authentication mechanism is disabled (default setting), allowing any attacker on the local network to harvest credentials without authentication. With an EPSS score of 0.00043 and no KEV listing, this vulnerability shows low real-world exploitation activity despite its high CVSS score of 8.7.
A privilege escalation vulnerability in Tinycontrol network management devices (tcPDU and LAN Controllers) allows low-privileged users to retrieve administrator passwords by directly accessing resources that are hidden from the graphical interface. The vulnerability affects multiple product lines including tcPDU, LK3.5, LK3.9, and LK4 controllers across various hardware versions, with a high CVSS score of 8.6 indicating significant risk. No evidence of active exploitation exists (not in KEV), no public POC is available, and the EPSS score is not provided, but patches are available for all affected versions.
OpenHarmony versions 5.1.0 and prior contain an improper input validation vulnerability (CWE-20) that allows local attackers with low privileges to trigger a denial of service condition. An authenticated local user can craft malicious input that causes the system to become unresponsive or crash, requiring manual intervention to restore availability. While this vulnerability has a moderate CVSS score of 5.0, the local-only attack vector and requirement for user interaction limit widespread exploitation risk.
OpenHarmony v5.0.3 and prior versions contain an improper input validation vulnerability (CWE-20) that allows a local attacker with limited privileges to read sensitive information from the system. The vulnerability carries a CVSS score of 3.3 with low attack complexity and requires local access and low privileges, indicating a confined risk profile suitable only for restricted exploitation scenarios. While the CVSS vector does not indicate active exploitation or widespread POC availability based on the provided data, the information disclosure impact warrants attention in environments where local privilege escalation chains may amplify the risk.
OpenHarmony versions 5.0.3 and earlier contain an information disclosure vulnerability caused by use of uninitialized resources, allowing local attackers to leak sensitive case-sensitive data. The vulnerability affects OpenHarmony deployments across all product lines up to v5.0.3.x (per EUVD-2025-208673). An attacker with local access and standard user privileges can read uninitialized memory regions to obtain confidential information without requiring user interaction, though there is no indication of active exploitation in public KEV databases at this time.
This vulnerability is a memory leak in OpenHarmony v6.0 and prior versions that allows a local, low-privileged attacker to trigger a denial-of-service condition by preventing proper memory release during runtime operations. An authenticated local user without special privileges can exhaust system memory through repeated triggering of the affected code path, causing application or system instability. The low CVSS score of 3.3 reflects the limited scope (local access only, no confidentiality or integrity impact), but the underlying memory management flaw (CWE-401: Missing Release of Memory) is a classic stability threat in systems software.
A critical integer underflow vulnerability in libexif library versions up to 0.6.25 allows attackers to cause buffer overflows when processing malformed EXIF MakerNotes data in image files. This vulnerability can lead to arbitrary code execution or information disclosure when a victim opens a maliciously crafted image file containing specially crafted EXIF metadata. While not currently listed in CISA KEV or showing high EPSS scores, the vulnerability has a published fix and affects a widely-used image metadata processing library.
Mumble before version 1.6.870 contains an out-of-bounds array access vulnerability (CWE-125) that allows remote attackers to crash the client application, resulting in denial of service. The vulnerability requires network access but no authentication or user interaction, affecting all users of vulnerable Mumble client versions. While the CVSS score of 3.7 is relatively low and only impacts availability with no confidentiality or integrity compromise, this vulnerability poses a practical risk to voice communication availability in production deployments.
A local information disclosure vulnerability exists in myAEDES App versions up to 1.18.4 on Android, stemming from improper handling of the AUTH_KEY argument in the EngageBayUtils.java component. An authenticated local attacker with high complexity can manipulate this parameter to disclose sensitive information, though the attack requires local device access and significant technical effort. A public proof-of-concept exploit is now available, and the vendor has not responded to early disclosure attempts.
A key management error exists in the XREAL Nebula App (Android) up to version 3.2.1, specifically in the CloudStoragePlugin.java component where accessKey, secretAccessKey, and securityToken arguments are improperly handled. An attacker with local access and moderate privileges can manipulate these credentials to bypass authentication controls, resulting in unauthorized information disclosure. A proof-of-concept has been publicly disclosed, though the vulnerability requires high complexity to exploit and the vendor has not responded to early notification.
Hard-coded credentials exist in the i-SENS SmartLog Android application (versions up to 2.6.8) within a developer mode function used for Bluetooth pairing configuration between blood glucose meters and the mobile app. An attacker with local access and low privileges can exploit this to obtain credentials, potentially compromising the integrity and confidentiality of health data. A public proof-of-concept is available, though the CVSS 5.3 score and local-only attack vector limit immediate widespread exploitation risk.
Galaxy Store prior to version 4.6.03.8 contains an improper cryptographic signature verification vulnerability that allows a local attacker to install arbitrary applications without proper authorization. An attacker with physical or local access to a device can bypass the signature validation mechanism, enabling installation of malicious or unauthorized apps. While the CVSS score of 5.9 is moderate, the integrity impact is high, making this a meaningful threat to device security and app ecosystem integrity.
A cryptographic downgrade vulnerability in Samsung Smart Switch allows remote attackers to force the application to use weak authentication schemes during device-to-device transfers. The vulnerability affects Smart Switch versions prior to 3.7.69.15 and requires user interaction to exploit, potentially exposing sensitive data during the transfer process between Samsung devices. With a CVSS 4.0 score of 7.1 and no current evidence of active exploitation or public proof-of-concept code, this represents a moderate risk primarily to Samsung device users performing data migrations.
A URL redirection vulnerability in Samsung Account allows remote attackers to potentially steal user access tokens through malicious redirect chains. The vulnerability affects Samsung Account versions prior to 15.5.01.1 and requires user interaction to exploit. While not currently in CISA's Known Exploited Vulnerabilities catalog, the issue has a moderate CVSS score of 7.0 and could lead to account takeover if successfully exploited.
Samsung Assistant versions prior to 9.3.10.7 contain an improper export of Android application components vulnerability that allows a local attacker with low privilege access to read sensitive saved information from the application. The vulnerability has a CVSS score of 4.8 with low complexity and no user interaction required, making it a moderate-risk issue affecting users on vulnerable Samsung devices. While no active exploitation or public proof-of-concept is documented at this time, the local attack vector and information disclosure impact warrant timely patching.
ThemeManager prior to the SMR Mar-2026 Release 1 contains an improper privilege management vulnerability that allows local privileged attackers to inappropriately reuse trial contents, potentially circumventing licensing restrictions or trial period limitations. With a CVSS score of 6.7 and requiring high privileges (PR:H) but no user interaction, this vulnerability poses a moderate integrity risk in environments where multiple privileged users share access to ThemeManager systems. No public proof-of-concept or active exploitation has been reported in the CVE record, and this does not appear on CISA's KEV catalog, suggesting limited real-world weaponization at present.
Google's Secure Folder prior to the March 2026 SMR release improperly exports Android application components, enabling local attackers to execute arbitrary activities with Secure Folder privileges. This high-severity vulnerability affects users with local device access and could allow privilege escalation or unauthorized access to protected data. No patch is currently available.
This vulnerability involves improper cryptographic signature verification in the Font Settings component of Samsung devices prior to the March 2026 Security Update Release 1. A physical attacker can bypass signature validation to install custom fonts, potentially leading to integrity compromise of system font resources. While the CVSS score is moderate at 5.1, the attack requires physical access and user interaction, limiting real-world exploitation frequency.
A broadcast receiver in Android Settings fails to properly verify intents prior to the March 2026 Security Maintenance Release 1, allowing a local attacker with limited privileges to launch arbitrary activities with Settings-level permissions. The vulnerability requires user interaction to trigger and carries a CVSS 4.0 score of 6.8, reflecting high confidentiality and integrity impact. No public exploit or KEV designation is currently documented, but the local attack vector and privilege escalation potential warrant prompt patching.
An out-of-bounds memory access (OOB) in p2r3 Bareiron commit 8e4d40 allows unauthenticated attackers to access sensitive information and cause a Denial of Service (DoS) via supplying a crafted packet.
Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c).
An information disclosure vulnerability in Serviio PRO 1.8 and earlier versions allows unauthenticated remote attackers to retrieve sensitive configuration data through the Configuration REST API due to missing authentication controls. Multiple public exploits are available, with proof-of-concept code published on Exploit-DB and PacketStorm, making this vulnerability easily exploitable by attackers with no special privileges or user interaction required.
CVE-2026-28521 is an out-of-bounds memory read vulnerability in the TuyaIoT component of arduino-TuyaOpen library versions prior to 1.2.1, affecting IoT devices using Tuya's cloud platform. An attacker who compromises or controls the Tuya cloud service can send malformed DP (data point) events to trigger memory disclosure or denial-of-service conditions. While rated CVSS 7.7, the exploitation requires local access according to the vector, creating some contradiction with the cloud-based attack scenario described.
User enumeration vulnerability in ZKTeco ZKBioSecurity 3.0 that allows unauthenticated attackers to discover valid usernames through partial character submissions to the authentication endpoint. A public proof-of-concept exploit is available, making this vulnerability actively exploitable, though it has a notably high CVSS score of 9.8 that appears inflated given the actual impact is limited to information disclosure.
Privilege escalation vulnerability in ZKTeco ZKAccess Professional 3.5.3 (Build 0005) where authenticated users can modify executable files due to insecure permissions, allowing them to replace binaries with malicious code and gain elevated privileges. Multiple public exploits are available (exploit-db, PacketStorm) making this a high-risk vulnerability for organizations using this access control software, despite no current KEV listing or EPSS data.
A buffer overflow vulnerability in A flaw (CVSS 6.1) that allows an attacker. Remediation should follow standard vulnerability management procedures.
Heap-based buffer overflow (out-of-bounds read) in GNU Binutils' BFD linker component that affects RHEL 6, 7, 8, and 10, as well as multiple Debian and Ubuntu releases. An attacker can exploit this vulnerability by distributing a malicious XCOFF object file, which when processed by a user, may disclose sensitive information from process memory or crash the application. While the CVSS score of 6.1 indicates medium severity with user interaction required, the vulnerability impacts widely-deployed enterprise Linux distributions across Red Hat, Debian, and Ubuntu ecosystems.
PX4 Autopilot versions prior to 1.17.0-rc1 contain a heap-use-after-free vulnerability in the MavlinkShell::available() function caused by a race condition between the MAVLink receiver and telemetry sender threads. Remote attackers can trigger this vulnerability by sending crafted SERIAL_CONTROL messages (ID 126) via MAVLink, leading to denial of service of the flight control system. The vulnerability affects drone operators and systems accepting MAVLink telemetry from untrusted ground stations or networks.
Host header injection vulnerability in Pigeon (a message board/blog system) versions prior to 1.0.201 that allows attackers to manipulate email verification URLs, potentially leading to account takeover. The vulnerability has a high CVSS score of 8.2 but requires user interaction (clicking a malicious link), and there is no indication of active exploitation in the wild or inclusion in CISA KEV.
Cleanuparr versions 2.7.0 through 2.8.0 contain a timing-based username enumeration vulnerability in the /api/auth/login endpoint that allows unauthenticated remote attackers to discover valid usernames by analyzing response time differences. The flaw stems from password verification logic that performs expensive cryptographic hashing only after validating username existence, creating a measurable timing side-channel. This vulnerability is fixed in version 2.8.1 and presents a moderate information disclosure risk with a CVSS score of 6.9, though exploitation requires no special privileges or user interaction.
telnet in GNU inetutils through 2.7 allows servers to read arbitrary environment variables from clients via NEW_ENVIRON SEND USERVAR.
A Cross-Site Scripting (XSS) vulnerability in Angular's runtime and compiler allows attackers to bypass built-in sanitization when internationalization (i18n) is enabled on security-sensitive attributes like href, src, and action. The vulnerability affects Angular versions before 19.2.20, 20.3.18, 21.2.4, and 22.0.0-next.3, enabling attackers with low privileges to execute arbitrary JavaScript in users' browsers for session hijacking, data theft, and unauthorized actions. With a CVSS score of 8.6 and no current evidence of active exploitation or public POCs, this represents a serious but not yet weaponized threat to Angular applications using i18n features with user-controlled data.
SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands against connected PostgreSQL, MySQL, and MSSQL databases through the built-in SQL Agent plugin. The vulnerability stems from unsafe string concatenation of table names in the getTableSchemaSql() method across all three database connectors, bypassing proper parameterization. Any user with access to invoke the SQL Agent can exploit this to read, modify, or delete sensitive database contents.
cpp-httplib versions before 0.37.2 silently disable TLS certificate validation when following HTTPS redirects through a proxy, allowing attackers to intercept encrypted connections without detection. This affects any application using cpp-httplib as an HTTP client with proxy and redirect following enabled. No active exploitation (not in KEV) or public POC has been reported, with low EPSS probability indicating minimal current threat activity.
IceWarp collaboration platform contains an unauthenticated directory traversal vulnerability that allows remote attackers to read sensitive files from the server. The flaw exists in HTTP request handling, enabling access to configuration files, user data, and potentially email contents stored on the server.
Prototype pollution in Apollo Federation before multiple versions.
AnythingLLM versions 1.11.1 and earlier contain an authentication bypass vulnerability on default installations where the application's HTTP endpoints and WebSocket connections lack proper authentication and accept requests from any origin. While rated CVSS 7.1, exploitation is limited to attackers on the same local network due to browser Private Network Access (PNA) protections, making this a medium-priority issue for most deployments.
Critical authentication bypass vulnerability in the simplesamlphp/xml-security library (versions before 2.3.1) that affects XML encryption using AES-GCM modes. Attackers can exploit missing authentication tag validation to brute-force decryption keys, decrypt sensitive XML data, and forge arbitrary ciphertexts without knowing encryption keys. No active exploitation detected (not in KEV), but the high CVSS score (8.2) and network-based attack vector make this a priority for organizations using affected SAML/XML security implementations.
OneUptime versions prior to 10.0.24 contain a sensitive information exposure vulnerability where the password reset flow logs complete password reset URLs containing plaintext reset tokens at the INFO log level, which is enabled by default in production environments. Any actor with access to application logs-including log aggregation systems, Docker logs, or Kubernetes pod logs-can extract these tokens and perform account takeover on any user. The vulnerability is fixed in version 10.0.24.
PyJWT versions before 2.12.0 fail to validate the 'crit' (Critical) header parameter in JSON Web Signatures (JWS), accepting tokens with unrecognized critical extensions instead of rejecting them as required by RFC 7515. This allows attackers to potentially bypass security mechanisms by injecting malicious critical extensions that the library ignores, leading to integrity compromise. With an EPSS score of only 0.01% and no KEV listing, this represents a low real-world exploitation risk despite the high CVSS score.