Information Disclosure
Monthly
XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photo_id parameter. [CVSS 8.2 HIGH]
Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the poll parameter. [CVSS 8.2 HIGH]
Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows attackers to inject malicious SQL commands through the kelime parameter in POST requests. [CVSS 8.2 HIGH]
Unauthorized SSH credential extraction affects systems where low-privileged users can access stored authentication material, enabling account compromise without administrative access. The network-accessible vulnerability requires valid user credentials to exploit but impacts the entire system's security posture by exposing sensitive SSH keys. No patch is currently available to remediate this issue.
Use of a custom token encoding algorithm in Streamsoft Prestiż software allows the value of the KSeF (Krajowy System e-Faktur) token to be guessed after analyzing how tokens with know values are encoded. This issue was fixed in version 20.0.380.92.
A vulnerability was identified in OpenClaw versions up to 2026.2.17. is affected by information exposure (CVSS 3.3).
A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
Improper authorization in SourceCodester Web-based Pharmacy Product Management System 1.0's add_admin.php allows authenticated remote attackers to gain unauthorized access or modify system data with low complexity. The vulnerability affects confidentiality, integrity, and availability of the affected application. No patch is currently available.
An Incorrect Permission Assignment vulnerability exists in the ASUS Business System Control Interface driver.
AutohomeCorp's frostmourne application (version 1.0 and earlier) allows attackers to inject malicious code through the EXPRESSION parameter in the ExpressionRule.java component, which uses Oracle's Nashorn JavaScript engine without proper input validation. This vulnerability affects users of frostmourne and can be exploited remotely by unauthenticated attackers to execute arbitrary code on affected systems. The vendor has not responded to disclosure attempts, leaving users vulnerable to potential system compromise.
Medium severity vulnerability in See description. A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.20.2 is able to address...
Medium severity vulnerability in HashiCorp Consul. HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.
Incorrect security UI in PictureInPicture in Google Chrome versions up to 146.0.7680.71 is affected by user interface (ui) misrepresentation of critical information (CVSS 4.3).
Incorrect security UI in Downloads in Google Chrome on Android versions up to 146.0.7680.71 contains a security vulnerability.
Incorrect security UI in WebAppInstalls in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Side-channel information leakage in ResourceTiming in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability (CVSS 3.1).
Insufficient policy enforcement in Extensions in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Incorrect security UI in PictureInPicture in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Out of bounds read in V8 in Google Chrome versions up to 146.0.7680.71 is affected by out-of-bounds read (CVSS 8.8).
Incorrect security UI in LookalikeChecks in Google Chrome on Android versions up to 146.0.7680.71 is affected by user interface (ui) misrepresentation of critical information (CVSS 4.3).
Out of bounds memory access in WebML in Google Chrome versions up to 146.0.7680.71 is affected by out-of-bounds read (CVSS 8.8).
Sandbox escape via Web Speech in Chrome before 146.0.7680.71. Patch available.
ZITADEL is an open source identity management platform. versions up to 3.4.8 is affected by insufficient session expiration (CVSS 7.4).
ZITADEL is an open source identity management platform. From 2.68.0 to versions up to 3.4.8 contains a security vulnerability (CVSS 7.5).
OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure. I validated this on OliveTin 3000.10.2. The issue is in the live event streaming path. EventStream() only checks whether the caller may access the dashboard, then registers the user as a stream subscriber: - service/internal/api/api.go:776 After subscription, execution events are broadcast to all connected clients without checking whether each recipient is authorized to view logs for the action: - service/internal/api/api.go:846 OnExecutionStarted - service/internal/api/api.go:869 OnExecutionFinished - service/internal/api/api.go:1047 OnOutputChunk The event payload includes action output through: - service/internal/api/api.go:295 internalLogEntryToPb - service/internal/api/api.go:302 Output By contrast, the normal log APIs do apply per-action authorization checks: - service/internal/api/api.go:518 GetLogs - service/internal/api/api.go:585 GetActionLogs - service/internal/api/api.go:544 isLogEntryAllowed Root cause: - the subscription path enforces only coarse dashboard access - execution callbacks broadcast to every connected client - no per-recipient ACL check is applied before sending action metadata or output I validated the issue using: - an admin user with full ACLs - an alice user with no ACLs - a protected action that outputs TOPSECRET=alpha-bravo-charlie Despite having no relevant ACLs, alice still receives the ExecutionFinished event for the privileged action, including the protected output. Tested version: ``` - 3000.10.2 ``` 1. Fetch and check out 3000.10.2 in a clean worktree: ```bash git -C OliveTin fetch origin tag 3000.10.2 git -C OliveTin worktree add /home/kali/CVE/OliveTin-3000.10.2 3000.10.2 ``` 2. Copy the PoC test into the clean tree: ```bash cp OliveTin/service/internal/api/event_stream_leak_test.go \ OliveTin-3000.10.2/service/internal/api/ ``` 3. Run the targeted PoC test: ```bash cd OliveTin-3000.10.2/service go test ./internal/api -run TestEventStreamLeaksUnauthorizedExecutionOutput -count=1 -timeout 30s -v ``` 4. Optional: save validation output: ```bash go test ./internal/api -run TestEventStreamLeaksUnauthorizedExecutionOutput -count=1 -timeout 30s -v \ 2>&1 | tee /tmp/olivetin_eventstream_3000.10.2.log ``` Observed validation output: ```bash === RUN TestEventStreamLeaksUnauthorizedExecutionOutput time="2026-03-01T04:44:59-05:00" level=info msg="Action requested" actionTitle=secret-action tags="[]" time="2026-03-01T04:44:59-05:00" level=info msg="Action parse args - Before" actionTitle=secret-action cmd="echo 'TOPSECRET=alpha-bravo-charlie'" time="2026-03-01T04:44:59-05:00" level=info msg="Action parse args - After" actionTitle=secret-action cmd="echo 'TOPSECRET=alpha-bravo-charlie'" time="2026-03-01T04:44:59-05:00" level=info msg="Action started" actionTitle=secret-action timeout=1 time="2026-03-01T04:44:59-05:00" level=info msg="Action finished" actionTitle=secret-action exit=0 outputLength=30 timedOut=false --- PASS: TestEventStreamLeaksUnauthorizedExecutionOutput (0.00s) PASS ok github.com/OliveTin/OliveTin/internal/api 0.025s ``` What this proves: - admin can execute the protected action - alice has no ACLs - alice still receives the streamed completion event for the protected action - protected action output is exposed through the event stream This is an authenticated broken access control / information disclosure vulnerability. A low-privileged authenticated user can subscribe to EventStream and receive: - action execution metadata - execution tracking IDs - initiating username - live output chunks - final command output Who is impacted: - multi-user OliveTin deployments - environments where privileged actions produce secrets, tokens, internal system details, or other sensitive operational output - deployments where lower-privileged authenticated users can access the dashboard and subscribe to live events This bypasses intended per-action log/view restrictions for protected actions.
LenovoProductivitySystemAddin in Lenovo Vantage and Baiying contains an input validation flaw that enables local authenticated users to terminate arbitrary processes with elevated privileges. This medium-severity vulnerability (CVSS 6.8) requires local access and valid credentials but poses a significant availability risk. No patch is currently available.
Lenovo Vantage and Baiying DeviceSettingsSystemAddin contain an input validation flaw that allows authenticated local users to delete arbitrary registry keys with elevated privileges. This vulnerability affects systems where users have local access and could enable attackers to modify system configuration or disable security controls. No patch is currently available.
Lenovo Vantage and Baiying DeviceSettingsSystemAddin contains an input validation flaw that allows authenticated local users to modify arbitrary registry keys with system-level privileges. This vulnerability could enable privilege escalation or system configuration tampering by an attacker with local access. No patch is currently available.
Hardcoded password in ThermaKube Kubernetes monitoring.
An attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or `$regex`), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both `protectedFields` configured in Class-Level Permissions and LiveQuery enabled. The fix adds validation of the LiveQuery subscription WHERE clause against the class's protected fields, mirroring the existing REST API validation. If a subscription's WHERE clause references a protected field directly, via dot-notation, or inside `$or` / `$and` / `$nor` operators, the subscription is rejected with a permission error. This is applied during subscription creation, so existing event delivery paths are not affected. Disable LiveQuery for classes that use `protectedFields` in their Class-Level Permissions, or remove `protectedFields` from classes that require LiveQuery. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-j7mm-f4rv-6q6q - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.9 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.35
Shescape versions prior to 2.1.10 fail to properly escape square-bracket glob patterns in Bash, BusyBox sh, and Dash, allowing attackers to manipulate shell arguments into multiple filesystem expansions instead of literal strings. Applications using the library's escape() function are vulnerable to argument injection attacks where an attacker-controlled value like "secret[12]" could expand to match multiple files, bypassing intended pathname restrictions. No patch is currently available for affected deployments.
Parse Server versions before 8.6.34 and 9.6.0-alpha.8 leak user registration status through differential error responses on the email verification endpoint, enabling attackers to enumerate valid email addresses in the system when email verification is enabled. Deployments with verifyUserEmails set to true are vulnerable to this user enumeration attack, which allows an attacker to systematically identify registered accounts by analyzing response codes from the /verificationEmailRequest endpoint. No patch is currently available for affected installations.
SQL injection in WeGIA before 3.6.6.
WeGIA 3.6.5 allows unauthenticated remote attackers to read arbitrary files on the server through symlink traversal in backup database extraction functionality. When processing tar.gz archives, the application fails to validate whether extracted members are symbolic links before reading their contents, enabling an attacker to access sensitive files like database credentials or configuration data. No patch is currently available for this vulnerability.
Dell Alienware Command Center (AWCC), versions prior to 6.12.24.0, contain an Improper Certificate Validation vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. [CVSS 2.5 LOW]
Shopware's Store API login endpoint (POST /store-api/account/login) leaks information about registered customer accounts by returning distinct error messages and echoing email addresses based on whether credentials belong to known users, enabling unauthenticated attackers to enumerate valid customer accounts. The vulnerability affects versions prior to 6.7.8.1 and 6.6.10.15, while the storefront login controller properly mitigates this issue, indicating inconsistent security controls. No patch is currently available.
IntelBras Telefone IP TIP200 and 200 LITE contain an unauthenticated arbitrary file read vulnerability in the dumpConfigFile function accessible via the cgiServer.exx endpoint. [CVSS 7.5 HIGH]
Parse Server's TOTP-based multi-factor authentication fails to invalidate recovery codes after use, allowing an attacker with a single recovery code to authenticate repeatedly as an affected user. This vulnerability impacts Parse Server deployments prior to versions 9.6.0-alpha.7 and 8.6.33, where recovery codes intended as single-use fallback mechanisms can be exploited indefinitely to bypass MFA protections. No patch is currently available for affected versions.
An information disclosure vulnerability in Palo Alto Networks Cortex XDR® Broker VM allows an authenticated user to obtain and modify sensitive information by triggering live terminal session via Cortex UI and modifying any configuration setting.
Improper access control in the Discover Splunk Observability Cloud app allows low-privileged users without admin or power roles to retrieve Observability Cloud API access tokens in Splunk Enterprise versions below 10.2.1/10.0.4 and Splunk Cloud Platform versions below 10.2.2510.5/10.1.2507.16/10.0.2503.12. An attacker with low-level credentials could leverage this to obtain API tokens for unauthorized access to Observability Cloud resources. No patch is currently available.
Improper access control in Splunk Enterprise and Cloud Platform versions below specified thresholds allows low-privileged users without admin or power roles to extract sensitive information from job search logs through the MongoClient logging channel. Affected versions include Enterprise 10.2.1, 10.0.4, 9.4.9, and 9.3.10, as well as corresponding Cloud Platform releases. No patch is currently available for this medium-severity vulnerability.
Splunk Enterprise and Cloud Platform versions below specified thresholds fail to properly restrict access to the passwords configuration API endpoint, allowing low-privileged users without admin or power roles to retrieve hashed or plaintext credential values from passwords.conf. This information disclosure vulnerability could enable attackers to obtain sensitive authentication credentials for further system compromise. No patch is currently available.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 versions up to 18.7.6 contains a security vulnerability (CVSS 5.0).
NanoMQ MQTT Broker versions 0.24.6 and earlier are vulnerable to an out-of-bounds read in the MQTT v5 Variable Byte Integer parser, which lacks proper bounds validation when processing 5-byte varints. Remote unauthenticated attackers can trigger a denial of service by sending malformed MQTT packets that crash the broker. No patch is currently available for this vulnerability.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.6 versions up to 18.7.6 contains a security vulnerability (CVSS 4.3).
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 1.0 versions up to 18.7.6 is affected by use of incorrectly-resolved name or reference (CVSS 4.1).
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 versions up to 18.7.6 contains a security vulnerability (CVSS 4.3).
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.5 versions up to 18.7.6 is affected by improper encoding or escaping of output (CVSS 2.2).
curl's HTTP proxy connection reuse mechanism fails to validate credential changes, allowing an attacker to intercept or manipulate traffic by leveraging an existing proxy connection established with different authentication. This affects users whose applications reuse proxy connections across requests with varying credentials, enabling credential confusion attacks. Public exploit code exists for this vulnerability, though a patch is available.
libcurl incorrectly reuses authenticated connections when processing Negotiate authentication requests, allowing an attacker with valid credentials to access resources authenticated under different user accounts. An authenticated attacker can exploit this connection pooling logic error to bypass authentication checks by reusing an existing connection that was authenticated with different credentials. This affects libcurl implementations using Negotiate authentication where multiple users access the same server.
An improper certificate validation vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to compromise the security of the system.
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. [CVSS 2.7 LOW]
The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 exposes sensitive form data and settings through an unauthenticated URL parameter that regenerates JSON files, allowing attackers to download administrator email addresses and other configuration details. This vulnerability affects WordPress installations using the vulnerable plugin versions when admin notifications are enabled. No patch is currently available for this medium-severity information disclosure.
Time-of-check time-of-use race condition in the UEFI PdaSmm module for some Intel(R) reference platforms may allow an information disclosure. System software adversary with a privileged user combined with a high complexity attack may enable data exposure.
Exposure of resource to wrong sphere in the UEFI PdaSmm module for some Intel(R) reference platforms may allow an information disclosure. System software adversary with a privileged user combined with a high complexity attack may enable data exposure.
Improper buffer restrictions in the UEFI DXE module for some Intel(R) Reference Platforms within UEFI may allow an information disclosure. System software adversary with a privileged user combined with a high complexity attack may enable data exposure.
Istio versions prior to 1.29.1, 1.28.5, and 1.27.8 fall back to hardcoded default JWKS values when the resolver becomes unavailable or fails to fetch, potentially allowing attackers to bypass authentication controls configured via RequestAuthentication policies. This flaw exposes sensitive information and could enable unauthorized access to microservices when JWKS endpoints are unreachable. No patch is currently available for affected deployments.
Sigstore-ruby versions before 0.2.3 fail to properly validate artifact digests when verifying DSSE bundles with in-toto attestations, causing the library to incorrectly return successful verification even when the artifact does not match the attested subject. This allows attackers to bypass cryptographic verification controls and accept mismatched or tampered artifacts as valid. Organizations using sigstore-ruby for supply chain verification should upgrade to version 0.2.3 immediately, though no patch is currently available for other affected projects.
Alienbin is an anonymous code and text sharing web service. In 1.0.0 and earlier, the /save endpoint in server.js drops and recreates the MongoDB TTL index on the entire post collection for every new paste submission.
In VPU, there is a possible use-after-free read due to a race condition. This could lead to local information disclosure with no additional execution privileges needed. [CVSS 2.9 LOW]
Android versions up to - contains a vulnerability that allows attackers to physical information disclosure with no additional execution privileges needed (CVSS 2.1).
Improper register protection in the PowerVR GPU on Android devices enables local attackers to read sensitive information without requiring special privileges or user interaction. This memory disclosure vulnerability affects Android systems and cannot currently be patched, leaving devices vulnerable to information leakage through direct GPU register access.
Microsoft Authenticator contains an information disclosure vulnerability that allows local attackers to access sensitive data without requiring elevated privileges or user interaction beyond standard operation. The vulnerability stems from improper categorization of security controls, enabling unauthorized disclosure of confidential information on affected systems. No patch is currently available for this issue.
Giflib's image processing functions are vulnerable to denial of service through a double-free memory corruption flaw triggered during shallow copy operations in GifMakeSavedImage with improper error handling. Local attackers with crafted image files can crash applications using affected Giflib versions, though exploitation requires specific and difficult-to-achieve conditions. No patch is currently available.
If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generated with a format that can be automatically recognized for articles, such that an automated script is able to solve this anti-spam mechanism trivially and publish spam comments. [CVSS 5.3 MEDIUM]
Aspera Orchestrator versions up to 4.1.2 contains a vulnerability that allows attackers to information disclosure if unauthorized parties have access to the URLs via serve (CVSS 5.9).
Code execution in Adobe Premiere Pro 25.5 and earlier via out-of-bounds read when processing malicious media files. An attacker can achieve arbitrary code execution within the user's security context by crafting a specially formatted file that triggers a memory read past allocated buffer boundaries. Exploitation requires the victim to open the malicious file, and no patch is currently available.
Out-of-bounds memory read in Substance 3D Painter 11.1.2 and earlier allows attackers to expose sensitive data from application memory. Exploitation requires a user to open a malicious file, making this a local attack vector dependent on social engineering. No patch is currently available for this vulnerability.
Out-of-bounds memory read in Substance 3D Painter 11.1.2 and earlier enables attackers to leak sensitive data from application memory when a user opens a specially crafted file. This local vulnerability requires user interaction but poses a meaningful confidentiality risk to designers and artists using affected versions. No patch is currently available.
Memory disclosure in Substance 3D Painter 11.1.2 and earlier allows attackers to read sensitive data from process memory through an out-of-bounds read vulnerability. Exploitation requires user interaction, as victims must open a specially crafted malicious file. No patch is currently available for this vulnerability.
iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by out-of-bounds read (CVSS 6.1).
iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by out-of-bounds read (CVSS 5.5).
iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by out-of-bounds read (CVSS 5.5).
iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by out-of-bounds read (CVSS 5.5).
iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by out-of-bounds read (CVSS 6.1).
OneUptime prior to 10.0.21 has a third authorization bypass enabling low-privileged users to access admin functions.
FileBrowser versions prior to 1.3.1-beta and 1.2.2-stable leak authentication tokens through the /public/api/share/info endpoint, allowing unauthenticated attackers to bypass password protections on shared files. The vulnerability stems from an incomplete fix to CVE-2026-27611 and enables token disclosure that could facilitate unauthorized file access. No patch is currently available for affected installations.
Glances is an open-source system cross-platform monitoring tool. versions up to 4.5.1 is affected by information exposure.
SINEC Security Monitor versions before 4.9.0 expose sensitive metadata including contributor information and email addresses on the SSM Server, allowing authenticated attackers to obtain confidential data. The vulnerability requires valid credentials to exploit and poses a low-severity information disclosure risk with no availability or integrity impact.
Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network. [CVSS 7.5 HIGH]
Privilege escalation in SQL Server 2016-2025 stems from insufficient input validation, enabling authenticated network attackers to gain elevated permissions. The high CVSS score of 8.8 reflects complete compromise of confidentiality, integrity, and availability, though no patch is currently available. Organizations running affected SQL Server versions should prioritize access controls and network segmentation until remediation is released.
Arbitrary code execution in Microsoft Office Excel and related products (Office Online Server, 365 Apps) via out-of-bounds memory read allows local attackers to achieve complete system compromise without requiring user interaction or elevated privileges. This high-severity vulnerability affects multiple Microsoft Office components and currently lacks a security patch. An attacker with local access can exploit memory corruption to execute malicious code with full system permissions.
Remote code execution in Microsoft SharePoint Server allows authenticated users to bypass input validation and execute arbitrary code across the network. This high-severity vulnerability (CVSS 8.8) affects authorized attackers who can leverage improper validation controls to achieve full system compromise. No patch is currently available, making immediate mitigation and access controls critical for affected organizations.
Fortinet FortiDeceptor versions 4.0 through 6.2.0 are vulnerable to argument injection that allows authenticated super-admin users with CLI access to delete sensitive files through crafted HTTP requests. The vulnerability requires high-level privileges and direct CLI access to exploit, limiting the attack surface to trusted administrators. No patch is currently available for this issue.
Windows Winlogon's failure to properly validate symbolic links before file access enables local privilege escalation on affected Windows Server and Windows 10/11 systems. An authenticated attacker can exploit this vulnerability to gain elevated system privileges without user interaction. No patch is currently available for this high-severity issue affecting multiple Windows versions including Server 2025 and Windows 11 26h1.
Unauthorized disclosure of sensitive information in Windows Accessibility Infrastructure (ATBroker.exe) affects Windows Server 2019, 2025, Windows 10 22h2, and Windows 11 25h2, allowing local authenticated attackers to read confidential data. The vulnerability requires user privileges and local access but poses no risk to system integrity or availability. No patch is currently available for this issue.
Windows Shell Link Processing leaks sensitive information over the network in Windows Server 2012, 2019, and 2022, enabling remote spoofing attacks without authentication or user interaction. An unauthenticated attacker can exploit this information disclosure to conduct spoofing attacks against affected systems. No patch is currently available.
Information disclosure in Windows GDI+ affects Windows 11 (24h2, 25h2) and Windows Server 2012/2016, allowing unauthenticated attackers to read sensitive data remotely through an out-of-bounds memory access vulnerability. The flaw requires no user interaction and can be exploited over the network to compromise confidentiality without modifying system data or availability. No patch is currently available for this high-severity vulnerability.
Microsoft Graphics Component contains an out-of-bounds read vulnerability affecting Windows 10 1607, Windows Server 2019, and 2022, enabling local attackers to read sensitive information from memory. The vulnerability requires user interaction and local access, posing a confidentiality risk without offering a currently available patch. Attack complexity is low, making it a practical concern for systems running affected Office and Windows versions.
Windows Ancillary Function Driver for WinSock in Windows Server 2025, 2022, and Windows 10 1809 contains insufficient input validation that allows authenticated local users to escalate privileges. An attacker with local access and valid credentials can exploit this vulnerability to gain elevated system permissions, though no patch is currently available. This HIGH severity vulnerability affects multiple Windows Server and client versions with no active exploit mitigation path.
XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photo_id parameter. [CVSS 8.2 HIGH]
Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the poll parameter. [CVSS 8.2 HIGH]
Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows attackers to inject malicious SQL commands through the kelime parameter in POST requests. [CVSS 8.2 HIGH]
Unauthorized SSH credential extraction affects systems where low-privileged users can access stored authentication material, enabling account compromise without administrative access. The network-accessible vulnerability requires valid user credentials to exploit but impacts the entire system's security posture by exposing sensitive SSH keys. No patch is currently available to remediate this issue.
Use of a custom token encoding algorithm in Streamsoft Prestiż software allows the value of the KSeF (Krajowy System e-Faktur) token to be guessed after analyzing how tokens with know values are encoded. This issue was fixed in version 20.0.380.92.
A vulnerability was identified in OpenClaw versions up to 2026.2.17. is affected by information exposure (CVSS 3.3).
A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
Improper authorization in SourceCodester Web-based Pharmacy Product Management System 1.0's add_admin.php allows authenticated remote attackers to gain unauthorized access or modify system data with low complexity. The vulnerability affects confidentiality, integrity, and availability of the affected application. No patch is currently available.
An Incorrect Permission Assignment vulnerability exists in the ASUS Business System Control Interface driver.
AutohomeCorp's frostmourne application (version 1.0 and earlier) allows attackers to inject malicious code through the EXPRESSION parameter in the ExpressionRule.java component, which uses Oracle's Nashorn JavaScript engine without proper input validation. This vulnerability affects users of frostmourne and can be exploited remotely by unauthenticated attackers to execute arbitrary code on affected systems. The vendor has not responded to disclosure attempts, leaving users vulnerable to potential system compromise.
Medium severity vulnerability in See description. A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.20.2 is able to address...
Medium severity vulnerability in HashiCorp Consul. HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.
Incorrect security UI in PictureInPicture in Google Chrome versions up to 146.0.7680.71 is affected by user interface (ui) misrepresentation of critical information (CVSS 4.3).
Incorrect security UI in Downloads in Google Chrome on Android versions up to 146.0.7680.71 contains a security vulnerability.
Incorrect security UI in WebAppInstalls in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Side-channel information leakage in ResourceTiming in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability (CVSS 3.1).
Insufficient policy enforcement in Extensions in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Incorrect security UI in PictureInPicture in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Out of bounds read in V8 in Google Chrome versions up to 146.0.7680.71 is affected by out-of-bounds read (CVSS 8.8).
Incorrect security UI in LookalikeChecks in Google Chrome on Android versions up to 146.0.7680.71 is affected by user interface (ui) misrepresentation of critical information (CVSS 4.3).
Out of bounds memory access in WebML in Google Chrome versions up to 146.0.7680.71 is affected by out-of-bounds read (CVSS 8.8).
Sandbox escape via Web Speech in Chrome before 146.0.7680.71. Patch available.
ZITADEL is an open source identity management platform. versions up to 3.4.8 is affected by insufficient session expiration (CVSS 7.4).
ZITADEL is an open source identity management platform. From 2.68.0 to versions up to 3.4.8 contains a security vulnerability (CVSS 7.5).
OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure. I validated this on OliveTin 3000.10.2. The issue is in the live event streaming path. EventStream() only checks whether the caller may access the dashboard, then registers the user as a stream subscriber: - service/internal/api/api.go:776 After subscription, execution events are broadcast to all connected clients without checking whether each recipient is authorized to view logs for the action: - service/internal/api/api.go:846 OnExecutionStarted - service/internal/api/api.go:869 OnExecutionFinished - service/internal/api/api.go:1047 OnOutputChunk The event payload includes action output through: - service/internal/api/api.go:295 internalLogEntryToPb - service/internal/api/api.go:302 Output By contrast, the normal log APIs do apply per-action authorization checks: - service/internal/api/api.go:518 GetLogs - service/internal/api/api.go:585 GetActionLogs - service/internal/api/api.go:544 isLogEntryAllowed Root cause: - the subscription path enforces only coarse dashboard access - execution callbacks broadcast to every connected client - no per-recipient ACL check is applied before sending action metadata or output I validated the issue using: - an admin user with full ACLs - an alice user with no ACLs - a protected action that outputs TOPSECRET=alpha-bravo-charlie Despite having no relevant ACLs, alice still receives the ExecutionFinished event for the privileged action, including the protected output. Tested version: ``` - 3000.10.2 ``` 1. Fetch and check out 3000.10.2 in a clean worktree: ```bash git -C OliveTin fetch origin tag 3000.10.2 git -C OliveTin worktree add /home/kali/CVE/OliveTin-3000.10.2 3000.10.2 ``` 2. Copy the PoC test into the clean tree: ```bash cp OliveTin/service/internal/api/event_stream_leak_test.go \ OliveTin-3000.10.2/service/internal/api/ ``` 3. Run the targeted PoC test: ```bash cd OliveTin-3000.10.2/service go test ./internal/api -run TestEventStreamLeaksUnauthorizedExecutionOutput -count=1 -timeout 30s -v ``` 4. Optional: save validation output: ```bash go test ./internal/api -run TestEventStreamLeaksUnauthorizedExecutionOutput -count=1 -timeout 30s -v \ 2>&1 | tee /tmp/olivetin_eventstream_3000.10.2.log ``` Observed validation output: ```bash === RUN TestEventStreamLeaksUnauthorizedExecutionOutput time="2026-03-01T04:44:59-05:00" level=info msg="Action requested" actionTitle=secret-action tags="[]" time="2026-03-01T04:44:59-05:00" level=info msg="Action parse args - Before" actionTitle=secret-action cmd="echo 'TOPSECRET=alpha-bravo-charlie'" time="2026-03-01T04:44:59-05:00" level=info msg="Action parse args - After" actionTitle=secret-action cmd="echo 'TOPSECRET=alpha-bravo-charlie'" time="2026-03-01T04:44:59-05:00" level=info msg="Action started" actionTitle=secret-action timeout=1 time="2026-03-01T04:44:59-05:00" level=info msg="Action finished" actionTitle=secret-action exit=0 outputLength=30 timedOut=false --- PASS: TestEventStreamLeaksUnauthorizedExecutionOutput (0.00s) PASS ok github.com/OliveTin/OliveTin/internal/api 0.025s ``` What this proves: - admin can execute the protected action - alice has no ACLs - alice still receives the streamed completion event for the protected action - protected action output is exposed through the event stream This is an authenticated broken access control / information disclosure vulnerability. A low-privileged authenticated user can subscribe to EventStream and receive: - action execution metadata - execution tracking IDs - initiating username - live output chunks - final command output Who is impacted: - multi-user OliveTin deployments - environments where privileged actions produce secrets, tokens, internal system details, or other sensitive operational output - deployments where lower-privileged authenticated users can access the dashboard and subscribe to live events This bypasses intended per-action log/view restrictions for protected actions.
LenovoProductivitySystemAddin in Lenovo Vantage and Baiying contains an input validation flaw that enables local authenticated users to terminate arbitrary processes with elevated privileges. This medium-severity vulnerability (CVSS 6.8) requires local access and valid credentials but poses a significant availability risk. No patch is currently available.
Lenovo Vantage and Baiying DeviceSettingsSystemAddin contain an input validation flaw that allows authenticated local users to delete arbitrary registry keys with elevated privileges. This vulnerability affects systems where users have local access and could enable attackers to modify system configuration or disable security controls. No patch is currently available.
Lenovo Vantage and Baiying DeviceSettingsSystemAddin contains an input validation flaw that allows authenticated local users to modify arbitrary registry keys with system-level privileges. This vulnerability could enable privilege escalation or system configuration tampering by an attacker with local access. No patch is currently available.
Hardcoded password in ThermaKube Kubernetes monitoring.
An attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or `$regex`), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both `protectedFields` configured in Class-Level Permissions and LiveQuery enabled. The fix adds validation of the LiveQuery subscription WHERE clause against the class's protected fields, mirroring the existing REST API validation. If a subscription's WHERE clause references a protected field directly, via dot-notation, or inside `$or` / `$and` / `$nor` operators, the subscription is rejected with a permission error. This is applied during subscription creation, so existing event delivery paths are not affected. Disable LiveQuery for classes that use `protectedFields` in their Class-Level Permissions, or remove `protectedFields` from classes that require LiveQuery. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-j7mm-f4rv-6q6q - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.9 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.35
Shescape versions prior to 2.1.10 fail to properly escape square-bracket glob patterns in Bash, BusyBox sh, and Dash, allowing attackers to manipulate shell arguments into multiple filesystem expansions instead of literal strings. Applications using the library's escape() function are vulnerable to argument injection attacks where an attacker-controlled value like "secret[12]" could expand to match multiple files, bypassing intended pathname restrictions. No patch is currently available for affected deployments.
Parse Server versions before 8.6.34 and 9.6.0-alpha.8 leak user registration status through differential error responses on the email verification endpoint, enabling attackers to enumerate valid email addresses in the system when email verification is enabled. Deployments with verifyUserEmails set to true are vulnerable to this user enumeration attack, which allows an attacker to systematically identify registered accounts by analyzing response codes from the /verificationEmailRequest endpoint. No patch is currently available for affected installations.
SQL injection in WeGIA before 3.6.6.
WeGIA 3.6.5 allows unauthenticated remote attackers to read arbitrary files on the server through symlink traversal in backup database extraction functionality. When processing tar.gz archives, the application fails to validate whether extracted members are symbolic links before reading their contents, enabling an attacker to access sensitive files like database credentials or configuration data. No patch is currently available for this vulnerability.
Dell Alienware Command Center (AWCC), versions prior to 6.12.24.0, contain an Improper Certificate Validation vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. [CVSS 2.5 LOW]
Shopware's Store API login endpoint (POST /store-api/account/login) leaks information about registered customer accounts by returning distinct error messages and echoing email addresses based on whether credentials belong to known users, enabling unauthenticated attackers to enumerate valid customer accounts. The vulnerability affects versions prior to 6.7.8.1 and 6.6.10.15, while the storefront login controller properly mitigates this issue, indicating inconsistent security controls. No patch is currently available.
IntelBras Telefone IP TIP200 and 200 LITE contain an unauthenticated arbitrary file read vulnerability in the dumpConfigFile function accessible via the cgiServer.exx endpoint. [CVSS 7.5 HIGH]
Parse Server's TOTP-based multi-factor authentication fails to invalidate recovery codes after use, allowing an attacker with a single recovery code to authenticate repeatedly as an affected user. This vulnerability impacts Parse Server deployments prior to versions 9.6.0-alpha.7 and 8.6.33, where recovery codes intended as single-use fallback mechanisms can be exploited indefinitely to bypass MFA protections. No patch is currently available for affected versions.
An information disclosure vulnerability in Palo Alto Networks Cortex XDR® Broker VM allows an authenticated user to obtain and modify sensitive information by triggering live terminal session via Cortex UI and modifying any configuration setting.
Improper access control in the Discover Splunk Observability Cloud app allows low-privileged users without admin or power roles to retrieve Observability Cloud API access tokens in Splunk Enterprise versions below 10.2.1/10.0.4 and Splunk Cloud Platform versions below 10.2.2510.5/10.1.2507.16/10.0.2503.12. An attacker with low-level credentials could leverage this to obtain API tokens for unauthorized access to Observability Cloud resources. No patch is currently available.
Improper access control in Splunk Enterprise and Cloud Platform versions below specified thresholds allows low-privileged users without admin or power roles to extract sensitive information from job search logs through the MongoClient logging channel. Affected versions include Enterprise 10.2.1, 10.0.4, 9.4.9, and 9.3.10, as well as corresponding Cloud Platform releases. No patch is currently available for this medium-severity vulnerability.
Splunk Enterprise and Cloud Platform versions below specified thresholds fail to properly restrict access to the passwords configuration API endpoint, allowing low-privileged users without admin or power roles to retrieve hashed or plaintext credential values from passwords.conf. This information disclosure vulnerability could enable attackers to obtain sensitive authentication credentials for further system compromise. No patch is currently available.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 versions up to 18.7.6 contains a security vulnerability (CVSS 5.0).
NanoMQ MQTT Broker versions 0.24.6 and earlier are vulnerable to an out-of-bounds read in the MQTT v5 Variable Byte Integer parser, which lacks proper bounds validation when processing 5-byte varints. Remote unauthenticated attackers can trigger a denial of service by sending malformed MQTT packets that crash the broker. No patch is currently available for this vulnerability.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.6 versions up to 18.7.6 contains a security vulnerability (CVSS 4.3).
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 1.0 versions up to 18.7.6 is affected by use of incorrectly-resolved name or reference (CVSS 4.1).
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 versions up to 18.7.6 contains a security vulnerability (CVSS 4.3).
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.5 versions up to 18.7.6 is affected by improper encoding or escaping of output (CVSS 2.2).
curl's HTTP proxy connection reuse mechanism fails to validate credential changes, allowing an attacker to intercept or manipulate traffic by leveraging an existing proxy connection established with different authentication. This affects users whose applications reuse proxy connections across requests with varying credentials, enabling credential confusion attacks. Public exploit code exists for this vulnerability, though a patch is available.
libcurl incorrectly reuses authenticated connections when processing Negotiate authentication requests, allowing an attacker with valid credentials to access resources authenticated under different user accounts. An authenticated attacker can exploit this connection pooling logic error to bypass authentication checks by reusing an existing connection that was authenticated with different credentials. This affects libcurl implementations using Negotiate authentication where multiple users access the same server.
An improper certificate validation vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to compromise the security of the system.
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. [CVSS 2.7 LOW]
The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 exposes sensitive form data and settings through an unauthenticated URL parameter that regenerates JSON files, allowing attackers to download administrator email addresses and other configuration details. This vulnerability affects WordPress installations using the vulnerable plugin versions when admin notifications are enabled. No patch is currently available for this medium-severity information disclosure.
Time-of-check time-of-use race condition in the UEFI PdaSmm module for some Intel(R) reference platforms may allow an information disclosure. System software adversary with a privileged user combined with a high complexity attack may enable data exposure.
Exposure of resource to wrong sphere in the UEFI PdaSmm module for some Intel(R) reference platforms may allow an information disclosure. System software adversary with a privileged user combined with a high complexity attack may enable data exposure.
Improper buffer restrictions in the UEFI DXE module for some Intel(R) Reference Platforms within UEFI may allow an information disclosure. System software adversary with a privileged user combined with a high complexity attack may enable data exposure.
Istio versions prior to 1.29.1, 1.28.5, and 1.27.8 fall back to hardcoded default JWKS values when the resolver becomes unavailable or fails to fetch, potentially allowing attackers to bypass authentication controls configured via RequestAuthentication policies. This flaw exposes sensitive information and could enable unauthorized access to microservices when JWKS endpoints are unreachable. No patch is currently available for affected deployments.
Sigstore-ruby versions before 0.2.3 fail to properly validate artifact digests when verifying DSSE bundles with in-toto attestations, causing the library to incorrectly return successful verification even when the artifact does not match the attested subject. This allows attackers to bypass cryptographic verification controls and accept mismatched or tampered artifacts as valid. Organizations using sigstore-ruby for supply chain verification should upgrade to version 0.2.3 immediately, though no patch is currently available for other affected projects.
Alienbin is an anonymous code and text sharing web service. In 1.0.0 and earlier, the /save endpoint in server.js drops and recreates the MongoDB TTL index on the entire post collection for every new paste submission.
In VPU, there is a possible use-after-free read due to a race condition. This could lead to local information disclosure with no additional execution privileges needed. [CVSS 2.9 LOW]
Android versions up to - contains a vulnerability that allows attackers to physical information disclosure with no additional execution privileges needed (CVSS 2.1).
Improper register protection in the PowerVR GPU on Android devices enables local attackers to read sensitive information without requiring special privileges or user interaction. This memory disclosure vulnerability affects Android systems and cannot currently be patched, leaving devices vulnerable to information leakage through direct GPU register access.
Microsoft Authenticator contains an information disclosure vulnerability that allows local attackers to access sensitive data without requiring elevated privileges or user interaction beyond standard operation. The vulnerability stems from improper categorization of security controls, enabling unauthorized disclosure of confidential information on affected systems. No patch is currently available for this issue.
Giflib's image processing functions are vulnerable to denial of service through a double-free memory corruption flaw triggered during shallow copy operations in GifMakeSavedImage with improper error handling. Local attackers with crafted image files can crash applications using affected Giflib versions, though exploitation requires specific and difficult-to-achieve conditions. No patch is currently available.
If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generated with a format that can be automatically recognized for articles, such that an automated script is able to solve this anti-spam mechanism trivially and publish spam comments. [CVSS 5.3 MEDIUM]
Aspera Orchestrator versions up to 4.1.2 contains a vulnerability that allows attackers to information disclosure if unauthorized parties have access to the URLs via serve (CVSS 5.9).
Code execution in Adobe Premiere Pro 25.5 and earlier via out-of-bounds read when processing malicious media files. An attacker can achieve arbitrary code execution within the user's security context by crafting a specially formatted file that triggers a memory read past allocated buffer boundaries. Exploitation requires the victim to open the malicious file, and no patch is currently available.
Out-of-bounds memory read in Substance 3D Painter 11.1.2 and earlier allows attackers to expose sensitive data from application memory. Exploitation requires a user to open a malicious file, making this a local attack vector dependent on social engineering. No patch is currently available for this vulnerability.
Out-of-bounds memory read in Substance 3D Painter 11.1.2 and earlier enables attackers to leak sensitive data from application memory when a user opens a specially crafted file. This local vulnerability requires user interaction but poses a meaningful confidentiality risk to designers and artists using affected versions. No patch is currently available.
Memory disclosure in Substance 3D Painter 11.1.2 and earlier allows attackers to read sensitive data from process memory through an out-of-bounds read vulnerability. Exploitation requires user interaction, as victims must open a specially crafted malicious file. No patch is currently available for this vulnerability.
iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by out-of-bounds read (CVSS 6.1).
iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by out-of-bounds read (CVSS 5.5).
iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by out-of-bounds read (CVSS 5.5).
iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by out-of-bounds read (CVSS 5.5).
iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by out-of-bounds read (CVSS 6.1).
OneUptime prior to 10.0.21 has a third authorization bypass enabling low-privileged users to access admin functions.
FileBrowser versions prior to 1.3.1-beta and 1.2.2-stable leak authentication tokens through the /public/api/share/info endpoint, allowing unauthenticated attackers to bypass password protections on shared files. The vulnerability stems from an incomplete fix to CVE-2026-27611 and enables token disclosure that could facilitate unauthorized file access. No patch is currently available for affected installations.
Glances is an open-source system cross-platform monitoring tool. versions up to 4.5.1 is affected by information exposure.
SINEC Security Monitor versions before 4.9.0 expose sensitive metadata including contributor information and email addresses on the SSM Server, allowing authenticated attackers to obtain confidential data. The vulnerability requires valid credentials to exploit and poses a low-severity information disclosure risk with no availability or integrity impact.
Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network. [CVSS 7.5 HIGH]
Privilege escalation in SQL Server 2016-2025 stems from insufficient input validation, enabling authenticated network attackers to gain elevated permissions. The high CVSS score of 8.8 reflects complete compromise of confidentiality, integrity, and availability, though no patch is currently available. Organizations running affected SQL Server versions should prioritize access controls and network segmentation until remediation is released.
Arbitrary code execution in Microsoft Office Excel and related products (Office Online Server, 365 Apps) via out-of-bounds memory read allows local attackers to achieve complete system compromise without requiring user interaction or elevated privileges. This high-severity vulnerability affects multiple Microsoft Office components and currently lacks a security patch. An attacker with local access can exploit memory corruption to execute malicious code with full system permissions.
Remote code execution in Microsoft SharePoint Server allows authenticated users to bypass input validation and execute arbitrary code across the network. This high-severity vulnerability (CVSS 8.8) affects authorized attackers who can leverage improper validation controls to achieve full system compromise. No patch is currently available, making immediate mitigation and access controls critical for affected organizations.
Fortinet FortiDeceptor versions 4.0 through 6.2.0 are vulnerable to argument injection that allows authenticated super-admin users with CLI access to delete sensitive files through crafted HTTP requests. The vulnerability requires high-level privileges and direct CLI access to exploit, limiting the attack surface to trusted administrators. No patch is currently available for this issue.
Windows Winlogon's failure to properly validate symbolic links before file access enables local privilege escalation on affected Windows Server and Windows 10/11 systems. An authenticated attacker can exploit this vulnerability to gain elevated system privileges without user interaction. No patch is currently available for this high-severity issue affecting multiple Windows versions including Server 2025 and Windows 11 26h1.
Unauthorized disclosure of sensitive information in Windows Accessibility Infrastructure (ATBroker.exe) affects Windows Server 2019, 2025, Windows 10 22h2, and Windows 11 25h2, allowing local authenticated attackers to read confidential data. The vulnerability requires user privileges and local access but poses no risk to system integrity or availability. No patch is currently available for this issue.
Windows Shell Link Processing leaks sensitive information over the network in Windows Server 2012, 2019, and 2022, enabling remote spoofing attacks without authentication or user interaction. An unauthenticated attacker can exploit this information disclosure to conduct spoofing attacks against affected systems. No patch is currently available.
Information disclosure in Windows GDI+ affects Windows 11 (24h2, 25h2) and Windows Server 2012/2016, allowing unauthenticated attackers to read sensitive data remotely through an out-of-bounds memory access vulnerability. The flaw requires no user interaction and can be exploited over the network to compromise confidentiality without modifying system data or availability. No patch is currently available for this high-severity vulnerability.
Microsoft Graphics Component contains an out-of-bounds read vulnerability affecting Windows 10 1607, Windows Server 2019, and 2022, enabling local attackers to read sensitive information from memory. The vulnerability requires user interaction and local access, posing a confidentiality risk without offering a currently available patch. Attack complexity is low, making it a practical concern for systems running affected Office and Windows versions.
Windows Ancillary Function Driver for WinSock in Windows Server 2025, 2022, and Windows 10 1809 contains insufficient input validation that allows authenticated local users to escalate privileges. An attacker with local access and valid credentials can exploit this vulnerability to gain elevated system permissions, though no patch is currently available. This HIGH severity vulnerability affects multiple Windows Server and client versions with no active exploit mitigation path.