Information Disclosure
Monthly
Remote code execution affects NETGEAR gaming routers (XR1000, MR70, MS70, RAXE500) when an attacker holds an on-path man-in-the-middle position between the device and the internet. The CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N) confirms no privileges are needed on the target device but requires both high attack complexity and a specific network prerequisite - the ability to intercept and tamper with upstream traffic. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
OS command injection in NETGEAR JR6150 firmware (all versions ≤ 1.0.1.26) allows locally authenticated or WiFi-connected users to execute arbitrary operating system commands via insufficient input validation (CWE-20). The device reached End-of-Support in 2018 and NETGEAR will not release a patch, leaving all deployments permanently unmitigated. No public exploit code exists and active exploitation has not been confirmed (not listed in CISA KEV), but the perpetual absence of patching makes device replacement the only durable remediation.
Server-side file disclosure in Schneider Electric EcoStruxure IT Data Center Expert v9.1.1 and prior allows authenticated users to read arbitrary files on the underlying host by submitting crafted XML payloads to SOAP service endpoints. The flaw stems from improper restriction of XML External Entity references (CWE-611) in the SOAP API. No public exploit identified at time of analysis, but CISA SSVC marks the issue as automatable with partial technical impact.
Fortinet FortiOS and FortiProxy expose an internal debug interface (CWE-1244) that allows authenticated administrators to execute arbitrary Lua scripts through crafted CLI commands, exceeding their intended administrative scope. The vulnerability spans broad version ranges of both products, including FortiOS 6.4 through 7.6.2 and FortiProxy 7.0 through 7.6.3. While exploitation requires existing high-privilege (admin) access - limiting opportunistic attack surface - the CVSS temporal vector (E:P) confirms a proof-of-concept exploit exists, and the official fix is available (RL:O). No public exploit identified at time of analysis beyond the proof-of-concept, and this vulnerability is not listed in CISA KEV.
Xen Hypervisor's domctl locking mechanism, when XSM/Flask mandatory access control is enabled, acquires the system-wide serialization lock for certain operations before performing any Flask permission checks. This allows a less-privileged guest domain to seize the lock without authorization and stall equally or more privileged entities - including the control domain (dom0) and Xenstore domain - potentially causing a Denial of Service affecting the entire physical host. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Denial of service against Xen host management is possible through deliberate abuse of the unfair domctl system-wide lock, affecting all Xen versions from 3.3 onwards. A less-privileged domain can monopolize the lock used to serialize guest creation and management operations, starving the control domain or equally/more-privileged entities of lock access and potentially rendering the entire host unmanageable. No public exploit identified at time of analysis, and no CVSS score was published with XSA-492.
Unsynchronized traversal of HVM I/O port translation linked lists in the Xen hypervisor on x86 systems exposes a race condition exploitable by a compromised or malicious device model. The hypervisor manages I/O port translations via a linked list modified by the device model through XEN_DOMCTL_ioport_mapping; because traversal of that list during I/O port handling was never synchronized against concurrent modifications, a racing update can corrupt traversal state. The resulting hypervisor crash causes a Denial of Service of the entire host, with privilege escalation and information leakage explicitly acknowledged as non-ruled-out consequences - all without any active CISA KEV listing or public exploit identified at time of analysis.
Partial stack address disclosure in Red Hat 389 Directory Server (versions 11, 12, and 13) allows authenticated remote users to extract memory layout information via crafted LDAP extended operation requests. The root cause is a CWE-843 type confusion in the SSO token extended operation handler, which causes stack pointer data to bleed into LDAP response payloads. While the direct impact is limited to low-confidence information disclosure, leaked stack addresses are a classic ASLR-weakening primitive that could facilitate chained exploitation. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attacker during database import operations. Exploitation requires local system access, high attack complexity, and high privileges (administrator-level), producing only minor confidentiality impact with no integrity or availability consequences. No public exploit identified at time of analysis and no KEV listing; the CVSS score of 1.9 reflects the extremely constrained exploitation conditions, making this a low operational priority absent specific threat model considerations.
Out-of-bounds array access in the Linux kernel's Rockchip RKCIF camera interface driver (drivers/media/platform/rockchip/rkcif) allows a local low-privileged user to trigger memory corruption by reading one element past the end of internal arrays due to off-by-one comparison errors. Affects mainline Linux through 6.19 and is fixed in 7.0.4 and 7.1-rc1; no public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%, 5th percentile).
Privilege escalation via UID confusion in the Linux kernel's 9p filesystem client allows local users mounting 9P2000.L shares with non-default access modes to be silently demoted to the INVALID_UID (nobody/65534) for all fid lookups, breaking root's ability to chown or perform privileged file operations over the mount. Introduced by commit 1f3e4142c0eb during the conversion of 9p to the new mount API, the bug causes v9fs_apply_options() to OR user-supplied access flags onto the default V9FS_ACCESS_CLIENT instead of replacing them. EPSS is 0.02% and the issue is not on CISA KEV; no public exploit identified at time of analysis.
Denial-of-service in the Linux kernel's DAMON (Data Access MONitor) subsystem allows a local low-privileged user to crash the kernel by supplying a non-power-of-two `min_region_sz` value through the DAMON sysfs interface and invoking `damon_start()`. The flaw is an incomplete remediation: commit c80f46ac228b fixed the same class of bug for the `damon_commit_ctx()` code path but left `damon_start()` - reachable via DAMON sysfs - without the `is_power_of_2()` guard. No public exploit exists and EPSS sits at 0.02% (4th percentile), indicating negligible real-world exploitation probability; no CISA KEV listing has been issued.
Memory leak in the Linux kernel's drm/nouveau subsystem exposes systems with NVIDIA GPUs using the open-source nouveau driver to local denial of service. When aperture_remove_conflicting_pci_devices() fails during PCI device probe, the error path bypasses the fail_nvkm cleanup label, permanently leaking both the nvkm_device wrapper and the pci_enable_device() reference taken inside nvkm_device_pci_new(). No public exploit exists and EPSS sits at the 5th percentile (0.02%), confirming negligible exploitation probability; however, patched stable releases are available across multiple kernel branches.
Improper end-of-filesystem boundary handling in the Linux kernel EROFS driver for file-backed mounts causes a denial-of-service condition when I/O requests exceed the filesystem image boundary. Affected kernels spanning multiple stable branches fail to zero-fill out-of-bounds I/O regions as expected (analogous to loopback device behavior), producing undefined kernel behavior that results in availability loss. No public exploit has been identified and EPSS is 0.02% (5th percentile), indicating negligible opportunistic exploitation probability; patches are confirmed available across stable branches 6.12.x, 6.18.x, 6.19.x, and 7.0.
Local privilege/availability impact in the Linux kernel AppArmor subsystem stems from incomplete rlimit handling for POSIX CPU timers, where setting an rlimit through AppArmor policy did not propagate to the POSIX CPU timer machinery. A local low-privileged user operating under an AppArmor-confined profile can leverage the inconsistent limit enforcement to disrupt CPU-time accounting and cause high-impact availability effects on the system. No public exploit identified at time of analysis, and EPSS rates likelihood of exploitation at only 0.02% (7th percentile).
Race condition in the Linux kernel device-mapper (dm) subsystem allows a local privileged user to trigger memory corruption or use-after-free conditions by exploiting a TOCTOU flaw in dm_blk_report_zones, which calls dm_suspended_md without holding required locks. The flaw affects multiple stable kernel branches including 6.12.x, 6.15.x, 6.16, and 6.18.x prior to fixed releases. No public exploit identified at time of analysis, and EPSS scores exploitation probability at 0.02% (5th percentile).
Uninitialized stack memory disclosure in the Linux kernel's iio pressure sensor driver (mprls0025pa) for the Honeywell MPRLS0025PA SPI pressure sensor stems from a spi_transfer struct that was not zeroed before use. Local users on systems with the vulnerable driver loaded may trigger undefined SPI transfer behavior and potentially leak kernel stack contents. There is no public exploit identified at time of analysis, and EPSS rates exploitation likelihood at 0.02% (5th percentile).
Memory corruption in the Linux kernel's RDMA Soft-RoCE (rxe) driver allows incorrect iova-to-virtual-address translation when Memory Region (MR) page sizes differ from the system PAGE_SIZE, leading to access of wrong memory pages during RDMA operations. The flaw affects kernels from 6.3 through pre-6.18.14 / pre-6.19.4 / pre-7.0 patched releases, and a related kernel panic was previously reported by Yi Zhang. EPSS is 0.02% (4th percentile) and no public exploit identified at time of analysis, but a patch is available from upstream.
Local privilege escalation potential exists in the Linux kernel's netfilter nf_tables subsystem where netlink hook unregistration functions failed to use RCU-safe list removal while concurrent dumpers walked the same list. Affected paths are nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks, which previously used non-RCU list_del semantics and could race with readers, leading to memory corruption or use-after-free conditions on systems exposing nftables. No public exploit identified at time of analysis, and EPSS rates real-world exploitation likelihood at 0.02%.
Use-after-free in the Linux kernel's Generic Receive Offload (GRO) networking path allows local attackers to corrupt kernel memory and potentially achieve privilege escalation or denial of service. The flaw stems from skb_gro_receive() merging fragment lists between socket buffers without honoring the SKBFL_MANAGED_FRAG_REFS zero-copy flag, leaving page refcounts inconsistent. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02% (5th percentile).
Memory leak in the Linux kernel's TUN driver (tun_xdp_one) allows a local attacker to exhaust host memory by repeatedly triggering build_skb() allocation failures, leaking one page-frag chunk per failed batch entry. The flaw affects the vhost_net XDP fast-path used by virtual machines and containers; with no public exploit identified at time of analysis and an EPSS score of 0.02% (5th percentile), real-world weaponization risk is low, but sustained leakage on busy virtualization hosts could degrade availability.
Local denial-of-service in the Linux kernel's tun/vhost-net subsystem allows an unprivileged process with access to /dev/net/tun and /dev/vhost-net to leak page-frag chunks on every short frame (length minus virtio-net header below ETH_HLEN) submitted to tun_xdp_one(), eventually exhausting host memory and triggering an OOM panic. The flaw is a missing put_page() on the -EINVAL error path that tun_sendmsg() then masks by reporting success to vhost_tx_batch(). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug is upstream-confirmed with patches in stable trees.
Denial-of-service via memory exhaustion in the Linux kernel's tap/vhost_net XDP path allows adjacent network attackers to leak kernel page-frag memory by sending malformed frames over a tap device. The bug in tap_get_user_xdp() fails to free pages allocated by vhost_net_build_xdp() on the error paths for undersized frames (<ETH_HLEN) and build_skb() allocation failures, with each rejected frame in a batch leaking one page-frag chunk. EPSS is 0.02% and no public exploit identified at time of analysis; not listed in CISA KEV.
Lock resource leak in Linux kernel hugetlbfs subsystem enables local denial of service against systems using huge page memory mappings. Introduced by a faulty commit (ea52cb24cd3f) that incorrectly handled VMA lock allocation during the mmap_prepare stage, the defect allows a failed post-mmap_prepare allocation to leave a VMA lock unreleased, leaking kernel resources. This CVE documents the corrective revert; systems running affected kernel versions (around 6.19 through pre-7.0.12 and pre-7.1-rc6) with hugetlbfs in use are exposed to potential availability impact. No public exploit code exists and EPSS probability is 0.02% (5th percentile), indicating very low real-world exploitation activity.
Gift card secret exposure in pretix event ticketing software allows a highly privileged user who lacks explicit gift card viewing permission to obtain full gift card secret codes by generating a reusable media export. Affected versions span pretix 2024.1.0 through all releases prior to the 2026.5.1 fix, as confirmed by ENISA EUVD-2026-35407. No public exploit exists at time of analysis (CVSS E:U), but successful exploitation undermines organizational permission boundaries and can enable financial fraud against end customers whose gift card balances are exposed.
Use-after-free in the Linux kernel KVM subsystem on arm64 allows a local attacker with the ability to manipulate nested virtualization state to dereference a freed nested_mmus array, with potential scope-crossing impact from guest to host kernel memory. Triggered by a race between kvm_vcpu_init_nested() reallocating the array under config_lock and MMU notifier walkers (kvm_unmap_gfn_range) traversing it under mmu_lock. EPSS is 0.02% and no public exploit identified at time of analysis; not listed in CISA KEV.
Use-after-free in the KVM arm64 vGIC-ITS translation cache allows a malicious guest to corrupt host kernel memory by triggering concurrent cache invalidations that double-drop a single reference. The flaw affects Linux 6.10 and later until the stable backports, has no public exploit identified at time of analysis, and EPSS rates real-world exploitation probability as very low (0.02%, 5th percentile) despite the CVSS 9.3 rating.
Simply Poll 1.4.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the 'pollid' POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Out-of-bounds read in OpenSSL's CMS password-based decryption code (CVE-2026-9076) allows remote attackers to cause denial of service against applications that decrypt attacker-supplied CMS messages. The flaw is fixed in OpenSSL 4.0.1 alongside a batch of other cryptographic vulnerabilities, with no public exploit identified at time of analysis and no CISA KEV listing. Multiple OpenSSL branches (1.0.2, 1.1.1, 3.0, 3.4, 3.5, 3.6, and 4.0.0) require updates per the upstream advisory.
Out-of-bounds read in OpenSSL 4.0.0's `X509_VERIFY_PARAM_set1_email()` function can crash applications performing email-based X.509 certificate verification when processing attacker-influenced email input, resulting in a denial-of-service condition. The vulnerability is scoped to OpenSSL 4.0.0 only and was patched in the June 9, 2026 security release (4.0.1), which bundled fixes for 18 CVEs. No public exploit identified at time of analysis and no CISA KEV listing.
Trust anchor substitution in OpenSSL's CMP rootCaKeyUpdate handler allows a network-positioned attacker with low privileges to bypass certificate validation via a cert/issuer field confusion bug (CWE-295), affecting four actively maintained OpenSSL branches. The high confidentiality impact (C:H) reflects the potential for a substituted malicious trust anchor to undermine TLS certificate chains, enabling downstream interception of protected communications. No public exploit identified at time of analysis; vendor patch released 2026-06-09 across all affected branches.
Heap use-after-free in OpenSSL's PKCS7_verify() function affects multiple supported branches (1.0.2, 1.1.1, 3.0.x, 3.4.x, 3.5.x, 3.6.x, and 4.0.0) and is fixed in OpenSSL 4.0.1. Authenticated remote attackers able to submit crafted PKCS#7 signed data to a vulnerable application can trigger memory corruption leading to high-impact compromise of confidentiality, integrity, and availability per CVSS 8.8. No public exploit identified at time of analysis; EPSS is low (0.12%, 30th percentile) and CISA SSVC reports no observed exploitation, though the flaw is rated automatable with total technical impact.
Pre-NVD disclosure via GitHub release 'OpenSSL 4.0.1' (openssl/openssl). OpenSSL 4.0.1 is a security patch release. The most severe CVE fixed in this release is High. This release incorporates the following bug fixes and mitigations: * Fixed heap use-after-free in `PKCS7_verify()`. ([CVE-2026-45447]) * Fixed CMS `AuthEnvelopedData` processing may accept forged messages. ([CVE-2026-34182]) * Fixed unbounded memory growth in the QUIC `PATH_CHALLENGE` handler. ([CVE-2026-34183]) * Fixed double-free when checking OCSP stapled respo
Denial of service in OpenSSL QUIC implementation allows remote unauthenticated attackers to exhaust server memory by sending crafted PATH_CHALLENGE frames that trigger unbounded memory growth in the QUIC handler. The flaw affects OpenSSL branches 3.4.x, 3.5.x, 3.6.x, and 4.0.0, and is fixed in the 4.0.1 security release alongside numerous other CVEs. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the network-reachable, no-auth nature of QUIC server endpoints makes the issue operationally relevant for TLS/QUIC-facing services.
Denial-of-service in OpenSSL's ASN.1 content parser allows remote unauthenticated attackers to trigger a heap buffer over-read that can crash applications relying on the library for cryptographic parsing. Disclosed via the OpenSSL 4.0.1 security release on 2026-06-09 alongside more than a dozen other fixes, this issue affects every supported branch from 1.0.2 through 3.6 and 4.0. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the broad install base of OpenSSL across servers, clients, and embedded devices makes patching a priority.
Bleichenbacher oracle in OpenSSL's CMS_decrypt() and PKCS7_decrypt() functions exposes RSA-encrypted message content to unauthenticated remote attackers who can submit adaptive chosen-ciphertext queries against multi-RecipientInfo CMS/PKCS7 structures. Four active OpenSSL branches are affected (3.4.x, 3.5.x, 3.6.x, and 4.0.x), with patches released under the coordinated OpenSSL security advisory on 2026-06-09. No public exploit code and no active exploitation have been identified at time of analysis; SSVC rates this non-automatable with partial technical impact, consistent with the attack's high operational complexity.
Incorrect authentication tag processing for empty messages in OpenSSL's AES-GCM-SIV and AES-SIV cipher modes enables network-positioned attackers to bypass integrity guarantees on empty ciphertext, yielding limited confidentiality and integrity violations (CVSS 4.8, CWE-325). Affected branches span OpenSSL 3.0.x through 4.0.0, all patched in the OpenSSL 4.0.1 security release dated 2026-06-09. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Pre-NVD disclosure via GitHub release 'OpenSSL 4.0.1' (openssl/openssl). OpenSSL 4.0.1 is a security patch release. The most severe CVE fixed in this release is High. This release incorporates the following bug fixes and mitigations: * Fixed heap use-after-free in `PKCS7_verify()`. ([CVE-2026-45447]) * Fixed CMS `AuthEnvelopedData` processing may accept forged messages. ([CVE-2026-34182]) * Fixed unbounded memory growth in the QUIC `PATH_CHALLENGE` handler. ([CVE-2026-34183]) * Fixed double-free when checking OCSP stapled respo
FFC-DH peer validation in OpenSSL incorrectly accepts an attacker-supplied `q` (subgroup order) parameter instead of using the locally trusted value, undermining the cryptographic integrity of Diffie-Hellman key exchange. Affected branches span OpenSSL 3.0.x, 3.4.x, 3.5.x, 3.6.x, and 4.0.0, with patched releases issued across all five branches on 2026-06-09. With a CVSS score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) and no confirmed active exploitation or public proof-of-concept, this is a moderate-priority patch item rather than an emergency response trigger - though its broad reach across widely deployed OpenSSL branches warrants timely remediation.
Integrity-check bypass in OpenSSL 3.4.x, 3.5.x, 3.6.x, and 4.0.0 allows PKCS#12 files protected with PBMAC1 to be accepted even when secured by dangerously short HMAC keys, undermining the authentication of the keystore contents. Vendor patches are available in 3.4.6, 3.5.7, 3.6.3, and 4.0.1, and no public exploit identified at time of analysis; EPSS is 0.00% and the issue is not on the CISA KEV list.
Confidentiality break in OpenSSL's AES-OCB implementation stems from the EVP_Cipher() code path ignoring the caller-supplied initialization vector (IV), causing the cipher to operate with a fixed/default IV instead. Affected branches include 3.0.x prior to 3.0.21, 3.4.x prior to 3.4.6, 3.5.x prior to 3.5.7, 3.6.x prior to 3.6.3, and 4.0.0, fixed in OpenSSL 4.0.1 and corresponding maintenance releases. With no public exploit identified at time of analysis and no CISA KEV listing, the issue is rated High (CVSS 7.5) due to high confidentiality impact via network-reachable cryptographic operations.
Local privilege escalation in X-VPN for macOS (website-distributed versions 77.0 through 77.5) allows a low-privileged local attacker to corrupt privileged files by abusing a race condition (TOCTOU) and symlink manipulation in the quarantine and restore workflow. Discovered and reported by Fluid Attacks, the issue is patched by the vendor; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
TYPO3 CMS clipboard functionality exposes unauthorized records and files to authenticated backend users due to missing read permission enforcement. Affected versions span 10.4.0 through 13.4.30 and 14.0.0 through 14.3.2. A low-privileged backend user can insert arbitrary database records or file system objects into their clipboard, causing the application to resolve and expose metadata about resources they are not authorized to view - effectively bypassing access controls on content visibility. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.
Cross-exception-level write access in multiple Arm CPU cores including Cortex-A76 through Cortex-X925, Neoverse N1/N2/V1/V2/V3/V3AE, and C1-Ultra/Premium designs allows a lower-privileged context to modify resources owned by a higher exception level due to a race condition (CWE-362). Tracked also as Xen XSA-493 and EUVD-2025-210084, the issue carries a CVSS of 9.1 reflecting high confidentiality and integrity impact, though there is no public exploit identified at time of analysis and the EPSS score of 0.02% (4th percentile) indicates very low predicted exploitation probability.
Sensitive key material extraction is possible in Siemens SIMATIC WinCC Unified PC Runtime versions V16 through V21 (prior to V21 Update 2) due to insufficient protection in the WinCC Certificate Manager component. A local attacker on an affected HMI/SCADA workstation could harvest cryptographic key material that protects operator certificates, potentially enabling impersonation or downstream attacks against industrial control networks. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Link-following (symlink attack) in Dell iDRAC Tools versions prior to 11.4.1.0 allows a low-privileged local attacker to redirect file operations to unintended targets, resulting in unauthorized modification of files (high integrity impact) and potential availability disruption. Exploitation requires both low-level local access and user interaction, placing this in a constrained attack surface. No public exploit code and no CISA KEV listing have been identified at time of analysis, and no EPSS score was supplied in source data.
Improper certificate revocation checking in S2OPC's CycloneCrypto wrapper permits OPC UA connections authenticated with revoked certificates. The library evaluates only the first Certificate Revocation List (CRL) matching a given CA and silently discards any additional valid CRLs issued by that same CA - meaning a certificate listed exclusively in a secondary CRL passes validation unchallenged. With CVSS 5.6 (AV:N/AC:H/PR:N/UI:N), all published versions of systerel/s2opc are affected per CPE. No public exploit code or CISA KEV listing has been identified at time of analysis.
Server-side file exfiltration in the Slider Revolution WordPress plugin (≤7.0.10) allows any authenticated subscriber to copy arbitrary server files into the publicly accessible uploads directory. Three compounding design flaws enable this: a backend AJAX nonce is leaked to all authenticated users via the admin_footer hook, the image-creation action bypasses administrator-only access controls via an explicit allowlist entry, and the underlying file-copy function accepts local filesystem paths without restriction to HTTP/HTTPS URLs. No public exploit code or active exploitation has been identified at time of analysis, but the low privilege bar (subscriber-level account) and high confidentiality impact make this a meaningful risk for any WordPress site with open user registration.
Stale kernel memory disclosure in the Linux kernel's io_uring IORING_OP_WAITID operation allows a local low-privileged user to read arbitrary bytes from reused io_kiocb command storage via the userspace siginfo output buffer. The io_uring prep path for waitid requests fails to zero-initialize the io_waitid::info result field, meaning that when a wait completes without a child event the kernel copies whatever bytes happen to occupy that slab slot into the caller's siginfo_t. No public exploit has been identified at time of analysis; EPSS at 0.02% (5th percentile) reflects low current exploitation probability.
Use-after-free memory corruption in Huawei HarmonyOS's IPC (Inter-Process Communication) module allows a network-adjacent, low-privilege authenticated attacker to exploit a race condition leading primarily to high-confidence information disclosure with secondary integrity and availability impacts. The CVSS vector (AV:N/AC:H/PR:L/UI:N) confirms remote reachability but demands precise race-condition timing and an authenticated session, materially constraining opportunistic exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis, and Huawei has issued a June 2026 security bulletin addressing the issue.
Unauthorized information disclosure in Apache Answer through 2.0.0 allows authenticated users to bypass access restrictions on the 'unlisted question' feature by querying direct API endpoints. Rather than enforcing the same visibility controls applied at the UI layer, the underlying API routes expose unlisted questions along with their associated answers, comments, and full revision history to any authenticated user. No public exploit code has been identified and this CVE is not listed in CISA KEV, but the straightforward nature of the bypass - direct API calls - lowers the practical bar for exploitation by any platform user.
Integer overflow in the HarmonyOS and EMUI log service enables a local attacker, without requiring system privileges, to cause a denial-of-service condition and limited integrity impact on affected Huawei devices. The vulnerability is rooted in CWE-190 (Integer Overflow or Wraparound) within the log service component, with the CVSS-defined changed scope indicating the fault can affect components beyond the log service itself. No public exploit code and no confirmed active exploitation have been identified at time of analysis.
Permission control failure in the audio framework of Huawei HarmonyOS and EMUI allows a local attacker with no special privileges, but requiring user interaction, to access confidential audio service data with high confidentiality impact alongside minor integrity and availability effects. The vulnerability stems from improper permission enforcement (CWE-275) within the audio subsystem. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the local-attack-vector with user interaction requirement limits mass exploitation.
Permission control bypass in Huawei HarmonyOS and EMUI's call-handling subsystem allows a locally present, unprivileged attacker to circumvent intended access restrictions, resulting in low-level impacts to confidentiality, integrity, and availability. The vulnerability stems from improper business logic governing permission enforcement (CWE-840), meaning the system fails to correctly validate whether a calling entity holds the required permissions before servicing a request. No public exploit code exists and the vulnerability has not been listed in the CISA Known Exploited Vulnerabilities catalog, but the low attack complexity and absence of privilege requirements lower the bar for local abuse.
Denial-of-service in the HarmonyOS browser kernel component allows a remote unauthenticated attacker to degrade availability on affected Huawei devices by luring a user into visiting a malicious page or interacting with crafted content. Exploitation requires user interaction (UI:R per CVSS), limiting opportunistic reach, but the network-accessible attack vector (AV:N) and low complexity (AC:L) make delivery straightforward once a user is socially engineered. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Multipart request smuggling in Spring Framework's MVC and WebFlux components exposes applications to HTTP request manipulation via CWE-444. Unauthenticated remote attackers (AV:N/AC:L/PR:N/UI:N per CVSS) can exploit inconsistent multipart boundary parsing to smuggle malformed HTTP requests, achieving low-integrity impact against affected deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the zero-prerequisite attack profile and broad version coverage across four major Spring branches (5.3.x, 6.1.x, 6.2.x, 7.0.x) make this relevant to any Java shop running Spring MVC or WebFlux with multipart upload handling enabled.
Insufficient permission enforcement in the HarmonyOS file preview module allows a local, unprivileged attacker to access sensitive file contents without authorization. Affecting Huawei HarmonyOS (all versions per CPE wildcard), the flaw is classified as CWE-200 and carries a CVSS 5.5 Medium score, with high confidentiality impact but no integrity or availability exposure. No public exploit identified at time of analysis, and Huawei disclosed this vulnerability via its June 2026 security bulletin.
Permission control failure in the HarmonyOS print module allows a local attacker - without requiring elevated privileges - to compromise system integrity through user-triggered interaction. The vulnerability resides in Huawei's HarmonyOS, disclosed via the June 2026 Huawei Security Bulletin, and carries a CVSS 5.5 (Medium) rating. No public exploit code has been identified at time of analysis, and it does not appear in the CISA KEV catalog, though the high integrity impact warrants attention in enterprise HarmonyOS deployments.
Information disclosure in Spring Framework's static resource resolution affects Spring MVC and WebFlux applications across four active release lines (5.3.x, 6.1.x, 6.2.x, and 7.0.x). Unauthenticated remote attackers exploiting this flaw can access sensitive cached content served through the static resource handling pipeline, achieving high confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis, and the AC:H vector indicates exploitation requires specific conditions beyond default network access.
Predictable WebSocket session IDs in Spring Framework's spring-websocket module allow remote attackers to guess or forge session identifiers and, when paired with weak authorization rules, hijack or interact with other users' WebSocket sessions. The flaw affects Spring Framework 5.3.x, 6.1.x, 6.2.x, and 7.0.x prior to patched releases; no public exploit identified at time of analysis and EPSS is very low (0.03%).
Permission control vulnerability in the HarmonyOS clone module allows a local attacker to read confidential service data, with low confidentiality and availability impact. The flaw stems from improper permission enforcement (CWE-275) during clone operations and requires user interaction to trigger. No public exploit code exists and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis.
Credential leakage in the Reactor Netty HTTP client exposes authentication material when following redirects that cross security boundaries from HTTPS to HTTP. Affected are all four supported release lines: 1.0.x through 1.0.51, 1.1.x through 1.1.35, 1.2.x through 1.2.17, and 1.3.x through 1.3.5. An attacker who controls or can influence a redirect response can cause the client to transmit credentials over an unencrypted channel, where they may be intercepted. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.
Permission management bypass in HarmonyOS's network management module allows a locally present, low-privileged attacker - with user interaction - to read sensitive network data (C:H) and disrupt service availability (A:H) under high-complexity conditions. The CVSS 6.3 Medium score reflects meaningful impact tempered by stringent prerequisites: local access, an authenticated account, required victim interaction, and high attack complexity. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the confidentiality and availability impacts warrant patching per Huawei's June 2026 security bulletin.
Local File Inclusion in the Recover Exit For WooCommerce WordPress plugin (versions up to and including 1.0.3) allows remote unauthenticated attackers to include arbitrary local PHP files via the unsanitized `tpf` POST parameter passed to `include()` in the `recover_exit()` function. Successful exploitation can disclose sensitive files such as `wp-config.php` and, when combined with file upload primitives or log poisoning, escalate to remote code execution. No public exploit identified at time of analysis, though the vulnerable sink is documented in the plugin source on plugins.trac.wordpress.org.
Incorrect privilege assignment in the vsftpd service of TOTOLINK EX200 firmware 4.0.3c.7646 (B20201211) permits remote unauthenticated attackers to perform unauthorized write operations against the device over the network. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special attack preconditions, making this broadly reachable. Publicly available exploit code exists (E:P per CVSS supplemental metrics and confirmed in description); no active exploitation via CISA KEV has been identified at time of analysis.
Dolibarr ERP CRM's Legacy Filemanager component exposes its configuration endpoint without any authorization gate, allowing authenticated users holding only low-level privileges to interact with filemanager functionality reserved for website administrators. Affecting all releases through 23.0.2, the missing permission check in htdocs/core/filemanagerdol/connectors/php/config.inc.php means any valid account - regardless of role - can reach this endpoint. Publicly available exploit code exists (CVSS E:P); no CISA KEV listing is confirmed in the available data.
Email spoofing in the SAP Business Objects Business Intelligence Platform allows authenticated network users to manipulate email sending parameters without sufficient server-side validation, enabling them to craft and dispatch emails with falsified sender or header fields. Affected users require only low-privilege authentication, and exploitation is network-accessible with no additional user interaction required. No public exploit code exists and this vulnerability is not listed in CISA KEV; the CVSS score of 4.3 (Medium) accurately reflects the limited, integrity-only impact scoped to the application.
SAP Business Objects exposes sensitive information through a specific network-accessible endpoint when high-complexity preconditions are met, exploitable by unauthenticated remote attackers. Classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), the flaw carries a CVSS score of 3.7 (Low) with impact limited strictly to partial confidentiality loss - integrity and availability are unaffected. No public exploit has been identified at time of analysis, and no active exploitation has been confirmed.
SAP Fiori Launchpad is vulnerable to malicious URL crafting that triggers arbitrary service calls within the Fiori domain, enabling credential theft from users who interact with the crafted link. Exploitation requires no attacker privileges (PR:N per CVSS) but demands high attack complexity (AC:H) and user interaction (UI:R), meaning adversaries must possess advanced system knowledge and successfully deliver the URL to a victim. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, placing this in the medium-priority tier despite the credential-theft potential.
UI spoofing in Google Chrome's Guest View component prior to 149.0.7827.103 enables a remote unauthenticated attacker to deceive users about page content or origin by delivering a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms exploitation requires no privileges and no special network position, but does require the victim to visit a malicious page. With an EPSS score of 0.05% at the 15th percentile and no CISA KEV listing, real-world exploitation is currently assessed as low probability, though the zero-friction delivery mechanism (a link) keeps the attack surface broad.
Sandbox escape in Google Chrome prior to 149.0.7827.103 allows a remote attacker to break out of the browser's renderer sandbox via a crafted HTML page that exploits insufficient input validation in the UI layer. The scope-changing CVSS 9.6 reflects that successful exploitation crosses the sandbox security boundary, though user interaction (visiting a malicious page) is required. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV, but Google rates the underlying Chromium severity as High.
Uninitialized memory use in the Video component of Google Chrome on Windows (prior to 149.0.7827.103) allows an attacker who has already compromised the renderer process to read potentially sensitive data from process memory by directing the victim to a crafted HTML page. The vulnerability is Windows-specific, rated High severity by Chromium's internal scale, and carries a CVSS 5.3 due to the high attack complexity and required user interaction stacking atop the renderer-compromise prerequisite. No public exploit identified at time of analysis; Google has released a fix in version 149.0.7827.103.
Cross-origin data leakage in Google Chrome's Passwords feature (all versions prior to 149.0.7827.103) can be triggered by a remote unauthenticated attacker delivering a crafted HTML page to a victim. The flaw results from an inappropriate implementation classified under CWE-693 (Protection Mechanism Failure), meaning the browser's same-origin policy enforcement is bypassed specifically within the Passwords subsystem. With a CVSS score of 4.3 and no public exploit or CISA KEV listing identified at time of analysis, this is a medium-severity information disclosure risk requiring user interaction to exploit.
Cross-origin data leakage in Google Chrome's New Tab Page (NTP) component prior to version 149.0.7827.103 enables an unauthenticated remote attacker - who has already achieved renderer process compromise - to exfiltrate cross-origin data via a crafted HTML page. The vulnerability stems from insufficient input validation in the NTP, exploitable only as a second-stage attack chained after a separate renderer exploit. No public exploit code or CISA KEV listing exists at time of analysis, and the CVSS base score of 3.1 (Low) accurately reflects the constrained impact: confidentiality-only, low severity, high attack complexity.
Sandbox-confined arbitrary code execution in Google Chrome on macOS versions prior to 149.0.7827.103 stems from an out-of-bounds read and write in the Media component, exploitable by a remote attacker who has already compromised the renderer process and lures a user to a crafted HTML page. Google rates the Chromium severity as High and has released a patched stable channel update; no public exploit identified at time of analysis, and SSVC reports no observed exploitation.
Cross-origin data leak in Chrome's Dawn (WebGPU) component on macOS affects all versions prior to 149.0.7827.103, allowing a remote attacker who has already compromised the renderer process to exfiltrate cross-origin data via a crafted HTML page. CVSS score of 3.1 (Low) accurately reflects the constrained impact: confidentiality loss only (C:L), no integrity or availability impact, and a hard prerequisite of prior renderer compromise that makes standalone exploitation impossible. No public exploit code exists and CISA SSVC assessment confirms exploitation status as none with non-automatable attack conditions.
Cross-origin data leakage in Google Chrome's MediaCapture implementation on macOS allows a remote attacker to read data from other origins by enticing a user to visit a specially crafted HTML page. Affected versions are all Chrome releases on Mac prior to 149.0.7827.103. The flaw carries a CVSS score of 4.3 (Medium) with no authentication required, though user interaction is necessary; no public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog.
Insufficient network policy enforcement in Google Chrome prior to 149.0.7827.103 allows a remote unauthenticated attacker - who has already compromised the browser's utility process - to leak cross-origin data by luring a victim to a crafted HTML page. The confidentiality impact is limited and scoped unchanged, yielding a CVSS base score of just 3.1 (Low). No public exploit exists and CISA SSVC confirms exploitation status as none at time of analysis.
Sandbox escape in Google Chrome on Linux prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page, escalating from a contained renderer context to broader host access. Chromium rates this High severity, and while no public exploit has been identified at time of analysis, the CVSS 8.3 score reflects the serious consequence of bypassing one of the browser's core security boundaries. The flaw resides in the Views component and requires user interaction (UI:R) plus a prior renderer compromise, making it a second-stage vulnerability in a multi-bug exploit chain.
Integer overflow in libyuv allows a renderer-compromised attacker to read sensitive process memory in Google Chrome prior to 149.0.7827.103. This is a chained, post-exploitation vulnerability: the attacker must first control the Chrome renderer process (via a separate exploit), then serve a crafted HTML page that triggers the libyuv integer overflow to extract memory contents - making this a privilege escalation and data exfiltration primitive within a broader attack chain. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Sandbox escape in Google Chrome on macOS versions prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer/network process to break out of the browser sandbox via a race condition triggered by a crafted HTML page. Chromium rates the severity as High and a vendor patch is available, though no public exploit has been identified at time of analysis.
Sandbox escape in Google Chrome and ChromeOS on Linux prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page abusing the Dawn (WebGPU) component. Chromium rates the severity High, and while no public exploit identified at time of analysis, sandbox-escape bugs in Dawn are historically chained with renderer RCE bugs in exploit chains. The CVSS 8.3 score reflects the high attack complexity and required user interaction, but the scope change (S:C) signals a meaningful trust-boundary break.
Cross-origin data leakage in Google Chrome's codec subsystem on Linux and ChromeOS (versions prior to 149.0.7827.103) enables remote unauthenticated attackers to exfiltrate sensitive data from other origins by delivering a specially crafted video file to a target user. The root cause is uninitialized memory use (CWE-457) within the codec pipeline, where memory contents from other origin contexts may be exposed during video processing. No public exploit code has been identified at time of analysis, and CISA SSVC classifies exploitation status as 'none'; however, the network-accessible attack surface and lack of authentication requirement make patching a prudent priority for Linux and ChromeOS deployments.
Out-of-bounds read in the WebRTC component of Google Chrome before 149.0.7827.103 enables a remote attacker who has already compromised the GPU process to escalate into heap corruption via a crafted HTML page. Google rates this High severity and a vendor patch is available; no public exploit identified at time of analysis. The flaw is a chained-exploitation primitive rather than a standalone RCE, requiring a prior sandbox-adjacent foothold plus user interaction.
UI spoofing in Google Chrome prior to 149.0.7827.103 enables remote unauthenticated attackers to deceive users into interacting with falsified browser interface elements via a crafted HTML page. The vulnerability exploits insufficient input validation in Chrome's Input component (CWE-20), carrying a moderate CVSS 5.4 with confirmed low confidentiality impact and an Information Disclosure tag suggesting data exposure risk through spoofed UI surfaces such as fake dialogs or address bar manipulation. EPSS probability is very low at 0.05% (15th percentile), no public exploit has been identified, and no CISA KEV listing exists at time of analysis.
Out-of-bounds read in Dawn, Chrome's WebGPU graphics API layer, on Windows enables unauthenticated remote attackers to leak cross-origin data by serving a crafted HTML page. Affected versions of Google Chrome on Windows are all releases prior to 149.0.7827.103. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) confirms this is a network-exploitable, low-complexity information disclosure with no authentication requirement - limited only by the need for a user to visit the attacker-controlled page. No public exploit code or CISA KEV listing has been identified at time of analysis.
Sandbox escape in Google Chrome prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to break out of the Chromium sandbox via a crafted HTML page served through the New Tab Page. Google rates the underlying Chromium severity as High and a fix is shipped in the stable channel, but no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Google Chrome's V8 JavaScript engine prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw is an out-of-bounds read and write (CWE-125) rated High severity by Chromium with a CVSS 8.8, and no public exploit identified at time of analysis, though V8 memory-corruption issues historically attract exploit development.
An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via enumerating user IDs.
The utility functions used by Malwarebytes EDR 1.0.11 on Linux for calculating a cryptographic hash of data bytes truncate the hashed data if it exceeds 4GB. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.
Remote code execution affects NETGEAR gaming routers (XR1000, MR70, MS70, RAXE500) when an attacker holds an on-path man-in-the-middle position between the device and the internet. The CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N) confirms no privileges are needed on the target device but requires both high attack complexity and a specific network prerequisite - the ability to intercept and tamper with upstream traffic. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
OS command injection in NETGEAR JR6150 firmware (all versions ≤ 1.0.1.26) allows locally authenticated or WiFi-connected users to execute arbitrary operating system commands via insufficient input validation (CWE-20). The device reached End-of-Support in 2018 and NETGEAR will not release a patch, leaving all deployments permanently unmitigated. No public exploit code exists and active exploitation has not been confirmed (not listed in CISA KEV), but the perpetual absence of patching makes device replacement the only durable remediation.
Server-side file disclosure in Schneider Electric EcoStruxure IT Data Center Expert v9.1.1 and prior allows authenticated users to read arbitrary files on the underlying host by submitting crafted XML payloads to SOAP service endpoints. The flaw stems from improper restriction of XML External Entity references (CWE-611) in the SOAP API. No public exploit identified at time of analysis, but CISA SSVC marks the issue as automatable with partial technical impact.
Fortinet FortiOS and FortiProxy expose an internal debug interface (CWE-1244) that allows authenticated administrators to execute arbitrary Lua scripts through crafted CLI commands, exceeding their intended administrative scope. The vulnerability spans broad version ranges of both products, including FortiOS 6.4 through 7.6.2 and FortiProxy 7.0 through 7.6.3. While exploitation requires existing high-privilege (admin) access - limiting opportunistic attack surface - the CVSS temporal vector (E:P) confirms a proof-of-concept exploit exists, and the official fix is available (RL:O). No public exploit identified at time of analysis beyond the proof-of-concept, and this vulnerability is not listed in CISA KEV.
Xen Hypervisor's domctl locking mechanism, when XSM/Flask mandatory access control is enabled, acquires the system-wide serialization lock for certain operations before performing any Flask permission checks. This allows a less-privileged guest domain to seize the lock without authorization and stall equally or more privileged entities - including the control domain (dom0) and Xenstore domain - potentially causing a Denial of Service affecting the entire physical host. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Denial of service against Xen host management is possible through deliberate abuse of the unfair domctl system-wide lock, affecting all Xen versions from 3.3 onwards. A less-privileged domain can monopolize the lock used to serialize guest creation and management operations, starving the control domain or equally/more-privileged entities of lock access and potentially rendering the entire host unmanageable. No public exploit identified at time of analysis, and no CVSS score was published with XSA-492.
Unsynchronized traversal of HVM I/O port translation linked lists in the Xen hypervisor on x86 systems exposes a race condition exploitable by a compromised or malicious device model. The hypervisor manages I/O port translations via a linked list modified by the device model through XEN_DOMCTL_ioport_mapping; because traversal of that list during I/O port handling was never synchronized against concurrent modifications, a racing update can corrupt traversal state. The resulting hypervisor crash causes a Denial of Service of the entire host, with privilege escalation and information leakage explicitly acknowledged as non-ruled-out consequences - all without any active CISA KEV listing or public exploit identified at time of analysis.
Partial stack address disclosure in Red Hat 389 Directory Server (versions 11, 12, and 13) allows authenticated remote users to extract memory layout information via crafted LDAP extended operation requests. The root cause is a CWE-843 type confusion in the SSO token extended operation handler, which causes stack pointer data to bleed into LDAP response payloads. While the direct impact is limited to low-confidence information disclosure, leaked stack addresses are a classic ASLR-weakening primitive that could facilitate chained exploitation. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attacker during database import operations. Exploitation requires local system access, high attack complexity, and high privileges (administrator-level), producing only minor confidentiality impact with no integrity or availability consequences. No public exploit identified at time of analysis and no KEV listing; the CVSS score of 1.9 reflects the extremely constrained exploitation conditions, making this a low operational priority absent specific threat model considerations.
Out-of-bounds array access in the Linux kernel's Rockchip RKCIF camera interface driver (drivers/media/platform/rockchip/rkcif) allows a local low-privileged user to trigger memory corruption by reading one element past the end of internal arrays due to off-by-one comparison errors. Affects mainline Linux through 6.19 and is fixed in 7.0.4 and 7.1-rc1; no public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%, 5th percentile).
Privilege escalation via UID confusion in the Linux kernel's 9p filesystem client allows local users mounting 9P2000.L shares with non-default access modes to be silently demoted to the INVALID_UID (nobody/65534) for all fid lookups, breaking root's ability to chown or perform privileged file operations over the mount. Introduced by commit 1f3e4142c0eb during the conversion of 9p to the new mount API, the bug causes v9fs_apply_options() to OR user-supplied access flags onto the default V9FS_ACCESS_CLIENT instead of replacing them. EPSS is 0.02% and the issue is not on CISA KEV; no public exploit identified at time of analysis.
Denial-of-service in the Linux kernel's DAMON (Data Access MONitor) subsystem allows a local low-privileged user to crash the kernel by supplying a non-power-of-two `min_region_sz` value through the DAMON sysfs interface and invoking `damon_start()`. The flaw is an incomplete remediation: commit c80f46ac228b fixed the same class of bug for the `damon_commit_ctx()` code path but left `damon_start()` - reachable via DAMON sysfs - without the `is_power_of_2()` guard. No public exploit exists and EPSS sits at 0.02% (4th percentile), indicating negligible real-world exploitation probability; no CISA KEV listing has been issued.
Memory leak in the Linux kernel's drm/nouveau subsystem exposes systems with NVIDIA GPUs using the open-source nouveau driver to local denial of service. When aperture_remove_conflicting_pci_devices() fails during PCI device probe, the error path bypasses the fail_nvkm cleanup label, permanently leaking both the nvkm_device wrapper and the pci_enable_device() reference taken inside nvkm_device_pci_new(). No public exploit exists and EPSS sits at the 5th percentile (0.02%), confirming negligible exploitation probability; however, patched stable releases are available across multiple kernel branches.
Improper end-of-filesystem boundary handling in the Linux kernel EROFS driver for file-backed mounts causes a denial-of-service condition when I/O requests exceed the filesystem image boundary. Affected kernels spanning multiple stable branches fail to zero-fill out-of-bounds I/O regions as expected (analogous to loopback device behavior), producing undefined kernel behavior that results in availability loss. No public exploit has been identified and EPSS is 0.02% (5th percentile), indicating negligible opportunistic exploitation probability; patches are confirmed available across stable branches 6.12.x, 6.18.x, 6.19.x, and 7.0.
Local privilege/availability impact in the Linux kernel AppArmor subsystem stems from incomplete rlimit handling for POSIX CPU timers, where setting an rlimit through AppArmor policy did not propagate to the POSIX CPU timer machinery. A local low-privileged user operating under an AppArmor-confined profile can leverage the inconsistent limit enforcement to disrupt CPU-time accounting and cause high-impact availability effects on the system. No public exploit identified at time of analysis, and EPSS rates likelihood of exploitation at only 0.02% (7th percentile).
Race condition in the Linux kernel device-mapper (dm) subsystem allows a local privileged user to trigger memory corruption or use-after-free conditions by exploiting a TOCTOU flaw in dm_blk_report_zones, which calls dm_suspended_md without holding required locks. The flaw affects multiple stable kernel branches including 6.12.x, 6.15.x, 6.16, and 6.18.x prior to fixed releases. No public exploit identified at time of analysis, and EPSS scores exploitation probability at 0.02% (5th percentile).
Uninitialized stack memory disclosure in the Linux kernel's iio pressure sensor driver (mprls0025pa) for the Honeywell MPRLS0025PA SPI pressure sensor stems from a spi_transfer struct that was not zeroed before use. Local users on systems with the vulnerable driver loaded may trigger undefined SPI transfer behavior and potentially leak kernel stack contents. There is no public exploit identified at time of analysis, and EPSS rates exploitation likelihood at 0.02% (5th percentile).
Memory corruption in the Linux kernel's RDMA Soft-RoCE (rxe) driver allows incorrect iova-to-virtual-address translation when Memory Region (MR) page sizes differ from the system PAGE_SIZE, leading to access of wrong memory pages during RDMA operations. The flaw affects kernels from 6.3 through pre-6.18.14 / pre-6.19.4 / pre-7.0 patched releases, and a related kernel panic was previously reported by Yi Zhang. EPSS is 0.02% (4th percentile) and no public exploit identified at time of analysis, but a patch is available from upstream.
Local privilege escalation potential exists in the Linux kernel's netfilter nf_tables subsystem where netlink hook unregistration functions failed to use RCU-safe list removal while concurrent dumpers walked the same list. Affected paths are nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks, which previously used non-RCU list_del semantics and could race with readers, leading to memory corruption or use-after-free conditions on systems exposing nftables. No public exploit identified at time of analysis, and EPSS rates real-world exploitation likelihood at 0.02%.
Use-after-free in the Linux kernel's Generic Receive Offload (GRO) networking path allows local attackers to corrupt kernel memory and potentially achieve privilege escalation or denial of service. The flaw stems from skb_gro_receive() merging fragment lists between socket buffers without honoring the SKBFL_MANAGED_FRAG_REFS zero-copy flag, leaving page refcounts inconsistent. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02% (5th percentile).
Memory leak in the Linux kernel's TUN driver (tun_xdp_one) allows a local attacker to exhaust host memory by repeatedly triggering build_skb() allocation failures, leaking one page-frag chunk per failed batch entry. The flaw affects the vhost_net XDP fast-path used by virtual machines and containers; with no public exploit identified at time of analysis and an EPSS score of 0.02% (5th percentile), real-world weaponization risk is low, but sustained leakage on busy virtualization hosts could degrade availability.
Local denial-of-service in the Linux kernel's tun/vhost-net subsystem allows an unprivileged process with access to /dev/net/tun and /dev/vhost-net to leak page-frag chunks on every short frame (length minus virtio-net header below ETH_HLEN) submitted to tun_xdp_one(), eventually exhausting host memory and triggering an OOM panic. The flaw is a missing put_page() on the -EINVAL error path that tun_sendmsg() then masks by reporting success to vhost_tx_batch(). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug is upstream-confirmed with patches in stable trees.
Denial-of-service via memory exhaustion in the Linux kernel's tap/vhost_net XDP path allows adjacent network attackers to leak kernel page-frag memory by sending malformed frames over a tap device. The bug in tap_get_user_xdp() fails to free pages allocated by vhost_net_build_xdp() on the error paths for undersized frames (<ETH_HLEN) and build_skb() allocation failures, with each rejected frame in a batch leaking one page-frag chunk. EPSS is 0.02% and no public exploit identified at time of analysis; not listed in CISA KEV.
Lock resource leak in Linux kernel hugetlbfs subsystem enables local denial of service against systems using huge page memory mappings. Introduced by a faulty commit (ea52cb24cd3f) that incorrectly handled VMA lock allocation during the mmap_prepare stage, the defect allows a failed post-mmap_prepare allocation to leave a VMA lock unreleased, leaking kernel resources. This CVE documents the corrective revert; systems running affected kernel versions (around 6.19 through pre-7.0.12 and pre-7.1-rc6) with hugetlbfs in use are exposed to potential availability impact. No public exploit code exists and EPSS probability is 0.02% (5th percentile), indicating very low real-world exploitation activity.
Gift card secret exposure in pretix event ticketing software allows a highly privileged user who lacks explicit gift card viewing permission to obtain full gift card secret codes by generating a reusable media export. Affected versions span pretix 2024.1.0 through all releases prior to the 2026.5.1 fix, as confirmed by ENISA EUVD-2026-35407. No public exploit exists at time of analysis (CVSS E:U), but successful exploitation undermines organizational permission boundaries and can enable financial fraud against end customers whose gift card balances are exposed.
Use-after-free in the Linux kernel KVM subsystem on arm64 allows a local attacker with the ability to manipulate nested virtualization state to dereference a freed nested_mmus array, with potential scope-crossing impact from guest to host kernel memory. Triggered by a race between kvm_vcpu_init_nested() reallocating the array under config_lock and MMU notifier walkers (kvm_unmap_gfn_range) traversing it under mmu_lock. EPSS is 0.02% and no public exploit identified at time of analysis; not listed in CISA KEV.
Use-after-free in the KVM arm64 vGIC-ITS translation cache allows a malicious guest to corrupt host kernel memory by triggering concurrent cache invalidations that double-drop a single reference. The flaw affects Linux 6.10 and later until the stable backports, has no public exploit identified at time of analysis, and EPSS rates real-world exploitation probability as very low (0.02%, 5th percentile) despite the CVSS 9.3 rating.
Simply Poll 1.4.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the 'pollid' POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Out-of-bounds read in OpenSSL's CMS password-based decryption code (CVE-2026-9076) allows remote attackers to cause denial of service against applications that decrypt attacker-supplied CMS messages. The flaw is fixed in OpenSSL 4.0.1 alongside a batch of other cryptographic vulnerabilities, with no public exploit identified at time of analysis and no CISA KEV listing. Multiple OpenSSL branches (1.0.2, 1.1.1, 3.0, 3.4, 3.5, 3.6, and 4.0.0) require updates per the upstream advisory.
Out-of-bounds read in OpenSSL 4.0.0's `X509_VERIFY_PARAM_set1_email()` function can crash applications performing email-based X.509 certificate verification when processing attacker-influenced email input, resulting in a denial-of-service condition. The vulnerability is scoped to OpenSSL 4.0.0 only and was patched in the June 9, 2026 security release (4.0.1), which bundled fixes for 18 CVEs. No public exploit identified at time of analysis and no CISA KEV listing.
Trust anchor substitution in OpenSSL's CMP rootCaKeyUpdate handler allows a network-positioned attacker with low privileges to bypass certificate validation via a cert/issuer field confusion bug (CWE-295), affecting four actively maintained OpenSSL branches. The high confidentiality impact (C:H) reflects the potential for a substituted malicious trust anchor to undermine TLS certificate chains, enabling downstream interception of protected communications. No public exploit identified at time of analysis; vendor patch released 2026-06-09 across all affected branches.
Heap use-after-free in OpenSSL's PKCS7_verify() function affects multiple supported branches (1.0.2, 1.1.1, 3.0.x, 3.4.x, 3.5.x, 3.6.x, and 4.0.0) and is fixed in OpenSSL 4.0.1. Authenticated remote attackers able to submit crafted PKCS#7 signed data to a vulnerable application can trigger memory corruption leading to high-impact compromise of confidentiality, integrity, and availability per CVSS 8.8. No public exploit identified at time of analysis; EPSS is low (0.12%, 30th percentile) and CISA SSVC reports no observed exploitation, though the flaw is rated automatable with total technical impact.
Pre-NVD disclosure via GitHub release 'OpenSSL 4.0.1' (openssl/openssl). OpenSSL 4.0.1 is a security patch release. The most severe CVE fixed in this release is High. This release incorporates the following bug fixes and mitigations: * Fixed heap use-after-free in `PKCS7_verify()`. ([CVE-2026-45447]) * Fixed CMS `AuthEnvelopedData` processing may accept forged messages. ([CVE-2026-34182]) * Fixed unbounded memory growth in the QUIC `PATH_CHALLENGE` handler. ([CVE-2026-34183]) * Fixed double-free when checking OCSP stapled respo
Denial of service in OpenSSL QUIC implementation allows remote unauthenticated attackers to exhaust server memory by sending crafted PATH_CHALLENGE frames that trigger unbounded memory growth in the QUIC handler. The flaw affects OpenSSL branches 3.4.x, 3.5.x, 3.6.x, and 4.0.0, and is fixed in the 4.0.1 security release alongside numerous other CVEs. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the network-reachable, no-auth nature of QUIC server endpoints makes the issue operationally relevant for TLS/QUIC-facing services.
Denial-of-service in OpenSSL's ASN.1 content parser allows remote unauthenticated attackers to trigger a heap buffer over-read that can crash applications relying on the library for cryptographic parsing. Disclosed via the OpenSSL 4.0.1 security release on 2026-06-09 alongside more than a dozen other fixes, this issue affects every supported branch from 1.0.2 through 3.6 and 4.0. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the broad install base of OpenSSL across servers, clients, and embedded devices makes patching a priority.
Bleichenbacher oracle in OpenSSL's CMS_decrypt() and PKCS7_decrypt() functions exposes RSA-encrypted message content to unauthenticated remote attackers who can submit adaptive chosen-ciphertext queries against multi-RecipientInfo CMS/PKCS7 structures. Four active OpenSSL branches are affected (3.4.x, 3.5.x, 3.6.x, and 4.0.x), with patches released under the coordinated OpenSSL security advisory on 2026-06-09. No public exploit code and no active exploitation have been identified at time of analysis; SSVC rates this non-automatable with partial technical impact, consistent with the attack's high operational complexity.
Incorrect authentication tag processing for empty messages in OpenSSL's AES-GCM-SIV and AES-SIV cipher modes enables network-positioned attackers to bypass integrity guarantees on empty ciphertext, yielding limited confidentiality and integrity violations (CVSS 4.8, CWE-325). Affected branches span OpenSSL 3.0.x through 4.0.0, all patched in the OpenSSL 4.0.1 security release dated 2026-06-09. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Pre-NVD disclosure via GitHub release 'OpenSSL 4.0.1' (openssl/openssl). OpenSSL 4.0.1 is a security patch release. The most severe CVE fixed in this release is High. This release incorporates the following bug fixes and mitigations: * Fixed heap use-after-free in `PKCS7_verify()`. ([CVE-2026-45447]) * Fixed CMS `AuthEnvelopedData` processing may accept forged messages. ([CVE-2026-34182]) * Fixed unbounded memory growth in the QUIC `PATH_CHALLENGE` handler. ([CVE-2026-34183]) * Fixed double-free when checking OCSP stapled respo
FFC-DH peer validation in OpenSSL incorrectly accepts an attacker-supplied `q` (subgroup order) parameter instead of using the locally trusted value, undermining the cryptographic integrity of Diffie-Hellman key exchange. Affected branches span OpenSSL 3.0.x, 3.4.x, 3.5.x, 3.6.x, and 4.0.0, with patched releases issued across all five branches on 2026-06-09. With a CVSS score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) and no confirmed active exploitation or public proof-of-concept, this is a moderate-priority patch item rather than an emergency response trigger - though its broad reach across widely deployed OpenSSL branches warrants timely remediation.
Integrity-check bypass in OpenSSL 3.4.x, 3.5.x, 3.6.x, and 4.0.0 allows PKCS#12 files protected with PBMAC1 to be accepted even when secured by dangerously short HMAC keys, undermining the authentication of the keystore contents. Vendor patches are available in 3.4.6, 3.5.7, 3.6.3, and 4.0.1, and no public exploit identified at time of analysis; EPSS is 0.00% and the issue is not on the CISA KEV list.
Confidentiality break in OpenSSL's AES-OCB implementation stems from the EVP_Cipher() code path ignoring the caller-supplied initialization vector (IV), causing the cipher to operate with a fixed/default IV instead. Affected branches include 3.0.x prior to 3.0.21, 3.4.x prior to 3.4.6, 3.5.x prior to 3.5.7, 3.6.x prior to 3.6.3, and 4.0.0, fixed in OpenSSL 4.0.1 and corresponding maintenance releases. With no public exploit identified at time of analysis and no CISA KEV listing, the issue is rated High (CVSS 7.5) due to high confidentiality impact via network-reachable cryptographic operations.
Local privilege escalation in X-VPN for macOS (website-distributed versions 77.0 through 77.5) allows a low-privileged local attacker to corrupt privileged files by abusing a race condition (TOCTOU) and symlink manipulation in the quarantine and restore workflow. Discovered and reported by Fluid Attacks, the issue is patched by the vendor; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
TYPO3 CMS clipboard functionality exposes unauthorized records and files to authenticated backend users due to missing read permission enforcement. Affected versions span 10.4.0 through 13.4.30 and 14.0.0 through 14.3.2. A low-privileged backend user can insert arbitrary database records or file system objects into their clipboard, causing the application to resolve and expose metadata about resources they are not authorized to view - effectively bypassing access controls on content visibility. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.
Cross-exception-level write access in multiple Arm CPU cores including Cortex-A76 through Cortex-X925, Neoverse N1/N2/V1/V2/V3/V3AE, and C1-Ultra/Premium designs allows a lower-privileged context to modify resources owned by a higher exception level due to a race condition (CWE-362). Tracked also as Xen XSA-493 and EUVD-2025-210084, the issue carries a CVSS of 9.1 reflecting high confidentiality and integrity impact, though there is no public exploit identified at time of analysis and the EPSS score of 0.02% (4th percentile) indicates very low predicted exploitation probability.
Sensitive key material extraction is possible in Siemens SIMATIC WinCC Unified PC Runtime versions V16 through V21 (prior to V21 Update 2) due to insufficient protection in the WinCC Certificate Manager component. A local attacker on an affected HMI/SCADA workstation could harvest cryptographic key material that protects operator certificates, potentially enabling impersonation or downstream attacks against industrial control networks. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Link-following (symlink attack) in Dell iDRAC Tools versions prior to 11.4.1.0 allows a low-privileged local attacker to redirect file operations to unintended targets, resulting in unauthorized modification of files (high integrity impact) and potential availability disruption. Exploitation requires both low-level local access and user interaction, placing this in a constrained attack surface. No public exploit code and no CISA KEV listing have been identified at time of analysis, and no EPSS score was supplied in source data.
Improper certificate revocation checking in S2OPC's CycloneCrypto wrapper permits OPC UA connections authenticated with revoked certificates. The library evaluates only the first Certificate Revocation List (CRL) matching a given CA and silently discards any additional valid CRLs issued by that same CA - meaning a certificate listed exclusively in a secondary CRL passes validation unchallenged. With CVSS 5.6 (AV:N/AC:H/PR:N/UI:N), all published versions of systerel/s2opc are affected per CPE. No public exploit code or CISA KEV listing has been identified at time of analysis.
Server-side file exfiltration in the Slider Revolution WordPress plugin (≤7.0.10) allows any authenticated subscriber to copy arbitrary server files into the publicly accessible uploads directory. Three compounding design flaws enable this: a backend AJAX nonce is leaked to all authenticated users via the admin_footer hook, the image-creation action bypasses administrator-only access controls via an explicit allowlist entry, and the underlying file-copy function accepts local filesystem paths without restriction to HTTP/HTTPS URLs. No public exploit code or active exploitation has been identified at time of analysis, but the low privilege bar (subscriber-level account) and high confidentiality impact make this a meaningful risk for any WordPress site with open user registration.
Stale kernel memory disclosure in the Linux kernel's io_uring IORING_OP_WAITID operation allows a local low-privileged user to read arbitrary bytes from reused io_kiocb command storage via the userspace siginfo output buffer. The io_uring prep path for waitid requests fails to zero-initialize the io_waitid::info result field, meaning that when a wait completes without a child event the kernel copies whatever bytes happen to occupy that slab slot into the caller's siginfo_t. No public exploit has been identified at time of analysis; EPSS at 0.02% (5th percentile) reflects low current exploitation probability.
Use-after-free memory corruption in Huawei HarmonyOS's IPC (Inter-Process Communication) module allows a network-adjacent, low-privilege authenticated attacker to exploit a race condition leading primarily to high-confidence information disclosure with secondary integrity and availability impacts. The CVSS vector (AV:N/AC:H/PR:L/UI:N) confirms remote reachability but demands precise race-condition timing and an authenticated session, materially constraining opportunistic exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis, and Huawei has issued a June 2026 security bulletin addressing the issue.
Unauthorized information disclosure in Apache Answer through 2.0.0 allows authenticated users to bypass access restrictions on the 'unlisted question' feature by querying direct API endpoints. Rather than enforcing the same visibility controls applied at the UI layer, the underlying API routes expose unlisted questions along with their associated answers, comments, and full revision history to any authenticated user. No public exploit code has been identified and this CVE is not listed in CISA KEV, but the straightforward nature of the bypass - direct API calls - lowers the practical bar for exploitation by any platform user.
Integer overflow in the HarmonyOS and EMUI log service enables a local attacker, without requiring system privileges, to cause a denial-of-service condition and limited integrity impact on affected Huawei devices. The vulnerability is rooted in CWE-190 (Integer Overflow or Wraparound) within the log service component, with the CVSS-defined changed scope indicating the fault can affect components beyond the log service itself. No public exploit code and no confirmed active exploitation have been identified at time of analysis.
Permission control failure in the audio framework of Huawei HarmonyOS and EMUI allows a local attacker with no special privileges, but requiring user interaction, to access confidential audio service data with high confidentiality impact alongside minor integrity and availability effects. The vulnerability stems from improper permission enforcement (CWE-275) within the audio subsystem. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the local-attack-vector with user interaction requirement limits mass exploitation.
Permission control bypass in Huawei HarmonyOS and EMUI's call-handling subsystem allows a locally present, unprivileged attacker to circumvent intended access restrictions, resulting in low-level impacts to confidentiality, integrity, and availability. The vulnerability stems from improper business logic governing permission enforcement (CWE-840), meaning the system fails to correctly validate whether a calling entity holds the required permissions before servicing a request. No public exploit code exists and the vulnerability has not been listed in the CISA Known Exploited Vulnerabilities catalog, but the low attack complexity and absence of privilege requirements lower the bar for local abuse.
Denial-of-service in the HarmonyOS browser kernel component allows a remote unauthenticated attacker to degrade availability on affected Huawei devices by luring a user into visiting a malicious page or interacting with crafted content. Exploitation requires user interaction (UI:R per CVSS), limiting opportunistic reach, but the network-accessible attack vector (AV:N) and low complexity (AC:L) make delivery straightforward once a user is socially engineered. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Multipart request smuggling in Spring Framework's MVC and WebFlux components exposes applications to HTTP request manipulation via CWE-444. Unauthenticated remote attackers (AV:N/AC:L/PR:N/UI:N per CVSS) can exploit inconsistent multipart boundary parsing to smuggle malformed HTTP requests, achieving low-integrity impact against affected deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the zero-prerequisite attack profile and broad version coverage across four major Spring branches (5.3.x, 6.1.x, 6.2.x, 7.0.x) make this relevant to any Java shop running Spring MVC or WebFlux with multipart upload handling enabled.
Insufficient permission enforcement in the HarmonyOS file preview module allows a local, unprivileged attacker to access sensitive file contents without authorization. Affecting Huawei HarmonyOS (all versions per CPE wildcard), the flaw is classified as CWE-200 and carries a CVSS 5.5 Medium score, with high confidentiality impact but no integrity or availability exposure. No public exploit identified at time of analysis, and Huawei disclosed this vulnerability via its June 2026 security bulletin.
Permission control failure in the HarmonyOS print module allows a local attacker - without requiring elevated privileges - to compromise system integrity through user-triggered interaction. The vulnerability resides in Huawei's HarmonyOS, disclosed via the June 2026 Huawei Security Bulletin, and carries a CVSS 5.5 (Medium) rating. No public exploit code has been identified at time of analysis, and it does not appear in the CISA KEV catalog, though the high integrity impact warrants attention in enterprise HarmonyOS deployments.
Information disclosure in Spring Framework's static resource resolution affects Spring MVC and WebFlux applications across four active release lines (5.3.x, 6.1.x, 6.2.x, and 7.0.x). Unauthenticated remote attackers exploiting this flaw can access sensitive cached content served through the static resource handling pipeline, achieving high confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis, and the AC:H vector indicates exploitation requires specific conditions beyond default network access.
Predictable WebSocket session IDs in Spring Framework's spring-websocket module allow remote attackers to guess or forge session identifiers and, when paired with weak authorization rules, hijack or interact with other users' WebSocket sessions. The flaw affects Spring Framework 5.3.x, 6.1.x, 6.2.x, and 7.0.x prior to patched releases; no public exploit identified at time of analysis and EPSS is very low (0.03%).
Permission control vulnerability in the HarmonyOS clone module allows a local attacker to read confidential service data, with low confidentiality and availability impact. The flaw stems from improper permission enforcement (CWE-275) during clone operations and requires user interaction to trigger. No public exploit code exists and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis.
Credential leakage in the Reactor Netty HTTP client exposes authentication material when following redirects that cross security boundaries from HTTPS to HTTP. Affected are all four supported release lines: 1.0.x through 1.0.51, 1.1.x through 1.1.35, 1.2.x through 1.2.17, and 1.3.x through 1.3.5. An attacker who controls or can influence a redirect response can cause the client to transmit credentials over an unencrypted channel, where they may be intercepted. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.
Permission management bypass in HarmonyOS's network management module allows a locally present, low-privileged attacker - with user interaction - to read sensitive network data (C:H) and disrupt service availability (A:H) under high-complexity conditions. The CVSS 6.3 Medium score reflects meaningful impact tempered by stringent prerequisites: local access, an authenticated account, required victim interaction, and high attack complexity. No public exploit identified at time of analysis, and no CISA KEV listing exists, but the confidentiality and availability impacts warrant patching per Huawei's June 2026 security bulletin.
Local File Inclusion in the Recover Exit For WooCommerce WordPress plugin (versions up to and including 1.0.3) allows remote unauthenticated attackers to include arbitrary local PHP files via the unsanitized `tpf` POST parameter passed to `include()` in the `recover_exit()` function. Successful exploitation can disclose sensitive files such as `wp-config.php` and, when combined with file upload primitives or log poisoning, escalate to remote code execution. No public exploit identified at time of analysis, though the vulnerable sink is documented in the plugin source on plugins.trac.wordpress.org.
Incorrect privilege assignment in the vsftpd service of TOTOLINK EX200 firmware 4.0.3c.7646 (B20201211) permits remote unauthenticated attackers to perform unauthorized write operations against the device over the network. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special attack preconditions, making this broadly reachable. Publicly available exploit code exists (E:P per CVSS supplemental metrics and confirmed in description); no active exploitation via CISA KEV has been identified at time of analysis.
Dolibarr ERP CRM's Legacy Filemanager component exposes its configuration endpoint without any authorization gate, allowing authenticated users holding only low-level privileges to interact with filemanager functionality reserved for website administrators. Affecting all releases through 23.0.2, the missing permission check in htdocs/core/filemanagerdol/connectors/php/config.inc.php means any valid account - regardless of role - can reach this endpoint. Publicly available exploit code exists (CVSS E:P); no CISA KEV listing is confirmed in the available data.
Email spoofing in the SAP Business Objects Business Intelligence Platform allows authenticated network users to manipulate email sending parameters without sufficient server-side validation, enabling them to craft and dispatch emails with falsified sender or header fields. Affected users require only low-privilege authentication, and exploitation is network-accessible with no additional user interaction required. No public exploit code exists and this vulnerability is not listed in CISA KEV; the CVSS score of 4.3 (Medium) accurately reflects the limited, integrity-only impact scoped to the application.
SAP Business Objects exposes sensitive information through a specific network-accessible endpoint when high-complexity preconditions are met, exploitable by unauthenticated remote attackers. Classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), the flaw carries a CVSS score of 3.7 (Low) with impact limited strictly to partial confidentiality loss - integrity and availability are unaffected. No public exploit has been identified at time of analysis, and no active exploitation has been confirmed.
SAP Fiori Launchpad is vulnerable to malicious URL crafting that triggers arbitrary service calls within the Fiori domain, enabling credential theft from users who interact with the crafted link. Exploitation requires no attacker privileges (PR:N per CVSS) but demands high attack complexity (AC:H) and user interaction (UI:R), meaning adversaries must possess advanced system knowledge and successfully deliver the URL to a victim. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, placing this in the medium-priority tier despite the credential-theft potential.
UI spoofing in Google Chrome's Guest View component prior to 149.0.7827.103 enables a remote unauthenticated attacker to deceive users about page content or origin by delivering a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms exploitation requires no privileges and no special network position, but does require the victim to visit a malicious page. With an EPSS score of 0.05% at the 15th percentile and no CISA KEV listing, real-world exploitation is currently assessed as low probability, though the zero-friction delivery mechanism (a link) keeps the attack surface broad.
Sandbox escape in Google Chrome prior to 149.0.7827.103 allows a remote attacker to break out of the browser's renderer sandbox via a crafted HTML page that exploits insufficient input validation in the UI layer. The scope-changing CVSS 9.6 reflects that successful exploitation crosses the sandbox security boundary, though user interaction (visiting a malicious page) is required. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV, but Google rates the underlying Chromium severity as High.
Uninitialized memory use in the Video component of Google Chrome on Windows (prior to 149.0.7827.103) allows an attacker who has already compromised the renderer process to read potentially sensitive data from process memory by directing the victim to a crafted HTML page. The vulnerability is Windows-specific, rated High severity by Chromium's internal scale, and carries a CVSS 5.3 due to the high attack complexity and required user interaction stacking atop the renderer-compromise prerequisite. No public exploit identified at time of analysis; Google has released a fix in version 149.0.7827.103.
Cross-origin data leakage in Google Chrome's Passwords feature (all versions prior to 149.0.7827.103) can be triggered by a remote unauthenticated attacker delivering a crafted HTML page to a victim. The flaw results from an inappropriate implementation classified under CWE-693 (Protection Mechanism Failure), meaning the browser's same-origin policy enforcement is bypassed specifically within the Passwords subsystem. With a CVSS score of 4.3 and no public exploit or CISA KEV listing identified at time of analysis, this is a medium-severity information disclosure risk requiring user interaction to exploit.
Cross-origin data leakage in Google Chrome's New Tab Page (NTP) component prior to version 149.0.7827.103 enables an unauthenticated remote attacker - who has already achieved renderer process compromise - to exfiltrate cross-origin data via a crafted HTML page. The vulnerability stems from insufficient input validation in the NTP, exploitable only as a second-stage attack chained after a separate renderer exploit. No public exploit code or CISA KEV listing exists at time of analysis, and the CVSS base score of 3.1 (Low) accurately reflects the constrained impact: confidentiality-only, low severity, high attack complexity.
Sandbox-confined arbitrary code execution in Google Chrome on macOS versions prior to 149.0.7827.103 stems from an out-of-bounds read and write in the Media component, exploitable by a remote attacker who has already compromised the renderer process and lures a user to a crafted HTML page. Google rates the Chromium severity as High and has released a patched stable channel update; no public exploit identified at time of analysis, and SSVC reports no observed exploitation.
Cross-origin data leak in Chrome's Dawn (WebGPU) component on macOS affects all versions prior to 149.0.7827.103, allowing a remote attacker who has already compromised the renderer process to exfiltrate cross-origin data via a crafted HTML page. CVSS score of 3.1 (Low) accurately reflects the constrained impact: confidentiality loss only (C:L), no integrity or availability impact, and a hard prerequisite of prior renderer compromise that makes standalone exploitation impossible. No public exploit code exists and CISA SSVC assessment confirms exploitation status as none with non-automatable attack conditions.
Cross-origin data leakage in Google Chrome's MediaCapture implementation on macOS allows a remote attacker to read data from other origins by enticing a user to visit a specially crafted HTML page. Affected versions are all Chrome releases on Mac prior to 149.0.7827.103. The flaw carries a CVSS score of 4.3 (Medium) with no authentication required, though user interaction is necessary; no public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog.
Insufficient network policy enforcement in Google Chrome prior to 149.0.7827.103 allows a remote unauthenticated attacker - who has already compromised the browser's utility process - to leak cross-origin data by luring a victim to a crafted HTML page. The confidentiality impact is limited and scoped unchanged, yielding a CVSS base score of just 3.1 (Low). No public exploit exists and CISA SSVC confirms exploitation status as none at time of analysis.
Sandbox escape in Google Chrome on Linux prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page, escalating from a contained renderer context to broader host access. Chromium rates this High severity, and while no public exploit has been identified at time of analysis, the CVSS 8.3 score reflects the serious consequence of bypassing one of the browser's core security boundaries. The flaw resides in the Views component and requires user interaction (UI:R) plus a prior renderer compromise, making it a second-stage vulnerability in a multi-bug exploit chain.
Integer overflow in libyuv allows a renderer-compromised attacker to read sensitive process memory in Google Chrome prior to 149.0.7827.103. This is a chained, post-exploitation vulnerability: the attacker must first control the Chrome renderer process (via a separate exploit), then serve a crafted HTML page that triggers the libyuv integer overflow to extract memory contents - making this a privilege escalation and data exfiltration primitive within a broader attack chain. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Sandbox escape in Google Chrome on macOS versions prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer/network process to break out of the browser sandbox via a race condition triggered by a crafted HTML page. Chromium rates the severity as High and a vendor patch is available, though no public exploit has been identified at time of analysis.
Sandbox escape in Google Chrome and ChromeOS on Linux prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page abusing the Dawn (WebGPU) component. Chromium rates the severity High, and while no public exploit identified at time of analysis, sandbox-escape bugs in Dawn are historically chained with renderer RCE bugs in exploit chains. The CVSS 8.3 score reflects the high attack complexity and required user interaction, but the scope change (S:C) signals a meaningful trust-boundary break.
Cross-origin data leakage in Google Chrome's codec subsystem on Linux and ChromeOS (versions prior to 149.0.7827.103) enables remote unauthenticated attackers to exfiltrate sensitive data from other origins by delivering a specially crafted video file to a target user. The root cause is uninitialized memory use (CWE-457) within the codec pipeline, where memory contents from other origin contexts may be exposed during video processing. No public exploit code has been identified at time of analysis, and CISA SSVC classifies exploitation status as 'none'; however, the network-accessible attack surface and lack of authentication requirement make patching a prudent priority for Linux and ChromeOS deployments.
Out-of-bounds read in the WebRTC component of Google Chrome before 149.0.7827.103 enables a remote attacker who has already compromised the GPU process to escalate into heap corruption via a crafted HTML page. Google rates this High severity and a vendor patch is available; no public exploit identified at time of analysis. The flaw is a chained-exploitation primitive rather than a standalone RCE, requiring a prior sandbox-adjacent foothold plus user interaction.
UI spoofing in Google Chrome prior to 149.0.7827.103 enables remote unauthenticated attackers to deceive users into interacting with falsified browser interface elements via a crafted HTML page. The vulnerability exploits insufficient input validation in Chrome's Input component (CWE-20), carrying a moderate CVSS 5.4 with confirmed low confidentiality impact and an Information Disclosure tag suggesting data exposure risk through spoofed UI surfaces such as fake dialogs or address bar manipulation. EPSS probability is very low at 0.05% (15th percentile), no public exploit has been identified, and no CISA KEV listing exists at time of analysis.
Out-of-bounds read in Dawn, Chrome's WebGPU graphics API layer, on Windows enables unauthenticated remote attackers to leak cross-origin data by serving a crafted HTML page. Affected versions of Google Chrome on Windows are all releases prior to 149.0.7827.103. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) confirms this is a network-exploitable, low-complexity information disclosure with no authentication requirement - limited only by the need for a user to visit the attacker-controlled page. No public exploit code or CISA KEV listing has been identified at time of analysis.
Sandbox escape in Google Chrome prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to break out of the Chromium sandbox via a crafted HTML page served through the New Tab Page. Google rates the underlying Chromium severity as High and a fix is shipped in the stable channel, but no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Google Chrome's V8 JavaScript engine prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw is an out-of-bounds read and write (CWE-125) rated High severity by Chromium with a CVSS 8.8, and no public exploit identified at time of analysis, though V8 memory-corruption issues historically attract exploit development.
An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via enumerating user IDs.
The utility functions used by Malwarebytes EDR 1.0.11 on Linux for calculating a cryptographic hash of data bytes truncate the hashed data if it exceeds 4GB. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.