Information Disclosure
Monthly
StrongDM Desktop Application on Microsoft Windows exposes authentication secrets - including JSON Web Tokens and asymmetric key material - by writing them in cleartext to C:\Users\<username>\.sdm\state.kv, a per-user state file protected solely by default NTFS user-level permissions. Versions prior to Desktop Application 23.74.0 and Desktop Client 53.77.0 are affected. A local attacker meeting the required access prerequisites could read this file and extract live credentials, potentially enabling impersonation of the victim against StrongDM-managed infrastructure. No public exploit code exists and the vulnerability is not in the CISA KEV catalog; the low CVSS 4.0 score of 2.0 reflects the constrained local attack surface and required attack conditions.
Excessive RBAC permissions in the Metal3 ip-address-manager (IPAM) controller's ClusterRole expose Kubernetes Secrets to post-compromise abuse. The metal3-ipam-controller-manager-role granted full CRUD on core/v1 Secrets - yet PR diff evidence confirms the controller never accesses Secrets in normal operation, making these permissions entirely unnecessary. If the controller pod is compromised via a supply chain attack or container escape, an attacker inheriting the controller's service account token can read, modify, or delete any Secret in the namespace, turning a narrow container compromise into cluster-wide credential exfiltration. No public exploit exists and no CISA KEV listing, but the confidentiality impact is rated High (C:H) by NVD.
Host process data leakage in vm2 (npm/vm2 <= 3.11.3) allows untrusted JavaScript executing inside a NodeVM sandbox to read sensitive host-process state - including HTTP Authorization headers, session tokens, and AsyncLocalStorage request context - by requiring process-wide observability builtins that were incorrectly absent from the DANGEROUS_BUILTINS denylist. The affected modules (diagnostics_channel, async_hooks, perf_hooks) are Node.js process-wide singletons, not sandbox-local constructs, so granting sandbox access to them exposes all host process data flowing through those channels. A publicly available exploit code exists confirming extraction of Bearer tokens and x-session-token headers from live host HTTP requests; this is not confirmed actively exploited (not in CISA KEV).
Credential exposure in JetBrains TeamCity before version 2026.1 allows authenticated remote attackers to retrieve sensitive secrets via JVM thread name inspection. The root cause (CWE-522 - Insufficiently Protected Credentials) is TeamCity embedding credential values directly into thread names, which surfaces in thread dumps, monitoring interfaces, and diagnostic tooling accessible to low-privileged users. No public exploit code has been identified and this vulnerability is absent from the CISA KEV catalog, but the high confidentiality impact (CVSS C:H) makes it a significant credential theft vector in enterprise CI/CD environments where TeamCity routinely holds access tokens to source repositories, cloud infrastructure, and deployment targets.
Sensitive data exposure in JetBrains TeamCity before 2025.11.2 allows authenticated low-privileged users to read confidential values stored in default build agent parameters. The root cause (CWE-526) indicates that sensitive information - such as API keys, tokens, or credentials - is passed or stored through agent environment/configuration parameters without adequate access restrictions. With a CVSS score of 4.3 and no public exploit or KEV listing, this represents a moderate-priority information disclosure risk, most dangerous in environments where agent parameters are used to propagate secrets across pipelines.
Information disclosure in JetBrains YouTrack before version 2026.1.13162 exposes sensitive data through fetchApp requests, exploitable by a high-privileged user with required interaction. The CVSS vector (PR:H/UI:R/S:C) indicates this requires an authenticated administrator-level account, some form of user interaction, and crosses a security scope boundary - meaning disclosed data may reach an unintended security context. No public exploit exists and no KEV listing is present; this is a low-severity (CVSS 3.4) internal information leakage issue most relevant to hardened or compliance-sensitive YouTrack deployments.
Information disclosure in JetBrains YouTrack before version 2026.1.13162 allows authenticated low-privilege users to access sensitive user and group membership data they are not authorized to view. Rooted in CWE-863 (Incorrect Authorization), the flaw exists on the Users and Groups administrative pages, where authorization checks are insufficiently enforced for authenticated sessions. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the low access complexity means any authenticated attacker can reliably reproduce the condition.
Out-of-bounds read in liboqs prior to 0.16.0 affects the XMSS and XMSS^MT stateful signature verification routines, exploitable by any unauthenticated remote attacker who can supply a crafted public key to a verifying process. The flaw arises when a correctly-sized signature buffer is paired with a public key whose OID bytes reference a different XMSS parameter set, causing the library to derive a larger sig_bytes value and index past the end of the caller-supplied buffer, with the primary observable effect being a process crash. No active exploitation is confirmed (not in CISA KEV) and no independently published exploit has been identified at time of analysis, though a proof-of-concept scenario is embedded in the upstream fix commit's test suite.
Authentication bypass in NI SystemLink Enterprise Dashboard (versions 2026-04 and prior) allows a remote, unauthenticated attacker to send a crafted HTTP request that circumvents authentication controls, leading to privilege escalation or disclosure of sensitive information. The flaw carries a CVSS 4.0 base score of 9.3 and is network-reachable with low attack complexity and no user interaction. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.
Discount over-redemption via race condition in Shopper (shopperlabs/shopper prior to v2.8.0) allows concurrent unauthenticated checkout requests to bypass a coupon's global usage_limit, resulting in committed orders carrying unauthorized discounts the merchant never intended to grant. The CreateOrderFromCartAction::execute method created the Order database row before atomically reserving the discount slot, opening a classic TOCTOU window that becomes reliably exploitable under the high-concurrency traffic of flash sales or Black Friday events. A compounding bug rendered usage_limit_per_user entirely non-functional in all pre-2.8.0 versions - the underlying counter was never incremented anywhere in the codebase - meaning per-user caps provided zero protection regardless of a customer's redemption history. No public exploit identified at time of analysis; this CVE is not listed in CISA KEV.
Authenticated administrator access on the Danelec MacGregor Voyage Data Recorder (VDR) G4E web interface permits direct editing of sensitive authentication files, including the ability to overwrite the root password. The CVSS vector (AV:A/AC:L/PR:H/UI:N) confirms exploitation requires both adjacent network positioning and existing high-privilege credentials, meaning this is not a remotely exploitable unauthenticated attack path. Reported by ICS-CERT under advisory ICSA-26-148-01 as a maritime OT device concern, no public exploit code and no CISA KEV listing have been identified at time of analysis.
Weak password storage in the Danelec MacGregor VDR G4E exposes credentials to offline brute-force attack: the hashing algorithm in use both caps maximum password length and provides insufficient computational cost, meaning recovered hashes can be cracked with modest effort. An adjacent-network attacker holding low-privilege access who obtains the stored hashes can recover plaintext credentials and authenticate with elevated privileges to this safety-critical maritime recording system. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV, but the vulnerability affects all known versions of the G4E and is confirmed by CISA ICS advisory ICSA-26-148-01.
Backup download functionality in the Danelec MacGregor Voyage Data Recorder G4E exposes account credentials and password hashes to any authenticated low-privileged user. An attacker with a valid low-privilege account operating on the same adjacent network segment - typically the onboard vessel LAN - can retrieve a device backup file containing credential material, enabling offline password cracking and potential privilege escalation. No public exploit identified at time of analysis, but the maritime OT context and CISA ICS advisory issuance (ICSA-26-148-01) underscore relevance to vessel operational security.
Hardcoded default credentials in the Danelec MacGregor Voyage Data Recorder (VDR) G4e allow adjacent attackers to gain administrative access to the maritime black-box recorder without any password change being enforced at deployment. The flaw was reported through ICS-CERT (advisory ICSA-26-148-01) and carries a CVSS 4.0 score of 8.7, reflecting high confidentiality and integrity impact over an adjacent network with no privileges or user interaction required. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Command injection in Dokploy 0.29.2 and earlier allows authenticated users with application create/edit permissions to execute arbitrary shell commands on the host by injecting metacharacters into branch names, repository URLs, or Docker credentials. The flaw stems from unsanitized template-literal interpolation passed to child_process.exec(), and at time of analysis no public exploit identified at time of analysis, but the vendor security advisory GHSA-3frc-cfh9-ch2c documents the issue.
Unauthenticated administrator password reset in KMW KM-IP521 and KM-IP421 CCTV cameras allows remote network-based attackers to reset the admin credential to a known value and obtain full control of the device, including live video feeds and configuration. The flaw is classified under CWE-620 (Unverified Password Change) and was disclosed via CISA's ICS-CERT coordination channel with a CVSS 9.1 rating. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the trivial attack complexity and lack of authentication make it high-priority for any internet- or LAN-exposed deployments.
Session fixation in QuickCMS (OpenSolution) allows an attacker to pre-set a victim's session identifier before the victim authenticates, and because the application fails to regenerate the session ID upon login, the attacker can subsequently hijack the fully authenticated session. All QuickCMS 6.8 deployments lacking the patch published on 2026-05-15 are vulnerable. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack requires no attacker privileges and only passive user interaction, making targeted abuse realistic wherever attacker session pre-positioning is feasible.
WebSocket frame parsing in XX-Net V5.16.6 corrupts application-layer data when the local HTTP server's WebSocket_receive_worker routine unconditionally consumes 4 bytes as a masking key regardless of the RFC 6455 MASK bit, causing payload data to be silently misinterpreted. Attackers with local system access and no privileges can send unmasked WebSocket frames to the embedded simple_http_server.py endpoint, causing the first 4 bytes of any payload to be misread as a mask key and the remainder to be incorrectly XOR-decoded. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; an upstream fix exists as a GitHub commit and open pull request but a formally released patched version has not been independently confirmed.
Heatmiser Wifi Thermostat 1.7 contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve administrative credentials by accessing the networkSetup.htm page. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Zechat 1.5 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the uname parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authentication bypass in FreePBX api module (versions prior to 17.0.8) allows OAuth2 access tokens to be issued without verifying the client_secret, because the ClientRepository validateClient() method unconditionally returns true. An attacker who knows or guesses a valid client_id can mint tokens granting API access to the PBX, leading to unauthorized read and write operations against telephony configuration. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Immobilizer bypass in the 2025 Indian Motorcycle Scout Bobber + Tech (Polaris Inc.) allows a physically adjacent attacker to permanently defeat the engine immobilizer by passively capturing a single WCM-to-ECM seed/key exchange. The Wireless Control Module derives its authentication response using a reversible, non-cryptographic operation, meaning the persistent per-vehicle ECM immobilizer secret can be mathematically reconstructed from one captured exchange - no brute force required. Once recovered, the secret enables independent ECM authentication and engine start without the physical key fob, nullifying the immobilizer entirely. No public exploit code has been identified at time of analysis, and no patch has been released; specific protocol details have been withheld by the researcher pending vendor remediation.
Out-of-bounds read in the Waterfall WF-500 RX Host (firmware 7.10.0.0 R2601141040) enables an attacker who already controls the TX Host to execute code on the receiving (RX) side, bypassing the unidirectional security guarantee the data diode is designed to enforce. Discovered by Nozomi Networks Labs with no public exploit identified at time of analysis and an EPSS score of 0.02%, the issue is significant because it undermines the OT/IT segmentation use case the product exists to provide. The vulnerability is not listed in CISA KEV and there is no evidence of active exploitation.
Stored cross-site scripting in Mautic 7's Projects component allows authenticated low-privilege users with project create/edit permissions to inject script payloads into project names that execute when administrators hover over project tags or popovers on campaign, email, or form detail views. Exploitation yields script execution in an administrator's authenticated session, enabling configuration tampering, privilege escalation through administrative actions, and exfiltration of sensitive data. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Credential exposure in Red Hat Quay 3's config-tool GitLab OAuth validator allows OAuth client_id and client_secret to leak into system logs. The config-tool incorrectly appends these sensitive values as URL query parameters on POST requests to the GitLab endpoint, causing them to appear in server access logs, reverse proxy logs, and monitoring infrastructure. A highly privileged attacker with read access to those log systems can harvest the exposed OAuth credentials and use them for unauthorized GitLab API access. No public exploit code exists and this is not listed in CISA KEV.
Administrator account takeover in Network Optix Nx Witness VMS before 6.1.2 allows remote unauthenticated attackers to hijack authenticated user sessions through a CORS misconfiguration in the REST API when the product runs in default Standard security mode on Linux or Windows. By luring a logged-in operator to a malicious cross-origin page, the attacker's site can read credentialed REST responses and steal the session token, achieving full administrative takeover; no public exploit identified at time of analysis, but the issue is trivially weaponizable given the well-understood CORS attack pattern.
The Wireless Control Module (WCM) in the 2025 Indian Motorcycle Scout Bobber + Tech exposes the user-set vehicle unlock PIN through a fatally weak authentication design in the Infotainment Digital Round display. The display's PIN verification relies on a non-cryptographic computation, meaning a passive observer who captures a single complete authentication exchange from the in-vehicle network can mathematically recover the exact PIN - no brute-force or active interaction required. Reported by ASRG against a product manufactured by Polaris Inc., this vulnerability defeats the motorcycle's primary user-authentication control; it is not listed in CISA KEV and no public exploit code has been identified at time of analysis.
Authenticated PHP Object Injection in the WooCommerce Infinite Scroll and Ajax Pagination WordPress plugin (versions up to and including 1.8) allows Subscriber-level users to deserialize attacker-controlled data via the 'settings' parameter of the import_settings function. While the plugin itself contains no usable POP chain, the presence of any vulnerable gadget in another installed plugin or theme can escalate this into arbitrary file deletion, sensitive data disclosure, or remote code execution. There is no public exploit identified at time of analysis, but the low privilege barrier and ubiquity of WordPress gadget chains make this a meaningful risk for multi-plugin sites.
Unauthenticated information disclosure in the Cloudways Breeze Cache plugin for WordPress (all versions ≤ 2.5.2) allows remote attackers to retrieve administrator-cached page content by supplying a forged session cookie. When the non-default 'Cache Logged-in Users' feature is active, the plugin resolves cached page files by parsing the username directly from the cookie value without verifying the WordPress HMAC signature, enabling any unauthenticated actor who knows or guesses a valid username to obtain that user's cached HTML output. Exposed data includes full content of private posts, Admin Bar markup, WordPress nonces, and other privileged interface elements. No public exploit has been identified and the vulnerability is not listed in CISA KEV; version 2.5.3 contains the fix.
Poll Maker WordPress plugin (versions ≤6.3.7) leaks the complete WP_User object - including bcrypt password hashes, email addresses, login names, registration dates, roles, and capabilities - through an AJAX endpoint that performs no nonce verification or capability check beyond confirming the requestor is logged in. Any subscriber-level authenticated user on an affected site can call the `ays_poll_get_user_information` action and retrieve user data that WordPress deliberately withholds from all of its standard interfaces, including the REST API. No public exploit has been identified at time of analysis, but the attack requires only a valid subscriber session and a single POST request, and the recovered bcrypt hash enables offline password-cracking attacks.
Symlink-following vulnerability in the Canon PIXMA/PIXUS CUPS Printer Driver installer for macOS allows a local authenticated attacker to manipulate directory permissions beyond their authorization. By placing a specially crafted symbolic link in a path the installer traverses, the attacker can redirect installer-time permission changes to arbitrary directories during a privileged installation run. Affected versions are 16.91.0.0 and earlier across Japan (iX6800 Series), the US, and Europe (MG2500 and iX6800 Series); no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Symlink following in the Canon My Image Garden macOS installer (version 3.6.8 and earlier) enables a locally authenticated attacker to manipulate file permissions outside their authorization scope. During installation - which typically runs with elevated privileges - an attacker who pre-places a crafted symbolic link at a path the installer accesses can redirect file operations to arbitrary targets, achieving unauthorized integrity impact on the host system. No public exploit code and no CISA KEV listing exist at time of analysis; however, the Canon PSIRT has published formal advisories confirming the issue.
Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page targeting the Skia graphics library. Exploitation requires user interaction (visiting a malicious page) and chained renderer compromise, raising attack complexity, but the resulting scope change and full CIA impact make it a high-severity issue. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.05%, 15th percentile).
Cross-origin data leakage in Google Chrome versions prior to 148.0.7778.216 stems from an integer overflow in the ANGLE graphics translation layer, allowing a remote attacker who lures a user to a crafted HTML page to bypass same-origin protections and exfiltrate sensitive data from other domains. The flaw carries a CVSS 8.8 rating due to network reachability and high impact across confidentiality, integrity, and availability, though Chromium itself rates the severity as Medium. EPSS is very low at 0.03% (11th percentile) and no public exploit identified at time of analysis, indicating limited near-term exploitation pressure despite the high CVSS.
Integer overflow in ANGLE (Chrome's graphics translation layer) in Google Chrome prior to 148.0.7778.216 enables remote attackers to read sensitive data from the renderer process memory by enticing a victim to visit a crafted HTML page. The vulnerability is limited to confidentiality impact - no code execution or integrity impact is indicated by CVSS (C:H/I:N/A:N). With an EPSS of 0.03% and no CISA KEV listing, active exploitation is not currently observed, though the network-accessible attack vector and low complexity make the attack straightforward once a victim visits attacker-controlled content.
Sandbox escape in Google Chrome's Headless component prior to version 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. The flaw is an out-of-bounds read (CWE-125) reported by the Chrome team itself; no public exploit is identified at the time of analysis and EPSS is very low (0.03%), but the high CVSS (8.3) reflects scope-changed sandbox escape impact.
Cross-origin data leak in Google Chrome's Skia graphics engine affects all versions prior to 148.0.7778.216, exploitable only after an attacker has already achieved renderer process compromise via a separate vulnerability. The flaw (CWE-200) allows the compromised renderer to exfiltrate cross-origin data by processing a crafted HTML page, with impact limited to partial confidentiality loss. No public exploit identified at time of analysis; EPSS at 0.03% (11th percentile) and absence of CISA KEV listing confirm low widespread exploitation probability, though the renderer-compromise prerequisite implies real-world use would appear in chained exploit scenarios.
Uninitialized GPU memory use in Google Chrome on Android prior to 148.0.7778.216 enables remote attackers to read potentially sensitive data from the browser's GPU process memory. Exploitation requires user interaction - a victim must visit a crafted HTML page - and is confined to the Android platform, narrowing real-world exposure relative to the CVSS C:H impact rating. No public exploit code exists and this vulnerability is absent from CISA KEV; EPSS at 0.03% (11th percentile) and SSVC exploitation status of 'none' collectively indicate low near-term exploitation probability.
UI spoofing in Google Chrome's Passwords component (all versions prior to 148.0.7778.216) allows a remote, unauthenticated attacker to manipulate browser-native password UI elements by delivering a crafted HTML page to a victim. The flaw arises from insufficient input validation (CWE-20) in the Passwords subsystem, enabling attacker-controlled content to render deceptive credential prompts that are visually indistinguishable from legitimate Chrome dialogs. No public exploit has been identified at time of analysis and the CVE is absent from CISA KEV, though the zero-privilege, network-accessible attack surface and High Chromium severity designation make patching a clear priority.
Out-of-bounds read in the WebRTC subsystem of Google Chrome on macOS (versions prior to 148.0.7778.216) enables remote attackers to exfiltrate potentially sensitive data from browser process memory by luring a user to a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/C:H/I:N/A:N) confirms network-reachable, unauthenticated exploitation with confidentiality-only impact, but mandates user interaction, limiting fully passive attack scenarios. No active exploitation has been confirmed in CISA KEV, and an EPSS score of 0.03% at the 10th percentile reflects low observed exploitation probability at time of analysis; no public exploit code has been identified.
Cross-origin data leakage in Google Chrome's Media component on Windows (versions prior to 148.0.7778.216) permits exfiltration of sensitive origin-isolated content, but only as a second-stage primitive requiring prior renderer process compromise. The confidentiality impact is constrained (CVSS 3.1/Low, CWE-200), with no integrity or availability consequences. No public exploit code exists and the EPSS score of 0.03% (11th percentile) reflects negligible real-world exploitation probability at time of analysis.
UI spoofing in Google Chrome's OptimizationGuide component (all versions prior to 148.0.7778.216) enables a remote unauthenticated attacker who has already compromised the renderer process to present false browser UI elements to the user via a crafted HTML page. The root cause is CWE-20 (Improper Input Validation) - OptimizationGuide fails to adequately validate untrusted data sourced from the renderer, allowing that data to influence trusted browser UI surfaces. With a CVSS score of 4.2, EPSS at 0.05% (15th percentile), no KEV listing, and no public exploit identified at time of analysis, real-world risk is moderate-low despite the network vector, heavily gated by the renderer-compromise prerequisite.
Memory disclosure in Google Chrome's Media component on ChromeOS allows a remote attacker who has already compromised the renderer process to read potentially sensitive data from process memory via a specially crafted HTML page. Affected versions are all Chrome builds prior to 148.0.7778.216 on ChromeOS. This vulnerability is a chaining primitive - it cannot be exploited standalone and requires a prior renderer compromise, placing it in the context of multi-stage attack chains rather than direct exploitation. No public exploit code exists and no active exploitation has been identified at time of analysis.
Sandbox escape in Google Chrome's ANGLE component prior to version 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. The flaw stems from insufficient validation of untrusted input (CWE-20) in ANGLE, Chrome's translation layer for graphics APIs. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.05%, 15th percentile), but the Chromium-assigned 'High' severity reflects its value as the second stage in a browser exploit chain.
Inappropriate implementation in the Skia graphics library within Google Chrome prior to 148.0.7778.216 enables remote attackers to read potentially sensitive data from renderer process memory by delivering a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms unauthenticated network exploitation with high confidentiality impact, constrained only by the requirement for user interaction. No public exploit has been identified at time of analysis, and EPSS at 0.03% (11th percentile) indicates minimal observed exploitation activity.
Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page abusing the WebShare component. Chromium rates the issue High severity, and CVSS scores it 8.3 reflecting the scope-change impact, though EPSS is currently low at 0.04% and no public exploit is identified at time of analysis.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 is possible through an out-of-bounds read and write vulnerability in the ANGLE graphics translation layer. An attacker who has already compromised the renderer process can leverage a crafted HTML page to break out of Chrome's sandbox and potentially execute code at a higher privilege level. No public exploit identified at time of analysis, and EPSS is very low at 0.03%, but Google rates the underlying Chromium severity as High.
Sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page targeting the Gamepad component. The flaw is rated High by Chromium and carries a CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C), but EPSS is only 0.03% (11th percentile) and no public exploit identified at time of analysis. The bug is a second-stage primitive in a multi-stage exploit chain rather than a standalone RCE.
Cross-origin data leakage in Google Chrome's WebRTC component on Windows exposes limited confidential data to remote attackers via a race condition in all Chrome versions prior to 148.0.7778.216. An unauthenticated remote attacker (PR:N) can exploit this by luring a victim to a crafted HTML page, exploiting a timing window in WebRTC's concurrent execution to read cross-origin data. No public exploit has been identified at time of analysis and EPSS stands at 0.03% (9th percentile), indicating very low real-world exploitation pressure despite Chrome's internal 'High' severity classification.
Cross-origin data leakage in Google Chrome on iOS prior to 148.0.7778.216 exposes sensitive information from cross-origin resources to remote attackers via a crafted HTML page. The flaw is confined to Chrome's iOS-specific implementation (distinct from Chrome on Android, Windows, or macOS), meaning the affected population is limited to iOS users running unpatched Chrome builds. With a CVSS score of 4.3 (Medium), no CISA KEV listing, and an EPSS of 0.03% (11th percentile), no public exploit identified at time of analysis, this is a real but lower-priority disclosure issue - though the zero-privilege-required network vector merits timely patching.
Out-of-bounds read in Chrome's ANGLE graphics layer exposes process memory to remote attackers who can deliver a crafted HTML page to a victim. Unauthenticated (PR:N) remote exploitation is confirmed by the CVSS vector, though user interaction is required - the victim must open a malicious page. Confidentiality impact is rated High (C:H) with no integrity or availability consequence, making this a targeted information-disclosure primitive rather than a code-execution path. No public exploit or CISA KEV listing exists at time of analysis, and the EPSS score of 0.03% (11th percentile) reflects low observed exploitation pressure.
Uninitialized use (CWE-457) in ANGLE, Chrome's graphics abstraction layer, exposes cross-origin data to attackers who have already compromised the renderer process in Google Chrome prior to 148.0.7778.216. Exploitation requires delivering a crafted HTML page to a victim who interacts with it, making this a post-compromise data exfiltration primitive rather than an initial access vector. The CVSS score of 3.1 and EPSS of 0.03% (11th percentile) are consistent with the constrained prerequisites; no public exploit code exists and no active exploitation has been confirmed.
Cross-origin data leakage in Google Chrome's WebGL implementation on Android affects all Chrome versions prior to 148.0.7778.216. The WebGL graphics subsystem performs an out-of-bounds read (CWE-125) when processing attacker-controlled content, exposing adjacent memory contents across origin boundaries to the initiating page. Remote unauthenticated attackers can trigger this condition by serving a crafted HTML page, but victim interaction is required - the user must visit the malicious page. No active exploitation is confirmed (not listed in CISA KEV), and EPSS of 0.03% (10th percentile) indicates low exploitation probability at time of analysis.
Cross-origin data leakage in Google Chrome's ANGLE graphics layer affects all versions prior to 148.0.7778.216, enabling remote unauthenticated attackers (PR:N) to read cross-process memory contents via a crafted HTML page. The root cause is an uninitialized variable (CWE-457) in ANGLE - Chrome's OpenGL ES abstraction layer - where stale memory contents can be read and exfiltrated across security origins. No public exploit code has been identified at time of analysis and the EPSS score of 0.03% (11th percentile) indicates very low current exploitation probability; however, the low attack complexity (AC:L) and zero privilege requirement make opportunistic targeting feasible once exploitation techniques mature.
Cross-origin data leakage in Google Chrome's WebGL implementation on Android allows remote unauthenticated attackers to exfiltrate sensitive cross-origin content from a victim's browser session. Affected are all Chrome for Android releases prior to 148.0.7778.216. Exploitation requires the victim to visit a crafted HTML page, but no prior privileges or authentication are needed on the attacker's side. No public exploit identified at time of analysis and EPSS remains at 0.03%, indicating low automated or widespread exploitation pressure.
Remote code execution in Google Chrome for Windows prior to 148.0.7778.216 stems from an out-of-bounds read in the ANGLE graphics abstraction layer, enabling attackers who lure a user to a malicious page to execute arbitrary code in the renderer context. Chromium rates the severity High and CVSS scores it 8.8 due to network reach and high impact across confidentiality, integrity, and availability, though successful exploitation requires user interaction (visiting the crafted page). No public exploit has been identified at time of analysis, but ANGLE bugs have historically been chained into browser sandbox escapes.
Cross-origin information disclosure in Google Chrome for Android allows a remote attacker to leak sensitive cross-origin data by luring a victim to a crafted HTML page that exploits uninitialized memory in the WebGL implementation. Affected are all Chrome for Android releases prior to 148.0.7778.216. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV), with EPSS at 0.03% (10th percentile) reflecting minimal current exploitation activity.
Cross-origin data disclosure in Google Chrome on Android (prior to 148.0.7778.216) stems from uninitialized GPU memory that a renderer-compromised attacker can read via a crafted HTML page. This is a second-stage, chained vulnerability - exploitation requires that the renderer process has already been compromised through a separate, unspecified vector. CVSS rates this Low (3.1) consistent with the constrained impact (C:L only) and high attack complexity; EPSS of 0.03% (11th percentile) confirms no public exploit identified at time of analysis.
Cross-origin data leakage in Google Chrome on Android (prior to 148.0.7778.216) via an out-of-bounds read in the WebGL rendering engine allows remote attackers to exfiltrate memory contents when a victim visits a crafted HTML page. The CVSS score of 4.3 (Medium) reflects a network-reachable, low-complexity attack requiring no privileges but dependent on user interaction, with confidentiality impact limited to partial disclosure. No public exploit code or CISA KEV listing has been identified at time of analysis, and an EPSS score of 0.03% (10th percentile) corroborates low active exploitation likelihood; however, the platform-specific scope (Android Chrome) and cross-origin data exposure potential make this relevant for organizations with mobile browser threat models.
Uninitialized memory exposure in the WebGL subsystem of Google Chrome on Android prior to 148.0.7778.216 allows unauthenticated remote attackers to read potentially sensitive data from browser process memory. Exploitation requires the victim to visit a specially crafted HTML page, placing this in the drive-by/social-engineering threat category rather than fully automated attacks. No public exploit code identified at time of analysis, and EPSS of 0.03% (10th percentile) reflects minimal current exploitation pressure despite the High CVSS confidentiality impact.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page exploiting insufficient input validation in the ANGLE graphics layer. The flaw carries a CVSS 8.3 (High) rating with scope change and full CIA impact, but EPSS is very low at 0.05% (15th percentile) and there is no public exploit identified at time of analysis. Chrome's security team rated this High severity and a patched stable channel build is available.
Out-of-bounds read in Google Chrome's ANGLE graphics abstraction layer (versions prior to 148.0.7778.216) allows remote unauthenticated attackers to potentially read limited memory contents from within the browser's process space when a user visits a crafted HTML page. The flaw originates from an inappropriate implementation within ANGLE's rendering pipeline - Chrome's cross-platform graphics engine - resulting in a CWE-125 out-of-bounds read condition with limited confidentiality impact (C:L) and no integrity or availability consequences. No public exploit code has been identified at time of analysis, and EPSS scores this at 0.03% (11th percentile), indicating very low real-world exploitation probability.
GPU memory disclosure in Google Chrome on Android (versions prior to 148.0.7778.216) exposes potentially sensitive process memory to unauthenticated remote attackers via crafted HTML pages. The root cause is an inappropriate implementation within Chrome's GPU subsystem on Android, classified as CWE-200, which permits out-of-bounds or unauthorized memory reads during rendering operations. No public exploit code exists and no active exploitation is confirmed; EPSS probability sits at a low 0.03%, though the Android-only scope and requirement for user interaction are the primary limiting factors rather than intrinsic exploitation difficulty.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from an out-of-bounds memory access in the ANGLE graphics translation layer that lets a remote attacker run arbitrary code inside the renderer sandbox via a crafted HTML page. Chromium rates the issue High severity and a vendor patch is available, though no public exploit identified at time of analysis and the EPSS score of 0.04% (12th percentile) indicates very low observed exploitation likelihood at this time.
Out-of-bounds read in Chrome's ANGLE graphics layer exposes process memory contents to unauthenticated remote attackers who can lure a user to a crafted HTML page. All Google Chrome desktop versions prior to 148.0.7778.216 are affected, with the vulnerability carrying a CVSS 6.5 and exclusively a confidentiality impact - no integrity or availability loss. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (11th percentile) reflects low current exploitation activity, consistent with a typical Chrome graphics-component disclosure ahead of a stable channel patch.
Cross-origin data leakage in Google Chrome's Dawn WebGPU implementation on Windows affects all versions prior to 148.0.7778.216. The out-of-bounds read (CWE-125) in the Dawn graphics layer allows remote unauthenticated attackers to exfiltrate cross-origin data by enticing a user to visit a crafted HTML page, exploiting improper buffer boundary enforcement during GPU operations. No public exploit code or CISA KEV listing exists at time of analysis; EPSS at 0.03% (11th percentile) indicates very low automated exploitation likelihood, consistent with the moderate CVSS 4.3 score and required user interaction.
Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers insufficient input validation in the GPU component. Chromium rates the severity High and CVSS scores it 8.3, but EPSS exploitation probability is very low (0.05%, 15th percentile) and there is no public exploit identified at time of analysis.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via an out-of-bounds read in the GPU process triggered by a crafted HTML page. Google rates the underlying issue as High severity, and while a vendor patch is shipped, EPSS shows only 0.03% (11th percentile) exploitation probability and no public exploit code or active exploitation has been identified at the time of analysis.
Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows a remote attacker to break out of the renderer sandbox by serving a crafted HTML page that triggers an out-of-bounds read and write in the Dawn WebGPU implementation. Chromium rates the underlying issue as Critical severity, and CVSS 8.3 with scope change reflects the cross-boundary impact, though EPSS is low at 0.03% and no public exploit has been identified at time of analysis.
Sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that abuses insufficient UI input validation. Chromium rates the underlying issue Critical, though current intelligence shows no public exploit identified at time of analysis and a very low EPSS score (0.05%, 15th percentile), indicating the bug is patched before broad weaponization. Exploitation requires chaining with a separate renderer compromise and user interaction, raising the practical bar despite the high CVSS of 8.3.
Cross-origin data leakage in Google Chrome's ANGLE graphics layer (prior to 148.0.7778.216) allows unauthenticated remote attackers to read sensitive cross-origin information by luring a victim to a crafted HTML page. The root cause is an integer overflow in ANGLE, Chrome's graphics translation engine, which is internally rated Critical by the Chrome security team despite a CVSS score of only 4.3. No public exploit has been identified at time of analysis, and the EPSS exploitation probability is very low at 0.03% (11th percentile), though the cross-origin data leakage class of vulnerability has historically attracted targeted exploitation in browser ecosystems.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 enables a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that abuses insufficient input validation in WebGL. Chromium rates the underlying severity as Critical, and while no public exploit is identified at time of analysis, the EPSS score is low (0.04%, 14th percentile) and the CVSS:3.1 base is 8.3 due to high attack complexity and required user interaction. The flaw is part of a multi-stage exploit chain rather than a one-shot RCE.
Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows remote attackers to potentially break out of the renderer sandbox via an out-of-bounds read in the WebGL component when a victim visits a crafted HTML page. Chromium rates the underlying issue as Critical severity, and while no public exploit is identified at time of analysis (EPSS 0.03%), the combination of scope-change (S:C) and full CIA impact makes this a high-priority browser patch for Android fleets.
Symlink following in the AnythingLLM agent filesystem copy tool (versions prior to 1.13.0) allows a highly-privileged authenticated user to read files outside the configured filesystem sandbox by placing a symbolic link inside an agent-accessible source directory. The recursive copy helper validates only top-level paths, then descends into child entries using Node.js fs.stat() and fs.copyFile(), both of which transparently follow symlinks - silently redirecting reads to targets outside the allowed root and materializing their contents in an accessible destination. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; the CVSS score of 2.0 reflects that exploitation is constrained to high-privilege accounts with high complexity and required user interaction.
Remote denial of service in Lakeside SysTrack Agent (lsiagent.exe) allows unauthenticated network attackers to crash the endpoint monitoring agent by sending a single malformed UDP packet to the Command ID 30 handler. The flaw was reported by VulnCheck and carries a CVSS 4.0 score of 8.7 reflecting high availability impact with no privileges or user interaction required; no public exploit identified at time of analysis, though VulnCheck has published an advisory describing the trigger.
Authentication bypass in FUXA 1.3.0-2773 renders the `secureEnabled=true` configuration ineffective, exposing project topology, alarm configurations, and scheduler data to unauthenticated or invalid-token HTTP requests. The flaw originates in `server/api/jwt-helper.js`, where `verifyToken()` silently converts missing or malformed JWT tokens into a guest context rather than rejecting the request - and downstream route handlers accept that guest context without further authorization checks. Publicly available exploit code exists (documented reproduction steps in GitHub advisory GHSA-r9g5-7q8j-958c), and a vendor-confirmed fix was released in v1.3.1.
Unauthorized read access in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated remote attackers to bypass authentication controls via HTTPS and retrieve a subset of accessible data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no special conditions are needed - any network-reachable instance is potentially exploitable without credentials. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not available in the provided intelligence, limiting exploitation urgency assessment.
Net Service takeover in Oracle Database Server 23.4.0 through 23.26.2 allows unauthenticated remote attackers reaching the TLS-protected Net Service listener to fully compromise confidentiality, integrity, and availability, with scope change indicating impact on adjacent components. CVSS 9.0 reflects high impact tempered by high attack complexity (AC:H), and no public exploit identified at time of analysis. Reported and tracked in Oracle's May 2026 Critical Patch Update advisory.
Unauthorized read access in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by unauthenticated remote attackers via the Mongoapi component over HTTPS. The vulnerability is tagged as an Authentication Bypass, indicating the Mongoapi endpoint fails to enforce access controls, exposing a subset of data accessible through that interface. No public exploit code and no CISA KEV listing exist at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms low-complexity, zero-authentication exploitation is feasible at scale.
Remote takeover of Oracle Hospitality OPERA 5 Property Services (versions 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, and 5.6.28) is achievable by unauthenticated network attackers over HTTP, per Oracle's May 2026 CPU. With CVSS 9.8 and full CIA impact, this is a critical hospitality-sector exposure, though no public exploit is identified at time of analysis and KEV status is not present. EPSS data was not supplied, so probability-of-exploitation cannot be quantified.
Expired access tokens in Kibana remain exploitable due to a logic error in expiration timestamp validation (CWE-672), allowing an unauthenticated actor who possesses an expired token to retrieve content it was originally scoped to access. The flaw affects all tracked Kibana versions per the NVD CPE wildcard, and Elastic has issued a security advisory (ESA-2026-33) with patch versions. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis. The CVSS 5.3 Medium score reflects constrained confidentiality impact with no integrity or availability consequence.
Full administrative compromise of the XCharge C6 EV charger is achievable by a physically connected device that abuses a remote management service exposed on the vehicle-charger signaling channel and protected only by a default administrative credential. Affecting XCharge C6 firmware versions released before May 22, 2026, the issue was disclosed via CISA ICS-CERT advisory ICSA-26-148-08 with a CVSS 4.0 score of 8.6 and no public exploit identified at time of analysis.
RustFS distributed object storage (all versions prior to 1.0.0-beta.2) leaks sensitive credentials - including SessionTokens (JWT), SecretAccessKeys, and full JWT claim payloads - in plaintext to server logs when debug-level logging is active. Any authenticated party with read access to those log files can harvest live credentials for lateral movement or unauthorized storage access. No public exploit identified at time of analysis, but the impact of credential exposure is high if debug logging is inadvertently enabled in production. A vendor-released patch is available in 1.0.0-beta.2.
License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded 2048-bit RSA private key (TEST_PRIVATE_KEY) shipped in crates/appauth/src/token.rs and used in production by parse_license() to verify license tokens. Any attacker who can read the public repository or extract the key from a compiled binary can mint arbitrary license tokens with any subject and expiration, defeating the license feature entirely. No public exploit identified at time of analysis, though the key material is trivially recoverable from the open-source code.
Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0-beta.2 allows remote attackers to repeatedly invoke profiling endpoints that the admin router whitelists from authentication. Each request triggers a fixed 60-second CPU profiling operation and leaks the server's absolute filesystem path in the response. CVSS 4.0 scores this 8.8 (High) driven by high availability impact; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Unauthenticated information disclosure in RustFS exposes parsed license metadata - including license subject and expiration timestamp - via the console endpoint GET /rustfs/console/license to any network client that can reach the console listener, with no credentials required. All RustFS releases prior to 1.0.0-beta.2 are affected. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, and the CVSS 4.0 confidentiality impact is rated Low given the non-sensitive nature of the disclosed data.
Uninitialized variable use in Ubuntu Linux 6.8's AppArmor AF_INET/AF_INET6 socket mediation code allows an authenticated local user to cause incorrect enforcement of fine-grained network socket access controls. The flaw resides in Ubuntu-specific SAUCE patches layered on top of the mainline Linux 6.8 kernel, meaning it is not present in upstream distributions. No public exploit code or active exploitation has been identified at time of analysis; Canonical has issued a fix via the Ubuntu Noble kernel repository.
Kernel availability loss in Ubuntu Linux 6.8, 6.17, and 7.0 can be triggered by any unprivileged local user via a defect in Ubuntu-specific AppArmor SAUCE patches, where notification handling code incorrectly sleeps while holding a spinlock. Violating this kernel locking invariant results in kernel panic or deadlock, causing a full system crash or hang. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low-complexity, low-privilege trigger conditions make it a realistic denial-of-service risk on any multi-user Ubuntu system running the affected kernel versions.
Out-of-bounds heap read in Ubuntu Linux kernels 6.8, 6.17, and 7.0 stems from AppArmor SAUCE patches miscomputing an internal buffer size during notification handling, allowing an unprivileged local user to feed invalid data into the AppArmor DFA policy engine. The flaw carries a CVSS 7.8 (high) and currently has no public exploit identified at time of analysis, though Canonical has shipped an upstream kernel fix. Impact is limited to local attackers but high-severity given full CIA impact in the CVSS vector.
Out-of-bounds read in Ubuntu Linux kernels 6.8, 6.17, and 7.0 exposes adjacent slab allocator memory to any local low-privileged user. The flaw originates in Canonical's Ubuntu-specific AppArmor SAUCE patches, which incorrectly validate the size of an internal structure during notification handling, enabling controlled reads past the intended memory boundary. No public exploit identified at time of analysis, and exploitation is strictly local; however, C:H in the CVSS vector confirms that successful exploitation can yield high-sensitivity kernel or cross-process data from slab neighbors.
StrongDM Desktop Application on Microsoft Windows exposes authentication secrets - including JSON Web Tokens and asymmetric key material - by writing them in cleartext to C:\Users\<username>\.sdm\state.kv, a per-user state file protected solely by default NTFS user-level permissions. Versions prior to Desktop Application 23.74.0 and Desktop Client 53.77.0 are affected. A local attacker meeting the required access prerequisites could read this file and extract live credentials, potentially enabling impersonation of the victim against StrongDM-managed infrastructure. No public exploit code exists and the vulnerability is not in the CISA KEV catalog; the low CVSS 4.0 score of 2.0 reflects the constrained local attack surface and required attack conditions.
Excessive RBAC permissions in the Metal3 ip-address-manager (IPAM) controller's ClusterRole expose Kubernetes Secrets to post-compromise abuse. The metal3-ipam-controller-manager-role granted full CRUD on core/v1 Secrets - yet PR diff evidence confirms the controller never accesses Secrets in normal operation, making these permissions entirely unnecessary. If the controller pod is compromised via a supply chain attack or container escape, an attacker inheriting the controller's service account token can read, modify, or delete any Secret in the namespace, turning a narrow container compromise into cluster-wide credential exfiltration. No public exploit exists and no CISA KEV listing, but the confidentiality impact is rated High (C:H) by NVD.
Host process data leakage in vm2 (npm/vm2 <= 3.11.3) allows untrusted JavaScript executing inside a NodeVM sandbox to read sensitive host-process state - including HTTP Authorization headers, session tokens, and AsyncLocalStorage request context - by requiring process-wide observability builtins that were incorrectly absent from the DANGEROUS_BUILTINS denylist. The affected modules (diagnostics_channel, async_hooks, perf_hooks) are Node.js process-wide singletons, not sandbox-local constructs, so granting sandbox access to them exposes all host process data flowing through those channels. A publicly available exploit code exists confirming extraction of Bearer tokens and x-session-token headers from live host HTTP requests; this is not confirmed actively exploited (not in CISA KEV).
Credential exposure in JetBrains TeamCity before version 2026.1 allows authenticated remote attackers to retrieve sensitive secrets via JVM thread name inspection. The root cause (CWE-522 - Insufficiently Protected Credentials) is TeamCity embedding credential values directly into thread names, which surfaces in thread dumps, monitoring interfaces, and diagnostic tooling accessible to low-privileged users. No public exploit code has been identified and this vulnerability is absent from the CISA KEV catalog, but the high confidentiality impact (CVSS C:H) makes it a significant credential theft vector in enterprise CI/CD environments where TeamCity routinely holds access tokens to source repositories, cloud infrastructure, and deployment targets.
Sensitive data exposure in JetBrains TeamCity before 2025.11.2 allows authenticated low-privileged users to read confidential values stored in default build agent parameters. The root cause (CWE-526) indicates that sensitive information - such as API keys, tokens, or credentials - is passed or stored through agent environment/configuration parameters without adequate access restrictions. With a CVSS score of 4.3 and no public exploit or KEV listing, this represents a moderate-priority information disclosure risk, most dangerous in environments where agent parameters are used to propagate secrets across pipelines.
Information disclosure in JetBrains YouTrack before version 2026.1.13162 exposes sensitive data through fetchApp requests, exploitable by a high-privileged user with required interaction. The CVSS vector (PR:H/UI:R/S:C) indicates this requires an authenticated administrator-level account, some form of user interaction, and crosses a security scope boundary - meaning disclosed data may reach an unintended security context. No public exploit exists and no KEV listing is present; this is a low-severity (CVSS 3.4) internal information leakage issue most relevant to hardened or compliance-sensitive YouTrack deployments.
Information disclosure in JetBrains YouTrack before version 2026.1.13162 allows authenticated low-privilege users to access sensitive user and group membership data they are not authorized to view. Rooted in CWE-863 (Incorrect Authorization), the flaw exists on the Users and Groups administrative pages, where authorization checks are insufficiently enforced for authenticated sessions. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the low access complexity means any authenticated attacker can reliably reproduce the condition.
Out-of-bounds read in liboqs prior to 0.16.0 affects the XMSS and XMSS^MT stateful signature verification routines, exploitable by any unauthenticated remote attacker who can supply a crafted public key to a verifying process. The flaw arises when a correctly-sized signature buffer is paired with a public key whose OID bytes reference a different XMSS parameter set, causing the library to derive a larger sig_bytes value and index past the end of the caller-supplied buffer, with the primary observable effect being a process crash. No active exploitation is confirmed (not in CISA KEV) and no independently published exploit has been identified at time of analysis, though a proof-of-concept scenario is embedded in the upstream fix commit's test suite.
Authentication bypass in NI SystemLink Enterprise Dashboard (versions 2026-04 and prior) allows a remote, unauthenticated attacker to send a crafted HTTP request that circumvents authentication controls, leading to privilege escalation or disclosure of sensitive information. The flaw carries a CVSS 4.0 base score of 9.3 and is network-reachable with low attack complexity and no user interaction. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.
Discount over-redemption via race condition in Shopper (shopperlabs/shopper prior to v2.8.0) allows concurrent unauthenticated checkout requests to bypass a coupon's global usage_limit, resulting in committed orders carrying unauthorized discounts the merchant never intended to grant. The CreateOrderFromCartAction::execute method created the Order database row before atomically reserving the discount slot, opening a classic TOCTOU window that becomes reliably exploitable under the high-concurrency traffic of flash sales or Black Friday events. A compounding bug rendered usage_limit_per_user entirely non-functional in all pre-2.8.0 versions - the underlying counter was never incremented anywhere in the codebase - meaning per-user caps provided zero protection regardless of a customer's redemption history. No public exploit identified at time of analysis; this CVE is not listed in CISA KEV.
Authenticated administrator access on the Danelec MacGregor Voyage Data Recorder (VDR) G4E web interface permits direct editing of sensitive authentication files, including the ability to overwrite the root password. The CVSS vector (AV:A/AC:L/PR:H/UI:N) confirms exploitation requires both adjacent network positioning and existing high-privilege credentials, meaning this is not a remotely exploitable unauthenticated attack path. Reported by ICS-CERT under advisory ICSA-26-148-01 as a maritime OT device concern, no public exploit code and no CISA KEV listing have been identified at time of analysis.
Weak password storage in the Danelec MacGregor VDR G4E exposes credentials to offline brute-force attack: the hashing algorithm in use both caps maximum password length and provides insufficient computational cost, meaning recovered hashes can be cracked with modest effort. An adjacent-network attacker holding low-privilege access who obtains the stored hashes can recover plaintext credentials and authenticate with elevated privileges to this safety-critical maritime recording system. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV, but the vulnerability affects all known versions of the G4E and is confirmed by CISA ICS advisory ICSA-26-148-01.
Backup download functionality in the Danelec MacGregor Voyage Data Recorder G4E exposes account credentials and password hashes to any authenticated low-privileged user. An attacker with a valid low-privilege account operating on the same adjacent network segment - typically the onboard vessel LAN - can retrieve a device backup file containing credential material, enabling offline password cracking and potential privilege escalation. No public exploit identified at time of analysis, but the maritime OT context and CISA ICS advisory issuance (ICSA-26-148-01) underscore relevance to vessel operational security.
Hardcoded default credentials in the Danelec MacGregor Voyage Data Recorder (VDR) G4e allow adjacent attackers to gain administrative access to the maritime black-box recorder without any password change being enforced at deployment. The flaw was reported through ICS-CERT (advisory ICSA-26-148-01) and carries a CVSS 4.0 score of 8.7, reflecting high confidentiality and integrity impact over an adjacent network with no privileges or user interaction required. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Command injection in Dokploy 0.29.2 and earlier allows authenticated users with application create/edit permissions to execute arbitrary shell commands on the host by injecting metacharacters into branch names, repository URLs, or Docker credentials. The flaw stems from unsanitized template-literal interpolation passed to child_process.exec(), and at time of analysis no public exploit identified at time of analysis, but the vendor security advisory GHSA-3frc-cfh9-ch2c documents the issue.
Unauthenticated administrator password reset in KMW KM-IP521 and KM-IP421 CCTV cameras allows remote network-based attackers to reset the admin credential to a known value and obtain full control of the device, including live video feeds and configuration. The flaw is classified under CWE-620 (Unverified Password Change) and was disclosed via CISA's ICS-CERT coordination channel with a CVSS 9.1 rating. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the trivial attack complexity and lack of authentication make it high-priority for any internet- or LAN-exposed deployments.
Session fixation in QuickCMS (OpenSolution) allows an attacker to pre-set a victim's session identifier before the victim authenticates, and because the application fails to regenerate the session ID upon login, the attacker can subsequently hijack the fully authenticated session. All QuickCMS 6.8 deployments lacking the patch published on 2026-05-15 are vulnerable. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack requires no attacker privileges and only passive user interaction, making targeted abuse realistic wherever attacker session pre-positioning is feasible.
WebSocket frame parsing in XX-Net V5.16.6 corrupts application-layer data when the local HTTP server's WebSocket_receive_worker routine unconditionally consumes 4 bytes as a masking key regardless of the RFC 6455 MASK bit, causing payload data to be silently misinterpreted. Attackers with local system access and no privileges can send unmasked WebSocket frames to the embedded simple_http_server.py endpoint, causing the first 4 bytes of any payload to be misread as a mask key and the remainder to be incorrectly XOR-decoded. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; an upstream fix exists as a GitHub commit and open pull request but a formally released patched version has not been independently confirmed.
Heatmiser Wifi Thermostat 1.7 contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve administrative credentials by accessing the networkSetup.htm page. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Zechat 1.5 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the uname parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authentication bypass in FreePBX api module (versions prior to 17.0.8) allows OAuth2 access tokens to be issued without verifying the client_secret, because the ClientRepository validateClient() method unconditionally returns true. An attacker who knows or guesses a valid client_id can mint tokens granting API access to the PBX, leading to unauthorized read and write operations against telephony configuration. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Immobilizer bypass in the 2025 Indian Motorcycle Scout Bobber + Tech (Polaris Inc.) allows a physically adjacent attacker to permanently defeat the engine immobilizer by passively capturing a single WCM-to-ECM seed/key exchange. The Wireless Control Module derives its authentication response using a reversible, non-cryptographic operation, meaning the persistent per-vehicle ECM immobilizer secret can be mathematically reconstructed from one captured exchange - no brute force required. Once recovered, the secret enables independent ECM authentication and engine start without the physical key fob, nullifying the immobilizer entirely. No public exploit code has been identified at time of analysis, and no patch has been released; specific protocol details have been withheld by the researcher pending vendor remediation.
Out-of-bounds read in the Waterfall WF-500 RX Host (firmware 7.10.0.0 R2601141040) enables an attacker who already controls the TX Host to execute code on the receiving (RX) side, bypassing the unidirectional security guarantee the data diode is designed to enforce. Discovered by Nozomi Networks Labs with no public exploit identified at time of analysis and an EPSS score of 0.02%, the issue is significant because it undermines the OT/IT segmentation use case the product exists to provide. The vulnerability is not listed in CISA KEV and there is no evidence of active exploitation.
Stored cross-site scripting in Mautic 7's Projects component allows authenticated low-privilege users with project create/edit permissions to inject script payloads into project names that execute when administrators hover over project tags or popovers on campaign, email, or form detail views. Exploitation yields script execution in an administrator's authenticated session, enabling configuration tampering, privilege escalation through administrative actions, and exfiltration of sensitive data. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Credential exposure in Red Hat Quay 3's config-tool GitLab OAuth validator allows OAuth client_id and client_secret to leak into system logs. The config-tool incorrectly appends these sensitive values as URL query parameters on POST requests to the GitLab endpoint, causing them to appear in server access logs, reverse proxy logs, and monitoring infrastructure. A highly privileged attacker with read access to those log systems can harvest the exposed OAuth credentials and use them for unauthorized GitLab API access. No public exploit code exists and this is not listed in CISA KEV.
Administrator account takeover in Network Optix Nx Witness VMS before 6.1.2 allows remote unauthenticated attackers to hijack authenticated user sessions through a CORS misconfiguration in the REST API when the product runs in default Standard security mode on Linux or Windows. By luring a logged-in operator to a malicious cross-origin page, the attacker's site can read credentialed REST responses and steal the session token, achieving full administrative takeover; no public exploit identified at time of analysis, but the issue is trivially weaponizable given the well-understood CORS attack pattern.
The Wireless Control Module (WCM) in the 2025 Indian Motorcycle Scout Bobber + Tech exposes the user-set vehicle unlock PIN through a fatally weak authentication design in the Infotainment Digital Round display. The display's PIN verification relies on a non-cryptographic computation, meaning a passive observer who captures a single complete authentication exchange from the in-vehicle network can mathematically recover the exact PIN - no brute-force or active interaction required. Reported by ASRG against a product manufactured by Polaris Inc., this vulnerability defeats the motorcycle's primary user-authentication control; it is not listed in CISA KEV and no public exploit code has been identified at time of analysis.
Authenticated PHP Object Injection in the WooCommerce Infinite Scroll and Ajax Pagination WordPress plugin (versions up to and including 1.8) allows Subscriber-level users to deserialize attacker-controlled data via the 'settings' parameter of the import_settings function. While the plugin itself contains no usable POP chain, the presence of any vulnerable gadget in another installed plugin or theme can escalate this into arbitrary file deletion, sensitive data disclosure, or remote code execution. There is no public exploit identified at time of analysis, but the low privilege barrier and ubiquity of WordPress gadget chains make this a meaningful risk for multi-plugin sites.
Unauthenticated information disclosure in the Cloudways Breeze Cache plugin for WordPress (all versions ≤ 2.5.2) allows remote attackers to retrieve administrator-cached page content by supplying a forged session cookie. When the non-default 'Cache Logged-in Users' feature is active, the plugin resolves cached page files by parsing the username directly from the cookie value without verifying the WordPress HMAC signature, enabling any unauthenticated actor who knows or guesses a valid username to obtain that user's cached HTML output. Exposed data includes full content of private posts, Admin Bar markup, WordPress nonces, and other privileged interface elements. No public exploit has been identified and the vulnerability is not listed in CISA KEV; version 2.5.3 contains the fix.
Poll Maker WordPress plugin (versions ≤6.3.7) leaks the complete WP_User object - including bcrypt password hashes, email addresses, login names, registration dates, roles, and capabilities - through an AJAX endpoint that performs no nonce verification or capability check beyond confirming the requestor is logged in. Any subscriber-level authenticated user on an affected site can call the `ays_poll_get_user_information` action and retrieve user data that WordPress deliberately withholds from all of its standard interfaces, including the REST API. No public exploit has been identified at time of analysis, but the attack requires only a valid subscriber session and a single POST request, and the recovered bcrypt hash enables offline password-cracking attacks.
Symlink-following vulnerability in the Canon PIXMA/PIXUS CUPS Printer Driver installer for macOS allows a local authenticated attacker to manipulate directory permissions beyond their authorization. By placing a specially crafted symbolic link in a path the installer traverses, the attacker can redirect installer-time permission changes to arbitrary directories during a privileged installation run. Affected versions are 16.91.0.0 and earlier across Japan (iX6800 Series), the US, and Europe (MG2500 and iX6800 Series); no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Symlink following in the Canon My Image Garden macOS installer (version 3.6.8 and earlier) enables a locally authenticated attacker to manipulate file permissions outside their authorization scope. During installation - which typically runs with elevated privileges - an attacker who pre-places a crafted symbolic link at a path the installer accesses can redirect file operations to arbitrary targets, achieving unauthorized integrity impact on the host system. No public exploit code and no CISA KEV listing exist at time of analysis; however, the Canon PSIRT has published formal advisories confirming the issue.
Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page targeting the Skia graphics library. Exploitation requires user interaction (visiting a malicious page) and chained renderer compromise, raising attack complexity, but the resulting scope change and full CIA impact make it a high-severity issue. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.05%, 15th percentile).
Cross-origin data leakage in Google Chrome versions prior to 148.0.7778.216 stems from an integer overflow in the ANGLE graphics translation layer, allowing a remote attacker who lures a user to a crafted HTML page to bypass same-origin protections and exfiltrate sensitive data from other domains. The flaw carries a CVSS 8.8 rating due to network reachability and high impact across confidentiality, integrity, and availability, though Chromium itself rates the severity as Medium. EPSS is very low at 0.03% (11th percentile) and no public exploit identified at time of analysis, indicating limited near-term exploitation pressure despite the high CVSS.
Integer overflow in ANGLE (Chrome's graphics translation layer) in Google Chrome prior to 148.0.7778.216 enables remote attackers to read sensitive data from the renderer process memory by enticing a victim to visit a crafted HTML page. The vulnerability is limited to confidentiality impact - no code execution or integrity impact is indicated by CVSS (C:H/I:N/A:N). With an EPSS of 0.03% and no CISA KEV listing, active exploitation is not currently observed, though the network-accessible attack vector and low complexity make the attack straightforward once a victim visits attacker-controlled content.
Sandbox escape in Google Chrome's Headless component prior to version 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. The flaw is an out-of-bounds read (CWE-125) reported by the Chrome team itself; no public exploit is identified at the time of analysis and EPSS is very low (0.03%), but the high CVSS (8.3) reflects scope-changed sandbox escape impact.
Cross-origin data leak in Google Chrome's Skia graphics engine affects all versions prior to 148.0.7778.216, exploitable only after an attacker has already achieved renderer process compromise via a separate vulnerability. The flaw (CWE-200) allows the compromised renderer to exfiltrate cross-origin data by processing a crafted HTML page, with impact limited to partial confidentiality loss. No public exploit identified at time of analysis; EPSS at 0.03% (11th percentile) and absence of CISA KEV listing confirm low widespread exploitation probability, though the renderer-compromise prerequisite implies real-world use would appear in chained exploit scenarios.
Uninitialized GPU memory use in Google Chrome on Android prior to 148.0.7778.216 enables remote attackers to read potentially sensitive data from the browser's GPU process memory. Exploitation requires user interaction - a victim must visit a crafted HTML page - and is confined to the Android platform, narrowing real-world exposure relative to the CVSS C:H impact rating. No public exploit code exists and this vulnerability is absent from CISA KEV; EPSS at 0.03% (11th percentile) and SSVC exploitation status of 'none' collectively indicate low near-term exploitation probability.
UI spoofing in Google Chrome's Passwords component (all versions prior to 148.0.7778.216) allows a remote, unauthenticated attacker to manipulate browser-native password UI elements by delivering a crafted HTML page to a victim. The flaw arises from insufficient input validation (CWE-20) in the Passwords subsystem, enabling attacker-controlled content to render deceptive credential prompts that are visually indistinguishable from legitimate Chrome dialogs. No public exploit has been identified at time of analysis and the CVE is absent from CISA KEV, though the zero-privilege, network-accessible attack surface and High Chromium severity designation make patching a clear priority.
Out-of-bounds read in the WebRTC subsystem of Google Chrome on macOS (versions prior to 148.0.7778.216) enables remote attackers to exfiltrate potentially sensitive data from browser process memory by luring a user to a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/C:H/I:N/A:N) confirms network-reachable, unauthenticated exploitation with confidentiality-only impact, but mandates user interaction, limiting fully passive attack scenarios. No active exploitation has been confirmed in CISA KEV, and an EPSS score of 0.03% at the 10th percentile reflects low observed exploitation probability at time of analysis; no public exploit code has been identified.
Cross-origin data leakage in Google Chrome's Media component on Windows (versions prior to 148.0.7778.216) permits exfiltration of sensitive origin-isolated content, but only as a second-stage primitive requiring prior renderer process compromise. The confidentiality impact is constrained (CVSS 3.1/Low, CWE-200), with no integrity or availability consequences. No public exploit code exists and the EPSS score of 0.03% (11th percentile) reflects negligible real-world exploitation probability at time of analysis.
UI spoofing in Google Chrome's OptimizationGuide component (all versions prior to 148.0.7778.216) enables a remote unauthenticated attacker who has already compromised the renderer process to present false browser UI elements to the user via a crafted HTML page. The root cause is CWE-20 (Improper Input Validation) - OptimizationGuide fails to adequately validate untrusted data sourced from the renderer, allowing that data to influence trusted browser UI surfaces. With a CVSS score of 4.2, EPSS at 0.05% (15th percentile), no KEV listing, and no public exploit identified at time of analysis, real-world risk is moderate-low despite the network vector, heavily gated by the renderer-compromise prerequisite.
Memory disclosure in Google Chrome's Media component on ChromeOS allows a remote attacker who has already compromised the renderer process to read potentially sensitive data from process memory via a specially crafted HTML page. Affected versions are all Chrome builds prior to 148.0.7778.216 on ChromeOS. This vulnerability is a chaining primitive - it cannot be exploited standalone and requires a prior renderer compromise, placing it in the context of multi-stage attack chains rather than direct exploitation. No public exploit code exists and no active exploitation has been identified at time of analysis.
Sandbox escape in Google Chrome's ANGLE component prior to version 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. The flaw stems from insufficient validation of untrusted input (CWE-20) in ANGLE, Chrome's translation layer for graphics APIs. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.05%, 15th percentile), but the Chromium-assigned 'High' severity reflects its value as the second stage in a browser exploit chain.
Inappropriate implementation in the Skia graphics library within Google Chrome prior to 148.0.7778.216 enables remote attackers to read potentially sensitive data from renderer process memory by delivering a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms unauthenticated network exploitation with high confidentiality impact, constrained only by the requirement for user interaction. No public exploit has been identified at time of analysis, and EPSS at 0.03% (11th percentile) indicates minimal observed exploitation activity.
Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page abusing the WebShare component. Chromium rates the issue High severity, and CVSS scores it 8.3 reflecting the scope-change impact, though EPSS is currently low at 0.04% and no public exploit is identified at time of analysis.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 is possible through an out-of-bounds read and write vulnerability in the ANGLE graphics translation layer. An attacker who has already compromised the renderer process can leverage a crafted HTML page to break out of Chrome's sandbox and potentially execute code at a higher privilege level. No public exploit identified at time of analysis, and EPSS is very low at 0.03%, but Google rates the underlying Chromium severity as High.
Sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page targeting the Gamepad component. The flaw is rated High by Chromium and carries a CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C), but EPSS is only 0.03% (11th percentile) and no public exploit identified at time of analysis. The bug is a second-stage primitive in a multi-stage exploit chain rather than a standalone RCE.
Cross-origin data leakage in Google Chrome's WebRTC component on Windows exposes limited confidential data to remote attackers via a race condition in all Chrome versions prior to 148.0.7778.216. An unauthenticated remote attacker (PR:N) can exploit this by luring a victim to a crafted HTML page, exploiting a timing window in WebRTC's concurrent execution to read cross-origin data. No public exploit has been identified at time of analysis and EPSS stands at 0.03% (9th percentile), indicating very low real-world exploitation pressure despite Chrome's internal 'High' severity classification.
Cross-origin data leakage in Google Chrome on iOS prior to 148.0.7778.216 exposes sensitive information from cross-origin resources to remote attackers via a crafted HTML page. The flaw is confined to Chrome's iOS-specific implementation (distinct from Chrome on Android, Windows, or macOS), meaning the affected population is limited to iOS users running unpatched Chrome builds. With a CVSS score of 4.3 (Medium), no CISA KEV listing, and an EPSS of 0.03% (11th percentile), no public exploit identified at time of analysis, this is a real but lower-priority disclosure issue - though the zero-privilege-required network vector merits timely patching.
Out-of-bounds read in Chrome's ANGLE graphics layer exposes process memory to remote attackers who can deliver a crafted HTML page to a victim. Unauthenticated (PR:N) remote exploitation is confirmed by the CVSS vector, though user interaction is required - the victim must open a malicious page. Confidentiality impact is rated High (C:H) with no integrity or availability consequence, making this a targeted information-disclosure primitive rather than a code-execution path. No public exploit or CISA KEV listing exists at time of analysis, and the EPSS score of 0.03% (11th percentile) reflects low observed exploitation pressure.
Uninitialized use (CWE-457) in ANGLE, Chrome's graphics abstraction layer, exposes cross-origin data to attackers who have already compromised the renderer process in Google Chrome prior to 148.0.7778.216. Exploitation requires delivering a crafted HTML page to a victim who interacts with it, making this a post-compromise data exfiltration primitive rather than an initial access vector. The CVSS score of 3.1 and EPSS of 0.03% (11th percentile) are consistent with the constrained prerequisites; no public exploit code exists and no active exploitation has been confirmed.
Cross-origin data leakage in Google Chrome's WebGL implementation on Android affects all Chrome versions prior to 148.0.7778.216. The WebGL graphics subsystem performs an out-of-bounds read (CWE-125) when processing attacker-controlled content, exposing adjacent memory contents across origin boundaries to the initiating page. Remote unauthenticated attackers can trigger this condition by serving a crafted HTML page, but victim interaction is required - the user must visit the malicious page. No active exploitation is confirmed (not listed in CISA KEV), and EPSS of 0.03% (10th percentile) indicates low exploitation probability at time of analysis.
Cross-origin data leakage in Google Chrome's ANGLE graphics layer affects all versions prior to 148.0.7778.216, enabling remote unauthenticated attackers (PR:N) to read cross-process memory contents via a crafted HTML page. The root cause is an uninitialized variable (CWE-457) in ANGLE - Chrome's OpenGL ES abstraction layer - where stale memory contents can be read and exfiltrated across security origins. No public exploit code has been identified at time of analysis and the EPSS score of 0.03% (11th percentile) indicates very low current exploitation probability; however, the low attack complexity (AC:L) and zero privilege requirement make opportunistic targeting feasible once exploitation techniques mature.
Cross-origin data leakage in Google Chrome's WebGL implementation on Android allows remote unauthenticated attackers to exfiltrate sensitive cross-origin content from a victim's browser session. Affected are all Chrome for Android releases prior to 148.0.7778.216. Exploitation requires the victim to visit a crafted HTML page, but no prior privileges or authentication are needed on the attacker's side. No public exploit identified at time of analysis and EPSS remains at 0.03%, indicating low automated or widespread exploitation pressure.
Remote code execution in Google Chrome for Windows prior to 148.0.7778.216 stems from an out-of-bounds read in the ANGLE graphics abstraction layer, enabling attackers who lure a user to a malicious page to execute arbitrary code in the renderer context. Chromium rates the severity High and CVSS scores it 8.8 due to network reach and high impact across confidentiality, integrity, and availability, though successful exploitation requires user interaction (visiting the crafted page). No public exploit has been identified at time of analysis, but ANGLE bugs have historically been chained into browser sandbox escapes.
Cross-origin information disclosure in Google Chrome for Android allows a remote attacker to leak sensitive cross-origin data by luring a victim to a crafted HTML page that exploits uninitialized memory in the WebGL implementation. Affected are all Chrome for Android releases prior to 148.0.7778.216. No public exploit code exists and no active exploitation has been confirmed (not in CISA KEV), with EPSS at 0.03% (10th percentile) reflecting minimal current exploitation activity.
Cross-origin data disclosure in Google Chrome on Android (prior to 148.0.7778.216) stems from uninitialized GPU memory that a renderer-compromised attacker can read via a crafted HTML page. This is a second-stage, chained vulnerability - exploitation requires that the renderer process has already been compromised through a separate, unspecified vector. CVSS rates this Low (3.1) consistent with the constrained impact (C:L only) and high attack complexity; EPSS of 0.03% (11th percentile) confirms no public exploit identified at time of analysis.
Cross-origin data leakage in Google Chrome on Android (prior to 148.0.7778.216) via an out-of-bounds read in the WebGL rendering engine allows remote attackers to exfiltrate memory contents when a victim visits a crafted HTML page. The CVSS score of 4.3 (Medium) reflects a network-reachable, low-complexity attack requiring no privileges but dependent on user interaction, with confidentiality impact limited to partial disclosure. No public exploit code or CISA KEV listing has been identified at time of analysis, and an EPSS score of 0.03% (10th percentile) corroborates low active exploitation likelihood; however, the platform-specific scope (Android Chrome) and cross-origin data exposure potential make this relevant for organizations with mobile browser threat models.
Uninitialized memory exposure in the WebGL subsystem of Google Chrome on Android prior to 148.0.7778.216 allows unauthenticated remote attackers to read potentially sensitive data from browser process memory. Exploitation requires the victim to visit a specially crafted HTML page, placing this in the drive-by/social-engineering threat category rather than fully automated attacks. No public exploit code identified at time of analysis, and EPSS of 0.03% (10th percentile) reflects minimal current exploitation pressure despite the High CVSS confidentiality impact.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page exploiting insufficient input validation in the ANGLE graphics layer. The flaw carries a CVSS 8.3 (High) rating with scope change and full CIA impact, but EPSS is very low at 0.05% (15th percentile) and there is no public exploit identified at time of analysis. Chrome's security team rated this High severity and a patched stable channel build is available.
Out-of-bounds read in Google Chrome's ANGLE graphics abstraction layer (versions prior to 148.0.7778.216) allows remote unauthenticated attackers to potentially read limited memory contents from within the browser's process space when a user visits a crafted HTML page. The flaw originates from an inappropriate implementation within ANGLE's rendering pipeline - Chrome's cross-platform graphics engine - resulting in a CWE-125 out-of-bounds read condition with limited confidentiality impact (C:L) and no integrity or availability consequences. No public exploit code has been identified at time of analysis, and EPSS scores this at 0.03% (11th percentile), indicating very low real-world exploitation probability.
GPU memory disclosure in Google Chrome on Android (versions prior to 148.0.7778.216) exposes potentially sensitive process memory to unauthenticated remote attackers via crafted HTML pages. The root cause is an inappropriate implementation within Chrome's GPU subsystem on Android, classified as CWE-200, which permits out-of-bounds or unauthorized memory reads during rendering operations. No public exploit code exists and no active exploitation is confirmed; EPSS probability sits at a low 0.03%, though the Android-only scope and requirement for user interaction are the primary limiting factors rather than intrinsic exploitation difficulty.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from an out-of-bounds memory access in the ANGLE graphics translation layer that lets a remote attacker run arbitrary code inside the renderer sandbox via a crafted HTML page. Chromium rates the issue High severity and a vendor patch is available, though no public exploit identified at time of analysis and the EPSS score of 0.04% (12th percentile) indicates very low observed exploitation likelihood at this time.
Out-of-bounds read in Chrome's ANGLE graphics layer exposes process memory contents to unauthenticated remote attackers who can lure a user to a crafted HTML page. All Google Chrome desktop versions prior to 148.0.7778.216 are affected, with the vulnerability carrying a CVSS 6.5 and exclusively a confidentiality impact - no integrity or availability loss. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (11th percentile) reflects low current exploitation activity, consistent with a typical Chrome graphics-component disclosure ahead of a stable channel patch.
Cross-origin data leakage in Google Chrome's Dawn WebGPU implementation on Windows affects all versions prior to 148.0.7778.216. The out-of-bounds read (CWE-125) in the Dawn graphics layer allows remote unauthenticated attackers to exfiltrate cross-origin data by enticing a user to visit a crafted HTML page, exploiting improper buffer boundary enforcement during GPU operations. No public exploit code or CISA KEV listing exists at time of analysis; EPSS at 0.03% (11th percentile) indicates very low automated exploitation likelihood, consistent with the moderate CVSS 4.3 score and required user interaction.
Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers insufficient input validation in the GPU component. Chromium rates the severity High and CVSS scores it 8.3, but EPSS exploitation probability is very low (0.05%, 15th percentile) and there is no public exploit identified at time of analysis.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via an out-of-bounds read in the GPU process triggered by a crafted HTML page. Google rates the underlying issue as High severity, and while a vendor patch is shipped, EPSS shows only 0.03% (11th percentile) exploitation probability and no public exploit code or active exploitation has been identified at the time of analysis.
Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows a remote attacker to break out of the renderer sandbox by serving a crafted HTML page that triggers an out-of-bounds read and write in the Dawn WebGPU implementation. Chromium rates the underlying issue as Critical severity, and CVSS 8.3 with scope change reflects the cross-boundary impact, though EPSS is low at 0.03% and no public exploit has been identified at time of analysis.
Sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that abuses insufficient UI input validation. Chromium rates the underlying issue Critical, though current intelligence shows no public exploit identified at time of analysis and a very low EPSS score (0.05%, 15th percentile), indicating the bug is patched before broad weaponization. Exploitation requires chaining with a separate renderer compromise and user interaction, raising the practical bar despite the high CVSS of 8.3.
Cross-origin data leakage in Google Chrome's ANGLE graphics layer (prior to 148.0.7778.216) allows unauthenticated remote attackers to read sensitive cross-origin information by luring a victim to a crafted HTML page. The root cause is an integer overflow in ANGLE, Chrome's graphics translation engine, which is internally rated Critical by the Chrome security team despite a CVSS score of only 4.3. No public exploit has been identified at time of analysis, and the EPSS exploitation probability is very low at 0.03% (11th percentile), though the cross-origin data leakage class of vulnerability has historically attracted targeted exploitation in browser ecosystems.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 enables a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that abuses insufficient input validation in WebGL. Chromium rates the underlying severity as Critical, and while no public exploit is identified at time of analysis, the EPSS score is low (0.04%, 14th percentile) and the CVSS:3.1 base is 8.3 due to high attack complexity and required user interaction. The flaw is part of a multi-stage exploit chain rather than a one-shot RCE.
Sandbox escape in Google Chrome on Android prior to 148.0.7778.216 allows remote attackers to potentially break out of the renderer sandbox via an out-of-bounds read in the WebGL component when a victim visits a crafted HTML page. Chromium rates the underlying issue as Critical severity, and while no public exploit is identified at time of analysis (EPSS 0.03%), the combination of scope-change (S:C) and full CIA impact makes this a high-priority browser patch for Android fleets.
Symlink following in the AnythingLLM agent filesystem copy tool (versions prior to 1.13.0) allows a highly-privileged authenticated user to read files outside the configured filesystem sandbox by placing a symbolic link inside an agent-accessible source directory. The recursive copy helper validates only top-level paths, then descends into child entries using Node.js fs.stat() and fs.copyFile(), both of which transparently follow symlinks - silently redirecting reads to targets outside the allowed root and materializing their contents in an accessible destination. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; the CVSS score of 2.0 reflects that exploitation is constrained to high-privilege accounts with high complexity and required user interaction.
Remote denial of service in Lakeside SysTrack Agent (lsiagent.exe) allows unauthenticated network attackers to crash the endpoint monitoring agent by sending a single malformed UDP packet to the Command ID 30 handler. The flaw was reported by VulnCheck and carries a CVSS 4.0 score of 8.7 reflecting high availability impact with no privileges or user interaction required; no public exploit identified at time of analysis, though VulnCheck has published an advisory describing the trigger.
Authentication bypass in FUXA 1.3.0-2773 renders the `secureEnabled=true` configuration ineffective, exposing project topology, alarm configurations, and scheduler data to unauthenticated or invalid-token HTTP requests. The flaw originates in `server/api/jwt-helper.js`, where `verifyToken()` silently converts missing or malformed JWT tokens into a guest context rather than rejecting the request - and downstream route handlers accept that guest context without further authorization checks. Publicly available exploit code exists (documented reproduction steps in GitHub advisory GHSA-r9g5-7q8j-958c), and a vendor-confirmed fix was released in v1.3.1.
Unauthorized read access in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated remote attackers to bypass authentication controls via HTTPS and retrieve a subset of accessible data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no special conditions are needed - any network-reachable instance is potentially exploitable without credentials. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not available in the provided intelligence, limiting exploitation urgency assessment.
Net Service takeover in Oracle Database Server 23.4.0 through 23.26.2 allows unauthenticated remote attackers reaching the TLS-protected Net Service listener to fully compromise confidentiality, integrity, and availability, with scope change indicating impact on adjacent components. CVSS 9.0 reflects high impact tempered by high attack complexity (AC:H), and no public exploit identified at time of analysis. Reported and tracked in Oracle's May 2026 Critical Patch Update advisory.
Unauthorized read access in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by unauthenticated remote attackers via the Mongoapi component over HTTPS. The vulnerability is tagged as an Authentication Bypass, indicating the Mongoapi endpoint fails to enforce access controls, exposing a subset of data accessible through that interface. No public exploit code and no CISA KEV listing exist at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms low-complexity, zero-authentication exploitation is feasible at scale.
Remote takeover of Oracle Hospitality OPERA 5 Property Services (versions 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, and 5.6.28) is achievable by unauthenticated network attackers over HTTP, per Oracle's May 2026 CPU. With CVSS 9.8 and full CIA impact, this is a critical hospitality-sector exposure, though no public exploit is identified at time of analysis and KEV status is not present. EPSS data was not supplied, so probability-of-exploitation cannot be quantified.
Expired access tokens in Kibana remain exploitable due to a logic error in expiration timestamp validation (CWE-672), allowing an unauthenticated actor who possesses an expired token to retrieve content it was originally scoped to access. The flaw affects all tracked Kibana versions per the NVD CPE wildcard, and Elastic has issued a security advisory (ESA-2026-33) with patch versions. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis. The CVSS 5.3 Medium score reflects constrained confidentiality impact with no integrity or availability consequence.
Full administrative compromise of the XCharge C6 EV charger is achievable by a physically connected device that abuses a remote management service exposed on the vehicle-charger signaling channel and protected only by a default administrative credential. Affecting XCharge C6 firmware versions released before May 22, 2026, the issue was disclosed via CISA ICS-CERT advisory ICSA-26-148-08 with a CVSS 4.0 score of 8.6 and no public exploit identified at time of analysis.
RustFS distributed object storage (all versions prior to 1.0.0-beta.2) leaks sensitive credentials - including SessionTokens (JWT), SecretAccessKeys, and full JWT claim payloads - in plaintext to server logs when debug-level logging is active. Any authenticated party with read access to those log files can harvest live credentials for lateral movement or unauthorized storage access. No public exploit identified at time of analysis, but the impact of credential exposure is high if debug logging is inadvertently enabled in production. A vendor-released patch is available in 1.0.0-beta.2.
License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded 2048-bit RSA private key (TEST_PRIVATE_KEY) shipped in crates/appauth/src/token.rs and used in production by parse_license() to verify license tokens. Any attacker who can read the public repository or extract the key from a compiled binary can mint arbitrary license tokens with any subject and expiration, defeating the license feature entirely. No public exploit identified at time of analysis, though the key material is trivially recoverable from the open-source code.
Unauthenticated denial of service and information disclosure in RustFS distributed object storage prior to version 1.0.0-beta.2 allows remote attackers to repeatedly invoke profiling endpoints that the admin router whitelists from authentication. Each request triggers a fixed 60-second CPU profiling operation and leaks the server's absolute filesystem path in the response. CVSS 4.0 scores this 8.8 (High) driven by high availability impact; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Unauthenticated information disclosure in RustFS exposes parsed license metadata - including license subject and expiration timestamp - via the console endpoint GET /rustfs/console/license to any network client that can reach the console listener, with no credentials required. All RustFS releases prior to 1.0.0-beta.2 are affected. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, and the CVSS 4.0 confidentiality impact is rated Low given the non-sensitive nature of the disclosed data.
Uninitialized variable use in Ubuntu Linux 6.8's AppArmor AF_INET/AF_INET6 socket mediation code allows an authenticated local user to cause incorrect enforcement of fine-grained network socket access controls. The flaw resides in Ubuntu-specific SAUCE patches layered on top of the mainline Linux 6.8 kernel, meaning it is not present in upstream distributions. No public exploit code or active exploitation has been identified at time of analysis; Canonical has issued a fix via the Ubuntu Noble kernel repository.
Kernel availability loss in Ubuntu Linux 6.8, 6.17, and 7.0 can be triggered by any unprivileged local user via a defect in Ubuntu-specific AppArmor SAUCE patches, where notification handling code incorrectly sleeps while holding a spinlock. Violating this kernel locking invariant results in kernel panic or deadlock, causing a full system crash or hang. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low-complexity, low-privilege trigger conditions make it a realistic denial-of-service risk on any multi-user Ubuntu system running the affected kernel versions.
Out-of-bounds heap read in Ubuntu Linux kernels 6.8, 6.17, and 7.0 stems from AppArmor SAUCE patches miscomputing an internal buffer size during notification handling, allowing an unprivileged local user to feed invalid data into the AppArmor DFA policy engine. The flaw carries a CVSS 7.8 (high) and currently has no public exploit identified at time of analysis, though Canonical has shipped an upstream kernel fix. Impact is limited to local attackers but high-severity given full CIA impact in the CVSS vector.
Out-of-bounds read in Ubuntu Linux kernels 6.8, 6.17, and 7.0 exposes adjacent slab allocator memory to any local low-privileged user. The flaw originates in Canonical's Ubuntu-specific AppArmor SAUCE patches, which incorrectly validate the size of an internal structure during notification handling, enabling controlled reads past the intended memory boundary. No public exploit identified at time of analysis, and exploitation is strictly local; however, C:H in the CVSS vector confirms that successful exploitation can yield high-sensitivity kernel or cross-process data from slab neighbors.