Information Disclosure

12474 CVEs tagged with this technique

CVE-2026-29140 HIGH This Week

SEPPmail Secure Email Gateway before version 15.0.3 allows remote attackers to inject malicious certificates into S/MIME signatures, enabling them to substitute attacker-controlled certificates for future encryption communications with victims. An attacker can exploit this by crafting a specially-formed signed email that embeds unauthorized certificates, which the gateway may then use for subsequent encrypted messages to the targeted recipient, resulting in compromise of encryption confidentiality. No public exploit code or active CISA KEV listing is currently confirmed, but the vulnerability was reported by Swiss national security authority NCSC.ch.

Tags: Information Disclosure | Sources: NVD | CVSS 4.0: 7.7 | EPSS: 0.0%
CVE-2026-29133 MEDIUM This Month

SEPPmail Secure Email Gateway before version 15.0.3 allows attackers to upload PGP keys with mismatched User IDs and email addresses, enabling spoofing and potential information disclosure by circumventing email authentication controls. The vulnerability affects all versions prior to 15.0.3 and was reported by NCSC.ch. No public exploit code or active exploitation has been confirmed at the time of analysis.

Tags: Information Disclosure | Sources: NVD | CVSS 4.0: 5.3 | EPSS: 0.1%
CVE-2026-5032 HIGH This Week

W3 Total Cache plugin for WordPress exposes security tokens to unauthenticated remote attackers through User-Agent header manipulation. Versions up to 2.9.3 bypass output buffering when requests contain 'W3 Total Cache' in the User-Agent, leaking W3TC_DYNAMIC_SECURITY tokens embedded in dynamic fragment HTML comments. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicating trivial exploitation requiring no authentication, attackers can extract these tokens from any page using fragment caching, enabling potential security bypass or escalation attacks. Patch available in version 2.9.4+ per upstream changeset.

Tags: WordPress, Information Disclosure | Sources: NVD | CVSS 3.1: 7.5 | EPSS: 0.1%
CVE-2026-5321 MEDIUM POC This Month

Cross-Origin Resource Sharing (CORS) misconfiguration in vanna-ai vanna up to version 2.0.2 allows authenticated remote attackers to establish permissive cross-domain policies with untrusted domains, leading to information disclosure. The vulnerability affects the FastAPI/Flask Server component and has publicly available exploit code; however, the vendor has not responded to early disclosure attempts. With a CVSS score of 5.3 and confirmed public exploit availability, this represents a moderate-risk authentication-gated information exposure issue.

Tags: CORS Misconfiguration, Information Disclosure, Python | Sources: NVD, VulDB, GitHub | CVSS 4.0: 5.3 | EPSS: 0.0%
CVE-2026-30603 MEDIUM This Month

Qianniao QN-L23PA0904 firmware v20250721.1640 contains an insecure firmware update mechanism that allows local attackers with SD card access to execute arbitrary code as root by supplying a crafted iu.sh script, enabling complete device compromise including backdoor installation and data exfiltration. No CVSS score is available; exploitation requires physical or logical access to the device's SD card interface. Public research documentation exists detailing the vulnerability.

Tags: Information Disclosure | Sources: NVD, GitHub | CVSS 3.1: 6.8 | EPSS: 0.0%
CVE-2026-26895 MEDIUM This Month

User enumeration in osTicket v1.18.2's password reset endpoint (/pwreset.php) enables remote attackers to discover valid usernames through response analysis, facilitating targeted account compromise attempts. No CVSS score, CISA KEV status, or confirmed patch information is available; exploitation likelihood depends on whether timing or behavioral differences between valid and invalid usernames can be reliably detected without authentication.

Tags: PHP, Information Disclosure | Sources: NVD | CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2026-34876 HIGH This Week

Out-of-bounds read in Mbed TLS 3.x before 3.6.6 allows attackers to leak adjacent CCM context data through the multipart CCM API by passing an oversized tag_len parameter to mbedtls_ccm_finish(), which lacks validation against the internal 16-byte authentication buffer. Mbed TLS 4.x contains the same vulnerability in internal code but does not expose the vulnerable function publicly; exploitation requires direct application-level invocation of the affected API. No public exploit code or active exploitation has been reported, but the attack requires no special privileges.

Tags: Buffer Overflow, Information Disclosure | Sources: NVD | CVSS 3.1: 7.5 | EPSS: 0.0%
CVE-2026-34973 MEDIUM PATCH GHSA This Month

Information disclosure in phpMyFAQ allows unauthenticated attackers to enumerate custom page content by injecting SQL LIKE wildcards (`%` and `_`) into the search term, bypassing intended search filters. The `searchCustomPages()` method in `Search.php` uses `real_escape_string()` which does not escape LIKE metacharacters, enabling an attacker to craft queries like `_%_` that match all records regardless of intended search scope. This vulnerability has no authentication requirement and affects the publicly accessible search functionality.

Tags: PHP, Information Disclosure, NoSQL Injection | Sources: NVD, GitHub | CVSS 4.0: 6.9 | EPSS: 0.1%
CVE-2026-34969 LOW PATCH GHSA Monitor

Nhost auth service exposes OAuth refresh tokens in redirect URL query parameters, allowing access to browser history, server logs, and proxy logs on owned infrastructure. While refresh tokens are single-use and leak vectors are primarily confined to developer-controlled systems, the vulnerability violates RFC 6749 token transport requirements and enables session hijacking if logs are accessed before the token is legitimately consumed. All OAuth providers (GitHub, Google, Apple) are affected equally through the same vulnerable callback handler.

Tags: Information Disclosure, Apple, Microsoft, Google | Sources: NVD, GitHub | CVSS 4.0: 2.3 | EPSS: 0.0%
CVE-2026-34934 CRITICAL PATCH GHSA Act Now

SQL injection in PraisonAI's thread listing function allows unauthenticated remote attackers to execute arbitrary SQL queries and achieve complete database compromise. The vulnerability exists in sql_alchemy.py, where thread IDs stored via update_thread are concatenated into raw SQL queries using f-strings without sanitization. Attackers inject malicious SQL through thread_id parameters, which executes when get_all_user_threads loads the thread list. CVSS 9.8 (Critical) reflects network-accessible exploitation requiring no authentication or user interaction. No public exploit has been confirmed beyond the proof of concept in the GitHub security advisory, and EPSS data is unavailable. Immediate patching is required for all PraisonAI Python package installations.

Tags: Python, SQLi, Information Disclosure | Sources: NVD, GitHub | CVSS 3.1: 9.8 | EPSS: 0.0%
CVE-2026-32929 HIGH This Week

Out-of-bounds read in Fuji Electric V-SFT 6.2.10.0 and earlier allows local attackers to disclose sensitive information and potentially achieve code execution when processing maliciously crafted V7 files. The vulnerability resides in the VS6ComFile!get_macro_mem_COM function and requires user interaction to open a weaponized file. No public exploit identified at time of analysis, though the local attack vector and file format parsing nature make this a realistic social engineering target for industrial control system environments.

Tags: Information Disclosure, Buffer Overflow | Sources: NVD, VulDB | CVSS 4.0: 8.4 | EPSS: 0.0%
CVE-2026-34762 LOW PATCH GHSA Monitor

Ella Networks Core API fails to validate that the IMSI identifier in the URL path matches the one in the JSON request body of the PUT /api/v1/subscriber/{imsi} endpoint, allowing authenticated NetworkManagers to modify any subscriber's QoS policy while spoofing audit trail entries. This authentication-required vulnerability (PR:H per CVSS) enables forensic evasion: the audit log attributes changes to fabricated or unrelated subscriber identifiers, preventing post-incident investigation of the subscriber actually affected. CVSS 2.7 reflects the limited scope (no confidentiality impact, low integrity impact, no availability impact), though the audit trail manipulation represents a meaningful security degradation for compliance and incident response.

Tags: Information Disclosure | Sources: NVD, GitHub | CVSS 3.1: 2.7 | EPSS: 0.0%
CVE-2026-32927 HIGH This Week

Out-of-bounds read in Fuji Electric V-SFT 6.2.10.0 and earlier allows local attackers to extract sensitive memory contents and potentially achieve code execution by opening a malicious V7 project file. The vulnerability requires user interaction (opening a crafted file) but no authentication; its EPSS probability has not yet been assessed. No public exploit identified at time of analysis, though JPCERT coordination suggests industrial targeting potential.

Tags: Information Disclosure, Buffer Overflow | Sources: NVD | CVSS 4.0: 8.4 | EPSS: 0.0%
CVE-2026-32926 HIGH This Week

Out-of-bounds read in Fuji Electric V-SFT industrial HMI software (versions ≤6.2.10.0) enables local attackers to disclose sensitive information and potentially achieve code execution when victims open maliciously crafted V7 project files. The vulnerability resides in the VS6ComFile!load_link_inf function during V7 file parsing. CVSS 8.4 reflects high confidentiality and integrity impact with low attack complexity requiring user interaction. No public exploit identified at time of analysis, though JPCERT coordination suggests targeted industrial sector awareness.

Tags: Information Disclosure, Buffer Overflow | Sources: NVD | CVSS 4.0: 8.4 | EPSS: 0.0%
CVE-2025-66483 MEDIUM PATCH This Month

IBM Aspera Shares versions 1.9.9 through 1.11.0 fail to invalidate user sessions following password reset operations, enabling authenticated users to maintain access to compromised accounts and impersonate other users. The vulnerability requires prior authentication and allows limited confidentiality and integrity impact through account takeover. IBM has released a patch to address this session management defect.

Tags: IBM, Information Disclosure | Sources: NVD | CVSS 3.1: 6.3 | EPSS: 0.0%
CVE-2026-5314 MEDIUM POC This Month

Out-of-bounds read in Nothings stb library up to version 1.26 allows remote attackers to trigger information disclosure via a crafted TTF file processed by the stbtt_InitFont_internal function in stb_truetype.h. Exploitation requires user interaction (opening a malicious font file) and publicly available exploit code exists; however, the vendor has not responded to early disclosure notification.

Tags: Information Disclosure, Buffer Overflow | Sources: NVD, VulDB, GitHub | CVSS 4.0: 5.3 | EPSS: 0.0%
CVE-2026-34543 HIGH PATCH GHSA This Week

Heap memory disclosure in OpenEXR 3.4.0 through 3.4.7 allows remote attackers to extract sensitive information through decoded pixel data when processing malicious EXR image files. The vulnerability requires no authentication (PR:N) or user interaction (UI:N), triggering automatically during file parsing under default configurations. With CVSS 8.7 and high confidentiality impact (VC:H), this represents significant risk for applications processing untrusted EXR files. No public exploit identified at time of analysis, though the low attack complexity (AC:L) suggests straightforward exploitation once attack methods are documented.

Tags: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 4.0: 8.7 | EPSS: 0.0%
CVE-2026-4820 MEDIUM PATCH This Month

IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 fail to set the secure attribute on authorization tokens and session cookies, allowing unauthenticated remote attackers to obtain sensitive cookie values through man-in-the-middle interception via unencrypted HTTP connections. An attacker can trick a user into clicking an HTTP link or embed such a link on a visited website, causing the browser to transmit cookies over unencrypted channels where they can be captured. No public exploit code or active exploitation has been reported at the time of analysis, though the vulnerability carries a CVSS score of 4.3 reflecting the requirement for user interaction.

Tags: IBM, Information Disclosure | Sources: NVD | CVSS 3.1: 4.3 | EPSS: 0.0%
CVE-2025-36373 MEDIUM PATCH This Month

IBM DataPower Gateway versions 10.6CD (10.6.1.0-10.6.5.0), 10.5.0 (10.5.0.0-10.5.0.20), and 10.6.0 (10.6.0.0-10.6.0.8) disclose sensitive system information from other domains to authenticated administrative users due to improper access control. The vulnerability requires high-privilege administrative access over the network and results in confidentiality impact only; no public exploit code or active exploitation has been confirmed. CVSS 4.1 reflects low real-world risk due to authentication requirement, though patch availability limits exposure window.

Tags: IBM, Information Disclosure | Sources: NVD | CVSS 3.1: 4.1 | EPSS: 0.0%
CVE-2025-13916 MEDIUM PATCH This Month

IBM Aspera Shares versions 1.9.9 through 1.11.0 implement insufficient cryptographic strength, permitting remote attackers without authentication to decrypt sensitive information. The vulnerability stems from the use of weaker-than-expected cryptographic algorithms, allowing a confidentiality breach of data protected by the application. A vendor patch is available.

Tags: Information Disclosure, IBM | Sources: NVD | CVSS 3.1: 5.9 | EPSS: 0.0%
CVE-2026-1491 MEDIUM PATCH This Month

IBM Verify Identity Access and Security Verify Access versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2 allow unauthenticated remote attackers to access sensitive information through HTTP request smuggling via inconsistent interpretation of HTTP requests by a reverse proxy. The vulnerability affects both container and non-container deployments and has a CVSS score of 5.3 with confirmed vendor patch availability.

Tags: IBM, Information Disclosure, Request Smuggling | Sources: NVD | CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2026-2862 MEDIUM PATCH This Month

Remote attackers can access sensitive information in IBM Verify Identity Access Container 11.0-11.0.2, IBM Security Verify Access Container 10.0-10.0.9.1, and their non-containerized counterparts through HTTP request smuggling. The vulnerability exploits inconsistent HTTP request interpretation between the application and its reverse proxy, allowing unauthenticated remote access to restricted data with low attack complexity.

Tags: IBM, Information Disclosure, Request Smuggling | Sources: NVD | CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2026-34525 MEDIUM PATCH GHSA This Month

AIOHTTP prior to version 3.13.4 allows multiple Host headers in HTTP requests, enabling information disclosure through header injection attacks. An unauthenticated remote attacker can exploit this by crafting malicious requests with duplicate Host headers to potentially bypass security controls or extract sensitive information from affected applications. The vulnerability has been patched in version 3.13.4, and no public exploit code or active exploitation has been identified at the time of analysis.

Tags: Python, Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 4.0: 6.3 | EPSS: 0.1%
CVE-2026-34520 LOW PATCH GHSA Monitor

AIOHTTP's C parser accepts null bytes and control characters in HTTP response headers prior to version 3.13.4, allowing remote attackers to inject malformed headers that bypass validation and cause information disclosure. This vulnerability affects all versions before 3.13.4 and has been patched upstream; exploitation requires no authentication or user interaction but results in limited integrity impact to response headers rather than confidentiality breach.

Tags: Python, Information Disclosure | Sources: NVD, GitHub | CVSS 4.0: 2.7 | EPSS: 0.0%
CVE-2026-5311 MEDIUM This Month

Improper access controls in D-Link DNS and DNR series NAS devices allow unauthenticated remote attackers to manipulate the cmd argument in the Webdav_Access_List function via /cgi-bin/file_center.cgi, resulting in information disclosure with CVSS 5.5. Public exploit code is available, placing affected devices at immediate risk of unauthorized data access.

Tags: D-Link, Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 4.0: 5.5 | EPSS: 0.1%
CVE-2026-34518 LOW PATCH GHSA Monitor

AIOHTTP prior to version 3.13.4 leaks sensitive authentication credentials across origin boundaries during HTTP redirects by failing to drop Cookie and Proxy-Authorization headers while inconsistently removing the Authorization header. This information disclosure vulnerability affects all Python applications using vulnerable AIOHTTP versions when following cross-origin redirects, potentially exposing session tokens and proxy credentials to untrusted origins. No public exploit code or active exploitation has been identified, and the EPSS score of 2.7 indicates low exploitation probability despite the low CVSS score reflecting confidentiality impact.

Tags: Python, Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 4.0: 2.7 | EPSS: 0.0%
CVE-2026-34515 MEDIUM PATCH GHSA This Month

AIOHTTP static resource handler on Windows exposes NTLMv2 remote path information to unauthenticated remote attackers, allowing information disclosure with high confidentiality impact. Versions prior to 3.13.4 are affected. The vulnerability has been patched and no active exploitation has been confirmed at this time.

Tags: Python, Information Disclosure, Microsoft | Sources: NVD, GitHub, VulDB | CVSS 4.0: 6.6 | EPSS: 0.1%
CVE-2026-28805 HIGH PATCH GHSA This Week

Time-based blind SQL injection in OpenSTAManager ≤2.10.1 allows authenticated users to extract complete database contents including credentials, financial records, and PII through multiple AJAX select handlers. The vulnerability affects three core modules (preventivi, ordini, contratti) where the `options[stato]` GET parameter is concatenated directly into SQL WHERE clauses without validation. Exploitation requires only low-privilege authentication (CVSS PR:L) and has been confirmed with working proof-of-concept code demonstrating 10-second SLEEP delays and successful extraction of admin username, bcrypt password hashes, and MySQL version. Vendor-released patches are available in version 2.10.2 via commits 50b9089 and 679c40f. No public exploit identified at time of analysis beyond researcher PoC, with CVSS 8.8 (High) reflecting network accessibility, low complexity, and complete confidentiality/integrity/availability impact.

Tags: PHP, SQLi, Denial Of Service, Information Disclosure, XSS | Sources: NVD, GitHub | CVSS 3.1: 8.8 | EPSS: 0.0%
CVE-2026-35000 HIGH PATCH This Week

Local filesystem disclosure in ChangeDetection.io <0.54.7 allows authenticated remote attackers to read arbitrary files via incomplete XPath 3.0/3.1 function blocklist bypass. The SafeXPath3Parser implementation fails to block dangerous file-access functions like json-doc(), enabling sensitive data exfiltration. EPSS data unavailable; no public exploit identified at time of analysis. SSVC assessment indicates partial technical impact with non-automatable exploitation requiring authentication.

Tags: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 4.0: 7.1 | EPSS: 0.1%
CVE-2026-34447 MEDIUM PATCH GHSA This Month

ONNX versions prior to 1.21.0 allow local attackers to read arbitrary files outside the model directory through symlink traversal during external data loading, requiring user interaction to load a malicious model file. The vulnerability has a CVSS score of 5.5 (medium severity) and is classified as information disclosure with confirmed patch availability in version 1.21.0.

Tags: Information Disclosure, Microsoft | Sources: NVD, GitHub | CVSS 3.1: 5.5 | EPSS: 0.0%
CVE-2026-34445 HIGH PATCH GHSA This Week

Arbitrary attribute injection in ONNX Python library (versions prior to 1.21.0) allows unauthenticated remote attackers to manipulate internal object properties by embedding malicious metadata in ONNX model files, resulting in potential information disclosure, data integrity violations, and high availability impact (CVSS 8.6). The vulnerability stems from unchecked use of Python's setattr() with externally-controlled keys during ExternalDataInfo deserialization. No public exploit code or CISA KEV listing identified at time of analysis, but proof-of-concept development is trivial given the straightforward nature of Python attribute manipulation. EPSS data not provided, but the unauthenticated network-accessible attack vector and low complexity suggest material risk for organizations processing untrusted ONNX models.

Tags: Python, Microsoft, Information Disclosure | Sources: NVD, GitHub | CVSS 3.1: 8.6 | EPSS: 0.0%
CVE-2026-34236 HIGH PATCH GHSA This Week

Insufficient entropy in cookie encryption within Auth0 PHP SDK versions 8.0.0 through 8.18.x enables brute-force attacks against session cookie encryption keys, potentially allowing authenticated threat actors with network access to forge arbitrary session cookies and bypass authentication controls. Vendor-released patch available in version 8.19.0. No public exploit identified at time of analysis, though CVSS score of 8.2 reflects high severity due to potential for complete authentication bypass with cross-scope impact.

Tags: PHP, Information Disclosure | Sources: NVD, GitHub | CVSS 3.1: 8.2 | EPSS: 0.0%
CVE-2026-5310 LOW POC PATCH Monitor

Iperius Backup versions up to 8.7.2 use a hard-coded cryptographic key for IperiusAccounts.ini file encryption, allowing local authenticated attackers with low privileges to decrypt stored credentials and extract sensitive account information. The vulnerability requires high attack complexity and local access, resulting in a CVSS 2.0 score with low confidentiality impact; a publicly available proof-of-concept exploit exists, and vendor-released patch version 8.7.4 fixes the issue.

Tags: Information Disclosure | Sources: NVD, VulDB, GitHub | CVSS 4.0: 2.0 | EPSS: 0.0%
CVE-2026-20160 CRITICAL NEWS Act Now

Remote code execution in Cisco Smart Software Manager On-Prem allows unauthenticated attackers to execute arbitrary commands with root privileges via an exposed internal service API. The vulnerability stems from the unintentional exposure of an internal service that accepts crafted API requests, enabling full system compromise. With a CVSS score of 9.8 and a network attack vector requiring no authentication or user interaction, this represents a critical security exposure for organizations using SSM On-Prem for Cisco software license management, though no public exploit has been identified at time of analysis.

Tags: Cisco, Information Disclosure | Sources: NVD | CVSS 3.1: 9.8 | EPSS: 0.2%
CVE-2026-20151 HIGH This Week

Privilege escalation in the Cisco Smart Software Manager On-Prem (SSM On-Prem) web interface allows authenticated remote attackers with the System User role to gain administrative access by intercepting session credentials from status messages. CVSS 7.3 (High) reflects a network attack vector, low attack complexity, low privileges required, and user interaction required. No public exploit code or active exploitation has been confirmed at time of analysis (EPSS data not provided).

Tags: Cisco, Information Disclosure | Sources: NVD | CVSS 3.1: 7.3 | EPSS: 0.0%
CVE-2026-20042 MEDIUM This Month

Cisco Nexus Dashboard configuration backup feature allows authenticated administrators to extract sensitive authentication credentials from encrypted backup files, enabling subsequent unauthorized access to internal APIs and arbitrary root-level command execution on the underlying operating system. The vulnerability requires possession of both a valid backup file and its encryption password, limiting exploitation to administrators or attackers with backup file access. CVSS 6.5 reflects the high-privilege requirement (PR:H) despite high confidentiality and integrity impact; no public exploit or active exploitation has been identified.

Tags: Cisco, Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2026-34751 CRITICAL PATCH GHSA Act Now

Account takeover via password reset flow in Payload CMS versions prior to 3.79.1 allows unauthenticated remote attackers to perform actions on behalf of users who initiate password recovery. The vulnerability stems from insufficient input validation and URL construction (CWE-472: External Control of Assumed-Immutable Web Parameter), enabling attackers to intercept or manipulate the password reset process without authentication. Affects all auth-enabled collections using built-in forgot-password functionality. CVSS 9.1 (Critical) with network-accessible, low-complexity exploitation requiring no privileges. EPSS data not available; no public exploit identified at time of analysis, but the GitHub security advisory provides detailed technical context increasing weaponization risk.

Tags: Information Disclosure | Sources: NVD, GitHub | CVSS 3.1: 9.1 | EPSS: 0.0%
CVE-2026-4989 MEDIUM This Month

Server-side request forgery (SSRF) in Devolutions Server gateway health check feature allows low-privileged authenticated users to bypass input validation and trigger arbitrary requests, potentially disclosing sensitive information from internal systems or network resources. Affected versions are 2026.1.1-2026.1.11 and 2025.3.1-2025.3.17. No public exploit code or active exploitation has been confirmed at time of analysis.

Tags: SSRF, Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 4.3 | EPSS: 0.0%
CVE-2026-4927 MEDIUM This Month

Devolutions Server versions 2026.1.6 through 2026.1.11 expose sensitive one-time password (OTP) keys in the MFA feature, allowing authenticated users with user management privileges to retrieve other users' OTP secrets via API requests. This information disclosure vulnerability enables account takeover by attackers who obtain valid credentials with user management roles, as OTP keys are sufficient to generate valid authentication codes and bypass multi-factor authentication protections.

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 6.5 | EPSS: 0.0%
CVE-2026-5271 MEDIUM NEWS This Month

pymanager allows local attackers to shadow legitimate Python modules by placing malicious modules in the current working directory, leading to arbitrary code execution when the application imports standard library or third-party modules. The vulnerability affects pymanager due to insecure sys.path manipulation that includes the current working directory with high priority, enabling privilege escalation or information disclosure depending on the affected module and execution context. No public exploit code has been identified, but the local attack vector with low complexity makes this a practical risk in shared or untrusted execution environments.

Tags: Information Disclosure | Sources: NVD, GitHub | CVSS 4.0: 5.6 | EPSS: 0.0%
CVE-2026-35094 LOW Monitor

Libinput versions prior to 1.26.0 contain a dangling pointer vulnerability in Lua plugin garbage collection that allows local authenticated attackers to read sensitive data from system logs, requiring the ability to deploy malicious Lua plugin files to system directories and Lua plugin support to be enabled in the compositor. The vulnerability has a CVSS score of 3.3 (low severity) with confirmed patch availability, and poses minimal real-world risk due to high prerequisites including local file write access and plugin enablement.

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 3.3 | EPSS: 0.0%
CVE-2026-30289 HIGH This Week

Tinybeans Private Family Album App v5.9.5-prod contains an arbitrary file overwrite vulnerability in its file import process that enables remote attackers to overwrite critical internal files, resulting in arbitrary code execution or information disclosure. No CVSS score, EPSS data, or KEV status is available for this vulnerability, and no public exploit code has been independently confirmed at the time of analysis.

Tags: RCE, Information Disclosure | Sources: NVD, GitHub | CVSS 3.1: 8.4 | EPSS: 0.0%
CVE-2026-30287 HIGH This Week

Deep Thought Industries ACE Scanner PDF Scanner v1.4.5 contains an arbitrary file overwrite vulnerability in its file import process that permits attackers to overwrite critical internal files, resulting in remote code execution or information disclosure. The vulnerability affects a mobile application distributed via Google Play Store. No CVSS score, active exploitation status, or patch information is currently available from vendor sources.

Tags: Information Disclosure, RCE | Sources: NVD, GitHub | CVSS 3.1: 8.4 | EPSS: 0.0%
CVE-2026-22768 HIGH This Week

Incorrect permission assignment in Dell AppSync 4.6.0 enables local privilege escalation to high-impact system access. Authenticated attackers with low-privilege local access can exploit misconfigured resource permissions to elevate privileges, achieving full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis. Dell has released security advisory DSA-2026-163 addressing this vulnerability. EPSS data unavailable; CVSS 7.3 reflects significant local threat requiring user interaction.

Tags: Dell, Information Disclosure | Sources: NVD | CVSS 3.1: 7.3 | EPSS: 0.0%
CVE-2026-22767 HIGH This Week

UNIX symbolic link following in Dell AppSync 4.6.0 allows local authenticated attackers with low privileges to tamper with information and potentially escalate impact to high integrity and availability compromise. CVSS 7.3 (High) with low attack complexity. No public exploit identified at time of analysis. EPSS data not available, but local-only access requirement significantly reduces real-world attack surface compared to remotely exploitable vulnerabilities.

Tags: Dell, Information Disclosure | Sources: NVD | CVSS 3.1: 7.3 | EPSS: 0.0%
CVE-2026-24096 MEDIUM This Month

Insufficient permission validation in Checkmk REST API Quick Setup endpoints allows low-privileged authenticated users to perform unauthorized administrative actions or access sensitive information in versions 2.5.0 beta before 2.5.0b2 and 2.4.0 before 2.4.0p25. The vulnerability stems from missing authorization checks that fail to enforce role-based access control on multiple API endpoints, enabling privilege escalation within the monitoring platform.

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 4.0: 5.3 | EPSS: 0.0%
CVE-2026-23411 HIGH PATCH This Week

Race condition in Linux kernel AppArmor subsystem allows use-after-free of i_private data when filesystem callback functions access inode structures after reference counting errors. The vulnerability occurs because AppArmor releases references to private data after removing filesystem entries, but inodes can persist beyond that point and trigger filesystem callbacks that access freed memory. This affects AppArmor security policy enforcement and could lead to information disclosure or denial of service through carefully timed filesystem operations. No active exploitation has been confirmed, and the issue is addressed through upstream kernel fixes.

Tags: Linux, Information Disclosure, Redhat | Sources: NVD, VulDB | CVSS 3.1: 7.8 | EPSS: 0.0%
CVE-2026-23408 HIGH PATCH This Week

Double free vulnerability in Linux kernel AppArmor subsystem allows local attackers to cause denial of service or information disclosure by triggering memory corruption during namespace profile replacement. The flaw occurs in aa_replace_profiles() when ns_name is transferred from ent->ns_name without nulling the source pointer, resulting in the same memory region being freed twice. This is a memory corruption issue with kernel-level impact affecting all Linux distributions running vulnerable kernel versions.

Tags: Linux, Information Disclosure, Redhat | Sources: NVD, VulDB | CVSS 3.1: 7.8 | EPSS: 0.0%
CVE-2026-23898 HIGH NEWS This Week

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote attackers to delete files on affected servers due to insufficient input validation. The vulnerability affects all versions of Joomla! CMS through the update component and carries moderate-to-high real-world risk because file deletion can compromise system integrity, availability, and potentially enable privilege escalation or secondary attacks when combined with other weaknesses.

Tags: Information Disclosure | Sources: NVD | CVSS 4.0: 8.6 | EPSS: 0.1%
CVE-2026-4370 CRITICAL PATCH GHSA Act Now

Unauthenticated remote database cluster compromise in Canonical Juju (versions 3.2.0-3.6.19 and 4.0-4.0.4) allows complete data exfiltration and manipulation through missing TLS certificate validation on Dqlite database endpoints. The controller's database cluster accepts unauthorized node joins from any network-accessible attacker, granting full read/write access to all stored credentials, configurations, and orchestration data. With CVSS 10.0 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents a critical authentication bypass in infrastructure-as-code environments. No public exploit identified at time of analysis, though exploitation requires only network access to the Dqlite port without authentication complexity.

Information Disclosure
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-4748 HIGH This Week

Packet filter (pf) rule hash calculation regression in FreeBSD causes rules with address range syntax (x.x.x.x - y.y.y.y) differing only in address ranges to be silently dropped as duplicates, loading only the first rule and potentially causing unexpected packet filtering behavior including unintended blocking or allowing of traffic. The regression affects pf's duplicate detection mechanism but does not impact rules using CIDR notation (address/mask-bits syntax). Only the first of multiple such rules is loaded, creating a silent configuration failure with no warning to administrators.

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-2696 MEDIUM This Month

Export All URLs WordPress plugin before version 5.1 exposes private post URLs and sensitive data through predictably named CSV export files stored in the publicly accessible wp-content/uploads/ directory, allowing unauthenticated attackers to enumerate and retrieve these files via brute-force attacks against a simple 6-digit filename pattern.

WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-5292 HIGH PATCH This Week

Out-of-bounds read in WebCodecs component of Google Chrome prior to version 146.0.7680.178 allows remote attackers to read arbitrary memory contents via specially crafted HTML pages. The vulnerability affects all Chrome versions below the patched release and requires only HTML delivery (no authentication); exploitation could disclose sensitive data from the browser process memory, though the Chromium project assessed this as Medium severity.

Google Information Disclosure Buffer Overflow Debian Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5291 MEDIUM PATCH This Month

Information disclosure in Google Chrome's WebGL implementation prior to version 146.0.7680.178 allows remote attackers to extract potentially sensitive data from process memory by serving a crafted HTML page. The vulnerability affects all Chrome versions before the patched release and requires only user interaction (visiting a malicious webpage) to trigger memory disclosure via WebGL rendering.

Google Information Disclosure Debian Redhat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5282 HIGH PATCH This Week

Out-of-bounds read in WebCodecs functionality in Google Chrome prior to version 146.0.7680.178 allows remote attackers to read arbitrary memory contents via a crafted HTML page. The vulnerability affects all Chrome versions before the patched release and requires only user interaction (visiting a malicious webpage) to trigger. No public exploit code or active exploitation has been confirmed at time of analysis.

Google Information Disclosure Buffer Overflow Debian Redhat +1
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-5276 MEDIUM PATCH This Month

Information disclosure in Google Chrome's WebUSB implementation prior to version 146.0.7680.178 allows remote attackers to extract sensitive data from process memory by delivering a crafted HTML page, exploiting insufficient policy enforcement in the WebUSB API. The vulnerability affects all Chrome versions before 146.0.7680.178 across all platforms. No public exploit code or active exploitation has been confirmed at the time of this analysis.

Google Information Disclosure Debian Redhat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5251 MEDIUM POC This Month

Privilege escalation in z-9527 admin 1.0/2.0 allows authenticated users to manipulate the isAdmin parameter in the User Update Endpoint (/server/routes/user.js) to gain administrative privileges through dynamically-determined object attributes. The vulnerability requires network access and valid credentials (PR:L per CVSS vector) but no user interaction. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts, leaving all versions in the 1.x and 2.x branches unpatched.

Information Disclosure
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-3774 MEDIUM This Month

Foxit PDF Editor allows PDF JavaScript and document actions (WillPrint/DidPrint) to modify form fields, annotations, and optional content groups immediately before or after redaction, encryption, or printing, potentially causing sensitive content to remain visible or unencrypted despite user expectations. The vulnerability affects all versions of Foxit PDF Editor and requires local access with user interaction (opening a malicious PDF). CVSS score is 4.7 with high confidentiality impact; no public exploit code or active exploitation (CISA KEV) has been identified at the time of analysis.

Information Disclosure
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-5248 MEDIUM POC This Month

Authenticated remote code execution via mass assignment in GougoCMS 4.08.18 User Registration Handler allows attackers with valid credentials to manipulate the 'level' parameter during registration, exploiting dynamically-determined object attributes to escalate privileges or modify sensitive user properties. The vulnerability affects the reg_submit function in Login.php and has publicly available exploit code; however, the vendor has not responded to early disclosure notification.

PHP Information Disclosure
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-71282 HIGH This Week

XenForo forum software versions prior to 2.3.7 disclose server filesystem paths through exception messages triggered by open_basedir PHP restrictions, enabling remote unauthenticated attackers to map internal directory structures. This information disclosure vulnerability (CWE-209) affects XenForo installations and has been addressed in version 2.3.7 with vendor-confirmed security fixes. No public exploit code or active exploitation is identified at time of analysis, though the unauthenticated remote attack vector and low complexity make reconnaissance straightforward for targeted attacks.

Information Disclosure
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2025-71280 MEDIUM This Month

XenForo before version 2.3.7 exposes sensitive user account information through improper browser caching of account pages on shared systems. Local users with access to a shared machine or browser can retrieve cached account data belonging to other users who previously accessed XenForo, enabling unauthorized information disclosure without authentication. No public exploit code or active exploitation has been identified; remediation requires upgrading to XenForo 2.3.7 or later.

Information Disclosure
NVD
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-25834 MEDIUM PATCH This Month

Mbed TLS versions 3.3.0 through 3.6.5 and 4.0.0 are vulnerable to algorithm downgrade attacks via signature algorithm injection, allowing attackers to force the use of weaker cryptographic algorithms during TLS handshakes. This information disclosure vulnerability affects all applications using the affected Mbed TLS library versions and could enable attackers to compromise the confidentiality of encrypted communications by downgrading to algorithms with known weaknesses.

Information Disclosure Redhat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-67806 LOW Monitor

Sage DPW versions before 2021_06_000 leak valid username existence through differential login response timing and messaging, enabling account enumeration without authentication. The vulnerability has a low CVSS score (3.7) reflecting limited confidentiality impact and high attack complexity, though it reduces the security barrier for subsequent targeted attacks against known valid accounts. No active exploitation has been confirmed.

Information Disclosure
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-67807 MEDIUM This Month

Sage DPW 2025_06_004 and earlier versions enable username enumeration through differential login responses, allowing remote attackers to discover valid user accounts without authentication. The vulnerability affects all versions before 2021_06_000, though on-premise administrators in newer versions can disable this behavior through configuration options.

Information Disclosure
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-30573 HIGH POC This Week

Pharmacy Product Management System 1.0 accepts negative price and total cost values in sales transactions due to insufficient input validation in add-sales.php, enabling attackers to manipulate financial records, corrupt sales reports, and cause financial loss. The vulnerability allows unauthenticated or low-privilege users to submit arbitrary negative values that bypass business logic controls. Publicly available exploit code exists demonstrating this business logic flaw.

Information Disclosure PHP
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25835 HIGH PATCH This Week

Mbed TLS before version 3.6.6 and TF-PSA-Crypto before version 1.1.0 contain a PRNG seed misuse vulnerability that enables information disclosure. An attacker who gains access to a seeded PRNG instance can potentially predict or replicate pseudo-random number generation, compromising cryptographic material confidentiality. The vulnerability affects cryptographic libraries used in embedded systems and IoT devices, with confirmed availability of vendor security advisories but no CVSS score assigned at time of analysis.

Information Disclosure Suse
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-34871 MEDIUM This Month

Mbed TLS 3.x before 3.6.6, 4.x before 4.1.0, and TF-PSA-Crypto before 1.1.0 contain a predictable seed vulnerability in their pseudo-random number generator (PRNG) implementation that compromises the cryptographic strength of generated random values. Attackers with knowledge of the seed initialization mechanism can predict PRNG output, enabling them to forge cryptographic material, decrypt communications, or impersonate legitimate parties. No active exploitation has been confirmed, but the information disclosure nature of this vulnerability affects all applications relying on these libraries for cryptographic operations.

Information Disclosure
NVD VulDB
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-30291 HIGH This Week

Arbitrary file overwrite in Ora Tools PDF Reader & Editor APP v4.3.5 enables attackers to overwrite critical internal files through the file import process, resulting in arbitrary code execution or information exposure. The vulnerability affects the Android application and has been publicly disclosed; however, CVSS scoring, CISA KEV status, and vendor patch availability have not been independently confirmed at time of analysis.

Information Disclosure RCE
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-30292 HIGH This Week

Arbitrary file overwrite in Docudepot PDF Reader v1.0.34 enables attackers to overwrite critical internal files through the file import process, resulting in arbitrary code execution or information exposure. The vulnerability affects the mobile PDF viewer application across Android platforms. No public exploit code or active exploitation has been confirmed at time of analysis, though the severity of potential impact (RCE) warrants immediate investigation and patching.

RCE Information Disclosure
NVD GitHub
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-30523 MEDIUM POC This Month

SourceCodester Loan Management System v1.0 accepts negative integer values for loan plan duration due to insufficient input validation on the months parameter, allowing attackers to create loan plans with invalid negative durations that may cause unexpected system behavior or financial miscalculations. Publicly available exploit code exists, though real-world impact depends on downstream business logic that consumes these invalid loan plans.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-34872 CRITICAL Act Now

Finite-field Diffie-Hellman (FFDH) in Mbed TLS 3.5.x, 3.6.0 through 3.6.5, and TF-PSA-Crypto 1.0 lacks contributory behavior due to improper validation of peer-supplied parameters, allowing an attacker to restrict the shared secret to a small set of predictable values. While the vulnerability does not directly impact TLS (which does not depend on contributory behavior), it poses a significant risk to protocols that do rely on this property, including those where an active network attacker or malicious peer can exploit the weakness. No CVSS score or public exploit code has been assigned at the time of analysis.

Information Disclosure Jwt Attack
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-66442 MEDIUM This Month

Compiler-induced timing side channel in Mbed TLS through 4.0.0 and TF-PSA-Crypto through 1.0.0 allows information disclosure of RSA private keys and CBC/ECB-decrypted plaintext when LLVM's select-optimize feature is enabled during compilation. The vulnerability arises from compiler optimization that violates constant-time implementation guarantees, potentially exposing cryptographic material to timing analysis attacks despite developers' explicit use of constant-time code patterns.

Information Disclosure Redhat
NVD GitHub
CVSS 3.1
5.1
EPSS
0.0%
CVE-2026-34556 MEDIUM This Month

Heap buffer overflow in iccDEV's icAnsiToUtf8() function allows local attackers to cause denial of service via a crafted ICC color profile processed by the iccToXml tool. The vulnerability exists in versions prior to 2.3.1.6 and stems from unsafe string handling that treats non-null-terminated buffers as C-strings, triggering out-of-bounds memory reads. CVSS 6.2 with local attack vector and no authentication required; vendor-released patch available in version 2.3.1.6.

Buffer Overflow Information Disclosure
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34554 MEDIUM This Month

Heap buffer overflow in iccDEV's CIccApplyCmmSearch::costFunc() function allows local attackers to trigger an out-of-bounds memory read via malformed JSON configuration input to the iccApplySearch tool, resulting in denial of service. The vulnerability affects iccDEV versions prior to 2.3.1.6 and has been patched; no public exploit identified at time of analysis, though the issue is straightforward to trigger with crafted input.

Buffer Overflow Information Disclosure
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34553 MEDIUM This Month

Local integrity modification in iccDEV prior to version 2.3.1.6 affects the CIccCLUT::Iterate() function and CLUT dumping output in CIccMBB::Describe(), allowing local attackers without privileges to alter ICC color profile data integrity. The vulnerability requires local access and produces incorrect LUT (Look-Up Table) dump output that could compromise color management workflows relying on accurate profile representation.

Information Disclosure
NVD GitHub
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-34537 MEDIUM This Month

Local denial of service in iccDEV prior to version 2.3.1.6 allows unauthenticated local attackers to crash applications processing ICC color profiles by crafting malicious profiles that trigger undefined behavior through invalid enum values in CIccOpDefEnvVar::Exec(). The vulnerability requires local file access but no privilege escalation, with an EPSS score of 6.2 reflecting moderate real-world risk. No public exploit code or active exploitation has been identified at the time of analysis.

Information Disclosure
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34533 MEDIUM This Month

Undefined Behavior in iccDEV prior to version 2.3.1.6 allows local attackers to cause a denial of service by supplying a crafted ICC color profile containing invalid enum values for icChannelFuncSignature, which triggers an application crash during profile processing in CIccCalculatorFunc::ApplySequence(). The vulnerability requires local file access or the ability to provide a malicious ICC profile to an application using the library; no public exploit code has been identified.

Information Disclosure
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34452 MEDIUM PATCH GHSA This Month

Symlink race condition in Anthropic Python SDK async filesystem memory tool (versions 0.86.0-0.86.x) allows local authenticated attackers to escape sandbox restrictions and read or write arbitrary files outside the designated memory directory. The vulnerability exploits a time-of-check-time-of-use (TOCTOU) flaw where path validation occurs before symlink resolution, enabling an attacker with memory directory write access to redirect file operations via symlink manipulation. The synchronous implementation is unaffected. Vendor-released patch: version 0.87.0.

Python Information Disclosure
NVD GitHub
CVSS 4.0
5.8
EPSS
0.0%
CVE-2026-34550 MEDIUM This Month

Denial of service in iccDEV prior to version 2.3.1.6 results from undefined behavior caused by unsafe implicit conversion of negative signed integers to unsigned size_t in IccProfLib/IccIO.cpp. Local attackers can exploit this condition to crash applications using vulnerable iccDEV libraries by providing specially crafted ICC color profile files, resulting in high availability impact with no authentication required.

Information Disclosure
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34549 MEDIUM This Month

Denial of service via crafted ICC color profile in iccDEV library prior to version 2.3.1.6 triggers undefined behavior through invalid left shift operations on 32-bit unsigned integers, causing application crashes. The vulnerability affects all iccDEV versions before 2.3.1.6 and requires only local file access to exploit (no authentication or user interaction required beyond opening a malicious profile). No public exploit code or active exploitation has been identified at time of analysis.

Information Disclosure
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34548 MEDIUM This Month

Denial of service in iccDEV prior to version 2.3.1.6 allows local attackers to crash the iccToXml XML conversion tool via undefined behavior caused by implicit conversion of negative signed integers to unsigned 32-bit values. The vulnerability has CVSS 6.2 (medium severity) and affects all versions before the patched release; no public exploit code has been identified, but the issue is straightforward to trigger with malformed ICC color profiles containing negative integer values.

Information Disclosure
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34547 MEDIUM This Month

Denial of service via undefined behavior in iccDEV versions prior to 2.3.1.6 allows local attackers to crash the iccDumpProfile tool by supplying a crafted ICC color profile. The vulnerability exploits an unsafe memory operation in IccUtil.cpp triggered during profile parsing, resulting in application termination with no authentication required. No public exploit code or active exploitation has been reported at time of analysis.

Information Disclosure
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34546 MEDIUM This Month

Denial of service via division by zero in iccDEV prior to version 2.3.1.6 allows local attackers to crash the iccTiffDump utility by supplying a crafted TIFF file, resulting in undefined behavior and availability impact. The vulnerability requires local file access and no authentication, but exploitation is limited to denial of service rather than code execution or information disclosure. CVSS 6.2 reflects medium severity with high availability impact; no public exploitation or CISA KEV status reported.

Information Disclosure
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34441 MEDIUM This Month

HTTP Request Smuggling in cpp-httplib prior to 0.40.0 allows remote attackers to inject arbitrary HTTP requests on HTTP/1.1 keep-alive connections by embedding malicious request data in the body of GET requests that the static file handler does not consume. The unread body bytes remain on the TCP stream and are interpreted as a new request, enabling information disclosure and request manipulation without authentication or user interaction.

Request Smuggling Information Disclosure
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-34732 MEDIUM PATCH GHSA This Month

WWBN AVideo 26.0 and prior exposes sensitive user data through 21 unauthenticated API endpoints via the CreatePlugin template generator. The list.json.php template lacks authentication checks present in its companion add.json.php and delete.json.php templates, allowing remote attackers to enumerate and retrieve user PII, payment logs, IP addresses, user agents, and internal system records without authentication. No vendor patch exists at time of analysis.

Authentication Bypass Information Disclosure PHP
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3470 LOW Monitor

Database corruption in SonicWall Email Security appliance via improper input sanitization allows authenticated admin users to corrupt the application database by submitting crafted input. The vulnerability requires valid administrative credentials and affects all versions of SonicWall Email Security as indicated by the CPE wildcard matching. No CVSS scoring, public exploit code, or CISA KEV status is available at this time, limiting precise risk quantification.

Sonicwall Information Disclosure
NVD
CVSS 3.1
3.8
EPSS
0.1%
CVE-2026-3469 LOW Monitor

SonicWall Email Security appliance becomes unresponsive due to improper input validation when an authenticated administrator submits malformed input, causing a denial of service. The vulnerability affects all versions of SonicWall Email Security and requires valid admin credentials to exploit. While CVSS scoring is unavailable, the attack vector is remote and authenticated, limiting exposure to insider threats or compromised admin accounts.

Sonicwall Information Disclosure
NVD
CVSS 3.1
2.7
EPSS
0.1%
CVE-2026-34203 LOW PATCH GHSA Monitor

Nautobot REST API user creation and modification endpoints bypass Django's configured password validation rules, allowing authenticated administrators to set or modify user passwords that fail to meet organizational security standards. Versions prior to 2.4.30 and 3.0.10 are affected; an authenticated admin with high privileges can create accounts with weak passwords despite configured AUTH_PASSWORD_VALIDATORS rules. CVSS score is 2.7 (low severity) due to requirement for authenticated administrative access; however, organizations with strict password policies relying on Nautobot's config-driven enforcement face integrity risk.

Python Brute Force Information Disclosure
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-5210 MEDIUM POC This Month

Remote file inclusion in SourceCodester Leave Application System 1.0 allows unauthenticated attackers to manipulate the page parameter and access arbitrary files, resulting in information disclosure. The CVSS 4.0 score of 6.9 reflects low confidentiality impact with network-based attack vector and no user interaction required. Publicly available exploit code exists, increasing practical risk despite the moderate CVSS rating.

Information Disclosure
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-33300 MEDIUM This Month

Discourse 2026.1.0 through 2026.3.0-beta allows authenticated moderators to bypass authorization controls in the Category Chatables Controller, disclosing sensitive information about hidden group names and user counts. The vulnerability affects multiple release branches and has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0. With a CVSS score of 5.3 and low attack complexity, this represents a meaningful information disclosure risk requiring prompt patching.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-5321
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Cross-Origin Resource Sharing (CORS) misconfiguration in vanna-ai vanna up to version 2.0.2 allows authenticated remote attackers to establish permissive cross-domain policies with untrusted domains, leading to information disclosure. The vulnerability affects the FastAPI/Flask Server component and has publicly available exploit code; however, the vendor has not responded to early disclosure attempts. With a CVSS score of 5.3 and confirmed public exploit availability, this represents a moderate-risk authentication-gated information exposure issue.

Cors Misconfiguration Information Disclosure Python
NVD VulDB GitHub
CVE-2026-30603
EPSS 0% CVSS 6.8
MEDIUM This Month

Qianniao QN-L23PA0904 firmware v20250721.1640 contains an insecure firmware update mechanism that allows local attackers with SD card access to execute arbitrary code as root by supplying a crafted iu.sh script, enabling complete device compromise including backdoor installation and data exfiltration. No CVSS score is available; exploitation requires physical or logical access to the device's SD card interface. Public research documentation exists detailing the vulnerability.

Information Disclosure
NVD GitHub
CVE-2026-26895
EPSS 0% CVSS 5.3
MEDIUM This Month

User enumeration in osTicket v1.18.2's password reset endpoint (/pwreset.php) enables remote attackers to discover valid usernames through response analysis, facilitating targeted account compromise attempts. No CVSS score, CISA KEV status, or confirmed patch information is available; exploitation likelihood depends on whether timing or behavioral differences between valid and invalid usernames can be reliably detected without authentication.

PHP Information Disclosure
NVD
CVE-2026-34876
EPSS 0% CVSS 7.5
HIGH This Week

Out-of-bounds read in Mbed TLS 3.x before 3.6.6 allows attackers to leak adjacent CCM context data through the multipart CCM API by passing an oversized tag_len parameter to mbedtls_ccm_finish(), which lacks validation against the internal 16-byte authentication buffer. Mbed TLS 4.x contains the same vulnerability in internal code but does not expose the vulnerable function publicly; exploitation requires direct application-level invocation of the affected API. No public exploit code or active exploitation has been reported, but the attack requires no special privileges.

Buffer Overflow Information Disclosure
NVD
CVE-2026-34973
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Information disclosure in phpMyFAQ allows unauthenticated attackers to enumerate custom page content by injecting SQL LIKE wildcards (`%` and `_`) into the search term, bypassing intended search filters. The `searchCustomPages()` method in `Search.php` uses `real_escape_string()` which does not escape LIKE metacharacters, enabling an attacker to craft queries like `_%_` that match all records regardless of intended search scope. This vulnerability has no authentication requirement and affects the publicly accessible search functionality.

PHP Information Disclosure Nosql Injection
NVD GitHub
CVE-2026-34969
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Nhost auth service exposes OAuth refresh tokens in redirect URL query parameters, allowing access to browser history, server logs, and proxy logs on owned infrastructure. While refresh tokens are single-use and leak vectors are primarily confined to developer-controlled systems, the vulnerability violates RFC 6749 token transport requirements and enables session hijacking if logs are accessed before the token is legitimately consumed. All OAuth providers (GitHub, Google, Apple) are affected equally through the same vulnerable callback handler.

Information Disclosure Apple Microsoft +1
NVD GitHub
CVE-2026-34934
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in PraisonAI's thread listing function allows unauthenticated remote attackers to execute arbitrary SQL queries and achieve complete database compromise. The vulnerability exists in sql_alchemy.py where thread IDs stored via update_thread are concatenated into raw SQL queries using f-strings without sanitization. Attackers inject malicious SQL through thread_id parameters, which execute when get_all_user_threads loads the thread list. CVSS 9.8 (Critical) reflects network-accessible exploitation requiring no authentication or user interaction. No public exploit confirmed beyond the GitHub security advisory POC, though EPSS data unavailable. Immediate patching required for all PraisonAI Python package installations.

Python SQLi Information Disclosure
NVD GitHub
CVE-2026-32929
EPSS 0% CVSS 8.4
HIGH This Week

Out-of-bounds read in Fuji Electric V-SFT 6.2.10.0 and earlier allows local attackers to disclose sensitive information and potentially achieve code execution when processing maliciously crafted V7 files. The vulnerability resides in the VS6ComFile!get_macro_mem_COM function and requires user interaction to open a weaponized file. No public exploit identified at time of analysis, though the local attack vector and file format parsing nature make this a realistic social engineering target for industrial control system environments.

Information Disclosure Buffer Overflow
NVD VulDB
CVE-2026-34762
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Ella Networks Core API fails to validate matching IMSI identifiers between URL path and JSON request body in the PUT /api/v1/subscriber/{imsi} endpoint, allowing authenticated NetworkManagers to modify any subscriber's QoS policy while spoofing audit trail entries. This authentication-required vulnerability (PR:H per CVSS) creates forensic evasion: the audit log attributes changes to fabricated or unrelated subscriber identifiers, preventing post-incident investigation of the actual affected subscriber. CVSS 2.7 reflects the limited scope (no confidentiality impact, low integrity impact, no availability impact), though the audit trail manipulation represents meaningful security degradation for compliance and incident response.

Information Disclosure
NVD GitHub
CVE-2026-32927
EPSS 0% CVSS 8.4
HIGH This Week

Out-of-bounds read in Fuji Electric V-SFT 6.2.10.0 and earlier allows local attackers to extract sensitive memory contents and potentially achieve code execution by opening a malicious V7 project file. The vulnerability requires user interaction (opening a crafted file) but no authentication; its EPSS probability has not yet been assessed. No public exploit identified at time of analysis, though JPCERT coordination suggests industrial targeting potential.

Information Disclosure Buffer Overflow
NVD
CVE-2026-32926
EPSS 0% CVSS 8.4
HIGH This Week

Out-of-bounds read in Fuji Electric V-SFT industrial HMI software (versions ≤6.2.10.0) enables local attackers to disclose sensitive information and potentially achieve code execution when victims open maliciously crafted V7 project files. The vulnerability resides in the VS6ComFile!load_link_inf function during V7 file parsing. CVSS 8.4 reflects high confidentiality and integrity impact with low attack complexity requiring user interaction. No public exploit identified at time of analysis, though JPCERT coordination suggests targeted industrial sector awareness.

Information Disclosure Buffer Overflow
NVD
CVE-2025-66483
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

IBM Aspera Shares versions 1.9.9 through 1.11.0 fail to invalidate user sessions following password reset operations, enabling authenticated users to maintain access to compromised accounts and impersonate other users. The vulnerability requires prior authentication and allows limited confidentiality and integrity impact through account takeover. IBM has released a patch to address this session management defect.

IBM Information Disclosure
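The session-management defect described in CVE-2025-66483 is easy to reproduce in any framework that stores sessions separately from credentials. The following is an added example, not IBM's code: a constructed in-memory store showing a password reset that leaves old sessions valid beside one that revokes them. The class, method names and the pbkdf2 parameters are assumptions for the demo.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Constructed in-memory user/session store (example only, not IBM's code)."""

    def __init__(self):
        self.users = {}      # username -> (salt, password hash)
        self.sessions = {}   # session id -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        salt, stored = self.users[username]
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def is_valid(self, sid):
        return sid in self.sessions

    def reset_password_vulnerable(self, username, new_password):
        # Defect pattern: the credential is rotated, but every session that was
        # issued under the old password keeps working, so whoever already holds
        # a session token survives the reset.
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(new_password, salt))

    def reset_password_fixed(self, username, new_password):
        self.reset_password_vulnerable(username, new_password)
        # Revoke every session that belongs to this user. The party that
        # performed the reset logs in again with the new password.
        for sid in [s for s, u in self.sessions.items() if u == username]:
            del self.sessions[sid]
```

The same revocation belongs in every credential-changing flow (password change, MFA reset, email change), and in a multi-node deployment the session store must be shared or the revocation replicated, otherwise another node still honours the stale token.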
NVD
CVE-2026-5314
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Out-of-bounds read in Nothings stb library up to version 1.26 allows remote attackers to trigger information disclosure via a crafted TTF file processed by the stbtt_InitFont_internal function in stb_truetype.h. Exploitation requires user interaction (opening a malicious font file) and publicly available exploit code exists; however, the vendor has not responded to early disclosure notification.

Information Disclosure Buffer Overflow
NVD VulDB GitHub
CVE-2026-34543
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Heap memory disclosure in OpenEXR 3.4.0 through 3.4.7 allows remote attackers to extract sensitive information through decoded pixel data when processing malicious EXR image files. The vulnerability requires no authentication (PR:N) or user interaction (UI:N), triggering automatically during file parsing under default configurations. With CVSS 8.7 and high confidentiality impact (VC:H), this represents significant risk for applications processing untrusted EXR files. No public exploit identified at time of analysis, though the low attack complexity (AC:L) suggests straightforward exploitation once attack methods are documented.

Information Disclosure
NVD GitHub VulDB
CVE-2026-4820
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 fail to set the secure attribute on authorization tokens and session cookies, allowing unauthenticated remote attackers to obtain sensitive cookie values through man-in-the-middle interception via unencrypted HTTP connections. An attacker can trick a user into clicking an HTTP link or embed such a link on a visited website, causing the browser to transmit cookies over unencrypted channels where they can be captured. No public exploit code or active exploitation has been reported at the time of analysis, though the vulnerability carries a CVSS score of 4.3 reflecting the requirement for user interaction.

IBM Information Disclosure
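A missing Secure attribute, as in CVE-2026-4820, is a response-header property that can be audited without touching the application. The following is an added example, not IBM's code or part of this page's source: a small Set-Cookie parser and audit over constructed response headers. The cookie names, values and the weak/hardened header sets are made up for the demo.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return the list of weaknesses in one Set-Cookie header (empty = hardened)."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie on plain-HTTP
        # requests, which is exactly what a forced http:// link exploits.
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax or Strict")
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        findings.append("__Host- prefix requirements not met")
    return findings


def audit_response_headers(headers):
    """headers: iterable of (name, value) pairs as received from a server.
    Returns {cookie name: [findings]} for every Set-Cookie header."""
    report = {}
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            cookie_name = parse_set_cookie(hvalue)[0]
            report[cookie_name] = audit_set_cookie(hvalue)
    return report


# Constructed response headers for the demo, not captured from any product.
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=8f3c1d; Path=/; HttpOnly"),
    ("Set-Cookie", "x-access-token=eyJhbGc; Path=/"),
]
HARDENED = [
    ("Set-Cookie", "__Host-JSESSIONID=8f3c1d; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "x-access-token=eyJhbGc; Path=/; Secure; HttpOnly; SameSite=Strict"),
]
```

The __Host- prefix is worth adding where the application allows it: a browser refuses to store a __Host- cookie that lacks Secure or Path=/ or carries a Domain attribute, so the protection no longer depends on every code path remembering the flags.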
NVD
CVE-2025-36373
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

IBM DataPower Gateway versions 10.6CD (10.6.1.0-10.6.5.0), 10.5.0 (10.5.0.0-10.5.0.20), and 10.6.0 (10.6.0.0-10.6.0.8) disclose sensitive system information from other domains to authenticated administrative users due to improper access control. The vulnerability requires high-privilege administrative access over the network and results in confidentiality impact only; no public exploit code or active exploitation has been confirmed. CVSS 4.1 reflects low real-world risk given the authentication requirement, and patch availability limits the exposure window.

IBM Information Disclosure
NVD
CVE-2025-13916
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

IBM Aspera Shares versions 1.9.9 through 1.11.0 use cryptographic algorithms of insufficient strength, permitting remote attackers without authentication to decrypt sensitive information. The vulnerability stems from weaker-than-expected cryptographic algorithms, allowing a confidentiality breach of data protected by the application. A vendor patch is available.

Information Disclosure IBM
NVD
CVE-2026-1491
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

IBM Verify Identity Access and Security Verify Access versions 10.0 through 10.0.9.1 and 11.0 through 11.0.2 allow unauthenticated remote attackers to access sensitive information through HTTP request smuggling via inconsistent interpretation of HTTP requests by a reverse proxy. The vulnerability affects both container and non-container deployments and has a CVSS score of 5.3 with confirmed vendor patch availability.

IBM Information Disclosure Request Smuggling
NVD
CVE-2026-2862
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Remote attackers can access sensitive information in IBM Verify Identity Access Container 11.0-11.0.2, IBM Security Verify Access Container 10.0-10.0.9.1, and their non-containerized counterparts through HTTP request smuggling. The vulnerability exploits inconsistent HTTP request interpretation between the application and its reverse proxy, allowing unauthenticated remote access to restricted data with low attack complexity.

IBM Information Disclosure Request Smuggling
NVD
CVE-2026-34525
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

AIOHTTP prior to version 3.13.4 allows multiple Host headers in HTTP requests, enabling information disclosure through header injection attacks. An unauthenticated remote attacker can exploit this by crafting malicious requests with duplicate Host headers to potentially bypass security controls or extract sensitive information from affected applications. The vulnerability has been patched in version 3.13.4, and no public exploit code or active exploitation has been identified at the time of analysis.

Python Information Disclosure
NVD GitHub VulDB
CVE-2026-34520
EPSS 0% CVSS 2.7
LOW PATCH Monitor

AIOHTTP's C parser accepts null bytes and control characters in HTTP response headers prior to version 3.13.4, allowing remote attackers to inject malformed headers past validation. All versions before 3.13.4 are affected and the issue has been patched upstream; exploitation requires no authentication or user interaction, and the CVSS 2.7 score reflects limited integrity impact on response headers rather than a confidentiality breach, despite the information-disclosure classification.

Python Information Disclosure
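The four entries above (the two IBM Verify Access request-smuggling issues, the duplicate-Host issue CVE-2026-34525 and the control-character issue CVE-2026-34520) are all consequences of a parser accepting requests whose meaning another parser could read differently. The following is an added example, not aiohttp's or IBM's code: a strict HTTP/1.x request-head parser that rejects the ambiguities a front end and back end may disagree on, run over constructed requests. The regexes, error messages and sample requests are assumptions for the demo.

```python
import re

TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 9110 tchar
# Every control byte except HTAB is forbidden in a field value, including a bare
# CR or LF that survived the CRLF split and the NUL byte from CVE-2026-34520.
CTL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")


class BadRequest(ValueError):
    pass


def parse_request_strict(raw):
    """Parse the head of an HTTP/1.x request, rejecting every ambiguity that a
    lenient front end and a stricter back end might resolve differently."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete request head")
    lines = head.split(b"\r\n")
    m = re.match(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        raise BadRequest("malformed request line")
    headers = {}                       # lower-cased name -> list of raw values
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # Leading whitespace (obs-fold continuation) fails the token check too.
        if not colon or not TOKEN.match(name):
            raise BadRequest("malformed header name %r" % name)
        value = value.strip(b" \t")
        if CTL.search(value):
            raise BadRequest("control byte in header %r" % name)
        headers.setdefault(name.lower(), []).append(value)

    if len(headers.get(b"host", [])) != 1:
        raise BadRequest("exactly one Host header is required")
    cl = headers.get(b"content-length", [])
    te = headers.get(b"transfer-encoding", [])
    if cl and te:
        raise BadRequest("Content-Length together with Transfer-Encoding")
    if len(set(cl)) > 1 or any(not re.fullmatch(rb"[0-9]+", v) for v in cl):
        raise BadRequest("conflicting or non-numeric Content-Length")
    if te and te[-1].lower() != b"chunked":
        raise BadRequest("unsupported final transfer coding")
    return m.group(1), m.group(2), headers, body


def is_accepted(raw):
    try:
        parse_request_strict(raw)
        return True
    except BadRequest:
        return False


# Constructed requests for the demo.
CLEAN = b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 2\r\n\r\n{}"
DUP_HOST = b"GET / HTTP/1.1\r\nHost: app.example\r\nHost: evil.example\r\n\r\n"
NUL_IN_VALUE = b"GET / HTTP/1.1\r\nHost: app.example\r\nX-Forwarded-For: a\x00b\r\n\r\n"
CL_TE = (b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
OBS_FOLD = b"GET / HTTP/1.1\r\nHost: app.example\r\nX-A: 1\r\n  chunked\r\n\r\n"
```

Rejecting rather than "fixing" an ambiguous request is the point: a proxy that silently picks one interpretation and forwards the bytes unchanged is precisely the component that gets desynchronised from the server behind it.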
NVD GitHub
CVE-2026-5311
EPSS 0% CVSS 5.5
MEDIUM This Month

Improper access controls in D-Link DNS and DNR series NAS devices allow unauthenticated remote attackers to manipulate the cmd argument in the Webdav_Access_List function via /cgi-bin/file_center.cgi, resulting in information disclosure with CVSS 5.5. Public exploit code is available, placing affected devices at immediate risk of unauthorized data access.

D-Link Information Disclosure
NVD GitHub VulDB
CVE-2026-34518
EPSS 0% CVSS 2.7
LOW PATCH Monitor

AIOHTTP prior to version 3.13.4 leaks sensitive authentication credentials across origin boundaries during HTTP redirects by failing to drop Cookie and Proxy-Authorization headers while inconsistently removing the Authorization header. This information disclosure vulnerability affects all Python applications using vulnerable AIOHTTP versions when following cross-origin redirects, potentially exposing session tokens and proxy credentials to untrusted origins. No public exploit code or active exploitation has been identified; EPSS is 0%, and the low CVSS score (2.7) reflects the limited, confidentiality-only impact.

Python Information Disclosure
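The cross-origin redirect rule that CVE-2026-34518 describes aiohttp getting wrong can be stated in a few lines. The following is an added example, not aiohttp's implementation: an origin comparison and a simulated redirect-following client run over a constructed redirect chain. The URLs, the header values and the `responses` table are made up for the demo; no network is used.

```python
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials for one origin and must never follow a
# redirect to another one.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def origin(url):
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, (parts.hostname or "").lower(), port


def headers_for_hop(current_url, next_url, headers):
    """Return the headers to send on the redirect target: unchanged on the same
    origin, with credential headers removed on a cross-origin hop (including an
    https -> http downgrade on the same host, which changes the origin)."""
    if origin(current_url) == origin(next_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


def follow_redirects(start_url, headers, responses, max_hops=5):
    """Simulate a client. `responses` maps a URL to (status, Location) and is
    constructed for the demo. Returns [(url, headers sent)] in request order."""
    url, sent, trace = start_url, dict(headers), []
    for _ in range(max_hops + 1):
        trace.append((url, dict(sent)))
        status, location = responses.get(url, (200, None))
        if status not in (301, 302, 303, 307, 308) or location is None:
            return trace
        next_url = urljoin(url, location)          # Location may be relative
        sent = headers_for_hop(url, next_url, sent)
        url = next_url
    raise RuntimeError("too many redirects")


# Constructed redirect chain for the demo.
RESPONSES = {
    "https://api.example.com/v1/report": (302, "/v1/report/latest"),                    # same origin
    "https://api.example.com/v1/report/latest": (302, "https://cdn.example.net/r.pdf"),  # cross origin
}
START_HEADERS = {
    "Authorization": "Bearer tok",
    "Proxy-Authorization": "Basic cHJveHk6cHc=",
    "Cookie": "session=abc",
    "Accept": "application/pdf",
}
```

Proxy-Authorization is a special case: it is meant for the proxy, not the origin, so a client should only ever add it on the proxy connection rather than treat it as a per-origin header at all.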
NVD GitHub VulDB
CVE-2026-34515
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

AIOHTTP static resource handler on Windows exposes NTLMv2 remote path information to unauthenticated remote attackers, allowing information disclosure with high confidentiality impact. Versions prior to 3.13.4 are affected. The vulnerability has been patched and no active exploitation has been confirmed at this time.

Python Information Disclosure Microsoft
NVD GitHub VulDB
CVE-2026-28805
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Time-based blind SQL injection in OpenSTAManager ≤2.10.1 allows authenticated users to extract complete database contents including credentials, financial records, and PII through multiple AJAX select handlers. The vulnerability affects three core modules (preventivi, ordini, contratti) where the `options[stato]` GET parameter is concatenated directly into SQL WHERE clauses without validation. Exploitation requires only low-privilege authentication (CVSS PR:L) and has been confirmed with working proof-of-concept code demonstrating 10-second SLEEP delays and successful extraction of admin username, bcrypt password hashes, and MySQL version. Vendor-released patches are available in version 2.10.2 via commits 50b9089 and 679c40f. No public exploit identified at time of analysis beyond researcher PoC, with CVSS 8.8 (High) reflecting network accessibility, low complexity, and complete confidentiality/integrity/availability impact.

PHP SQLi Denial Of Service +2
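The defect behind CVE-2026-28805 is a request parameter concatenated into a WHERE clause. The following is an added example, not OpenSTAManager's code: the vulnerable concatenation beside a parameterized query and an allow-listed variant, run against a constructed SQLite table. The table, rows, state names and the payload are assumptions for the demo; SQLite has no SLEEP(), so the boolean tautology stands in for the time-based payload the advisory describes.

```python
import sqlite3


def make_demo_db():
    """Constructed stand-in for a quotes table; not OpenSTAManager's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE preventivi (id INTEGER PRIMARY KEY, stato TEXT, cliente TEXT)")
    conn.executemany(
        "INSERT INTO preventivi (stato, cliente) VALUES (?, ?)",
        [("bozza", "Acme"), ("accettato", "Globex"), ("rifiutato", "Initech")],
    )
    return conn


def options_vulnerable(conn, stato):
    # Defect pattern: the request parameter is spliced into the WHERE clause.
    sql = "SELECT id, cliente FROM preventivi WHERE stato = '" + stato + "'"
    return conn.execute(sql).fetchall()


def options_parameterized(conn, stato):
    # The value travels as a bound parameter; quotes inside it cannot end the literal.
    return conn.execute(
        "SELECT id, cliente FROM preventivi WHERE stato = ?", (stato,)
    ).fetchall()


def options_allowlisted(conn, stato):
    # For an enum-like filter, stricter still: refuse anything not in the known states.
    if stato not in {"bozza", "accettato", "rifiutato"}:
        raise ValueError("unknown stato")
    return options_parameterized(conn, stato)


def is_rejected_by_allowlist(conn, stato):
    try:
        options_allowlisted(conn, stato)
        return False
    except ValueError:
        return True


# Boolean-style payload: the tautology turns the filter off entirely.
PAYLOAD = "x' OR '1'='1"
```

With the parameterized form the same payload is just a string that matches no row; with the allow-list it never reaches the database. Time-based blind extraction needs the vulnerable form: each SLEEP-conditioned query leaks one bit, which is why the advisory's PoC can recover hashes without ever seeing query output.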
NVD GitHub
CVE-2026-35000
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local filesystem disclosure in ChangeDetection.io <0.54.7 allows authenticated remote attackers to read arbitrary files via incomplete XPath 3.0/3.1 function blocklist bypass. The SafeXPath3Parser implementation fails to block dangerous file-access functions like json-doc(), enabling sensitive data exfiltration. EPSS data unavailable; no public exploit identified at time of analysis. SSVC assessment indicates partial technical impact with non-automatable exploitation requiring authentication.

Information Disclosure
NVD GitHub VulDB
CVE-2026-34447
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

ONNX versions prior to 1.21.0 allow local attackers to read arbitrary files outside the model directory through symlink traversal during external data loading, requiring user interaction to load a malicious model file. The vulnerability has a CVSS score of 5.5 (medium severity) and is classified as information disclosure with confirmed patch availability in version 1.21.0.

Information Disclosure Microsoft
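Symlink traversal of the kind in CVE-2026-34447 defeats checks that only normalise the path lexically. The following is an added example, not ONNX's loader: a naive join beside a containment check that resolves symlinks first, exercised on a constructed model directory whose "weights.bin" is a symlink pointing outside it. Function names, file names and the secret's contents are made up for the demo.

```python
import os
import tempfile


class UnsafePath(ValueError):
    pass


def join_naive(base_dir, relative_path):
    # Defect pattern: lexical normalisation only. A symlink placed inside
    # base_dir is not visible to normpath, so it passes this prefix check.
    base = os.path.abspath(base_dir)
    target = os.path.normpath(os.path.join(base, relative_path))
    if not target.startswith(base + os.sep):
        raise UnsafePath(relative_path)
    return target


def join_contained(base_dir, relative_path):
    """Resolve relative_path under base_dir after following symlinks and
    refuse the result if it ends up outside base_dir."""
    if os.path.isabs(relative_path):
        raise UnsafePath("absolute external-data location")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative_path))
    if os.path.commonpath([base, target]) != base:
        raise UnsafePath(f"{relative_path!r} resolves outside {base_dir!r}")
    return target


def _rejected(fn, *args):
    try:
        fn(*args)
        return False
    except UnsafePath:
        return True


def demo():
    """Build a model directory whose 'weights.bin' is a symlink to a file
    outside it (constructed scenario) and compare the two joins."""
    with tempfile.TemporaryDirectory() as tmp:
        model_dir = os.path.join(tmp, "model")
        os.mkdir(model_dir)
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("not for the model loader")
        os.symlink(secret, os.path.join(model_dir, "weights.bin"))
        with open(join_naive(model_dir, "weights.bin")) as fh:
            leaked = fh.read()             # naive join happily follows the link
        return {
            "naive_leaks": leaked == "not for the model loader",
            "naive_rejects_dotdot": _rejected(join_naive, model_dir, "../secret.txt"),
            "strict_rejects_symlink": _rejected(join_contained, model_dir, "weights.bin"),
            "strict_rejects_dotdot": _rejected(join_contained, model_dir, "../secret.txt"),
            "strict_keeps_normal": _rejected(join_contained, model_dir, "data/weights.bin") is False,
        }
```

Resolving both sides with realpath matters: the base itself may live behind a symlink (for example /tmp on macOS), and comparing a resolved target against an unresolved base would reject legitimate files. A check of this shape still races against a symlink created between the check and the open; where that matters, open with O_NOFOLLOW or openat-style directory-relative calls.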
NVD GitHub
CVE-2026-34445
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Arbitrary attribute injection in ONNX Python library (versions prior to 1.21.0) allows unauthenticated remote attackers to manipulate internal object properties by embedding malicious metadata in ONNX model files, resulting in potential information disclosure, data integrity violations, and high availability impact (CVSS 8.6). The vulnerability stems from unchecked use of Python's setattr() with externally-controlled keys during ExternalDataInfo deserialization. No public exploit code or CISA KEV listing identified at time of analysis, but proof-of-concept development is trivial given the straightforward nature of Python attribute manipulation. EPSS data not provided, but the unauthenticated network-accessible attack vector and low complexity suggest material risk for organizations processing untrusted ONNX models.

Python Microsoft Information Disclosure
NVD GitHub
CVE-2026-34236
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Insufficient entropy in cookie encryption within Auth0 PHP SDK versions 8.0.0 through 8.18.x enables brute-force attacks against session cookie encryption keys, potentially allowing authenticated threat actors with network access to forge arbitrary session cookies and bypass authentication controls. Vendor-released patch available in version 8.19.0. No public exploit identified at time of analysis, though CVSS score of 8.2 reflects high severity due to potential for complete authentication bypass with cross-scope impact.

PHP Information Disclosure
NVD GitHub
CVE-2026-5310
EPSS 0% CVSS 2.0
LOW POC PATCH Monitor

Iperius Backup versions up to 8.7.2 use a hard-coded cryptographic key for IperiusAccounts.ini file encryption, allowing local authenticated attackers with low privileges to decrypt stored credentials and extract sensitive account information. The vulnerability requires high attack complexity and local access, resulting in a CVSS 2.0 score with low confidentiality impact; a publicly available proof-of-concept exploit exists, and vendor-released patch version 8.7.4 fixes the issue.

Information Disclosure
NVD VulDB GitHub
CVE-2026-20160
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in Cisco Smart Software Manager On-Prem allows unauthenticated attackers to execute arbitrary commands with root privileges via an exposed internal service API. The vulnerability stems from unintentional exposure of an internal service that accepts crafted API requests, enabling full system compromise. With a CVSS score of 9.8 and complete attack vector accessibility over the network requiring no authentication or user interaction, this represents a critical security exposure for organizations using SSM On-Prem for Cisco software license management, though no public exploit identified at time of analysis.

Cisco Information Disclosure
NVD
CVE-2026-20151
EPSS 0% CVSS 7.3
HIGH This Week

Privilege escalation in Cisco Smart Software Manager On-Prem (SSM On-Prem) web interface allows authenticated remote attackers with System User role to gain administrative access by intercepting session credentials from status messages. CVSS 7.3 (High severity) with network attack vector, low complexity, and requires low privileges plus user interaction. No public exploit code or active exploitation confirmed at time of analysis (EPSS data not provided).

Cisco Information Disclosure
NVD
CVE-2026-20042
EPSS 0% CVSS 6.5
MEDIUM This Month

Cisco Nexus Dashboard configuration backup feature allows authenticated administrators to extract sensitive authentication credentials from encrypted backup files, enabling subsequent unauthorized access to internal APIs and arbitrary root-level command execution on the underlying operating system. The vulnerability requires possession of both a valid backup file and its encryption password, limiting exploitation to administrators or attackers with backup file access. CVSS 6.5 reflects the high-privilege requirement (PR:H) despite high confidentiality and integrity impact; no public exploit or active exploitation has been identified.

Cisco Information Disclosure
NVD VulDB
CVE-2026-34751
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Account takeover via password reset flow in Payload CMS versions prior to 3.79.1 allows unauthenticated remote attackers to perform actions on behalf of users who initiate password recovery. The vulnerability stems from insufficient input validation and URL construction (CWE-472: External Control of Assumed-Immutable Web Parameter), enabling attackers to intercept or manipulate the password reset process without authentication. Affects all auth-enabled collections using built-in forgot-password functionality. CVSS 9.1 (Critical) with network-accessible, low-complexity exploitation requiring no privileges. EPSS data not available; no public exploit identified at time of analysis, but the GitHub security advisory provides detailed technical context increasing weaponization risk.

Information Disclosure
NVD GitHub
CVE-2026-4989
EPSS 0% CVSS 4.3
MEDIUM This Month

Server-side request forgery (SSRF) in Devolutions Server gateway health check feature allows low-privileged authenticated users to bypass input validation and trigger arbitrary requests, potentially disclosing sensitive information from internal systems or network resources. Affected versions are 2026.1.1-2026.1.11 and 2025.3.1-2025.3.17. No public exploit code or active exploitation has been confirmed at time of analysis.

SSRF Information Disclosure
NVD VulDB
CVE-2026-4927
EPSS 0% CVSS 6.5
MEDIUM This Month

Devolutions Server versions 2026.1.6 through 2026.1.11 expose sensitive one-time password (OTP) keys in the MFA feature, allowing authenticated users with user management privileges to retrieve other users' OTP secrets via API requests. This information disclosure vulnerability enables account takeover by attackers who obtain valid credentials with user management roles, as OTP keys are sufficient to generate valid authentication codes and bypass multi-factor authentication protections.

Information Disclosure
NVD VulDB
CVE-2026-5271
EPSS 0% CVSS 5.6
MEDIUM This Month

pymanager allows local attackers to shadow legitimate Python modules by placing malicious modules in the current working directory, leading to arbitrary code execution when the application imports standard library or third-party modules. The vulnerability affects pymanager due to insecure sys.path manipulation that includes the current working directory with high priority, enabling privilege escalation or information disclosure depending on the affected module and execution context. No public exploit code has been identified, but the local attack vector with low complexity makes this a practical risk in shared or untrusted execution environments.

Information Disclosure
NVD GitHub
CVE-2026-35094
EPSS 0% CVSS 3.3
LOW Monitor

Libinput versions prior to 1.26.0 contain a dangling pointer vulnerability in Lua plugin garbage collection that allows local authenticated attackers to read sensitive data from system logs, requiring the ability to deploy malicious Lua plugin files to system directories and Lua plugin support to be enabled in the compositor. The vulnerability has a CVSS score of 3.3 (low severity) with confirmed patch availability, and poses minimal real-world risk due to high prerequisites including local file write access and plugin enablement.

Information Disclosure
NVD VulDB
CVE-2026-30289
EPSS 0% CVSS 8.4
HIGH This Week

Tinybeans Private Family Album App v5.9.5-prod contains an arbitrary file overwrite vulnerability in its file import process that enables remote attackers to overwrite critical internal files, resulting in arbitrary code execution or information disclosure. EPSS data and KEV status are not available, and no public exploit code has been independently confirmed at the time of analysis.

RCE Information Disclosure
NVD GitHub
CVE-2026-30287
EPSS 0% CVSS 8.4
HIGH This Week

Deep Thought Industries ACE Scanner PDF Scanner v1.4.5 contains an arbitrary file overwrite vulnerability in its file import process that permits attackers to overwrite critical internal files, resulting in remote code execution or information disclosure. The vulnerability affects a mobile application distributed via Google Play Store. No active exploitation status or patch information is currently available from vendor sources.

Information Disclosure RCE
NVD GitHub
CVE-2026-22768
EPSS 0% CVSS 7.3
HIGH This Week

Incorrect permission assignment in Dell AppSync 4.6.0 enables local privilege escalation to high-impact system access. Authenticated attackers with low-privilege local access can exploit misconfigured resource permissions to elevate privileges, achieving full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis. Dell has released security advisory DSA-2026-163 addressing this vulnerability. EPSS data unavailable; CVSS 7.3 reflects significant local threat requiring user interaction.

Dell Information Disclosure
NVD
CVE-2026-22767
EPSS 0% CVSS 7.3
HIGH This Week

UNIX symbolic link following in Dell AppSync 4.6.0 allows local authenticated attackers with low privileges to tamper with information and potentially escalate impact to high integrity and availability compromise. CVSS 7.3 (High) with low attack complexity. No public exploit identified at time of analysis. EPSS data not available, but local-only access requirement significantly reduces real-world attack surface compared to remotely exploitable vulnerabilities.

Dell Information Disclosure
NVD
CVE-2026-24096
EPSS 0% CVSS 5.3
MEDIUM This Month

Insufficient permission validation in Checkmk REST API Quick Setup endpoints allows low-privileged authenticated users to perform unauthorized administrative actions or access sensitive information in versions 2.5.0 beta before 2.5.0b2 and 2.4.0 before 2.4.0p25. The vulnerability stems from missing authorization checks that fail to enforce role-based access control on multiple API endpoints, enabling privilege escalation within the monitoring platform.

Information Disclosure
NVD VulDB
CVE-2026-23411
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Race condition in Linux kernel AppArmor subsystem allows use-after-free of i_private data when filesystem callback functions access inode structures after reference counting errors. The vulnerability occurs because AppArmor releases references to private data after removing filesystem entries, but inodes can persist beyond that point and trigger filesystem callbacks that access freed memory. This affects AppArmor security policy enforcement and could lead to information disclosure or denial of service through carefully timed filesystem operations. No active exploitation has been confirmed, and the issue is addressed through upstream kernel fixes.

Linux Information Disclosure Redhat
NVD VulDB
CVE-2026-23408
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Double free vulnerability in Linux kernel AppArmor subsystem allows local attackers to cause denial of service or information disclosure by triggering memory corruption during namespace profile replacement. The flaw occurs in aa_replace_profiles() when ns_name is transferred from ent->ns_name without nulling the source pointer, resulting in the same memory region being freed twice. This is a memory corruption issue with kernel-level impact affecting all Linux distributions running vulnerable kernel versions.

Linux Information Disclosure Redhat
NVD VulDB
CVE-2026-23898
EPSS 0% CVSS 8.6
HIGH This Week

Arbitrary file deletion in Joomla! CMS com_joomlaupdate component via the autoupdate server mechanism allows remote attackers to delete files on affected servers due to insufficient input validation. The vulnerability affects all versions of Joomla! CMS through the update component and carries moderate-to-high real-world risk because file deletion can compromise system integrity, availability, and potentially enable privilege escalation or secondary attacks when combined with other weaknesses.

Information Disclosure
NVD
CVE-2026-4370
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated remote database cluster compromise in Canonical Juju (versions 3.2.0-3.6.19 and 4.0-4.0.4) allows complete data exfiltration and manipulation through missing TLS certificate validation on Dqlite database endpoints. The controller's database cluster accepts unauthorized node joins from any network-accessible attacker, granting full read/write access to all stored credentials, configurations, and orchestration data. With CVSS 10.0 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents a critical authentication bypass in infrastructure-as-code environments. No public exploit identified at time of analysis, though exploitation requires only network access to the Dqlite port without authentication complexity.

Information Disclosure
NVD GitHub
CVE-2026-4748
EPSS 0% CVSS 7.5
HIGH This Week

Packet filter (pf) rule hash calculation regression in FreeBSD causes rules with address range syntax (x.x.x.x - y.y.y.y) differing only in address ranges to be silently dropped as duplicates, loading only the first rule and potentially causing unexpected packet filtering behavior including unintended blocking or allowing of traffic. The regression affects pf's duplicate detection mechanism but does not impact rules using CIDR notation (address/mask-bits syntax). Only the first of multiple such rules is loaded, creating a silent configuration failure with no warning to administrators.

Information Disclosure
NVD
CVE-2026-2696
EPSS 0% CVSS 5.3
MEDIUM This Month

Export All URLs WordPress plugin before version 5.1 exposes private post URLs and sensitive data through predictably named CSV export files stored in the publicly accessible wp-content/uploads/ directory, allowing unauthenticated attackers to enumerate and retrieve these files via brute-force attacks against a simple 6-digit filename pattern.

WordPress Information Disclosure
NVD WPScan VulDB
CVE-2026-5292
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds read in WebCodecs component of Google Chrome prior to version 146.0.7680.178 allows remote attackers to read arbitrary memory contents via specially crafted HTML pages. The vulnerability affects all Chrome versions below the patched release and requires only HTML delivery (no authentication); exploitation could disclose sensitive data from the browser process memory, though the Chromium project assessed this as Medium severity.

Google Information Disclosure Buffer Overflow +2
NVD VulDB
CVE-2026-5291
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Information disclosure in Google Chrome's WebGL implementation prior to version 146.0.7680.178 allows remote attackers to extract potentially sensitive data from process memory by serving a crafted HTML page. The vulnerability affects all Chrome versions before the patched release and requires only user interaction (visiting a malicious webpage) to trigger memory disclosure via WebGL rendering.

Google Information Disclosure Debian +2
NVD VulDB
CVE-2026-5282
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds read in WebCodecs functionality in Google Chrome prior to version 146.0.7680.178 allows remote attackers to read arbitrary memory contents via a crafted HTML page. The vulnerability affects all Chrome versions before the patched release and requires only user interaction (visiting a malicious webpage) to trigger. No public exploit code or active exploitation has been confirmed at time of analysis.

Google Information Disclosure Buffer Overflow +3
NVD VulDB
CVE-2026-5276
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Information disclosure in Google Chrome's WebUSB implementation prior to version 146.0.7680.178 allows remote attackers to extract sensitive data from process memory by delivering a crafted HTML page, exploiting insufficient policy enforcement in the WebUSB API. The vulnerability affects all Chrome versions before 146.0.7680.178 across all platforms. No public exploit code or active exploitation has been confirmed at the time of this analysis.

Google Information Disclosure Debian +2
NVD VulDB
CVE-2026-5251
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Privilege escalation in z-9527 admin 1.0/2.0 allows authenticated users to manipulate the isAdmin parameter in the User Update Endpoint (/server/routes/user.js) to gain administrative privileges through dynamically-determined object attributes. The vulnerability requires network access and valid credentials (PR:L per CVSS vector) but no user interaction. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts, leaving all versions in the 1.x and 2.x branches unpatched.

Information Disclosure
NVD VulDB GitHub
CVE-2026-3774
EPSS 0% CVSS 4.7
MEDIUM This Month

Foxit PDF Editor allows PDF JavaScript and document actions (WillPrint/DidPrint) to modify form fields, annotations, and optional content groups immediately before or after redaction, encryption, or printing, potentially causing sensitive content to remain visible or unencrypted despite user expectations. The vulnerability affects all versions of Foxit PDF Editor and requires local access with user interaction (opening a malicious PDF). CVSS score is 4.7 with high confidentiality impact; no public exploit code or active exploitation (CISA KEV) has been identified at the time of analysis.

Information Disclosure
NVD VulDB
CVE-2026-5248
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Authenticated remote code execution via mass assignment in GougoCMS 4.08.18 User Registration Handler allows attackers with valid credentials to manipulate the 'level' parameter during registration, exploiting dynamically-determined object attributes to escalate privileges or modify sensitive user properties. The vulnerability affects the reg_submit function in Login.php and has publicly available exploit code; however, the vendor has not responded to early disclosure notification.

PHP Information Disclosure
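CVE-2026-34445 (ONNX setattr() on externally controlled keys), CVE-2026-5251 (isAdmin in a user-update body) and CVE-2026-5248 (level at registration) are the same mass-assignment defect in three code bases. The following is an added example, not the code of any of those projects: a constructed account record updated once with the "write every key" pattern and once through an allow-list with a type check. The field names mirror the advisories but the class, payloads and helper names are assumptions for the demo.

```python
from dataclasses import dataclass, fields


@dataclass
class Account:
    """Constructed account record: the privilege fields are server-owned."""
    username: str
    email: str = ""
    level: int = 1          # the GougoCMS-style 'level'
    is_admin: bool = False  # the z-9527-style 'isAdmin'


class ForbiddenField(ValueError):
    pass


def apply_update_vulnerable(account, payload):
    # Defect pattern shared by the three advisories: every key the client sent
    # is written straight onto the object, declared field or not.
    for key, value in payload.items():
        setattr(account, key, value)
    return account


CLIENT_WRITABLE = {"email"}


def apply_update_safe(account, payload):
    """Bind only allow-listed fields, with a type check against the dataclass."""
    allowed_types = {f.name: f.type for f in fields(account)}
    unknown = set(payload) - CLIENT_WRITABLE
    if unknown:
        raise ForbiddenField(f"not writable by client: {sorted(unknown)}")
    for key, value in payload.items():
        if not isinstance(value, allowed_types[key]):
            raise ForbiddenField(f"wrong type for {key}")
        setattr(account, key, value)
    return account


def safe_rejects(account, payload):
    try:
        apply_update_safe(account, payload)
        return False
    except ForbiddenField:
        return True


# Constructed request bodies.
ESCALATE = {"email": "mallory@example.net", "is_admin": True, "level": 99}
UNDECLARED = {"role": "superuser"}   # a key the model never declared still lands
BENIGN = {"email": "bob@example.net"}
```

An allow-list of client-writable fields is preferable to a deny-list of privileged ones: the deny-list has to be updated every time a new server-owned field is added, and the advisories above show how that goes.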
NVD VulDB
CVE-2025-71282
EPSS 0% CVSS 8.7
HIGH This Week

XenForo forum software versions prior to 2.3.7 disclose server filesystem paths through exception messages triggered by open_basedir PHP restrictions, enabling remote unauthenticated attackers to map internal directory structures. This information disclosure vulnerability (CWE-209) affects XenForo installations and has been addressed in version 2.3.7 with vendor-confirmed security fixes. No public exploit code or active exploitation is identified at time of analysis, though the unauthenticated remote attack vector and low complexity make reconnaissance straightforward for targeted attacks.

Information Disclosure
NVD
CVE-2025-71280
EPSS 0% CVSS 6.9
MEDIUM This Month

XenForo before version 2.3.7 exposes sensitive user account information through improper browser caching of account pages on shared systems. Local users with access to a shared machine or browser can retrieve cached account data belonging to other users who previously accessed XenForo, enabling unauthorized information disclosure without authentication. No public exploit code or active exploitation has been identified; remediation requires upgrading to XenForo 2.3.7 or later.

Information Disclosure
NVD
CVE-2026-25834
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Mbed TLS versions 3.3.0 through 3.6.5 and 4.0.0 are vulnerable to algorithm downgrade attacks via signature algorithm injection, allowing attackers to force the use of weaker cryptographic algorithms during TLS handshakes. This information disclosure vulnerability affects all applications using the affected Mbed TLS library versions and could enable attackers to compromise the confidentiality of encrypted communications by downgrading to algorithms with known weaknesses.

Information Disclosure Redhat Suse
NVD VulDB
CVE-2025-67806
EPSS 0% CVSS 3.7
LOW Monitor

Sage DPW versions before 2021_06_000 leak valid username existence through differential login response timing and messaging, enabling account enumeration without authentication. The vulnerability has a low CVSS score (3.7) reflecting limited confidentiality impact and high attack complexity, though it reduces the security barrier for subsequent targeted attacks against known valid accounts. No active exploitation has been confirmed.

Information Disclosure
NVD
CVE-2025-67807
EPSS 0% CVSS 4.7
MEDIUM This Month

Sage DPW 2025_06_004 and earlier versions enable username enumeration through differential login responses, allowing remote attackers to discover valid user accounts without authentication. On-premise administrators of recent versions can disable this behavior through a configuration option.

Information Disclosure
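The enumeration oracle in CVE-2025-67806 and CVE-2025-67807 has two halves, the message and the timing, and a fix has to close both. The following is an added example, not Sage's code: a login routine that returns a distinct message and skips hashing for unknown users, beside one that verifies a dummy credential on that path and returns one generic failure. The user table, hash parameters and messages are assumptions for the demo.

```python
import hashlib
import hmac
import secrets


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# A dummy credential that is verified when the username does not exist, so the
# unknown-user path costs the same as the wrong-password path.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash(secrets.token_urlsafe(16), _DUMMY_SALT)
GENERIC_FAILURE = "Invalid username or password"


def login_enumerable(users, username, password):
    # Defect pattern: a different message, and no hashing at all, for unknown
    # users. The response text and the response time both leak existence.
    if username not in users:
        return False, "Unknown user"
    salt, stored = users[username]
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return False, "Wrong password"
    return True, "OK"


def login_uniform(users, username, password):
    # Always run the full hash and the constant-time compare, then decide.
    salt, stored = users.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(stored, _hash(password, salt))
    if matched and username in users:
        return True, "OK"
    return False, GENERIC_FAILURE


def make_users():
    """Constructed user table for the demo."""
    salt = secrets.token_bytes(16)
    return {"alice": (salt, _hash("correct horse", salt))}
```

The remaining timing difference (a dictionary lookup) is orders of magnitude below the key-derivation cost, which is what makes the dummy-verify approach effective. Registration, password reset and "forgot username" flows are the usual places the same oracle reappears after login has been fixed.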
NVD
CVE-2026-30573
EPSS 0% CVSS 7.5
HIGH POC This Week

Pharmacy Product Management System 1.0 accepts negative price and total cost values in sales transactions due to insufficient input validation in add-sales.php, enabling attackers to manipulate financial records, corrupt sales reports, and cause financial loss. The vulnerability allows unauthenticated or low-privilege users to submit arbitrary negative values that bypass business logic controls. Publicly available exploit code exists demonstrating this business logic flaw.

Information Disclosure PHP
NVD GitHub VulDB
CVE-2026-25835
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Mbed TLS before version 3.6.6 and TF-PSA-Crypto before version 1.1.0 contain a PRNG seed misuse vulnerability that enables information disclosure. An attacker who gains access to a seeded PRNG instance can potentially predict or replicate pseudo-random number generation, compromising the confidentiality of cryptographic material. The vulnerability affects cryptographic libraries used in embedded systems and IoT devices; vendor security advisories are available.

Information Disclosure Suse
NVD VulDB
CVE-2026-34871
EPSS 0% CVSS 6.7
MEDIUM This Month

Mbed TLS 3.x before 3.6.6, 4.x before 4.1.0, and TF-PSA-Crypto before 1.1.0 contain a predictable seed vulnerability in their pseudo-random number generator (PRNG) implementation that compromises the cryptographic strength of generated random values. Attackers with knowledge of the seed initialization mechanism can predict PRNG output, enabling them to forge cryptographic material, decrypt communications, or impersonate legitimate parties. No active exploitation has been confirmed, but the information disclosure nature of this vulnerability affects all applications relying on these libraries for cryptographic operations.

Information Disclosure
NVD VulDB
CVE-2026-30291
EPSS 0% CVSS 8.4
HIGH This Week

Arbitrary file overwrite in Ora Tools PDF Reader & Editor APP v4.3.5 enables attackers to overwrite critical internal files through the file import process, resulting in arbitrary code execution or information exposure. The vulnerability affects the Android application and has been publicly disclosed; however, CVSS scoring, CISA KEV status, and vendor patch availability have not been independently confirmed at time of analysis.

Information Disclosure RCE
NVD GitHub VulDB
CVE-2026-30292
EPSS 0% CVSS 8.4
HIGH This Week

Arbitrary file overwrite in Docudepot PDF Reader v1.0.34 enables attackers to overwrite critical internal files through the file import process, resulting in arbitrary code execution or information exposure. The vulnerability affects the mobile PDF viewer application across Android platforms. No public exploit code or active exploitation has been confirmed at time of analysis, though the severity of potential impact (RCE) warrants immediate investigation and patching.

RCE Information Disclosure
NVD GitHub
CVE-2026-30523
EPSS 0% CVSS 6.5
MEDIUM POC This Month

SourceCodester Loan Management System v1.0 accepts negative integer values for loan plan duration due to insufficient input validation on the months parameter, allowing attackers to create loan plans with invalid negative durations that may cause unexpected system behavior or financial miscalculations. Publicly available exploit code exists, though real-world impact depends on downstream business logic that consumes these invalid loan plans.

Information Disclosure
NVD GitHub VulDB
CVE-2026-34872
EPSS 0% CVSS 9.1
CRITICAL Act Now

Finite-field Diffie-Hellman (FFDH) in Mbed TLS 3.5.x, 3.6.0 through 3.6.5, and TF-PSA-Crypto 1.0 lacks contributory behavior due to improper validation of peer-supplied parameters, allowing an attacker to restrict the shared secret to a small set of predictable values. While the vulnerability does not directly impact TLS (which does not depend on contributory behavior), it poses a significant risk to protocols that do rely on this property, including those where an active network attacker or malicious peer can exploit the weakness. No CVSS score or public exploit code has been assigned at the time of analysis.

Information Disclosure Jwt Attack
NVD VulDB
CVE-2025-66442
EPSS 0% CVSS 5.1
MEDIUM This Month

Compiler-induced timing side channel in Mbed TLS through 4.0.0 and TF-PSA-Crypto through 1.0.0 allows information disclosure of RSA private keys and CBC/ECB-decrypted plaintext when LLVM's select-optimize feature is enabled during compilation. The vulnerability arises from compiler optimization that violates constant-time implementation guarantees, potentially exposing cryptographic material to timing analysis attacks despite developers' explicit use of constant-time code patterns.

Information Disclosure Redhat
NVD GitHub
CVE-2026-34556
EPSS 0% CVSS 6.2
MEDIUM This Month

Heap buffer overflow in iccDEV's icAnsiToUtf8() function allows local attackers to cause denial of service via a crafted ICC color profile processed by the iccToXml tool. The vulnerability exists in versions prior to 2.3.1.6 and stems from unsafe string handling that treats non-null-terminated buffers as C-strings, triggering out-of-bounds memory reads. CVSS 6.2 with local attack vector and no authentication required; vendor-released patch available in version 2.3.1.6.

Buffer Overflow Information Disclosure
NVD GitHub
CVE-2026-34554
EPSS 0% CVSS 6.2
MEDIUM This Month

Heap buffer overflow in iccDEV's CIccApplyCmmSearch::costFunc() function allows local attackers to trigger an out-of-bounds memory read via malformed JSON configuration input to the iccApplySearch tool, resulting in denial of service. The vulnerability affects iccDEV versions prior to 2.3.1.6 and has been patched; no public exploit identified at time of analysis, though the issue is straightforward to trigger with crafted input.

Buffer Overflow Information Disclosure
NVD GitHub
CVE-2026-34553
EPSS 0% CVSS 4.0
MEDIUM This Month

Local integrity modification in iccDEV prior to version 2.3.1.6 affects the CIccCLUT::Iterate() function and CLUT dumping output in CIccMBB::Describe(), allowing local attackers without privileges to alter ICC color profile data integrity. The vulnerability requires local access and produces incorrect LUT (Look-Up Table) dump output that could compromise color management workflows relying on accurate profile representation.

Information Disclosure
NVD GitHub
CVE-2026-34537
EPSS 0% CVSS 6.2
MEDIUM This Month

Local denial of service in iccDEV prior to version 2.3.1.6 allows unauthenticated local attackers to crash applications processing ICC color profiles by crafting malicious profiles that trigger undefined behavior through invalid enum values in CIccOpDefEnvVar::Exec(). The vulnerability requires local file access but no privilege escalation, with a CVSS score of 6.2 reflecting moderate real-world risk. No public exploit code or active exploitation has been identified at the time of analysis.

Information Disclosure
NVD GitHub
CVE-2026-34533
EPSS 0% CVSS 6.2
MEDIUM This Month

Undefined Behavior in iccDEV prior to version 2.3.1.6 allows local attackers to cause a denial of service by supplying a crafted ICC color profile containing invalid enum values for icChannelFuncSignature, which triggers an application crash during profile processing in CIccCalculatorFunc::ApplySequence(). The vulnerability requires local file access or the ability to provide a malicious ICC profile to an application using the library; no public exploit code has been identified.

Information Disclosure
NVD GitHub
CVE-2026-34452
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Symlink race condition in Anthropic Python SDK async filesystem memory tool (versions 0.86.0-0.86.x) allows local authenticated attackers to escape sandbox restrictions and read or write arbitrary files outside the designated memory directory. The vulnerability exploits a time-of-check-time-of-use (TOCTOU) flaw where path validation occurs before symlink resolution, enabling an attacker with memory directory write access to redirect file operations via symlink manipulation. The synchronous implementation is unaffected. Vendor-released patch: version 0.87.0.

Python Information Disclosure
NVD GitHub
CVE-2026-34550
EPSS 0% CVSS 6.2
MEDIUM This Month

Denial of service in iccDEV prior to version 2.3.1.6 is caused by undefined behavior from unsafe implicit conversion of negative signed integers to unsigned size_t in IccProfLib/IccIO.cpp. Local attackers can exploit this condition to crash applications using vulnerable iccDEV libraries by providing specially crafted ICC color profile files, resulting in high availability impact with no authentication required.

Information Disclosure
NVD GitHub
CVE-2026-34549
EPSS 0% CVSS 6.2
MEDIUM This Month

Denial of service in the iccDEV library prior to version 2.3.1.6: a crafted ICC color profile triggers undefined behavior through invalid left shift operations on 32-bit unsigned integers, causing application crashes. The vulnerability affects all iccDEV versions before 2.3.1.6 and requires only local file access to exploit (no authentication or user interaction required beyond opening a malicious profile). No public exploit code or active exploitation has been identified at time of analysis.

Information Disclosure
NVD GitHub
CVE-2026-34548
EPSS 0% CVSS 6.2
MEDIUM This Month

Denial of service in iccDEV prior to version 2.3.1.6 allows local attackers to crash the iccToXml XML conversion tool via undefined behavior caused by implicit conversion of negative signed integers to unsigned 32-bit values. The vulnerability has CVSS 6.2 (medium severity) and affects all versions before the patched release; no public exploit code has been identified, but the issue is straightforward to trigger with malformed ICC color profiles containing negative integer values.

Information Disclosure
NVD GitHub
CVE-2026-34547
EPSS 0% CVSS 6.2
MEDIUM This Month

Denial of service via undefined behavior in iccDEV versions prior to 2.3.1.6 allows local attackers to crash the iccDumpProfile tool by supplying a crafted ICC color profile. The vulnerability exploits an unsafe memory operation in IccUtil.cpp triggered during profile parsing, resulting in application termination with no authentication required. No public exploit code or active exploitation has been reported at time of analysis.

Information Disclosure
NVD GitHub
CVE-2026-34546
EPSS 0% CVSS 6.2
MEDIUM This Month

Denial of service via division by zero in iccDEV prior to version 2.3.1.6 allows local attackers to crash the iccTiffDump utility by supplying a crafted TIFF file, resulting in undefined behavior and availability impact. The vulnerability requires local file access and no authentication, but exploitation is limited to denial of service rather than code execution or information disclosure. CVSS 6.2 reflects medium severity with high availability impact; no public exploitation or CISA KEV status reported.

Information Disclosure
NVD GitHub
CVE-2026-34441
EPSS 0% CVSS 4.8
MEDIUM This Month

HTTP Request Smuggling in cpp-httplib prior to 0.40.0 allows remote attackers to inject arbitrary HTTP requests on HTTP/1.1 keep-alive connections by embedding malicious request data in the body of GET requests that the static file handler does not consume. The unread body bytes remain on the TCP stream and are interpreted as a new request, enabling information disclosure and request manipulation without authentication or user interaction.

Request Smuggling Information Disclosure
NVD GitHub VulDB
CVE-2026-34732
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

WWBN AVideo 26.0 and prior exposes sensitive user data through 21 unauthenticated API endpoints via the CreatePlugin template generator. The list.json.php template lacks authentication checks present in its companion add.json.php and delete.json.php templates, allowing remote attackers to enumerate and retrieve user PII, payment logs, IP addresses, user agents, and internal system records without authentication. No vendor patch exists at time of analysis.

Authentication Bypass Information Disclosure PHP
NVD GitHub
CVE-2026-3470
EPSS 0% CVSS 3.8
LOW Monitor

Database corruption in SonicWall Email Security appliance via improper input sanitization allows authenticated admin users to corrupt the application database by submitting crafted input. The vulnerability requires valid administrative credentials and affects all versions of SonicWall Email Security as indicated by the CPE wildcard matching. No CVSS scoring, public exploit code, or CISA KEV status is available at this time, limiting precise risk quantification.

Sonicwall Information Disclosure
NVD
CVE-2026-3469
EPSS 0% CVSS 2.7
LOW Monitor

SonicWall Email Security appliance becomes unresponsive due to improper input validation when an authenticated administrator submits malformed input, causing a denial of service. The vulnerability affects all versions of SonicWall Email Security and requires valid admin credentials to exploit. While CVSS scoring is unavailable, the attack vector is remote and authenticated, limiting exposure to insider threats or compromised admin accounts.

Sonicwall Information Disclosure
NVD
CVE-2026-34203
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Nautobot REST API user creation and modification endpoints bypass Django's configured password validation rules, allowing authenticated administrators to set or modify user passwords that fail to meet organizational security standards. Versions prior to 2.4.30 and 3.0.10 are affected; an authenticated admin with high privileges can create accounts with weak passwords despite configured AUTH_PASSWORD_VALIDATORS rules. CVSS score is 2.7 (low severity) due to requirement for authenticated administrative access; however, organizations with strict password policies relying on Nautobot's config-driven enforcement face integrity risk.

Python Brute Force Information Disclosure
NVD GitHub
CVE-2026-5210
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Remote file inclusion in SourceCodester Leave Application System 1.0 allows unauthenticated attackers to manipulate the page parameter and access arbitrary files, resulting in information disclosure. The CVSS 4.0 score of 6.9 reflects low confidentiality impact with network-based attack vector and no user interaction required. Publicly available exploit code exists, increasing practical risk despite the moderate CVSS rating.

Information Disclosure
NVD VulDB
CVE-2026-33300
EPSS 0% CVSS 5.3
MEDIUM This Month

Discourse 2026.1.0 through 2026.3.0-beta allows authenticated moderators to bypass authorization controls in the Category Chatables Controller, disclosing sensitive information about hidden group names and user counts. The vulnerability affects multiple release branches and has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0. With a CVSS score of 5.3 and low attack complexity, this represents a meaningful information disclosure risk requiring prompt patching.

Information Disclosure
NVD GitHub VulDB