Information Disclosure
Monthly
File path collision in FOSSBilling's downloadable product service allows an authenticated administrator to silently overwrite another product's stored file by uploading a file with an identical original filename. Because FOSSBilling stores uploaded files at a path derived solely from md5(<original filename>), two uploads sharing the same filename map to the same storage location - the later upload wins, and customers downloading the earlier product receive the substituted file instead. No public exploit exists and this is not in CISA KEV, but the integrity and information-disclosure impact are concrete: customers may receive incorrect - potentially confidential - product files. Version 0.8.1 patches the issue.
Unauthenticated information disclosure in FOSSBilling 0.5.3-0.7.2 exposes administrator-defined custom API key configuration fields (`custom_*`) to any caller possessing a valid API key via the guest-tier `serviceapikey/get_info` endpoint. The affected fields may contain business-sensitive operational data including pricing tiers, feature flags, rate limits, expiry overrides, and access scope data as populated by billing administrators. No public exploit has been identified and no CISA KEV listing exists, but the network-accessible, low-complexity nature of the flaw makes it trivially exploitable by any party holding or able to obtain a valid API key. Vendor patch is confirmed available in version 0.8.0.
Address bar spoofing in Firefox for iOS allows a remote unauthenticated attacker to display a trusted origin in the browser's address bar while the victim views and interacts with fully attacker-controlled content - a classic and effective phishing enabler. The attack exploits a race condition in navigation handling: a malicious page enqueues a synchronous JavaScript dialog at the moment a user navigates away, freezing the address bar on the destination's legitimate origin while the malicious page's content continues to render. No public exploit code has been identified and EPSS is 0.15% (4th percentile), indicating no observed widespread exploitation; however, the technique is conceptually simple and phishing value is high.
Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.
Out-of-bounds read in FreeType 2.14.3 exposes partial heap memory and risks process crashes when processing crafted variable fonts via the TT_Get_Var_Design code path. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects server-side or automated font processing pipelines where untrusted font data reaches FT_Get_Var_Design_Coordinates without authentication barriers. No active exploitation is confirmed in CISA KEV; however, a researcher-published gist suggests working proof-of-concept material exists, and EPSS at 0.17% (7th percentile) indicates minimal observed exploitation activity to date.
Account takeover in FOSSBilling 0.5.6 through 0.7.2 arises because the reset_password guest API endpoint reuses an existing, unexpired ClientPasswordReset token rather than rotating it on each request. An attacker who has captured a victim's earlier reset link retains a valid path to hijack the account even after the victim requests a fresh reset, since the original token is never invalidated and its 15-minute window is anchored to the first request. No public exploit is identified at time of analysis, and the CVSS 4.0 score is 7.7 (High); version 0.8.0 fixes the flaw.
Privilege escalation and unauthorized access in FOSSBilling before 0.8.0 lets authenticated low-privileged staff accounts invoke admin API endpoints they should not reach, exposing sensitive data and enabling actions reserved for higher-privilege roles. The flaw stems from the framework-level can_always_access module flag combined with weak per-endpoint permission checks, so any staff login becomes a stepping stone to sensitive settings. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the GitHub Security Advisory rates it CVSS 4.0 8.7 (High).
FOSSBilling prior to version 0.8.0 exposes sensitive administrative data to low-privileged staff accounts through an asymmetric access control flaw: write-side admin API endpoints correctly enforce fine-grained permissions, but their corresponding read endpoints lack any authorization guards entirely. Any authenticated staff user can call these read endpoints over the network and retrieve data beyond their intended access scope. No public exploit code has been identified and the vulnerability is not in CISA KEV; risk is primarily an insider-threat scenario within organizations with staff-level access to the billing platform.
FOSSBilling's PayPalEmail payment adapter prior to version 0.8.0 fails to validate IPN-supplied payment amounts against invoice totals, enabling authenticated clients to underpay invoices while having them marked as fully paid. The PayPal IPN field `mc_gross` is credited directly to the client balance without cross-checking the corresponding invoice amount, and a pre-existing $0.05 floating-point epsilon in the credit-payment logic expands the exploitable gap to $0.04 per invoice. No public exploit code exists and the vulnerability is not in CISA KEV; however, the attack is trivially executable by any registered client on a system with the PayPalEmail adapter enabled.
Race condition in FOSSBilling's cart checkout flow allows authenticated clients to exploit promo codes beyond their configured usage limits by submitting concurrent checkout requests. Affected versions prior to 0.8.0 fail to atomically check and increment promo code usage counts (CWE-367), enabling a single limited-use or one-time-use code to be redeemed unlimited times. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the attack is straightforward to automate for any authenticated user with knowledge of a valid promo code.
Complete database export and overwrite in the 9router npm application is possible for any authenticated user via the /api/settings/database endpoint, which is guarded only by the ALWAYS_PROTECTED session check (JWT or CLI token). A low-privileged attacker can GET the full database - including plaintext API keys, OAuth tokens, and OIDC client secrets - and POST an attacker-crafted database that wipes and replaces all tables, including the password hash, yielding total takeover. No CISA KEV listing exists and no standalone exploit is published, but the advisory (GHSA-qvfm-67h2-2qfx) includes detailed reproduction steps, and the default password '123456' makes obtaining the required session trivial in unhardened deployments.
Proof-system soundness bypass in the Zcash Orchard shielded pool lets a malicious prover forge valid zero-knowledge proofs that satisfy the diversified-address-integrity check pk_d = [ivk] g_d for arbitrary key triples, breaking the binding between an Action and the note's real incoming viewing key, nullifier, and spend authorizing key. The flaw enables an undetectable double-spend within the Orchard pool (bounded only by Zcash's turnstile supply limit) and, given knowledge of a note plaintext, theft of another user's funds by forging spend authorization. No public exploit is identified and there is no evidence of exploitation before remediation, but the bug was live in consensus since NU5 (May 31, 2022) and was fixed via the NU6.2 hard fork on June 3, 2026.
Privilege retention in FOSSBilling before 0.8.0 allows a suspended or deactivated client, staff, or admin to keep full authenticated access because the session identity loaders in src/di.php never re-check account status. Suspending or deactivating a user does not terminate their live session - access persists until the session expires naturally. This is an authenticated (PR:L) session-management flaw with no public exploit identified at time of analysis and no CISA KEV listing; the vendor rates it 8.7 (CVSS 4.0).
Cross-boundary information disclosure in Coder's workspace app proxy allows an attacker who controls a shared workspace app to read a victim user's private app responses by forging the X-Forwarded-Host header. The proxy trusts this client-supplied header for routing decisions while simultaneously authorizing the request with the victim's own session cookie - which the browser attaches to any subdomain because cookies are scoped to the wildcard parent domain - enabling the attacker to steer responses from private apps back through their own JavaScript. Exploitation requires subdomain app routing (wildcard hostname) to be enabled and the victim to visit the attacker's shared app; no public exploit code or CISA KEV listing has been identified at time of analysis.
HSTS header delivery is permanently broken in gofiber/fiber's helmet middleware due to a logic error that compares the HTTP protocol version string ('HTTP/1.1', 'HTTP/2.0') against the literal string 'https' - a comparison that is always false in any real deployment, making the entire HSTS conditional block dead code. Applications using Fiber that configure HSTSMaxAge expecting HSTS protection receive none, silently eliminating a security control that operators believe is active. A maintainer-runnable POC confirming the bug has been published with the advisory; no CISA KEV listing exists, but any application relying on helmet for HSTS protection has had that protection stripped since the erroneous code was introduced.
Unauthorized tool invocation in the Langroid Python LLM-agent framework lets a user of an exposed chat interface directly execute server-side tool handlers by sending raw tool JSON, even when the tool was registered with use=False, handle=True. Because the dispatch path (agent_response → handle_message → get_tool_messages) never checks whether a message originated from Entity.USER versus Entity.LLM, the use=False guard — which developers reasonably assume blocks end-user invocation — only stops the LLM from emitting the tool, not a user from calling it. A working PoC exists in the advisory (publicly available exploit code exists); depending on which handled tools are enabled, this yields file read/write, database queries, or access to internal orchestration tools.
Sensitive key material can be exposed in Qualcomm Snapdragon platforms because AES-GCM key wrapping is performed with a hardcoded/static initialization vector instead of a unique per-call nonce. A local, low-privileged attacker who can collect multiple wrapped outputs can exploit the resulting IV/nonce reuse to recover confidentiality and forge integrity of wrapped keys. There is no public exploit identified at time of analysis, and the issue is disclosed via Qualcomm's July 2026 security bulletin.
Remote image auto-fetch in the OpenAI Codex desktop app for macOS (versions prior to 26.527.31326) enables silent exfiltration of session secrets via indirect prompt injection. An attacker who can place malicious instructions into content processed by Codex - such as a tool result, API response, or file read during a session - can manipulate the model into generating a Markdown image tag whose URL encodes sensitive data; the app then automatically fetches that URL, transmitting API keys, source code, or tool-returned data to an attacker-controlled server with no additional user action. No active exploitation is confirmed (not listed in CISA KEV), no public proof-of-concept is identified, and EPSS sits at 0.16% (6th percentile), indicating low current exploitation probability despite the high-value target profile of affected users.
RSA PKCS#1 v1.5 decryption in OP-TEE's Hisilicon HPRE hardware accelerator driver exposes a Bleichenbacher-style padding oracle, allowing a local attacker to recover RSA plaintext by adaptively querying the oracle. Affected are optee_os versions 4.5.0 through 4.10.x built with Hisilicon HPRE support (CFG_HISILICON_ACC_V3=y) on Arm TrustZone-based platforms. No public exploit code or CISA KEV listing exists; exploitation is constrained by local access requirements and the high query volume characteristic of Bleichenbacher-class attacks.
Symlink traversal in Hugo's virtual filesystem (v0.123.0-v0.163.0) allows a symlink planted inside a theme or local mount to escape the mount sandbox and return the contents of arbitrary files accessible to the OS user running the hugo build. A regression in RootMappingFs.statRoot introduced a Stat call where Lstat was required, silently resolving symlinks that cross mount boundaries. No public exploit code or CISA KEV listing exists; the issue is fixed in v0.163.1.
RSA-OAEP decryption in OP-TEE OS versions 3.9.0 through 4.10.x exposes a Manger-style padding oracle via the NXP CAAM hardware crypto driver, enabling local low-privileged attackers to recover RSA-OAEP plaintext through approximately 1,000-2,000 adaptive chosen-ciphertext queries. The flaw arises from non-constant-time memcmp() usage during label hash verification combined with multiple distinguishable error paths that leak oracle-exploitable timing and response information. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is constrained to NXP CAAM-equipped platforms with the RSA driver enabled.
Authentication bypass in Tenda router firmware (AC10, AC5, AC6, FH1201, W15E) lets any user log in as administrator via a hidden vendor backdoor: after normal MD5-based login fails, the /bin/httpd login() routine at 0x4c88b8 falls back to a plaintext strcmp() against the 'sys.rzadmin.password' config value, granting role=2 (admin) with any username. Reported through CERT/CC (VU#213560), it is not in CISA KEV and has no public exploit identified at time of analysis, with a low EPSS score of 0.24% (15th percentile). The flaw is a classic CWE-912 hidden-functionality backdoor mapped to CVSS 9.8.
RSA-OAEP decryption in OP-TEE OS versions 4.5.0 through 4.10.x exposes a Manger-style padding oracle via the Hisilicon HPRE hardware crypto driver, enabling a local attacker to recover RSA-OAEP plaintext through approximately 1000-2000 adaptive chosen ciphertext queries. The root cause is a non-constant-time `memcmp()` used for label hash verification combined with distinguishable error paths - classic CWE-208 timing side-channel conditions. Impact is heavily constrained by a non-default build requirement: only Hisilicon D06 (plat-d06) hardware built with `CFG_HISILICON_ACC_V3=y` is exposed, and no public exploit or active exploitation has been identified at time of analysis.
Channel-binding downgrade in the pgjdbc PostgreSQL JDBC Driver (releases 42.7.4 through 42.7.11) lets an active man-in-the-middle silently strip SCRAM-SHA-256-PLUS channel binding down to plain SCRAM-SHA-256 even when the client explicitly set channelBinding=require, defeating the exact protection that setting promises. The flaw stems from the bundled com.ongres.scram:scram-client returning an empty binding for certificates whose signature algorithm lacks a tls-server-end-point hash, combined with pgJDBC's ScramAuthenticator failing to reject that empty binding. No public exploit identified at time of analysis and it is not listed in CISA KEV; it is fixed in 42.7.12.
Denial-of-service via memory exhaustion in Python Pillow before 12.3.0 allows a crafted GD-format (.gd) image to trigger excessive C-heap allocation when opened, because GdImageFile._open() reads image dimensions straight from the GD 2.x header without invoking Pillow's Image._decompression_bomb_check() guard. Any application that loads untrusted .gd files with a vulnerable Pillow version can be crashed or driven into out-of-memory conditions. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 (availability-only impact).
Uncontrolled memory allocation in Python Pillow before 12.3.0 allows a maliciously crafted font file to trigger excessive memory consumption and denial of service when its glyphs are compiled into a combined bitmap. FontFile.compile() builds the output image via Image.new("1", (xsize, ysize)) without invoking Pillow's decompression-bomb guard, so oversized glyph dimensions are allocated unchecked during conversion or saving. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the availability-only impact (CVSS 7.5) reflects resource exhaustion rather than code execution or data disclosure.
Uncontrolled memory allocation in the Python Pillow imaging library (all versions prior to 12.3.0) allows a crafted PCF bitmap font to exhaust process memory and crash the host application. The PcfFontFile bitmap loader trusts attacker-supplied glyph dimensions from the font's METRICS section and hands them straight to Image.frombytes() while skipping Pillow's decompression-bomb guard. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw is an availability-only denial of service (CVSS 7.5), not the information disclosure implied by the source tag.
c-ares, the widely-embedded asynchronous DNS resolver library, received a security fix in version 1.34.7 addressing CVE-2026-33630, disclosed via the oss-security mailing list. The vulnerability was reported by Haruto Kimura of Stella and is also tracked under GHSA-pjmc-gx33-gc76 and GHSA-jv8r-gqr9-68wj. The nature of the flaw, its exploitability, and precise impact are not determinable from the available input data - no description, CVSS vector, or CWE was provided.
Information disclosure in HP Deskjet 2800 Series printers running firmware TBP1CN2612AR or earlier lets an unauthenticated attacker on the network read sensitive configuration - including plaintext Wi‑Fi Direct credentials, device identity, and administrative security state - by sending plain GET requests to administrative API endpoints. The same data is gated behind administrator login in the web UI, so these API endpoints bypass the product's own access-control model. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Improper data-query neutralization (NoSQL injection) in the web application component of BeyondTrust Remote Support and Privileged Remote Access allows an authenticated, low-privileged attacker to manipulate input parameters and read resources or data beyond their authorization scope. The flaw enables information disclosure across authorization boundaries and, per the vendor's CVSS 4.0 vector, can impact downstream systems. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation is restricted to accounts holding specific permissions.
Heap out-of-bounds read in the Perl Imager module (versions before 1.032) lets a crafted SGI image over-read past a decode buffer and crash the process. The flaw lives in the bundled Imager::File::SGI reader's read_rgb_16_rle routine, where a 16-bit RLE literal run is length-checked in pixels but consumed as two bytes per pixel, defeating the bounds guard. No public exploit is identified at time of analysis and it is not listed in CISA KEV; a vendor patch shipped in 1.032.
Double-free memory corruption in GPAC MP4Box up to version 2.5-DEV allows a local, low-privileged attacker to trigger heap corruption via a crafted MP4 file processed by the `gf_isom_nalu_sample_rewrite` function, resulting in low availability impact (crash). No confidentiality or integrity impact is indicated by the CVSS 4.0 vector despite the 'Information Disclosure' tag in VulDB, which appears inconsistent with the scored metrics. A public POC exists at GitHub, but no active exploitation has been confirmed and this CVE is not listed in CISA KEV.
Local privilege/code manipulation in B&R Industrial Automation's APROL process control system (all versions before R 4.4-01P5) arises from an untrusted search path (CWE-426), allowing a low-privileged local user to plant a malicious executable or library that the application loads from an attacker-influenced directory. Successful exploitation yields high confidentiality and integrity impact on the affected engineering/operator station. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.4 (High).
Improper TLS certificate validation in B&R Industrial Automation's APROL process control system (all versions before R 4.4-01P5) lets a network-positioned attacker intercept and tamper with supposedly encrypted communications. Because APROL fails to properly verify certificates (CWE-295), an adversary able to sit between components can decrypt sensitive process data and inject manipulated messages. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but the CVSS 4.0 base score of 9.1 reflects the high confidentiality and integrity impact.
Improper input validation in Apache Camel (versions through 4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.0) allows remote attackers to trigger information disclosure and limited integrity/availability effects against exposed Camel integration endpoints. The CVSS 3.1 base score is 7.3 (High) with a fully remote, unauthenticated vector, and the Apache-issued advisory tags the flaw as Information Disclosure. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-privilege vector warrants prompt patching.
Improper input validation in Apache Camel - the open-source Java integration framework - affects versions through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.0, and per the Apache-published advisory carries partial (Low) impact to confidentiality, integrity, and availability. Tagged as an Information Disclosure issue, it is remotely reachable per the CVSS network vector and appears to let a remote attacker submit malformed input that the framework fails to properly validate, potentially exposing limited data or perturbing message processing. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Improper input validation in Apache Camel versions 4.8.0 through 4.18.2 and 4.19.0 through 4.20.0 allows remote unauthenticated attackers to send crafted input that the framework fails to validate, yielding limited information disclosure and partial integrity/availability impact per the CVSS vector. The flaw is reported directly by the Apache Software Foundation and is fixed in 4.18.3 and 4.21.0; there is no public exploit identified at time of analysis and it is not on the CISA KEV list. The moderate 7.3 (High) score reflects easy network reachability but limited per-impact severity (C:L/I:L/A:L).
Information disclosure in SUSE Rancher AI Agent 1.0 before 1.0.2 writes API keys and raw LLM response text (which may contain sensitive data) into logfiles when the DEBUG loglevel is enabled, letting a local attacker with access to those logs harvest credentials and confidential model output. Rated CVSS 4.0 base 7.0, the flaw requires local access and high privileges plus a non-default debug configuration. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Information disclosure in uniFLOW Universal Login Manager (ULM) Standalone exposes sensitive SMTP and LDAP integration configuration data to authenticated administrators via the Remote User Interface (RUI). The flaw, classified under CWE-522 (Insufficiently Protected Credentials), applies exclusively to Standalone ULM deployments - environments integrated with uniFLOW Server or uniFLOW Online are explicitly confirmed unaffected. No public exploit code has been identified at time of analysis, and exploitation requires high-privilege access on an adjacent network, substantially limiting real-world risk.
Confused-deputy operation redirection in the Apache Camel camel-cxf SOAP component (versions 4.0.0 before 4.14.8, 4.15.0 before 4.18.3, and 4.19.0 before 4.21.0) lets an attacker steer which backend SOAP operation gets invoked. Because the operationName / operationNamespace selection headers lacked the Camel/camel prefix, HttpHeaderFilterStrategy failed to strip them at the HTTP boundary, so in any route bridging an HTTP consumer (e.g. platform-http) into a cxf: producer, an HTTP client could inject these headers and force CxfProducer to call a different WSDL operation than intended - for example swapping a read for a destructive write. No public exploit is identified at time of analysis, EPSS is low (0.15%), and it is not in CISA KEV.
Header injection in Apache Camel Mail Component enables attackers to override SMTP JavaMail session properties by supplying crafted headers in the mail.smtp./ mail.smtps. namespace through any untrusted inbound protocol - including HTTP query parameters, JMS, or Kafka - that feeds into a Camel route terminating at an SMTP producer. On releases before 4.19.0, the most severe impact is full SMTP host redirection: the producer reconnects to an attacker-controlled server and authenticates with the endpoint's configured credentials, resulting in credential theft. On 4.19.0 through pre-4.21.0, host redirection is blocked, but attackers can still weaken transport security (disabling STARTTLS, manipulating SSL trust, or injecting a SOCKS proxy) and intercept outgoing mail content. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Header injection in the Apache Camel camel-nats component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) allows any NATS client that can publish to a consumed subject to inject arbitrary Camel-internal control headers into the Exchange because the consumer's default DefaultHeaderFilterStrategy has no inbound filter rules. An attacker can override headers such as CamelHttpUri, CamelFileName, or CamelSqlQuery to redirect HTTP producers, rename files, or alter queries in downstream route steps. No public exploit identified at time of analysis; EPSS is low (0.19%, 9th percentile) and CISA SSVC lists exploitation as none, but the flaw is remotely reachable without credentials when the NATS server runs with its default (no-auth) configuration.
Authentication token-lifetime bypass in the Apache Camel Keycloak component (camel-keycloak) affects versions 4.18.0-4.18.2 and 4.19.0-4.20.x, allowing expired or not-yet-valid Keycloak access tokens to be accepted as valid. The KeycloakSecurityHelper builds its TokenVerifier via withChecks() with only subject and issuer checks, so Keycloak's IS_ACTIVE exp/nbf validation is never installed, and any route relying on this helper will trust tokens outside their intended lifetime. NVD scores it CVSS 9.8, though EPSS is low (0.15%, 5th percentile) and there is no public exploit identified at time of analysis.
Sensitive information exposure in Prog Management System (developed by PROG MIS) allows unauthenticated remote attackers to access a specific page that discloses the database account name and password. With valid database credentials leaked, an attacker gains a direct path to full compromise of the backing database and any data it holds. There is no public exploit identified at time of analysis, but the flaw is trivially exploitable given the CVSS 4.0 score of 9.3 (critical) and reported unauthenticated network vector.
Divide-by-zero in GPAC's TeXML file handler crashes the process when a crafted file carries a zero or invalid txml_timescale value, triggering an unhandled arithmetic exception in txtin_probe_duration. The affected version is the development snapshot 26.03-DEV-rev342-g80071f700-master; exploitation is constrained to local users able to supply malicious input files, with impact limited to a process-level denial of service. No active exploitation or public proof-of-concept has been identified; an upstream fix commit is available on GitHub but no patched stable release has been independently confirmed.
The Admin and Site Enhancements (ASE) WordPress plugin before 8.8.4, admin-site-enhancements-pro WordPress plugin before 8.8.4 does not perform authentication, authorization, or nonce checks on a role-restoration request handler, allowing unauthenticated attackers to restore a previously demoted administrator account back to the administrator role. This is an incomplete fix of CVE-2024-43333 / CVE-2025-24648, which closed the issue for only one of the demotion paths the WordPress role API exposes.
The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, including an administrator, views the affected profile.
The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site.
The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available.
Improper authorization in SourceCodester Online Examination & Learning Management System 1.0 allows unauthenticated remote attackers to manipulate enrollment records by supplying arbitrary student_id, schedule_id, or action values to /ajax_enroll.php. The vulnerability is an Insecure Direct Object Reference (IDOR) - the application performs no ownership or privilege check before processing enrollment actions on behalf of any student. A public proof-of-concept has been disclosed (referenced by VulDB submission 850695 and GitHub advisory OE-LMS-IDOR-ajax_enroll.md); no active exploitation via CISA KEV has been confirmed at time of analysis.
Sandbox boundary enforcement failure in PentAGI (vxcontrol) versions up to 2.1.0 allows authenticated remote users to break Docker containment controls via the Docker API client component in `backend/pkg/docker/client.go`, enabling limited information disclosure and unauthorized low-impact modifications within the Docker environment. The CVSS 4.0 vector (PR:L, AV:N, AC:L) confirms low-privilege network-reachable exploitation with no user interaction required, though all impact metrics remain Low and no host-level breakout is indicated. No public exploit code exists and this vulnerability is not listed in CISA KEV; an upstream fix is pending as an unmerged GitHub pull request.
Denial of service in NATS Server (nats-io/nats-server) affects the HTTP monitoring endpoints /connz and /subsz, where attacker-controlled offset and limit pagination parameters trigger a signed integer overflow (Offset+Limit wrapping from math.MaxInt64 to math.MinInt64), producing invalid slice bounds and a server panic. Any client able to reach the monitoring interface can crash the broker, disrupting all connected messaging clients. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; the upstream fix clamps offsets using min/max bounds.
Protocol injection in NATS Server MQTT support allows an authenticated MQTT client to smuggle control characters (tab, newline, carriage return, form feed) inside publish and Will topics, which corrupt the NATS wire protocol when the topic is converted to a NATS subject and forwarded across leaf node connections. Fixed in nats-server v2.12.9 and v2.14.1, the flaw (GHSA-qrcv-3558-gj4f, CWE-74) is tagged Information Disclosure and lets a low-privileged publisher influence how messages are framed and routed to other connections. No public exploit identified at time of analysis and it is not listed in CISA KEV.
mrubyc through release3.4.1 was found to contain an out-of-bounds read in builtin missing-method lookup inside mrbc_find_method().
CVE-2026-58212 is reported by Ubuntu with no publicly available description, CVSS score, CWE classification, or technical detail at time of analysis. The sole intelligence signal is attribution to the Ubuntu vendor source, leaving the affected component, vulnerability class, and impact entirely uncharacterized. No meaningful risk assessment is possible without additional data from Ubuntu's security tracker or an upstream advisory.
Remote denial-of-service in NATS Server (nats-server) affects deployments with the WebSocket listener enabled but MQTT disabled; per the GHSA-p957-7v2w-g93g advisory and the fixing commit, an unauthenticated attacker can send an MQTT-over-WebSocket upgrade request to the WebSocket endpoint while MQTT is turned off, triggering an uncaught exception (CWE-248) that crashes the server (CVSS 7.5, availability-only impact). This is a Linux Foundation CNCF messaging component fixed in nats-server 2.12.12 and 2.14.3. No public exploit identified at time of analysis; not listed in CISA KEV, and EPSS is low at 0.53% (41st percentile), consistent with the SSVC assessment of exploitation 'none' and only partial technical impact.
Out-of-bounds read in Zephyr RTOS's mDNS detection logic crashes devices resolving short-suffix hostnames when CONFIG_MDNS_RESOLVER is compiled in. The flaw in dns_resolve_name_internal() reads a fixed 7 bytes from a suffix pointer regardless of the actual string length, causing a 1-2 byte over-read past the NUL terminator for suffixes like .org, .com, .net, or .io. Under the specific runtime condition of a tightly-sized allocation adjacent to an unmapped boundary (guard page, MPU domain, or ASAN), the over-read faults and crashes the device; no public exploit has been identified at time of analysis and CVSS 3.7 with AC:H accurately reflects the narrow crash preconditions.
Sensitive data exposure in Softaculous FormLayer WordPress plugin through version 1.0.6 allows remote unauthenticated attackers to retrieve embedded sensitive information from data transmitted by the plugin. The root cause (CWE-201) indicates the plugin inserts sensitive content - potentially API keys, tokens, or internal configuration - into outbound data visible to requesting clients. No public exploit code and no active exploitation have been identified at time of analysis, though the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote accessibility.
Sensitive data exposure in Exclusive Addons Elementor (WordPress plugin by Tim Strifler) through version 2.7.9.9 enables unauthenticated remote attackers to retrieve sensitive information embedded within HTTP responses. The CWE-201 root cause indicates the plugin incorrectly includes sensitive data in outbound responses accessible to any network client without authentication, as confirmed by the CVSS vector (PR:N/UI:N). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the network-accessible, zero-prerequisite attack surface warrants prompt patching on internet-facing WordPress installations.
Camel-internal control header injection in the Apache Camel AWS2-SQS component (camel-aws2-sqs) lets any principal holding sqs:SendMessage on a consumed SQS queue override downstream producer behaviour in a route. Because Sqs2HeaderFilterStrategy defined only an outbound filter and no inbound filter, DefaultHeaderFilterStrategy copied sender-supplied attributes such as CamelHttpUri, CamelFileName and CamelSqlQuery verbatim into the Exchange, so an attacker can redirect HTTP producers, rename files or override SQL queries. This is a design flaw with no public exploit identified at time of analysis; EPSS is low (0.16%, 6th percentile) and it is not on CISA KEV.
Information disclosure in Apache Camel's camel-undertow HTTP server consumer (versions 4.0.0 through 4.21.0) exposes complete Java stack traces to unauthenticated HTTP clients whenever a route processing exception occurs, due to a misconfigured default and a code-level bypass. Unlike every other Camel HTTP server component (camel-http, camel-jetty, camel-servlet, camel-platform-http), all of which default muteException to true, camel-undertow defaulted this option to false - and for Rest DSL consumers the option was silently ignored entirely due to a hard-coded false in RestUndertowHttpBinding, meaning muteException=true gave false confidence without actual protection. No public exploit has been identified at time of analysis; however exploitation requires only the ability to send a malformed HTTP request to a reachable endpoint, making this trivially accessible to any network-level attacker.
Stack trace disclosure in Apache Camel's camel-netty-http component (versions 4.0.0-4.21.0 across three release streams) exposes full Java Throwable stack traces to unauthenticated HTTP clients whenever a route processing error occurs under the default configuration. The root cause is an insecure default: the muteException option backed by an uninitialized Java primitive boolean defaulted to false in camel-netty-http while all other Camel HTTP server components (camel-http, camel-jetty, camel-servlet, camel-platform-http) correctly default it to true. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low-effort triggering condition - any malformed request that causes a route exception - makes opportunistic enumeration straightforward against exposed endpoints.
Header injection in Apache Camel's camel-kafka component allows HTTP clients to redirect Kafka messages to arbitrary topics in routes that bridge an HTTP consumer into a Kafka producer. The kafka.OVERRIDE_TOPIC, kafka.OVERRIDE_TIMESTAMP, and kafka.PARTITION_KEY Exchange header constants used non-CamelKafka-prefixed names, causing them to bypass HttpHeaderFilterStrategy - which blocks only the Camel/camel namespace - while remaining readable by KafkaProducer.evaluateTopic() as authoritative control directives. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but when the HTTP ingress is unauthenticated the attack requires only a standard HTTP client and a known Kafka topic name.
Header injection in Apache Camel's camel-irc component enables unauthenticated HTTP clients to redirect outgoing IRC messages to attacker-chosen channels or users by supplying non-Camel-prefixed headers (e.g., irc.sendTo) that Camel's HttpHeaderFilterStrategy fails to block. Affected versions span 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x; fixes are available in 4.14.8, 4.18.3, and 4.21.0. No public exploit code or CISA KEV listing exists at time of analysis, but the attack requires no credentials when the bridging HTTP consumer is unauthenticated, making it trivially reproducible against any qualifying deployment.
Integer overflow in radare2's string utility library affects versions up to 6.1.6, allowing a local low-privileged attacker to crash the application through manipulated input processed by r_str_ndup or r_str_append in libr/util/str.c. The impact is limited to availability - no confidentiality or integrity compromise is confirmed by the CVSS 4.0 vector (VC:N/VI:N/VA:L). Publicly available exploit code exists (CVSS 4.0 E:P), though no active exploitation is confirmed and the vulnerability is not listed in the CISA KEV catalog.
Integer overflow in radare2's binary analysis function exposes local users on systems running version 6.1.6 or earlier to limited confidentiality, integrity, and availability impacts. The flaw resides in the `core_anal_bytes` function within `libr/core/cmd_anal.inc` and requires only low-privilege local access to trigger via crafted binary input. A public proof-of-concept exploit has been disclosed, though no confirmed active exploitation (CISA KEV) is recorded; the CVSS 4.0 score of 1.9 reflects the tightly constrained local-only attack surface and limited impact scope.
Local privilege abuse in TUBITAK BILGEM Pardus-Parental-Control (versions up to and including 0.5.1, fixed in 0.7.0) lets a low-privileged local user exploit insecure file/resource permissions to tamper with the tool's DNS configuration and perform DNS spoofing. Because the CVSS scope is changed (S:C), the impact reaches beyond the application to system-wide name resolution, enabling redirection of traffic, bypass of parental filtering, and interception of connections. There is no public exploit identified at time of analysis, but the reachable local vector and low complexity make this a practical concern on shared or managed Pardus endpoints.
Sensitive information exposure in Pardus Domain Joiner (versions 0.5.2 up to but not including 0.5.4) lets a local low-privileged user harvest secrets — most plausibly domain-join credentials — that the tool passes as visible arguments when invoking a child process. TUBITAK BILGEM's utility enrolls Pardus (a Turkish Debian-based distribution) endpoints into a directory/domain, so the leaked material can be Active Directory or LDAP bind credentials. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the fix in 0.5.4 confirms the issue is vendor-acknowledged.
Arbitrary MongoDB collection disclosure in cve-search allows a remote, unauthenticated attacker to read any application database collection through the POST /fetch_cve_data endpoint by manipulating the collection name, projected fields, and regex filter parameters. Attackers can dump the mgmt_users collection to harvest administrative usernames and password hashes for offline cracking. Publicly available exploit code exists (referenced in the project issue tracker) and a vendor patch is available, though no active exploitation has been reported.
Weak hashing in LangGraph's Task Result Cache exposes low-privilege authenticated users to hash collision attacks that can leak cached task results across isolation boundaries. All LangGraph versions through 1.2.4 are affected via the `_freeze` function in `libs/langgraph/langgraph/_internal/_cache.py`. A public proof-of-concept is disclosed at GitHub issue #8009, though the CVSS 4.0 score of 2.3 and AC:H rating reflect genuinely high exploitation difficulty; this is not listed in CISA KEV and no active exploitation has been reported.
Weak hashing in exo-explore exo up to version 1.0.71 exposes the Vision Feature Cache to hash collision attacks via the `_image_cache_key` function in `src/exo/worker/engines/mlx/vision.py`. A remote, unauthenticated attacker capable of engineering the necessary collision inputs could disclose cached vision feature data, yielding a low confidentiality impact. Publicly available exploit code exists (referenced in GitHub issue #2151), though high attack complexity (AC:H) and the absence of a CISA KEV listing indicate no confirmed widespread active exploitation at time of analysis.
Insufficient session expiration in SourceCodester Online Boat Reservation System 1.0 allows a remote, low-privileged attacker to reuse a previously issued session token after it should have been invalidated, gaining unauthorized access to authenticated application functionality. The CWE-613 root cause indicates the application fails to properly terminate sessions on logout or timeout. A publicly available exploit demonstrates the flaw, as confirmed by a Medium writeup linked in the references.
Insufficiently random temporary file naming in markdownify-mcp (zcaceres, versions through 1.1.0) exposes transiently written content to local users who can predict or race the generated file path. The saveToTempFile function in src/Markdownify.ts affects the webpage-to-markdown, youtube-to-markdown, and bing-search-to-markdown conversion pipelines, allowing a co-located attacker to read converted content before cleanup. No active exploitation has been confirmed (not in CISA KEV), though a proof-of-concept is publicly available; the overall risk is low given the local-only, high-complexity attack requirements reflected in the CVSS 4.0 score of 2.0.
Symlink following in zcaceres markdownify-mcp up to version 1.1.0 allows a local low-privilege user to read files outside the intended directory boundary by exploiting insufficient path resolution in the `assertPathAllowed` function of `src/Markdownify.ts`. The function evaluates the user-supplied symbolic path rather than its canonicalized target, enabling an attacker to bypass the path restriction check and disclose arbitrary local files. No public exploit code exists at time of analysis, the vulnerability is not listed in CISA KEV, and a fix is pending as an unmerged pull request.
Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery. "Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce and the private key are drawn from makerandom. Because the high bit is always set, the result is not uniform: its top bit is fixed, producing insecure values." An attacker who collects a modest number of signatures under an affected key, together with the public key, can recover the private key with a lattice attack. Keys used to sign with an affected version should be considered compromised and new keys should be generated.
Partial string comparison in BettaFish's InsightEngine deduplication logic (versions up to 1.2.1) allows remote unauthenticated attackers to manipulate search-result deduplication by crafting inputs that exploit the flawed comparison in `_deduplicate_results` within `InsightEngine/agent.py`. The integrity impact is limited - attackers can cause duplicate or otherwise manipulated entries to persist in search output - but the attack requires no authentication and no user interaction, and a public proof-of-concept exploit exists. No active exploitation has been confirmed by CISA KEV; a fix pull request (PR #689) has been submitted but not yet merged.
State corruption in HdrHistogram up to version 2.2.2 allows a local, low-privileged attacker to manipulate the Count argument of the recordValueWithCount function in AbstractHistogram.java, resulting in low-integrity corruption of histogram state. The flaw affects the core metrics-recording logic of this Java library. A proof-of-concept exploit has been publicly disclosed; the project maintainer was notified via a GitHub issue but has not yet responded with a fix, leaving affected deployments without a vendor patch.
Incorrect comparison in HdrHistogram's DoubleHistogram.recordValue() range check allows a local, low-privileged attacker to manipulate histogram integrity by recording out-of-range values that bypass the bounds check. Versions up to and including 2.2.2 are affected. No public exploit identified at time of analysis - publicly available exploit code exists, and the project maintainer has not responded to the responsible disclosure, leaving the vulnerability unpatched.
The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Out-of-bounds read in ONNX versions up to 1.21.x exposes limited memory contents to low-privileged remote attackers via the convPoolShapeInference_opset19 shape inference function. The CVSS 4.0 score of 2.1 reflects minimal real-world impact - confidentiality-only, low severity - yet a public proof-of-concept is available via GitHub issue #8036. No active exploitation has been confirmed by CISA KEV, and an upstream patch exists at commit a7bf3a0f1d18bb62575236ef6e4944980c40e045 via PR #8051.
Weak session hash generation in ForceInjection AI-fundermentals 2.0 and 3.0 exposes conversation history belonging to other users in shared deployments. The `get_conversation_history` function in the Memory Recall Handler generates `sessionowner` tokens using a cryptographically weak hash algorithm (CWE-328), allowing a low-privileged authenticated attacker to predict or brute-force another user's session identifier and retrieve their prior conversation records. A publicly available exploit exists per GitHub issue #17 and the CVSS 4.0 E:P modifier, though the high attack complexity (AC:H) and low overall score of 2.3 indicate exploitation is difficult and impact is limited to partial confidentiality loss - no integrity or availability impact is present.
Divide-by-zero in RT-Thread's lightweight process (lwp) syscall handler allows a low-privileged remote attacker to crash the RTOS by sending crafted read, write, or sys_ioctl system calls with malicious parameters to the affected handler in components/lwp/lwp_syscall.c. Affected versions are 5.2.2 and below. A public proof-of-concept exploit has been disclosed via GitHub issue #11429, though this vulnerability has not been added to the CISA KEV catalog, suggesting exploitation remains opportunistic rather than broadly weaponized. The upstream fix exists only as a pull request (PR #11453) awaiting merge acceptance.
In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation path In __ip6_append_data(), when the paged-allocation branch is taken (MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are computed as alloclen = fragheaderlen + transhdrlen; pagedlen = datalen - transhdrlen; datalen already includes fraggap (datalen = length + fraggap). When fraggap is non-zero, this is not the first skb and transhdrlen is zero. The fraggap bytes carried over from the previous skb are copied just past the fragment headers in the new skb's linear area. The linear area is therefore undersized by fraggap bytes while pagedlen is overstated by the same amount, and the copy writes past skb->end into the trailing skb_shared_info. An unprivileged user can trigger this via a UDPv6 socket using MSG_MORE together with MSG_SPLICE_PAGES. The bad accounting was introduced by commit 773ba4fe9104 ("ipv6: avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix __ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative copy value caused -EINVAL to be returned. That later commit allowed MSG_SPLICE_PAGES to proceed in this case, making the corruption triggerable. The non-paged branch sets alloclen to fraglen, which already accounts for fraggap because datalen does. Bring the paged branch in line by adding fraggap to alloclen and subtracting it from pagedlen. After this adjustment, copy no longer collapses to -fraggap on the paged path, so remove the stale comment describing that old arithmetic. Since a negative copy is no longer expected for a valid MSG_SPLICE_PAGES case, remove the MSG_SPLICE_PAGES exception from the negative copy check.
In the Linux kernel, the following vulnerability has been resolved: af_unix: Set gc_in_progress to true in unix_gc(). Igor Ushakov reported that unix_gc() could run with gc_in_progress being false if the work is scheduled while running: Thread 1 Thread 2 Thread 3 -------- -------- -------- unix_schedule_gc() unix_schedule_gc() `- if (!gc_in_progress) `- if (!gc_in_progress) |- gc_in_progress = true | `- queue_work() | unix_gc() <----------------/ | | |- gc_in_progress = true ... `- queue_work() | | `- gc_in_progress = false | | unix_gc() <---------------------------------------------' | ... /* gc_in_progress == false */ | `- gc_in_progress = false unix_peek_fpl() relies on gc_in_progress not to confuse GC by MSG_PEEK. Let's set gc_in_progress to true in unix_gc().
In the Linux kernel, the following vulnerability has been resolved: KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use As per the GHCB spec, when using GHCB v2+ require the software scratch area to reside in the GHCB's shared buffer. Note, things like Page State Change (PSC) requests _rely_ on this behavior, as the guest can't provide a length when making the request, i.e. the size of the guest payload is bounded by the size of the shared buffer. Failure to force usage of the GHCB, and a slew of other flaws, lets a malicious SNP guest corrupt host kernel heap memory, and leak host heap layout information. setup_vmgexit_scratch() allocates a buffer via kvzalloc(exit_info_2), where exit_info_2 is guest-controlled. With exit_info_2=24, this yields a 24-byte allocation in kmalloc-cg-32 (32-byte slab objects). The buffer holds an 8-byte psc_hdr followed by 8-byte psc_entry structs, so only entries[0] and entries[1] are in-bounds. snp_begin_psc() validates end_entry against VMGEXIT_PSC_MAX_COUNT (253) but NOT against the actual buffer size: idx_end = hdr->end_entry; if (idx_end >= VMGEXIT_PSC_MAX_COUNT) { // checks 253, not buffer snp_complete_psc(svm, ...); return 1; } for (idx = idx_start; idx <= idx_end; idx++) { entry_start = entries[idx]; // OOB when idx >= 2 The guest sets end_entry=10+, causing the host to iterate entries[2+] which are OOB into adjacent slab objects. For each OOB entry: - The host reads 8 bytes (OOB READ / info leak oracle) - If the data passes PSC validation, __snp_complete_one_psc() writes cur_page = 1 or 512 into the entry (OOB WRITE, sev.c:3806) - If validation fails, the error response reveals whether adjacent memory is zero vs non-zero (information disclosure to guest) The guest controls allocation size (exit_info_2), entry range (cur_entry/end_entry), and can fire unlimited VMGEXITs to repeatedly hit different slab positions. By exploiting the variety of bugs, a malicious SEV-SNP guest can: - OOB read adjacent kmalloc-cg-32 objects (heap layout disclosure) - OOB write cur_page bits into adjacent objects (heap corruption) - Trigger use-after-free conditions across VMGEXITs E.g. with KASAN enabled, a single insmod of the PoC guest module produces 73 KASAN reports: BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x126/0x890 Read of size 8 at addr ffff888219ffb5e0 by task qemu-system-x86/2199 BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x468/0x890 Write of size 8 at addr ffff888351566648 by task qemu-system-x86/2199 The buggy address belongs to the object at ffff888XXXXXXXXX which belongs to the cache kmalloc-cg-32 of size 32 The buggy address is located N bytes to the right of allocated 32-byte region [ffff888XXXXXXXXX, ffff888XXXXXXXXX) Breakdown: 62 slab-out-of-bounds (reads + writes past allocation) 7 slab-use-after-free 4 use-after-free All credit to Stan for the wonderful description and reproducer! [sean: write changelog]
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix shadow paging use-after-free due to unexpected role Commit 0cb2af2ea66ad ("KVM: x86: Fix shadow paging use-after-free due to unexpected GFN") fixed a shadow paging mismatch between stored and computed GFNs; the bug could be triggered by changing a PDE mapping from outside the guest, and then deleting a memslot. The rmap_remove() call would miss entries created after the PDE change because the GFN of the leaf SPTE does not match the GFN of the struct kvm_mmu_page. A similar hole however remains if the modified PDE points to a non-leaf page. In this case the gfn can be made to match, but the role does not match: the original large 2MB page creates a kvm_mmu_page with direct=1, while the new 4KB needs a kvm_mmu_page with direct=0. However, kvm_mmu_get_child_sp() does not compare the role, and therefore reuses the page. The next step is installing a leaf (4KB) SPTE on the new path which records an rmap entry under the gfn resolved by the walk. But when that child is zapped its parent kvm_mmu_page has direct=1 and kvm_mmu_page_get_gfn() computes the gfn for the 4KB page as sp->gfn + index instead of using sp->shadowed_translation[] (or sp->gfns[] in older kernels). It therefore fails to remove the recorded entry. When the memslot is dropped the shadow page is freed but the rmap entry survives, as in the scenario that was already fixed. Code that later walks that gfn (dirty logging, MMU notifier invalidation, and so on) dereferences an sptep that lies in the freed page, causing the use-after-free.
Protection mechanism failure in NousResearch hermes-agent (≤ 0.15.2) allows remote authenticated attackers to bypass shell execution controls via the shell.exec function in tui_gateway/server.py, resulting in low-level confidentiality, integrity, and availability impact. The vulnerability is classified under CWE-693 and carries a CVSS 4.0 score of 5.3 (Medium), with a publicly available proof-of-concept exploit hosted on GitHub. No patch has been issued - the vendor did not respond to the researcher's disclosure - meaning all deployments of hermes-agent up to and including version 0.15.2 remain exposed.
Session data exposure in FederatedAI FATE's OSX Broker gRPC component allows an authenticated federated party to manipulate session routing arguments and access data belonging to a different federated session. Affected versions extend through FATE 2.2.0, specifically in the QueuePushReqStreamObserver.initEggroll method within the Java-based OSX Broker. No public exploit confirmed active exploitation (not in CISA KEV), though exploit code has been publicly disclosed via a GitHub issue, and the CVSS 4.0 score of 2.3 reflects the high attack complexity and limited confidentiality impact.
PHP file inclusion in PHPIPAM allows authenticated API users to include and execute arbitrary PHP files from the web server's filesystem, with primary impact on application confidentiality through exposure of sensitive configuration data. Exploitation is gated behind two non-default conditions: the REST API must be deliberately enabled by an administrator, and the attacker must hold valid API credentials - constraining the realistic attack surface substantially. Publicly available exploit code exists per Project Black's research blog, though the vulnerability carries a CVSS 4.0 score of 2.3 and is absent from CISA KEV, reflecting its narrow exploitation prerequisites rather than widespread threat activity.
Local privilege escalation in Unity Parsec for Windows (all builds through v2026-05-04.0) lets an unprivileged local user coerce an instance of parsecd.exe to run as NT AUTHORITY\SYSTEM while honoring a user-controlled AppData environment variable, allowing the attacker to redirect the privileged process to resources under their control and gain SYSTEM. The flaw is a CWE-648 misuse of privileged APIs; publicly available exploit code exists (a dedicated CVE GitHub repository and a researcher write-up), and it is fixed in Parsec for Windows 150-104a. It is not listed in CISA KEV and no EPSS score was supplied, so there is no evidence of widespread active exploitation.
File path collision in FOSSBilling's downloadable product service allows an authenticated administrator to silently overwrite another product's stored file by uploading a file with an identical original filename. Because FOSSBilling stores uploaded files at a path derived solely from md5(<original filename>), two uploads sharing the same filename map to the same storage location - the later upload wins, and customers downloading the earlier product receive the substituted file instead. No public exploit exists and this is not in CISA KEV, but the integrity and information-disclosure impact are concrete: customers may receive incorrect - potentially confidential - product files. Version 0.8.1 patches the issue.
Unauthenticated information disclosure in FOSSBilling 0.5.3-0.7.2 exposes administrator-defined custom API key configuration fields (`custom_*`) to any caller possessing a valid API key via the guest-tier `serviceapikey/get_info` endpoint. The affected fields may contain business-sensitive operational data including pricing tiers, feature flags, rate limits, expiry overrides, and access scope data as populated by billing administrators. No public exploit has been identified and no CISA KEV listing exists, but the network-accessible, low-complexity nature of the flaw makes it trivially exploitable by any party holding or able to obtain a valid API key. Vendor patch is confirmed available in version 0.8.0.
Address bar spoofing in Firefox for iOS allows a remote unauthenticated attacker to display a trusted origin in the browser's address bar while the victim views and interacts with fully attacker-controlled content - a classic and effective phishing enabler. The attack exploits a race condition in navigation handling: a malicious page enqueues a synchronous JavaScript dialog at the moment a user navigates away, freezing the address bar on the destination's legitimate origin while the malicious page's content continues to render. No public exploit code has been identified and EPSS is 0.15% (4th percentile), indicating no observed widespread exploitation; however, the technique is conceptually simple and phishing value is high.
Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.
Out-of-bounds read in FreeType 2.14.3 exposes partial heap memory and risks process crashes when processing crafted variable fonts via the TT_Get_Var_Design code path. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects server-side or automated font processing pipelines where untrusted font data reaches FT_Get_Var_Design_Coordinates without authentication barriers. No active exploitation is confirmed in CISA KEV; however, a researcher-published gist suggests working proof-of-concept material exists, and EPSS at 0.17% (7th percentile) indicates minimal observed exploitation activity to date.
Account takeover in FOSSBilling 0.5.6 through 0.7.2 arises because the reset_password guest API endpoint reuses an existing, unexpired ClientPasswordReset token rather than rotating it on each request. An attacker who has captured a victim's earlier reset link retains a valid path to hijack the account even after the victim requests a fresh reset, since the original token is never invalidated and its 15-minute window is anchored to the first request. No public exploit is identified at time of analysis, and the CVSS 4.0 score is 7.7 (High); version 0.8.0 fixes the flaw.
Privilege escalation and unauthorized access in FOSSBilling before 0.8.0 lets authenticated low-privileged staff accounts invoke admin API endpoints they should not reach, exposing sensitive data and enabling actions reserved for higher-privilege roles. The flaw stems from the framework-level can_always_access module flag combined with weak per-endpoint permission checks, so any staff login becomes a stepping stone to sensitive settings. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the GitHub Security Advisory rates it CVSS 4.0 8.7 (High).
FOSSBilling prior to version 0.8.0 exposes sensitive administrative data to low-privileged staff accounts through an asymmetric access control flaw: write-side admin API endpoints correctly enforce fine-grained permissions, but their corresponding read endpoints lack any authorization guards entirely. Any authenticated staff user can call these read endpoints over the network and retrieve data beyond their intended access scope. No public exploit code has been identified and the vulnerability is not in CISA KEV; risk is primarily an insider-threat scenario within organizations with staff-level access to the billing platform.
FOSSBilling's PayPalEmail payment adapter prior to version 0.8.0 fails to validate IPN-supplied payment amounts against invoice totals, enabling authenticated clients to underpay invoices while having them marked as fully paid. The PayPal IPN field `mc_gross` is credited directly to the client balance without cross-checking the corresponding invoice amount, and a pre-existing $0.05 floating-point epsilon in the credit-payment logic expands the exploitable gap to $0.04 per invoice. No public exploit code exists and the vulnerability is not in CISA KEV; however, the attack is trivially executable by any registered client on a system with the PayPalEmail adapter enabled.
Race condition in FOSSBilling's cart checkout flow allows authenticated clients to exploit promo codes beyond their configured usage limits by submitting concurrent checkout requests. Affected versions prior to 0.8.0 fail to atomically check and increment promo code usage counts (CWE-367), enabling a single limited-use or one-time-use code to be redeemed unlimited times. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the attack is straightforward to automate for any authenticated user with knowledge of a valid promo code.
Complete database export and overwrite in the 9router npm application is possible for any authenticated user via the /api/settings/database endpoint, which is guarded only by the ALWAYS_PROTECTED session check (JWT or CLI token). A low-privileged attacker can GET the full database - including plaintext API keys, OAuth tokens, and OIDC client secrets - and POST an attacker-crafted database that wipes and replaces all tables, including the password hash, yielding total takeover. No CISA KEV listing exists and no standalone exploit is published, but the advisory (GHSA-qvfm-67h2-2qfx) includes detailed reproduction steps, and the default password '123456' makes obtaining the required session trivial in unhardened deployments.
Proof-system soundness bypass in the Zcash Orchard shielded pool lets a malicious prover forge valid zero-knowledge proofs that satisfy the diversified-address-integrity check pk_d = [ivk] g_d for arbitrary key triples, breaking the binding between an Action and the note's real incoming viewing key, nullifier, and spend authorizing key. The flaw enables an undetectable double-spend within the Orchard pool (bounded only by Zcash's turnstile supply limit) and, given knowledge of a note plaintext, theft of another user's funds by forging spend authorization. No public exploit is identified and there is no evidence of exploitation before remediation, but the bug was live in consensus since NU5 (May 31, 2022) and was fixed via the NU6.2 hard fork on June 3, 2026.
Privilege retention in FOSSBilling before 0.8.0 allows a suspended or deactivated client, staff, or admin to keep full authenticated access because the session identity loaders in src/di.php never re-check account status. Suspending or deactivating a user does not terminate their live session - access persists until the session expires naturally. This is an authenticated (PR:L) session-management flaw with no public exploit identified at time of analysis and no CISA KEV listing; the vendor rates it 8.7 (CVSS 4.0).
Cross-boundary information disclosure in Coder's workspace app proxy allows an attacker who controls a shared workspace app to read a victim user's private app responses by forging the X-Forwarded-Host header. The proxy trusts this client-supplied header for routing decisions while simultaneously authorizing the request with the victim's own session cookie - which the browser attaches to any subdomain because cookies are scoped to the wildcard parent domain - enabling the attacker to steer responses from private apps back through their own JavaScript. Exploitation requires subdomain app routing (wildcard hostname) to be enabled and the victim to visit the attacker's shared app; no public exploit code or CISA KEV listing has been identified at time of analysis.
HSTS header delivery is permanently broken in gofiber/fiber's helmet middleware due to a logic error that compares the HTTP protocol version string ('HTTP/1.1', 'HTTP/2.0') against the literal string 'https' - a comparison that is always false in any real deployment, making the entire HSTS conditional block dead code. Applications using Fiber that configure HSTSMaxAge expecting HSTS protection receive none, silently eliminating a security control that operators believe is active. A maintainer-runnable POC confirming the bug has been published with the advisory; no CISA KEV listing exists, but any application relying on helmet for HSTS protection has had that protection stripped since the erroneous code was introduced.
Unauthorized tool invocation in the Langroid Python LLM-agent framework lets a user of an exposed chat interface directly execute server-side tool handlers by sending raw tool JSON, even when the tool was registered with use=False, handle=True. Because the dispatch path (agent_response → handle_message → get_tool_messages) never checks whether a message originated from Entity.USER versus Entity.LLM, the use=False guard — which developers reasonably assume blocks end-user invocation — only stops the LLM from emitting the tool, not a user from calling it. A working PoC exists in the advisory (publicly available exploit code exists); depending on which handled tools are enabled, this yields file read/write, database queries, or access to internal orchestration tools.
Sensitive key material can be exposed in Qualcomm Snapdragon platforms because AES-GCM key wrapping is performed with a hardcoded/static initialization vector instead of a unique per-call nonce. A local, low-privileged attacker who can collect multiple wrapped outputs can exploit the resulting IV/nonce reuse to recover confidentiality and forge integrity of wrapped keys. There is no public exploit identified at time of analysis, and the issue is disclosed via Qualcomm's July 2026 security bulletin.
Remote image auto-fetch in the OpenAI Codex desktop app for macOS (versions prior to 26.527.31326) enables silent exfiltration of session secrets via indirect prompt injection. An attacker who can place malicious instructions into content processed by Codex - such as a tool result, API response, or file read during a session - can manipulate the model into generating a Markdown image tag whose URL encodes sensitive data; the app then automatically fetches that URL, transmitting API keys, source code, or tool-returned data to an attacker-controlled server with no additional user action. No active exploitation is confirmed (not listed in CISA KEV), no public proof-of-concept is identified, and EPSS sits at 0.16% (6th percentile), indicating low current exploitation probability despite the high-value target profile of affected users.
RSA PKCS#1 v1.5 decryption in OP-TEE's Hisilicon HPRE hardware accelerator driver exposes a Bleichenbacher-style padding oracle, allowing a local attacker to recover RSA plaintext by adaptively querying the oracle. Affected are optee_os versions 4.5.0 through 4.10.x built with Hisilicon HPRE support (CFG_HISILICON_ACC_V3=y) on Arm TrustZone-based platforms. No public exploit code or CISA KEV listing exists; exploitation is constrained by local access requirements and the high query volume characteristic of Bleichenbacher-class attacks.
Symlink traversal in Hugo's virtual filesystem (v0.123.0-v0.163.0) allows a symlink planted inside a theme or local mount to escape the mount sandbox and return the contents of arbitrary files accessible to the OS user running the hugo build. A regression in RootMappingFs.statRoot introduced a Stat call where Lstat was required, silently resolving symlinks that cross mount boundaries. No public exploit code or CISA KEV listing exists; the issue is fixed in v0.163.1.
RSA-OAEP decryption in OP-TEE OS versions 3.9.0 through 4.10.x exposes a Manger-style padding oracle via the NXP CAAM hardware crypto driver, enabling local low-privileged attackers to recover RSA-OAEP plaintext through approximately 1,000-2,000 adaptive chosen-ciphertext queries. The flaw arises from non-constant-time memcmp() usage during label hash verification combined with multiple distinguishable error paths that leak oracle-exploitable timing and response information. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is constrained to NXP CAAM-equipped platforms with the RSA driver enabled.
Authentication bypass in Tenda router firmware (AC10, AC5, AC6, FH1201, W15E) lets any user log in as administrator via a hidden vendor backdoor: after normal MD5-based login fails, the /bin/httpd login() routine at 0x4c88b8 falls back to a plaintext strcmp() against the 'sys.rzadmin.password' config value, granting role=2 (admin) with any username. Reported through CERT/CC (VU#213560), it is not in CISA KEV and has no public exploit identified at time of analysis, with a low EPSS score of 0.24% (15th percentile). The flaw is a classic CWE-912 hidden-functionality backdoor mapped to CVSS 9.8.
RSA-OAEP decryption in OP-TEE OS versions 4.5.0 through 4.10.x exposes a Manger-style padding oracle via the Hisilicon HPRE hardware crypto driver, enabling a local attacker to recover RSA-OAEP plaintext through approximately 1000-2000 adaptive chosen ciphertext queries. The root cause is a non-constant-time `memcmp()` used for label hash verification combined with distinguishable error paths - classic CWE-208 timing side-channel conditions. Impact is heavily constrained by a non-default build requirement: only Hisilicon D06 (plat-d06) hardware built with `CFG_HISILICON_ACC_V3=y` is exposed, and no public exploit or active exploitation has been identified at time of analysis.
Channel-binding downgrade in the pgjdbc PostgreSQL JDBC Driver (releases 42.7.4 through 42.7.11) lets an active man-in-the-middle silently strip SCRAM-SHA-256-PLUS channel binding down to plain SCRAM-SHA-256 even when the client explicitly set channelBinding=require, defeating the exact protection that setting promises. The flaw stems from the bundled com.ongres.scram:scram-client returning an empty binding for certificates whose signature algorithm lacks a tls-server-end-point hash, combined with pgJDBC's ScramAuthenticator failing to reject that empty binding. No public exploit identified at time of analysis and it is not listed in CISA KEV; it is fixed in 42.7.12.
Denial-of-service via memory exhaustion in Python Pillow before 12.3.0 allows a crafted GD-format (.gd) image to trigger excessive C-heap allocation when opened, because GdImageFile._open() reads image dimensions straight from the GD 2.x header without invoking Pillow's Image._decompression_bomb_check() guard. Any application that loads untrusted .gd files with a vulnerable Pillow version can be crashed or driven into out-of-memory conditions. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 (availability-only impact).
Uncontrolled memory allocation in Python Pillow before 12.3.0 allows a maliciously crafted font file to trigger excessive memory consumption and denial of service when its glyphs are compiled into a combined bitmap. FontFile.compile() builds the output image via Image.new("1", (xsize, ysize)) without invoking Pillow's decompression-bomb guard, so oversized glyph dimensions are allocated unchecked during conversion or saving. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the availability-only impact (CVSS 7.5) reflects resource exhaustion rather than code execution or data disclosure.
Uncontrolled memory allocation in the Python Pillow imaging library (all versions prior to 12.3.0) allows a crafted PCF bitmap font to exhaust process memory and crash the host application. The PcfFontFile bitmap loader trusts attacker-supplied glyph dimensions from the font's METRICS section and hands them straight to Image.frombytes() while skipping Pillow's decompression-bomb guard. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw is an availability-only denial of service (CVSS 7.5), not the information disclosure implied by the source tag.
c-ares, the widely-embedded asynchronous DNS resolver library, received a security fix in version 1.34.7 addressing CVE-2026-33630, disclosed via the oss-security mailing list. The vulnerability was reported by Haruto Kimura of Stella and is also tracked under GHSA-pjmc-gx33-gc76 and GHSA-jv8r-gqr9-68wj. The nature of the flaw, its exploitability, and precise impact are not determinable from the available input data - no description, CVSS vector, or CWE was provided.
Information disclosure in HP Deskjet 2800 Series printers running firmware TBP1CN2612AR or earlier lets an unauthenticated attacker on the network read sensitive configuration - including plaintext Wi‑Fi Direct credentials, device identity, and administrative security state - by sending plain GET requests to administrative API endpoints. The same data is gated behind administrator login in the web UI, so these API endpoints bypass the product's own access-control model. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Improper data-query neutralization (NoSQL injection) in the web application component of BeyondTrust Remote Support and Privileged Remote Access allows an authenticated, low-privileged attacker to manipulate input parameters and read resources or data beyond their authorization scope. The flaw enables information disclosure across authorization boundaries and, per the vendor's CVSS 4.0 vector, can impact downstream systems. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation is restricted to accounts holding specific permissions.
Heap out-of-bounds read in the Perl Imager module (versions before 1.032) lets a crafted SGI image over-read past a decode buffer and crash the process. The flaw lives in the bundled Imager::File::SGI reader's read_rgb_16_rle routine, where a 16-bit RLE literal run is length-checked in pixels but consumed as two bytes per pixel, defeating the bounds guard. No public exploit is identified at time of analysis and it is not listed in CISA KEV; a vendor patch shipped in 1.032.
Double-free memory corruption in GPAC MP4Box up to version 2.5-DEV allows a local, low-privileged attacker to trigger heap corruption via a crafted MP4 file processed by the `gf_isom_nalu_sample_rewrite` function, resulting in low availability impact (crash). No confidentiality or integrity impact is indicated by the CVSS 4.0 vector despite the 'Information Disclosure' tag in VulDB, which appears inconsistent with the scored metrics. A public POC exists at GitHub, but no active exploitation has been confirmed and this CVE is not listed in CISA KEV.
Local privilege/code manipulation in B&R Industrial Automation's APROL process control system (all versions before R 4.4-01P5) arises from an untrusted search path (CWE-426), allowing a low-privileged local user to plant a malicious executable or library that the application loads from an attacker-influenced directory. Successful exploitation yields high confidentiality and integrity impact on the affected engineering/operator station. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.4 (High).
Improper TLS certificate validation in B&R Industrial Automation's APROL process control system (all versions before R 4.4-01P5) lets a network-positioned attacker intercept and tamper with supposedly encrypted communications. Because APROL fails to properly verify certificates (CWE-295), an adversary able to sit between components can decrypt sensitive process data and inject manipulated messages. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but the CVSS 4.0 base score of 9.1 reflects the high confidentiality and integrity impact.
Improper input validation in Apache Camel (versions through 4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.0) allows remote attackers to trigger information disclosure and limited integrity/availability effects against exposed Camel integration endpoints. The CVSS 3.1 base score is 7.3 (High) with a fully remote, unauthenticated vector, and the Apache-issued advisory tags the flaw as Information Disclosure. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-privilege vector warrants prompt patching.
Improper input validation in Apache Camel - the open-source Java integration framework - affects versions through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.0, and per the Apache-published advisory carries partial (Low) impact to confidentiality, integrity, and availability. Tagged as an Information Disclosure issue, it is remotely reachable per the CVSS network vector and appears to let a remote attacker submit malformed input that the framework fails to properly validate, potentially exposing limited data or perturbing message processing. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Improper input validation in Apache Camel versions 4.8.0 through 4.18.2 and 4.19.0 through 4.20.0 allows remote unauthenticated attackers to send crafted input that the framework fails to validate, yielding limited information disclosure and partial integrity/availability impact per the CVSS vector. The flaw is reported directly by the Apache Software Foundation and is fixed in 4.18.3 and 4.21.0; there is no public exploit identified at time of analysis and it is not on the CISA KEV list. The moderate 7.3 (High) score reflects easy network reachability but limited per-impact severity (C:L/I:L/A:L).
Information disclosure in SUSE Rancher AI Agent 1.0 before 1.0.2 writes API keys and raw LLM response text (which may contain sensitive data) into logfiles when the DEBUG loglevel is enabled, letting a local attacker with access to those logs harvest credentials and confidential model output. Rated CVSS 4.0 base 7.0, the flaw requires local access and high privileges plus a non-default debug configuration. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Information disclosure in uniFLOW Universal Login Manager (ULM) Standalone exposes sensitive SMTP and LDAP integration configuration data to authenticated administrators via the Remote User Interface (RUI). The flaw, classified under CWE-522 (Insufficiently Protected Credentials), applies exclusively to Standalone ULM deployments - environments integrated with uniFLOW Server or uniFLOW Online are explicitly confirmed unaffected. No public exploit code has been identified at time of analysis, and exploitation requires high-privilege access on an adjacent network, substantially limiting real-world risk.
Confused-deputy operation redirection in the Apache Camel camel-cxf SOAP component (versions 4.0.0 before 4.14.8, 4.15.0 before 4.18.3, and 4.19.0 before 4.21.0) lets an attacker steer which backend SOAP operation gets invoked. Because the operationName / operationNamespace selection headers lacked the Camel/camel prefix, HttpHeaderFilterStrategy failed to strip them at the HTTP boundary, so in any route bridging an HTTP consumer (e.g. platform-http) into a cxf: producer, an HTTP client could inject these headers and force CxfProducer to call a different WSDL operation than intended - for example swapping a read for a destructive write. No public exploit is identified at time of analysis, EPSS is low (0.15%), and it is not in CISA KEV.
Header injection in Apache Camel Mail Component enables attackers to override SMTP JavaMail session properties by supplying crafted headers in the mail.smtp./ mail.smtps. namespace through any untrusted inbound protocol - including HTTP query parameters, JMS, or Kafka - that feeds into a Camel route terminating at an SMTP producer. On releases before 4.19.0, the most severe impact is full SMTP host redirection: the producer reconnects to an attacker-controlled server and authenticates with the endpoint's configured credentials, resulting in credential theft. On 4.19.0 through pre-4.21.0, host redirection is blocked, but attackers can still weaken transport security (disabling STARTTLS, manipulating SSL trust, or injecting a SOCKS proxy) and intercept outgoing mail content. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Header injection in the Apache Camel camel-nats component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) allows any NATS client that can publish to a consumed subject to inject arbitrary Camel-internal control headers into the Exchange because the consumer's default DefaultHeaderFilterStrategy has no inbound filter rules. An attacker can override headers such as CamelHttpUri, CamelFileName, or CamelSqlQuery to redirect HTTP producers, rename files, or alter queries in downstream route steps. No public exploit identified at time of analysis; EPSS is low (0.19%, 9th percentile) and CISA SSVC lists exploitation as none, but the flaw is remotely reachable without credentials when the NATS server runs with its default (no-auth) configuration.
Authentication token-lifetime bypass in the Apache Camel Keycloak component (camel-keycloak) affects versions 4.18.0-4.18.2 and 4.19.0-4.20.x, allowing expired or not-yet-valid Keycloak access tokens to be accepted as valid. The KeycloakSecurityHelper builds its TokenVerifier via withChecks() with only subject and issuer checks, so Keycloak's IS_ACTIVE exp/nbf validation is never installed, and any route relying on this helper will trust tokens outside their intended lifetime. NVD scores it CVSS 9.8, though EPSS is low (0.15%, 5th percentile) and there is no public exploit identified at time of analysis.
Sensitive information exposure in Prog Management System (developed by PROG MIS) allows unauthenticated remote attackers to access a specific page that discloses the database account name and password. With valid database credentials leaked, an attacker gains a direct path to full compromise of the backing database and any data it holds. There is no public exploit identified at time of analysis, but the flaw is trivially exploitable given the CVSS 4.0 score of 9.3 (critical) and reported unauthenticated network vector.
Divide-by-zero in GPAC's TeXML file handler crashes the process when a crafted file carries a zero or invalid txml_timescale value, triggering an unhandled arithmetic exception in txtin_probe_duration. The affected version is the development snapshot 26.03-DEV-rev342-g80071f700-master; exploitation is constrained to local users able to supply malicious input files, with impact limited to a process-level denial of service. No active exploitation or public proof-of-concept has been identified; an upstream fix commit is available on GitHub but no patched stable release has been independently confirmed.
The Admin and Site Enhancements (ASE) WordPress plugin before 8.8.4, admin-site-enhancements-pro WordPress plugin before 8.8.4 does not perform authentication, authorization, or nonce checks on a role-restoration request handler, allowing unauthenticated attackers to restore a previously demoted administrator account back to the administrator role. This is an incomplete fix of CVE-2024-43333 / CVE-2025-24648, which closed the issue for only one of the demotion paths the WordPress role API exposes.
The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, including an administrator, views the affected profile.
The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site.
The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available.
Improper authorization in SourceCodester Online Examination & Learning Management System 1.0 allows unauthenticated remote attackers to manipulate enrollment records by supplying arbitrary student_id, schedule_id, or action values to /ajax_enroll.php. The vulnerability is an Insecure Direct Object Reference (IDOR) - the application performs no ownership or privilege check before processing enrollment actions on behalf of any student. A public proof-of-concept has been disclosed (referenced by VulDB submission 850695 and GitHub advisory OE-LMS-IDOR-ajax_enroll.md); no active exploitation via CISA KEV has been confirmed at time of analysis.
Sandbox boundary enforcement failure in PentAGI (vxcontrol) versions up to 2.1.0 allows authenticated remote users to break Docker containment controls via the Docker API client component in `backend/pkg/docker/client.go`, enabling limited information disclosure and unauthorized low-impact modifications within the Docker environment. The CVSS 4.0 vector (PR:L, AV:N, AC:L) confirms low-privilege network-reachable exploitation with no user interaction required, though all impact metrics remain Low and no host-level breakout is indicated. No public exploit code exists and this vulnerability is not listed in CISA KEV; an upstream fix is pending as an unmerged GitHub pull request.
Denial of service in NATS Server (nats-io/nats-server) affects the HTTP monitoring endpoints /connz and /subsz, where attacker-controlled offset and limit pagination parameters trigger a signed integer overflow (Offset+Limit wrapping from math.MaxInt64 to math.MinInt64), producing invalid slice bounds and a server panic. Any client able to reach the monitoring interface can crash the broker, disrupting all connected messaging clients. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; the upstream fix clamps offsets using min/max bounds.
Protocol injection in NATS Server MQTT support allows an authenticated MQTT client to smuggle control characters (tab, newline, carriage return, form feed) inside publish and Will topics, which corrupt the NATS wire protocol when the topic is converted to a NATS subject and forwarded across leaf node connections. Fixed in nats-server v2.12.9 and v2.14.1, the flaw (GHSA-qrcv-3558-gj4f, CWE-74) is tagged Information Disclosure and lets a low-privileged publisher influence how messages are framed and routed to other connections. No public exploit identified at time of analysis and it is not listed in CISA KEV.
mrubyc through release3.4.1 was found to contain an out-of-bounds read in builtin missing-method lookup inside mrbc_find_method().
CVE-2026-58212 is reported by Ubuntu with no publicly available description, CVSS score, CWE classification, or technical detail at time of analysis. The sole intelligence signal is attribution to the Ubuntu vendor source, leaving the affected component, vulnerability class, and impact entirely uncharacterized. No meaningful risk assessment is possible without additional data from Ubuntu's security tracker or an upstream advisory.
Remote denial-of-service in NATS Server (nats-server) affects deployments with the WebSocket listener enabled but MQTT disabled; per the GHSA-p957-7v2w-g93g advisory and the fixing commit, an unauthenticated attacker can send an MQTT-over-WebSocket upgrade request to the WebSocket endpoint while MQTT is turned off, triggering an uncaught exception (CWE-248) that crashes the server (CVSS 7.5, availability-only impact). This is a Linux Foundation CNCF messaging component fixed in nats-server 2.12.12 and 2.14.3. No public exploit identified at time of analysis; not listed in CISA KEV, and EPSS is low at 0.53% (41st percentile), consistent with the SSVC assessment of exploitation 'none' and only partial technical impact.
Out-of-bounds read in Zephyr RTOS's mDNS detection logic crashes devices resolving short-suffix hostnames when CONFIG_MDNS_RESOLVER is compiled in. The flaw in dns_resolve_name_internal() reads a fixed 7 bytes from a suffix pointer regardless of the actual string length, causing a 1-2 byte over-read past the NUL terminator for suffixes like .org, .com, .net, or .io. Under the specific runtime condition of a tightly-sized allocation adjacent to an unmapped boundary (guard page, MPU domain, or ASAN), the over-read faults and crashes the device; no public exploit has been identified at time of analysis and CVSS 3.7 with AC:H accurately reflects the narrow crash preconditions.
Sensitive data exposure in Softaculous FormLayer WordPress plugin through version 1.0.6 allows remote unauthenticated attackers to retrieve embedded sensitive information from data transmitted by the plugin. The root cause (CWE-201) indicates the plugin inserts sensitive content - potentially API keys, tokens, or internal configuration - into outbound data visible to requesting clients. No public exploit code and no active exploitation have been identified at time of analysis, though the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote accessibility.
Sensitive data exposure in Exclusive Addons Elementor (WordPress plugin by Tim Strifler) through version 2.7.9.9 enables unauthenticated remote attackers to retrieve sensitive information embedded within HTTP responses. The CWE-201 root cause indicates the plugin incorrectly includes sensitive data in outbound responses accessible to any network client without authentication, as confirmed by the CVSS vector (PR:N/UI:N). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the network-accessible, zero-prerequisite attack surface warrants prompt patching on internet-facing WordPress installations.
Camel-internal control header injection in the Apache Camel AWS2-SQS component (camel-aws2-sqs) lets any principal holding sqs:SendMessage on a consumed SQS queue override downstream producer behaviour in a route. Because Sqs2HeaderFilterStrategy defined only an outbound filter and no inbound filter, DefaultHeaderFilterStrategy copied sender-supplied attributes such as CamelHttpUri, CamelFileName and CamelSqlQuery verbatim into the Exchange, so an attacker can redirect HTTP producers, rename files or override SQL queries. This is a design flaw with no public exploit identified at time of analysis; EPSS is low (0.16%, 6th percentile) and it is not on CISA KEV.
Information disclosure in Apache Camel's camel-undertow HTTP server consumer (versions 4.0.0 through 4.21.0) exposes complete Java stack traces to unauthenticated HTTP clients whenever a route processing exception occurs, due to a misconfigured default and a code-level bypass. Unlike every other Camel HTTP server component (camel-http, camel-jetty, camel-servlet, camel-platform-http), all of which default muteException to true, camel-undertow defaulted this option to false - and for Rest DSL consumers the option was silently ignored entirely due to a hard-coded false in RestUndertowHttpBinding, meaning muteException=true gave false confidence without actual protection. No public exploit has been identified at time of analysis; however exploitation requires only the ability to send a malformed HTTP request to a reachable endpoint, making this trivially accessible to any network-level attacker.
Stack trace disclosure in Apache Camel's camel-netty-http component (versions 4.0.0-4.21.0 across three release streams) exposes full Java Throwable stack traces to unauthenticated HTTP clients whenever a route processing error occurs under the default configuration. The root cause is an insecure default: the muteException option backed by an uninitialized Java primitive boolean defaulted to false in camel-netty-http while all other Camel HTTP server components (camel-http, camel-jetty, camel-servlet, camel-platform-http) correctly default it to true. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low-effort triggering condition - any malformed request that causes a route exception - makes opportunistic enumeration straightforward against exposed endpoints.
Header injection in Apache Camel's camel-kafka component allows HTTP clients to redirect Kafka messages to arbitrary topics in routes that bridge an HTTP consumer into a Kafka producer. The kafka.OVERRIDE_TOPIC, kafka.OVERRIDE_TIMESTAMP, and kafka.PARTITION_KEY Exchange header constants used non-CamelKafka-prefixed names, causing them to bypass HttpHeaderFilterStrategy - which blocks only the Camel/camel namespace - while remaining readable by KafkaProducer.evaluateTopic() as authoritative control directives. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but when the HTTP ingress is unauthenticated the attack requires only a standard HTTP client and a known Kafka topic name.
Header injection in Apache Camel's camel-irc component enables unauthenticated HTTP clients to redirect outgoing IRC messages to attacker-chosen channels or users by supplying non-Camel-prefixed headers (e.g., irc.sendTo) that Camel's HttpHeaderFilterStrategy fails to block. Affected versions span 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x; fixes are available in 4.14.8, 4.18.3, and 4.21.0. No public exploit code or CISA KEV listing exists at time of analysis, but the attack requires no credentials when the bridging HTTP consumer is unauthenticated, making it trivially reproducible against any qualifying deployment.
Integer overflow in radare2's string utility library affects versions up to 6.1.6, allowing a local low-privileged attacker to crash the application through manipulated input processed by r_str_ndup or r_str_append in libr/util/str.c. The impact is limited to availability - no confidentiality or integrity compromise is confirmed by the CVSS 4.0 vector (VC:N/VI:N/VA:L). Publicly available exploit code exists (CVSS 4.0 E:P), though no active exploitation is confirmed and the vulnerability is not listed in the CISA KEV catalog.
Integer overflow in radare2's binary analysis function exposes local users on systems running version 6.1.6 or earlier to limited confidentiality, integrity, and availability impacts. The flaw resides in the `core_anal_bytes` function within `libr/core/cmd_anal.inc` and requires only low-privilege local access to trigger via crafted binary input. A public proof-of-concept exploit has been disclosed, though no confirmed active exploitation (CISA KEV) is recorded; the CVSS 4.0 score of 1.9 reflects the tightly constrained local-only attack surface and limited impact scope.
Local privilege abuse in TUBITAK BILGEM Pardus-Parental-Control (versions up to and including 0.5.1, fixed in 0.7.0) lets a low-privileged local user exploit insecure file/resource permissions to tamper with the tool's DNS configuration and perform DNS spoofing. Because the CVSS scope is changed (S:C), the impact reaches beyond the application to system-wide name resolution, enabling redirection of traffic, bypass of parental filtering, and interception of connections. There is no public exploit identified at time of analysis, but the reachable local vector and low complexity make this a practical concern on shared or managed Pardus endpoints.
Sensitive information exposure in Pardus Domain Joiner (versions 0.5.2 up to but not including 0.5.4) lets a local low-privileged user harvest secrets — most plausibly domain-join credentials — that the tool passes as visible arguments when invoking a child process. TUBITAK BILGEM's utility enrolls Pardus (a Turkish Debian-based distribution) endpoints into a directory/domain, so the leaked material can be Active Directory or LDAP bind credentials. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the fix in 0.5.4 confirms the issue is vendor-acknowledged.
Arbitrary MongoDB collection disclosure in cve-search allows a remote, unauthenticated attacker to read any application database collection through the POST /fetch_cve_data endpoint by manipulating the collection name, projected fields, and regex filter parameters. Attackers can dump the mgmt_users collection to harvest administrative usernames and password hashes for offline cracking. Publicly available exploit code exists (referenced in the project issue tracker) and a vendor patch is available, though no active exploitation has been reported.
Weak hashing in LangGraph's Task Result Cache exposes low-privilege authenticated users to hash collision attacks that can leak cached task results across isolation boundaries. All LangGraph versions through 1.2.4 are affected via the `_freeze` function in `libs/langgraph/langgraph/_internal/_cache.py`. A public proof-of-concept is disclosed at GitHub issue #8009, though the CVSS 4.0 score of 2.3 and AC:H rating reflect genuinely high exploitation difficulty; this is not listed in CISA KEV and no active exploitation has been reported.
Weak hashing in exo-explore exo up to version 1.0.71 exposes the Vision Feature Cache to hash collision attacks via the `_image_cache_key` function in `src/exo/worker/engines/mlx/vision.py`. A remote, unauthenticated attacker capable of engineering the necessary collision inputs could disclose cached vision feature data, yielding a low confidentiality impact. Publicly available exploit code exists (referenced in GitHub issue #2151), though high attack complexity (AC:H) and the absence of a CISA KEV listing indicate no confirmed widespread active exploitation at time of analysis.
Insufficient session expiration in SourceCodester Online Boat Reservation System 1.0 allows a remote, low-privileged attacker to reuse a previously issued session token after it should have been invalidated, gaining unauthorized access to authenticated application functionality. The CWE-613 root cause indicates the application fails to properly terminate sessions on logout or timeout. A publicly available exploit demonstrates the flaw, as confirmed by a Medium writeup linked in the references.
Insufficiently random temporary file naming in markdownify-mcp (zcaceres, versions through 1.1.0) exposes transiently written content to local users who can predict or race the generated file path. The saveToTempFile function in src/Markdownify.ts affects the webpage-to-markdown, youtube-to-markdown, and bing-search-to-markdown conversion pipelines, allowing a co-located attacker to read converted content before cleanup. No active exploitation has been confirmed (not in CISA KEV), though a proof-of-concept is publicly available; the overall risk is low given the local-only, high-complexity attack requirements reflected in the CVSS 4.0 score of 2.0.
Symlink following in zcaceres markdownify-mcp up to version 1.1.0 allows a local low-privilege user to read files outside the intended directory boundary by exploiting insufficient path resolution in the `assertPathAllowed` function of `src/Markdownify.ts`. The function evaluates the user-supplied symbolic path rather than its canonicalized target, enabling an attacker to bypass the path restriction check and disclose arbitrary local files. No public exploit code exists at time of analysis, the vulnerability is not listed in CISA KEV, and a fix is pending as an unmerged pull request.
Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery. "Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce and the private key are drawn from makerandom. Because the high bit is always set, the result is not uniform: its top bit is fixed, producing insecure values." An attacker who collects a modest number of signatures under an affected key, together with the public key, can recover the private key with a lattice attack. Keys used to sign with an affected version should be considered compromised and new keys should be generated.
Partial string comparison in BettaFish's InsightEngine deduplication logic (versions up to 1.2.1) allows remote unauthenticated attackers to manipulate search-result deduplication by crafting inputs that exploit the flawed comparison in `_deduplicate_results` within `InsightEngine/agent.py`. The integrity impact is limited - attackers can cause duplicate or otherwise manipulated entries to persist in search output - but the attack requires no authentication and no user interaction, and a public proof-of-concept exploit exists. No active exploitation has been confirmed by CISA KEV; a fix pull request (PR #689) has been submitted but not yet merged.
State corruption in HdrHistogram up to version 2.2.2 allows a local, low-privileged attacker to manipulate the Count argument of the recordValueWithCount function in AbstractHistogram.java, resulting in low-integrity corruption of histogram state. The flaw affects the core metrics-recording logic of this Java library. A proof-of-concept exploit has been publicly disclosed; the project maintainer was notified via a GitHub issue but has not yet responded with a fix, leaving affected deployments without a vendor patch.
Incorrect comparison in HdrHistogram's DoubleHistogram.recordValue() range check allows a local, low-privileged attacker to manipulate histogram integrity by recording out-of-range values that bypass the bounds check. Versions up to and including 2.2.2 are affected. No public exploit identified at time of analysis - publicly available exploit code exists, and the project maintainer has not responded to the responsible disclosure, leaving the vulnerability unpatched.
The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Out-of-bounds read in ONNX versions up to 1.21.x exposes limited memory contents to low-privileged remote attackers via the convPoolShapeInference_opset19 shape inference function. The CVSS 4.0 score of 2.1 reflects minimal real-world impact - confidentiality-only, low severity - yet a public proof-of-concept is available via GitHub issue #8036. No active exploitation has been confirmed by CISA KEV, and an upstream patch exists at commit a7bf3a0f1d18bb62575236ef6e4944980c40e045 via PR #8051.
Weak session hash generation in ForceInjection AI-fundermentals 2.0 and 3.0 exposes conversation history belonging to other users in shared deployments. The `get_conversation_history` function in the Memory Recall Handler generates `sessionowner` tokens using a cryptographically weak hash algorithm (CWE-328), allowing a low-privileged authenticated attacker to predict or brute-force another user's session identifier and retrieve their prior conversation records. A publicly available exploit exists per GitHub issue #17 and the CVSS 4.0 E:P modifier, though the high attack complexity (AC:H) and low overall score of 2.3 indicate exploitation is difficult and impact is limited to partial confidentiality loss - no integrity or availability impact is present.
Divide-by-zero in RT-Thread's lightweight process (lwp) syscall handler allows a low-privileged remote attacker to crash the RTOS by sending crafted read, write, or sys_ioctl system calls with malicious parameters to the affected handler in components/lwp/lwp_syscall.c. Affected versions are 5.2.2 and below. A public proof-of-concept exploit has been disclosed via GitHub issue #11429, though this vulnerability has not been added to the CISA KEV catalog, suggesting exploitation remains opportunistic rather than broadly weaponized. The upstream fix exists only as a pull request (PR #11453) awaiting merge acceptance.
In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation path In __ip6_append_data(), when the paged-allocation branch is taken (MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are computed as alloclen = fragheaderlen + transhdrlen; pagedlen = datalen - transhdrlen; datalen already includes fraggap (datalen = length + fraggap). When fraggap is non-zero, this is not the first skb and transhdrlen is zero. The fraggap bytes carried over from the previous skb are copied just past the fragment headers in the new skb's linear area. The linear area is therefore undersized by fraggap bytes while pagedlen is overstated by the same amount, and the copy writes past skb->end into the trailing skb_shared_info. An unprivileged user can trigger this via a UDPv6 socket using MSG_MORE together with MSG_SPLICE_PAGES. The bad accounting was introduced by commit 773ba4fe9104 ("ipv6: avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix __ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative copy value caused -EINVAL to be returned. That later commit allowed MSG_SPLICE_PAGES to proceed in this case, making the corruption triggerable. The non-paged branch sets alloclen to fraglen, which already accounts for fraggap because datalen does. Bring the paged branch in line by adding fraggap to alloclen and subtracting it from pagedlen. After this adjustment, copy no longer collapses to -fraggap on the paged path, so remove the stale comment describing that old arithmetic. Since a negative copy is no longer expected for a valid MSG_SPLICE_PAGES case, remove the MSG_SPLICE_PAGES exception from the negative copy check.
In the Linux kernel, the following vulnerability has been resolved: af_unix: Set gc_in_progress to true in unix_gc(). Igor Ushakov reported that unix_gc() could run with gc_in_progress being false if the work is scheduled while running: Thread 1 Thread 2 Thread 3 -------- -------- -------- unix_schedule_gc() unix_schedule_gc() `- if (!gc_in_progress) `- if (!gc_in_progress) |- gc_in_progress = true | `- queue_work() | unix_gc() <----------------/ | | |- gc_in_progress = true ... `- queue_work() | | `- gc_in_progress = false | | unix_gc() <---------------------------------------------' | ... /* gc_in_progress == false */ | `- gc_in_progress = false unix_peek_fpl() relies on gc_in_progress not to confuse GC by MSG_PEEK. Let's set gc_in_progress to true in unix_gc().
In the Linux kernel, the following vulnerability has been resolved: KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use As per the GHCB spec, when using GHCB v2+ require the software scratch area to reside in the GHCB's shared buffer. Note, things like Page State Change (PSC) requests _rely_ on this behavior, as the guest can't provide a length when making the request, i.e. the size of the guest payload is bounded by the size of the shared buffer. Failure to force usage of the GHCB, and a slew of other flaws, lets a malicious SNP guest corrupt host kernel heap memory, and leak host heap layout information. setup_vmgexit_scratch() allocates a buffer via kvzalloc(exit_info_2), where exit_info_2 is guest-controlled. With exit_info_2=24, this yields a 24-byte allocation in kmalloc-cg-32 (32-byte slab objects). The buffer holds an 8-byte psc_hdr followed by 8-byte psc_entry structs, so only entries[0] and entries[1] are in-bounds. snp_begin_psc() validates end_entry against VMGEXIT_PSC_MAX_COUNT (253) but NOT against the actual buffer size: idx_end = hdr->end_entry; if (idx_end >= VMGEXIT_PSC_MAX_COUNT) { // checks 253, not buffer snp_complete_psc(svm, ...); return 1; } for (idx = idx_start; idx <= idx_end; idx++) { entry_start = entries[idx]; // OOB when idx >= 2 The guest sets end_entry=10+, causing the host to iterate entries[2+] which are OOB into adjacent slab objects. For each OOB entry: - The host reads 8 bytes (OOB READ / info leak oracle) - If the data passes PSC validation, __snp_complete_one_psc() writes cur_page = 1 or 512 into the entry (OOB WRITE, sev.c:3806) - If validation fails, the error response reveals whether adjacent memory is zero vs non-zero (information disclosure to guest) The guest controls allocation size (exit_info_2), entry range (cur_entry/end_entry), and can fire unlimited VMGEXITs to repeatedly hit different slab positions. By exploiting the variety of bugs, a malicious SEV-SNP guest can: - OOB read adjacent kmalloc-cg-32 objects (heap layout disclosure) - OOB write cur_page bits into adjacent objects (heap corruption) - Trigger use-after-free conditions across VMGEXITs E.g. with KASAN enabled, a single insmod of the PoC guest module produces 73 KASAN reports: BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x126/0x890 Read of size 8 at addr ffff888219ffb5e0 by task qemu-system-x86/2199 BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x468/0x890 Write of size 8 at addr ffff888351566648 by task qemu-system-x86/2199 The buggy address belongs to the object at ffff888XXXXXXXXX which belongs to the cache kmalloc-cg-32 of size 32 The buggy address is located N bytes to the right of allocated 32-byte region [ffff888XXXXXXXXX, ffff888XXXXXXXXX) Breakdown: 62 slab-out-of-bounds (reads + writes past allocation) 7 slab-use-after-free 4 use-after-free All credit to Stan for the wonderful description and reproducer! [sean: write changelog]
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix shadow paging use-after-free due to unexpected role Commit 0cb2af2ea66ad ("KVM: x86: Fix shadow paging use-after-free due to unexpected GFN") fixed a shadow paging mismatch between stored and computed GFNs; the bug could be triggered by changing a PDE mapping from outside the guest, and then deleting a memslot. The rmap_remove() call would miss entries created after the PDE change because the GFN of the leaf SPTE does not match the GFN of the struct kvm_mmu_page. A similar hole however remains if the modified PDE points to a non-leaf page. In this case the gfn can be made to match, but the role does not match: the original large 2MB page creates a kvm_mmu_page with direct=1, while the new 4KB needs a kvm_mmu_page with direct=0. However, kvm_mmu_get_child_sp() does not compare the role, and therefore reuses the page. The next step is installing a leaf (4KB) SPTE on the new path which records an rmap entry under the gfn resolved by the walk. But when that child is zapped its parent kvm_mmu_page has direct=1 and kvm_mmu_page_get_gfn() computes the gfn for the 4KB page as sp->gfn + index instead of using sp->shadowed_translation[] (or sp->gfns[] in older kernels). It therefore fails to remove the recorded entry. When the memslot is dropped the shadow page is freed but the rmap entry survives, as in the scenario that was already fixed. Code that later walks that gfn (dirty logging, MMU notifier invalidation, and so on) dereferences an sptep that lies in the freed page, causing the use-after-free.
Protection mechanism failure in NousResearch hermes-agent (≤ 0.15.2) allows remote authenticated attackers to bypass shell execution controls via the shell.exec function in tui_gateway/server.py, resulting in low-level confidentiality, integrity, and availability impact. The vulnerability is classified under CWE-693 and carries a CVSS 4.0 score of 5.3 (Medium), with a publicly available proof-of-concept exploit hosted on GitHub. No patch has been issued - the vendor did not respond to the researcher's disclosure - meaning all deployments of hermes-agent up to and including version 0.15.2 remain exposed.
Session data exposure in FederatedAI FATE's OSX Broker gRPC component allows an authenticated federated party to manipulate session routing arguments and access data belonging to a different federated session. Affected versions extend through FATE 2.2.0, specifically in the QueuePushReqStreamObserver.initEggroll method within the Java-based OSX Broker. No public exploit confirmed active exploitation (not in CISA KEV), though exploit code has been publicly disclosed via a GitHub issue, and the CVSS 4.0 score of 2.3 reflects the high attack complexity and limited confidentiality impact.
PHP file inclusion in PHPIPAM allows authenticated API users to include and execute arbitrary PHP files from the web server's filesystem, with primary impact on application confidentiality through exposure of sensitive configuration data. Exploitation is gated behind two non-default conditions: the REST API must be deliberately enabled by an administrator, and the attacker must hold valid API credentials - constraining the realistic attack surface substantially. Publicly available exploit code exists per Project Black's research blog, though the vulnerability carries a CVSS 4.0 score of 2.3 and is absent from CISA KEV, reflecting its narrow exploitation prerequisites rather than widespread threat activity.
Local privilege escalation in Unity Parsec for Windows (all builds through v2026-05-04.0) lets an unprivileged local user coerce an instance of parsecd.exe to run as NT AUTHORITY\SYSTEM while honoring a user-controlled AppData environment variable, allowing the attacker to redirect the privileged process to resources under their control and gain SYSTEM. The flaw is a CWE-648 misuse of privileged APIs; publicly available exploit code exists (a dedicated CVE GitHub repository and a researcher write-up), and it is fixed in Parsec for Windows 150-104a. It is not listed in CISA KEV and no EPSS score was supplied, so there is no evidence of widespread active exploitation.