Information Disclosure

A race condition exists in the Linux kernel's NFC rawsock implementation where the tx_work function can execute concurrently with socket teardown, leading to use-after-free vulnerabilities when accessing NCI device structures. This affects all Linux kernel versions with the vulnerable NFC rawsock code path, particularly impacting systems where processes are forcefully terminated (e.g., via SIGKILL). An attacker with local access to trigger socket teardown race conditions could cause kernel memory corruption, information disclosure, or denial of service.

A credential disclosure vulnerability exists in the Linux kernel's Dell WMI System Management (dell-wmi-sysman) module where the set_new_password() function performs hex dumps of memory buffers containing plaintext password data, including both current and new passwords. This affects all Linux kernel versions with the vulnerable dell-wmi-sysman driver, allowing local attackers with access to kernel logs or debug output to extract sensitive authentication credentials. While no CVSS score, EPSS probability, or active KEV status is currently assigned, the patch availability across six stable kernel branches indicates the vulnerability has been formally addressed by the Linux kernel maintainers.

The Linux kernel's ksmbd (SMB server implementation) component uses the non-constant-time memcmp() function to compare Message Authentication Codes (MACs) instead of the cryptographically-secure crypto_memneq() function, enabling timing-based attacks to leak authentication credentials. All Linux kernel versions with ksmbd are affected, allowing attackers to potentially forge authentication by measuring response time differences during MAC validation. While no public exploit code is confirmed, multiple stable kernel branches have received patches addressing this vulnerability, indicating kernel maintainers treated this as a legitimate information disclosure risk.

A resource management vulnerability exists in the Linux kernel's DRM/XE (Intel Graphics Execution Manager) queue initialization code where the finalization function is not called when execution queue creation fails, leaving the queue registered in the GuC (GPU Unified Compute) list and potentially causing invalid memory references. This affects all Linux kernel versions containing the vulnerable DRM/XE driver code. The vulnerability could lead to memory corruption or system instability when an exec queue creation failure occurs, though exploitation would require local kernel code execution capability or ability to trigger queue creation failures.

A use-after-free (UAF) vulnerability exists in the Linux kernel's network queue discipline (qdisc) subsystem when shrinking the number of transmit queues on network interfaces. The vulnerability occurs because qdisc_reset_all_tx_gt() can reset and free skb buffers concurrently with the lockless dequeue path (qdisc_run_begin/end), allowing freed memory to be accessed during packet dequeuing. All Linux kernels with lockless qdisc support are affected, and the vulnerability has been demonstrated via a practical reproduction case involving virtio-net devices under heavy traffic while changing queue pair counts. Multiple stable kernel patches are available addressing the issue.

A use-after-free vulnerability exists in the Linux kernel's cfg80211 WiFi subsystem where the rfkill_block work queue is not properly cancelled during wireless device (wiphy) unregistration, allowing a worker thread to access freed memory. This affects all Linux kernel versions in the cfg80211 module (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), and while no CVSS score or EPSS data is available, the vulnerability can trigger a kernel crash or information disclosure when a WiFi device is removed while rfkill operations are pending.

A kernel stack memory leak exists in the Linux kernel's RDMA/irdma driver within the irdma_create_user_ah() function, where 4 bytes of uninitialized kernel stack memory are leaked to user space through the rsvd (reserved) field of the irdma_create_ah_resp structure. This information disclosure vulnerability affects all Linux kernel versions with the vulnerable irdma driver code, allowing any unprivileged user with access to RDMA operations to read sensitive kernel stack data. While no CVSS score or EPSS metric is currently available, the vulnerability is classified as Information Disclosure and has been patched across multiple stable kernel branches, indicating upstream recognition and remediation.

A logic error in the Linux kernel's drm/vmwgfx driver causes the vmw_translate_ptr functions to return success when pointer lookups actually fail, because the error handling was not updated when the underlying lookup function's return mechanism changed from returning a pointer to returning an error code with pointer as an out parameter. This allows uninitialized pointer dereferences and out-of-bounds memory access when the functions incorrectly report success, potentially enabling information disclosure or privilege escalation via the VMware graphics driver.

A use-after-free vulnerability exists in the Linux kernel's pm8001 SCSI driver where the pm8001_queue_command() function incorrectly returns -ENODEV after already freeing a SAS task, causing the upper-layer libsas driver to attempt a second free operation. This affects all Linux kernel versions with the vulnerable pm8001 driver code, and while not remotely exploitable by default, it can lead to kernel memory corruption and denial of service on systems using PM8001-compatible SCSI controllers. No CVSS score, EPSS data, or active KEV status is currently available, but multiple stable kernel patches have been released across multiple branches.

The Linux kernel CIFS client contains an information disclosure vulnerability where debug logging in the cifs_set_cifscreds() function exposes plaintext usernames and passwords in kernel logs when debug logging is enabled. This affects all versions of the Linux kernel with CIFS client support, allowing any local user or administrator with access to kernel logs to recover plaintext SMB credentials. While no CVSS score, EPSS data, or KEV status is publicly available, the severity is elevated due to the direct exposure of authentication credentials in commonly-accessible debug logs.

This vulnerability is a race condition in the Linux kernel's BPF devmap subsystem that occurs on PREEMPT_RT kernels, where per-CPU bulk queue structures can be accessed concurrently by multiple preemptible tasks on the same CPU. An attacker or unprivileged local process can trigger use-after-free, double-free, or memory corruption conditions by crafting specific XDP (eXpress Data Path) redirect operations that cause concurrent access to shared queue structures, potentially leading to kernel crashes, information disclosure, or privilege escalation. The vulnerability affects all Linux kernel versions with the vulnerable devmap code path and has been patched upstream, though CVSS and EPSS scores are not yet assigned and no public exploit or KEV status is currently documented.

The Xen privcmd driver in the Linux kernel allows unprivileged domain users (domU) to issue arbitrary hypercalls that can bypass Secure Boot protections by modifying kernel memory contents. This vulnerability affects Linux kernel across multiple distributions (particularly Debian with 8 tracked releases) and impacts systems running Xen hypervisor with Secure Boot enabled, where a root process in an unprivileged guest domain could circumvent boot integrity protections. The fix restricts privcmd hypercall access to target a specific domain when running in unprivileged domU contexts, preventing unauthorized memory modification while preserving legitimate device model functionality.

The PeproDev Ultimate Invoice WordPress plugin through version 2.2.5 contains an information disclosure vulnerability in its bulk download invoices feature, which generates ZIP archives with predictably named files containing exported invoice PDFs. An unauthenticated or low-privileged attacker can brute force the predictable ZIP file naming scheme to retrieve and download archives containing sensitive personally identifiable information (PII) from invoices. A public proof-of-concept exploit is available via WPScan, making this vulnerability actively exploitable in the wild.

An authorization and state management flaw in Apple's WebKit browser engine allows maliciously crafted webpages to fingerprint users by exploiting improper state handling during web interactions. This vulnerability affects Safari 26.4, iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4, and watchOS 26.4 across all Apple platforms. An attacker can exploit this by hosting a specially crafted webpage that leverages the state management weakness to extract browser or device identifiers without user knowledge, enabling user tracking and profiling attacks. No CVSS score, EPSS data, or public proof-of-concept details are currently available, though Apple has released fixes across all affected platforms.

A permissions enforcement vulnerability in Apple's operating systems allows third-party applications to enumerate installed applications on a user's device without proper authorization. This information disclosure issue affects iOS, iPadOS, macOS, and visionOS versions prior to 26.4, enabling attackers to gain insight into a user's software ecosystem for profiling or targeting purposes. Apple has addressed this with additional access restrictions in the patched versions, though no CVSS score, EPSS data, or known active exploitation has been publicly disclosed.

A logging issue in Apple's operating systems allows improper data redaction in system logs, enabling installed applications to access sensitive user data that should have been masked. This vulnerability affects iOS 18.7.7 and earlier, iPadOS 18.7.7 and earlier, iOS 26.3 and earlier, iPadOS 26.3 and earlier, macOS Sequoia 15.7.5 and earlier, macOS Sonoma 14.8.5 and earlier, macOS Tahoe 26.3 and earlier, and visionOS 26.3 and earlier. An attacker with the ability to install or control an application on an affected device could exploit inadequate log data filtering to extract confidential user information that should be protected by the operating system's redaction mechanisms.

An access control vulnerability in macOS allows applications to connect to network shares without explicit user consent, bypassing the sandbox restrictions designed to prevent unauthorized network access. This affects macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, and macOS Tahoe 26.4, where a malicious or compromised application could silently establish connections to network resources. Apple has addressed this issue through additional sandbox restrictions in the specified patch versions; no public exploit code or active exploitation via KEV has been reported, but the nature of the vulnerability suggests moderate real-world risk due to the ease with which local applications could abuse this capability.

A logging issue in Apple's operating systems allows improper data redaction, potentially enabling applications to disclose kernel memory contents. This information disclosure vulnerability affects iOS and iPadOS (versions prior to 18.7.7 and 26.4), macOS (Sequoia 15.7.5, Sonoma 14.8.5, Tahoe 26.4), visionOS 26.4, and watchOS 26.4. An untrusted application with standard execution privileges could exploit this to read sensitive kernel memory that should have been redacted from logs, potentially exposing cryptographic material, memory addresses useful for ASLR bypass, or other privileged information. No CVSS score, EPSS data, or public proof-of-concept has been disclosed at this time, and this does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog.

This vulnerability involves improper handling of symbolic links (symlinks) in macOS, which could allow an application to access sensitive user data without proper authorization. The issue affects multiple macOS versions including Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4, representing an information disclosure vulnerability with potential impact on user privacy. Apple has released patches to address the symlink handling deficiency, though specific attack complexity and exploitation metrics are not publicly detailed.

A permissions enforcement vulnerability in macOS allows applications to modify protected portions of the file system that should be restricted from unauthorized access. This issue affects macOS Sequoia, Sonoma, and Tahoe across multiple versions prior to their patched releases (15.7.5, 14.8.5, and 26.4 respectively). An attacker controlling or tricking a user into running a malicious application could leverage this permissions bypass to modify system-critical files, potentially enabling privilege escalation, persistence mechanisms, or system compromise.

Sandbox escape vulnerability in macOS (Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, Tahoe 26.3 and earlier) allows locally-installed applications to break out of their sandbox restrictions through a race condition. An attacker with the ability to run an application on an affected system could exploit this to gain unauthorized access outside the application's intended security boundaries. No patch is currently available for this HIGH severity vulnerability (CVSS 8.1).

A file access control vulnerability in macOS Tahoe allows attackers to bypass input validation mechanisms and gain unauthorized access to protected portions of the file system. The vulnerability affects macOS versions prior to Tahoe 26.4, and has been classified as an Information Disclosure issue by Apple. An attacker exploiting this vulnerability can read or access files and directories that should be restricted from their privilege level, potentially exposing sensitive user data, system configuration files, or other protected resources.

Xcode versions prior to 26.4 contain an out-of-bounds read vulnerability that can be triggered by local users with user interaction to cause unexpected application or system termination. This denial-of-service condition affects developers and build systems using vulnerable Xcode installations. No patch is currently available.

This vulnerability allows attackers to bypass Content Security Policy (CSP) enforcement in Apple's WebKit engine through maliciously crafted web content, affecting Safari and all Apple platforms including iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. The vulnerability stems from improper state management during web content processing, enabling attackers to circumvent a critical security control that prevents injection attacks and unauthorized script execution. While no CVSS score or EPSS data is currently available, the broad platform impact across Apple's entire ecosystem and the fundamental nature of CSP bypass as an information disclosure vector indicate significant real-world risk.

An input validation flaw in iOS and iPadOS allows malicious applications to bypass security controls and access sensitive user data without proper authorization. The vulnerability affects iOS and iPadOS versions prior to 26.3, where insufficient input validation in an unspecified component permits unauthorized data disclosure. Apple has patched this vulnerability in iOS 26.3 and iPadOS 26.3, and there are no public indicators of active exploitation or proof-of-concept availability.

macOS versions prior to Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4 contain an out-of-bounds read vulnerability that allows local applications to access and disclose sensitive kernel memory. An attacker with the ability to run code on an affected system can exploit this memory disclosure to obtain privileged information that may aid in further system compromise. No patch is currently available for this HIGH severity vulnerability.

Maliciously crafted media files containing out-of-bounds memory access in Apple's audio processing can crash affected applications across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. An attacker can trigger a denial of service by triggering the vulnerability through a specially crafted audio stream, though no patch is currently available. This impacts multiple recent OS versions where an out-of-bounds read occurs during media file processing.

A privacy vulnerability in macOS Tahoe allows applications to access sensitive user data that should have been protected through proper data isolation. The vulnerability affects macOS versions prior to 26.4, where sensitive data was not adequately segregated from application access. An attacker or malicious application could exploit this flaw to read protected user information without proper authorization, representing a direct information disclosure risk.

A privacy vulnerability in Apple's operating systems allows third-party applications to enumerate a user's installed applications, resulting in unauthorized information disclosure about device software inventory. The vulnerability affects iOS and iPadOS versions prior to 18.7.7 and 26.4, macOS Sonoma prior to 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4 across all affected product lines. An attacker can exploit this vulnerability by crafting a malicious application that leverages the enumeration capability to profile a user's installed software, potentially enabling further targeted attacks or privacy inference attacks based on application usage patterns.

This vulnerability is a privacy issue in Apple macOS where improved private data redaction for log entries was not properly implemented, allowing applications to potentially access user-sensitive data that should have been redacted. The vulnerability affects macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, and macOS Tahoe 26.4, with no public indicators of active exploitation or proof-of-concept code. While CVSS and EPSS scores are unavailable, the nature of the issue suggests moderate real-world risk due to its reliance on application-level exploitation requiring user interaction or system access.

macOS systems running Sequoia 15.7.4 or earlier, Sonoma 14.8.4 or earlier, and Tahoe 26.3 or earlier contain a use-after-free vulnerability in SMB share handling that could allow an attacker to crash the operating system by mounting a specially crafted network share. The vulnerability requires user interaction to mount the malicious share and results in denial of service rather than code execution or data compromise. No patch is currently available for this vulnerability.

A sandbox escape vulnerability in Apple's WebKit browser engine allows malicious websites to process restricted web content outside the security sandbox, potentially enabling unauthorized access to protected system resources. The vulnerability affects Safari and all Apple operating systems including iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Apple has addressed this issue through improved memory handling in Safari 26.4 and corresponding OS updates across all affected platforms.

Type confusion in Apple's iOS, iPadOS, macOS, tvOS, visionOS, and watchOS allows local attackers to trigger unexpected application termination through memory corruption. The vulnerability affects multiple OS versions and currently lacks a publicly available patch. An attacker with local access can exploit this to cause denial of service by crashing targeted applications.

macOS systems running Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, or Tahoe 26.3 and earlier are vulnerable to a race condition in application state handling that allows local attackers to trigger unexpected system termination and cause denial of service. The vulnerability requires specific timing conditions but does not require user interaction or elevated privileges to exploit. Apple has released patches for affected versions, though exploitation likelihood remains low.

A permissions issue across Apple's ecosystem allows applications to fingerprint users by accessing information that should be restricted. The vulnerability affects iOS and iPadOS versions prior to 26.4, tvOS prior to 26.4, visionOS prior to 26.4, and watchOS prior to 26.4. Attackers can exploit this by deploying a malicious app that leverages inadequate permission restrictions to collect device and user identifiers for tracking and profiling purposes. The issue has been addressed by Apple through additional permission restrictions in the patched versions, indicating this is a known vulnerability with an available fix.

A sandbox escape vulnerability in macOS allows malicious applications to break out of their sandbox restrictions through a permissions issue. This affects macOS Sequoia (versions prior to 15.7.5), macOS Sonoma (versions prior to 14.8.5), and macOS Tahoe (versions prior to 26.4). An attacker who distributes a malicious app could potentially gain unauthorized access to system resources and user data that should be protected by the sandbox security boundary.

Sandboxed processes on Apple macOS (Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4) can escape sandbox isolation due to a race condition in state handling, allowing local attackers to bypass security restrictions and potentially execute arbitrary operations with elevated privileges. No patch is currently available for affected systems. The vulnerability requires local access and specific timing conditions but carries high impact across confidentiality, integrity, and availability.

A downgrade vulnerability affecting Intel-based Mac computers allows malicious applications to bypass code-signing restrictions and access user-sensitive data. The vulnerability impacts macOS Sequoia (versions before 15.7.5), macOS Sonoma (versions before 14.8.5), macOS Tahoe (versions before 26.3 and 26.4), and affects all Intel-based Mac systems running vulnerable versions. An attacker can craft an application that exploits insufficient code-signing validation to downgrade security protections and exfiltrate sensitive user information.

An information disclosure vulnerability in macOS allows applications to determine kernel memory layout through improper memory management, enabling potential attacks that rely on kernel address space layout randomization (KASLR) bypass. This issue affects macOS Sequoia (before 15.7.5), macOS Sonoma (before 14.8.5), and macOS Tahoe (before 26.4). An unprivileged application can exploit this to leak kernel memory addresses, which is a critical prerequisite for more sophisticated kernel exploitation attacks. No CVSS score, EPSS probability, or evidence of active exploitation in CISA KEV catalog has been published, though the vulnerability was patched by Apple across three major OS versions, suggesting it was discovered through responsible disclosure rather than in-the-wild exploitation.

A logic error in Apple's script message handler implementation allows malicious websites to access script message handlers intended for other origins, resulting in unauthorized cross-origin information disclosure. This vulnerability affects Safari 26.4 and earlier, iOS/iPadOS 18.7.7 and earlier, macOS Tahoe 26.4 and earlier, and visionOS 26.4 and earlier. An attacker can craft a malicious website that exploits improper state management in the message handler routing mechanism to intercept sensitive data intended for legitimate web applications, potentially exposing authentication tokens, user data, or other confidential information passed through script messaging interfaces.

This vulnerability involves improper handling of symbolic links in Apple operating systems that could allow an application to access user-sensitive data without proper authorization. The flaw affects iOS and iPadOS versions prior to 26.3, macOS Sequoia versions prior to 15.7.4, macOS Sonoma versions prior to 14.8.4, and macOS Tahoe versions prior to 26.3 and 26.4. An attacker with the ability to execute code in a sandboxed application context could potentially bypass security restrictions to access protected user information, though no active exploitation in the wild has been confirmed at this time.

An information disclosure vulnerability in macOS Tahoe allows applications to access sensitive user data through insufficient access controls. The vulnerability affects all versions of macOS prior to version 26.4, where the flaw was remediated through improved permission checking mechanisms. While specific technical details are limited, the vulnerability enables malicious or compromised applications to bypass privacy protections and exfiltrate user information.

An authorization bypass vulnerability in Apple's operating systems allows third-party applications to access sensitive user data through improper state management during authorization checks. The vulnerability affects iOS/iPadOS 26.4 and earlier, macOS Sequoia 15.7.5 and earlier, macOS Tahoe 26.4 and earlier, visionOS 26.4 and earlier, and watchOS 26.4 and earlier across multiple Apple devices and platforms. An attacker can exploit this by crafting a malicious application that circumvents authorization controls to read protected user information without explicit user consent. No CVSS score, EPSS probability, or active exploitation status has been disclosed by Apple, though the vulnerability spans all major Apple operating systems indicating broad platform impact.

An information disclosure vulnerability in Apple's operating systems allows applications to enumerate a user's installed apps without proper authorization. This affects iOS, iPadOS, macOS, tvOS, visionOS, and watchOS versions prior to 26.4. An attacker can distribute a malicious app that queries the system to discover what applications a user has installed, potentially enabling targeted attacks or privacy violations. No CVSS score, EPSS data, or known public exploits are currently documented, but the vulnerability has been fixed across all Apple platforms, indicating Apple assessed this as requiring immediate remediation.

Remote attackers can trigger denial-of-service conditions against multiple Apple operating systems (iOS, iPadOS, macOS variants) through network requests that bypass insufficient input validation. The vulnerability affects iOS 26.4 and earlier, iPadOS 26.4 and earlier, macOS Sequoia 15.7.4 and earlier, macOS Sonoma 14.8.4 and earlier, and macOS Tahoe 26.3 and earlier. No patch is currently available for this high-severity vulnerability with a 7.5 CVSS score.

This vulnerability affects Apple's Safari browser and related Apple operating systems (iOS, iPadOS, macOS Tahoe, and visionOS) due to improper memory handling when processing maliciously crafted web content. The flaw can lead to unexpected process crashes, resulting in a denial of service condition affecting all users of the impacted Safari versions and OS versions below 26.4. While no CVSS score or EPSS data is currently published, the vulnerability has been patched by Apple, suggesting it was discovered through internal security review or responsible disclosure rather than active exploitation.

An information leakage vulnerability affecting Apple's operating systems across multiple platforms (iOS, iPadOS, macOS, tvOS, visionOS, and watchOS) allows third-party applications to access sensitive user data through insufficient validation mechanisms. The vulnerability impacts all versions prior to the 26.4 release across affected platforms, enabling malicious or compromised applications to bypass access controls and exfiltrate private user information. While no CVSS score, EPSS data, or active exploitation in the wild has been publicly disclosed, the breadth of affected platforms and the fundamental nature of information disclosure vulnerabilities suggest moderate to significant real-world risk.

An authorization flaw in macOS allows applications to bypass state management controls and access sensitive user data without proper authorization. The vulnerability affects macOS Sequoia 15.7.4 and earlier, macOS Sonoma 14.8.4 and earlier, and macOS Tahoe 26.3 and earlier. While no CVSS score, EPSS data, or public exploit code is currently available, Apple has silently patched this issue across three major macOS versions, suggesting it posed a meaningful risk to user privacy and data confidentiality.

Protected system files on macOS (Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4) can be deleted by attackers with root privileges due to improper state management. This integrity-impacting vulnerability affects administrators and privileged users who could leverage elevated access to remove critical system components. No patch is currently available for this medium-severity issue.

A symlink validation vulnerability in Apple's iOS, iPadOS, and macOS operating systems allows malicious applications to bypass file system protections and access sensitive user data through improper handling of symbolic links. The vulnerability affects iOS 18.7.7 and earlier, iPadOS 18.7.7 and earlier, iOS 26.4 and earlier, iPadOS 26.4 and earlier, macOS Sequoia 15.7.5 and earlier, macOS Sonoma 14.8.5 and earlier, and macOS Tahoe 26.4 and earlier. An attacker with the ability to install or execute an application on the affected system could leverage this weakness to read restricted files and access private user information without proper authorization.

A privacy vulnerability in macOS Tahoe allows documents to be inadvertently written to temporary files during print preview operations, potentially exposing sensitive information to unauthorized access. This affects macOS versions prior to 26.4. An attacker with local file system access could retrieve unencrypted documents from temporary storage, circumventing user expectations of privacy during print operations.

A logic flaw in macOS Tahoe allows local users to elevate their privileges through improved checks that were insufficient in earlier versions. This vulnerability affects macOS versions prior to 26.4 and enables privilege escalation attacks from standard user accounts to higher privilege levels. Apple has patched this issue in macOS Tahoe 26.4, and no active exploitation or public proof-of-concept code has been reported.

An authorization bypass vulnerability in macOS allows applications to access sensitive user data through improper state management. The vulnerability affects macOS Sonoma 14.8.4 and earlier versions, as well as macOS Tahoe 26.3 and earlier, enabling unprivileged apps to circumvent authorization checks and obtain restricted user information. Apple has addressed this issue through patched releases, and no public exploitation activity or proof-of-concept code has been reported at this time.

A permissions enforcement vulnerability in macOS allows applications to bypass file system protections and modify protected system files or directories through inadequate access controls. This affects macOS Sequoia (before 15.7.5), macOS Sonoma (before 14.8.5), and macOS Tahoe (before 26.4). Apple has addressed the issue by removing vulnerable code, and no active exploitation or proof-of-concept has been publicly disclosed at this time.

A kernel state information disclosure vulnerability exists across Apple's entire platform ecosystem that allows a malicious application to leak sensitive kernel memory without requiring elevated privileges. The vulnerability affects iOS and iPadOS versions prior to 18.7.7 and 26.4, macOS Sequoia prior to 15.7.5, macOS Tahoe 26.4, and tvOS, visionOS, and watchOS 26.4. An attacker can craft a specially designed app that exploits improper authentication mechanisms to access protected kernel state, potentially exposing cryptographic keys, memory addresses, or other sensitive operating system internals that could be chained with other vulnerabilities.

macOS systems running Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, and Tahoe 26.3 and earlier contain a race condition in state handling that allows local applications to escalate privileges to root. The vulnerability stems from improper synchronization during critical operations, enabling an attacker with local access to exploit the timing window and gain elevated system privileges. Patches have been released for affected macOS versions.

A privacy vulnerability in Apple's Mail application allows the "Hide IP Address" and "Block All Remote Content" user preferences to fail inconsistently across certain mail content, potentially exposing user IP addresses and loading remote content despite explicit user configuration. This affects iOS, iPadOS, and multiple macOS versions. While no CVSS score or EPSS data is currently available and there is no indication of active exploitation in the wild (KEV status not listed), the vulnerability represents a direct circumvention of privacy controls that users explicitly enable to protect their identity and security posture.

A logic issue in macOS Tahoe allows a malicious application to escape its sandbox and execute code outside of the restricted security boundary. This vulnerability affects macOS versions prior to 26.4 and represents a critical sandbox bypass that could enable arbitrary code execution with elevated privileges. While no CVSS score or active exploitation data is currently available, the sandbox escape capability makes this a high-priority patch for all affected macOS users.

A privacy vulnerability in macOS allows applications to access sensitive user data through improper handling of temporary files. The issue affects macOS Sequoia (versions prior to 15.7.5), macOS Sonoma (versions prior to 14.8.4), and macOS Tahoe (versions prior to 26.3). An unprivileged application could exploit weak temporary file protections to read or manipulate sensitive data, though no active exploitation in the wild or public proof-of-concept has been confirmed at this time.

An issue in Eufy Homebase 2 version 3.3.4.1h allows a local attacker to obtain sensitive information via the cryptographic scheme. Rated high severity (CVSS 7.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

The Ech0 application exposes an unauthenticated API endpoint GET /api/allusers that returns a complete list of user records including usernames, email addresses, and account metadata without requiring authentication. This allows remote attackers to enumerate all system users and gather profile information for reconnaissance and targeted attacks. A working proof-of-concept exists demonstrating the vulnerability, and a patch is available in version 4.2.0.

NATS.io nats-server versions prior to v2.12.6 and v2.11.15 expose MQTT user passwords through unsecured monitoring endpoints. The vulnerability incorrectly classifies MQTT passwords as non-authenticating identity statements (JWT), causing them to leak via monitoring APIs accessible over the network without authentication. With a CVSS score of 8.6 and network-based attack vector requiring no privileges, this poses significant risk to credential confidentiality in MQTT deployments, though no active exploitation (KEV) or public proof-of-concept is currently documented.

This is an injection vulnerability affecting TIBCO ActiveMatrix BusinessWorks and Enterprise Administrator due to insufficient validation and sanitization of user-supplied input. The vulnerability allows attackers to disclose sensitive information including local files and host system details, and may enable manipulation of application behavior. No CVSS score, EPSS data, or active exploitation reports are currently available, but the vendor has issued a security advisory indicating patches are available.

A credential exposure vulnerability exists in NATS.io nats-server where static authentication credentials passed via command-line arguments are disclosed through the monitoring port's /debug/vars endpoint without redaction. NATS.io nats-server versions prior to 2.12.6 and 2.11.15 are affected. An attacker with network access to the monitoring port can retrieve plaintext credentials and gain unauthorized access to the messaging system, though this requires the uncommon configuration of both using command-line credentials and enabling monitoring.

NVIDIA NeMo Framework contains an insecure deserialization vulnerability (CWE-502) that allows authenticated local attackers to execute arbitrary code. The vulnerability affects NVIDIA NeMo Framework installations and can lead to code execution, privilege escalation, information disclosure, and data tampering. According to CISA's SSVC framework, there is currently no evidence of active exploitation in the wild, and the attack is not automatable, though technical impact is rated as total.

Thunderbird's mail parser fails to validate string length parameters, allowing a compromised mail server to trigger out-of-bounds memory reads through malformed email content. Affected users running versions prior to 149 and 140.9 could experience application crashes or disclosure of sensitive data from process memory. The vulnerability requires network access but no user interaction, though no patch is currently available.

NVIDIA NeMo Framework contains a remote code execution vulnerability in its checkpoint loading mechanism caused by insecure deserialization (CWE-502). Attackers with local access and low privileges can exploit this to achieve code execution, privilege escalation, information disclosure, and data tampering with high impact on confidentiality, integrity, and availability. According to SSVC framework, there is currently no observed exploitation in the wild, though the technical impact is rated as total.

A spoofing vulnerability exists in Mozilla Thunderbird that affects versions below 149 and below 140.9, allowing attackers to spoof email sources or identities. This vulnerability is classified as an information disclosure issue that could compromise email authentication and user trust. While specific CVSS and EPSS metrics are unavailable, the vulnerability warrants prompt patching as Mozilla has issued security advisories indicating active remediation efforts.

NVIDIA Model Optimizer for Windows and Linux contains an unsafe deserialization vulnerability in its ONNX quantization feature that allows attackers to execute arbitrary code by providing a malicious input file. Users who process untrusted ONNX model files are at risk of complete system compromise, including code execution, privilege escalation, data tampering, and information disclosure. There is no current evidence of active exploitation (not in CISA KEV) or public proof-of-concept availability.

Tenable OT contains an SSH misconfiguration that permits unauthorized disclosure of socket, port, and service information through the ostunnel user account and improper GatewayPorts settings. This vulnerability affects Tenable Operation Technology across multiple versions and allows attackers to enumerate underlying system architecture and network configuration without requiring high privileges or complex exploitation. While no CVSS score, EPSS data, or confirmed active exploitation is publicly documented, the information disclosure nature of this vulnerability enables reconnaissance for subsequent targeted attacks.

NVIDIA APEX for Linux contains a deserialization of untrusted data vulnerability that affects environments using PyTorch versions earlier than 2.6. An attacker with low privileges on an adjacent network can exploit this flaw to achieve code execution, denial of service, privilege escalation, data tampering, and information disclosure with scope change (CVSS 9.0 Critical). No KEV listing or public POC availability has been reported at this time.

NVIDIA Megatron-LM contains an unsafe deserialization vulnerability (CWE-502) in its checkpoint loading mechanism that allows remote code execution when a user loads a maliciously crafted checkpoint file. The vulnerability affects NVIDIA Megatron-LM installations and can lead to code execution, privilege escalation, information disclosure, and data tampering with a CVSS score of 7.8. The attack requires local access and low privileges but no user interaction once the malicious file is loaded.

NVIDIA Megatron-LM contains an insecure deserialization vulnerability (CWE-502) during model inferencing that allows remote code execution when a user loads a maliciously crafted input file. This vulnerability has a CVSS score of 7.8 and requires local access with low privileges but no user interaction, enabling attackers to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. The vulnerability affects NVIDIA's large language model training framework widely used in AI research and production environments.

NVIDIA Megatron-LM contains an unsafe deserialization vulnerability (CWE-502) in its checkpoint loading functionality that allows remote code execution when a user is tricked into loading a maliciously crafted checkpoint file. The vulnerability affects NVIDIA Megatron-LM installations and can lead to code execution, privilege escalation, information disclosure, and data tampering with a CVSS score of 7.8. There is no current indication of active exploitation in CISA's KEV catalog, and EPSS data was not provided in the intelligence sources.

NVIDIA Megatron-LM contains a critical unsafe deserialization vulnerability (CWE-502) in its hybrid conversion script that allows remote code execution when a user loads a maliciously crafted file. The vulnerability affects NVIDIA Megatron-LM installations and enables attackers to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. With a CVSS score of 7.8 and local attack vector requiring low privileges and no user interaction, this represents a significant risk for organizations using this large language model training framework.

NVIDIA Megatron LM contains an insecure deserialization vulnerability (CWE-502) in its quantization configuration loading mechanism that enables remote code execution. Attackers with local access and low privileges can exploit this flaw to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. The vulnerability has a CVSS score of 7.8 and affects all versions of NVIDIA Megatron LM based on available CPE data.

HCL Traveler contains a sensitive information disclosure vulnerability where error messages expose internal system details including file paths, tokens, credentials, and stack traces. This affects all versions of HCL Traveler as indicated by the CPE string, and requires authenticated access (PR:L) to exploit but can be leveraged by low-privilege users to reconnaissance the application architecture for follow-up attacks. With a CVSS score of 4.3 and confidentiality impact rated as LOW, this is a moderate information disclosure issue that lowers the bar for subsequent targeted attacks rather than directly compromising systems.

A SQL injection vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Astro's remotePatterns path enforcement contains a logic flaw where wildcard matching for /* is unanchored, allowing attackers to bypass path restrictions and access unintended resources on allowed hosts. Versions 2.10.10 through 5.18.0 are affected, enabling information disclosure through server-side image optimization endpoints and other remote fetchers. The vulnerability has been patched in version 5.18.1, and while no public exploit code or active exploitation has been reported in KEV databases, the straightforward nature of the bypass makes this a moderate to high priority for affected deployments.

Parse Server versions prior to 8.6.61 and 9.6.0-alpha.55 expose sensitive authentication credentials to authenticated users via the GET /users/me endpoint, including MFA TOTP secrets and recovery codes that should be sanitized. An attacker who obtains a valid user session token can extract these MFA secrets to bypass multi-factor authentication indefinitely and gain unauthorized access to accounts. No CVSS score or EPSS data is currently available, but the vulnerability has confirmed patches available in stable and alpha releases.

An unauthenticated remote code execution vulnerability exists in Zabbix's Frontend 'validate' action that permits blind instantiation of arbitrary PHP classes without authentication. The vulnerability affects Zabbix products across multiple versions as indicated by the CPE wildcard notation, and while the immediate impact appears limited by environment-specific constraints, successful exploitation could lead to information disclosure or arbitrary code execution depending on available PHP classes in the deployment context. No CVSS score, EPSS data, or KEV status is currently published, but the attack vector is unauthenticated and likely has low complexity, suggesting meaningful real-world risk.

Parse Server versions prior to 8.6.60 and 9.6.0-alpha.54 contain a race condition vulnerability that allows attackers to reuse single-use MFA recovery codes an unlimited number of times through concurrent login requests. An attacker with knowledge of a user's password and possession of one valid recovery code can bypass the intended single-use restriction by sending multiple authentication attempts simultaneously within milliseconds, effectively defeating the multi-factor authentication protection mechanism. This vulnerability is tracked as CWE-367 (TOCTOU race condition) and has been patched in the aforementioned versions with fixes available via pull requests 10275 and 10276.

Zabbix Server and Proxy reuse JavaScript (Duktape) execution contexts across script items, JavaScript preprocessing, and webhooks for performance optimization, allowing non-super administrators to leak sensitive data about hosts they lack authorization to access through context variable persistence. The vulnerability enables information disclosure attacks where a regular administrator can access confidential monitoring data from restricted hosts by exploiting shared JavaScript execution environments. A patch has been released that makes built-in Zabbix JavaScript objects read-only, though global variable usage remains unsafe even after remediation.

Wallos, an open-source self-hostable subscription tracker, contains an authentication bypass vulnerability in its password reset mechanism where reset tokens never expire. Versions prior to 4.7.2 are affected, allowing attackers who intercept a password reset link to use it indefinitely days, weeks, or months after generation. An attacker exploiting this vulnerability can gain unauthorized account access and potentially modify subscription data, though the CVSS score of 6.5 reflects moderate real-world risk due to the required interception precondition.

LibVNCServer versions 0.9.15 and earlier contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows malicious VNC servers to disclose sensitive information or crash client applications. The vulnerability affects any application linking against the vulnerable LibVNCServer library, with exploitation requiring a malicious VNC server that manipulates subrectangle header counts to trigger improper bounds checking in the HandleUltraZipBPP() function. A patch is available from the vendor (commit 009008e), and no active exploitation or public proof-of-concept has been reported as of the intelligence sources reviewed.

An authorization bypass vulnerability in Craft CMS allows low-privileged authenticated users to extract private asset editing metadata, including focal point data, from assets they do not have permission to view. The vulnerability affects Craft CMS versions prior to 4.17.8 and 5.9.14, where the actionImageEditor endpoint fails to perform per-asset authorization checks before returning sensitive editor context. While no CVSS score or EPSS metric is currently published, this information disclosure vulnerability enables attackers to gain unauthorized insight into restricted asset configurations.

Froxlor, a web hosting control panel, contains an injection vulnerability in its DNS zone management API that allows authenticated customers with DNS privileges to inject BIND zone file directives (such as $INCLUDE) through unvalidated content fields in LOC, RP, SSHFP, and TLSA DNS record types. Attackers can leverage this to read arbitrary world-readable files on the server, disrupt DNS services, or inject unauthorized DNS records. A proof-of-concept exploit is publicly available demonstrating file inclusion attacks, and patches have been released by the vendor in version 2.3.5.

GoDoxy versions prior to 0.27.5 contain a path traversal vulnerability in the `/api/v1/file/content` API endpoint that allows authenticated attackers to read and write arbitrary files outside the intended `config/` directory. An attacker with valid credentials can exploit this vulnerability to access sensitive files including TLS private keys, OAuth refresh tokens, and system certificates by manipulating the `filename` query parameter with `../` sequences. A proof-of-concept has been published demonstrating successful extraction of private keys, and the vulnerability carries a CVSS 6.5 score with active patch availability.

Vikunja prior to version 2.2.1 exposes webhook BasicAuth credentials in plaintext through the GET /api/v1/projects/:project/webhooks API endpoint to any user with read access to a project. While HMAC secrets are properly masked, the BasicAuth username and password fields added in a later migration lack equivalent protection, allowing read-only collaborators to steal credentials intended for authenticating webhook requests to external systems. This is a confirmed information disclosure vulnerability with a CVSS 6.5 score reflecting moderate real-world risk due to the requirement for authenticated project access.

Vikunja Desktop (Electron wrapper) versions 0.21.0 through 2.1.x contain a critical remote code execution vulnerability caused by enabled Node.js integration combined with missing navigation controls. An attacker who is a legitimate user on a shared Vikunja instance can inject a malicious hyperlink into user-generated content (task descriptions, comments, project descriptions) that, when clicked by a victim using Vikunja Desktop, causes arbitrary code execution with the victim's OS user privileges. A proof-of-concept demonstrating command execution via a simple HTML link has been documented, and the vulnerability affects all Desktop users on affected versions.