Microsoft

2104 CVEs (vendor)

Monthly

CVE-2026-33118 MEDIUM PATCH This Month

Microsoft Edge (Chromium-based) allows remote attackers to spoof visual elements through a low-complexity, network-based attack that requires user interaction, potentially disclosing limited information to an unauthenticated attacker. The vulnerability affects all Chromium-based versions of Microsoft Edge and carries a CVSS score of 4.3: low confidentiality impact, no integrity or availability impact. A vendor-released patch is available.

Information Disclosure Google Microsoft Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-33119 MEDIUM PATCH This Month

Microsoft Edge (Chromium-based) on Android contains a user interface misrepresentation vulnerability that allows unauthenticated remote attackers to conduct spoofing attacks over a network. Flawed UI rendering lets an attacker misrepresent critical information to end users and deceive them into taking unintended actions. The CVSS score is moderate (5.4): the attack requires user interaction and impacts only confidentiality and integrity. A vendor-released patch is available.

Authentication Bypass Google Microsoft Microsoft Edge For Android
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-35654 MEDIUM PATCH This Month

OpenClaw before version 2026.3.25 allows unauthenticated remote attackers to bypass sender allowlist checks in its Microsoft Teams feedback invoke endpoints, enabling unauthorized recording of session feedback. Improper authorization logic in feedback processing lets an attacker trigger feedback recording or reflection operations that should be restricted to allowlisted senders. No public exploit code has been identified at the time of analysis.

Authentication Bypass Microsoft
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-4482 MEDIUM This Month

Improperly restricted file permissions on Rapid7 Insight Agent installer certificate files on Windows allow locally authenticated standard users to read the agent's private key (client.key), disclosing identity material that can be used for agent impersonation or lateral movement. The CVSS 4.0 score of 6.8 (local attack vector, low complexity, PR:L) reflects the local authentication requirement; CISA KEV status not confirmed. Rapid7 released patched version 4.1.0.2, which corrects the permissions.

Information Disclosure Microsoft Insight Agent
NVD
CVSS 4.0
6.8
EPSS
0.0%
CVE-2025-13914 HIGH This Week

Insufficient SSH host key validation in Juniper Networks Apstra allows an unauthenticated attacker positioned between Apstra and its managed devices to impersonate those devices and capture credentials (man-in-the-middle). All Apstra versions before 6.1.1 are affected; the flaw enables interception of SSH connections between the Apstra orchestration platform and managed infrastructure. No public exploit identified at time of analysis; the attack requires network positioning on that path.

Information Disclosure Microsoft Juniper
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-40107 HIGH PATCH GHSA This Week

NTLM credential theft in the SiYuan personal knowledge management system (prior to 3.6.4) allows remote attackers to capture Windows NTLMv2 challenge-response hashes (Net-NTLMv2) when a victim opens a note containing a malicious Mermaid diagram; no authentication to SiYuan is required. Mermaid.js is configured with securityLevel: loose, which permits unsanitized <img> tags inside SVG foreignObject blocks, and the Electron client inserts the rendered SVG via innerHTML without secondary sanitization. Protocol-relative image URLs in the diagram trigger automatic SMB authentication on Windows, so the client connects to attacker-controlled UNC paths and transmits the NTLMv2 hashes to the attacker's server.

SSRF Microsoft
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
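An added example (not SiYuan's code) showing how a reviewer or hunt script can find the image sources the SiYuan entry describes: it parses rendered Mermaid SVG, keeps only <img> tags, and classifies each src as UNC, protocol-relative, or file:// with a host, the three forms that make a Windows client authenticate over SMB. The SVG snippet and the 203.0.113.9 address are constructed test data.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect <img src=...> values and note whether each sits inside an SVG
    <foreignObject>, the construct a loose Mermaid securityLevel lets through."""

    def __init__(self):
        super().__init__()
        self.foreign_depth = 0
        self.images = []  # (src, inside_foreign_object)

    def handle_starttag(self, tag, attrs):
        if tag == "foreignobject":  # HTMLParser lowercases tag names
            self.foreign_depth += 1
        elif tag == "img":
            src = dict(attrs).get("src")
            if src is not None:
                self.images.append((src.strip(), self.foreign_depth > 0))

    def handle_endtag(self, tag):
        if tag == "foreignobject" and self.foreign_depth:
            self.foreign_depth -= 1


def classify_src(src):
    """How a Windows host treats the URL: 'unc' for \\host\share, 'protocol-relative'
    for //host/share, 'file-unc' for file://host/share (all three can trigger SMB
    authentication), 'file-local' for a local file: path, 'remote' for http(s)."""
    if src.startswith("\\\\"):
        return "unc"
    if src.startswith("//"):
        return "protocol-relative"
    parsed = urlparse(src)
    scheme = parsed.scheme.lower()
    if scheme == "file":
        return "file-unc" if parsed.netloc else "file-local"
    if scheme in ("http", "https"):
        return "remote"
    return "other"


AUTH_LEAK_KINDS = {"unc", "protocol-relative", "file-unc"}


def find_auth_leaking_images(svg_markup):
    """Return (src, kind, inside_foreign_object) for every image whose source
    would make a Windows client send NTLM authentication when loaded."""
    parser = _ImgCollector()
    parser.feed(svg_markup)
    parser.close()
    findings = []
    for src, inside in parser.images:
        kind = classify_src(src)
        if kind in AUTH_LEAK_KINDS:
            findings.append((src, kind, inside))
    return findings


# Constructed sample of what a loose Mermaid render could emit (not real SiYuan output).
SAMPLE_RENDERED_SVG = """
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 400 200">
  <foreignObject width="400" height="200">
    <div xmlns="http://www.w3.org/1999/xhtml">
      <img src="//203.0.113.9/share/pixel.png">
      <img src='\\\\203.0.113.9\\share\\pixel.png'>
      <img src="file://203.0.113.9/share/pixel.png" />
      <img src="file:///C:/Users/Public/local.png" />
      <img src="https://example.com/logo.png">
    </div>
  </foreignObject>
</svg>
"""

if __name__ == "__main__":
    for src, kind, inside in find_auth_leaking_images(SAMPLE_RENDERED_SVG):
        print(f"{kind:18} inside foreignObject={inside}  {src}")
```

The durable fix is on the rendering side (Mermaid securityLevel strict, or sanitizing the SVG before it reaches innerHTML); this scanner is for triaging existing notes and for confirming that the sanitizer actually removed the offending sources.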
CVE-2026-39912 CRITICAL POC PATCH Act Now

Authentication bypass in V2Board 1.6.1 through 1.7.4 and Xboard ≤0.1.9 enables unauthenticated account takeover, including admin accounts. When login_with_mail_link_enable is active, an attacker POSTs a known email address to the loginWithMailLink endpoint and receives the full login URL in the HTTP response rather than only by email. The token extracted from that URL is exchanged at token2Login for a valid bearer token granting complete account access. Publicly available exploit code exists. The CVSS 9.1 Critical score reflects a network-accessible attack with no privileges or user interaction required.

Information Disclosure Microsoft V2Board Xboard
NVD GitHub
CVSS 4.0
9.1
EPSS
0.1%
CVE-2026-30478 HIGH This Week

DLL injection in GatewayGeo MapServer for Windows version 5 enables authenticated local attackers to escalate privileges to SYSTEM by placing a crafted library where the service loads it. Insecure library loading paths allow low-privileged users to plant malicious DLLs that execute with the service's elevated permissions. Publicly available exploit code exists. Affects Windows deployments only; CVSS 8.8 reflects a local attack vector requiring low privileges but achieving full system compromise across a security boundary.

Privilege Escalation Microsoft N/A
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5905 MEDIUM PATCH This Month

Domain spoofing via incorrect security UI in Google Chrome on Windows prior to version 147.0.7727.55 allows unauthenticated remote attackers to deceive users through crafted HTML pages that exploit flawed permission display mechanisms. The attack requires user interaction (viewing or clicking on a malicious page). The CVSS 6.5 (Medium) score is moderated in practice by a low EPSS exploitation probability (0.03%, 7th percentile), reflecting the specific user actions the attack depends on.

Google Information Disclosure Microsoft
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5887 PATCH Monitor

Insufficient validation of untrusted input in Downloads in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to bypass download restrictions via a crafted HTML page. (Chromium security severity: Medium)

Google Microsoft Authentication Bypass
NVD VulDB
EPSS
0.0%
CVE-2026-5885 PATCH Monitor

Insufficient validation of untrusted input in WebML in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Google Information Disclosure Microsoft
NVD VulDB
EPSS
0.0%
CVE-2026-39974 HIGH PATCH GHSA This Week

Server-Side Request Forgery in n8n-mcp (npm package) versions ≤2.47.3 allows authenticated attackers with valid AUTH_TOKEN to force the server to issue HTTP requests to arbitrary URLs via manipulated multi-tenant HTTP headers (x-n8n-url, x-n8n-key). Response bodies are reflected through JSON-RPC, enabling unauthorized access to cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Oracle, Alibaba), internal network services, and any host reachable by the server process. Multi-tenant HTTP deployments with shared or multiple AUTH_TOKENs are at highest risk. No public exploit identified at time of analysis.

SSRF Oracle Microsoft
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-39885 HIGH PATCH GHSA This Week

Server-Side Request Forgery in mcp-from-openapi (<= 2.1.2) allows unauthenticated remote attackers to retrieve cloud metadata credentials, scan internal networks, and read local files by providing malicious OpenAPI specifications containing $ref pointers to internal URLs (http://169.254.169.254/) or file:// paths. The library's json-schema-ref-parser fetches referenced resources without protocol or hostname restrictions during OpenAPI document initialization, enabling AWS/GCP/Azure credential theft and arbitrary file disclosure with no privileges required beyond spec submission.

SSRF Microsoft
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34721 MEDIUM This Month

Cross-site request forgery in Zammad's OAuth callback endpoints for Microsoft, Google, and Facebook authentication allows attackers to craft requests that bypass CSRF state validation, potentially hijacking authenticated users' sessions and granting unauthorized access to user accounts and helpdesk data. Zammad versions prior to 7.0.1 and 6.5.4 are affected. No public exploit code has been identified; the attack requires user interaction (the victim must follow the crafted request) and moderate attacker effort.

Google CSRF Microsoft
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
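The Zammad entry above turns on whether the OAuth callback checks the state parameter. The following added example (not Zammad's code, and independent of any web framework) contrasts a callback that skips the check with one that issues a per-session, single-use, time-limited state and verifies it in constant time. The session is a plain dict, APP_SECRET is a constructed placeholder, and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed application secret used to sign state values; constructed for this
# example, not taken from the Zammad advisory. Rotate it like any other key.
APP_SECRET = b"example-app-secret-rotate-me"
STATE_MAX_AGE = 600  # seconds a pending OAuth login stays valid


def _sign(payload):
    return hmac.new(APP_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def begin_oauth_login(session, now=None):
    """Issue a fresh, single-use state bound to this browser session and return
    it for inclusion in the redirect to the identity provider."""
    issued = int(time.time() if now is None else now)
    payload = f"{secrets.token_urlsafe(24)}.{issued}"
    state = f"{payload}.{_sign(payload)}"
    session["oauth_state"] = state
    return state


def vulnerable_callback(session, params):
    """The unsafe shape: whatever code arrives on the callback is accepted and
    linked to whoever is logged in. An attacker who lures a victim to a callback
    URL carrying the attacker's own authorization code gets the attacker's
    provider identity attached to the victim's account."""
    return {"linked": True, "code": params.get("code")}


def hardened_callback(session, params, now=None):
    """Accept the callback only if `state` equals the value this session issued,
    carries a valid signature, and has not expired. The stored state is consumed
    on the first attempt, successful or not, so it cannot be replayed."""
    now = time.time() if now is None else now
    expected = session.pop("oauth_state", None)
    presented = params.get("state")
    if not expected or not presented:
        return {"linked": False, "reason": "missing state"}
    if not hmac.compare_digest(expected, presented):
        return {"linked": False, "reason": "state mismatch"}
    nonce, issued, sig = presented.rsplit(".", 2)
    if not hmac.compare_digest(_sign(f"{nonce}.{issued}"), sig):
        return {"linked": False, "reason": "bad signature"}
    if now - int(issued) > STATE_MAX_AGE:
        return {"linked": False, "reason": "state expired"}
    if "code" not in params:
        return {"linked": False, "reason": "missing code"}
    return {"linked": True, "code": params["code"]}


if __name__ == "__main__":
    victim = {}
    state = begin_oauth_login(victim)
    print("forged:", hardened_callback(victim, {"state": "x.0.y", "code": "attacker"}))
    state = begin_oauth_login(victim)
    print("genuine:", hardened_callback(victim, {"state": state, "code": "real"}))
    print("replay:", hardened_callback(victim, {"state": state, "code": "real"}))
```

The comparison happens against the session's own copy, so a state value minted in the attacker's session is useless in the victim's; the signature and timestamp additionally bound how long a captured state stays usable.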
CVE-2026-39844 MEDIUM PATCH GHSA This Month

Path traversal via backslash bypass in NiceGUI file upload sanitization allows arbitrary file write on Windows systems. The vulnerability exploits a cross-platform path handling inconsistency where PurePosixPath fails to strip backslash-based path traversal sequences, enabling attackers to write files outside the intended upload directory when applications construct paths using the sanitized filename. Windows deployments are exclusively affected; potential remote code execution is possible if executables or application files can be overwritten. No public exploit code identified at time of analysis, though the vulnerability is confirmed in NiceGUI versions prior to 3.10.0.

Python Path Traversal Apple RCE Microsoft
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-4483 HIGH This Week

Moxa MxGeneralIo utility versions prior to 1.4.0/1.5.0 expose IOCTL interfaces that allow authenticated, high-privilege local attackers to access Model-Specific Registers (MSRs) and system memory directly, enabling privilege escalation on Windows 7 or denial-of-service crashes (BSoD) on Windows 10/11. Although the CVSS 4.0 score of 7.0 reflects high availability impact, the vector requires local, high-privilege access (PR:H), which substantially reduces practical risk. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept has been identified at time of analysis; the vendor advisory confirms patch availability.

Microsoft Privilege Escalation
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-34045 HIGH This Week

Unauthenticated network access to Podman Desktop's HTTP server enables remote denial of service and information disclosure via verbose error messages. Attackers can exhaust file descriptors and kernel memory without authenticating, causing application crashes or complete host freezes, while error responses leak internal paths and Windows usernames. Fixed in version 1.26.2. EPSS data was not available and no public exploit was identified at time of analysis.

Kubernetes Information Disclosure Microsoft
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-39361 HIGH This Week

Server-Side Request Forgery (SSRF) in OpenObserve up to 0.70.3 allows authenticated attackers to bypass IPv6 address validation and access internal network resources, including cloud metadata services. The vulnerability enables retrieval of AWS IMDSv1 credentials at 169.254.169.254, GCP metadata endpoints, and Azure IMDS on cloud deployments, or probing of internal services in self-hosted environments. CVSS score of 7.7 reflects high confidentiality impact with changed scope. No public exploit identified at time of analysis, though exploitation requires only low-complexity authenticated network access.

SSRF Microsoft
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-14821 HIGH This Week

Local privilege escalation in libssh on Windows systems allows authenticated users with low privileges to conduct man-in-the-middle attacks against SSH connections by creating malicious configuration files in C:\etc. The flaw stems from insecure default behavior: libssh automatically loads SSH configuration from a location that is a world-writable directory on Windows. Red Hat Enterprise Linux 6-10, RHEL Hardened Images, and OpenShift Container Platform 4 are listed as affected. No public exploit identified at time of analysis; EPSS data is not available, and exploitation complexity is low (CVSS AC:L).

Microsoft Information Disclosure
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34765 MEDIUM PATCH GHSA This Month

Electron's window.open() handler fails to properly scope named-window lookups to the opener's browsing context group, allowing a renderer to hijack an existing child window opened by a different renderer and potentially inherit elevated webPreferences including privileged preload scripts. This affects Electron versions before 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, and poses a remote code execution risk only in applications that open multiple top-level windows with differing trust levels and grant child windows elevated permissions via setWindowOpenHandler. No public exploit identified at time of analysis.

Microsoft RCE Information Disclosure
NVD GitHub
CVSS 3.1
6.0
EPSS
0.1%
CVE-2026-1078 HIGH This Week

Arbitrary file write in Pega Browser Extension allows remote attackers to compromise system integrity when Robot Runtime users visit malicious websites while running automations in Chrome or Edge. Affects Pega Robotic Automation versions 22.1 and R25. Attack requires user interaction (navigating to attacker-controlled site) but no authentication. No public exploit identified at time of analysis, though attack complexity is low once user visits malicious site.

Google Microsoft Authentication Bypass
NVD
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-33227 MEDIUM PATCH This Month

Improper path validation in Apache ActiveMQ Client and Broker allows authenticated users to traverse the classpath via crafted 'key' values in STOMP consumer creation and Web Console message browsing, potentially enabling information disclosure or chaining with secondary attacks for greater impact. ActiveMQ Client/Broker versions before 5.19.3 and 6.0.0 through 6.2.1 are affected; 5.19.3 and 6.2.2 carry an initial fix with platform-specific limitations, and the complete fix is in 5.19.4 and 6.2.3. The EPSS score of 0.04% indicates low real-world exploitation probability, consistent with the authenticated-access requirement.

Apache Path Traversal Microsoft
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-35199 MEDIUM This Month

Heap buffer overflow in Microsoft SymCrypt versions 103.5.0 through 103.10.x allows local authenticated attackers to cause denial of service or limited integrity compromise: the SymCryptXmssSign function silently truncates a 64-bit leaf count parameter to 32 bits during XMSS^MT signature operations when the tree height is >= 32. Real-world risk is significantly mitigated by the requirement for attacker-controlled signing parameters (uncommon in production), the private-key-operation context, and Microsoft's explicit guidance that XMSS^MT signing should only occur in Hardware Security Modules and is provided in SymCrypt for testing purposes only. No public exploit code or active exploitation has been identified.

Heap Overflow Buffer Overflow Microsoft
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-35459 CRITICAL GHSA Act Now

Server-Side Request Forgery (SSRF) in pyload-ng allows authenticated users with ADD permission to access internal network resources and cloud metadata endpoints by exploiting unchecked HTTP redirect handling. The vulnerability bypasses the CVE-2026-33992 mitigations through redirect chains: pycurl follows up to 10 redirects automatically without validating each destination IP against the SSRF filter. Attackers can retrieve AWS/GCP/Azure instance metadata (including IAM credentials) and probe internal services. While exploitation requires authentication (reducing severity relative to the Critical, unauthenticated CVE-2026-33992), a public proof-of-concept demonstrates the attack and no vendor-released patch has been identified at time of analysis.

SSRF Microsoft
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-35409 HIGH PATCH GHSA This Week

Server-Side Request Forgery (SSRF) in Directus headless CMS allows authenticated attackers (or unauthenticated users with public file-import permissions) to bypass IP address deny-list protections and access internal network resources. Attackers exploit IPv4-Mapped IPv6 address notation (e.g., ::ffff:127.0.0.1) to circumvent validation logic, enabling unauthorized requests to localhost services, internal databases, caches, APIs, and cloud instance metadata endpoints (AWS/GCP/Azure IMDS). With CVSS 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) indicating low attack complexity, network accessibility, and scope change with high confidentiality impact, this represents a significant risk for data exfiltration from cloud environments and internal infrastructure. No public exploit identified at time of analysis, though the technical details in the advisory provide clear exploitation guidance.

SSRF Canonical Microsoft
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
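Three entries on this page (pyload-ng, OpenObserve, and Directus above) are the same SSRF filter failure seen from different angles: the check looks at the wrong address (an IPv6 wrapper around an IPv4 address), or only at the first hop of a redirect chain. The following added example, which is not taken from any of those projects, is a stdlib-only destination validator that unwraps IPv4-mapped and 6to4 addresses before judging them, checks every resolved address, and re-validates each redirect hop. The resolver and HTTP client are injectable so the example runs offline; FAKE_DNS, FAKE_HTTP and the addresses in them are constructed fixtures.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5
# Python's is_private does not cover shared address space (CGNAT), which many
# cloud networks use internally; add it explicitly.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]


def effective_ip(ip_str):
    """Parse an address literal and unwrap IPv4 embedded in IPv6 (::ffff:a.b.c.d
    mapped form and 2002::/16 6to4) so the inner IPv4 address is what gets
    judged. Judging the outer IPv6 address alone is the deny-list bypass."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:
            return ip.ipv4_mapped
        if ip.sixtofour is not None:
            return ip.sixtofour
    return ip


def is_blocked_ip(ip_str):
    ip = effective_ip(ip_str)
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in EXTRA_BLOCKED)


def _resolve_default(host):
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def validate_url(url, resolve=_resolve_default):
    """Return (ok, reason). Every resolved address must pass, not just the first,
    and unresolvable or userinfo-bearing URLs are rejected outright."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo in URL not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [str(effective_ip(host))]   # literal, possibly IPv6-wrapped
    except ValueError:
        addrs = resolve(host)               # hostname: check all A/AAAA answers
    if not addrs:
        return False, f"{host!r} did not resolve"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host!r} maps to blocked address {effective_ip(addr)}"
    return True, "ok"


def safe_fetch(url, fetch, resolve=_resolve_default):
    """Follow redirects manually and re-validate every hop. `fetch(url)` must not
    follow redirects itself; it returns (status, headers, body)."""
    hops = []
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = validate_url(url, resolve)
        if not ok:
            return {"ok": False, "url": url, "reason": reason, "hops": hops}
        hops.append(url)
        status, headers, body = fetch(url)
        location = headers.get("Location") or headers.get("location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return {"ok": True, "url": url, "status": status, "body": body, "hops": hops}
    return {"ok": False, "url": url, "reason": "too many redirects", "hops": hops}


# Constructed offline fixtures standing in for DNS and HTTP (example data only).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "attacker.example": ["104.21.0.1"],
    "metadata.google.internal": ["169.254.169.254"],
    "dual.example": ["93.184.216.34", "fd00::1"],   # one public and one ULA answer
}
FAKE_HTTP = {
    "https://attacker.example/start": (302, {"Location": "http://169.254.169.254/latest/meta-data/iam/"}, b""),
    "https://attacker.example/relay": (302, {"Location": "https://example.com/page"}, b""),
    "https://example.com/page": (200, {}, b"<title>public page</title>"),
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def fake_fetch(url):
    return FAKE_HTTP.get(url, (404, {}, b""))


if __name__ == "__main__":
    for u in ("http://[::ffff:127.0.0.1]/admin", "http://metadata.google.internal/",
              "https://attacker.example/start", "https://attacker.example/relay"):
        print(u, "->", safe_fetch(u, fake_fetch, fake_resolve))
```

Two caveats a practitioner should carry over: the validation resolves the name once and the HTTP client resolves it again, so a rebinding DNS answer can still slip through unless the client is made to connect to the vetted IP (with the original Host header) rather than the name; and on Python versions before 3.13 the is_private family of properties does not look inside mapped addresses, which is exactly why effective_ip unwraps them first.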
CVE-2026-32186 CRITICAL PATCH NEWS NO ACTION HOSTED Monitor

Microsoft Bing contains a server-side request forgery (SSRF) vulnerability that allows elevation of privilege through improperly validated requests. The flaw affects Microsoft Bing across all versions and enables attackers to bypass access controls and escalate privileges by causing the application to make unintended requests to internal or external resources. A vendor-released patch is available.

Microsoft SSRF
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-28373 CRITICAL Act Now

Stackfield Desktop App before version 1.10.2 for macOS and Windows allows arbitrary file writes through a path traversal vulnerability in its decryption functionality when processing the filePath property. A malicious export file lets an attacker overwrite critical system or application files, potentially leading to code execution or application compromise; the only user interaction required is opening the malicious export.

Path Traversal Apple Microsoft
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-27655 HIGH This Week

Stored cross-site scripting in Zohocorp ManageEngine Exchange Reporter Plus (pre-5802) allows authenticated attackers to inject malicious scripts via the Permissions Based on Mailboxes report, potentially compromising administrator sessions and stealing high-privilege credentials. Attack requires low complexity and user interaction from a victim administrator. CVSS 7.3 (High) reflects significant confidentiality and integrity impact. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed vulnerability.

XSS Microsoft
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-4108 HIGH This Week

Stored cross-site scripting (XSS) in Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802 allows authenticated attackers to inject malicious scripts through the Non-Owner Mailbox Permission report, potentially compromising confidentiality and integrity of user sessions. With CVSS 7.3 (High) and EPSS data unavailable, exploitation requires low attack complexity and authenticated access with user interaction. No public exploit identified at time of analysis, and vendor has released patched version 5802.

XSS Microsoft
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-4107 HIGH This Week

Stored cross-site scripting in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers to inject malicious scripts via the Folder Message Count and Size report. With CVSS 7.3 (High severity) and requiring low-privilege authentication with user interaction, successful exploitation enables session hijacking and credential theft within the administrative interface. No public exploit identified at time of analysis, though CVSS vector indicates network-accessible attack surface with low complexity.

XSS Microsoft
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-3880 HIGH This Week

Stored cross-site scripting in ManageEngine Exchange Reporter Plus (versions prior to 5802) allows authenticated attackers to inject malicious scripts through the Public Folder Client Permissions report, enabling session hijacking and credential theft with medium exploitation complexity. No active exploitation confirmed (not present in CISA KEV), though the network-accessible attack vector and stored nature of the XSS elevate real-world risk for organizations using this Exchange monitoring solution.

XSS Microsoft
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-3879 HIGH This Week

Stored cross-site scripting in ManageEngine Exchange Reporter Plus (versions prior to 5802) allows authenticated attackers with low privileges to inject malicious scripts into Equipment Mailbox Details reports, enabling session hijacking and credential theft against administrative users who view the poisoned reports. No active exploitation confirmed (not in CISA KEV), but the vulnerability affects organizations monitoring Microsoft Exchange environments through ManageEngine's reporting platform.

XSS Microsoft
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-28703 HIGH This Week

Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers to inject malicious scripts into the 'Mails Exchanged Between Users' report. With CVSS 7.3 (High severity) and low attack complexity (AC:L), this vulnerability requires low-privilege authentication (PR:L) and user interaction (UI:R) to achieve high confidentiality and integrity impact. No public exploit identified at time of analysis; the low-privilege authentication requirement is easily met by insiders or compromised accounts.

XSS Microsoft
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-28756 HIGH This Week

Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers with low privileges to inject malicious scripts into the Permissions based on Distribution Groups report, potentially leading to session hijacking and account compromise of administrators viewing the report. No active exploitation confirmed (CISA KEV absent), but the network-accessible attack vector and low complexity make this exploitable with publicly documented vendor advisory details.

XSS Microsoft
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-28754 HIGH This Week

Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus versions prior to 5802 allows authenticated attackers with low privileges to inject malicious scripts into Distribution Lists reports that execute when viewed by other users, potentially compromising session tokens and account credentials of administrators or other privileged users. The vulnerability requires user interaction (victim must view the malicious report) but enables high-impact attacks against confidentiality and integrity within the application scope. No public exploit code or active exploitation has been identified at time of analysis.

XSS Microsoft
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-7024 MEDIUM This Month

AIRBUS TETRA Connectivity Server 7.0 on Windows Server allows privilege escalation to SYSTEM via incorrect default directory permissions (CWE-276), enabling local authenticated attackers to execute arbitrary code by placing a crafted file in a vulnerable directory with user interaction. The vulnerability affects TETRA Connectivity Server version 7.0, with patches available for versions 8.0 and 9.0. No public exploit code or active exploitation in the wild has been identified at time of analysis.

Privilege Escalation RCE Microsoft
NVD VulDB
CVSS 4.0
5.6
EPSS
0.0%
CVE-2026-35037 HIGH PATCH GHSA This Week

Unauthenticated Server-Side Request Forgery (SSRF) in Ech0's /api/website/title endpoint allows remote attackers to access internal network services, cloud metadata endpoints (AWS IMDSv1 at 169.254.169.254), and localhost-bound resources without authentication. The vulnerability accepts arbitrary URLs via the website_url parameter with zero validation, enabling attackers to probe internal infrastructure and exfiltrate partial response data through HTML title tag extraction. CVSS 7.2 reflects the cross-scope impact (S:C) enabling firewall bypass and credential theft. No public exploit identified at time of analysis, though the attack surface requires zero privileges (PR:N) and trivial complexity (AC:L). Vendor patch available per GitHub security advisory GHSA-cqgf-f4x7-g6wc.

SSRF Information Disclosure Microsoft Redis
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-35036 HIGH PATCH GHSA This Week

Unauthenticated server-side request forgery in Ech0's link preview endpoint allows remote attackers to force the application server to perform HTTP/HTTPS requests to arbitrary internal and external targets. The /api/website/title route requires no authentication, performs no URL validation, follows redirects by default, and disables TLS certificate verification (InsecureSkipVerify: true). Attackers can probe internal networks, access cloud metadata services (169.254.169.254), and trigger denial-of-service by forcing the server to download large files into memory via io.ReadAll. Proof-of-concept demonstrates successful exploitation against Docker deployments reaching host-bound services via host.docker.internal. EPSS score not available; no CISA KEV listing indicates this is not yet confirmed as actively exploited in the wild, though publicly available exploit code exists in the GitHub advisory. Vendor-released patch available.

SSRF Denial Of Service Apple Docker Microsoft +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34776 MEDIUM PATCH GHSA This Month

Out-of-bounds heap read in Electron's single-instance lock mechanism on macOS and Linux allows local attackers with same-user privileges to leak sensitive application memory through crafted second-instance messages. Affected Electron versions prior to 41.0.0, 40.8.1, 39.8.1, and 38.8.6 are vulnerable only if applications explicitly call app.requestSingleInstanceLock(); no public exploit code is currently identified, but the CVSS 5.3 score reflects moderate confidentiality impact combined with local attack complexity requirements.

Information Disclosure Buffer Overflow Microsoft Apple
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-34775 MEDIUM PATCH GHSA This Month

Electron's nodeIntegrationInWorker webPreference fails to properly isolate Node.js integration in worker contexts across certain process-sharing configurations, allowing workers in frames explicitly configured with nodeIntegrationInWorker: false to unexpectedly gain Node.js capabilities. Only applications that explicitly enable nodeIntegrationInWorker are affected. The vulnerability carries a CVSS score of 6.8 and permits information disclosure and code execution in affected contexts, with no public exploit identified at time of analysis.

Node.js Information Disclosure Microsoft
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-34774 HIGH PATCH GHSA This Week

Use-after-free memory corruption in Electron framework (versions <39.8.1, <40.7.0, <41.0.0) allows unauthenticated remote attackers to potentially execute arbitrary code when offscreen rendering is enabled and child windows are permitted. The vulnerability triggers when a parent offscreen WebContents is destroyed while child windows remain active, causing subsequent paint operations to dereference freed memory. EPSS data not available; no public exploit identified at time of analysis. Fixed versions released by vendor.

Use After Free Memory Corruption Buffer Overflow Microsoft
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-34773 MEDIUM PATCH GHSA This Month

Electron's setAsDefaultProtocolClient() on Windows fails to validate protocol names before writing to the Windows registry, allowing local authenticated attackers to hijack protocol handlers by writing to arbitrary HKCU\Software\Classes\ subkeys when apps pass untrusted input as the protocol parameter. The vulnerability affects Electron versions prior to 38.8.6, 39.8.1, 40.8.1, and 41.0.0, and requires local access and low privileges; no public exploit has been identified at time of analysis.

RCE Microsoft
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-34770 HIGH PATCH GHSA This Week

Use-after-free in Electron's powerMonitor module allows local attackers to trigger memory corruption or application crashes through system power events. All Electron applications (versions <38.8.6, <39.8.1, <40.8.0, <41.0.0-beta.8) that subscribe to powerMonitor events (suspend, resume, lock-screen) are vulnerable when garbage collection frees the PowerMonitor object while OS-level event handlers retain dangling pointers. Exploitation requires local access and specific timing conditions (CVSS 7.0 HIGH, AC:H). No public exploit identified at time of analysis, though the technical details are publicly documented in the GitHub security advisory.

Use After Free Memory Corruption Microsoft Apple Buffer Overflow
NVD GitHub
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-34768 LOW PATCH GHSA Monitor

Electron's setLoginItemSettings() function on Windows fails to quote executable paths in the Run registry key, allowing local attackers with write access to ancestor directories to execute arbitrary programs at login if the app is installed to a path containing spaces. The vulnerability affects Electron versions prior to 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, and requires high-privilege access and unfavorable conditions (non-standard install paths) to exploit, making real-world impact limited to non-default Windows configurations.

Microsoft Authentication Bypass
NVD GitHub
CVSS 3.1
3.9
EPSS
0.0%
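The CVE-2026-34768 entry above is the classic unquoted-executable-path bug applied to an HKCU Run value: when the command is not quoted and the path contains spaces, Windows probes each space-delimited prefix with ".exe" appended before reaching the real binary. The following added example (not Electron's code) lists those probe points for a given Run value, flags the values that expose them, and shows the quoted form that removes the problem. SAMPLE_RUN_VALUES is constructed data in the shape of registry values, not read from a live system.

```python
import re

_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def executable_part(command):
    """Split a Run-key command into (exe_path, args). A quoted command ends at the
    closing quote; an unquoted one is cut at the first '.exe' token boundary."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    match = _EXE_END.search(command)
    if match is None:
        return command, ""
    return command[:match.end()], command[match.end():].strip()


def hijack_candidates(command):
    """For an unquoted command whose executable path contains spaces, return the
    shorter paths CreateProcess tries first (each prefix + '.exe'). Each is a file
    an attacker with write access to that ancestor directory could plant. A
    quoted command, or one whose path has no spaces, yields no candidates."""
    if command.startswith('"'):
        return []
    exe_path, _ = executable_part(command)
    parts = exe_path.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def quote_command(exe_path, args=()):
    """The safe form setLoginItemSettings should have written."""
    return '"' + exe_path + '"' + "".join(" " + a for a in args)


def audit_run_values(values):
    """Map value name -> hijack candidates for every vulnerable entry."""
    findings = {}
    for name, command in values.items():
        candidates = hijack_candidates(command)
        if candidates:
            findings[name] = candidates
    return findings


# Constructed sample of HKCU\...\Run values (example data only).
SAMPLE_RUN_VALUES = {
    "ExampleApp": r"C:\Program Files\Example App\example.exe --hidden",
    "ExampleAppQuoted": r'"C:\Program Files\Example App\example.exe" --hidden',
    "NoSpaces": r"C:\Tools\example.exe --hidden",
    "Updater": r"C:\Users\alice\AppData\Local\Example Updater\update.exe",
}

if __name__ == "__main__":
    for name, candidates in audit_run_values(SAMPLE_RUN_VALUES).items():
        print(f"{name}: unquoted path with spaces; would probe first:")
        for c in candidates:
            print("   ", c)
```

The candidates explain the low score in the entry: under a default install (Program Files is not user-writable) none of the probe points is plantable by a standard user, so the bug only matters when the application lives under a directory an attacker can write to.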
CVE-2026-33107 CRITICAL NO ACTION HOSTED Monitor

Server-side request forgery in Azure Databricks enables unauthenticated remote attackers to achieve full privilege escalation with critical impact across confidentiality, integrity, and availability. The vulnerability carries the maximum CVSS 10.0 score with a network attack vector, low complexity, and scope change, indicating that impact extends beyond the vulnerable component into underlying cloud infrastructure or customer data. No public exploit or active exploitation confirmed at time of analysis, though the low attack complexity suggests straightforward exploitation once the attack surface is identified.

Microsoft SSRF
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-33105 CRITICAL NO ACTION HOSTED Monitor

Microsoft Azure Kubernetes Service (AKS) contains an improper authorization vulnerability enabling unauthenticated remote attackers to elevate privileges over a network with critical impact across confidentiality, integrity, and availability. The CVSS 10.0 critical rating reflects network-accessible exploitation requiring no authentication, low complexity, and scope change allowing compromise beyond the vulnerable component. No public exploit identified at time of analysis, though the authentication bypass nature and maximum severity warrant immediate priority.

Microsoft Kubernetes Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-32213 CRITICAL NO ACTION HOSTED Monitor

Azure AI Foundry improper authorization permits unauthenticated remote attackers to escalate privileges and achieve complete compromise with high impact to confidentiality, integrity, and availability. The CVSS 10.0 rating reflects a network-based attack vector with low complexity, no user interaction, and scope change. EPSS and KEV status not provided, but an authentication bypass in a cloud AI platform poses severe risk. No public exploit identified at time of analysis.

Microsoft Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-32211 CRITICAL NO ACTION HOSTED Monitor

Unauthenticated information disclosure in Azure MCP Server allows remote attackers to access sensitive data over the network without authentication. The vulnerability stems from missing authentication controls on critical functions (CWE-306), enabling attackers to bypass security boundaries and extract confidential information with minimal complexity. With CVSS 9.1 (Critical) and network-accessible attack vector requiring no privileges or user interaction, this represents a significant exposure for organizations running affected Azure MCP Server instances. No public exploit identified at time of analysis, though the straightforward authentication bypass nature increases likelihood of rapid weaponization.

Microsoft Authentication Bypass
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-32173 HIGH NO ACTION HOSTED Monitor

Information disclosure in Azure SRE Agent allows remote unauthenticated attackers to extract high-confidentiality data because of improper authentication. The 8.6 CVSS score reflects a network attack vector, low complexity, no user interaction, and scope change. No public exploit identified at time of analysis, though the authentication bypass nature and network accessibility present significant risk to Azure infrastructure components.

Microsoft Authentication Bypass
NVD VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-26135 CRITICAL NO ACTION HOSTED Monitor

Server-side request forgery in Azure Custom Locations Resource Provider enables authenticated attackers with low-level privileges to elevate access and exfiltrate sensitive data across scope boundaries via network-based SSRF exploitation. This vulnerability affects Microsoft Azure infrastructure with a CVSS score of 9.6 (Critical), featuring scope change that allows attackers to reach resources beyond the vulnerable component's security context. No public exploit code or active exploitation confirmed at time of analysis, though the low attack complexity and network vector indicate straightforward exploitability once authenticated access is obtained.

Microsoft SSRF
NVD VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-34838 CRITICAL Act Now

Remote Code Execution in Group-Office enterprise CRM via insecure deserialization allows authenticated attackers to write arbitrary files and execute code on the server. Affects all versions prior to 6.8.156, 25.0.90, and 26.0.12 across multiple product branches. CVSS 9.9 (Critical) with network-based attack vector requiring only low-privileged authentication. No public exploit identified at time of analysis, though the technical details in the GitHub Security Advisory provide sufficient implementation guidance. EPSS data not available, but the combination of authenticated remote access, low complexity, and direct RCE makes this a priority for patching in exposed Group-Office installations.

Microsoft Deserialization RCE
NVD GitHub
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-33271 MEDIUM This Month

Local privilege escalation in Acronis True Image for Windows before build 42902 allows authenticated users with low privileges to escalate to higher privileges through insecure folder permissions. An attacker with local access and user-level privileges can exploit improper permission settings on critical directories to achieve full system compromise, requiring user interaction (file execution or folder navigation). This vulnerability has a CVSS score of 6.7 reflecting high confidentiality, integrity, and availability impact despite the elevated barriers to exploitation.

Privilege Escalation Microsoft
NVD VulDB
CVSS 3.0
6.7
EPSS
0.0%
CVE-2026-27774 MEDIUM This Month

Local privilege escalation in Acronis True Image (Windows) before build 42902 allows authenticated users with low privileges to gain high-integrity access through DLL hijacking. An attacker with local user access can exploit unsafe DLL loading to execute arbitrary code with elevated permissions, requiring user interaction (e.g., triggering a specific application action). No public exploit code or active exploitation has been confirmed at the time of analysis.

Privilege Escalation Microsoft
NVD VulDB
CVSS 3.0
6.7
EPSS
0.0%
CVE-2026-28728 MEDIUM This Month

Local privilege escalation in Acronis True Image for Windows before build 42902 exploits DLL hijacking to allow authenticated users to escalate privileges. An attacker with local access and valid credentials can manipulate DLL load paths during application execution, requiring user interaction (such as opening a file or launching a feature), to gain elevated system privileges. This vulnerability has a CVSS score of 6.7 and affects all versions prior to the patched build.

Privilege Escalation Microsoft
NVD VulDB
CVSS 3.0
6.7
EPSS
0.0%
CVE-2026-21765 HIGH This Week

Local privilege escalation in HCL BigFix Platform on Windows allows authenticated users with low privileges to read cryptographic private keys because of overly permissive file system permissions, potentially enabling complete system compromise with cross-scope impact. Authentication required (PR:L). No public exploit identified at time of analysis, though the attack is rated low complexity and needs no user interaction. CVSS 8.8 severity is driven by the scope change and complete confidentiality/integrity/availability impact.

Microsoft Privilege Escalation
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-30332 HIGH This Week

TOCTOU race condition in Balena Etcher for Windows (versions prior to 2.1.4) enables local privilege escalation to arbitrary code execution when an attacker replaces a legitimate script with a malicious payload during a disk flashing operation. The vulnerability requires low privileges and user interaction but achieves high impact across confidentiality, integrity, and availability with scope change. No public exploit identified at time of analysis, though technical details are available via researcher disclosure (B1tBreaker). EPSS data not available, but the local attack vector and high attack complexity limit opportunistic exploitation.

RCE Microsoft
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34969 LOW PATCH GHSA Monitor

Nhost auth service places OAuth refresh tokens in redirect URL query parameters, so they land in browser history, server logs, and proxy logs. While the tokens are single-use and the leak vectors are mostly confined to developer-controlled infrastructure, the behaviour violates RFC 6749 token transport requirements and enables session hijacking if a log is read before the token is legitimately consumed. All OAuth providers (GitHub, Google, Apple) are affected equally because they share the same callback handler.

Information Disclosure Apple Microsoft Google
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-34750 MEDIUM PATCH GHSA This Month

Path traversal in Payload CMS storage adapter client-upload signed-URL endpoints (S3, GCS, Azure, R2) prior to version 3.78.0 allows authenticated attackers to escape intended storage locations via unsanitized filenames, enabling arbitrary file writes to cloud storage buckets. The vulnerability requires user authentication and affects all four cloud storage integrations across the Payload CMS ecosystem.

Path Traversal Microsoft
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-34515 MEDIUM PATCH GHSA This Month

The aiohttp static resource handler on Windows, in versions prior to 3.13.4, can be abused by unauthenticated remote attackers to obtain NTLMv2-related remote path information, an information disclosure with high confidentiality impact. The vulnerability has been patched and no active exploitation has been confirmed at this time.

Python Information Disclosure Microsoft
NVD GitHub VulDB
CVSS 4.0
6.6
EPSS
0.1%
CVE-2026-33544 HIGH PATCH GHSA This Week

Authentication bypass via an OAuth token race condition in tinyauth allows concurrent attackers to hijack user sessions and gain unauthorized access to victim accounts. The vulnerability affects tinyauth v5.0.4 and earlier, where singleton OAuth service instances share mutable PKCE verifier and access token fields across all concurrent requests. When two users authenticate simultaneously with the same OAuth provider (GitHub, Google, or generic OAuth), the second request overwrites the first user's token, so the first user receives a session carrying the second user's identity and privileges. A concurrent test run under the Go race detector reproduced the hijack in 9,985 of 10,000 iterations (a 99.9% success rate). No active exploitation confirmed (not in CISA KEV), but the detailed proof-of-concept demonstrates reliable session hijacking with a publicly available methodology. EPSS data not available for this recent CVE.

Race Condition Authentication Bypass Microsoft
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-34447 MEDIUM PATCH GHSA This Month

ONNX versions prior to 1.21.0 allow local attackers to read arbitrary files outside the model directory through symlink traversal during external data loading, requiring user interaction to load a malicious model file. The vulnerability has a CVSS score of 5.5 (medium severity) and is classified as information disclosure with confirmed patch availability in version 1.21.0.

Information Disclosure Microsoft
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-34446 MEDIUM PATCH GHSA This Month

ONNX versions prior to 1.21.0 allow local attackers to read arbitrary files by exploiting a hardlink-based path traversal in onnx.load(). It bypasses the existing symlink protections because a hardlink looks like a regular file to the filesystem checks. An attacker with local file system access can craft a malicious ONNX model whose external data entry points at a hardlink to a sensitive file outside the intended directory; user interaction is required to load the crafted model. No public exploit code has been identified; the CVSS score is 4.7 (medium) and the EPSS score is 0.0%, indicating low exploitation probability.

Path Traversal Microsoft
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-34445 HIGH PATCH GHSA This Week

Arbitrary attribute injection in ONNX Python library (versions prior to 1.21.0) allows unauthenticated remote attackers to manipulate internal object properties by embedding malicious metadata in ONNX model files, resulting in potential information disclosure, data integrity violations, and high availability impact (CVSS 8.6). The vulnerability stems from unchecked use of Python's setattr() with externally-controlled keys during ExternalDataInfo deserialization. No public exploit code or CISA KEV listing identified at time of analysis, but proof-of-concept development is trivial given the straightforward nature of Python attribute manipulation. EPSS data not provided, but the unauthenticated network-accessible attack vector and low complexity suggest material risk for organizations processing untrusted ONNX models.

Python Microsoft Information Disclosure
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
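To make the setattr() pattern concrete, here is an added example (not ONNX's own code; the class layout, key names and the external data blob are constructed stand-ins): a loader that pushes model-supplied key/value pairs straight into setattr(), so a metadata entry named after a method silently shadows it, beside a hardened version that allowlists keys, converts values to the expected type and enforces a fixed attribute set with __slots__.

```python
# Constructed example: model-controlled metadata handled by setattr(), vulnerable vs hardened.

ALLOWED_KEYS = {          # every key an external_data entry may legitimately carry, with its type
    "location": str,
    "offset": int,
    "length": int,
    "checksum": str,
}


class VulnerableExternalDataInfo:
    """Pattern described above: keys and values from the model file go straight to setattr()."""

    def __init__(self, entries):
        self.location = ""
        self.offset = 0
        self.length = None
        self.checksum = None
        for key, value in entries:       # both key and value are attacker-controlled
            setattr(self, key, value)

    def read(self, blob):
        end = None if self.length is None else self.offset + self.length
        return blob[self.offset:end]


class ExternalDataInfo:
    """Hardened: fixed attribute set, allowlisted keys, typed values, sanity checks."""

    __slots__ = tuple(ALLOWED_KEYS)      # an unknown name cannot become an attribute at all

    def __init__(self, entries):
        self.location = ""
        self.offset = 0
        self.length = None
        self.checksum = None
        for key, value in entries:
            convert = ALLOWED_KEYS.get(key)
            if convert is None:
                raise ValueError(f"unexpected external_data key {key!r}")
            try:
                setattr(self, key, convert(value))
            except (TypeError, ValueError) as exc:
                raise ValueError(f"bad external_data value for {key!r}: {value!r}") from exc
        if not self.location or self.offset < 0 or (self.length is not None and self.length < 0):
            raise ValueError("invalid external data descriptor")

    def read(self, blob):
        end = None if self.length is None else self.offset + self.length
        return blob[self.offset:end]


# Constructed samples: the (key, value) pairs a tensor's external_data field might carry.
BENIGN = [("location", "weights.bin"), ("offset", "4"), ("length", "3")]
# Attacker-authored metadata: an entry named "read" shadows the loader's read() method.
MALICIOUS = [("location", "weights.bin"), ("read", "gotcha")]
BLOB = b"ABCDEFGH"   # constructed stand-in for the external data file contents


def vulnerable_loader_breaks():
    """True when the injected attribute turns a later read() into a TypeError (availability impact)."""
    info = VulnerableExternalDataInfo(MALICIOUS)
    try:
        info.read(BLOB)              # 'str' object is not callable
    except TypeError:
        return True
    return False


def parse_external_data(entries):
    return ExternalDataInfo(entries)


def read_external_slice(entries, blob=BLOB):
    return parse_external_data(entries).read(blob)


def is_rejected(entries):
    try:
        parse_external_data(entries)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable loader broken by metadata:", vulnerable_loader_breaks())
    print("hardened loader reads:", read_external_slice(BENIGN))
    print("hardened loader rejects malicious entries:", is_rejected(MALICIOUS))
```

The allowlist is the real fix; __slots__ is defence in depth that also catches a future code path that forgets the check. Note that values arrive as strings in this format, so the type conversion is part of the validation, not an afterthought.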
CVE-2026-34397 MEDIUM This Month

Local privilege escalation in Himmelblau versions 2.0.0-alpha through 2.3.8 and 3.0.0-alpha through 3.1.0 allows authenticated users to assume privileged group membership when their Azure Entra ID-mapped CN or short name collides with system group names (sudo, wheel, docker, adm, etc.). The NSS module resolves the collision to the attacker's fake primary group, potentially granting group-level privileges if the system uses NSS for authorization decisions. CVSS 6.3 (medium); no public exploit identified at time of analysis.

Microsoft Privilege Escalation Docker
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-34510 MEDIUM PATCH This Month

OpenClaw before version 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and UNC-style network paths without proper local-path validation, allowing unauthenticated remote attackers to bypass access restrictions and read local files. With a CVSS score of 6.9 and network-based attack vector requiring no user interaction, this vulnerability presents moderate risk to systems processing untrusted media content. No public exploit code or active exploitation has been confirmed at the time of analysis.

Path Traversal Microsoft
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-5277 HIGH PATCH This Week

Integer overflow in ANGLE (Google's OpenGL abstraction layer) in Chrome on Windows before version 146.0.7680.178 enables out-of-bounds memory writes by an attacker who has already compromised the renderer process. That prerequisite limits the immediate attack surface, but it makes the bug a post-compromise escalation vector out of the renderer rather than an initial entry point. Chromium severity is rated High; a patch is available from the vendor.

Google Buffer Overflow Microsoft Debian Redhat +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34604 HIGH PATCH GHSA This Week

Path traversal via symlink/junction bypass in @tinacms/graphql FilesystemBridge allows authenticated remote attackers with low privileges to read, write, and delete arbitrary files outside the configured content root. The vulnerability exploits a realpath canonicalization gap where path validation checks lexical string paths but filesystem operations follow symlink targets. Attack complexity is high (CVSS AC:H) as it requires pre-existing symlinks/junctions within the content tree or the ability to create them. EPSS data not provided; no CISA KEV listing indicates no confirmed active exploitation. Vendor-released patch available via commit f124eabaca10dac9a4d765c9e4135813c4830955.

Path Traversal Microsoft Canonical
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-34603 HIGH PATCH GHSA This Week

TinaCMS CLI media handlers can be bypassed via symlink/junction traversal, allowing authenticated low-privilege attackers to list, write, and delete files outside the configured media root directory. The vulnerability exists in @tinacms/cli's dev server media routes despite recent path-traversal hardening, because validation performs only lexical string checks without resolving symlink targets. Attack complexity is high (requires pre-existing symlink under media root), but impact is significant with confirmed read/write primitives. Vendor patch available via GitHub commit f124eaba. EPSS and KEV data not provided; no public exploit identified at time of analysis beyond researcher's local Windows junction proof-of-concept.

Path Traversal Microsoft Canonical
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-27124 HIGH PATCH GHSA This Week

FastMCP OAuthProxy allows authentication bypass through a Confused Deputy attack, enabling attackers to hijack victim OAuth sessions and gain unauthorized access to MCP servers. When victims who previously authorized a legitimate MCP client are tricked into opening a malicious authorization URL, the OAuthProxy fails to validate browser-bound consent, redirecting valid authorization codes to attacker-controlled clients. This affects the GitHubProvider integration and potentially all OAuth providers that skip consent prompts for previously authorized applications. No public exploit identified at time of analysis, though detailed reproduction steps are publicly documented in the GitHub security advisory.

Authentication Bypass Microsoft Redhat
NVD GitHub
CVSS 4.0
8.2
EPSS
0.1%
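The tinyauth and FastMCP entries above fail in complementary ways: one keeps per-login state on a shared object, the other lets a flow started by one party be completed by another. The added example below (not code from either project; the provider, authorization codes and session IDs are constructed) shows the shared-field shape returning the wrong identity under a plausible interleaving, and a per-flow store keyed by the OAuth state value, consumed once and bound to the browser session that started the flow, which yields the right identity and rejects the confused-deputy completion.

```python
import secrets
import threading
from dataclasses import dataclass

# Constructed stand-in for the OAuth provider: authorization code -> token -> owner.
PROVIDER_CODES = {"code-alice": "tok-alice", "code-bob": "tok-bob"}
TOKEN_OWNER = {"tok-alice": "alice", "tok-bob": "bob"}


def provider_exchange(code):
    return PROVIDER_CODES[code]


def provider_userinfo(token):
    return TOKEN_OWNER[token]


class SharedStateOAuth:
    """Vulnerable shape: one instance per provider, the token lives on the instance."""

    def __init__(self):
        self.access_token = None
        self._lock = threading.Lock()

    def exchange(self, code):
        with self._lock:                 # locking does not help; the bug is the shared field
            self.access_token = provider_exchange(code)

    def identity(self):
        with self._lock:
            return provider_userinfo(self.access_token)


@dataclass(frozen=True)
class Flow:
    verifier: str        # PKCE code_verifier for this login only
    session_id: str      # browser session that started the authorization request


class PerFlowOAuth:
    """Fixed shape: per-login state keyed by `state`, single-use, bound to the session."""

    def __init__(self):
        self._flows = {}
        self._lock = threading.Lock()

    def begin(self, session_id):
        state = secrets.token_urlsafe(16)
        with self._lock:
            self._flows[state] = Flow(secrets.token_urlsafe(32), session_id)
        return state                     # goes into the authorization URL

    def complete(self, state, code, session_id):
        with self._lock:
            flow = self._flows.pop(state, None)   # consumed exactly once
        if flow is None:
            raise PermissionError("unknown or replayed state")
        if not secrets.compare_digest(flow.session_id, session_id):
            raise PermissionError("state was not started in this browser session")
        token = provider_exchange(code)  # a real client also sends flow.verifier as code_verifier
        return provider_userinfo(token)


def alice_identity_with_shared_state():
    svc = SharedStateOAuth()
    svc.exchange("code-alice")   # Alice's callback arrives...
    svc.exchange("code-bob")     # ...Bob's callback overwrites the field before Alice's session is built
    return svc.identity()        # Alice's session is minted from this: "bob"


def identities_with_per_flow_state():
    svc = PerFlowOAuth()
    alice_state = svc.begin("sess-alice")
    bob_state = svc.begin("sess-bob")
    bob = svc.complete(bob_state, "code-bob", "sess-bob")       # same interleaving as above
    alice = svc.complete(alice_state, "code-alice", "sess-alice")
    return alice, bob


def confused_deputy_is_rejected():
    """Mallory starts a flow, then lures the victim's browser into finishing it."""
    svc = PerFlowOAuth()
    mallory_state = svc.begin("sess-mallory")
    try:
        svc.complete(mallory_state, "code-alice", "sess-victim")   # victim's code, Mallory's state
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("shared state gives Alice:", alice_identity_with_shared_state())
    print("per-flow state gives:", identities_with_per_flow_state())
    print("confused deputy rejected:", confused_deputy_is_rejected())
```

The session binding is what defeats the confused deputy: the provider may well skip its consent screen for an already-authorized client, so the proxy itself has to refuse a callback whose state was minted for a different browser session.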
CVE-2025-64340 MEDIUM PATCH GHSA This Month

Command injection in fastmcp install allows Windows users to execute arbitrary commands via shell metacharacters in server names. When installing a server with a name containing characters like `&` (e.g., `fastmcp install claude-code` with server name `test&calc`), the metacharacter is interpreted by cmd.exe during execution of .cmd wrapper scripts, leading to arbitrary command execution with user privileges. This affects Windows systems running claude or gemini CLI installations; macOS and Linux are unaffected. A patch is available via GitHub PR #3522.

Python Command Injection Apple Microsoft
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-34401 MEDIUM This Month

XML Notepad versions prior to 2.9.0.21 allow remote attackers to leak local file contents or capture NTLM credentials via crafted XML files with malicious DTDs, because DTD processing resolves external entities automatically. The vulnerability requires user interaction (opening a malicious XML file) but poses significant confidentiality risk on Windows systems where NTLM credential interception is feasible. Microsoft released patched version 2.9.0.21 to address this XXE (XML External Entity) issue.

Microsoft XXE
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-2123 HIGH This Week

Privilege escalation in OpenText Operations Agent versions 12.29 and earlier on Windows allows local attackers to execute arbitrary code by placing malicious executables in specific writeable directories, which the agent subsequently executes with elevated privileges. The vulnerability requires local access and specific conditions to be present but does not require prior authentication to the agent itself. No public exploit code has been identified, and there is no confirmation of active exploitation at time of analysis.

Microsoft Privilege Escalation
NVD VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-5087 HIGH This Week

PAGI::Middleware::Session::Store::Cookie through version 0.001003 generates cryptographically weak initialization vectors (IVs) for session cookie encryption by falling back to Perl's built-in rand() function when /dev/urandom is unavailable, particularly affecting Windows systems. This predictable IV generation enables attackers to decrypt and tamper with session data stored in cookies, compromising session confidentiality and integrity. No active exploitation has been confirmed, but the vulnerability affects all deployments on systems lacking /dev/urandom access.

Information Disclosure Microsoft
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22561 MEDIUM This Month

DLL search-order hijacking in Anthropic Claude for Windows installer (Claude Setup.exe) versions before 1.1.3363 enables local privilege escalation to system context. An attacker with low privileges and physical or local access can plant a malicious DLL (such as profapi.dll) in the installer directory; when an elevated user runs the installer, the uncontrolled search path causes the malicious DLL to be loaded and executed with system privileges, achieving arbitrary code execution. No public exploit code or active exploitation has been confirmed at the time of analysis.

Privilege Escalation RCE Microsoft
NVD
CVSS 4.0
4.7
EPSS
0.0%
CVE-2026-22569 MEDIUM This Month

Zscaler Client Connector on Windows contains an incorrect startup configuration that permits limited traffic to bypass inspection under rare circumstances, resulting in potential information disclosure and integrity compromise. The vulnerability affects all versions of the product and requires user interaction to exploit, with a CVSS score of 5.4 reflecting the combination of network-based attack vector, low complexity, and low impact on confidentiality and integrity. No evidence of active exploitation or public exploit code has been identified.

Information Disclosure Microsoft
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-34509 LOW PATCH Monitor

Authorization bypass in OpenClaw's Microsoft Teams plugin allows unauthenticated remote attackers to circumvent sender allowlists and trigger replies in restricted Teams routes. Affecting OpenClaw versions before 2026.3.8, the flaw manifests when a team/channel route allowlist has an empty groupAllowFrom list: the message handler synthesizes a wildcard sender authorization instead of enforcing the intended restriction. No public exploit identified at time of analysis; the flaw is network-accessible, low complexity and requires no authentication. Vendor-released patch available in version 2026.3.8 with upstream commit 88aee916.

Authentication Bypass Microsoft
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-34506 LOW PATCH Monitor

Authorization bypass in OpenClaw Microsoft Teams plugin (versions before 2026.3.8) permits unauthenticated attackers to circumvent sender allowlists when team/channel routes are configured with empty groupAllowFrom parameters. Remote attackers can exploit this network-accessible flaw with low complexity to trigger unauthorized message replies and access sensitive information in allowlisted Teams routes. EPSS and KEV data not available for this recent CVE; no public exploit identified at time of analysis.

Microsoft Authentication Bypass
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
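Both OpenClaw entries describe the same falsy-empty bug: an allowlist that is present but empty is treated as "unset" and the code falls through to a wildcard. The added example below (not OpenClaw's code; the route fields, addresses and route table are constructed) shows the bug shape and the fixed semantics, where only an absent list inherits the plugin-wide default and an empty list denies everyone.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TeamsRoute:
    team_id: str
    channel_id: Optional[str] = None
    # None  -> the route does not say; inherit the plugin-wide default
    # []    -> the route says "nobody"; must NOT degrade into "anybody"
    # ["*"] -> the route explicitly opts into everyone
    group_allow_from: Optional[List[str]] = None


def vulnerable_sender_allowed(route, sender, default_allow):
    """Bug shape: an empty list is falsy, so `or` skips it and the chain ends in a wildcard."""
    effective = route.group_allow_from or default_allow or ["*"]
    return "*" in effective or sender in effective


def sender_allowed(route, sender, default_allow):
    """Fixed: only None inherits; an empty list means deny everyone; nothing configured fails closed."""
    effective = default_allow if route.group_allow_from is None else route.group_allow_from
    if effective is None:
        return False
    return "*" in effective or sender in effective


def pick_route(routes, team_id, channel_id):
    """Most specific route wins: channel route over team-wide route over nothing."""
    best = None
    for r in routes:
        if r.team_id != team_id:
            continue
        if r.channel_id == channel_id:
            return r
        if r.channel_id is None and best is None:
            best = r
    return best


# Constructed configuration: a team-wide allowlist, a locked-down channel whose allowlist
# is (accidentally) empty, and a team that relies entirely on the default.
ROUTES = [
    TeamsRoute("team-1", None, ["alice@example.com"]),
    TeamsRoute("team-1", "ch-secret", []),
    TeamsRoute("team-3"),
]


def decide(sender, team_id, channel_id, default_allow=None, checker=sender_allowed):
    route = pick_route(ROUTES, team_id, channel_id)
    if route is None:
        return False
    return checker(route, sender, default_allow)


if __name__ == "__main__":
    who, where = "mallory@evil.example", ("team-1", "ch-secret")
    print("vulnerable:", decide(who, *where, checker=vulnerable_sender_allowed))
    print("fixed:     ", decide(who, *where))
```

The same mistake hides behind `if not allow_from:` and `allow_from or defaults` in any language; the fix is to distinguish "absent" from "empty" at the type level, as the Optional field does here, and never to materialise a wildcard the operator did not write.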
CVE-2026-34054 HIGH This Week

Local privilege escalation via a hardcoded build path in vcpkg's OpenSSL port (before 3.6.1#3) affects Windows users of the C/C++ package manager. The shipped binaries carry an openssldir that refers to a path on the original build machine; a low-privileged local user who can create that path on the target host can supply configuration (such as an openssl.cnf) that the library loads, giving high confidentiality, integrity, and availability impact (CVSS 7.8). Upstream fix available (PR #50518, commit 5111afd); patched version 3.6.1#3 released. No public exploit identified at time of analysis, with EPSS data not available for this recent CVE.

OpenSSL Microsoft Information Disclosure
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-30309 HIGH This Week

InfCode's terminal auto-execution module fails to properly validate PowerShell commands due to an ineffective blacklist and lack of semantic parsing, allowing attackers to bypass command filtering through syntax obfuscation. When a user imports a specially crafted file into the IDE, the Agent executes arbitrary PowerShell commands without user confirmation, leading to remote code execution or sensitive data exfiltration. No public exploit code or active exploitation has been confirmed at time of analysis.

Command Injection Information Disclosure Microsoft
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-3991 HIGH This Week

Elevation of privilege in Symantec Data Loss Prevention Windows Endpoint allows authenticated local users to gain SYSTEM-level access and compromise protected resources. Affects all versions prior to 25.1 MP1, 16.1 MP2, 16.0 RU2 HF9, 16.0 RU1 MP1 HF12, and 16.0 MP2 HF15. CVSS 7.8 (High) reflects the local attack vector but complete system compromise upon successful exploitation. No public exploit identified at time of analysis, though the CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) classification suggests potential DLL hijacking or similar trust boundary violations.

Information Disclosure Microsoft
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34360 MEDIUM PATCH GHSA This Month

Server-side request forgery (SSRF) in FHIR Validator HTTP service allows unauthenticated remote attackers to probe internal network services and cloud metadata endpoints via the /loadIG endpoint, which accepts arbitrary URLs without hostname or domain validation. The vulnerability defaults to allowing all outbound requests, and redirect following bypasses even configured domain restrictions. With the explore=true default setting, each request amplifies reconnaissance capability through multiple outbound HTTP calls, enabling blind network topology mapping and metadata service access.

SSRF Java Microsoft
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-33990 MEDIUM PATCH GHSA This Month

Server-side request forgery in Docker Model Runner allows unprivileged containers or malicious OCI registries to make arbitrary GET requests to internal services by exploiting unvalidated realm URLs in the OCI registry token exchange flow. Affected versions prior to 1.1.25 (Docker Desktop prior to 4.67.0) permit attackers to access host-local services and reflect response bodies back to the caller, potentially exfiltrating sensitive data from internal endpoints. No public exploit code or active exploitation has been reported at time of analysis.

Docker SSRF Microsoft
NVD GitHub
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-33949 HIGH PATCH GHSA This Week

Path traversal in TinaCMS GraphQL (@tinacms/graphql) enables unauthenticated remote attackers to write and overwrite arbitrary files within the project root, including critical configuration files like package.json and build scripts. The vulnerability stems from platform-specific path validation failures that treat backslash characters differently on Unix-based systems, allowing traversal sequences like 'x\..\..\..\package.json' to bypass security checks. With a CVSS score of 8.1 and publicly available exploit code demonstrating the attack, this represents a critical security risk for TinaCMS deployments, particularly those exposed to untrusted networks. No CISA KEV listing exists, but the proof-of-concept demonstrates clear exploitation paths to arbitrary code execution via build script modification.

Path Traversal RCE Microsoft
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
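The three TinaCMS path-traversal entries and the two ONNX symlink/hardlink entries above share one root cause: a check that reasons about the path string while the filesystem follows links. The added example below (not code from either project; the directory names and the temporary tree are constructed) contrasts the lexical prefix check with one that normalises backslashes, refuses "..", resolves the real path under the root, and optionally rejects hard-linked files.

```python
import os
import tempfile
from pathlib import Path


def lexical_only_check(root, user_path):
    """The bypassable check: normalise the string and compare prefixes.
    It never consults the filesystem, so symlinks and junctions are invisible, and on
    POSIX a backslash is just a character in a filename rather than a separator."""
    root = os.path.abspath(root)
    candidate = os.path.normpath(os.path.join(root, user_path))
    return candidate.startswith(root + os.sep)


def resolve_within_root(root, user_path, reject_hardlinks=False):
    """Return the real path for `user_path` under `root`, or raise ValueError."""
    normalised = user_path.replace("\\", "/")        # treat backslash as a separator everywhere
    first = normalised.split("/")[0]
    if normalised.startswith("/") or os.path.isabs(normalised) or ":" in first:
        raise ValueError("absolute or drive-qualified paths are not allowed")  # also refuses 'a:b' names
    if any(part == ".." for part in normalised.split("/")):
        raise ValueError("parent traversal is not allowed")
    real_root = Path(root).resolve(strict=True)
    target = (real_root / normalised).resolve()      # follows symlinks/junctions to the real location
    if target != real_root and real_root not in target.parents:
        raise ValueError(f"{user_path!r} resolves outside {root}")
    if reject_hardlinks and target.is_file() and target.stat().st_nlink > 1:
        raise ValueError(f"{user_path!r} is hard-linked to a file outside the sandbox's control")
    return target


def raises(root, user_path, **kw):
    try:
        resolve_within_root(root, user_path, **kw)
    except ValueError:
        return True
    return False


def demo_checks():
    """Builds a throwaway tree (constructed) and runs both checks against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "content")
        root.mkdir()
        secret = Path(tmp, "secret.txt")
        secret.write_text("outside the content root")
        (root / "ok.txt").write_text("inside")
        os.symlink(Path(tmp), root / "link")         # symlink inside the root pointing at its parent
        try:
            os.link(secret, root / "hard.txt")       # hardlink to the secret (same filesystem)
            have_hardlink = True
        except OSError:                              # some sandboxes forbid link(2)
            have_hardlink = False

        traversal = "x\\..\\..\\secret.txt"
        results = {
            # the lexical check passes both of these...
            "lexical_accepts_backslash": lexical_only_check(root, traversal),
            "lexical_accepts_symlink": lexical_only_check(root, "link/secret.txt"),
            # ...the resolving check rejects them and still accepts a normal file
            "real_rejects_backslash": raises(root, traversal),
            "real_rejects_symlink": raises(root, "link/secret.txt"),
            "real_accepts_ok": resolve_within_root(root, "ok.txt").name == "ok.txt",
            "real_rejects_hardlink": raises(root, "hard.txt", reject_hardlinks=True) if have_hardlink else None,
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo_checks().items():
        print(f"{name:28s} {outcome}")
```

Two caveats a practitioner should keep in mind: the hardlink test rejects any file with more than one link, including legitimate ones, so it belongs on loaders of untrusted input rather than on general file serving; and the resolved path must be the one actually opened, since a check-then-open on the original string reintroduces a TOCTOU window of the kind the Etcher entry describes.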
CVE-2026-34204 HIGH GHSA This Week

Missing authorization check in MinIO allows any authenticated user with s3:PutObject permission to permanently corrupt objects by injecting fake server-side encryption metadata via crafted X-Minio-Replication-* headers. Attackers can selectively render individual objects or entire buckets permanently unreadable through the S3 API without holding the elevated ReplicateObjectAction permission. Affects all MinIO releases from RELEASE.2024-03-30T09-41-56Z through the final open-source release. Vendor-released patch available in MinIO AIStor RELEASE.2026-03-26T21-24-40Z. No public exploit identified at time of analysis, though the attack mechanism is well-documented in the advisory.

Docker Microsoft Apple Authentication Bypass
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-32187 MEDIUM PATCH This Month

Microsoft Edge (Chromium-based) contains a defense-in-depth vulnerability affecting all versions that allows remote attackers to disclose sensitive information and modify data through a network-based attack requiring user interaction. The vulnerability carries a CVSS score of 4.2 (medium) with high attack complexity, indicating limited real-world exploitability despite dual confidentiality and integrity impacts. A vendor-released patch is available from Microsoft.

Microsoft Google XSS
NVD VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-34070 HIGH PATCH GHSA This Week

A path traversal vulnerability rated CVSS 7.5 (High). A vendor patch is available; prompt remediation is advised.

Python Path Traversal Docker Kubernetes Microsoft
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-34391 MEDIUM This Month

Fleet device management software versions prior to 4.81.1 allow malicious enrolled Windows devices to access Mobile Device Management (MDM) commands intended for other devices, potentially disclosing sensitive configuration data including WiFi credentials, VPN secrets, and certificate payloads across the entire Windows fleet. The vulnerability stems from improper authorization controls in Windows MDM command processing, affecting any organization using Fleet for Windows device management. Vendor-released patch: version 4.81.1.

Microsoft Information Disclosure
NVD GitHub
CVSS 4.0
6.6
EPSS
0.0%
CVE-2026-33980 HIGH PATCH GHSA This Week

KQL injection in adx-mcp-server Python package allows authenticated attackers to execute arbitrary Kusto queries against Azure Data Explorer clusters. Three MCP tool handlers (get_table_schema, sample_table_data, get_table_details) unsafely interpolate the table_name parameter into query strings via f-strings, enabling data exfiltration from arbitrary tables, execution of management commands, and potential table drops. Vendor-released patch available (commit 0abe0ee). No public exploit identified at time of analysis, though proof-of-concept code exists in the security advisory demonstrating injection via comment-based bypass and newline-separated commands. Affects adx-mcp-server ≤ commit 48b2933.

Microsoft RCE Nosql Injection Python
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
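An added example of the injection and the fix (not adx-mcp-server's code; the tool templates and the attacker input are constructed): the table name is interpolated into a KQL template, so a name containing a pipe and a comment marker replaces the rest of the query, while the hardened builder refuses anything that is not a bare Kusto identifier instead of trying to escape it.

```python
import re

# A Kusto entity name used bare in a query: letters, digits and underscore, not starting with a digit.
KUSTO_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,1023}")


def vulnerable_schema_query(table_name):
    """Bug shape: the tool parameter is pasted straight into the query text."""
    return f"{table_name} | getschema"


def vulnerable_sample_query(table_name, n=10):
    return f"{table_name} | take {n}"


def kusto_table_ref(table_name):
    """Accept only a bare identifier; anything else is refused rather than escaped."""
    if not isinstance(table_name, str) or not KUSTO_IDENTIFIER.fullmatch(table_name):
        raise ValueError(f"rejected table name {table_name!r}")
    return table_name


def schema_query(table_name):
    return f"{kusto_table_ref(table_name)} | getschema"


def sample_query(table_name, n=10):
    n = int(n)                      # the row count is the other interpolated value; bound it too
    if not 1 <= n <= 1000:
        raise ValueError("row count out of range")
    return f"{kusto_table_ref(table_name)} | take {n}"


# Constructed attacker input in the comment-based shape the advisory describes: the rest of the
# tool's template is commented out and the query is retargeted at a different table and column.
INJECTED_NAME = "Secrets | project Password //"


def is_rejected(table_name):
    try:
        schema_query(table_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable builds:", repr(vulnerable_schema_query(INJECTED_NAME)))
    print("hardened rejects :", is_rejected(INJECTED_NAME))
    print("hardened builds  :", sample_query("Events", 5))
```

Rejecting is the right primitive here: a table name is an identifier, not a string literal, so there is nothing to bind and an escaping routine would have to track every KQL tokenisation rule. Pair the check with a least-privilege principal (a database viewer that cannot run management commands), so that an injection that slips through a future tool cannot drop tables either.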
CVE-2026-34387 MEDIUM This Month

Fleet device management software versions prior to 4.81.1 are vulnerable to command injection in the software installer pipeline, enabling remote attackers with high privileges to achieve arbitrary code execution as root on macOS/Linux or SYSTEM on Windows when triggering uninstall operations on crafted software packages. The vulnerability requires high privileges and user interaction but delivers complete system compromise on affected managed hosts. No public exploit code or active exploitation has been identified at time of analysis.

RCE Command Injection Apple Microsoft
NVD GitHub
CVSS 4.0
5.7
EPSS
0.3%
CVE-2026-33992 CRITICAL PATCH GHSA Act Now

PyLoad download manager (version 0.5.0 and potentially earlier, distributed via pip as pyload-ng) allows authenticated users to perform server-side request forgery by submitting arbitrary URLs to the /api/addPackage endpoint without validation. Attackers with valid credentials can exfiltrate cloud provider metadata from AWS EC2, DigitalOcean, Google Cloud, and Azure instances, exposing IAM credentials, SSH keys, API tokens, and internal network topology. A proof-of-concept is documented with live instance credentials. An upstream fix exists (GitHub commit b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8), but a released patched version has not been independently confirmed.

SSRF Microsoft Python Google
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
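The PyLoad, FHIR Validator and Docker Model Runner entries are all outbound-fetch SSRF. The added example below (not code from any of those projects; the DNS answers are constructed so it runs offline) is the check a fetcher should apply to every URL, including each redirect target: allowlist the scheme, refuse userinfo and literal metadata hostnames, resolve the name, and reject if any resulting address is loopback, link-local (the 169.254.169.254 IMDS), private, or an IPv4-mapped IPv6 form of one of those. The returned addresses are meant to be pinned for the connection so a second DNS lookup cannot swap them.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}
# Ranges that never belong in an outbound fetch made on a user's behalf.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "::1/128", "::/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


def system_resolver(host):
    """Every address the name resolves to; a single bad A/AAAA record is enough to block."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_address(addr):
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                       # ::ffff:169.254.169.254 is still the IMDS
    return (addr.is_loopback or addr.is_link_local or addr.is_private or addr.is_multicast
            or addr.is_reserved or addr.is_unspecified
            or any(addr in net for net in BLOCKED_NETWORKS))


def check_outbound_url(url, resolver=system_resolver):
    """Return the pinned set of addresses to connect to, or raise ValueError.
    Disable automatic redirects and call this again for every Location header."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL")           # http://169.254.169.254@example.com/ tricks
    if host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        raise ValueError(f"host not allowed: {host!r}")
    try:
        addrs = {ipaddress.ip_address(host)}          # literal address in the URL
    except ValueError:
        # Not a strict literal: resolve it. A real resolver also turns forms such as
        # "2852039166" or "127.1" into addresses, which are then checked like any other.
        addrs = {ipaddress.ip_address(a) for a in resolver(host)}
    if not addrs:
        raise ValueError(f"{host!r} did not resolve")
    for addr in addrs:
        if is_blocked_address(addr):
            raise ValueError(f"{host!r} resolves to blocked address {addr}")
    return addrs    # connect to one of these; do not resolve again (DNS rebinding)


# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "lookalike.example": {"169.254.169.254"},         # public name pointing at the IMDS
    "split.example": {"93.184.216.34", "10.0.0.5"},   # one public record, one internal record
}


def fake_resolver(host):
    return FAKE_DNS.get(host.lower(), set())


def classify(url):
    try:
        check_outbound_url(url, resolver=fake_resolver)
        return "allowed"
    except ValueError:
        return "blocked"


if __name__ == "__main__":
    for u in ("https://example.com/ig/package.tgz", "http://169.254.169.254/latest/meta-data/",
              "http://lookalike.example/", "http://[::ffff:169.254.169.254]/"):
        print(f"{classify(u):8s} {u}")
```

For the Docker Model Runner case the URL under test is the realm value a registry returns in its WWW-Authenticate header, so the same check has to run on data the remote peer supplied mid-protocol, not only on the URL the user typed. Where the platform offers it, also require IMDSv2-style session tokens or disable the metadata endpoint for the workload, since an allowlist is a second line of defence rather than the first.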
CVE-2025-13914
EPSS 0% CVSS 7.0
HIGH This Week

Man-in-the-middle attack against Juniper Networks Apstra allows unauthenticated attackers to impersonate managed network devices and capture credentials due to insufficient SSH host key validation. The vulnerability affects all Apstra versions before 6.1.1, enabling interception of SSH connections between the Apstra orchestration platform and managed infrastructure. No public exploit identified at time of analysis, though the attack requires network positioning between Apstra and target devices.

Information Disclosure Microsoft Juniper
NVD
CVE-2026-40107
EPSS 0% CVSS 8.7
HIGH PATCH This Week

NTLM credential theft in SiYuan personal knowledge management system (prior to 3.6.4) allows remote attackers to capture Windows user password hashes without authentication or user interaction. Misconfigured Mermaid.js rendering with securityLevel:loose permits unsanitized <img> tags within SVG foreignObject blocks. Protocol-relative URLs in malicious Mermaid diagrams trigger automatic SMB authentication on Windows, transmitting NTLMv2 hashes to attacker-controlled servers when victims open compromised notes. Electron client processes the SVG via innerHTML without secondary sanitization, enabling SSRF to UNC paths.

SSRF Microsoft
NVD GitHub
CVE-2026-39912
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Authentication bypass in V2Board 1.6.1-1.7.4 and Xboard ≤0.1.9 enables unauthenticated account takeover including admin privileges. When login_with_mail_link_enable is active, attackers POST known email addresses to the loginWithMailLink endpoint, receiving full authentication URLs in HTTP responses. Tokens extracted from these URLs are exchanged at token2Login for valid bearer tokens granting complete account access. Publicly available exploit code exists. CVSS 9.1 critical severity reflects network-accessible attack with no user interaction required.

Information Disclosure Microsoft V2Board +1
NVD GitHub
CVE-2026-30478
EPSS 0% CVSS 8.8
HIGH This Week

DLL injection in GatewayGeo MapServer for Windows version 5 enables authenticated local attackers to escalate privileges to SYSTEM level through crafted executable placement. The vulnerability exploits insecure library loading paths, allowing low-privileged users to inject malicious DLLs that execute with elevated permissions. Publicly available exploit code exists. Affects Windows deployments only; CVSS 8.8 reflects local attack vector requiring low privileges but achieving full system compromise across security boundaries.

Privilege Escalation Microsoft N/A
NVD GitHub
CVE-2026-5905
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Domain spoofing via incorrect security UI in Google Chrome on Windows prior to version 147.0.7727.55 allows unauthenticated remote attackers to deceive users through crafted HTML pages that exploit flawed permission display mechanisms. The attack requires user interaction (clicking or viewing a malicious page) but carries moderate real-world risk due to low EPSS exploitation probability (0.03%, 7th percentile) despite the high CVSS impact score, suggesting the vulnerability requires specific user actions or conditions to successfully exploit.

Google Information Disclosure Microsoft
NVD VulDB
CVE-2026-5887
EPSS 0%
PATCH Monitor

Insufficient validation of untrusted input in Downloads in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to bypass download restrictions via a crafted HTML page. (Chromium security severity: Medium)

Google Microsoft Authentication Bypass
NVD VulDB
CVE-2026-5885
EPSS 0%
PATCH Monitor

Insufficient validation of untrusted input in WebML in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Google Information Disclosure Microsoft
NVD VulDB
CVE-2026-39974
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Server-Side Request Forgery in n8n-mcp (npm package) versions ≤2.47.3 allows authenticated attackers with valid AUTH_TOKEN to force the server to issue HTTP requests to arbitrary URLs via manipulated multi-tenant HTTP headers (x-n8n-url, x-n8n-key). Response bodies are reflected through JSON-RPC, enabling unauthorized access to cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Oracle, Alibaba), internal network services, and any host reachable by the server process. Multi-tenant HTTP deployments with shared or multiple AUTH_TOKENs are at highest risk. No public exploit identified at time of analysis.

SSRF Oracle Microsoft
NVD GitHub
CVE-2026-39885
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Server-Side Request Forgery in mcp-from-openapi (<= 2.1.2) allows unauthenticated remote attackers to retrieve cloud metadata credentials, scan internal networks, and read local files by providing malicious OpenAPI specifications containing $ref pointers to internal URLs (http://169.254.169.254/) or file:// paths. The library's json-schema-ref-parser fetches referenced resources without protocol or hostname restrictions during OpenAPI document initialization, enabling AWS/GCP/Azure credential theft and arbitrary file disclosure with no privileges required beyond spec submission.

SSRF Microsoft
NVD GitHub
CVE-2026-34721
EPSS 0% CVSS 5.9
MEDIUM This Month

Cross-site request forgery in Zammad OAuth callback endpoints for Microsoft, Google, and Facebook authentication allows authenticated attackers to hijack user sessions by crafting malicious requests that bypass CSRF state validation, potentially granting unauthorized access to user accounts and helpdesk data. The vulnerability affects Zammad versions prior to 7.0.1 and 6.5.4, and while no public exploit code has been identified, the attack requires user interaction and moderate attacker effort to execute successfully.

Google CSRF Microsoft
NVD GitHub VulDB
CVE-2026-39844
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Path traversal via backslash bypass in NiceGUI file upload sanitization allows arbitrary file write on Windows systems. The vulnerability exploits a cross-platform path handling inconsistency where PurePosixPath fails to strip backslash-based path traversal sequences, enabling attackers to write files outside the intended upload directory when applications construct paths using the sanitized filename. Only Windows deployments are affected; remote code execution is possible if executables or application files can be overwritten. No public exploit code identified at time of analysis, though the vulnerability is confirmed in NiceGUI versions prior to 3.10.0.

Python Path Traversal Apple +2
NVD GitHub
CVE-2026-4483
EPSS 0% CVSS 7.0
HIGH This Week

Moxa MxGeneralIo utility versions prior to 1.4.0/1.5.0 expose IOCTL interfaces allowing authenticated high-privilege local attackers to directly access Model-Specific Registers (MSR) and system memory, enabling privilege escalation on Windows 7 or denial-of-service crashes (BSoD) on Windows 10/11. While CVSS 7.0 reflects high availability impact and network attack vector classification, the actual exploit requires local high-privilege access (PR:H), significantly reducing practical risk. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept has been identified at time of analysis, though vendor advisory confirms patch availability.

Microsoft Privilege Escalation
NVD
CVE-2026-34045
EPSS 0% CVSS 8.2
HIGH This Week

Unauthenticated network access to Podman Desktop's HTTP server enables remote denial-of-service attacks and information disclosure via verbose error messages. Attackers can exhaust file descriptors and kernel memory without authentication, causing application crashes or complete host freezes, while error responses leak internal paths and Windows usernames. Fixed in version 1.26.2. EPSS data not available; no public exploit identified at time of analysis.

Kubernetes Information Disclosure Microsoft
NVD GitHub
CVE-2026-39361
EPSS 0% CVSS 7.7
HIGH This Week

Server-Side Request Forgery (SSRF) in OpenObserve up to 0.70.3 allows authenticated attackers to bypass IPv6 address validation and access internal network resources, including cloud metadata services. The vulnerability enables retrieval of AWS IMDSv1 credentials at 169.254.169.254, GCP metadata endpoints, and Azure IMDS on cloud deployments, or probing of internal services in self-hosted environments. CVSS score of 7.7 reflects high confidentiality impact with changed scope. No public exploit identified at time of analysis, though exploitation requires only low-complexity authenticated network access.

SSRF Microsoft
NVD GitHub
CVE-2025-14821
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in libssh on Windows systems allows authenticated users with low privileges to conduct man-in-the-middle attacks against SSH connections by creating malicious configuration files in C:\etc. The vulnerability stems from insecure default behavior where libssh automatically loads SSH configuration from a world-writable directory location. Red Hat Enterprise Linux 6-10, RHEL Hardened Images, and OpenShift Container Platform 4 are affected. No public exploit identified at time of analysis, though EPSS data is not available and exploitation complexity is low (CVSS AC:L).

Microsoft Information Disclosure
NVD
CVE-2026-34765
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Electron's window.open() handler fails to properly scope named-window lookups to the opener's browsing context group, allowing a renderer to hijack an existing child window opened by a different renderer and potentially inherit elevated webPreferences including privileged preload scripts. This affects Electron versions before 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, and poses a remote code execution risk only in applications that open multiple top-level windows with differing trust levels and grant child windows elevated permissions via setWindowOpenHandler. No public exploit identified at time of analysis.

Microsoft RCE Information Disclosure
NVD GitHub
CVE-2026-1078
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary file write in Pega Browser Extension allows remote attackers to compromise system integrity when Robot Runtime users visit malicious websites while running automations in Chrome or Edge. Affects Pega Robotic Automation versions 22.1 and R25. Attack requires user interaction (navigating to attacker-controlled site) but no authentication. No public exploit identified at time of analysis, though attack complexity is low once user visits malicious site.

Google Microsoft Authentication Bypass
NVD
CVE-2026-33227
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Improper path validation in Apache ActiveMQ Client and Broker allows authenticated users to traverse the classpath via crafted 'key' values in Stomp consumer creation and Web console message browsing operations, potentially enabling information disclosure or chaining with secondary attacks for greater impact. Affects ActiveMQ Client/Broker versions before 5.19.3 and 6.0.0–6.2.1; patch available in 5.19.4 and 6.2.3 (5.19.3/6.2.2 have platform-specific limitations). EPSS score of 0.04% indicates low real-world exploitation probability despite authenticated attack vector requirement.

Apache Path Traversal Microsoft
NVD VulDB
CVE-2026-35199
EPSS 0% CVSS 6.1
MEDIUM This Month

Heap buffer overflow in Microsoft SymCrypt versions 103.5.0 through 103.10.x allows local authenticated attackers to cause denial of service or limited integrity compromise via silent truncation of a 64-bit leaf count parameter to 32 bits in the SymCryptXmssSign function during XMSS^MT signature operations with tree height >= 32. Real-world risk is significantly mitigated by the requirement for attacker-controlled signing parameters (uncommon in production), the private-key-operation context, and Microsoft's explicit guidance that XMSS^MT signing should only occur in Hardware Security Modules and is provided in SymCrypt for testing purposes only. No public exploit code or active exploitation has been identified.

Heap Overflow Buffer Overflow Microsoft
NVD GitHub
CVE-2026-35459
EPSS 0% CVSS 9.3
CRITICAL Act Now

Server-Side Request Forgery (SSRF) in pyload-ng allows authenticated users with ADD permission to access internal network resources and cloud metadata endpoints by exploiting unchecked HTTP redirect handling. The vulnerability bypasses CVE-2026-33992 mitigations through redirect chains: pycurl follows up to 10 redirects automatically without validating destination IPs against the SSRF filter. Attackers can retrieve AWS/GCP/Azure instance metadata (including IAM credentials) and probe internal services. While exploitation requires authentication (reducing severity from the Critical unauthenticated CVE-2026-33992), a public proof-of-concept demonstrates the attack and no vendor-released patch has been identified at time of analysis.

SSRF Microsoft
NVD GitHub
CVE-2026-35409
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in Directus headless CMS allows authenticated attackers (or unauthenticated users with public file-import permissions) to bypass IP address deny-list protections and access internal network resources. Attackers exploit IPv4-Mapped IPv6 address notation (e.g., ::ffff:127.0.0.1) to circumvent validation logic, enabling unauthorized requests to localhost services, internal databases, caches, APIs, and cloud instance metadata endpoints (AWS/GCP/Azure IMDS). With CVSS 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) indicating low attack complexity, network accessibility, and scope change with high confidentiality impact, this represents a significant risk for data exfiltration from cloud environments and internal infrastructure. No public exploit identified at time of analysis, though the technical details in the advisory provide clear exploitation guidance.

SSRF Canonical Microsoft
NVD GitHub
CVE-2026-32186
EPSS 0% CVSS 10.0
CRITICAL PATCH NO ACTION HOSTED Monitor

Microsoft Bing contains a server-side request forgery (SSRF) vulnerability that allows elevation of privilege through improperly validated requests. The flaw affects Microsoft Bing across all versions and enables attackers to bypass access controls and escalate privileges by causing the application to make unintended requests to internal or external resources. A vendor-released patch is available.

Microsoft SSRF
NVD VulDB
CVE-2026-28373
EPSS 0% CVSS 9.6
CRITICAL Act Now

Stackfield Desktop App before version 1.10.2 for macOS and Windows allows arbitrary file writes to the filesystem through a path traversal vulnerability in its decryption functionality when processing the filePath property. A malicious export file can enable attackers to overwrite critical system or application files, potentially leading to code execution or application compromise without requiring user interaction beyond opening the malicious export.

Path Traversal Apple Microsoft
NVD VulDB
CVE-2026-27655
EPSS 0% CVSS 7.3
HIGH This Week

Stored cross-site scripting in Zohocorp ManageEngine Exchange Reporter Plus (pre-5802) allows authenticated attackers to inject malicious scripts via the Permissions Based on Mailboxes report, potentially compromising administrator sessions and stealing high-privilege credentials. Attack requires low complexity and user interaction from a victim administrator. CVSS 7.3 (High) reflects significant confidentiality and integrity impact. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed vulnerability.

XSS Microsoft
NVD VulDB
CVE-2026-4108
EPSS 0% CVSS 7.3
HIGH This Week

Stored cross-site scripting (XSS) in Zohocorp ManageEngine Exchange Reporter Plus versions prior to 5802 allows authenticated attackers to inject malicious scripts through the Non-Owner Mailbox Permission report, potentially compromising confidentiality and integrity of user sessions. With CVSS 7.3 (High) and EPSS data unavailable, exploitation requires low attack complexity and authenticated access with user interaction. No public exploit identified at time of analysis, and vendor has released patched version 5802.

XSS Microsoft
NVD
CVE-2026-4107
EPSS 0% CVSS 7.3
HIGH This Week

Stored cross-site scripting in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers to inject malicious scripts via the Folder Message Count and Size report. With CVSS 7.3 (High severity) and requiring low-privilege authentication with user interaction, successful exploitation enables session hijacking and credential theft within the administrative interface. No public exploit identified at time of analysis, though CVSS vector indicates network-accessible attack surface with low complexity.

XSS Microsoft
NVD VulDB
CVE-2026-3880
EPSS 0% CVSS 7.3
HIGH This Week

Stored cross-site scripting in ManageEngine Exchange Reporter Plus (versions prior to 5802) allows authenticated attackers to inject malicious scripts through the Public Folder Client Permissions report, enabling session hijacking and credential theft with medium exploitation complexity. No active exploitation confirmed (not present in CISA KEV), though the network-accessible attack vector and stored nature of the XSS elevate real-world risk for organizations using this Exchange monitoring solution.

XSS Microsoft
NVD
CVE-2026-3879
EPSS 0% CVSS 7.3
HIGH This Week

Stored cross-site scripting in ManageEngine Exchange Reporter Plus (versions prior to 5802) allows authenticated attackers with low privileges to inject malicious scripts into Equipment Mailbox Details reports, enabling session hijacking and credential theft against administrative users who view the poisoned reports. No active exploitation confirmed (not in CISA KEV), but the vulnerability affects organizations monitoring Microsoft Exchange environments through ManageEngine's reporting platform.

XSS Microsoft
NVD
CVE-2026-28703
EPSS 0% CVSS 7.3
HIGH This Week

Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers to inject malicious scripts into the 'Mails Exchanged Between Users' report. With CVSS 7.3 (High severity) and low attack complexity (AC:L), this vulnerability requires low-privilege authentication (PR:L) and user interaction (UI:R) to achieve high confidentiality and integrity impact. No public exploit identified at time of analysis, though authentication requirements lower the barrier for insider threats or compromised accounts.

XSS Microsoft
NVD
CVE-2026-28756
EPSS 0% CVSS 7.3
HIGH This Week

Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus before version 5802 allows authenticated attackers with low privileges to inject malicious scripts into the Permissions based on Distribution Groups report, potentially leading to session hijacking and account compromise of administrators viewing the report. No active exploitation confirmed (CISA KEV absent), but the network-accessible attack vector and low complexity make this exploitable with publicly documented vendor advisory details.

XSS Microsoft
NVD VulDB
CVE-2026-28754
EPSS 0% CVSS 7.3
HIGH This Week

Stored cross-site scripting (XSS) in ManageEngine Exchange Reporter Plus versions prior to 5802 allows authenticated attackers with low privileges to inject malicious scripts into Distribution Lists reports that execute when viewed by other users, potentially compromising session tokens and account credentials of administrators or other privileged users. The vulnerability requires user interaction (victim must view the malicious report) but enables high-impact attacks against confidentiality and integrity within the application scope. No public exploit code or active exploitation has been identified at time of analysis.

XSS Microsoft
NVD
CVE-2025-7024
EPSS 0% CVSS 5.6
MEDIUM This Month

AIRBUS TETRA Connectivity Server 7.0 on Windows Server allows privilege escalation to SYSTEM via incorrect default directory permissions (CWE-276), enabling local authenticated attackers to execute arbitrary code by placing a crafted file in a vulnerable directory with user interaction. The vulnerability affects TETRA Connectivity Server version 7.0, with patches available for versions 8.0 and 9.0. No public exploit code or active exploitation in the wild has been identified at time of analysis.

Privilege Escalation RCE Microsoft
NVD VulDB
CVE-2026-35037
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Unauthenticated Server-Side Request Forgery (SSRF) in Ech0's /api/website/title endpoint allows remote attackers to access internal network services, cloud metadata endpoints (AWS IMDSv1 at 169.254.169.254), and localhost-bound resources without authentication. The vulnerability accepts arbitrary URLs via the website_url parameter with zero validation, enabling attackers to probe internal infrastructure and exfiltrate partial response data through HTML title tag extraction. CVSS 7.2 reflects the cross-scope impact (S:C) enabling firewall bypass and credential theft. No public exploit identified at time of analysis, though the attack surface requires zero privileges (PR:N) and trivial complexity (AC:L). Vendor patch available per GitHub security advisory GHSA-cqgf-f4x7-g6wc.

SSRF Information Disclosure Microsoft +1
NVD GitHub
CVE-2026-35036
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated server-side request forgery in Ech0's link preview endpoint allows remote attackers to force the application server to perform HTTP/HTTPS requests to arbitrary internal and external targets. The /api/website/title route requires no authentication, performs no URL validation, follows redirects by default, and disables TLS certificate verification (InsecureSkipVerify: true). Attackers can probe internal networks, access cloud metadata services (169.254.169.254), and trigger denial-of-service by forcing the server to download large files into memory via io.ReadAll. Proof-of-concept demonstrates successful exploitation against Docker deployments reaching host-bound services via host.docker.internal. EPSS score not available; no CISA KEV listing indicates this is not yet confirmed as actively exploited in the wild, though publicly available exploit code exists in the GitHub advisory. Vendor-released patch available.

SSRF Denial Of Service Apple +3
NVD GitHub
CVE-2026-34776
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Out-of-bounds heap read in Electron's single-instance lock mechanism on macOS and Linux allows local attackers with same-user privileges to leak sensitive application memory through crafted second-instance messages. Affected Electron versions prior to 41.0.0, 40.8.1, 39.8.1, and 38.8.6 are vulnerable only if applications explicitly call app.requestSingleInstanceLock(); no public exploit code is currently identified, but the CVSS 5.3 score reflects moderate confidentiality impact combined with local attack complexity requirements.

Information Disclosure Buffer Overflow Microsoft +1
NVD GitHub
CVE-2026-34775
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Electron's nodeIntegrationInWorker webPreference fails to properly isolate Node.js integration in worker contexts across certain process-sharing configurations, allowing workers in frames explicitly configured with nodeIntegrationInWorker: false to unexpectedly gain Node.js capabilities. Only applications that explicitly enable nodeIntegrationInWorker are affected. The vulnerability carries a CVSS score of 6.8 and permits information disclosure and code execution in affected contexts, with no public exploit identified at time of analysis.

Node.js Information Disclosure Microsoft
NVD GitHub
CVE-2026-34774
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Use-after-free memory corruption in Electron framework (versions <39.8.1, <40.7.0, <41.0.0) allows unauthenticated remote attackers to potentially execute arbitrary code when offscreen rendering is enabled and child windows are permitted. The vulnerability triggers when a parent offscreen WebContents is destroyed while child windows remain active, causing subsequent paint operations to dereference freed memory. EPSS data not available; no public exploit identified at time of analysis. Fixed versions released by vendor.

Use After Free Memory Corruption Buffer Overflow +1
NVD GitHub
CVE-2026-34773
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Electron's setAsDefaultProtocolClient() on Windows fails to validate protocol names before writing to the Windows registry, allowing local authenticated attackers to hijack protocol handlers by writing to arbitrary HKCU\Software\Classes\ subkeys when apps pass untrusted input as the protocol parameter. The vulnerability affects Electron versions prior to 38.8.6, 39.8.1, 40.8.1, and 41.0.0, and requires local access and low privileges; no public exploit has been identified at time of analysis.

RCE Microsoft
NVD GitHub
CVE-2026-34770
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Use-after-free in Electron's powerMonitor module allows local attackers to trigger memory corruption or application crashes through system power events. All Electron applications (versions <38.8.6, <39.8.1, <40.8.0, <41.0.0-beta.8) that subscribe to powerMonitor events (suspend, resume, lock-screen) are vulnerable when garbage collection frees the PowerMonitor object while OS-level event handlers retain dangling pointers. Exploitation requires local access and specific timing conditions (CVSS 7.0 HIGH, AC:H). No public exploit identified at time of analysis, though the technical details are publicly documented in the GitHub security advisory.

Use After Free Memory Corruption Microsoft +2
NVD GitHub
CVE-2026-34768
EPSS 0% CVSS 3.9
LOW PATCH Monitor

Electron's setLoginItemSettings() function on Windows fails to quote executable paths in the Run registry key, allowing local attackers with write access to ancestor directories to execute arbitrary programs at login if the app is installed to a path containing spaces. The vulnerability affects Electron versions prior to 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, and requires high-privilege access and unfavorable conditions (non-standard install paths) to exploit, making real-world impact limited to non-default Windows configurations.

Microsoft Authentication Bypass
NVD GitHub
CVE-2026-33107
EPSS 0% CVSS 10.0
CRITICAL NO ACTION HOSTED Monitor

Server-side request forgery in Azure Databricks enables unauthenticated remote attackers to achieve full privilege escalation with critical impact across confidentiality, integrity, and availability. The vulnerability carries a maximum CVSS 10.0 score with network-based attack vector, low complexity, and scope change, indicating attackers can leverage the SSRF to break out of Databricks' security boundary and access underlying cloud infrastructure or customer data. No public exploit or active exploitation confirmed at time of analysis, though the low attack complexity suggests straightforward exploitation once attack surface is identified.

Microsoft SSRF
NVD VulDB
CVE-2026-33105
EPSS 0% CVSS 10.0
CRITICAL NO ACTION HOSTED Monitor

Microsoft Azure Kubernetes Service (AKS) contains an improper authorization vulnerability enabling unauthenticated remote attackers to elevate privileges over a network with critical impact across confidentiality, integrity, and availability. The CVSS 10.0 critical rating reflects network-accessible exploitation requiring no authentication, low complexity, and scope change allowing compromise beyond the vulnerable component. No public exploit identified at time of analysis, though the authentication bypass nature and maximum severity warrant immediate priority.

Microsoft Kubernetes Authentication Bypass
NVD VulDB
CVE-2026-32213
EPSS 0% CVSS 10.0
CRITICAL NO ACTION HOSTED Monitor

Azure AI Foundry improper authorization permits unauthenticated remote attackers to escalate privileges and achieve complete compromise with high impact to confidentiality, integrity, and availability. The CVSS 10.0 rating reflects network-based attack vector with low complexity, no user interaction, and scope change indicating containerization/isolation escape. EPSS and KEV status not provided, but the authentication bypass affecting a cloud AI platform poses severe risk. No public exploit identified at time of analysis.

Microsoft Authentication Bypass
NVD VulDB
CVE-2026-32211
EPSS 0% CVSS 9.1
CRITICAL NO ACTION HOSTED Monitor

Unauthenticated information disclosure in Azure MCP Server allows remote attackers to access sensitive data over the network without authentication. The vulnerability stems from missing authentication controls on critical functions (CWE-306), enabling attackers to bypass security boundaries and extract confidential information with minimal complexity. With CVSS 9.1 (Critical) and network-accessible attack vector requiring no privileges or user interaction, this represents a significant exposure for organizations running affected Azure MCP Server instances. No public exploit identified at time of analysis, though the straightforward authentication bypass nature increases likelihood of rapid weaponization.

Microsoft Authentication Bypass
NVD VulDB
CVE-2026-32173
EPSS 0% CVSS 8.6
HIGH NO ACTION HOSTED Monitor

Information disclosure in Azure SRE Agent can be exploited by remote unauthenticated attackers via improper authentication mechanisms. The vulnerability carries an 8.6 CVSS score with network attack vector requiring low complexity and no user interaction, enabling attackers to extract high-confidentiality data with scope change impact. No public exploit identified at time of analysis, though the authentication bypass nature and network accessibility present significant risk to Azure infrastructure components.

Microsoft Authentication Bypass
NVD VulDB
CVE-2026-26135
EPSS 0% CVSS 9.6
CRITICAL NO ACTION HOSTED Monitor

Server-side request forgery in Azure Custom Locations Resource Provider enables authenticated attackers with low-level privileges to elevate access and exfiltrate sensitive data across scope boundaries via network-based SSRF exploitation. This vulnerability affects Microsoft Azure infrastructure with a CVSS score of 9.6 (Critical), featuring scope change that allows attackers to reach resources beyond the vulnerable component's security context. No public exploit code or active exploitation confirmed at time of analysis, though the low attack complexity and network vector indicate straightforward exploitability once authenticated access is obtained.

Microsoft SSRF
NVD VulDB
CVE-2026-34838
EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote Code Execution in Group-Office enterprise CRM via insecure deserialization allows authenticated attackers to write arbitrary files and execute code on the server. Affects all versions prior to 6.8.156, 25.0.90, and 26.0.12 across multiple product branches. CVSS 9.9 (Critical) with network-based attack vector requiring only low-privileged authentication. No public exploit identified at time of analysis, though the technical details in the GitHub Security Advisory provide sufficient implementation guidance. EPSS data not available, but the combination of authenticated remote access, low complexity, and direct RCE makes this a priority for patching in exposed Group-Office installations.

Microsoft Deserialization RCE
NVD GitHub
CVE-2026-33271
EPSS 0% CVSS 6.7
MEDIUM This Month

Local privilege escalation in Acronis True Image for Windows before build 42902 allows authenticated users with low privileges to escalate to higher privileges through insecure folder permissions. An attacker with local access and user-level privileges can exploit improper permission settings on critical directories to achieve full system compromise, requiring user interaction (file execution or folder navigation). This vulnerability has a CVSS score of 6.7 reflecting high confidentiality, integrity, and availability impact despite the elevated barriers to exploitation.

Privilege Escalation Microsoft
NVD VulDB
CVE-2026-27774
EPSS 0% CVSS 6.7
MEDIUM This Month

Local privilege escalation in Acronis True Image (Windows) before build 42902 allows authenticated users with low privileges to gain high-integrity access through DLL hijacking. An attacker with local user access can exploit unsafe DLL loading to execute arbitrary code with elevated permissions, requiring user interaction (e.g., triggering a specific application action). No public exploit code or active exploitation has been confirmed at the time of analysis.

Privilege Escalation Microsoft
NVD VulDB
CVE-2026-28728
EPSS 0% CVSS 6.7
MEDIUM This Month

Local privilege escalation in Acronis True Image for Windows before build 42902 exploits DLL hijacking to allow authenticated users to escalate privileges. An attacker with local access and valid credentials can manipulate DLL load paths during application execution to gain elevated system privileges; user interaction (such as opening a file or launching a feature) is required. This vulnerability has a CVSS score of 6.7 and affects all versions prior to the patched build.

Privilege Escalation Microsoft
NVD VulDB
CVE-2026-21765
EPSS 0% CVSS 8.8
HIGH This Week

Local privilege escalation in HCL BigFix Platform on Windows allows authenticated users with low privileges to access cryptographic private keys due to overly permissive file system permissions, potentially enabling complete system compromise with cross-scope impact. Authentication required (PR:L). No public exploit identified at time of analysis, though the attack is rated low complexity and fully automated. CVSS 8.8 severity driven by scope change and complete confidentiality/integrity/availability impact.

Microsoft Privilege Escalation
NVD VulDB
CVE-2026-30332
EPSS 0% CVSS 7.5
HIGH This Week

TOCTOU race condition in Balena Etcher for Windows (versions prior to 2.1.4) enables local privilege escalation to arbitrary code execution when attackers replace legitimate scripts with malicious payloads during disk flashing operations. The vulnerability requires low privileges and user interaction but achieves high impact across confidentiality, integrity, and availability with scope change. No public exploit identified at time of analysis, though technical details are available via researcher disclosure (B1tBreaker). EPSS data not available, but the local attack vector and high complexity reduce immediate remote exploitation risk.

RCE Microsoft
NVD GitHub VulDB
CVE-2026-34969
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Nhost auth service exposes OAuth refresh tokens in redirect URL query parameters, allowing access to browser history, server logs, and proxy logs on owned infrastructure. While refresh tokens are single-use and leak vectors are primarily confined to developer-controlled systems, the vulnerability violates RFC 6749 token transport requirements and enables session hijacking if logs are accessed before the token is legitimately consumed. All OAuth providers (GitHub, Google, Apple) are affected equally through the same vulnerable callback handler.

Information Disclosure Apple Microsoft +1
NVD GitHub
CVE-2026-34750
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Path traversal in Payload CMS storage adapter client-upload signed-URL endpoints (S3, GCS, Azure, R2) prior to version 3.78.0 allows authenticated attackers to escape intended storage locations via unsanitized filenames, enabling arbitrary file writes to cloud storage buckets. The vulnerability requires user authentication and affects all four cloud storage integrations across the Payload CMS ecosystem.

Path Traversal Microsoft
NVD GitHub
CVE-2026-34515
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

AIOHTTP static resource handler on Windows exposes NTLMv2 remote path information to unauthenticated remote attackers, allowing information disclosure with high confidentiality impact. Versions prior to 3.13.4 are affected. The vulnerability has been patched and no active exploitation has been confirmed at this time.

Python Information Disclosure Microsoft
NVD GitHub VulDB
CVE-2026-33544
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authentication bypass via OAuth token race condition in tinyauth allows concurrent attackers to hijack user sessions and gain unauthorized access to victim accounts. The vulnerability affects tinyauth v5.0.4 and earlier versions where singleton OAuth service instances share mutable PKCE verifier and access token fields across all concurrent requests. When two users authenticate simultaneously with the same OAuth provider (GitHub, Google, or generic OAuth), the second request overwrites the first user's token, causing the first user to receive a session with the second user's identity and access privileges. Go race detector confirms 99.9% exploit success rate (9,985/10,000 iterations) in concurrent scenarios. No active exploitation confirmed (not in CISA KEV), but detailed proof-of-concept demonstrates reliable session hijacking with publicly available exploit methodology. EPSS data not available for this recent CVE.

Race Condition Authentication Bypass Microsoft
NVD GitHub
CVE-2026-34447
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

ONNX versions prior to 1.21.0 allow local attackers to read arbitrary files outside the model directory through symlink traversal during external data loading, requiring user interaction to load a malicious model file. The vulnerability has a CVSS score of 5.5 (medium severity) and is classified as information disclosure with confirmed patch availability in version 1.21.0.

Information Disclosure Microsoft
NVD GitHub
CVE-2026-34446
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

ONNX versions prior to 1.21.0 allow local attackers to read arbitrary files by exploiting a hardlink-based path traversal vulnerability in onnx.load(). The vulnerability bypasses existing symlink protections because hardlinks appear as regular files to filesystem checks. An attacker with local file system access can craft a malicious ONNX model file using hardlinks to access sensitive data outside the intended directory, requiring user interaction to load the crafted model. No public exploit code has been identified; EPSS score of 4.7 indicates low exploitation probability despite moderate CVSS impact.

Path Traversal Microsoft
NVD GitHub
CVE-2026-34445
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Arbitrary attribute injection in ONNX Python library (versions prior to 1.21.0) allows unauthenticated remote attackers to manipulate internal object properties by embedding malicious metadata in ONNX model files, resulting in potential information disclosure, data integrity violations, and high availability impact (CVSS 8.6). The vulnerability stems from unchecked use of Python's setattr() with externally-controlled keys during ExternalDataInfo deserialization. No public exploit code or CISA KEV listing identified at time of analysis, but proof-of-concept development is trivial given the straightforward nature of Python attribute manipulation. EPSS data not provided, but the unauthenticated network-accessible attack vector and low complexity suggest material risk for organizations processing untrusted ONNX models.

Python Microsoft Information Disclosure
NVD GitHub
CVE-2026-34397
EPSS 0% CVSS 6.3
MEDIUM This Month

Local privilege escalation in Himmelblau versions 2.0.0-alpha through 2.3.8 and 3.0.0-alpha through 3.1.0 allows authenticated users to assume privileged group membership when their Azure Entra ID-mapped CN or short name collides with system group names (sudo, wheel, docker, adm, etc.). The NSS module resolves the collision to the attacker's fake primary group, potentially granting group-level privileges if the system uses NSS for authorization decisions. CVSS 6.3 (medium); no public exploit identified at time of analysis.

Microsoft Privilege Escalation Docker
NVD GitHub
CVE-2026-34510
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

OpenClaw before version 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and UNC-style network paths without proper local-path validation, allowing unauthenticated remote attackers to bypass access restrictions and read local files. With a CVSS score of 6.9 and network-based attack vector requiring no user interaction, this vulnerability presents moderate risk to systems processing untrusted media content. No public exploit code or active exploitation has been confirmed at the time of analysis.

Path Traversal Microsoft
NVD GitHub VulDB
CVE-2026-5277
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Integer overflow in ANGLE (Google's OpenGL abstraction layer) in Chrome on Windows before version 146.0.7680.178 enables out-of-bounds memory writes if the renderer process is compromised, allowing an attacker to execute arbitrary code with renderer privileges. The vulnerability requires prior renderer process compromise, limiting the immediate attack surface but representing a critical post-compromise escalation vector. Chromium severity is rated High; patch availability confirms vendor remediation.

Google Buffer Overflow Microsoft +3
NVD VulDB
CVE-2026-34604
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Path traversal via symlink/junction bypass in @tinacms/graphql FilesystemBridge allows authenticated remote attackers with low privileges to read, write, and delete arbitrary files outside the configured content root. The vulnerability exploits a realpath canonicalization gap where path validation checks lexical string paths but filesystem operations follow symlink targets. Attack complexity is high (CVSS AC:H) as it requires pre-existing symlinks/junctions within the content tree or the ability to create them. EPSS data not provided; no CISA KEV listing indicates no confirmed active exploitation. Vendor-released patch available via commit f124eabaca10dac9a4d765c9e4135813c4830955.

Path Traversal Microsoft Canonical
NVD GitHub
CVE-2026-34603
EPSS 0% CVSS 7.1
HIGH PATCH This Week

TinaCMS CLI media handlers can be bypassed via symlink/junction traversal, allowing authenticated low-privilege attackers to list, write, and delete files outside the configured media root directory. The vulnerability exists in @tinacms/cli's dev server media routes despite recent path-traversal hardening, because validation performs only lexical string checks without resolving symlink targets. Attack complexity is high (requires pre-existing symlink under media root), but impact is significant with confirmed read/write primitives. Vendor patch available via GitHub commit f124eaba. EPSS and KEV data not provided; no public exploit identified at time of analysis beyond researcher's local Windows junction proof-of-concept.

Path Traversal Microsoft Canonical
NVD GitHub
CVE-2026-27124
EPSS 0% CVSS 8.2
HIGH PATCH This Week

FastMCP OAuthProxy allows authentication bypass through a Confused Deputy attack, enabling attackers to hijack victim OAuth sessions and gain unauthorized access to MCP servers. When victims who previously authorized a legitimate MCP client are tricked into opening a malicious authorization URL, the OAuthProxy fails to validate browser-bound consent, redirecting valid authorization codes to attacker-controlled clients. This affects the GitHubProvider integration and potentially all OAuth providers that skip consent prompts for previously authorized applications. No public exploit identified at time of analysis, though detailed reproduction steps are publicly documented in the GitHub security advisory.

Authentication Bypass Microsoft Redhat
NVD GitHub
CVE-2025-64340
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

Command injection in fastmcp install allows Windows users to execute arbitrary commands via shell metacharacters in server names. When installing a server with a name containing characters like `&` (e.g., `fastmcp install claude-code` with server name `test&calc`), the metacharacter is interpreted by cmd.exe during execution of .cmd wrapper scripts, leading to arbitrary command execution with user privileges. This affects Windows systems running claude or gemini CLI installations; macOS and Linux are unaffected. A patch is available via GitHub PR #3522.

Python Command Injection Apple +1
NVD GitHub
CVE-2026-34401
EPSS 0% CVSS 6.5
MEDIUM This Month

XML Notepad versions prior to 2.9.0.21 allow remote attackers to leak local file contents or capture NTLM credentials via crafted XML files with malicious DTDs, exploiting disabled-by-default DTD processing that automatically resolves external entities. The vulnerability requires user interaction (opening a malicious XML file) but poses significant confidentiality risk on Windows systems where NTLM credential interception is feasible. Microsoft released patched version 2.9.0.21 to address this XXE (XML External Entity) issue.

Microsoft XXE
NVD GitHub
CVE-2026-2123
EPSS 0% CVSS 8.6
HIGH This Week

Privilege escalation in OpenText Operations Agent versions 12.29 and earlier on Windows allows local attackers to execute arbitrary code by placing malicious executables in specific writeable directories, which the agent subsequently executes with elevated privileges. The vulnerability requires local access and specific conditions to be present but does not require prior authentication to the agent itself. No public exploit code has been identified, and there is no confirmation of active exploitation at time of analysis.

Microsoft Privilege Escalation
NVD VulDB
CVE-2026-5087
EPSS 0% CVSS 7.5
HIGH This Week

PAGI::Middleware::Session::Store::Cookie through version 0.001003 generates cryptographically weak initialization vectors (IVs) for session cookie encryption by falling back to Perl's built-in rand() function when /dev/urandom is unavailable, particularly affecting Windows systems. This predictable IV generation enables attackers to decrypt and tamper with session data stored in cookies, compromising session confidentiality and integrity. No active exploitation has been confirmed, but the vulnerability affects all deployments on systems lacking /dev/urandom access.

Information Disclosure Microsoft
NVD VulDB
CVE-2026-22561
EPSS 0% CVSS 4.7
MEDIUM This Month

DLL search-order hijacking in Anthropic Claude for Windows installer (Claude Setup.exe) versions before 1.1.3363 enables local privilege escalation to system context. An attacker with low privileges and physical or local access can plant a malicious DLL (such as profapi.dll) in the installer directory; when an elevated user runs the installer, the uncontrolled search path causes the malicious DLL to be loaded and executed with system privileges, achieving arbitrary code execution. No public exploit code or active exploitation has been confirmed at the time of analysis.

Privilege Escalation RCE Microsoft
NVD
CVE-2026-22569
EPSS 0% CVSS 5.4
MEDIUM This Month

Zscaler Client Connector on Windows contains an incorrect startup configuration that permits limited traffic to bypass inspection under rare circumstances, resulting in potential information disclosure and integrity compromise. The vulnerability affects all versions of the product and requires user interaction to exploit, with a CVSS score of 5.4 reflecting the combination of network-based attack vector, low complexity, and low impact on confidentiality and integrity. No evidence of active exploitation or public exploit code has been identified.

Information Disclosure Microsoft
NVD
CVE-2026-34509
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Authorization bypass in OpenClaw's Microsoft Teams plugin allows unauthenticated remote attackers to circumvent sender allowlists and trigger replies in restricted Teams routes. Affecting OpenClaw versions before 2026.3.8, the flaw manifests when team/channel route allowlists contain empty groupAllowFrom parameters, causing the message handler to synthesize wildcard sender authorization instead of enforcing intended restrictions. No public exploit identified at time of analysis, though CVSS 7.5 reflects network-accessible exploitation with low complexity requiring no authentication. Vendor-released patch available in version 2026.3.8 with upstream commit 88aee916.

Authentication Bypass Microsoft
NVD GitHub
CVE-2026-34506
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Authorization bypass in OpenClaw Microsoft Teams plugin (versions before 2026.3.8) permits unauthenticated attackers to circumvent sender allowlists when team/channel routes are configured with empty groupAllowFrom parameters. Remote attackers can exploit this network-accessible flaw with low complexity to trigger unauthorized message replies and access sensitive information in allowlisted Teams routes. EPSS and KEV data not available for this recent CVE; no public exploit identified at time of analysis.

Microsoft Authentication Bypass
NVD GitHub
CVE-2026-34054
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation via hardcoded build path in vcpkg's OpenSSL binaries affects Windows users of the C/C++ package manager prior to version 3.6.1#3. The vulnerability allows authenticated local attackers with low privileges to achieve high confidentiality, integrity, and availability impact (CVSS 7.8) by exploiting the hardcoded openssldir path that references the original build machine. Upstream fix available (PR #50518, commit 5111afd); patched version 3.6.1#3 released. No public exploit identified at time of analysis, with EPSS data not available for this recent CVE.

OpenSSL Microsoft Information Disclosure
NVD GitHub
CVE-2026-30309
EPSS 0% CVSS 7.8
HIGH This Week

InfCode's terminal auto-execution module fails to properly validate PowerShell commands due to an ineffective blacklist and lack of semantic parsing, allowing attackers to bypass command filtering through syntax obfuscation. When a user imports a specially crafted file into the IDE, the Agent executes arbitrary PowerShell commands without user confirmation, leading to remote code execution or sensitive data exfiltration. No public exploit code or active exploitation has been confirmed at time of analysis.

Command Injection Information Disclosure Microsoft
NVD GitHub
CVE-2026-3991
EPSS 0% CVSS 7.8
HIGH This Week

Elevation of privilege in Symantec Data Loss Prevention Windows Endpoint allows authenticated local users to gain SYSTEM-level access and compromise protected resources. Affects all versions prior to 25.1 MP1, 16.1 MP2, 16.0 RU2 HF9, 16.0 RU1 MP1 HF12, and 16.0 MP2 HF15. CVSS 7.8 (High) reflects the local attack vector but complete system compromise upon successful exploitation. No public exploit identified at time of analysis, though the CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) classification suggests potential DLL hijacking or similar trust boundary violations.

Information Disclosure Microsoft
NVD
CVE-2026-34360
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Server-side request forgery (SSRF) in FHIR Validator HTTP service allows unauthenticated remote attackers to probe internal network services and cloud metadata endpoints via the /loadIG endpoint, which accepts arbitrary URLs without hostname or domain validation. The vulnerability defaults to allowing all outbound requests, and redirect following bypasses even configured domain restrictions. With the explore=true default setting, each request amplifies reconnaissance capability through multiple outbound HTTP calls, enabling blind network topology mapping and metadata service access.

SSRF Java Microsoft
NVD GitHub
CVE-2026-33990
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Server-side request forgery in Docker Model Runner allows unprivileged containers or malicious OCI registries to make arbitrary GET requests to internal services by exploiting unvalidated realm URLs in the OCI registry token exchange flow. Affected versions prior to 1.1.25 (Docker Desktop prior to 4.67.0) permit attackers to access host-local services and reflect response bodies back to the caller, potentially exfiltrating sensitive data from internal endpoints. No public exploit code or active exploitation has been reported at time of analysis.

Docker SSRF Microsoft
NVD GitHub
CVE-2026-33949
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Path traversal in TinaCMS GraphQL (@tinacms/graphql) enables unauthenticated remote attackers to write and overwrite arbitrary files within the project root, including critical configuration files like package.json and build scripts. The vulnerability stems from platform-specific path validation failures that treat backslash characters differently on Unix-based systems, allowing traversal sequences like 'x\..\..\..\package.json' to bypass security checks. With a CVSS score of 8.1 and publicly available exploit code demonstrating the attack, this represents a critical security risk for TinaCMS deployments, particularly those exposed to untrusted networks. No CISA KEV listing exists, but the proof-of-concept demonstrates clear exploitation paths to arbitrary code execution via build script modification.

Path Traversal RCE Microsoft
NVD GitHub
CVE-2026-34204
EPSS 0% CVSS 7.1
HIGH This Week

Authentication bypass in MinIO allows any authenticated user with s3:PutObject permission to permanently corrupt objects by injecting fake server-side encryption metadata via crafted X-Minio-Replication-* headers. Attackers can selectively render individual objects or entire buckets permanently unreadable through the S3 API without requiring elevated ReplicateObjectAction permissions. Affects all MinIO releases from RELEASE.2024-03-30T09-41-56Z through the final open-source release. Vendor-released patch available in MinIO AIStor RELEASE.2026-03-26T21-24-40Z. No public exploit identified at time of analysis, though the attack mechanism is well-documented in the advisory.

Docker Microsoft Apple +1
NVD GitHub
CVE-2026-32187
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Microsoft Edge (Chromium-based) contains a defense-in-depth vulnerability affecting all versions that allows remote attackers to disclose sensitive information and modify data through a network-based attack requiring user interaction. The vulnerability carries a CVSS score of 4.2 (low severity) with high attack complexity, indicating limited real-world exploitability despite dual confidentiality and integrity impacts. A vendor-released patch is available from Microsoft.

Microsoft Google XSS
NVD VulDB
CVE-2026-34070
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A path traversal vulnerability (CVSS 7.5) of high severity that requires prompt remediation. A vendor patch is available.

Python Path Traversal Docker +2
NVD GitHub VulDB
CVE-2026-34391
EPSS 0% CVSS 6.6
MEDIUM This Month

Fleet device management software versions prior to 4.81.1 allow malicious enrolled Windows devices to access Mobile Device Management (MDM) commands intended for other devices, potentially disclosing sensitive configuration data including WiFi credentials, VPN secrets, and certificate payloads across the entire Windows fleet. The vulnerability stems from improper authorization controls in Windows MDM command processing, affecting any organization using Fleet for Windows device management. Vendor-released patch: version 4.81.1.

Microsoft Information Disclosure
NVD GitHub
CVE-2026-33980
EPSS 0% CVSS 8.3
HIGH PATCH This Week

KQL injection in adx-mcp-server Python package allows authenticated attackers to execute arbitrary Kusto queries against Azure Data Explorer clusters. Three MCP tool handlers (get_table_schema, sample_table_data, get_table_details) unsafely interpolate the table_name parameter into query strings via f-strings, enabling data exfiltration from arbitrary tables, execution of management commands, and potential table drops. Vendor-released patch available (commit 0abe0ee). No public exploit identified at time of analysis, though proof-of-concept code exists in the security advisory demonstrating injection via comment-based bypass and newline-separated commands. Affects adx-mcp-server ≤ commit 48b2933.

Microsoft RCE Nosql Injection +1
NVD GitHub
CVE-2026-34387
EPSS 0% CVSS 5.7
MEDIUM This Month

Fleet device management software versions prior to 4.81.1 are vulnerable to command injection in the software installer pipeline, enabling remote attackers with high privileges to achieve arbitrary code execution as root on macOS/Linux or SYSTEM on Windows when triggering uninstall operations on crafted software packages. The vulnerability requires high privileges and user interaction but delivers complete system compromise on affected managed hosts. No public exploit code or active exploitation has been identified at time of analysis.

RCE Command Injection Apple +1
NVD GitHub
CVE-2026-33992
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

PyLoad download manager (version 0.5.0 and potentially earlier, distributed via pip as pyload-ng) allows authenticated users to perform Server-Side Request Forgery attacks by submitting arbitrary URLs through the /api/addPackage endpoint without validation. Attackers with valid credentials can exfiltrate cloud provider metadata from AWS EC2, DigitalOcean, Google Cloud, and Azure instances, exposing IAM credentials, SSH keys, API tokens, and internal network topology. A proof-of-concept demonstration is documented with live instance credentials. An upstream fix is available (PR/commit; GitHub commit reference b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8), but a released patched version has not been independently confirmed.

SSRF Microsoft Python +1
NVD GitHub