Microsoft
Monthly
Dell OpenManage Integration with Microsoft Windows Admin Center contains a Remote Code Execution vulnerability in the gateway plugin. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.
Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a more-privileged Python process running from a legacy all-users installation, enabling arbitrary code execution under an elevated context. The root cause is a VPATH-based fallback landmark mechanism compiled into release builds: on Windows, VPATH resolves two directory levels above PCbuild/, placing the Modules/Setup.local landmark outside the install directory in a location writable by unprivileged users under the legacy EXE installer's default all-users path. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, high confidentiality and integrity impact (VC:H/VI:H) reflect the ability to fully substitute Python's module loading path.
Static file disclosure in Hono's serve-static middleware on Windows allows unauthenticated remote attackers to read files protected behind prefix-mounted middleware by submitting a URL-encoded backslash (%5C) in the request path. Hono versions prior to 4.12.25 are affected when deployed on Windows using the Node, Bun, or Deno adapters with an auth or access-control middleware guarding a static subtree. No public exploit or CISA KEV listing has been identified at time of analysis, but the attack primitive is trivially constructable from the public advisory.
Privilege escalation to SYSTEM in Sony Optical Disc Archive Software for Windows 5.5.3 and earlier arises from incorrect default filesystem permissions (CWE-276), enabling a local low-privileged attacker to plant or replace executable content that the software later runs with SYSTEM-level authority. Reported by JPCERT/CC and tracked under JVN#79926428, the vulnerability is classified as local with passive user interaction required (CVSS 4.0 AV:L/UI:P/AT:P), limiting opportunistic mass exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Server-side request forgery in Starlette's StaticFiles on Windows allows unauthenticated remote attackers to coerce the application process into making outbound SMB connections to attacker-controlled hosts, leaking the service account's NTLMv2 hash for offline cracking or NTLM relay. The flaw affects all Starlette versions before 1.1.0 (including downstream frameworks like FastAPI) when running on Windows in the default follow_symlink=False configuration, and no public exploit identified at time of analysis though the GHSA advisory provides full technical detail sufficient to reproduce.
NTLMv2 hash disclosure in the `launch-editor` NPM package (v2.14.0 and earlier) exposes developer credentials on Windows systems when an attacker-controlled UNC path is passed to the package's file-opening HTTP middleware. The attack is achievable by tricking a developer running a local development server such as Vite into visiting an attacker-controlled webpage that issues a cross-origin request to the local `__open-in-editor` endpoint with a crafted `\\attacker-host\share` UNC path, whereupon Windows automatically initiates NTLM authentication without any user prompt, transmitting the victim's NTLMv2 hash to the attacker's SMB server. Publicly available exploit code confirmed via the advisory PoC using Impacket smbserver.py and Responder lowers the barrier significantly; no active exploitation has been confirmed via CISA KEV at time of analysis.
Arbitrary file disclosure in Vite's development server on Windows allows remote unauthenticated attackers to read sensitive files (such as `.env`, `*.pem`, `*.crt`) that are nominally protected by the `server.fs.deny` allowlist. The flaw stems from Windows-specific path-form quirks (NTFS Alternate Data Stream syntax `::$DATA` and 8.3 short filename aliases) that bypass deny-list normalization, and publicly available exploit code exists in the GHSA advisory. Only dev servers explicitly exposed to the network via `--host`/`server.host` are reachable.
ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials. This results in a complete account takeover.
Divide-by-zero crash in GPAC's MP4Box tool allows denial of service when processing a crafted MP4 file containing a malformed Opus audio track header. The function gf_opus_parse_packet_header() in media_tools/av_parsers.c:11479 fails to validate that nb_frames is non-zero before performing arithmetic (max = header->nb_frames - 1), triggering a SIGFPE along the Opus dump path. A public proof-of-concept file is available, and no authentication or special privileges are required - only the ability to supply a crafted file to the tool. No confirmed active exploitation (not in CISA KEV); impact is limited to process crash with no code execution potential identified.
Cross-origin credential disclosure in Avira Password Manager's Firefox extension allows a malicious site embedding the targeted page in an iframe to harvest credentials that the extension autofills into the parent context. The flaw stems from incorrect autofill field selection and affects Windows, macOS, and Linux installations; no public exploit identified at time of analysis but the CVSS 7.4 (S:C/C:H) score reflects the cross-origin trust boundary violation.
Local code execution in Avira Antivirus engine builds prior to 8.3.27.12 on Windows, macOS, and Linux occurs when the scanner parses a malformed POSIX tar archive, triggering a heap out-of-bounds write that can either crash the AV process (DoS) or execute attacker code in the scanner's context. No public exploit identified at time of analysis, but the on-access scanning model means a victim only has to write the malicious tar to disk for the engine to touch it. Reported by GEN (Gen Digital, Avira's parent).
Local code execution in Avira Antivirus engine builds before 8.3.70.104 on Windows, macOS, and Linux allows attackers to trigger a heap buffer out-of-bounds write by having the engine scan a malformed MS-DOS executable. The flaw stems from an integer overflow during parsing and can also crash the antivirus engine process, with no public exploit identified at time of analysis.
Local code execution in Avira Antivirus engine builds before 8.3.70.76 on Windows, macOS, and Linux is triggered when the scanner processes a malformed PDF file, leading to a heap out-of-bounds read that can corrupt the antivirus engine process. CVSS 7.8 reflects the high impact on confidentiality, integrity, and availability, but exploitation requires the victim to expose the engine to the attacker's file. No public exploit identified at time of analysis.
Heap out-of-bounds read in the Avira Antivirus scanning engine on Windows, macOS, and Linux (engine builds before 8.3.70.98) allows a malformed Windows PE file to trigger local code execution or crash the antivirus engine process. Because AV engines typically auto-scan files on access, simply writing or dropping a crafted PE onto disk can reach the vulnerable parser, and no public exploit identified at time of analysis. Exploitation requires the victim's AV to scan the file (UI:R), so realistic delivery is via downloads, email attachments, or removable media rather than fully remote unauthenticated execution.
Stack overflow in Gen Digital's shared antivirus scanning engine crashes the AV process when it parses a malformed Office Open XML (OOXML) file, causing a Denial-of-Service condition. The flaw affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus across Windows, macOS, and Linux - all products that consume the same Gen Digital VPS (virus definition) update stream. No active exploitation or public exploit code has been identified at time of analysis; the impact is limited to availability (AV process crash) with no confidentiality or integrity consequences.
Null pointer dereference in the Avira Antivirus scanning engine crashes the antivirus process when it parses a specially crafted malformed Windows PE file. All platform deployments - Windows, macOS, and Linux - running engine builds prior to 8.3.70.64 are affected, making this a cross-platform availability risk. No public exploit identified at time of analysis and no CISA KEV listing; however, the ease of crafting a malformed PE file as a trigger lowers the practical barrier for targeted disruption of endpoint protection.
Local code execution or denial-of-service in Avira Antivirus engine builds prior to 8.3.70.56 occurs when the scanner parses a malformed Windows MSI installer file, triggering a heap out-of-bounds read. The flaw affects deployments on Windows, macOS, and Linux and requires user interaction to place a crafted MSI where the engine will scan it. No public exploit identified at time of analysis and CVSS scores it 7.8 High.
Local code execution and denial-of-service in Gen Digital antivirus engines (Avast, AVG, Norton, Avast One, Avast Business Antivirus) on Windows, macOS, and Linux stems from a heap out-of-bounds read in the malformed-ZIP/XML scanner across virus definition builds 25020100 through 25021207. An attacker who lures a user into letting the on-access scanner process a crafted archive can crash the antivirus process or potentially execute code in its context. No public exploit identified at time of analysis and the EPSS signal was not provided.
Stack overflow via uncontrolled recursion crashes the antivirus scanning process across all Gen Digital consumer and business products when a crafted malformed PDF is scanned. Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux are all affected through a shared Gen Digital virus definition engine (VPS builds before 25021208). An attacker who can place a specially crafted PDF on a target system - or deliver it via email or download - can force a denial-of-service of the antivirus process; no public exploit has been identified at time of analysis.
Local code execution or antivirus-process denial-of-service in Gen Digital's shared scanning engine (Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux) is triggered when the engine parses a malformed Windows PE file and performs a heap out-of-bounds read. Mitigation ships via the VPS 25021310 virus definition update rather than a product installer, so any consumer of the Gen Digital definition stream at or above that build is no longer exposed. No public exploit identified at time of analysis, but the bug sits inside a high-privilege scanner that auto-processes attacker-controlled files.
Out-of-bounds heap read in the Gen Digital antivirus scanning engine (Avast, AVG, Norton, Avast One, Avast Business) allows a malformed Windows PE file with crafted .NET metadata to crash the AV process or potentially execute code locally on Windows, macOS, and Linux endpoints running virus definitions prior to VPS 25021310. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, but the bug is reachable via on-access scanning, meaning any user who receives a malicious file may trigger it without explicit action. UI:R in the CVSS vector and the local attack vector temper the urgency relative to the 7.8 base score.
Stack use-after-free in the Gen Digital shared antivirus scanning engine crashes the antivirus process when it parses a malformed Windows PE file. Five Gen Digital products share a common virus definition update stream - Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus across Windows, macOS, and Linux - making all simultaneously vulnerable until the shared definition stream reaches build VPS 25022500. No public exploit has been identified at time of analysis; the impact is limited to a Denial-of-Service of the antivirus process with no confidentiality or integrity loss, and the CVSS score of 5.5 reflects the local, user-interaction-dependent nature of the attack.
Uncontrolled recursion in the Gen Digital shared scanning engine crashes the antivirus process when it encounters a specially crafted malformed Windows PE file, causing a Denial-of-Service across five Gen Digital products - Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus - on Windows, macOS, and Linux. The vulnerability resides in the virus definition update stream rather than the product binary itself, meaning all five products sharing the same Gen Digital VPS stream are simultaneously exposed until updated to definition build VPS 25031700 or later. No public exploit code has been identified at time of analysis, and CVSS scores this at medium severity (5.5) reflecting local access and required user interaction as meaningful limiting factors.
Heap out-of-bounds write in Gen Digital's shared antivirus scanning engine allows local code execution or denial of service when the engine parses a malformed Windows PE file, affecting Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus across Windows, macOS, and Linux on virus definition builds prior to VPS 25040308. Because the flaw lives in the scanner that typically runs with elevated privileges, successful exploitation can escalate to code execution in a high-privilege security context. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Out-of-bounds heap read in the Avira Antivirus scanning engine triggers when the engine parses a malformed PDF, allowing local code execution or denial-of-service of the antivirus process on Windows, macOS, and Linux engine builds prior to 8.3.70.56. The CVSS 7.8 (High) rating reflects local attack vector with required user interaction (the engine must scan the attacker-supplied file), and no public exploit identified at time of analysis. Because the AV engine typically runs with elevated privileges, successful code execution would inherit those privileges.
Local code execution and denial-of-service in Avira Antivirus engine builds before 8.3.70.68 allow an attacker to compromise the scanning engine by placing a malformed PDF where the engine will scan it on Windows, macOS, or Linux. The flaw is a heap out-of-bounds read (CWE-125) triggered during PDF parsing, and no public exploit identified at time of analysis. CVSS is 7.8 (high) driven by full C/I/A impact on the local host, but exploitation requires user/scanner interaction with the malicious file.
OpenClaw before version 2026.4.24 permits users whose slash command tokens have been explicitly revoked to continue issuing slash commands during the active monitor refresh window, violating the expected access boundary. The flaw stems from a revocation propagation lag: the token invalidation state is not synchronously enforced but instead depends on a periodic monitor cycle, allowing a briefly stale authorization check to pass. No public exploit code and no CISA KEV listing have been identified at time of analysis; real-world impact depends heavily on the duration of the monitor refresh interval and the sensitivity of slash commands exposed by the operator.
Zip-slip path traversal in filebrowser v2.63.5 and earlier (Linux-hosted) allows any authenticated user with Create permission to plant a file whose name contains URL-encoded Windows-style backslash traversal sequences (`%5C`). The Linux server stores the file with a literal backslash in its name, which `filepath.ToSlash()` silently ignores, and the archive download handler emits that name verbatim into zip/tar central directories. When a Windows victim downloads and extracts the archive using Explorer, 7-Zip, WinRAR, or .NET `ZipFile.ExtractToDirectory`, the extractor interprets `\` as a path separator and writes files to arbitrary locations outside the extraction directory - enabling arbitrary file write on the victim's Windows machine. No public exploit identified at time of analysis beyond the full PoC published in the GHSA advisory; EPSS is 0.03% (8th percentile), consistent with the two-party, victim-interaction requirement.
Arbitrary file write in GeoServer's Master Password Dump web page allows an authenticated administrator to write attacker-controlled content to any absolute filesystem path the GeoServer process can write to, including JSP files in a Tomcat webapps directory. Because GeoServer enforces no maximum master password length, an admin can embed malicious JSP code into the master password and dump it to an executable location, escalating to remote code execution on the host. No public exploit identified at time of analysis and the issue is not in CISA KEV.
Local privilege escalation in Remote Control for Zoom Contact Center for Windows prior to version 7.0.0 allows an authenticated user with local access to elevate privileges due to insufficient verification of data authenticity. The flaw, reported by Zoom and tracked in bulletin ZSB-26009, carries a CVSS 3.1 base score of 7.8 (High) with no public exploit identified at time of analysis. Exploitation requires existing local authenticated access, which limits opportunistic abuse but makes this a strong post-compromise pivot on workstations running the Zoom Contact Center remote control component.
Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser allows unauthenticated remote attackers to read up to approximately 4 GiB of heap memory or crash the application by delivering a crafted archive to a Windows user who opens it. Affected versions span 3.0.1000.0 through all releases before 6.0.1698.0, with the vulnerability rooted in an inherited integer overflow flaw in 7-Zip's upstream AvbHandler. No public exploit code or active exploitation has been identified; an EPSS score of 0.05% (15th percentile) confirms negligible current threat activity, and this CVE does not appear in the CISA KEV catalog.
Heap out-of-bounds read in NanaZip's inherited 7-Zip LvmHandler component allows an unauthenticated remote attacker to crash the application or potentially expose heap memory by tricking a user into opening a maliciously crafted LVM2 disk image. All NanaZip installations from version 3.0.1000.0 up to (but not including) 6.0.1698.0 on Windows are vulnerable. No public exploit code or active exploitation has been identified; an EPSS score of 0.04% at the 11th percentile reflects very low real-world exploitation probability.
Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser crashes the application and may leak heap memory contents when a victim opens a crafted .avb or .img file. Affected versions span 3.0.1000.0 through any release before 6.0.1698.0, covering a wide install base of Windows users. No public exploit code exists and EPSS sits at 0.05% (15th percentile), indicating low current exploitation interest, though the deterministic crash behavior lowers the bar for denial-of-service abuse.
Denial of service in Apple's SwiftNIO NIOHTTP1 module (versions <= 2.99.0) allows unauthenticated remote attackers to exhaust server memory or crash processes by submitting HTTP/1 requests containing an unbounded number of small, valid header fields. The HTTPDecoder previously enforced only an 80 KB per-field limit with no cap on cumulative header block size or field count, letting hundreds of thousands of headers accumulate before application code runs. No public exploit identified at time of analysis, but the attack is trivial and impacts any HTTP/1 server or client built on NIOHTTP1, including downstream frameworks like Hummingbird 2 (crashes) and Vapor 4 (memory inflation).
Use after free in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Sandbox escape in Google Chrome on Windows prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the Chromium sandbox via a crafted HTML page abusing the Views UI framework. Chromium rates the severity High, and no public exploit is identified at time of analysis, but sandbox-escape primitives are routinely chained with renderer RCE bugs into full browser compromise on Windows endpoints.
Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Local privilege escalation in Google Chrome on Windows prior to 149.0.7827.115 stems from an inappropriate implementation in the Mojo IPC layer, allowing a local attacker who can place a malicious file on the system to elevate to OS-level privileges. The flaw is rated High severity by Chromium and carries CVSS 8.8, with a vendor patch available and no public exploit identified at time of analysis.
Use after free in Media in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in WebMIDI in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Remote code execution in Google Chrome on Windows prior to 149.0.7827.115 allows remote attackers to trigger a use-after-free condition in the Core component via a crafted HTML page, leading to arbitrary code execution within the renderer process. Chromium rates the severity as Critical, and no public exploit has been identified at time of analysis, but the bug class (UAF in Core) is historically a frequent target for in-the-wild exploitation against Chrome. The vulnerability requires the victim to visit attacker-controlled content (UI:R).
Server-side request forgery in Kolibri (pip/kolibri <= 0.19.3) allows network-reachable attackers to force the Kolibri server to issue outbound HTTP requests to arbitrary internal hosts, cloud metadata endpoints, and internal services, with JSON response bodies reflected directly to the caller. The primary GET endpoint at /api/auth/remotefacilityuser required no authentication whatsoever, making this exploitable by any party with network access to the Kolibri server. A working proof-of-concept was retained internally by the reporting researcher but was not published; no public exploit code exists and CISA KEV listing has not been identified at time of analysis.
Local privilege escalation in Check Point Identity Agent Full for Windows allows an authenticated local user to execute arbitrary code with SYSTEM privileges through improper executable resolution during the log collection process. The flaw is a classic CWE-427 uncontrolled search path issue, and no public exploit has been identified at time of analysis. Exploitation is constrained to attackers who already have a foothold on the endpoint but provides a reliable path to full SYSTEM compromise.
Stored cross-site scripting in Xibo CMS prior to 4.4.2 allows authenticated users with elevated DataSet privileges to chain a Stored XSS with an iframe sandbox escape via the Data Connector functionality, executing script in another user's browser context. Scope-changed impact (S:C) with high confidentiality loss means a low-privileged-but-trusted operator can compromise an admin session viewing the affected dataset content. No public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Privilege escalation in Palo Alto Networks Prisma Access Agent on Linux allows a locally authenticated low-privileged user to execute arbitrary code with elevated privileges, achieving full confidentiality, integrity, and availability compromise of the affected system. The vulnerability is rooted in CWE-732 (Incorrect Permission Assignment for Critical Resource) and is strictly scoped to Linux deployments - the Windows, macOS, iOS, Android, and ChromeOS agent variants are confirmed unaffected by the vendor. No public exploit code has been identified at time of analysis, and the CVSS 4.0 supplemental metric E:U (Exploitation Unlikely) further tempers immediate mass-exploitation risk, though the complete local system impact warrants timely patching for multi-user Linux environments.
Security control bypass in Palo Alto Networks Prisma Access Agent for Linux enables a local, low-privileged attacker to route network traffic outside the VPN tunnel, undermining the core data-in-transit protection the agent is designed to enforce. Only Linux deployments are affected - Windows, macOS, iOS, Android, and ChromeOS are explicitly not impacted. No public exploit code exists at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but the CVSS 4.0 confidentiality impact is rated High due to the exposure of unencrypted traffic to untrusted network paths.
Path traversal via crafted .7z archive in bit7z before v4.0.12 on POSIX platforms allows an attacker-controlled symlink to escape the extraction directory by exactly one level - up to the parent directory. Any archive entries extracted after the malicious symlink is placed will write attacker-controlled files to the parent of the intended output path, carrying the permissions of the extracting process. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV; the vendor-confirmed fix ships in version 4.0.12.
OS command injection in the NodejsFunction local bundling pipeline of aws-cdk-lib prior to 2.245.0 (2.246.0 on Windows) allows an actor controlling bundling property values (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via shell metacharacter injection. The flaw, reported by Amazon and tracked under GHSA-999r-qq7v-r334, affects developer and CI/CD machines synthesizing CDK applications. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Privilege escalation in Lenovo Smart Connect for Windows allows a local authenticated user to bypass authentication checks and execute arbitrary code with elevated privileges. The flaw stems from an authentication bypass weakness (CWE-290) in the Windows client and carries a CVSS 4.0 score of 7.3. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local privilege escalation in Lenovo Accessories and Display Manager for Enterprise on Windows allows an authenticated low-privileged user to execute arbitrary code with elevated privileges, per a Lenovo-disclosed internal finding (LEN-213623). The CVSS 4.0 base score of 8.5 reflects high impact to confidentiality, integrity, and availability of the vulnerable system, though no public exploit identified at time of analysis. The CWE-306 (Missing Authentication for Critical Function) classification combined with the 'Authentication Bypass' tag suggests a privileged operation in the product is reachable without proper access checks.
Information disclosure in nezha 2.x server monitoring dashboard exposes private services marked with `EnableShowInService: false` to unauthenticated network visitors through two API endpoints that bypass the intended visibility filter. Attackers who can reach the API can enumerate hidden service names, IDs, and per-server timing data by iterating over public server IDs or guessing numeric service IDs - both low-cardinality spaces in typical deployments. No public exploit is required to leverage this; a fully functional proof-of-concept using only standard `curl` commands is documented in the GitHub security advisory GHSA-vrmh-5mmx-hjwx, and the fix is available in version 2.0.14.
Papra's webhook delivery system allows any authenticated organisation member to bypass SSRF protections and cause the server to issue HTTP requests to loopback, link-local, and RFC-1918 addresses by exploiting automatic redirect-following in the ofetch HTTP client. The SSRF blocklist is enforced on registered webhook URLs but never applied to 3xx redirect destinations, meaning an attacker-controlled server can return a 302/307 response pointing to any internal address and Papra's server will follow it. A public proof-of-concept is available and exploitation was confirmed against the official Docker image; no CISA KEV listing is present at time of analysis.
Command injection in Ghidra versions before 12.1 on Windows allows attackers to execute arbitrary OS commands under the Ghidra user's privileges when a victim clicks a maliciously crafted URL embedded in a program comment annotation. The flaw stems from improper escaping of cmd.exe metacharacters in URL annotation handling, and exploitation requires user interaction (UI:A). No public exploit identified at time of analysis, though VulnCheck published a dedicated advisory alongside the NSA's GitHub security advisory.
Denial of service in MongoDB Server allows authenticated users to trigger an assertion failure by running aggregation pipelines that use the internal $exchange stage with key-range partitioning and order-preserving delivery. When a single key range fills its consumer buffer, the high watermark is not updated correctly, leading to a reachable assertion (CWE-617) and likely process termination. No public exploit identified at time of analysis.
Denial of service in MongoDB Server occurs when an authenticated user issues a $changeStreams aggregation combined with the internal $_requestReshardingResumeToken option and the exchange option, triggering a reachable invariant that crashes the mongod process. Any logged-in user with low privileges can repeatedly invoke the crash on default deployments, producing service-wide downtime. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the bug is vendor-confirmed via MongoDB Jira SERVER-124190.
Local privilege escalation in Microsoft PC Manager allows an authenticated low-privileged user on Windows to gain higher privileges by abusing symbolic link or junction resolution before file access. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the high CVSS (7.8) reflects full confidentiality, integrity, and availability impact once exploited. Microsoft has issued a fix through its Security Response Center advisory.
Local privilege escalation in Microsoft PC Manager allows an authenticated low-privileged attacker to gain elevated rights on the host by abusing a critical function that lacks proper authentication checks. The flaw (CWE-306) is reported by Microsoft itself with a CVSS 7.8 (AV:L/AC:L/PR:L) and no public exploit identified at time of analysis, but a vendor patch is available via MSRC.
Information disclosure in Microsoft Windows NTLM authentication allows remote unauthenticated attackers to obtain sensitive data and conduct network spoofing attacks against affected Windows 10, Windows 11, and Windows Server installations. The flaw carries a CVSS 7.5 (high) rating due to high confidentiality impact with no privileges or user interaction required, though EPSS exploitation probability is low at 0.08% and no public exploit identified at time of analysis. Microsoft has released patches through MSRC for all affected SKUs.
BitLocker's protection mechanism on Windows fails to enforce a critical authentication or verification step, permitting a physically present attacker to bypass full-disk encryption without credentials, a recovery key, or elevated privileges. Despite a CVSS score of 6.8 (Medium) - moderated by the physical access requirement - the impact ratings are High across confidentiality, integrity, and availability, meaning successful exploitation grants complete access to encrypted data and the underlying system. No public exploit has been identified at time of analysis, and Microsoft has released a patch via the MSRC update guide.
Local privilege escalation in Microsoft PC Manager allows an authenticated low-privileged attacker to bypass a security feature on the affected system, leading to high impact on confidentiality, integrity, and availability. The flaw stems from improper access control (CWE-284) and currently has no public exploit identified at time of analysis. The CVSS 7.8 score reflects local attack vector with low complexity but requires the attacker to already have valid credentials on the target host.
Local privilege escalation in Microsoft Windows Kernel allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free condition (CWE-416). The flaw carries a CVSS 7.8 score with local attack vector and low privileges required, and no public exploit has been identified at time of analysis. Microsoft Security Response Center (MSRC) is the sole referenced authoritative source, indicating this is a vendor-discovered and vendor-tracked issue.
Security feature bypass in Windows Secure Boot enables a local high-privileged attacker to defeat the platform's boot-time integrity protections, achieving high confidentiality and integrity impact across a changed security scope. The flaw stems from a protection mechanism failure (CWE-284, Improper Access Control) that undermines the trust boundary Secure Boot is designed to enforce. At the time of analysis, no public exploit has been identified and the issue is not listed in CISA KEV, but the scope-changed CVSS of 7.9 reflects the severity of subverting a root-of-trust security control.
Security feature bypass in Windows Secure Boot allows a high-privileged local attacker to circumvent the boot integrity protection mechanism, undermining trust in the Windows boot chain. The flaw (CWE-1329, reliance on a component that is not updateable) carries a CVSS 7.9 rating due to scope change and high impact on confidentiality and integrity, and no public exploit has been identified at time of analysis. Successful exploitation could enable pre-OS persistence such as bootkits, defeating a foundational Windows security control.
Secure Boot bypass in Windows allows a local attacker with high privileges to defeat the platform's boot-time integrity protection mechanism, breaking the chain of trust that prevents unauthorized bootloaders and pre-OS code from executing. The flaw (CWE-693, Protection Mechanism Failure) carries a CVSS 7.9 due to scope change and high confidentiality/integrity impact, and no public exploit identified at time of analysis. Successful exploitation undermines a foundational anti-tamper control and can enable persistent pre-OS implants such as bootkits.
Local code execution in Microsoft Windows Media is possible through a heap-based buffer overflow that triggers when a user opens or processes a crafted media file. The flaw (CWE-122) carries a CVSS 7.8 with local attack vector and user interaction required, and no public exploit identified at time of analysis. Successful exploitation yields high impact to confidentiality, integrity, and availability within the user's security context.
Secure Boot bypass in Microsoft Windows allows an authorized local attacker with high privileges to defeat the platform's protection mechanism and tamper with the pre-OS boot chain. The CVSS 7.9 score reflects a scope-changing impact on confidentiality and integrity from a local vector, and no public exploit identified at time of analysis. The single MSRC reference indicates a Microsoft-tracked issue that primarily threatens code-integrity and boot-trust guarantees rather than runtime availability.
Secure Boot bypass in Microsoft Windows allows an authorized local attacker with high privileges to defeat the firmware-level boot integrity protection, breaking the chain of trust intended to prevent unauthorized boot-time code. The CVSS 7.9 rating with scope change (S:C) indicates the bypass affects components beyond the initially compromised context, enabling pre-OS persistence. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Security feature bypass in Microsoft Windows Secure Boot allows a local attacker with high privileges to defeat the platform's boot-time integrity protections, achieving cross-scope confidentiality and integrity impact on the host. The flaw is tracked under CWE-693 (Protection Mechanism Failure) and carries a CVSS 3.1 base score of 7.9 with no public exploit identified at time of analysis. Because the scope is Changed (S:C), successful exploitation lets the attacker influence components outside the originally vulnerable security boundary - typically the trusted boot chain itself.
Out-of-bounds read in the Windows Desktop Window Manager (DWM) Core Library exposes sensitive memory contents to locally authenticated, low-privileged attackers on Windows 11 and Windows Server 2025. The flaw (CWE-125) allows a standard user to read beyond an allocated buffer boundary within the DWM process, resulting in high-confidence information disclosure with no integrity or availability impact. Microsoft has released patches covering all affected build ranges; no public exploit code has been identified at time of analysis.
Local privilege escalation in Windows Narrator Braille component allows an authenticated low-privileged user to gain elevated privileges by exploiting an untrusted search path (CWE-426). The flaw affects the accessibility subsystem on Windows and was reported directly by Microsoft (secure@microsoft.com); no public exploit identified at time of analysis. With CVSS 7.8 and full CIA impact on the local host, successful exploitation grants the attacker code execution at a higher privilege context than they started with.
Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables an authenticated attacker with low-level network access to inject malicious scripts into SharePoint-generated web pages, resulting in spoofing attacks against other users. The vulnerability requires victim interaction to trigger script execution, limiting automated exploitation. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; the CVSS score of 4.6 reflects the constrained impact and authentication prerequisite.
Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables low-privileged authenticated attackers to perform spoofing attacks over a network without requiring user interaction. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-reachable exploitation by any authenticated SharePoint user with no further interaction required from a victim. No public exploit identified at time of analysis and CISA SSVC classifies exploitation status as none, though vendor patches are available for all three affected product lines.
Security feature bypass in Microsoft Windows Boot Manager enables an authorized local attacker with high privileges to defeat a protection mechanism during the boot process, with scope change extending impact beyond the initial security boundary. The flaw carries a CVSS 7.9 rating reflecting high confidentiality and integrity impact, and no public exploit identified at time of analysis. The scope-changed nature suggests the bypass undermines a trust boundary such as Secure Boot or BitLocker pre-boot integrity.
Local code execution in Microsoft Windows Hyper-V stems from an out-of-bounds read condition (CWE-122 heap-based buffer overflow) that an attacker with high privileges on a guest or host context can leverage to break confidentiality, integrity, and availability boundaries. The CVSS 8.2 score is elevated by a scope change (S:C), indicating the flaw enables crossing the hypervisor isolation boundary. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Local privilege escalation in Microsoft Windows Storage allows an authorized low-privilege user to gain higher privileges through an untrusted search path weakness (CWE-426). The flaw requires existing local access and a successful race or environmental manipulation, reflected in the high attack complexity. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote code execution in Microsoft Azure Stack Edge allows unauthenticated attackers to execute arbitrary code over the network by exploiting external control of file name or path (CWE-73). The CVSS 9.8 score reflects network-reachable, unauthenticated exploitation with high impact to confidentiality, integrity, and availability, and no public exploit identified at time of analysis. The vulnerability was reported by Microsoft Security Response Center (secure@microsoft.com) and is tagged as an authentication bypass affecting Azure Stack Edge appliances.
Cross-site scripting in Microsoft SharePoint allows an authenticated network attacker with low privileges to inject malicious script content into web pages, enabling spoofing attacks against other users. All three active SharePoint server product lines - Server 2019, Enterprise Server 2016, and Subscription Edition - are affected across broad version ranges. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis; vendor-released patches are available for all affected product lines.
Cross-site scripting in Microsoft SharePoint allows an authenticated network attacker to inject malicious scripts into SharePoint-generated web pages, enabling spoofing attacks against other authenticated users. Affected products span three active SharePoint server product lines - Enterprise Server 2016, Server 2019, and Subscription Edition - all sharing the 16.0.x codebase, with vendor-released patches now available per MSRC. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Cross-site scripting in Microsoft SharePoint Server enables network-based spoofing attacks by injecting malicious scripts into rendered web pages, requiring victim user interaction to trigger. Three SharePoint server product lines are affected across the 16.0.x code branch, with vendor-released patches available for all. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Cross-site scripting in Microsoft SharePoint allows an authenticated low-privilege network attacker to inject malicious script content into SharePoint pages, enabling spoofing attacks against victim users who render the affected content. Three product lines are affected: SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, all at specific 16.0.x build levels. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.6 Medium score reflects meaningful risk reduction from the dual prerequisites of authenticated access and required victim interaction.
Cross-site scripting in Microsoft SharePoint Server (Subscription Edition, 2019, and 2016) enables an authenticated low-privileged attacker to inject malicious scripts into web pages served to other users, resulting in spoofing over the network. The CVSS vector (PR:L/UI:R/S:U) confirms exploitation requires valid credentials and victim interaction, constraining the attack surface to authenticated SharePoint environments where a user can be induced to visit attacker-controlled content. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables network-based spoofing attacks against authenticated users who interact with attacker-controlled content. The vulnerability stems from insufficient input neutralization during web page generation (CWE-79), allowing injected script to execute in a victim's browser context. No public exploit code has been identified at time of analysis, and a vendor-released patch is available via Microsoft's Security Response Center.
Local code execution in Microsoft Office stems from a type confusion condition (CWE-122 heap-based memory corruption per tags) that allows an unauthorized attacker to run arbitrary code on the host. The CVSS 8.4 vector indicates local attack vector with no privileges or user interaction required, and no public exploit is identified at time of analysis. The flaw was reported by Microsoft's MSRC and disclosed via the official update guide.
Stored or reflected cross-site scripting in Microsoft Office SharePoint allows an authenticated attacker with low privileges to inject malicious script that, after victim interaction, results in spoofing and disclosure or alteration of sensitive content within a victim's browser session. The CVSS 7.3 (AV:N/AC:L/PR:L/UI:R) rating reflects network-reachable exploitation with low complexity but requires both a valid SharePoint account and user interaction. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Spoofing via reflected/stored cross-site scripting in Microsoft Exchange Server allows a remote unauthenticated attacker to execute attacker-controlled script in the context of a victim's authenticated Exchange session after the victim interacts with a crafted link or message. With a CVSS 3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R) and high confidentiality and integrity impact, successful exploitation enables session hijacking, mailbox content disclosure, and message manipulation, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Microsoft Office SharePoint enables an authenticated attacker with low privileges to execute arbitrary code over the network when a victim user is induced to perform an action. The flaw stems from an improper authorization check (CWE-285) that fails to enforce expected access boundaries, yielding full confidentiality, integrity, and availability impact (CVSS 8.0). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local privilege escalation in Microsoft Office Click-To-Run stems from a use-after-free condition (CWE-416) that lets an authorized low-privilege user elevate to higher privileges on the host. The flaw, reported by Microsoft's MSRC, carries a CVSS 7.0 (AV:L/AC:H/PR:L) reflecting that exploitation requires local access, low privileges, and a successful race-window or memory-state condition. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Remote code execution in Microsoft Windows HTTP.sys allows unauthenticated network attackers to execute arbitrary code by triggering an integer overflow that leads to heap-based memory corruption. The flaw carries a CVSS 9.8 rating reflecting network reachability, no privileges, and no user interaction, and impacts the kernel-mode HTTP listener used by IIS and any Windows service relying on the HTTP Server API. No public exploit has been identified at the time of analysis and CISA KEV does not list it, but the wormable profile of HTTP.sys flaws warrants urgent patching.
Remote code execution in Microsoft Windows Kerberos implementation allows an authenticated attacker on an adjacent network segment to trigger an integer overflow and execute arbitrary code. The flaw is rated CVSS 7.1 (High) with high attack complexity and requires low-level privileges, and at the time of analysis there is no public exploit identified. Because Kerberos is a core authentication service in Windows domain environments, successful exploitation has direct implications for domain trust and identity security.
Security feature bypass in Microsoft Windows BitLocker allows an attacker with physical access to circumvent the drive encryption protection mechanism. Affected systems can have BitLocker-protected data accessed despite the encryption-at-rest control being enabled, undermining a core platform confidentiality boundary. There is no public exploit identified at time of analysis, but the vulnerability is reported by Microsoft (secure@microsoft.com) as a protection mechanism failure with high impact across confidentiality, integrity, and availability.
Dell OpenManage Integration with Microsoft Windows Admin Center contains a Remote Code Execution vulnerability in the gateway plugin. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.
Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a more-privileged Python process running from a legacy all-users installation, enabling arbitrary code execution under an elevated context. The root cause is a VPATH-based fallback landmark mechanism compiled into release builds: on Windows, VPATH resolves two directory levels above PCbuild/, placing the Modules/Setup.local landmark outside the install directory in a location writable by unprivileged users under the legacy EXE installer's default all-users path. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, high confidentiality and integrity impact (VC:H/VI:H) reflect the ability to fully substitute Python's module loading path.
Static file disclosure in Hono's serve-static middleware on Windows allows unauthenticated remote attackers to read files protected behind prefix-mounted middleware by submitting a URL-encoded backslash (%5C) in the request path. Hono versions prior to 4.12.25 are affected when deployed on Windows using the Node, Bun, or Deno adapters with an auth or access-control middleware guarding a static subtree. No public exploit or CISA KEV listing has been identified at time of analysis, but the attack primitive is trivially constructable from the public advisory.
Privilege escalation to SYSTEM in Sony Optical Disc Archive Software for Windows 5.5.3 and earlier arises from incorrect default filesystem permissions (CWE-276), enabling a local low-privileged attacker to plant or replace executable content that the software later runs with SYSTEM-level authority. Reported by JPCERT/CC and tracked under JVN#79926428, the vulnerability is classified as local with passive user interaction required (CVSS 4.0 AV:L/UI:P/AT:P), limiting opportunistic mass exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Server-side request forgery in Starlette's StaticFiles on Windows allows unauthenticated remote attackers to coerce the application process into making outbound SMB connections to attacker-controlled hosts, leaking the service account's NTLMv2 hash for offline cracking or NTLM relay. The flaw affects all Starlette versions before 1.1.0 (including downstream frameworks like FastAPI) when running on Windows in the default follow_symlink=False configuration, and no public exploit identified at time of analysis though the GHSA advisory provides full technical detail sufficient to reproduce.
NTLMv2 hash disclosure in the `launch-editor` NPM package (v2.14.0 and earlier) exposes developer credentials on Windows systems when an attacker-controlled UNC path is passed to the package's file-opening HTTP middleware. The attack is achievable by tricking a developer running a local development server such as Vite into visiting an attacker-controlled webpage that issues a cross-origin request to the local `__open-in-editor` endpoint with a crafted `\\attacker-host\share` UNC path, whereupon Windows automatically initiates NTLM authentication without any user prompt, transmitting the victim's NTLMv2 hash to the attacker's SMB server. Publicly available exploit code confirmed via the advisory PoC using Impacket smbserver.py and Responder lowers the barrier significantly; no active exploitation has been confirmed via CISA KEV at time of analysis.
Arbitrary file disclosure in Vite's development server on Windows allows remote unauthenticated attackers to read sensitive files (such as `.env`, `*.pem`, `*.crt`) that are nominally protected by the `server.fs.deny` allowlist. The flaw stems from Windows-specific path-form quirks (NTFS Alternate Data Stream syntax `::$DATA` and 8.3 short filename aliases) that bypass deny-list normalization, and publicly available exploit code exists in the GHSA advisory. Only dev servers explicitly exposed to the network via `--host`/`server.host` are reachable.
ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials. This results in a complete account takeover.
Divide-by-zero crash in GPAC's MP4Box tool allows denial of service when processing a crafted MP4 file containing a malformed Opus audio track header. The function gf_opus_parse_packet_header() in media_tools/av_parsers.c:11479 fails to validate that nb_frames is non-zero before performing arithmetic (max = header->nb_frames - 1), triggering a SIGFPE along the Opus dump path. A public proof-of-concept file is available, and no authentication or special privileges are required - only the ability to supply a crafted file to the tool. No confirmed active exploitation (not in CISA KEV); impact is limited to process crash with no code execution potential identified.
Cross-origin credential disclosure in Avira Password Manager's Firefox extension allows a malicious site embedding the targeted page in an iframe to harvest credentials that the extension autofills into the parent context. The flaw stems from incorrect autofill field selection and affects Windows, macOS, and Linux installations; no public exploit identified at time of analysis but the CVSS 7.4 (S:C/C:H) score reflects the cross-origin trust boundary violation.
Local code execution in Avira Antivirus engine builds prior to 8.3.27.12 on Windows, macOS, and Linux occurs when the scanner parses a malformed POSIX tar archive, triggering a heap out-of-bounds write that can either crash the AV process (DoS) or execute attacker code in the scanner's context. No public exploit identified at time of analysis, but the on-access scanning model means a victim only has to write the malicious tar to disk for the engine to touch it. Reported by GEN (Gen Digital, Avira's parent).
Local code execution in Avira Antivirus engine builds before 8.3.70.104 on Windows, macOS, and Linux allows attackers to trigger a heap buffer out-of-bounds write by having the engine scan a malformed MS-DOS executable. The flaw stems from an integer overflow during parsing and can also crash the antivirus engine process, with no public exploit identified at time of analysis.
Local code execution in Avira Antivirus engine builds before 8.3.70.76 on Windows, macOS, and Linux is triggered when the scanner processes a malformed PDF file, leading to a heap out-of-bounds read that can corrupt the antivirus engine process. CVSS 7.8 reflects the high impact on confidentiality, integrity, and availability, but exploitation requires the victim to expose the engine to the attacker's file. No public exploit identified at time of analysis.
Heap out-of-bounds read in the Avira Antivirus scanning engine on Windows, macOS, and Linux (engine builds before 8.3.70.98) allows a malformed Windows PE file to trigger local code execution or crash the antivirus engine process. Because AV engines typically auto-scan files on access, simply writing or dropping a crafted PE onto disk can reach the vulnerable parser, and no public exploit identified at time of analysis. Exploitation requires the victim's AV to scan the file (UI:R), so realistic delivery is via downloads, email attachments, or removable media rather than fully remote unauthenticated execution.
Stack overflow in Gen Digital's shared antivirus scanning engine crashes the AV process when it parses a malformed Office Open XML (OOXML) file, causing a Denial-of-Service condition. The flaw affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus across Windows, macOS, and Linux - all products that consume the same Gen Digital VPS (virus definition) update stream. No active exploitation or public exploit code has been identified at time of analysis; the impact is limited to availability (AV process crash) with no confidentiality or integrity consequences.
Null pointer dereference in the Avira Antivirus scanning engine crashes the antivirus process when it parses a specially crafted malformed Windows PE file. All platform deployments - Windows, macOS, and Linux - running engine builds prior to 8.3.70.64 are affected, making this a cross-platform availability risk. No public exploit identified at time of analysis and no CISA KEV listing; however, the ease of crafting a malformed PE file as a trigger lowers the practical barrier for targeted disruption of endpoint protection.
Local code execution or denial-of-service in Avira Antivirus engine builds prior to 8.3.70.56 occurs when the scanner parses a malformed Windows MSI installer file, triggering a heap out-of-bounds read. The flaw affects deployments on Windows, macOS, and Linux and requires user interaction to place a crafted MSI where the engine will scan it. No public exploit identified at time of analysis and CVSS scores it 7.8 High.
Local code execution and denial-of-service in Gen Digital antivirus engines (Avast, AVG, Norton, Avast One, Avast Business Antivirus) on Windows, macOS, and Linux stems from a heap out-of-bounds read in the malformed-ZIP/XML scanner across virus definition builds 25020100 through 25021207. An attacker who lures a user into letting the on-access scanner process a crafted archive can crash the antivirus process or potentially execute code in its context. No public exploit identified at time of analysis and the EPSS signal was not provided.
Stack overflow via uncontrolled recursion crashes the antivirus scanning process across all Gen Digital consumer and business products when a crafted malformed PDF is scanned. Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux are all affected through a shared Gen Digital virus definition engine (VPS builds before 25021208). An attacker who can place a specially crafted PDF on a target system - or deliver it via email or download - can force a denial-of-service of the antivirus process; no public exploit has been identified at time of analysis.
Local code execution or antivirus-process denial-of-service in Gen Digital's shared scanning engine (Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux) is triggered when the engine parses a malformed Windows PE file and performs a heap out-of-bounds read. Mitigation ships via the VPS 25021310 virus definition update rather than a product installer, so any consumer of the Gen Digital definition stream at or above that build is no longer exposed. No public exploit identified at time of analysis, but the bug sits inside a high-privilege scanner that auto-processes attacker-controlled files.
Out-of-bounds heap read in the Gen Digital antivirus scanning engine (Avast, AVG, Norton, Avast One, Avast Business) allows a malformed Windows PE file with crafted .NET metadata to crash the AV process or potentially execute code locally on Windows, macOS, and Linux endpoints running virus definitions prior to VPS 25021310. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, but the bug is reachable via on-access scanning, meaning any user who receives a malicious file may trigger it without explicit action. UI:R in the CVSS vector and the local attack vector temper the urgency relative to the 7.8 base score.
Stack use-after-free in the Gen Digital shared antivirus scanning engine crashes the antivirus process when it parses a malformed Windows PE file. Five Gen Digital products share a common virus definition update stream - Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus across Windows, macOS, and Linux - making all simultaneously vulnerable until the shared definition stream reaches build VPS 25022500. No public exploit has been identified at time of analysis; the impact is limited to a Denial-of-Service of the antivirus process with no confidentiality or integrity loss, and the CVSS score of 5.5 reflects the local, user-interaction-dependent nature of the attack.
Uncontrolled recursion in the Gen Digital shared scanning engine crashes the antivirus process when it encounters a specially crafted malformed Windows PE file, causing a Denial-of-Service across five Gen Digital products - Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus - on Windows, macOS, and Linux. The vulnerability resides in the virus definition update stream rather than the product binary itself, meaning all five products sharing the same Gen Digital VPS stream are simultaneously exposed until updated to definition build VPS 25031700 or later. No public exploit code has been identified at time of analysis, and CVSS scores this at medium severity (5.5) reflecting local access and required user interaction as meaningful limiting factors.
Heap out-of-bounds write in Gen Digital's shared antivirus scanning engine allows local code execution or denial of service when the engine parses a malformed Windows PE file, affecting Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus across Windows, macOS, and Linux on virus definition builds prior to VPS 25040308. Because the flaw lives in the scanner that typically runs with elevated privileges, successful exploitation can escalate to code execution in a high-privilege security context. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Out-of-bounds heap read in the Avira Antivirus scanning engine triggers when the engine parses a malformed PDF, allowing local code execution or denial-of-service of the antivirus process on Windows, macOS, and Linux engine builds prior to 8.3.70.56. The CVSS 7.8 (High) rating reflects local attack vector with required user interaction (the engine must scan the attacker-supplied file), and no public exploit identified at time of analysis. Because the AV engine typically runs with elevated privileges, successful code execution would inherit those privileges.
Local code execution and denial-of-service in Avira Antivirus engine builds before 8.3.70.68 allow an attacker to compromise the scanning engine by placing a malformed PDF where the engine will scan it on Windows, macOS, or Linux. The flaw is a heap out-of-bounds read (CWE-125) triggered during PDF parsing, and no public exploit identified at time of analysis. CVSS is 7.8 (high) driven by full C/I/A impact on the local host, but exploitation requires user/scanner interaction with the malicious file.
OpenClaw before version 2026.4.24 permits users whose slash command tokens have been explicitly revoked to continue issuing slash commands during the active monitor refresh window, violating the expected access boundary. The flaw stems from a revocation propagation lag: the token invalidation state is not synchronously enforced but instead depends on a periodic monitor cycle, allowing a briefly stale authorization check to pass. No public exploit code and no CISA KEV listing have been identified at time of analysis; real-world impact depends heavily on the duration of the monitor refresh interval and the sensitivity of slash commands exposed by the operator.
Zip-slip path traversal in filebrowser v2.63.5 and earlier (Linux-hosted) allows any authenticated user with Create permission to plant a file whose name contains URL-encoded Windows-style backslash traversal sequences (`%5C`). The Linux server stores the file with a literal backslash in its name, which `filepath.ToSlash()` silently ignores, and the archive download handler emits that name verbatim into zip/tar central directories. When a Windows victim downloads and extracts the archive using Explorer, 7-Zip, WinRAR, or .NET `ZipFile.ExtractToDirectory`, the extractor interprets `\` as a path separator and writes files to arbitrary locations outside the extraction directory - enabling arbitrary file write on the victim's Windows machine. No public exploit identified at time of analysis beyond the full PoC published in the GHSA advisory; EPSS is 0.03% (8th percentile), consistent with the two-party, victim-interaction requirement.
Arbitrary file write in GeoServer's Master Password Dump web page allows an authenticated administrator to write attacker-controlled content to any absolute filesystem path the GeoServer process can write to, including JSP files in a Tomcat webapps directory. Because GeoServer enforces no maximum master password length, an admin can embed malicious JSP code into the master password and dump it to an executable location, escalating to remote code execution on the host. No public exploit identified at time of analysis and the issue is not in CISA KEV.
Local privilege escalation in Remote Control for Zoom Contact Center for Windows prior to version 7.0.0 allows an authenticated user with local access to elevate privileges due to insufficient verification of data authenticity. The flaw, reported by Zoom and tracked in bulletin ZSB-26009, carries a CVSS 3.1 base score of 7.8 (High) with no public exploit identified at time of analysis. Exploitation requires existing local authenticated access, which limits opportunistic abuse but makes this a strong post-compromise pivot on workstations running the Zoom Contact Center remote control component.
Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser allows unauthenticated remote attackers to read up to approximately 4 GiB of heap memory or crash the application by delivering a crafted archive to a Windows user who opens it. Affected versions span 3.0.1000.0 through all releases before 6.0.1698.0, with the vulnerability rooted in an inherited integer overflow flaw in 7-Zip's upstream AvbHandler. No public exploit code or active exploitation has been identified; an EPSS score of 0.05% (15th percentile) confirms negligible current threat activity, and this CVE does not appear in the CISA KEV catalog.
Heap out-of-bounds read in NanaZip's inherited 7-Zip LvmHandler component allows an unauthenticated remote attacker to crash the application or potentially expose heap memory by tricking a user into opening a maliciously crafted LVM2 disk image. All NanaZip installations from version 3.0.1000.0 up to (but not including) 6.0.1698.0 on Windows are vulnerable. No public exploit code or active exploitation has been identified; an EPSS score of 0.04% at the 11th percentile reflects very low real-world exploitation probability.
Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser crashes the application and may leak heap memory contents when a victim opens a crafted .avb or .img file. Affected versions span 3.0.1000.0 through any release before 6.0.1698.0, covering a wide install base of Windows users. No public exploit code exists and EPSS sits at 0.05% (15th percentile), indicating low current exploitation interest, though the deterministic crash behavior lowers the bar for denial-of-service abuse.
Denial of service in Apple's SwiftNIO NIOHTTP1 module (versions <= 2.99.0) allows unauthenticated remote attackers to exhaust server memory or crash processes by submitting HTTP/1 requests containing an unbounded number of small, valid header fields. The HTTPDecoder previously enforced only an 80 KB per-field limit with no cap on cumulative header block size or field count, letting hundreds of thousands of headers accumulate before application code runs. No public exploit identified at time of analysis, but the attack is trivial and impacts any HTTP/1 server or client built on NIOHTTP1, including downstream frameworks like Hummingbird 2 (crashes) and Vapor 4 (memory inflation).
Use after free in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Sandbox escape in Google Chrome on Windows prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the Chromium sandbox via a crafted HTML page abusing the Views UI framework. Chromium rates the severity High, and no public exploit is identified at time of analysis, but sandbox-escape primitives are routinely chained with renderer RCE bugs into full browser compromise on Windows endpoints.
Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Local privilege escalation in Google Chrome on Windows prior to 149.0.7827.115 stems from an inappropriate implementation in the Mojo IPC layer, allowing a local attacker who can place a malicious file on the system to elevate to OS-level privileges. The flaw is rated High severity by Chromium and carries CVSS 8.8, with a vendor patch available and no public exploit identified at time of analysis.
Use after free in Media in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in WebMIDI in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Remote code execution in Google Chrome on Windows prior to 149.0.7827.115 allows remote attackers to trigger a use-after-free condition in the Core component via a crafted HTML page, leading to arbitrary code execution within the renderer process. Chromium rates the severity as Critical, and no public exploit has been identified at time of analysis, but the bug class (UAF in Core) is historically a frequent target for in-the-wild exploitation against Chrome. The vulnerability requires the victim to visit attacker-controlled content (UI:R).
Server-side request forgery in Kolibri (pip/kolibri <= 0.19.3) allows network-reachable attackers to force the Kolibri server to issue outbound HTTP requests to arbitrary internal hosts, cloud metadata endpoints, and internal services, with JSON response bodies reflected directly to the caller. The primary GET endpoint at /api/auth/remotefacilityuser required no authentication whatsoever, making this exploitable by any party with network access to the Kolibri server. A working proof-of-concept was retained internally by the reporting researcher but was not published; no public exploit code exists and CISA KEV listing has not been identified at time of analysis.
Local privilege escalation in Check Point Identity Agent Full for Windows allows an authenticated local user to execute arbitrary code with SYSTEM privileges through improper executable resolution during the log collection process. The flaw is a classic CWE-427 uncontrolled search path issue, and no public exploit has been identified at time of analysis. Exploitation is constrained to attackers who already have a foothold on the endpoint but provides a reliable path to full SYSTEM compromise.
Stored cross-site scripting in Xibo CMS prior to 4.4.2 allows authenticated users with elevated DataSet privileges to chain a Stored XSS with an iframe sandbox escape via the Data Connector functionality, executing script in another user's browser context. Scope-changed impact (S:C) with high confidentiality loss means a low-privileged-but-trusted operator can compromise an admin session viewing the affected dataset content. No public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Privilege escalation in Palo Alto Networks Prisma Access Agent on Linux allows a locally authenticated low-privileged user to execute arbitrary code with elevated privileges, achieving full confidentiality, integrity, and availability compromise of the affected system. The vulnerability is rooted in CWE-732 (Incorrect Permission Assignment for Critical Resource) and is strictly scoped to Linux deployments - the Windows, macOS, iOS, Android, and ChromeOS agent variants are confirmed unaffected by the vendor. No public exploit code has been identified at time of analysis, and the CVSS 4.0 supplemental metric E:U (Exploitation Unlikely) further tempers immediate mass-exploitation risk, though the complete local system impact warrants timely patching for multi-user Linux environments.
Security control bypass in Palo Alto Networks Prisma Access Agent for Linux enables a local, low-privileged attacker to route network traffic outside the VPN tunnel, undermining the core data-in-transit protection the agent is designed to enforce. Only Linux deployments are affected - Windows, macOS, iOS, Android, and ChromeOS are explicitly not impacted. No public exploit code exists at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but the CVSS 4.0 confidentiality impact is rated High due to the exposure of unencrypted traffic to untrusted network paths.
Path traversal via crafted .7z archive in bit7z before v4.0.12 on POSIX platforms allows an attacker-controlled symlink to escape the extraction directory by exactly one level - up to the parent directory. Any archive entries extracted after the malicious symlink is placed will write attacker-controlled files to the parent of the intended output path, carrying the permissions of the extracting process. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV; the vendor-confirmed fix ships in version 4.0.12.
OS command injection in the NodejsFunction local bundling pipeline of aws-cdk-lib prior to 2.245.0 (2.246.0 on Windows) allows an actor controlling bundling property values (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via shell metacharacter injection. The flaw, reported by Amazon and tracked under GHSA-999r-qq7v-r334, affects developer and CI/CD machines synthesizing CDK applications. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Privilege escalation in Lenovo Smart Connect for Windows allows a local authenticated user to bypass authentication checks and execute arbitrary code with elevated privileges. The flaw stems from an authentication bypass weakness (CWE-290) in the Windows client and carries a CVSS 4.0 score of 7.3. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local privilege escalation in Lenovo Accessories and Display Manager for Enterprise on Windows allows an authenticated low-privileged user to execute arbitrary code with elevated privileges, per a Lenovo-disclosed internal finding (LEN-213623). The CVSS 4.0 base score of 8.5 reflects high impact to confidentiality, integrity, and availability of the vulnerable system, though no public exploit identified at time of analysis. The CWE-306 (Missing Authentication for Critical Function) classification combined with the 'Authentication Bypass' tag suggests a privileged operation in the product is reachable without proper access checks.
Information disclosure in nezha 2.x server monitoring dashboard exposes private services marked with `EnableShowInService: false` to unauthenticated network visitors through two API endpoints that bypass the intended visibility filter. Attackers who can reach the API can enumerate hidden service names, IDs, and per-server timing data by iterating over public server IDs or guessing numeric service IDs - both low-cardinality spaces in typical deployments. No public exploit is required to leverage this; a fully functional proof-of-concept using only standard `curl` commands is documented in the GitHub security advisory GHSA-vrmh-5mmx-hjwx, and the fix is available in version 2.0.14.
Papra's webhook delivery system allows any authenticated organisation member to bypass SSRF protections and cause the server to issue HTTP requests to loopback, link-local, and RFC-1918 addresses by exploiting automatic redirect-following in the ofetch HTTP client. The SSRF blocklist is enforced on registered webhook URLs but never applied to 3xx redirect destinations, meaning an attacker-controlled server can return a 302/307 response pointing to any internal address and Papra's server will follow it. A public proof-of-concept is available and exploitation was confirmed against the official Docker image; no CISA KEV listing is present at time of analysis.
Command injection in Ghidra versions before 12.1 on Windows allows attackers to execute arbitrary OS commands under the Ghidra user's privileges when a victim clicks a maliciously crafted URL embedded in a program comment annotation. The flaw stems from improper escaping of cmd.exe metacharacters in URL annotation handling, and exploitation requires user interaction (UI:A). No public exploit identified at time of analysis, though VulnCheck published a dedicated advisory alongside the NSA's GitHub security advisory.
Denial of service in MongoDB Server allows authenticated users to trigger an assertion failure by running aggregation pipelines that use the internal $exchange stage with key-range partitioning and order-preserving delivery. When a single key range fills its consumer buffer, the high watermark is not updated correctly, leading to a reachable assertion (CWE-617) and likely process termination. No public exploit identified at time of analysis.
Denial of service in MongoDB Server occurs when an authenticated user issues a $changeStreams aggregation combined with the internal $_requestReshardingResumeToken option and the exchange option, triggering a reachable invariant that crashes the mongod process. Any logged-in user with low privileges can repeatedly invoke the crash on default deployments, producing service-wide downtime. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the bug is vendor-confirmed via MongoDB Jira SERVER-124190.
Local privilege escalation in Microsoft PC Manager allows an authenticated low-privileged user on Windows to gain higher privileges by abusing symbolic link or junction resolution before file access. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the high CVSS (7.8) reflects full confidentiality, integrity, and availability impact once exploited. Microsoft has issued a fix through its Security Response Center advisory.
Local privilege escalation in Microsoft PC Manager allows an authenticated low-privileged attacker to gain elevated rights on the host by abusing a critical function that lacks proper authentication checks. The flaw (CWE-306) is reported by Microsoft itself with a CVSS 7.8 (AV:L/AC:L/PR:L) and no public exploit identified at time of analysis, but a vendor patch is available via MSRC.
Information disclosure in Microsoft Windows NTLM authentication allows remote unauthenticated attackers to obtain sensitive data and conduct network spoofing attacks against affected Windows 10, Windows 11, and Windows Server installations. The flaw carries a CVSS 7.5 (high) rating due to high confidentiality impact with no privileges or user interaction required, though EPSS exploitation probability is low at 0.08% and no public exploit identified at time of analysis. Microsoft has released patches through MSRC for all affected SKUs.
BitLocker's protection mechanism on Windows fails to enforce a critical authentication or verification step, permitting a physically present attacker to bypass full-disk encryption without credentials, a recovery key, or elevated privileges. Despite a CVSS score of 6.8 (Medium) - moderated by the physical access requirement - the impact ratings are High across confidentiality, integrity, and availability, meaning successful exploitation grants complete access to encrypted data and the underlying system. No public exploit has been identified at time of analysis, and Microsoft has released a patch via the MSRC update guide.
Local privilege escalation in Microsoft PC Manager allows an authenticated low-privileged attacker to bypass a security feature on the affected system, leading to high impact on confidentiality, integrity, and availability. The flaw stems from improper access control (CWE-284) and currently has no public exploit identified at time of analysis. The CVSS 7.8 score reflects local attack vector with low complexity but requires the attacker to already have valid credentials on the target host.
Local privilege escalation in Microsoft Windows Kernel allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free condition (CWE-416). The flaw carries a CVSS 7.8 score with local attack vector and low privileges required, and no public exploit has been identified at time of analysis. Microsoft Security Response Center (MSRC) is the sole referenced authoritative source, indicating this is a vendor-discovered and vendor-tracked issue.
Security feature bypass in Windows Secure Boot enables a local high-privileged attacker to defeat the platform's boot-time integrity protections, achieving high confidentiality and integrity impact across a changed security scope. The flaw stems from a protection mechanism failure (CWE-284, Improper Access Control) that undermines the trust boundary Secure Boot is designed to enforce. At the time of analysis, no public exploit has been identified and the issue is not listed in CISA KEV, but the scope-changed CVSS of 7.9 reflects the severity of subverting a root-of-trust security control.
Security feature bypass in Windows Secure Boot allows a high-privileged local attacker to circumvent the boot integrity protection mechanism, undermining trust in the Windows boot chain. The flaw (CWE-1329, reliance on a component that is not updateable) carries a CVSS 7.9 rating due to scope change and high impact on confidentiality and integrity, and no public exploit has been identified at time of analysis. Successful exploitation could enable pre-OS persistence such as bootkits, defeating a foundational Windows security control.
Secure Boot bypass in Windows allows a local attacker with high privileges to defeat the platform's boot-time integrity protection mechanism, breaking the chain of trust that prevents unauthorized bootloaders and pre-OS code from executing. The flaw (CWE-693, Protection Mechanism Failure) carries a CVSS 7.9 due to scope change and high confidentiality/integrity impact, and no public exploit identified at time of analysis. Successful exploitation undermines a foundational anti-tamper control and can enable persistent pre-OS implants such as bootkits.
Local code execution in Microsoft Windows Media is possible through a heap-based buffer overflow that triggers when a user opens or processes a crafted media file. The flaw (CWE-122) carries a CVSS 7.8 with local attack vector and user interaction required, and no public exploit identified at time of analysis. Successful exploitation yields high impact to confidentiality, integrity, and availability within the user's security context.
Secure Boot bypass in Microsoft Windows allows an authorized local attacker with high privileges to defeat the platform's protection mechanism and tamper with the pre-OS boot chain. The CVSS 7.9 score reflects a scope-changing impact on confidentiality and integrity from a local vector, and no public exploit identified at time of analysis. The single MSRC reference indicates a Microsoft-tracked issue that primarily threatens code-integrity and boot-trust guarantees rather than runtime availability.
Secure Boot bypass in Microsoft Windows allows an authorized local attacker with high privileges to defeat the firmware-level boot integrity protection, breaking the chain of trust intended to prevent unauthorized boot-time code. The CVSS 7.9 rating with scope change (S:C) indicates the bypass affects components beyond the initially compromised context, enabling pre-OS persistence. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Security feature bypass in Microsoft Windows Secure Boot allows a local attacker with high privileges to defeat the platform's boot-time integrity protections, achieving cross-scope confidentiality and integrity impact on the host. The flaw is tracked under CWE-693 (Protection Mechanism Failure) and carries a CVSS 3.1 base score of 7.9 with no public exploit identified at time of analysis. Because the scope is Changed (S:C), successful exploitation lets the attacker influence components outside the originally vulnerable security boundary - typically the trusted boot chain itself.
Out-of-bounds read in the Windows Desktop Window Manager (DWM) Core Library exposes sensitive memory contents to locally authenticated, low-privileged attackers on Windows 11 and Windows Server 2025. The flaw (CWE-125) allows a standard user to read beyond an allocated buffer boundary within the DWM process, resulting in high-confidence information disclosure with no integrity or availability impact. Microsoft has released patches covering all affected build ranges; no public exploit code has been identified at time of analysis.
Local privilege escalation in Windows Narrator Braille component allows an authenticated low-privileged user to gain elevated privileges by exploiting an untrusted search path (CWE-426). The flaw affects the accessibility subsystem on Windows and was reported directly by Microsoft (secure@microsoft.com); no public exploit identified at time of analysis. With CVSS 7.8 and full CIA impact on the local host, successful exploitation grants the attacker code execution at a higher privilege context than they started with.
Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables an authenticated attacker with low-level network access to inject malicious scripts into SharePoint-generated web pages, resulting in spoofing attacks against other users. The vulnerability requires victim interaction to trigger script execution, limiting automated exploitation. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; the CVSS score of 4.6 reflects the constrained impact and authentication prerequisite.
Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables low-privileged authenticated attackers to perform spoofing attacks over a network without requiring user interaction. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms network-reachable exploitation by any authenticated SharePoint user with no further interaction required from a victim. No public exploit identified at time of analysis and CISA SSVC classifies exploitation status as none, though vendor patches are available for all three affected product lines.
Security feature bypass in Microsoft Windows Boot Manager enables an authorized local attacker with high privileges to defeat a protection mechanism during the boot process, with scope change extending impact beyond the initial security boundary. The flaw carries a CVSS 7.9 rating reflecting high confidentiality and integrity impact, and no public exploit identified at time of analysis. The scope-changed nature suggests the bypass undermines a trust boundary such as Secure Boot or BitLocker pre-boot integrity.
Local code execution in Microsoft Windows Hyper-V stems from an out-of-bounds read condition (CWE-122 heap-based buffer overflow) that an attacker with high privileges on a guest or host context can leverage to break confidentiality, integrity, and availability boundaries. The CVSS 8.2 score is elevated by a scope change (S:C), indicating the flaw enables crossing the hypervisor isolation boundary. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Local privilege escalation in Microsoft Windows Storage allows an authorized low-privilege user to gain higher privileges through an untrusted search path weakness (CWE-426). The flaw requires existing local access and a successful race or environmental manipulation, reflected in the high attack complexity. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote code execution in Microsoft Azure Stack Edge allows unauthenticated attackers to execute arbitrary code over the network by exploiting external control of file name or path (CWE-73). The CVSS 9.8 score reflects network-reachable, unauthenticated exploitation with high impact to confidentiality, integrity, and availability, and no public exploit identified at time of analysis. The vulnerability was reported by Microsoft Security Response Center (secure@microsoft.com) and is tagged as an authentication bypass affecting Azure Stack Edge appliances.
Cross-site scripting in Microsoft SharePoint allows an authenticated network attacker with low privileges to inject malicious script content into web pages, enabling spoofing attacks against other users. All three active SharePoint server product lines - Server 2019, Enterprise Server 2016, and Subscription Edition - are affected across broad version ranges. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis; vendor-released patches are available for all affected product lines.
Cross-site scripting in Microsoft SharePoint allows an authenticated network attacker to inject malicious scripts into SharePoint-generated web pages, enabling spoofing attacks against other authenticated users. Affected products span three active SharePoint server product lines - Enterprise Server 2016, Server 2019, and Subscription Edition - all sharing the 16.0.x codebase, with vendor-released patches now available per MSRC. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Cross-site scripting in Microsoft SharePoint Server enables network-based spoofing attacks by injecting malicious scripts into rendered web pages, requiring victim user interaction to trigger. Three SharePoint server product lines are affected across the 16.0.x code branch, with vendor-released patches available for all. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Cross-site scripting in Microsoft SharePoint allows an authenticated low-privilege network attacker to inject malicious script content into SharePoint pages, enabling spoofing attacks against victim users who render the affected content. Three product lines are affected: SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, all at specific 16.0.x build levels. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.6 Medium score reflects meaningful risk reduction from the dual prerequisites of authenticated access and required victim interaction.
Cross-site scripting in Microsoft SharePoint Server (Subscription Edition, 2019, and 2016) enables an authenticated low-privileged attacker to inject malicious scripts into web pages served to other users, resulting in spoofing over the network. The CVSS vector (PR:L/UI:R/S:U) confirms exploitation requires valid credentials and victim interaction, constraining the attack surface to authenticated SharePoint environments where a user can be induced to visit attacker-controlled content. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Cross-site scripting in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables network-based spoofing attacks against authenticated users who interact with attacker-controlled content. The vulnerability stems from insufficient input neutralization during web page generation (CWE-79), allowing injected script to execute in a victim's browser context. No public exploit code has been identified at time of analysis, and a vendor-released patch is available via Microsoft's Security Response Center.
Local code execution in Microsoft Office stems from a type confusion condition (CWE-122 heap-based memory corruption per tags) that allows an unauthorized attacker to run arbitrary code on the host. The CVSS 8.4 vector indicates local attack vector with no privileges or user interaction required, and no public exploit is identified at time of analysis. The flaw was reported by Microsoft's MSRC and disclosed via the official update guide.
Stored or reflected cross-site scripting in Microsoft Office SharePoint allows an authenticated attacker with low privileges to inject malicious script that, after victim interaction, results in spoofing and disclosure or alteration of sensitive content within a victim's browser session. The CVSS 7.3 (AV:N/AC:L/PR:L/UI:R) rating reflects network-reachable exploitation with low complexity but requires both a valid SharePoint account and user interaction. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Spoofing via reflected/stored cross-site scripting in Microsoft Exchange Server allows a remote unauthenticated attacker to execute attacker-controlled script in the context of a victim's authenticated Exchange session after the victim interacts with a crafted link or message. With a CVSS 3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R) and high confidentiality and integrity impact, successful exploitation enables session hijacking, mailbox content disclosure, and message manipulation, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Microsoft Office SharePoint enables an authenticated attacker with low privileges to execute arbitrary code over the network when a victim user is induced to perform an action. The flaw stems from an improper authorization check (CWE-285) that fails to enforce expected access boundaries, yielding full confidentiality, integrity, and availability impact (CVSS 8.0). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local privilege escalation in Microsoft Office Click-To-Run stems from a use-after-free condition (CWE-416) that lets an authorized low-privilege user elevate to higher privileges on the host. The flaw, reported by Microsoft's MSRC, carries a CVSS 7.0 (AV:L/AC:H/PR:L) reflecting that exploitation requires local access, low privileges, and a successful race-window or memory-state condition. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Remote code execution in Microsoft Windows HTTP.sys allows unauthenticated network attackers to execute arbitrary code by triggering an integer overflow that leads to heap-based memory corruption. The flaw carries a CVSS 9.8 rating reflecting network reachability, no privileges, and no user interaction, and impacts the kernel-mode HTTP listener used by IIS and any Windows service relying on the HTTP Server API. No public exploit has been identified at the time of analysis and CISA KEV does not list it, but the wormable profile of HTTP.sys flaws warrants urgent patching.
Remote code execution in Microsoft Windows Kerberos implementation allows an authenticated attacker on an adjacent network segment to trigger an integer overflow and execute arbitrary code. The flaw is rated CVSS 7.1 (High) with high attack complexity and requires low-level privileges, and at the time of analysis there is no public exploit identified. Because Kerberos is a core authentication service in Windows domain environments, successful exploitation has direct implications for domain trust and identity security.
Security feature bypass in Microsoft Windows BitLocker allows an attacker with physical access to circumvent the drive encryption protection mechanism. Affected systems can have BitLocker-protected data accessed despite the encryption-at-rest control being enabled, undermining a core platform confidentiality boundary. There is no public exploit identified at time of analysis, but the vulnerability is reported by Microsoft (secure@microsoft.com) as a protection mechanism failure with high impact across confidentiality, integrity, and availability.