Microsoft
Monthly
Notepad++ versions prior to 8.9.6.1 can be crashed by any local process sharing the same interactive Windows session via a malformed WM_COPYDATA message. The COPYDATA_FULL_CMDLINE handler in NppBigSwitch.cpp dereferences COPYDATASTRUCT.lpData as an unbounded NUL-terminated wchar_t* without validating against the COPYDATASTRUCT.cbData length field, enabling an out-of-bounds read that results in process termination. No active exploitation has been confirmed (no CISA KEV listing, no public POC), and the fix is available in the vendor-released patch 8.9.6.1.
Cleartext credential disclosure in OpenProject's Storages module (versions prior to 17.3.3 and 17.4.1) writes the userless OneDrive/SharePoint OAuth access_token in plaintext to Rails.cache under the deterministic key storage.<id>.httpx_access_token, refreshed by an hourly cron and every userless-OAuth call. Because none of the supported cache backends (file_store, memcache, redis) encrypts at rest, an attacker who can read the cache backend retrieves the Azure-AD application-tier bearer token via an anonymous memcached/Redis get. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Use-after-free in Envoy's HTTP OAuth2 filter (envoy.filters.http.oauth2) across versions 1.37.0-1.37.4 and 1.38.0-1.38.2 enables unauthenticated remote attackers to crash Envoy worker threads by racing a connection teardown against an in-flight async token exchange. When a downstream client disconnects while the filter is awaiting an async OAuth2 token response, the late AsyncClient callback invokes StreamDecoderFilterCallbacks on an already-freed object, producing undefined behavior and worker crashes. The reporter explicitly disclaims RCE - confirmed impact is availability loss (DoS); allocator-dependent memory corruption effects beyond crash are theoretically possible but not demonstrated. No public exploit or CISA KEV listing identified at time of analysis.
The OAuth2 HTTP filter in Envoy Proxy prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 implements AES-256-CBC encryption for the PKCE CodeVerifier cookie without any authentication tag, creating a classic padding oracle through differential HTTP responses on the /callback endpoint. An attacker who obtains the victim's encrypted CodeVerifier cookie and a stolen authorization code can recover the plaintext PKCE code_verifier in approximately 6,200 crafted requests (~100 seconds), then complete the OAuth token exchange to hijack the victim's access token. No public exploit code or CISA KEV listing has been identified at time of analysis; vendor-confirmed patches are available in all four current release branches.
Local privilege escalation in NEC's ExpressUpdate Agent for Windows allows a low-privileged user who can already access the host to execute arbitrary code with SYSTEM privileges, owing to insufficient access controls on the agent. Reported by NEC under advisory NV26-004, the flaw carries a CVSS 4.0 base score of 8.5 (High) and maps to CWE-782 (exposed IOCTL with insufficient access control). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Server-side request forgery in ToolJet's RestAPI data source (versions prior to 3.20.178-lts) allows a low-privileged platform user to reach internal network endpoints because the private-IP filter validates only the hostname string rather than the resolved IP. By supplying a DNS name such as 169.254.169.254.nip.io, an attacker bypasses the filter and forces the server to query the Azure IMDS link-local endpoint, enabling theft of managed-identity tokens for the backing AKS production cluster. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the cloud-credential impact makes it a high-value SSRF.
Credential interception in HYPR Passwordless on Windows (all versions before 11.1.1) is possible due to a missing authentication check on a critical internal function (CWE-306), allowing a low-privileged local attacker to capture authentication material during an active user session. The CVSS 4.0 vector's SC:H metric confirms the intercepted credentials are usable against downstream systems that HYPR protects, elevating the downstream blast radius beyond the compromised endpoint. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Local privilege escalation to code execution affects Dell Display and Peripheral Manager (DDPM) for Windows in all versions prior to 2.3, where an Improper Access Control flaw (CWE-284) lets a low-privileged local user execute arbitrary code in a higher-privileged context. The CVSS 3.1 base score is 7.8 (High), reflecting full confidentiality, integrity, and availability impact from a local, low-privilege starting point with no user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Session-destruction denial of service in Rocket.Chat's SAML single logout allows an unauthenticated remote attacker to forcibly log out any SAML-authenticated user by submitting a forged, unsigned LogoutRequest to the SP logout endpoint. Because the integration never validates the SAML signature, an attacker who knows only a victim's NameID - typically their email address, as exposed by Okta, Google Workspace, Microsoft Entra ID, and JumpCloud - can repeatedly destroy sessions and script the attack across many accounts to render the instance unusable. No public exploit identified at time of analysis; the CVSS 4.0 base score is 8.7 (availability-only impact), and fixes are available across all maintained release branches.
Remote code execution in Google Chrome on Windows prior to 149.0.7827.197 stems from a use-after-free condition in the Autofill component, letting a remote attacker run arbitrary code in the renderer when a victim opens a malicious web page. Chromium rates the flaw Critical and CVSS 8.8 reflects high impact across confidentiality, integrity, and availability, tempered by the requirement that the user load attacker-controlled content. There is no public exploit identified at time of analysis, and SSVC records exploitation status as none, but the 'total' technical impact makes prompt patching important.
OS command injection in Warp (the agentic terminal/development environment) affects builds from 0.2024.03.12.08.02.stable_01 up to the fix in 0.2026.05.06.15.42.stable_01 when running under Windows Subsystem for Linux. When wslview cannot open a URL, Warp falls back to a Windows command processor (cmd.exe /c start), so a malicious URL emitted into terminal output executes attacker-controlled Windows commands once the user clicks the link. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the fix commit clearly documents the injection path.
Path traversal in AnythingLLM's document folder listing endpoint on Windows allows authenticated low-privilege users to enumerate directories outside the intended documents directory. The root cause is a platform-specific gap in the shared path containment helper: it correctly rejects POSIX-style '../' sequences but fails to reject Windows-style parent path segments produced by Node.js path.relative(), such as bare '..'. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, consistent with the Medium CVSS score of 4.3 and the authentication requirement.
Stack buffer overflow in OpenColorIO's .spi3d LUT parser allows a crafted color-lookup file to corrupt memory in any application that loads it. The flaw in FileFormatSpi3D.cpp reads attacker-controlled data from a 4096-byte line into 64-byte stack buffers via unbounded sscanf %s, permitting an overflow of roughly 4000 bytes on non-Windows platforms. It affects all OCIO 1.x and 2.x releases prior to 2.5.2 and, while no public exploit has been identified, the same unsafe pattern was found across the .spi3d, .spi1d, .cube, and .lut parsers.
LDAP injection in Jenkins Active Directory Plugin 2.41.1 and earlier allows unauthenticated remote attackers to enumerate Active Directory entries and authenticate as any directory user they can identify via wildcard matching, provided they already know that user's password. The vulnerability is confined to the Windows native ADSI authentication path, limiting exposure to Jenkins instances running on Windows with ADSI configured. No public exploit code or active exploitation has been identified; SSVC rates it non-automatable with partial technical impact.
SQL injection in n8n's MySQL, PostgreSQL, and Microsoft SQL database integration nodes (all versions before 2.4.0) allows authenticated users with workflow creation permissions to execute arbitrary SQL commands against connected databases by supplying crafted identifier values - table or column names - in node configuration parameters. The nodes failed to escape SQL identifiers when constructing queries, bypassing the safety guarantees users expected from parameterized inputs and enabling injection that directly impacts downstream database confidentiality and integrity. Reported by the NATO Cyber Security Centre; vendor-released patch is confirmed in n8n 2.4.0, with no public exploit code or CISA KEV listing identified at time of analysis.
Unauthenticated OAuth secret disclosure in FlowiseAI Flowise versions 3.0.13 and earlier allows remote attackers to harvest cleartext SSO client secrets for Google, Microsoft/Azure, GitHub, and Auth0 by sending a single GET request to /api/v1/loginmethod with a guessable organizationId. Affects both FlowiseAI Cloud and self-hosted deployments where the endpoint is reachable; publicly available exploit code exists (vendor GHSA includes a complete request/response PoC), and the leaked credentials enable downstream identity-provider compromise.
Log injection in upKeeper Instant Privilege Access through 1.6.1 on Windows allows remote unauthenticated attackers to forge, tamper with, or inject crafted entries into application logs by smuggling unneutralized control characters through logged inputs. The flaw (CWE-117) does not directly compromise the upKeeper agent itself but produces high integrity, confidentiality, and availability impact on subsequent log-consuming systems (SIEM, audit pipelines). No public exploit identified at time of analysis and the CVE is not present in CISA KEV.
Credential exposure in the Ansible keyring_info module (plugins/modules/keyring_info.py) causes master passwords, SSH key passphrases, and service credentials retrieved from OS-native keystores to be emitted as plaintext in task output, registered variables, and persistent log backends. Any local user with access to Ansible playbook output - including AWX/Tower job logs, Redis or JSON fact caches, and debug task output - can read credentials in full. A proof-of-concept demonstrating plaintext passphrase capture from Ansible output exists, though no confirmed active exploitation (CISA KEV) has been observed. Affected deployments span RHEL 8, 9, and 10 per Red Hat CPE data.
Path traversal in the mise HTTP backend allows a repository-controlled `.tool-versions` file to direct `mise install` to create symlinks at arbitrary filesystem locations outside the designated mise installs root on Unix-like systems. Affecting mise up to version 2026.5.16, a developer or CI system that runs `mise install` against a malicious project can have executable symlinks silently placed under attacker-chosen `PATH` directories, enabling replacement of trusted commands with attacker-controlled HTTP content. No public exploit identified at time of analysis beyond the detailed proof-of-concept published in GitHub Security Advisory GHSA-f94h-j2qg-fxw3, and no CISA KEV listing confirms active in-the-wild exploitation.
Authenticated arbitrary file write in Gogs (self-hosted Git service) versions below 0.14.3 on Linux/macOS lets a user with repository write access escape the working tree and overwrite any file the gogs UID can touch, escalating to remote code execution. The flaw stems from `UploadRepoFiles` validating symlinks only on the leaf path while sibling functions correctly walk every component; combined with a crafted multipart filename containing a literal backslash, the write is redirected through a previously committed directory symlink to targets like `~git/.ssh/authorized_keys` or `<repo>.git/hooks/post-receive`. No CISA KEV listing and no EPSS provided, but a detailed, tested proof-of-concept is published in the vendor advisory, so publicly available exploit code exists.
Remote code execution in Gogs through 0.14.2 allows authenticated users (and unauthenticated attackers on default-configured instances with open registration) to execute arbitrary commands as the Gogs server process by crafting a pull request whose base branch name injects a `--exec` flag into the underlying `git rebase` invocation. A working Python proof-of-concept exists and has been validated end-to-end against Docker, Linux binary, and Windows installations, yielding shell access as the `git` user. No CISA KEV listing or EPSS data is provided, so this is treated as publicly available exploit code rather than confirmed active exploitation.
Client-side Denial of Service in OpenSSH's Diffie-Hellman Group Exchange implementation allows a malicious SSH server to crash connecting clients running in FIPS mode. When a victim initiates an SSH connection to an attacker-controlled server, the server sends crafted DH-GEX group parameters that trigger a double free (CWE-415) during FIPS known-group validation, terminating the client process. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the constraint that only FIPS-mode clients are affected limits real-world impact to regulated or government environments.
CSV formula injection in @actual-app/cli versions prior to 26.6.0 allows an attacker who can write user-controlled strings into an Actual Budget database to execute arbitrary spreadsheet formulas when the victim exports data using the --format csv flag and opens the resulting file in Excel, LibreOffice Calc, or Google Sheets. The vulnerable `escapeCsv` helper in `packages/cli/src/output.ts` neutralizes only RFC 4180 delimiters and quotes but does not strip formula-trigger prefixes (=, +, -, @, tab, CR), meaning payloads in payee names, account names, categories, notes, or tags survive into the CSV output unchanged. A publicly available proof-of-concept is included in the GHSA-7gh7-258j-4mpq advisory; no CISA KEV listing exists at time of analysis.
Memory exhaustion denial of service in Gophish through 0.12.1 allows authenticated low-privilege users to crash the phishing-campaign server by uploading a zip-bomb Office document as an email template attachment. Publicly available exploit code exists, demonstrating that any account with the User role can trigger an OOM kill of the Gophish process and disrupt ongoing campaigns. No CISA KEV listing is present, but the trivial complexity and available POC make opportunistic abuse realistic against multi-tenant or shared Gophish deployments.
Arbitrary file read in WebP Server Go through 0.14.4 on Windows deployments allows unauthenticated remote attackers to retrieve files outside the configured IMG_PATH by sending HTTP requests containing percent-encoded backslashes (%5C), bypassing the path.Clean() sanitization in handler/router.go. The flaw is platform-specific to Windows hosts because Go normalizes only forward slashes while the Windows file API treats backslashes equivalently; no public exploit identified at time of analysis, though VulnCheck has published an advisory and an upstream fix is merged in 0.15.0.
Authentication bypass in IBM Storage Protect Client and IBM Storage Protect Snapshot for Windows (versions 8.1.0.0 through 8.2.1.0) allows remote unauthenticated attackers to impersonate legitimate clients via hardcoded credentials embedded in the FlashCopy Manager (FCM) authentication mechanism. The flaw, classified as CWE-798 with a CVSS 9.1 critical rating, enables attackers to establish trusted sessions and access protected backup services. There is no public exploit identified at time of analysis, and EPSS rates real-world exploitation probability at 0.33% (24th percentile), but IBM has released a vendor advisory and patch.
Credential theft in Red Hat OpenShift Container Platform's Windows Machine Config Operator (WMCO) allows adjacent-network attackers to intercept SSH sessions to Windows worker nodes and steal WICD and kubelet bootstrap credentials. WMCO fails to verify the remote SSH host key when configuring Windows nodes, enabling a man-in-the-middle attacker positioned on the cluster network to capture credentials sufficient to assume Windows node identities. No public exploit identified at time of analysis, and the issue is not in CISA KEV.
Privilege escalation in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform allows a compromised Windows worker node holding WICD credentials to obtain a cluster-administrator client certificate. The WICD CSR auto-approver checks for the system:wicd-nodes organization but fails to reject additional organization values such as system:masters, enabling full cluster takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijacking, session fixation, CSRF/replay against the OAuth callback, plaintext credential exposure over non-HTTPS redirect URIs, and log injection. The plugin reused the PHP session_id() as the OAuth state parameter, never rotated the session ID after login, did not enforce HTTPS on the redirect URI, and logged attacker-controlled GET parameters verbatim. No public exploit identified at time of analysis, but an upstream fix is available in MISP commit 146bc40.
Local privilege escalation to SYSTEM in the PaperCut Print Deploy Client for Windows allows a low-privileged user to hijack execution flow of pc-printer-updater.exe by planting a malicious binary in a directory on the Windows search path. The flaw is a classic uncontrolled search path element (CWE-427) in a SYSTEM-level helper, and no public exploit identified at time of analysis. CVSS 4.0 base score is 7.3 reflecting local vector with attack requirements and user interaction.
Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user with page-edit rights to inject arbitrary JavaScript into the data-mw-iframeconfig attribute by supplying a malformed URL or ID containing single quotes for the archiveorg, wistia, or sharepoint services. The flaw is present under the default $wgEmbedVideoRequireConsent=true configuration and executes in the wiki origin for every visitor that loads the affected page, with publicly available exploit code exists in the GHSA advisory.
Unauthenticated denial-of-service in Langflow versions prior to 1.0.19 allows remote attackers to render the application unusable for all users indefinitely by sending a single crafted POST to /api/v1/files/upload/ with a malformed multipart boundary containing a very large run of hyphens. The upload endpoint processes the multipart body before performing authentication or flow-ID validation, so no token, cookie, or valid flow UUID is required. A public proof-of-concept is included in the GitHub Security Advisory GHSA-qwqc-p3q8-wcg9, though there is no public exploit identified beyond the PoC at time of analysis and the issue is not listed in CISA KEV.
Privilege escalation in Microsoft Azure Synapse (the cloud analytics service) allows an already-authorized, low-privileged attacker to elevate their privileges over the network, gaining high confidentiality, integrity, and availability impact (CVSS 8.8). The root cause is a component executing with unnecessary privileges (CWE-250), letting a tenant or workspace user with limited rights break out to a higher trust level. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.50%), with CISA SSVC marking exploitation status as 'none.'
Privilege escalation in Microsoft Exchange Online allows an authenticated remote attacker to elevate privileges across a tenant or organizational boundary due to missing authorization checks. The flaw carries a CVSS 3.1 score of 9.6 with scope change, indicating impact beyond the initially authorized security context, though no public exploit identified at time of analysis. As a cloud-hosted service, mitigation is largely Microsoft-managed rather than a customer-applied patch.
Privilege elevation in Microsoft 365 Copilot's Business Chat is possible when an attacker abuses an open redirect (CWE-601) to coerce a victim into following a crafted link that lands on an attacker-controlled site. With a CVSS 3.1 base score of 8.8 and high impact across confidentiality, integrity, and availability, successful exploitation lets an unauthorized remote attacker elevate privileges over the network after user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Privilege escalation in Microsoft Azure Active Directory allows unauthenticated remote attackers to bypass authentication controls and gain elevated access across tenant boundaries. With a maximum CVSS score of 10.0 and a scope-changing impact, successful exploitation could compromise identity, access, and resources federated through Azure AD. No public exploit identified at time of analysis, but the trivial attack complexity and network-reachable vector make this a top-priority issue for any organization relying on Azure AD for identity.
Command injection in Microsoft 365 Copilot lets a remote, unauthenticated attacker tamper with data and integrity over the network by injecting unneutralized special elements into a command (CWE-77). The flaw carries a CVSS 7.5 driven entirely by high integrity impact, with no confidentiality or availability loss. There is no public exploit identified at time of analysis, EPSS estimates only a 0.39% 30-day exploitation probability, and CISA's SSVC scores exploitation as none - but a vendor patch is available.
Cross-site scripting in Microsoft Edge (Chromium-based) allows an authenticated remote attacker to perform spoofing attacks against users over a network. The flaw stems from improper neutralization of input during web page generation (CWE-79), and while CVSS rates impact as high across confidentiality, integrity, and availability, no public exploit identified at time of analysis.
Incomplete SSRF remediation in mailpit v1.29.2 through v1.30.1 leaves the Link Check API bypassable via IPv6 transition mechanism literals (6to4, NAT64, IPv4-compatible IPv6, ISATAP, Teredo) and unclassified IPv6 prefixes (fec0::/10, 2001:db8::/32) that Go's stdlib Is* classification helpers silently pass. An unauthenticated network attacker who can deliver email to mailpit's SMTP listener and invoke the Link Check API can coerce the application into dialing internal IPv4 destinations - including cloud metadata endpoints at 169.254.169.254 - by encoding the target as an IPv6 literal that returns false for all seven predicates in IsInternalIP, bypassing the guard introduced for CVE-2026-27808. Publicly available exploit code exists in the form of a reproducible unit test and end-to-end proof-of-concept published in the advisory; this is the same deny-list bypass class confirmed in CVE-2026-44430 (MCP Registry) and CVE-2026-45741 (Gotenberg).
Open redirect bypass in Miniflux v2 (versions <= 2.3.0) enables unauthenticated remote attackers to redirect victims to arbitrary external URLs by exploiting a backslash normalization discrepancy between server-side URL validation and browser behavior. The self-hosted RSS reader's login handler accepts a redirect_url parameter validated by an IsRelativePath function that blocks // prefixes but permits /\attacker.com - a string that all major browsers (Chrome, Firefox, Safari, Edge, as indicated by advisory tags) silently normalize to //attacker.com during HTTP Location header processing. A publicly documented proof-of-concept is available via GHSA-m999-j542-5w3r; no active exploitation has been confirmed in CISA KEV at time of analysis.
Path traversal in Allure Report's built-in HTTP server (allure-commandline <= 2.38.1) allows any client that can reach the server port to read arbitrary files accessible to the Allure process. The vulnerability exists in Commands.setUpServer() where request URI paths are resolved against the report directory without normalization or containment checks, and Java's URI.getPath() additionally percent-decodes sequences like %2e%2e to .., bypassing client-side normalization. A proof-of-concept is publicly available via the GitHub Security Advisory GHSA-82cg-3hv7-74gc; no CISA KEV listing has been confirmed at time of analysis, though real-world risk is materially elevated in CI/CD environments where --host 0.0.0.0 is commonly used.
Code injection in @tinacms/cli versions prior to 2.4.3 allows an attacker who controls a Forestry-style project to achieve remote code execution on a developer's workstation when the `tinacms init` Forestry migration runs and the developer subsequently executes `tinacms dev` or `tinacms build`. The `addVariablesToCode` helper unquotes any value matching the marker `__TINA_INTERNAL__:::(.*?):::` placed in a stringified collection JSON, and user-supplied `label`/`name` fields from `.forestry/**/*.yml` are inserted into that JSON without sanitisation, yielding a top-level IIFE in the generated `tina/templates.ts`. A detailed end-to-end PoC is published in the GHSA-4936-9hrh-qqpw advisory; no public exploit identified at time of analysis beyond the disclosure PoC, and the CVE is not in CISA KEV.
Authenticated principal impersonation in CoreWCF (versions >=1.9.0, <1.9.1) occurs because the SPNEGO SecurityContextToken proof key returned in the RequestSecurityTokenResponse (RSTR) is wrapped without confidentiality protection, allowing any on-path observer to recover it. An attacker who captures the unprotected handshake can impersonate the authenticated Windows principal for the SCT lifetime (~10 hours) and decrypt or forge subsequent WS-SecureConversation traffic. No public exploit identified at time of analysis, but the vendor-confirmed advisory (GHSA-2288-8h3r-cqgg) and CVSS 7.4 indicate a meaningful confidentiality/integrity exposure for affected .NET WCF replacement deployments.
Authorization bypass in jupyterlab-git 0.53.0 and earlier allows authenticated JupyterLab users to read admin-excluded git directories on case-insensitive filesystems (macOS APFS, Windows NTFS) by altering the case of URL path segments. The `GitHandler.prepare()` check uses `fnmatch.fnmatchcase()`, which is unconditionally case-sensitive, while the underlying filesystem resolves case-varied paths to the same location. Publicly available exploit code exists (PoC published with the GHSA advisory), but no public exploit identified in active exploitation feeds.
{device_id}`. The KonnectedView HTTP endpoint sets `requires_auth = False` and only enforces Bearer-token validation on POST/PUT methods, leaving the GET handler entirely unauthenticated. Publicly available exploit code exists in the form of a detailed reporter-published proof of concept against Home Assistant Core 2026.5.2.
Credential leakage in @microsoft/kiota-http-fetchlibrary versions 1.0.0-preview.97 through 1.0.0-preview.101 causes Bearer tokens and session cookies to be forwarded to attacker-controlled cross-origin redirect destinations because the default RedirectHandler's header-scrubbing logic silently fails: FetchRequestAdapter lowercases all header keys before the middleware sees them, but scrubSensitiveHeaders performs PascalCase deletes (delete headers.Authorization), targeting keys that no longer exist. This flaw is present in the default middleware chain with no opt-in configuration required, affecting every kiota-generated TypeScript SDK - including Microsoft Graph clients - that uses BaseBearerTokenAuthenticationProvider or any auth provider that sets the Authorization header. Proof-of-concept code exists (CVSS 4.0 E:P), and a vendor patch is available in version 1.0.0-preview.102; no active exploitation has been confirmed in the CISA KEV at time of analysis.
Wondershare PDFelement 5.2.9 contains a privilege escalation vulnerability due to an unquoted service path in the WsAppService Windows service. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Windows Firewall Control 4.8.6.0 contains an unquoted service path vulnerability that allows local attackers to escalate privileges by inserting malicious executables in the service path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Missing authentication in line-desktop-mcp prior to 1.1.2 lets any network-reachable client invoke MCP tools that read LINE chat history and send messages through the logged-in LINE Desktop application. When started with --http-mode, the server binds 0.0.0.0 and exposes /mcp without an MCP-layer auth check, enabling unauthenticated remote abuse. No public exploit identified at time of analysis, but the fix (1.1.2) and commit are public, making reconstruction trivial.
Out-of-bounds read in Microsoft HEIF Image Extensions 1.2.22.0 allows remote attackers to disclose memory contents and crash the process by serving a crafted HEIF image. The flaw stems from CHEIFItemInfoEntry_GetDataSize returning success with a reported data size of zero, leading to a 1-byte allocation that is later overrun by a memmove in CopyPixels. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
HTML injection in pgAdmin 4's Cloud Wizard (versions 6.6 through 9.15.x) allows authenticated users to embed arbitrary HTML into the tool's DOM by exploiting unescaped AWS, Azure, and Google Cloud SDK exception text propagated into JSON response fields and parsed by html-react-parser. The primary impact is self-targeted DOM manipulation - the authenticated user who submits the crafted payload is the one who sees it rendered - with escalation to cross-user exploitation requiring an additional CSRF primitive to forge a valid X-pgA-CSRFToken in a victim's browser. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, consistent with its CVSS 4.0 Medium rating of 4.8.
Privilege escalation in Microsoft Dynamics 365 allows authenticated low-privileged users to gain elevated rights across a network due to improper access control enforcement. The flaw carries a critical CVSS 9.9 score with scope change, indicating impact beyond the vulnerable component, and Microsoft has issued a patch via MSRC. No public exploit identified at time of analysis, and the vector's Exploit Code Maturity is rated Unproven.
Privilege elevation in Microsoft's Azure (AI) Bot Service lets an authenticated, network-based attacker bypass improper authentication checks (CWE-287) to gain higher privileges than originally granted. Tracked as CVE-2026-32174 (CVSS 8.8) and reported by Microsoft, it affects the cloud-hosted Azure Bot Service and carries high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.37%, 29th percentile), and CISA SSVC currently scores exploitation as 'none.'
Unauthenticated SSRF in signalk-server ≤2.27.0 allows remote attackers to force the server to make arbitrary HTTP/HTTPS requests to any destination, including RFC 1918 private ranges, loopback, and cloud metadata services at 169.254.169.254. On default installations where no admin user has been created, the security middleware is a no-op, meaning all three vulnerable endpoints are completely unauthenticated over the network. A detailed public PoC is included in the GitHub advisory demonstrating internal network scanning, AWS IAM credential theft via IMDSv1, and path-traversal-assisted targeted data exfiltration; no CISA KEV listing is present at time of analysis.
Network access control bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows a remote attacker holding compromised administrator credentials to circumvent IP-based network restrictions by injecting an arbitrary X-Forwarded-For HTTP header. Both systems fail to validate or sanitize this header before using it to determine whether a request originates from an allowed network range, meaning a threat actor positioned anywhere on the internet can masquerade as a trusted network source. No public exploit code or CISA KEV listing has been identified at the time of analysis, and the high-privilege prerequisite (compromised admin credentials) significantly constrains opportunistic exploitation.
Insecure Direct Object Reference (IDOR) in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) permits remote unauthenticated attackers to harvest account-specific information from any registered user. By supplying an arbitrary 'user_id' value to the publicly exposed 'update-profile/' API endpoint, an attacker receives a JSON payload disclosing the target account's email address and associated metadata without any credential requirement. No public exploit code or CISA KEV listing exists at time of analysis, but the trivially low attack complexity - no authentication, no interaction, no special configuration - makes automated mass enumeration of the user base a realistic and immediate concern for agencies relying on these procurement dispute systems.
Privilege escalation in the U.S. GAO Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows authenticated remote attackers to elevate their privileges by tampering with the client-supplied 'epds_role_id' parameter, which the server accepts without verification. Reported by CISA-CG and tracked as EUVD-2026-37911 with a CVSS 4.0 score of 8.7, no public exploit identified at time of analysis. Both web applications have been patched by their respective government operators.
Authentication bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and the Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows remote, unauthenticated attackers to reset arbitrary user passwords by calling the '/update-profile/N' API endpoint, which fails to verify the requester's identity. Successful exploitation results in full account takeover of any user - including potentially privileged accounts handling federal bid protests and contract appeals - with no public exploit identified at time of analysis but a CVSS 4.0 base score of 9.3 (Critical) and CISA Coordinated Disclosure tracking.
Authentication bypass in Zitadel identity platform (versions 3.0.0-3.4.11 and 4.0.0-4.15.1) allows an attacker who has obtained a victim's authorization code, refresh token, or device authorization grant to redeem it under a different OAuth client registered on the same instance, because the server fails to validate the client_id binding required by RFC 6749 §4.1.3. No public exploit identified at time of analysis; CVSS 7.4 with high attack complexity reflects the requirement that the attacker first intercept the code or token through a separate weakness such as XSS, log exposure, or referrer leakage.
Server-Side Request Forgery in Zitadel's outgoing HTTP subsystems - HTTP Notification Channel webhooks, OIDC BackChannel Logout endpoints, and SAML Metadata URL fetches - enables authenticated users with application configuration privileges to force the Zitadel server to issue HTTP requests to internal network addresses, loopback interfaces, and cloud metadata endpoints such as the link-local IMDSv1 address 169.254.169.254. The pre-existing denylist for the Actions subsystem was additionally bypassable via DNS rebinding (TOCTOU), HTTP redirect following, and HTTPS-to-HTTP protocol downgrade, and all three newly affected components lacked denylist coverage entirely. No public exploit code has been identified at time of analysis; however, the vulnerability was independently reported by 13+ researchers, and a vendor patch is available in v4.15.2 with no backport for the v3.x branch.
Local privilege escalation in ANSSI's DFIR-ORC versions 10.2.7 and prior allows a low-privileged local user to gain administrator rights by planting a malicious DLL in C:\Windows\Temp, which the tool loads automatically when extracted and executed from that shared directory. The flaw is a classic uncontrolled search path (CWE-427) issue and was reported by INCIBE; no public exploit identified at time of analysis and the CVE is not in CISA KEV. The vendor has shipped a fix in DFIR-ORC v10.3.0, which adds ACL hardening on extraction directories.
Unauthenticated remote PowerShell execution in CursorTouch Windows-MCP prior to version 0.7.5 allows attackers to reach the MCP control plane over HTTP and invoke the built-in PowerShell tool as the Windows user running the server. The flaw stems from SSE and streamable-http transports being built without an auth provider while wildcard CORS (allow_origins=*) is applied, opening the path to cross-origin browser pages and any non-browser HTTP client. No CISA KEV listing exists, but the CVSS 4.0 vector includes E:P, indicating publicly available exploit code exists.
Path traversal in Evil-WinRM through 3.9 lets a malicious or compromised remote Windows server overwrite arbitrary files on the operator's client machine when the user invokes the download_dir() function. Because Evil-WinRM is the offensive operator's tool, this inverts the trust model - the 'target' Windows host becomes the attacker and the red teamer or admin running Evil-WinRM becomes the victim, with realistic outcomes including persistent SSH access via overwritten authorized_keys. No public exploit identified at time of analysis, but a public upstream patch (commit 6ecd570) discloses the exact unsanitized File.join() sink.
Pre-authentication denial of service in libssh2 through 1.11.1 allows a malicious SSH server to pin a connecting client's CPU at 100% for over 60 seconds by advertising an attacker-controlled SSH_MSG_EXT_INFO extension count of 0xFFFFFFFF during key exchange. The flaw is reachable before authentication completes, so any client that initiates an SSH session to a hostile or compromised server endpoint is exposed, and no public exploit identified at time of analysis though VulnCheck has published an advisory and the upstream PR diff is public.
TLS pinning bypass in undici 7.23.0 through 7.27.x and 8.x prior to 8.5.0 allows network-positioned attackers to perform man-in-the-middle attacks on HTTPS traffic routed through SOCKS5 proxies. The ProxyAgent silently drops the requestTls option (including ca, cert, key, rejectUnauthorized, and servername) when the proxy URI uses socks5:// or socks://, causing connections to fall back to Node.js's default Mozilla CA bundle instead of the application-configured trust anchor. No public exploit identified at time of analysis, but the CWE-295 improper certificate validation flaw directly defeats corporate CA pinning controls.
Server-side request forgery in Open WebUI versions 0.9.5 and earlier allows authenticated OAuth users to read arbitrary internal HTTP responses by abusing the `_process_picture_url` function in `backend/open_webui/utils/oauth.py`, which validates only the initial URL and then permits aiohttp's default 10-redirect follow chain to reach internal addresses. The decoded response body is stored in the attacker's `profile_image_url` and retrievable via `GET /api/v1/auths/`, yielding cloud metadata credentials and access to localhost-bound services. Publicly available exploit code exists (detailed sentinel-verified PoC supplied by the reporter); no public exploit identified at time of analysis in the form of weaponized tooling, and the CVE is not on the CISA KEV list.
Refresh token persistence in NocoDB (npm/nocodb ≤ 0.301.3) allows an attacker who has captured a victim's refresh token to retain persistent account access even after the victim completes a 'Forgot Password' recovery flow. The `passwordForgot` code path omitted the `UserRefreshToken.deleteAllUserToken(user.id)` call present in both `passwordChange` and `passwordReset`, leaving the attacker's stolen refresh cookie valid and exchangeable for new JWTs indefinitely. No public exploit has been identified at time of analysis, and no vendor-released patch version is confirmed in the available advisory data.
Symlink-following in chrome-devtools-mcp (npm, versions 0.20.0 through 1.0.1) allows any local user on the same POSIX host to truncate and overwrite arbitrary files owned by a victim user by pre-placing a symlink at the daemon's deterministic PID file path under /tmp. The attack targets macOS unconditionally and Linux sessions where $XDG_RUNTIME_DIR is unset, because the runtime path falls back to world-accessible /tmp. A detailed proof-of-concept demonstrating SSH key destruction is published in the GitHub Security Advisory; no confirmed active exploitation or CISA KEV listing exists at time of analysis, but the attack requires only a local account and trivial setup.
Local privilege escalation in the Pi coding agent (npm packages @earendil-works/pi-coding-agent 0.74.0-0.78.0 and @mariozechner/pi-coding-agent 0.50.0-0.73.1) allows a co-resident attacker on a shared Linux host to pre-stage attacker-controlled extension code in a predictable `os.tmpdir()/pi-extensions` path that pi later loads as the victim user. No public exploit identified at time of analysis, but the issue was reported by CrowdStrike researchers and patched in 0.78.1 of the renamed package. Affects shared dev boxes, CI runners, and HPC login nodes; Windows/macOS default per-user temp directories typically avoid exposure.
Tamper Protection bypass in Netskope Client for Windows allows a malicious local administrator to disable or subvert the endpoint security agent by directly manipulating the Windows service object and associated registry keys, which are protected by overly permissive Discretionary Access Control Lists. All Netskope Client versions below R138 on Windows are affected. No public exploit code exists and this vulnerability is not listed in CISA KEV, but the gap is operationally significant in environments where insider threat, post-compromise lateral movement, or separation of duties between IT admins and security tooling are concerns.
Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)
Out of bounds read in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: High)
Use after free in DigitalCredentials in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in WebShare in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Anti-tampering bypass in Netskope Client for Windows (all versions prior to R138) allows a local administrator to send crafted IOCTL requests directly to the NSClient kernel driver, completely neutralizing the product's self-protection mechanisms. The flaw arises from CWE-782 - an IOCTL interface exposed by the driver without sufficient access controls - meaning a privileged insider can issue arbitrary control operations the driver was not designed to accept from untrusted callers. No public exploit has been identified at time of analysis, and exploitation is constrained to actors who already hold administrative privileges on the endpoint, limiting the realistic threat to insider scenarios or post-compromise lateral movement by an attacker who has already achieved admin-level access.
Reflected XSS in n8n's Facebook (Meta), WhatsApp, and Microsoft Teams webhook trigger nodes allows an attacker to execute arbitrary JavaScript in an authenticated user's browser by luring them to a crafted URL targeting the vulnerable webhook verification endpoints. Affected are all n8n deployments running version < 2.24.0 with any of the four vulnerable trigger nodes active; the CVSS scope change (S:C) means successful exploitation extends beyond the n8n component itself, enabling session hijacking or theft of API credentials stored in workflows. No public exploit code or CISA KEV listing has been identified at time of analysis; a vendor-released patch is confirmed in n8n 2.24.0.
Denial of service in n8n workflow automation platform (versions prior to 2.24.0) allows an authenticated user with workflow create/edit permissions to trigger global prototype pollution via a crafted table parameter in the Microsoft SQL node. The pollution of Object.prototype persists for the lifetime of the n8n process, causing application-wide validation failures until the server is restarted. No public exploit identified at time of analysis, though the vendor advisory provides clear technical detail.
Authorization bypass in Caddy web server on Windows allows unauthenticated remote attackers to access files in path-protected directories by substituting forward slashes with URL-encoded backslashes (%5C). The flaw stems from an inconsistency between Caddy's `path` matcher and `file_server` handler, where the matcher treats `\` as a literal character while Windows-native filesystem code treats it as a separator. A detailed proof-of-concept is published in the vendor advisory, though no public exploit identified at time of analysis in exploitation databases.
Arbitrary code execution in yt-dlp versions before 2026.06.09 occurs when aria2c is selected as the external downloader for fragmented HLS/DASH streams, allowing a malicious manifest or metadata server to inject options into aria2c's input file and write attacker-controlled files. On Windows this yields immediate code execution via a planted ffmpeg.exe, while on all platforms it enables code execution on the next run via a planted yt-dlp.conf with a malicious --exec. CVSS is 9.6 (critical), but there is no public exploit identified at time of analysis, EPSS is low (0.40%, 32th percentile), and CISA SSVC marks exploitation as none.
Arbitrary OS-shortcut file write in yt-dlp before 2026.06.09 lets a remote attacker plant malicious `.desktop`, `.url`, or `.webloc` files on a victim's machine, reviving the attack surface that CVE-2024-38519 was meant to close. Because numerous extractors derive output file extensions from attacker-controlled sources (e.g. an m3u8 `EXT-X-MEDIA:TYPE=SUBTITLES` URI), a user who downloads from a malicious URL with options like `--write-subs` will silently receive a shortcut file containing attacker-chosen shell commands or remote-executable links. A vendor proof-of-concept demonstrating code execution via a planted `.desktop` file is publicly available; it is not listed in CISA KEV, and EPSS is low at 0.54% (41st percentile).
Permission-sandbox bypass in the Deno runtime (versions <= 2.7.13) on macOS lets untrusted code reach paths that operators explicitly blocked with --deny-read, --deny-write, --deny-run, or --deny-ffi. Because Deno compared paths byte-for-byte while APFS treats Unicode-equivalent and case-equivalent spellings as the same file, a script granted broad --allow-* but with --deny-* carve-outs can read, write, execute, or FFI-load a protected file by referring to it with an alternate spelling (NFD vs NFC, case folding, ligatures, or German ss vs ß). No public exploit identified at time of analysis, and EPSS is low (0.14%), but the bypass is trivial to perform once an attacker controls the path string.
Cryptographic primality validation in Deno's Node.js compatibility layer (versions <= 2.8.0) silently skips Miller-Rabin testing when `crypto.checkPrime`/`checkPrimeSync` is called with default options, causing crafted composites whose smallest prime factor exceeds 17,863 (e.g. 17,881 × 17,891) to be reported as prime. Remote attackers who control bignums fed into a victim Deno application can therefore smuggle composite values past validation, with no public exploit identified at time of analysis beyond the vendor-published reproducer.
Command injection in Deno's `node:child_process` on Windows allows attackers who control any portion of an argument passed to `spawn`/`spawnSync`/`exec` with `shell: true` to execute arbitrary commands via unescaped `cmd.exe` metacharacters. The flaw affects Deno versions prior to 2.7.10 and is the Windows counterpart to the previously fixed CVE-2026-27190. Publicly available exploit code exists (the advisory itself includes a working PoC launching `calc.exe`), but there is no public exploit identified in the wild and no CISA KEV listing at time of analysis.
Missing webhook request validation in n8n's MicrosoftAgent365Trigger and StripeTrigger nodes allows unauthenticated remote attackers who know the webhook URL to submit forged payloads and cause arbitrary workflow execution with attacker-controlled data. All n8n npm versions below 2.25.7 and versions 2.26.0-2.26.1 are affected when either node is actively used in a workflow. No public exploit code or CISA KEV listing exists at time of analysis; however, the CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:C scoring reflects low-complexity, unauthenticated network exploitation with a scope change indicating potential downstream impact on systems integrated with triggered workflows.
Elevation of privilege in the Microsoft Malware Protection Engine (mpengine) - the scanning core shared by Microsoft Defender Antivirus - allows a low-privileged local user, tracked publicly as "RoguePlanet", to gain SYSTEM-level control by abusing how the engine resolves file links (CWE-59). Because the engine runs with the highest privileges, successful exploitation yields total loss of confidentiality, integrity, and availability. Publicly available exploit code exists (MSNightmare/RoguePlanet on GitHub) and SSVC rates technical impact as total, but there is no CISA KEV listing and EPSS is low (0.39%, 30th percentile), indicating no evidence of widespread active exploitation yet.
Dell OpenManage Integration with Microsoft Windows Admin Center contains a Remote Code Execution vulnerability in the gateway plugin. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.
Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a more-privileged Python process running from a legacy all-users installation, enabling arbitrary code execution under an elevated context. The root cause is a VPATH-based fallback landmark mechanism compiled into release builds: on Windows, VPATH resolves two directory levels above PCbuild/, placing the Modules/Setup.local landmark outside the install directory in a location writable by unprivileged users under the legacy EXE installer's default all-users path. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, high confidentiality and integrity impact (VC:H/VI:H) reflect the ability to fully substitute Python's module loading path.
Notepad++ versions prior to 8.9.6.1 can be crashed by any local process sharing the same interactive Windows session via a malformed WM_COPYDATA message. The COPYDATA_FULL_CMDLINE handler in NppBigSwitch.cpp dereferences COPYDATASTRUCT.lpData as an unbounded NUL-terminated wchar_t* without validating against the COPYDATASTRUCT.cbData length field, enabling an out-of-bounds read that results in process termination. No active exploitation has been confirmed (no CISA KEV listing, no public POC), and the fix is available in the vendor-released patch 8.9.6.1.
Cleartext credential disclosure in OpenProject's Storages module (versions prior to 17.3.3 and 17.4.1) writes the userless OneDrive/SharePoint OAuth access_token in plaintext to Rails.cache under the deterministic key storage.<id>.httpx_access_token, refreshed by an hourly cron and every userless-OAuth call. Because none of the supported cache backends (file_store, memcache, redis) encrypts at rest, an attacker who can read the cache backend retrieves the Azure-AD application-tier bearer token via an anonymous memcached/Redis get. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Use-after-free in Envoy's HTTP OAuth2 filter (envoy.filters.http.oauth2) across versions 1.37.0-1.37.4 and 1.38.0-1.38.2 enables unauthenticated remote attackers to crash Envoy worker threads by racing a connection teardown against an in-flight async token exchange. When a downstream client disconnects while the filter is awaiting an async OAuth2 token response, the late AsyncClient callback invokes StreamDecoderFilterCallbacks on an already-freed object, producing undefined behavior and worker crashes. The reporter explicitly disclaims RCE - confirmed impact is availability loss (DoS); allocator-dependent memory corruption effects beyond crash are theoretically possible but not demonstrated. No public exploit or CISA KEV listing identified at time of analysis.
The OAuth2 HTTP filter in Envoy Proxy prior to versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1 implements AES-256-CBC encryption for the PKCE CodeVerifier cookie without any authentication tag, creating a classic padding oracle through differential HTTP responses on the /callback endpoint. An attacker who obtains the victim's encrypted CodeVerifier cookie and a stolen authorization code can recover the plaintext PKCE code_verifier in approximately 6,200 crafted requests (~100 seconds), then complete the OAuth token exchange to hijack the victim's access token. No public exploit code or CISA KEV listing has been identified at time of analysis; vendor-confirmed patches are available in all four current release branches.
Local privilege escalation in NEC's ExpressUpdate Agent for Windows allows a low-privileged user who can already access the host to execute arbitrary code with SYSTEM privileges, owing to insufficient access controls on the agent. Reported by NEC under advisory NV26-004, the flaw carries a CVSS 4.0 base score of 8.5 (High) and maps to CWE-782 (exposed IOCTL with insufficient access control). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Server-side request forgery in ToolJet's RestAPI data source (versions prior to 3.20.178-lts) allows a low-privileged platform user to reach internal network endpoints because the private-IP filter validates only the hostname string rather than the resolved IP. By supplying a DNS name such as 169.254.169.254.nip.io, an attacker bypasses the filter and forces the server to query the Azure IMDS link-local endpoint, enabling theft of managed-identity tokens for the backing AKS production cluster. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the cloud-credential impact makes it a high-value SSRF.
Credential interception in HYPR Passwordless on Windows (all versions before 11.1.1) is possible due to a missing authentication check on a critical internal function (CWE-306), allowing a low-privileged local attacker to capture authentication material during an active user session. The CVSS 4.0 vector's SC:H metric confirms the intercepted credentials are usable against downstream systems that HYPR protects, elevating the downstream blast radius beyond the compromised endpoint. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Local privilege escalation to code execution affects Dell Display and Peripheral Manager (DDPM) for Windows in all versions prior to 2.3, where an Improper Access Control flaw (CWE-284) lets a low-privileged local user execute arbitrary code in a higher-privileged context. The CVSS 3.1 base score is 7.8 (High), reflecting full confidentiality, integrity, and availability impact from a local, low-privilege starting point with no user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Session-destruction denial of service in Rocket.Chat's SAML single logout allows an unauthenticated remote attacker to forcibly log out any SAML-authenticated user by submitting a forged, unsigned LogoutRequest to the SP logout endpoint. Because the integration never validates the SAML signature, an attacker who knows only a victim's NameID - typically their email address, as exposed by Okta, Google Workspace, Microsoft Entra ID, and JumpCloud - can repeatedly destroy sessions and script the attack across many accounts to render the instance unusable. No public exploit identified at time of analysis; the CVSS 4.0 base score is 8.7 (availability-only impact), and fixes are available across all maintained release branches.
Remote code execution in Google Chrome on Windows prior to 149.0.7827.197 stems from a use-after-free condition in the Autofill component, letting a remote attacker run arbitrary code in the renderer when a victim opens a malicious web page. Chromium rates the flaw Critical and CVSS 8.8 reflects high impact across confidentiality, integrity, and availability, tempered by the requirement that the user load attacker-controlled content. There is no public exploit identified at time of analysis, and SSVC records exploitation status as none, but the 'total' technical impact makes prompt patching important.
OS command injection in Warp (the agentic terminal/development environment) affects builds from 0.2024.03.12.08.02.stable_01 up to the fix in 0.2026.05.06.15.42.stable_01 when running under Windows Subsystem for Linux. When wslview cannot open a URL, Warp falls back to a Windows command processor (cmd.exe /c start), so a malicious URL emitted into terminal output executes attacker-controlled Windows commands once the user clicks the link. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the fix commit clearly documents the injection path.
Path traversal in AnythingLLM's document folder listing endpoint on Windows allows authenticated low-privilege users to enumerate directories outside the intended documents directory. The root cause is a platform-specific gap in the shared path containment helper: it correctly rejects POSIX-style '../' sequences but fails to reject Windows-style parent path segments produced by Node.js path.relative(), such as bare '..'. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, consistent with the Medium CVSS score of 4.3 and the authentication requirement.
Stack buffer overflow in OpenColorIO's .spi3d LUT parser allows a crafted color-lookup file to corrupt memory in any application that loads it. The flaw in FileFormatSpi3D.cpp reads attacker-controlled data from a 4096-byte line into 64-byte stack buffers via unbounded sscanf %s, permitting an overflow of roughly 4000 bytes on non-Windows platforms. It affects all OCIO 1.x and 2.x releases prior to 2.5.2 and, while no public exploit has been identified, the same unsafe pattern was found across the .spi3d, .spi1d, .cube, and .lut parsers.
LDAP injection in Jenkins Active Directory Plugin 2.41.1 and earlier allows unauthenticated remote attackers to enumerate Active Directory entries and authenticate as any directory user they can identify via wildcard matching, provided they already know that user's password. The vulnerability is confined to the Windows native ADSI authentication path, limiting exposure to Jenkins instances running on Windows with ADSI configured. No public exploit code or active exploitation has been identified; SSVC rates it non-automatable with partial technical impact.
SQL injection in n8n's MySQL, PostgreSQL, and Microsoft SQL database integration nodes (all versions before 2.4.0) allows authenticated users with workflow creation permissions to execute arbitrary SQL commands against connected databases by supplying crafted identifier values - table or column names - in node configuration parameters. The nodes failed to escape SQL identifiers when constructing queries, bypassing the safety guarantees users expected from parameterized inputs and enabling injection that directly impacts downstream database confidentiality and integrity. Reported by the NATO Cyber Security Centre; vendor-released patch is confirmed in n8n 2.4.0, with no public exploit code or CISA KEV listing identified at time of analysis.
Unauthenticated OAuth secret disclosure in FlowiseAI Flowise versions 3.0.13 and earlier allows remote attackers to harvest cleartext SSO client secrets for Google, Microsoft/Azure, GitHub, and Auth0 by sending a single GET request to /api/v1/loginmethod with a guessable organizationId. Affects both FlowiseAI Cloud and self-hosted deployments where the endpoint is reachable; publicly available exploit code exists (vendor GHSA includes a complete request/response PoC), and the leaked credentials enable downstream identity-provider compromise.
Log injection in upKeeper Instant Privilege Access through 1.6.1 on Windows allows remote unauthenticated attackers to forge, tamper with, or inject crafted entries into application logs by smuggling unneutralized control characters through logged inputs. The flaw (CWE-117) does not directly compromise the upKeeper agent itself but produces high integrity, confidentiality, and availability impact on subsequent log-consuming systems (SIEM, audit pipelines). No public exploit identified at time of analysis and the CVE is not present in CISA KEV.
Credential exposure in the Ansible keyring_info module (plugins/modules/keyring_info.py) causes master passwords, SSH key passphrases, and service credentials retrieved from OS-native keystores to be emitted as plaintext in task output, registered variables, and persistent log backends. Any local user with access to Ansible playbook output - including AWX/Tower job logs, Redis or JSON fact caches, and debug task output - can read credentials in full. A proof-of-concept demonstrating plaintext passphrase capture from Ansible output exists, though no confirmed active exploitation (CISA KEV) has been observed. Affected deployments span RHEL 8, 9, and 10 per Red Hat CPE data.
Path traversal in the mise HTTP backend allows a repository-controlled `.tool-versions` file to direct `mise install` to create symlinks at arbitrary filesystem locations outside the designated mise installs root on Unix-like systems. Affecting mise up to version 2026.5.16, a developer or CI system that runs `mise install` against a malicious project can have executable symlinks silently placed under attacker-chosen `PATH` directories, enabling replacement of trusted commands with attacker-controlled HTTP content. No public exploit identified at time of analysis beyond the detailed proof-of-concept published in GitHub Security Advisory GHSA-f94h-j2qg-fxw3, and no CISA KEV listing confirms active in-the-wild exploitation.
Authenticated arbitrary file write in Gogs (self-hosted Git service) versions below 0.14.3 on Linux/macOS lets a user with repository write access escape the working tree and overwrite any file the gogs UID can touch, escalating to remote code execution. The flaw stems from `UploadRepoFiles` validating symlinks only on the leaf path while sibling functions correctly walk every component; combined with a crafted multipart filename containing a literal backslash, the write is redirected through a previously committed directory symlink to targets like `~git/.ssh/authorized_keys` or `<repo>.git/hooks/post-receive`. No CISA KEV listing and no EPSS provided, but a detailed, tested proof-of-concept is published in the vendor advisory, so publicly available exploit code exists.
Remote code execution in Gogs through 0.14.2 allows authenticated users (and unauthenticated attackers on default-configured instances with open registration) to execute arbitrary commands as the Gogs server process by crafting a pull request whose base branch name injects a `--exec` flag into the underlying `git rebase` invocation. A working Python proof-of-concept exists and has been validated end-to-end against Docker, Linux binary, and Windows installations, yielding shell access as the `git` user. No CISA KEV listing or EPSS data is provided, so this is treated as publicly available exploit code rather than confirmed active exploitation.
Client-side Denial of Service in OpenSSH's Diffie-Hellman Group Exchange implementation allows a malicious SSH server to crash connecting clients running in FIPS mode. When a victim initiates an SSH connection to an attacker-controlled server, the server sends crafted DH-GEX group parameters that trigger a double free (CWE-415) during FIPS known-group validation, terminating the client process. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the constraint that only FIPS-mode clients are affected limits real-world impact to regulated or government environments.
CSV formula injection in @actual-app/cli versions prior to 26.6.0 allows an attacker who can write user-controlled strings into an Actual Budget database to execute arbitrary spreadsheet formulas when the victim exports data using the --format csv flag and opens the resulting file in Excel, LibreOffice Calc, or Google Sheets. The vulnerable `escapeCsv` helper in `packages/cli/src/output.ts` neutralizes only RFC 4180 delimiters and quotes but does not strip formula-trigger prefixes (=, +, -, @, tab, CR), meaning payloads in payee names, account names, categories, notes, or tags survive into the CSV output unchanged. A publicly available proof-of-concept is included in the GHSA-7gh7-258j-4mpq advisory; no CISA KEV listing exists at time of analysis.
Memory exhaustion denial of service in Gophish through 0.12.1 allows authenticated low-privilege users to crash the phishing-campaign server by uploading a zip-bomb Office document as an email template attachment. Publicly available exploit code exists, demonstrating that any account with the User role can trigger an OOM kill of the Gophish process and disrupt ongoing campaigns. No CISA KEV listing is present, but the trivial complexity and available POC make opportunistic abuse realistic against multi-tenant or shared Gophish deployments.
Arbitrary file read in WebP Server Go through 0.14.4 on Windows deployments allows unauthenticated remote attackers to retrieve files outside the configured IMG_PATH by sending HTTP requests containing percent-encoded backslashes (%5C), bypassing the path.Clean() sanitization in handler/router.go. The flaw is platform-specific to Windows hosts because Go normalizes only forward slashes while the Windows file API treats backslashes equivalently; no public exploit identified at time of analysis, though VulnCheck has published an advisory and an upstream fix is merged in 0.15.0.
Authentication bypass in IBM Storage Protect Client and IBM Storage Protect Snapshot for Windows (versions 8.1.0.0 through 8.2.1.0) allows remote unauthenticated attackers to impersonate legitimate clients via hardcoded credentials embedded in the FlashCopy Manager (FCM) authentication mechanism. The flaw, classified as CWE-798 with a CVSS 9.1 critical rating, enables attackers to establish trusted sessions and access protected backup services. There is no public exploit identified at time of analysis, and EPSS rates real-world exploitation probability at 0.33% (24th percentile), but IBM has released a vendor advisory and patch.
Credential theft in Red Hat OpenShift Container Platform's Windows Machine Config Operator (WMCO) allows adjacent-network attackers to intercept SSH sessions to Windows worker nodes and steal WICD and kubelet bootstrap credentials. WMCO fails to verify the remote SSH host key when configuring Windows nodes, enabling a man-in-the-middle attacker positioned on the cluster network to capture credentials sufficient to assume Windows node identities. No public exploit identified at time of analysis, and the issue is not in CISA KEV.
Privilege escalation in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform allows a compromised Windows worker node holding WICD credentials to obtain a cluster-administrator client certificate. The WICD CSR auto-approver checks for the system:wicd-nodes organization but fails to reject additional organization values such as system:masters, enabling full cluster takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijacking, session fixation, CSRF/replay against the OAuth callback, plaintext credential exposure over non-HTTPS redirect URIs, and log injection. The plugin reused the PHP session_id() as the OAuth state parameter, never rotated the session ID after login, did not enforce HTTPS on the redirect URI, and logged attacker-controlled GET parameters verbatim. No public exploit identified at time of analysis, but an upstream fix is available in MISP commit 146bc40.
Local privilege escalation to SYSTEM in the PaperCut Print Deploy Client for Windows allows a low-privileged user to hijack execution flow of pc-printer-updater.exe by planting a malicious binary in a directory on the Windows search path. The flaw is a classic uncontrolled search path element (CWE-427) in a SYSTEM-level helper, and no public exploit identified at time of analysis. CVSS 4.0 base score is 7.3 reflecting local vector with attack requirements and user interaction.
Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user with page-edit rights to inject arbitrary JavaScript into the data-mw-iframeconfig attribute by supplying a malformed URL or ID containing single quotes for the archiveorg, wistia, or sharepoint services. The flaw is present under the default $wgEmbedVideoRequireConsent=true configuration and executes in the wiki origin for every visitor that loads the affected page, with publicly available exploit code exists in the GHSA advisory.
Unauthenticated denial-of-service in Langflow versions prior to 1.0.19 allows remote attackers to render the application unusable for all users indefinitely by sending a single crafted POST to /api/v1/files/upload/ with a malformed multipart boundary containing a very large run of hyphens. The upload endpoint processes the multipart body before performing authentication or flow-ID validation, so no token, cookie, or valid flow UUID is required. A public proof-of-concept is included in the GitHub Security Advisory GHSA-qwqc-p3q8-wcg9, though there is no public exploit identified beyond the PoC at time of analysis and the issue is not listed in CISA KEV.
Privilege escalation in Microsoft Azure Synapse (the cloud analytics service) allows an already-authorized, low-privileged attacker to elevate their privileges over the network, gaining high confidentiality, integrity, and availability impact (CVSS 8.8). The root cause is a component executing with unnecessary privileges (CWE-250), letting a tenant or workspace user with limited rights break out to a higher trust level. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.50%), with CISA SSVC marking exploitation status as 'none.'
Privilege escalation in Microsoft Exchange Online allows an authenticated remote attacker to elevate privileges across a tenant or organizational boundary due to missing authorization checks. The flaw carries a CVSS 3.1 score of 9.6 with scope change, indicating impact beyond the initially authorized security context, though no public exploit identified at time of analysis. As a cloud-hosted service, mitigation is largely Microsoft-managed rather than a customer-applied patch.
Privilege elevation in Microsoft 365 Copilot's Business Chat is possible when an attacker abuses an open redirect (CWE-601) to coerce a victim into following a crafted link that lands on an attacker-controlled site. With a CVSS 3.1 base score of 8.8 and high impact across confidentiality, integrity, and availability, successful exploitation lets an unauthorized remote attacker elevate privileges over the network after user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Privilege escalation in Microsoft Azure Active Directory allows unauthenticated remote attackers to bypass authentication controls and gain elevated access across tenant boundaries. With a maximum CVSS score of 10.0 and a scope-changing impact, successful exploitation could compromise identity, access, and resources federated through Azure AD. No public exploit identified at time of analysis, but the trivial attack complexity and network-reachable vector make this a top-priority issue for any organization relying on Azure AD for identity.
Command injection in Microsoft 365 Copilot lets a remote, unauthenticated attacker tamper with data and integrity over the network by injecting unneutralized special elements into a command (CWE-77). The flaw carries a CVSS 7.5 driven entirely by high integrity impact, with no confidentiality or availability loss. There is no public exploit identified at time of analysis, EPSS estimates only a 0.39% 30-day exploitation probability, and CISA's SSVC scores exploitation as none - but a vendor patch is available.
Cross-site scripting in Microsoft Edge (Chromium-based) allows an authenticated remote attacker to perform spoofing attacks against users over a network. The flaw stems from improper neutralization of input during web page generation (CWE-79), and while CVSS rates impact as high across confidentiality, integrity, and availability, no public exploit identified at time of analysis.
Incomplete SSRF remediation in mailpit v1.29.2 through v1.30.1 leaves the Link Check API bypassable via IPv6 transition mechanism literals (6to4, NAT64, IPv4-compatible IPv6, ISATAP, Teredo) and unclassified IPv6 prefixes (fec0::/10, 2001:db8::/32) that Go's stdlib Is* classification helpers silently pass. An unauthenticated network attacker who can deliver email to mailpit's SMTP listener and invoke the Link Check API can coerce the application into dialing internal IPv4 destinations - including cloud metadata endpoints at 169.254.169.254 - by encoding the target as an IPv6 literal that returns false for all seven predicates in IsInternalIP, bypassing the guard introduced for CVE-2026-27808. Publicly available exploit code exists in the form of a reproducible unit test and end-to-end proof-of-concept published in the advisory; this is the same deny-list bypass class confirmed in CVE-2026-44430 (MCP Registry) and CVE-2026-45741 (Gotenberg).
Open redirect bypass in Miniflux v2 (versions <= 2.3.0) enables unauthenticated remote attackers to redirect victims to arbitrary external URLs by exploiting a backslash normalization discrepancy between server-side URL validation and browser behavior. The self-hosted RSS reader's login handler accepts a redirect_url parameter validated by an IsRelativePath function that blocks // prefixes but permits /\attacker.com - a string that all major browsers (Chrome, Firefox, Safari, Edge, as indicated by advisory tags) silently normalize to //attacker.com during HTTP Location header processing. A publicly documented proof-of-concept is available via GHSA-m999-j542-5w3r; no active exploitation has been confirmed in CISA KEV at time of analysis.
Path traversal in Allure Report's built-in HTTP server (allure-commandline <= 2.38.1) allows any client that can reach the server port to read arbitrary files accessible to the Allure process. The vulnerability exists in Commands.setUpServer() where request URI paths are resolved against the report directory without normalization or containment checks, and Java's URI.getPath() additionally percent-decodes sequences like %2e%2e to .., bypassing client-side normalization. A proof-of-concept is publicly available via the GitHub Security Advisory GHSA-82cg-3hv7-74gc; no CISA KEV listing has been confirmed at time of analysis, though real-world risk is materially elevated in CI/CD environments where --host 0.0.0.0 is commonly used.
Code injection in @tinacms/cli versions prior to 2.4.3 allows an attacker who controls a Forestry-style project to achieve remote code execution on a developer's workstation when the `tinacms init` Forestry migration runs and the developer subsequently executes `tinacms dev` or `tinacms build`. The `addVariablesToCode` helper unquotes any value matching the marker `__TINA_INTERNAL__:::(.*?):::` placed in a stringified collection JSON, and user-supplied `label`/`name` fields from `.forestry/**/*.yml` are inserted into that JSON without sanitisation, yielding a top-level IIFE in the generated `tina/templates.ts`. A detailed end-to-end PoC is published in the GHSA-4936-9hrh-qqpw advisory; no public exploit identified at time of analysis beyond the disclosure PoC, and the CVE is not in CISA KEV.
Authenticated principal impersonation in CoreWCF (versions >=1.9.0, <1.9.1) occurs because the SPNEGO SecurityContextToken proof key returned in the RequestSecurityTokenResponse (RSTR) is wrapped without confidentiality protection, allowing any on-path observer to recover it. An attacker who captures the unprotected handshake can impersonate the authenticated Windows principal for the SCT lifetime (~10 hours) and decrypt or forge subsequent WS-SecureConversation traffic. No public exploit identified at time of analysis, but the vendor-confirmed advisory (GHSA-2288-8h3r-cqgg) and CVSS 7.4 indicate a meaningful confidentiality/integrity exposure for affected .NET WCF replacement deployments.
Authorization bypass in jupyterlab-git 0.53.0 and earlier allows authenticated JupyterLab users to read admin-excluded git directories on case-insensitive filesystems (macOS APFS, Windows NTFS) by altering the case of URL path segments. The `GitHandler.prepare()` check uses `fnmatch.fnmatchcase()`, which is unconditionally case-sensitive, while the underlying filesystem resolves case-varied paths to the same location. Publicly available exploit code exists (PoC published with the GHSA advisory), but no public exploit identified in active exploitation feeds.
{device_id}`. The KonnectedView HTTP endpoint sets `requires_auth = False` and only enforces Bearer-token validation on POST/PUT methods, leaving the GET handler entirely unauthenticated. Publicly available exploit code exists in the form of a detailed reporter-published proof of concept against Home Assistant Core 2026.5.2.
Credential leakage in @microsoft/kiota-http-fetchlibrary versions 1.0.0-preview.97 through 1.0.0-preview.101 causes Bearer tokens and session cookies to be forwarded to attacker-controlled cross-origin redirect destinations because the default RedirectHandler's header-scrubbing logic silently fails: FetchRequestAdapter lowercases all header keys before the middleware sees them, but scrubSensitiveHeaders performs PascalCase deletes (delete headers.Authorization), targeting keys that no longer exist. This flaw is present in the default middleware chain with no opt-in configuration required, affecting every kiota-generated TypeScript SDK - including Microsoft Graph clients - that uses BaseBearerTokenAuthenticationProvider or any auth provider that sets the Authorization header. Proof-of-concept code exists (CVSS 4.0 E:P), and a vendor patch is available in version 1.0.0-preview.102; no active exploitation has been confirmed in the CISA KEV at time of analysis.
Wondershare PDFelement 5.2.9 contains a privilege escalation vulnerability due to an unquoted service path in the WsAppService Windows service. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Windows Firewall Control 4.8.6.0 contains an unquoted service path vulnerability that allows local attackers to escalate privileges by inserting malicious executables in the service path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Missing authentication in line-desktop-mcp prior to 1.1.2 lets any network-reachable client invoke MCP tools that read LINE chat history and send messages through the logged-in LINE Desktop application. When started with --http-mode, the server binds 0.0.0.0 and exposes /mcp without an MCP-layer auth check, enabling unauthenticated remote abuse. No public exploit identified at time of analysis, but the fix (1.1.2) and commit are public, making reconstruction trivial.
Out-of-bounds read in Microsoft HEIF Image Extensions 1.2.22.0 allows remote attackers to disclose memory contents and crash the process by serving a crafted HEIF image. The flaw stems from CHEIFItemInfoEntry_GetDataSize returning success with a reported data size of zero, leading to a 1-byte allocation that is later overrun by a memmove in CopyPixels. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
HTML injection in pgAdmin 4's Cloud Wizard (versions 6.6 through 9.15.x) allows authenticated users to embed arbitrary HTML into the tool's DOM by exploiting unescaped AWS, Azure, and Google Cloud SDK exception text propagated into JSON response fields and parsed by html-react-parser. The primary impact is self-targeted DOM manipulation - the authenticated user who submits the crafted payload is the one who sees it rendered - with escalation to cross-user exploitation requiring an additional CSRF primitive to forge a valid X-pgA-CSRFToken in a victim's browser. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, consistent with its CVSS 4.0 Medium rating of 4.8.
Privilege escalation in Microsoft Dynamics 365 allows authenticated low-privileged users to gain elevated rights across a network due to improper access control enforcement. The flaw carries a critical CVSS 9.9 score with scope change, indicating impact beyond the vulnerable component, and Microsoft has issued a patch via MSRC. No public exploit identified at time of analysis, and the vector's Exploit Code Maturity is rated Unproven.
Privilege elevation in Microsoft's Azure (AI) Bot Service lets an authenticated, network-based attacker bypass improper authentication checks (CWE-287) to gain higher privileges than originally granted. Tracked as CVE-2026-32174 (CVSS 8.8) and reported by Microsoft, it affects the cloud-hosted Azure Bot Service and carries high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, EPSS exploitation probability is low (0.37%, 29th percentile), and CISA SSVC currently scores exploitation as 'none.'
Unauthenticated SSRF in signalk-server ≤2.27.0 allows remote attackers to force the server to make arbitrary HTTP/HTTPS requests to any destination, including RFC 1918 private ranges, loopback, and cloud metadata services at 169.254.169.254. On default installations where no admin user has been created, the security middleware is a no-op, meaning all three vulnerable endpoints are completely unauthenticated over the network. A detailed public PoC is included in the GitHub advisory demonstrating internal network scanning, AWS IAM credential theft via IMDSv1, and path-traversal-assisted targeted data exfiltration; no CISA KEV listing is present at time of analysis.
Network access control bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows a remote attacker holding compromised administrator credentials to circumvent IP-based network restrictions by injecting an arbitrary X-Forwarded-For HTTP header. Both systems fail to validate or sanitize this header before using it to determine whether a request originates from an allowed network range, meaning a threat actor positioned anywhere on the internet can masquerade as a trusted network source. No public exploit code or CISA KEV listing has been identified at the time of analysis, and the high-privilege prerequisite (compromised admin credentials) significantly constrains opportunistic exploitation.
Insecure Direct Object Reference (IDOR) in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) permits remote unauthenticated attackers to harvest account-specific information from any registered user. By supplying an arbitrary 'user_id' value to the publicly exposed 'update-profile/' API endpoint, an attacker receives a JSON payload disclosing the target account's email address and associated metadata without any credential requirement. No public exploit code or CISA KEV listing exists at time of analysis, but the trivially low attack complexity - no authentication, no interaction, no special configuration - makes automated mass enumeration of the user base a realistic and immediate concern for agencies relying on these procurement dispute systems.
Privilege escalation in the U.S. GAO Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows authenticated remote attackers to elevate their privileges by tampering with the client-supplied 'epds_role_id' parameter, which the server accepts without verification. Reported by CISA-CG and tracked as EUVD-2026-37911 with a CVSS 4.0 score of 8.7, no public exploit identified at time of analysis. Both web applications have been patched by their respective government operators.
Authentication bypass in the U.S. Government Accountability Office Electronic Protest Docketing System (EPDS) and the Civilian Board of Contract Appeals Electronic Docketing System (EDS) allows remote, unauthenticated attackers to reset arbitrary user passwords by calling the '/update-profile/N' API endpoint, which fails to verify the requester's identity. Successful exploitation results in full account takeover of any user - including potentially privileged accounts handling federal bid protests and contract appeals - with no public exploit identified at time of analysis but a CVSS 4.0 base score of 9.3 (Critical) and CISA Coordinated Disclosure tracking.
Authentication bypass in Zitadel identity platform (versions 3.0.0-3.4.11 and 4.0.0-4.15.1) allows an attacker who has obtained a victim's authorization code, refresh token, or device authorization grant to redeem it under a different OAuth client registered on the same instance, because the server fails to validate the client_id binding required by RFC 6749 §4.1.3. No public exploit identified at time of analysis; CVSS 7.4 with high attack complexity reflects the requirement that the attacker first intercept the code or token through a separate weakness such as XSS, log exposure, or referrer leakage.
Server-Side Request Forgery in Zitadel's outgoing HTTP subsystems - HTTP Notification Channel webhooks, OIDC BackChannel Logout endpoints, and SAML Metadata URL fetches - enables authenticated users with application configuration privileges to force the Zitadel server to issue HTTP requests to internal network addresses, loopback interfaces, and cloud metadata endpoints such as the link-local IMDSv1 address 169.254.169.254. The pre-existing denylist for the Actions subsystem was additionally bypassable via DNS rebinding (TOCTOU), HTTP redirect following, and HTTPS-to-HTTP protocol downgrade, and all three newly affected components lacked denylist coverage entirely. No public exploit code has been identified at time of analysis; however, the vulnerability was independently reported by 13+ researchers, and a vendor patch is available in v4.15.2 with no backport for the v3.x branch.
Local privilege escalation in ANSSI's DFIR-ORC versions 10.2.7 and prior allows a low-privileged local user to gain administrator rights by planting a malicious DLL in C:\Windows\Temp, which the tool loads automatically when extracted and executed from that shared directory. The flaw is a classic uncontrolled search path (CWE-427) issue and was reported by INCIBE; no public exploit identified at time of analysis and the CVE is not in CISA KEV. The vendor has shipped a fix in DFIR-ORC v10.3.0, which adds ACL hardening on extraction directories.
Unauthenticated remote PowerShell execution in CursorTouch Windows-MCP prior to version 0.7.5 allows attackers to reach the MCP control plane over HTTP and invoke the built-in PowerShell tool as the Windows user running the server. The flaw stems from SSE and streamable-http transports being built without an auth provider while wildcard CORS (allow_origins=*) is applied, opening the path to cross-origin browser pages and any non-browser HTTP client. No CISA KEV listing exists, but the CVSS 4.0 vector includes E:P, indicating publicly available exploit code exists.
Path traversal in Evil-WinRM through 3.9 lets a malicious or compromised remote Windows server overwrite arbitrary files on the operator's client machine when the user invokes the download_dir() function. Because Evil-WinRM is the offensive operator's tool, this inverts the trust model - the 'target' Windows host becomes the attacker and the red teamer or admin running Evil-WinRM becomes the victim, with realistic outcomes including persistent SSH access via overwritten authorized_keys. No public exploit identified at time of analysis, but a public upstream patch (commit 6ecd570) discloses the exact unsanitized File.join() sink.
Pre-authentication denial of service in libssh2 through 1.11.1 allows a malicious SSH server to pin a connecting client's CPU at 100% for over 60 seconds by advertising an attacker-controlled SSH_MSG_EXT_INFO extension count of 0xFFFFFFFF during key exchange. The flaw is reachable before authentication completes, so any client that initiates an SSH session to a hostile or compromised server endpoint is exposed, and no public exploit identified at time of analysis though VulnCheck has published an advisory and the upstream PR diff is public.
TLS pinning bypass in undici 7.23.0 through 7.27.x and 8.x prior to 8.5.0 allows network-positioned attackers to perform man-in-the-middle attacks on HTTPS traffic routed through SOCKS5 proxies. The ProxyAgent silently drops the requestTls option (including ca, cert, key, rejectUnauthorized, and servername) when the proxy URI uses socks5:// or socks://, causing connections to fall back to Node.js's default Mozilla CA bundle instead of the application-configured trust anchor. No public exploit identified at time of analysis, but the CWE-295 improper certificate validation flaw directly defeats corporate CA pinning controls.
Server-side request forgery in Open WebUI versions 0.9.5 and earlier allows authenticated OAuth users to read arbitrary internal HTTP responses by abusing the `_process_picture_url` function in `backend/open_webui/utils/oauth.py`, which validates only the initial URL and then permits aiohttp's default 10-redirect follow chain to reach internal addresses. The decoded response body is stored in the attacker's `profile_image_url` and retrievable via `GET /api/v1/auths/`, yielding cloud metadata credentials and access to localhost-bound services. Publicly available exploit code exists (detailed sentinel-verified PoC supplied by the reporter); no public exploit identified at time of analysis in the form of weaponized tooling, and the CVE is not on the CISA KEV list.
Refresh token persistence in NocoDB (npm/nocodb ≤ 0.301.3) allows an attacker who has captured a victim's refresh token to retain persistent account access even after the victim completes a 'Forgot Password' recovery flow. The `passwordForgot` code path omitted the `UserRefreshToken.deleteAllUserToken(user.id)` call present in both `passwordChange` and `passwordReset`, leaving the attacker's stolen refresh cookie valid and exchangeable for new JWTs indefinitely. No public exploit has been identified at time of analysis, and no vendor-released patch version is confirmed in the available advisory data.
Symlink-following in chrome-devtools-mcp (npm, versions 0.20.0 through 1.0.1) allows any local user on the same POSIX host to truncate and overwrite arbitrary files owned by a victim user by pre-placing a symlink at the daemon's deterministic PID file path under /tmp. The attack targets macOS unconditionally and Linux sessions where $XDG_RUNTIME_DIR is unset, because the runtime path falls back to world-accessible /tmp. A detailed proof-of-concept demonstrating SSH key destruction is published in the GitHub Security Advisory; no confirmed active exploitation or CISA KEV listing exists at time of analysis, but the attack requires only a local account and trivial setup.
Local privilege escalation in the Pi coding agent (npm packages @earendil-works/pi-coding-agent 0.74.0-0.78.0 and @mariozechner/pi-coding-agent 0.50.0-0.73.1) allows a co-resident attacker on a shared Linux host to pre-stage attacker-controlled extension code in a predictable `os.tmpdir()/pi-extensions` path that pi later loads as the victim user. No public exploit identified at time of analysis, but the issue was reported by CrowdStrike researchers and patched in 0.78.1 of the renamed package. Affects shared dev boxes, CI runners, and HPC login nodes; Windows/macOS default per-user temp directories typically avoid exposure.
Tamper Protection bypass in Netskope Client for Windows allows a malicious local administrator to disable or subvert the endpoint security agent by directly manipulating the Windows service object and associated registry keys, which are protected by overly permissive Discretionary Access Control Lists. All Netskope Client versions below R138 on Windows are affected. No public exploit code exists and this vulnerability is not listed in CISA KEV, but the gap is operationally significant in environments where insider threat, post-compromise lateral movement, or separation of duties between IT admins and security tooling are concerns.
Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)
Out of bounds read in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: High)
Use after free in DigitalCredentials in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in WebShare in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Anti-tampering bypass in Netskope Client for Windows (all versions prior to R138) allows a local administrator to send crafted IOCTL requests directly to the NSClient kernel driver, completely neutralizing the product's self-protection mechanisms. The flaw arises from CWE-782 - an IOCTL interface exposed by the driver without sufficient access controls - meaning a privileged insider can issue arbitrary control operations the driver was not designed to accept from untrusted callers. No public exploit has been identified at time of analysis, and exploitation is constrained to actors who already hold administrative privileges on the endpoint, limiting the realistic threat to insider scenarios or post-compromise lateral movement by an attacker who has already achieved admin-level access.
Reflected XSS in n8n's Facebook (Meta), WhatsApp, and Microsoft Teams webhook trigger nodes allows an attacker to execute arbitrary JavaScript in an authenticated user's browser by luring them to a crafted URL targeting the vulnerable webhook verification endpoints. Affected are all n8n deployments running version < 2.24.0 with any of the four vulnerable trigger nodes active; the CVSS scope change (S:C) means successful exploitation extends beyond the n8n component itself, enabling session hijacking or theft of API credentials stored in workflows. No public exploit code or CISA KEV listing has been identified at time of analysis; a vendor-released patch is confirmed in n8n 2.24.0.
Denial of service in n8n workflow automation platform (versions prior to 2.24.0) allows an authenticated user with workflow create/edit permissions to trigger global prototype pollution via a crafted table parameter in the Microsoft SQL node. The pollution of Object.prototype persists for the lifetime of the n8n process, causing application-wide validation failures until the server is restarted. No public exploit identified at time of analysis, though the vendor advisory provides clear technical detail.
Authorization bypass in Caddy web server on Windows allows unauthenticated remote attackers to access files in path-protected directories by substituting forward slashes with URL-encoded backslashes (%5C). The flaw stems from an inconsistency between Caddy's `path` matcher and `file_server` handler, where the matcher treats `\` as a literal character while Windows-native filesystem code treats it as a separator. A detailed proof-of-concept is published in the vendor advisory, though no public exploit identified at time of analysis in exploitation databases.
Arbitrary code execution in yt-dlp versions before 2026.06.09 occurs when aria2c is selected as the external downloader for fragmented HLS/DASH streams, allowing a malicious manifest or metadata server to inject options into aria2c's input file and write attacker-controlled files. On Windows this yields immediate code execution via a planted ffmpeg.exe, while on all platforms it enables code execution on the next run via a planted yt-dlp.conf with a malicious --exec. CVSS is 9.6 (critical), but there is no public exploit identified at time of analysis, EPSS is low (0.40%, 32th percentile), and CISA SSVC marks exploitation as none.
Arbitrary OS-shortcut file write in yt-dlp before 2026.06.09 lets a remote attacker plant malicious `.desktop`, `.url`, or `.webloc` files on a victim's machine, reviving the attack surface that CVE-2024-38519 was meant to close. Because numerous extractors derive output file extensions from attacker-controlled sources (e.g. an m3u8 `EXT-X-MEDIA:TYPE=SUBTITLES` URI), a user who downloads from a malicious URL with options like `--write-subs` will silently receive a shortcut file containing attacker-chosen shell commands or remote-executable links. A vendor proof-of-concept demonstrating code execution via a planted `.desktop` file is publicly available; it is not listed in CISA KEV, and EPSS is low at 0.54% (41st percentile).
Permission-sandbox bypass in the Deno runtime (versions <= 2.7.13) on macOS lets untrusted code reach paths that operators explicitly blocked with --deny-read, --deny-write, --deny-run, or --deny-ffi. Because Deno compared paths byte-for-byte while APFS treats Unicode-equivalent and case-equivalent spellings as the same file, a script granted broad --allow-* but with --deny-* carve-outs can read, write, execute, or FFI-load a protected file by referring to it with an alternate spelling (NFD vs NFC, case folding, ligatures, or German ss vs ß). No public exploit identified at time of analysis, and EPSS is low (0.14%), but the bypass is trivial to perform once an attacker controls the path string.
Cryptographic primality validation in Deno's Node.js compatibility layer (versions <= 2.8.0) silently skips Miller-Rabin testing when `crypto.checkPrime`/`checkPrimeSync` is called with default options, causing crafted composites whose smallest prime factor exceeds 17,863 (e.g. 17,881 × 17,891) to be reported as prime. Remote attackers who control bignums fed into a victim Deno application can therefore smuggle composite values past validation, with no public exploit identified at time of analysis beyond the vendor-published reproducer.
Command injection in Deno's `node:child_process` on Windows allows attackers who control any portion of an argument passed to `spawn`/`spawnSync`/`exec` with `shell: true` to execute arbitrary commands via unescaped `cmd.exe` metacharacters. The flaw affects Deno versions prior to 2.7.10 and is the Windows counterpart to the previously fixed CVE-2026-27190. Publicly available exploit code exists (the advisory itself includes a working PoC launching `calc.exe`), but there is no public exploit identified in the wild and no CISA KEV listing at time of analysis.
Missing webhook request validation in n8n's MicrosoftAgent365Trigger and StripeTrigger nodes allows unauthenticated remote attackers who know the webhook URL to submit forged payloads and cause arbitrary workflow execution with attacker-controlled data. All n8n npm versions below 2.25.7 and versions 2.26.0-2.26.1 are affected when either node is actively used in a workflow. No public exploit code or CISA KEV listing exists at time of analysis; however, the CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:C scoring reflects low-complexity, unauthenticated network exploitation with a scope change indicating potential downstream impact on systems integrated with triggered workflows.
Elevation of privilege in the Microsoft Malware Protection Engine (mpengine) - the scanning core shared by Microsoft Defender Antivirus - allows a low-privileged local user, tracked publicly as "RoguePlanet", to gain SYSTEM-level control by abusing how the engine resolves file links (CWE-59). Because the engine runs with the highest privileges, successful exploitation yields total loss of confidentiality, integrity, and availability. Publicly available exploit code exists (MSNightmare/RoguePlanet on GitHub) and SSVC rates technical impact as total, but there is no CISA KEV listing and EPSS is low (0.39%, 30th percentile), indicating no evidence of widespread active exploitation yet.
Dell OpenManage Integration with Microsoft Windows Admin Center contains a Remote Code Execution vulnerability in the gateway plugin. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.
Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a more-privileged Python process running from a legacy all-users installation, enabling arbitrary code execution under an elevated context. The root cause is a VPATH-based fallback landmark mechanism compiled into release builds: on Windows, VPATH resolves two directory levels above PCbuild/, placing the Modules/Setup.local landmark outside the install directory in a location writable by unprivileged users under the legacy EXE installer's default all-users path. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, high confidentiality and integrity impact (VC:H/VI:H) reflect the ability to fully substitute Python's module loading path.